Managing PKI Authentication

Authentication is performed using the Public Key Infrastructure (PKI) credentials stored in the user's browser or on a device (such as a smart card or token). PKI is the comprehensive system required to provide public-key encryption and digital signature services.

By default, ActivID Appliance supports the following PKI-based authentication methods:

  • PKI challenge/response for direct user authentication - the authenticating party signs a challenge. ActivID Appliance then validates the response using the end user’s reference credential (the public key certificate).
  • PKI certificate check for indirect user authentication - a trusted system presents a public key certificate bound in ActivID Appliance to an end user. ActivID Appliance checks that the certificate is associated with the user and that the device and credential status are Active.
    This authentication method assumes that the trusted system, for example a web server hosting the business application, has established a two-way SSL/TLS session with the user, thereby confirming that the user’s certificate is valid and that the user is in possession of the associated private key.
  • PKI certificate matching for indirect user authentication - similar to the PKI certificate check method except that the user's certificate is not stored or bound to the user in ActivID Appliance. Instead, at authentication, ActivID Appliance checks that the attributes of the certificate provided in the SSL/TLS session match the rules defined in the associated credential type.

Prerequisites: The root certificate of the certificate authority (CA) must be imported into the truststore of ActivID Appliance.
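The three methods above, modelled in Go as an added example that is not ActivID Appliance code: a constructed self-signed ECDSA certificate stands in for the user's reference credential, and the function names, the device/credential status flags and the OU-based matching rule are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// newUserCert builds a constructed self-signed test certificate (no real CA involved).
func newUserCert(cn, ou string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignChallenge is the authenticating party's half of PKI challenge/response.
func SignChallenge(key *ecdsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// VerifyChallengeResponse (direct method): the response must verify under the
// public key of the user's reference certificate.
func VerifyChallengeResponse(ref *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := ref.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

// CertificateCheck (indirect method): the certificate the trusted system presents
// must be the one bound to the user, and device and credential must be Active.
func CertificateCheck(bound, presented *x509.Certificate, deviceActive, credActive bool) bool {
	return presented.Equal(bound) && deviceActive && credActive
}

// CertificateMatching (indirect, no stored certificate): the certificate's
// attributes must satisfy the credential type's rule, here a required OU.
func CertificateMatching(presented *x509.Certificate, requiredOU string) bool {
	return slices.Contains(presented.Subject.OrganizationalUnit, requiredOU)
}
```

Note that CertificateCheck compares the presented certificate byte-for-byte with the bound one, so a renewed certificate for the same user is rejected until it is re-bound; the matching method avoids that by evaluating attributes instead.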