The integrated identity management (IIM) feature enables various external identity management systems like IBM Tivoli and Computer Associates eTrust Admin to acquire and revoke certificates while adding and deleting users. The Identity Integration Service of SSH Tectia Certifier handles the IIM operations on the Certifier side.
Service description is a free-form description of the Service and its function.
Service status can be either Active or Disabled. If the service is Disabled, it does not perform its function. This option can be used to take the service temporarily out of use.
Service Instance Name identifies the Identity Integration Service and it is also used as the directory name under
Replication Type selects how identity information is relayed to SSH Tectia Certifier.
If External directory notifications is selected, the Identity Integration Service waits for notifications (in XML format) from an external source to appear in the certifier/var/extid/<iis-name>/incoming directory and polls the directory at the selected intervals. The Poll interval is given in seconds.
If Run external provider is selected, the Identity Integration Service invokes the named external provider from the directory certifier/lib/extid-providers/ at the selected intervals. The Invocation interval is given in seconds. The LDAP Provider ext-id-provider-ldap.pl is shipped by default with SSH Tectia Certifier.
Notification Provider Type
Notification Provider Type selects the type of the provider used. If you have selected External directory notifications as the Replication Type, select No configuration here.
If the built-in LDAP Provider is used, select LDAP. An additional field for LDAP Provider Configuration appears (see below).
If another provider is used, select Custom. An additional field for Custom Provider Configuration appears. You can enter the provider-specific configuration in XML format to the text box.
LDAP Provider Configuration
The LDAP Provider Configuration field is shown when LDAP has been selected as the Notification Provider Type.
The configuration contains connection parameters to the LDAP directory, including LDAP Address and Port, LDAP Username, and LDAP Password.
To specify the LDAP Actions, click Add and select the action from the drop-down list.
The supported actions are the following:
- Add new user, which causes an entity to be created in SSH Tectia Certifier.
- Modify user data, which causes the corresponding entity data to be modified.
- Delete user, which causes the entity to be deleted and its certificates to be revoked.
- Disable user, which causes the entity to be inactivated and its certificates to be suspended.
- Enable user, which causes the entity and its certificates to be re-activated.
Each action requires a set of parameters. These are Base, Scope, Filter, Search Size Limit, and Search Time Limit.
An example configuration for IBM Tivoli is shown in Figure Identity Integration Service.
CA Binding is the CA the entity is associated with.
Attribute Mapping defines how attributes from the external entity are mapped to the entity created in SSH Tectia Certifier.
An example attribute mapping is shown in Figure Identity Integration Service.
Parameters define the status for the created entities and list the operations that the Identity Integration Service is allowed to do.
The Initial entity status can be set to Active or Inactive.
The allowed operations are the following:
- Allow new entity creation
- Allow entity update
- Allow entity removal
- Allow certificate revocation
- Allow PSK creation for existing entities
- Allow certificate issuing
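The following model, added here as an illustration and not code from SSH Tectia Certifier, shows how the five LDAP actions above act on entities and their certificates, how Attribute Mapping renames external attributes, and how the allowed-operation parameters gate each action. The class, the attribute names and the rule that Disable/Enable fall under entity update are assumptions; the page itself does not state which parameter each action needs.

```python
# Hypothetical model (not SSH Tectia Certifier code) of how the LDAP actions
# act on entities, gated by the service's allowed-operation parameters.
ALLOW_CREATE = "Allow new entity creation"
ALLOW_UPDATE = "Allow entity update"
ALLOW_REMOVE = "Allow entity removal"
ALLOW_REVOKE = "Allow certificate revocation"

# Allowed operations each action needs. Treating Disable/Enable as entity
# updates is an assumption; the configuration page does not say.
REQUIRED = {
    "Add new user": (ALLOW_CREATE,),
    "Modify user data": (ALLOW_UPDATE,),
    "Delete user": (ALLOW_REMOVE, ALLOW_REVOKE),  # deletion also revokes
    "Disable user": (ALLOW_UPDATE,),
    "Enable user": (ALLOW_UPDATE,),
}


class IdentityIntegrationService:
    def __init__(self, allowed, mapping, initial_status="Active"):
        self.allowed = set(allowed)
        self.mapping = mapping            # external attr -> Certifier attr
        self.initial_status = initial_status   # "Active" or "Inactive"
        self.entities = {}                # uid -> {"status", "attrs", "certs"}

    def _map(self, ext):
        # Attribute Mapping: only mapped external attributes reach the entity.
        return {self.mapping[k]: v for k, v in ext.items() if k in self.mapping}

    def apply(self, action, uid, ext_attrs=None):
        missing = [op for op in REQUIRED[action] if op not in self.allowed]
        if missing:
            raise PermissionError("not allowed for this service: %s" % missing)
        ext_attrs = ext_attrs or {}
        if action == "Add new user":
            self.entities[uid] = {"status": self.initial_status,
                                  "attrs": self._map(ext_attrs), "certs": {}}
            return self.entities[uid]
        ent = self.entities[uid]          # remaining actions need an existing entity
        if action == "Modify user data":
            ent["attrs"].update(self._map(ext_attrs))
        elif action == "Delete user":     # entity removed, its certificates revoked
            ent["certs"] = {s: "revoked" for s in ent["certs"]}
            del self.entities[uid]
        elif action == "Disable user":    # entity inactivated, certificates suspended
            ent["status"] = "Inactive"
            ent["certs"] = {s: "suspended" for s in ent["certs"]}
        elif action == "Enable user":     # entity and certificates re-activated
            ent["status"] = "Active"
            ent["certs"] = {s: "valid" for s in ent["certs"]}
        return ent
```

A service granted only creation and update can add, modify, disable and enable entities but is refused on Delete user, which is the least-privilege split the allowed-operation check boxes exist for.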
Entity Policy and PSK
Under Entity Policy, policy modules can be added to the entity. This has the same effects as in normal entity creation. See Section Policy Module Attributes.
A Pre-Shared Key can be created for the new entities by selecting the Create PSK for new entities check box.
Under PSK Policy, policy modules can be added to the PSK. This has the same effects as in normal entity creation. See Section Policy Module Attributes.
SSH Tectia Certifier can be configured to automatically send an e-mail to the user when the entity is ready for enrollment. This e-mail contains the pre-shared key for enrolling the certificates.
To enable this, select the check box under Notification Script and enter the command line for the e-mailer script in the text box. The ssh-ca-notify-email script is included by default with SSH Tectia Certifier on Unix platforms. Modify the script according to your needs.
Click the Continue button to accept changes made to the Service settings, or click Cancel to discard them. After clicking Continue, remember to Commit Changes on the Edit Server Entity page.