Configuring the ActivID AAA SKI Connector

Configure the ODBC Connection to existing AAA Server Databases

If you installed the SKI Connector on a machine other than the one hosting the AAA Server solution, you must now link the SKI Connector to the existing AAA Administration databases using the Windows ODBC management tool.

This procedure applies to both database systems supported by the AAA Server: Microsoft SQL Server and Oracle.

Note: Configuring on 64-bit platforms

You might see error messages when configuring Data Sources (ODBC) on 64-bit platforms. This is related to a Microsoft configuration issue described at http://support.microsoft.com/kb/942976/en-us: a 64-bit Windows installation has separate 32-bit and 64-bit ODBC administrators and DSN registries, and a DSN is only visible to processes of the same bitness as the administrator that created it. For the workaround, see the AAA Server Release Notes.
  1. From the Windows Start menu, point to Programs, Administrative tools, and then Data Sources (ODBC).

    The ODBC Data Source Administrator opens.

  2. Select the System DSN tab.
  3. Click Add.

    If the ActivPackAdmin and ActivPackServer DSNs already exist, select ActivPackAdmin and click Configure... to verify that the data source matches the configuration described below.

    The DSNs must be named ActivPackAdmin and ActivPackServer; the names are case-sensitive.

  4. Depending on your database management system, select ODBC Driver 17 for SQL Server (Microsoft SQL Server) or Oracle Instant Client (Oracle), and then click Finish.
  5. Select the server hosting the AAA Server databases from the Server drop-down list (or type the server name if the SQL Server Browser service is not running, because the list is then not populated) and click Next.
  6. Select With SQL Server authentication... (or the Oracle equivalent if necessary).
  7. Click Client Configuration...
  8. Enter the Login ID and Password used to access the database and click Next.

    These credentials were set during the installation of the AAA Server.

  9. Select Change the default database to and select ActivPackAdmin from the list.
  10. Click Next.
  11. Leave the remaining options at their default values and click Finish.
  12. Click Test Data Source... to verify the connection to the AAA Server database.

    If the connection is configured correctly, a message confirms that the test completed successfully.

    If the test fails, click OK and verify the ODBC settings, in particular the Login ID and Password entered.

  13. Click OK.
  14. Click OK to close the ODBC Data Source Administrator and, if the AAA Server is on the same machine, restart the AAA Server service.
  15. To verify that the databases are set up correctly, log on to the AAA Server Configuration.
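The same procedure can be scripted, which also makes the 32-bit/64-bit DSN split explicit. The following is an added example, not part of the ActivID documentation: it creates the two System DSNs with the Wdac cmdlets (Add-OdbcDsn / Get-OdbcDsn, available on Windows 8 / Windows Server 2012 and later), checks the exact spelling of the names, and then opens each DSN with the database login from step 8, as Test Data Source... does. The database host (SQLHOST\AAA), the 32-bit platform, the ODBC Driver 17 for SQL Server driver and the database name behind the ActivPackServer DSN are all placeholders and assumptions; the verification query is SQL Server specific.

```powershell
# Added example (not from the ActivID documentation): create and test the two System DSNs
# from PowerShell instead of the ODBC Data Source Administrator dialog.
# Assumptions (placeholders, adjust for your installation):
#   - database host SQLHOST\AAA, driver "ODBC Driver 17 for SQL Server"
#   - the SKI Connector runs as a 32-bit process, so the DSNs go into the 32-bit ODBC
#     registry (on 64-bit Windows the 32-bit and 64-bit DSN stores are separate)
#   - the ActivPackServer DSN points at a database named ActivPackServer (assumed; the
#     documentation only fixes the DSN names, check the database name used by your install)
$DbServer = 'SQLHOST\AAA'
$Driver   = 'ODBC Driver 17 for SQL Server'
$Platform = '32-bit'      # or '64-bit'; must match the bitness of the process that uses the DSN
$Dsns     = [ordered]@{ ActivPackAdmin = 'ActivPackAdmin'; ActivPackServer = 'ActivPackServer' }

foreach ($name in $Dsns.Keys) {
    $existing = Get-OdbcDsn -Name $name -DsnType System -Platform $Platform -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Trusted_Connection=No selects SQL Server authentication; the DSN never stores the password
        Add-OdbcDsn -Name $name -DriverName $Driver -DsnType System -Platform $Platform `
            -SetPropertyValue @("Server=$DbServer", "Database=$($Dsns[$name])", "Trusted_Connection=No")
        Write-Host "Created $Platform System DSN $name"
    }
    elseif ($existing.Name -cne $name) {
        # the registry lookup is case-insensitive, but the SKI Connector expects the exact spelling
        throw "DSN exists as '$($existing.Name)' but must be spelled exactly '$name'"
    }
    else {
        Write-Host "DSN $name already exists with these attributes:"
        $existing.Attribute | Format-Table -AutoSize
    }
}

# Test each DSN with the database login set during the AAA Server installation.
# Run this from a PowerShell of the same bitness as $Platform (for 32-bit on 64-bit Windows:
# %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe); otherwise ODBC reports
# "Data source name not found" even though the DSN was created correctly.
$cred = Get-Credential -Message 'AAA database login (set during AAA Server installation)'
$pwd  = $cred.GetNetworkCredential().Password
foreach ($name in $Dsns.Keys) {
    $conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$name;Uid=$($cred.UserName);Pwd=$pwd")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT DB_NAME()'    # SQL Server: the default database the DSN lands in
        $db = [string]$cmd.ExecuteScalar()
        if ($db -ne $Dsns[$name]) { Write-Warning "$name connected, but default database is '$db', expected '$($Dsns[$name])'" }
        else { Write-Host "$name OK (default database $db)" }
    }
    catch   { Write-Warning "$name FAILED: $($_.Exception.Message)" }
    finally { $conn.Dispose() }
}
$pwd = $null   # do not leave the clear-text password in the session
```

The default-database check matters because the SKI Connector Configurator only takes the DSN name: if the DSN lands in the wrong database, the connector's queries fail later rather than at DSN creation time.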

Create a New Console User in the AAA Server (Optional)

To manage SKI credentials from the second application, you must have an account in the AAA Server with at least Device Manager privileges. The second application uses this account to access the SKI Connector services. The account must be configured to use a static password.

You can reuse an existing AAA Server Console user account for this connection. However, to be able to distinguish activity initiated from the second application from that of human operators in the AAA Server audit trail, it is recommended that you create a separate account dedicated to the connection. To create a new user account, see Managing the ActivID AAA Server.

If you create a new user in the AAA Server, make a note of the user name and password. They are required when configuring the connection to the AAA Administration Server in the second application.

Prerequisites: You have created device repositories and imported some devices. Otherwise, you cannot define the rights of your Console users properly or assign them authentication devices.
Console users are specific to the Administration Console and do not correspond to any user in your LDAP directory.
  1. From the tree in the left pane of the Administration Console, select Company.
  2. Click the icon.
  3. Click Add to add a Console user.

    If you have already created users and want to modify a profile or remove a user from the system, highlight the user in the list and click Modify or Remove. You cannot modify or remove the administrator account you are currently logged on as.

  4. In the Username field, enter a name for the user. (You cannot change a Console user's name after the user has been created.)
  5. From the Role drop-down list, select the Device Manager profile for the new user.
  6. From the Device drop-down list, select None (the account authenticates with a static password, not with a device).
  7. In the Password and Confirm fields, enter and confirm a static password for the user.
  8. In the Group Administration section, select Manage all groups (if it is not already selected) so that the SKI Connector account can manage all user groups.

    Alternatively, leave Manage all groups cleared and select only the groups that the SKI Connector is allowed to manage; this restricts the scope of the SKI Connector account.

  9. Click > to move the highlighted group(s) to the Selected group(s) list.
  10. Click OK to return to the Add New User window.
  11. Click OK.

Securing the ActivID SKI Connector Service with SSL (Optional)

This step is required only if you want to manually generate the certificates for the SSL connection between the SKI Connector and the second application.

Three certificates are required to configure SKI Connector with SSL:

  • A server certificate - installed manually by the Administrator on the server hosting your SKI Connector service.
  • A client certificate - used by the second application to connect to the SKI Connector.
  • The certificate authority root certificate.
Note: All three certificates must be issued by the same certificate authority.
Prerequisites: The Certificate Authority is running and you have the appropriate rights to issue server certificates.

Steps for the Server Certificate

For steps 1 and 3, see the server documentation. For step 2, see the certificate authority documentation.

  1. Create a server certificate request for the server that hosts your SKI Connector service.
  2. Submit the server certificate request, retrieve the certificate and save it in a file (base64 format).
  3. Install the server certificate in the local certificate store of the machine hosting your SKI Connector service.

Steps for the Client Certificate

  1. Get a client certificate from your certificate authority. See the certificate authority documentation.

    Select Mark keys as exportable so that both the public and private keys of the certificate can be exported to a file.

  2. Export the client certificate to a .p12 or .pfx file (PKCS #12 format).
Note: Make a note of the name of the client certificate file and its location. This file contains the private key and is protected by a password. It must be copied to the machine hosting the second application to secure the connection; transfer it over a protected channel and communicate the password separately from the file.

Steps for the Certificate Authority Root Certificate

  1. Get the root certificate for your certificate authority (see the certificate authority documentation).
  2. Export the certificate to a file (a .cer in base64 format).
Note: Make a note of the name of the root certificate file and its location.

Once you have configured the SKI Connector to use SSL, the URL to connect to the SKI Connector is:

https://<servername>:<port>/Invoke?Handler=ActivIdentitySKIConnectorV2

  • where <servername> is the name of the machine where you installed the SKI Connector. Use the host name that appears in the server certificate, so that the client's host name check against the certificate succeeds.
  • By default, the port number is 8200.
Note: Make a note of this URL. It is required when configuring the connection to the SKI Connector in the second application.
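The three certificate procedures above leave the export format and the "same certificate authority" requirement to the reader. The following is an added example, not part of the ActivID documentation, that performs the export steps on the Windows host with built-in tooling (Export-Certificate plus certutil -encode for the base64 .cer, Export-PfxCertificate for the PKCS #12 client file) and then checks, before you touch the Configurator, that the server and client certificates both carry a private key and both chain to the exported root. The thumbprints, store locations and output folder are placeholders and assumptions; the certificates themselves must already have been issued by your certificate authority as described above.

```powershell
# Added example (not from the ActivID documentation): export the root CA and client
# certificates in the formats the SKI Connector and the second application expect, and
# verify that server, client and root certificates belong to the same CA.
# Assumptions (placeholders): the three thumbprints, their store locations, and $OutDir.
$ServerThumb = '0123456789ABCDEF0123456789ABCDEF01234567'   # server cert, installed in LocalMachine\My
$ClientThumb = '89ABCDEF0123456789ABCDEF0123456789ABCDEF'   # client cert, enrolled exportable in CurrentUser\My
$RootThumb   = 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'   # CA root, in LocalMachine\Root
$OutDir      = 'C:\SKIConnector\certs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$server = Get-Item "Cert:\LocalMachine\My\$ServerThumb"
$client = Get-Item "Cert:\CurrentUser\My\$ClientThumb"
$root   = Get-Item "Cert:\LocalMachine\Root\$RootThumb"

# 1. Root certificate as a base64 .cer: Export-Certificate writes DER, certutil re-encodes it
#    with BEGIN/END CERTIFICATE markers, which is the "base64 format" the Configurator expects.
$der = Join-Path $OutDir 'ca-root.der'
Export-Certificate -Cert $root -FilePath $der -Type CERT | Out-Null
certutil -encode $der (Join-Path $OutDir 'ca-root.cer') | Out-Null
Remove-Item $der

# 2. Client certificate with its private key as PKCS #12, protected by an interactively
#    entered password (never hard-code it; the file goes to the second application's host).
$pfxPwd = Read-Host -AsSecureString 'Password to protect the client .pfx'
Export-PfxCertificate -Cert $client -FilePath (Join-Path $OutDir 'ski-client.pfx') -Password $pfxPwd | Out-Null

# 3. Checks: private keys present, and each end-entity certificate chains to $root.
if (-not $server.HasPrivateKey) { throw 'Server certificate has no private key in LocalMachine\My' }
if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key (was it enrolled with "Mark keys as exportable"?)' }
foreach ($c in @($server, $client)) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is verified at connection time
    if (-not $chain.Build($c)) {
        $why = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        throw "Chain build failed for $($c.Subject): $why"
    }
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $root.Thumbprint) { throw "$($c.Subject) does not chain to $($root.Subject)" }
    Write-Host "$($c.Subject) chains to $($root.Subject) via $($chain.ChainElements.Count - 1) link(s)"
}
Write-Host "Exported $OutDir\ca-root.cer and $OutDir\ski-client.pfx"
```

If the CA uses an issuing sub-CA, the chain check still passes as long as the final element is the root you exported; what the Configurator and the second application need is a root they both trust, and this script fails early if either certificate was issued from a different hierarchy.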

Configure the SKI Connector

Prerequisites:
  1. From the Windows Start menu, point to Programs, ActivID, AAA, and then click SKI Connector Configurator.

    In the ODBC settings section of the screen, the DSN, User ID and Password fields of the account used to connect to the AAA Server Administration database are pre-populated with the default values.

    These parameters are set during the installation of the ActivPack Administration Console Database.

  2. If you want the SKI Connector service to run under a Windows account other than the Local System account, enter the credentials of that account in the Run SKI Connector Service as... section.

    To use the Local System account, leave these fields empty. Running the service under a dedicated account that holds only the rights the service needs limits what an attacker can do if the service is compromised.

  3. Under LDAPS settings, in the Trusted CA certificate file path field, browse to the exported root certificate (a .cer file in base64 format) of the certificate authority that issued the server certificate installed on your LDAP directory server (for the export procedure, see Steps for the Certificate Authority Root Certificate).
    Important: You must configure the same certificate in the Administration Console (see Configure the Connection to LDAP) and in the AAA Server (see Configure the AAA Server).
  4. By default, the connection between the SKI Connector and the second application is secured using SSL. To view the SSL certificates or to deactivate SSL (not recommended: the Console user credentials and the SKI credential data would then cross the network unencrypted), select the HTTP Configuration tab.

    • If required, change the SSL connection port number in the Port field.
    • To deactivate the SSL connection, clear the Use SSL option.
    • To reactivate the SSL connection, select the Use SSL option and enter the Port number.

    The configurator checks the certificates installed on the computer and populates the Certificates list box.

    From the list of certificates detected in the computer's store, select the certificate issued for the SKI Connector (the server certificate, see Steps for the Server Certificate).

    If no certificates are detected, a warning is displayed. In that case, install the server certificate as described in Securing the ActivID SKI Connector Service with SSL (Optional) and return to this tab.

  5. If the Web Self Help Desk is used with this SKI Connector, select the Generic Operator tab.

    The SKI Connector must use the credentials of a generic AAA Server operator account to log on to the Self Help Desk.

    • If the Web Help Desk device assignment functions are used, use the credentials of a Device Manager.
    • If those functions are not used, the credentials of a Help Desk operator are sufficient; prefer this lower-privilege role in that case.

  6. Enter the username and password of the generic operator.
  7. To verify that the specified account has the required access, click Test Generic Operator.
  8. To configure the SKI Connector logs, select the Logs and Traces tab.
  9. Accept the default settings for the Log and traces Path, Error log Maximum size, and Trace for debug Maximum size.
  10. To verify the SKI Connector configuration, return to the General tab and click Test Configuration.
  11. Enter the Username and Password of the AAA Server Console user designated for the SKI Connector (see Create a New Console User in the AAA Server (Optional)).
  12. Click OK.

    The system tests the configuration and returns a success message.

    If the test is unsuccessful, verify the configuration details (the ODBC settings, the Console user credentials and, if SSL is enabled, the selected certificate).

  13. Click OK to return to the SKI Connector Configurator.
  14. Click Apply to save the configuration.

    A confirmation message might be displayed.

  15. Click Yes.

    The ActivID SKI Connector service starts.
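Once the service is running, it is worth confirming from a second machine that the endpoint actually presents the certificate selected on the HTTP Configuration tab and that the service account chosen in step 2 took effect. The following is an added example, not part of the ActivID documentation: it opens a TLS connection to the SKI Connector port, reads the presented certificate without trusting it automatically, compares it with the expected thumbprint and host name, builds its chain against the local trust store, and then reports the Windows account the service runs under. The host name, port, expected thumbprint and the service display-name pattern are placeholders and assumptions.

```powershell
# Added example (not from the ActivID documentation): post-configuration checks for the
# SKI Connector SSL endpoint and service account.
# Assumptions (placeholders): host name, port, expected server-certificate thumbprint, and
# that the Windows service's display name contains "SKI Connector".
$ServerName    = 'skiconnector.example.com'
$Port          = 8200                                         # default SSL port
$ExpectedThumb = '0123456789ABCDEF0123456789ABCDEF01234567'   # thumbprint selected in the Configurator
$Url           = "https://${ServerName}:${Port}/Invoke?Handler=ActivIdentitySKIConnectorV2"

# 1. TLS handshake. The callback returns $true only so that we can inspect the certificate
#    ourselves; do not copy this pattern into a real client, which must reject bad chains.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
          [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($ServerName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Host "Negotiated $($ssl.SslProtocol); presented: $($cert.Subject) [$($cert.Thumbprint)]"
$ssl.Dispose(); $tcp.Dispose()

# 2. Is it the certificate issued for the SKI Connector, and does it carry this host name?
if ($cert.Thumbprint -ne $ExpectedThumb) { throw "Endpoint presents $($cert.Thumbprint), not the SKI Connector certificate" }
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $ServerName) { Write-Warning "Certificate name '$dnsName' differs from '$ServerName'; clients will fail the host name check" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }

# 3. Does it chain to a root this machine trusts (the same root exported for the second application)?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    Write-Warning ("Presented certificate does not chain to a trusted root: " +
                   (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
} else {
    Write-Host "Chain OK, root: $($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)"
}
Write-Host "Configure the second application with: $Url"

# 4. Service account: Local System is the default; a dedicated account is the least-privilege choice.
#    Run this part on the SKI Connector host. The display-name filter is an assumption.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%SKI Connector%'"
foreach ($s in $svc) {
    Write-Host "$($s.DisplayName): state=$($s.State) account=$($s.StartName)"
    if ($s.StartName -eq 'LocalSystem') { Write-Warning "$($s.DisplayName) runs as Local System; consider 'Run SKI Connector Service as...'" }
}
```

Run the first three parts from the host of the second application, since that is the trust store that has to contain the exported root; a chain that builds on the SKI Connector host itself proves little about the client side.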