

Configuration for the PKI Authentication Type

To configure PKI authentication, you must first create an access policy and then associate a public key with it. The process flow is as follows:

Create an Access Policy

The administrator performs this task in the CA SDM Web Interface (Web Interface only). As part of the process, the administrator assigns a unique text code (the policy code) to each access policy; the pdm_pki utility later refers to the policy by this code.

Obtain a Digital Certificate with a Public/Private Key Pair and Associate it with the Access Policy

For PKI access authentication, a user application needs a public/private key pair together with a digital certificate for the public key. An administrator can obtain the certificate from a third-party Certificate Authority (CA) or from a security product that supports digital certificates. CA SDM also provides a server-side utility that can generate the key pair and certificate. It is located in the <NX_ROOT>/bin directory and is invoked as follows:

pdm_pki -p policy_code [-l certificate_file] [-f] [-h]

-p policy_code

Identifies the unique policy code of the access policy.

-l certificate_file

Loads the public key stored in an X509 V3 certificate file (DER/ASN.1 format) instead of generating a new key pair.

-f

Replaces the public key already associated with the access policy with the new public key.

-h

Displays help on the command line window.

If you obtain the digital certificate from a third party, from CA Technologies, or from another security product, copy it to the host where the CA SDM server is located and then associate it with an access policy. The administrator of the user application should obtain a certificate file that contains an X509 V3 certificate in DER/ASN.1 format.

The file that is loaded must contain only the certificate, that is, only the public key of the public/private key pair; the private key stays with the user application and is never copied to the server. The administrator invokes the pdm_pki utility with the -l option to load the certificate. The utility loads the certificate, extracts the public key, converts the public key to BASE64 text format, and saves it with the access policy identified by the policy code.

When the pdm_pki utility is used to generate the certificate, the administrator invokes the command on the CA SDM server without the -l option. The utility generates an RSA public/private key pair (1024-bit keys), converts the public key to BASE64 text format, and stores it with the access policy identified by the policy code. An X509 V3 certificate is also created to hold the public key along with other identifying information. Finally, the X509 V3 certificate is packaged with the private key in the standard portable PKCS12 format and saved in a file named policy_code.p12, where policy_code is the supplied policy code. This file can then be exported to clients. The default pass phrase protecting the PKCS12 file is the policy code itself.

Because the .p12 file contains the private key that authenticates to the access policy, handle it as a secret: change the default pass phrase (the policy code is visible to anyone who can see the policy configuration) and distribute the file only to the client hosts that need it. Note also that 1024-bit RSA is below current guidance (NIST SP 800-131A disallows it for new signature keys); if your environment can use a longer key, generate it with an external CA or tool and load its certificate with the -l option, after confirming that the key size is accepted by CA SDM.

Note: If an access policy is already associated with the public key of a certificate, specify the -f option when calling pdm_pki to overwrite the existing public key with the new public key.
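The following script is an added example, not part of CA SDM or the pdm_pki utility. It uses OpenSSL to produce the same three artifacts the procedure above describes (a private key, a DER-encoded X509 V3 certificate holding only the public key, and a PKCS12 bundle for the client) and provides checks an administrator can run before handing a file to pdm_pki: that the file given to -l is a bare DER certificate rather than a PEM file or the .p12 bundle, that the certificate is version 3, and that the .p12 actually opens with the chosen pass phrase and contains the private key. The policy code, directory and pass phrase are hypothetical arguments; the key size is 2048 bits here, which differs from the 1024-bit keys pdm_pki generates.

```shell
#!/bin/sh
# Added example (not CA SDM code): prepare and verify PKI artifacts for an access policy.
#   POLICY.key  private key; stays with the client, never copied to the CA SDM server
#   POLICY.der  X509 V3 certificate, DER form: the file to load with "pdm_pki -p POLICY -l POLICY.der"
#   POLICY.p12  PKCS12 bundle (certificate + private key) for the client, like pdm_pki's own output
set -eu

# generate_artifacts POLICY DIR PASSPHRASE
# 2048-bit RSA (hypothetical choice for this example); pdm_pki itself generates 1024-bit keys.
generate_artifacts() {
    policy="$1"; dir="$2"; pass="$3"
    # self-signed X509 certificate; -addext forces a V3 certificate regardless of openssl.cnf defaults
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$policy" \
        -addext "keyUsage=digitalSignature" \
        -keyout "$dir/$policy.key" -out "$dir/$policy.pem" 2>/dev/null
    # DER-encoded certificate holding only the public key: what pdm_pki -l expects
    openssl x509 -in "$dir/$policy.pem" -outform DER -out "$dir/$policy.der"
    # PKCS12 bundle for the client; pass phrase supplied explicitly instead of defaulting to the policy code
    openssl pkcs12 -export -in "$dir/$policy.pem" -inkey "$dir/$policy.key" \
        -name "$policy" -out "$dir/$policy.p12" -passout "pass:$pass"
}

# is_der_certificate FILE: succeeds only if FILE is a bare DER X509 certificate.
# A PEM file or a .p12 bundle (which also carries the private key) fails this check,
# so run it on the file before importing it with pdm_pki -l.
is_der_certificate() {
    openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1
}

# cert_version FILE: prints the X509 version number of a DER certificate (3 for V3)
cert_version() {
    openssl x509 -inform DER -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p'
}

# public_key_base64 FILE: the public key as one line of BASE64 text, the form pdm_pki
# stores alongside the access policy
public_key_base64() {
    openssl x509 -inform DER -in "$1" -noout -pubkey | grep -v '^-----' | tr -d '\n'
}

# p12_has_private_key FILE PASSPHRASE: succeeds if the PKCS12 bundle opens with PASSPHRASE
# and contains a private key (what the client needs in order to authenticate)
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# main POLICY DIR PASSPHRASE: build the artifacts, then verify them before use with pdm_pki
main() {
    policy="$1"; dir="$2"; pass="$3"
    mkdir -p "$dir"
    generate_artifacts "$policy" "$dir" "$pass"
    is_der_certificate "$dir/$policy.der" || { echo "$policy.der is not a DER certificate" >&2; return 1; }
    p12_has_private_key "$dir/$policy.p12" "$pass" || { echo "$policy.p12 does not open with the pass phrase" >&2; return 1; }
    echo "certificate version: $(cert_version "$dir/$policy.der")"
    echo "public key (BASE64, first 40 chars): $(public_key_base64 "$dir/$policy.der" | cut -c1-40)..."
    echo "load on the server with: pdm_pki -p $policy -l $dir/$policy.der"
}

if [ $# -eq 3 ]; then main "$@"; fi
```

Run it as `sh prepare_pki.sh SAMPLEPOLICY ./out 'a strong pass phrase'` (all three arguments are hypothetical). The is_der_certificate check is the one worth keeping in an operational runbook: the most likely import mistake is pointing -l at the PEM or .p12 file, and the .p12 contains the private key, which has no business on the server.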

More information:

Define an Access Policy