Procedures for Configuring Connections to the ActivID AAA Server

Important:

  • If you are using ActivID AAA Server 6.8.x with Web Help Desk installed, do not install ActivID CMS on the same machine as the AAA Authentication, Authorization, and Accounting Web Help Desk.
    Note: Earlier versions of the ActivID AAA Server (6.7.x) are no longer supported in this version of ActivID CMS.

  • Both servers use Apache Tomcat services but different versions.

  • Both services use the same default ports; therefore, it is not possible to run both servers at the same time (for example, ActivID CMS fails to start).

Using ActivID CMS, you can issue devices containing SKI Symmetric Key Infrastructure or OATH Open Authentication applications for secure remote access using ActivID AAA servers. These SKI applications allow a user to access resources (for example, different applications or computers) using a dynamic password generated by the user’s device. This authentication method requires an ActivID AAA server to manage access to the resources.

Note: For OATH Open Authentication applications, the latest AAA hotfix (FIXS2208000 or more recent) is required. Its “SKI Connector” also manages OATH credentials.

So that it can manage SKI and OATH credentials, ActivID CMS communicates with one or more ActivID AAA servers.

Managing SKI credentials includes the following SKI key-related operations:

  • Issuing and revoking,

  • Suspending and resuming,

  • Managing emergency access, and

  • Managing access logs display.

Managing OATH credentials includes the following OATH key-related operations:

  • Issuing and revoking.

Important: Before you begin, make sure that:

  1. If you have not already done so, you must configure the User Attribute to Store Card Serial Number with the same attribute defined for the AAA server (for example, telexNumber).

    You can set this attribute using the User Attribute to Store Card Serial Number field which is available when you select “Directories” from the Select a Topic menu on the Customization sub-tab of the Configuration tab.

    Note: If you want to issue OATH certificates, the user attribute must be multi-valued (for example, otherTelephone).

  2. Go to the Repositories Management page.

  3. To create a new server, click Add Authentication Server.

  4. Click Submit. The AAA Administration Server Creation page appears:

  5. Enter the appropriate information and select the appropriate options:

    • Name—Enter a name for the server (which must be unique within ActivID CMS).

    • TypeAAA is displayed automatically.

      Note: The current version of ActivID CMS is compatible with AAA version 6.8 and 7.0.

    • Hostname or IP Address—Enter a name or IP address for the computer system hosting the SKI Connector.

    • Port—Enter a value for connecting to the SKI Connector (the default is 8200).

    • User Name—Enter the user name for the ActivID AAA server user used by ActivID CMS to connect to the server. This username must have administrator rights in the ActivID AAA Server Administration Console.

    • Password—This is the password that corresponds to the ActivID AAA server administrator you just specified for the User Name.

    • Connection Time-out—Enter a value (in seconds) that represents the time period within which the connector must answer; if it does not answer ActivID CMS within this time period, then ActivID CMS assumes that the connector is unavailable (the default is 10 seconds).

    • Number of Retries—Enter the maximum number of connection retry attempts you can make before the server connection is considered to have timed out (the default number of attempts is 3).

    • Retry Delay—Enter the delay time period (in milliseconds or ms) between two consecutive connection attempts to the SKI Connector (the default is 5000 ms).

    • Secure Connection—If you want ActivID CMS to connect to the SKI Connector using an SSL connection with mutual authentication (recommended), then select Yes for Secure Connection. If you select Yes, then you must provide the following additional information:

      • Client Credentials for SSL—Enter the complete file name and path to the file that contains the client credentials for accessing the SKI Connector. The file is a .p12 file and must be present on the system that is hosting the ActivID CMS server.

        Important: The password used for the Client Credentials for SSL will also be used for the CA Certificate Chain.

      • Password for Client Credentials—Enter the password that protects the content of the file you designated in the previous Client Credentials for SSL text box.

      • CA Certificate Chain—Enter the complete file name and path to the file that contains the certificate chain of the CA that issued the server and client certificates for the SSL communication between ActivID CMS and the SKI Connector. The file is a .jks file that contains the certificate encoded in base64 format (which must be present on the system hosting the ActivID CMS server).

  6. Click Test to verify that the connection is working.

  7. Click Create to declare the new ActivID AAA server.

Note: For security reasons, the password is not retrieved during an update. You cannot modify the Name field.

  1. Go to the Repositories Management page.

  2. Locate the ActivID AAA server connection you want to update in the Authentication Servers panel on the page, in the Name column.

  3. In the Action column, click Update. The Authentication Server Update page appears.

    See Procedure 1: Adding a Connection to an ActivID AAA Server (this procedure illustrates the AAA Administration Server Creation page).

  4. Modify the respective data as required.

  5. Click Test to verify that the connection is working.

  6. Click Update.

  7. When the confirmation message appears, click Done.

  1. Go to the Repositories Management page.

  2. Locate the ActivID AAA server in the Authentication Servers panel on the page, in the Name column.

  3. In the Action column, click View. The Authentication Server Information page appears.

  4. Click Done to return to the main page.

Removing an ActivID AAA server from the ActivID CMS database does not physically remove the ActivID AAA server. However, ActivID CMS will be unable to manage the credentials issued by that server.

  1. Go to the Repositories Management page.

  2. Locate the ActivID AAA server in the Authentication Servers panel on the page, in the Name column.

  3. In the Action column, click Delete. The Authentication Server Deletion page appears.

  4. Click Delete.

  5. When the confirmation message appears, click Done.