Quantum Scalar i6000 & SafeNet KeySecure Quick Start Guide
The available fields are:

- Password Authentication - determines whether users must supply a username and password to access the key server over KMIP. There are two options:
  • Optional - (default) no password authentication is required and global sessions are allowed. Unauthenticated users can create global keys, all users can access global keys, and only authenticated users can create and access non-global keys. With this setting any client that can complete the SSL handshake can read every global key, so treat global keys as unprotected.
  • Required - password authentication is required and global sessions are not allowed. Only non-global keys can be created; authenticated users can access both global and non-global keys.
- Client Certificate Authentication - you must enable this feature to comply with the KMIP standard. There are two options:
  • Used for SSL session only - clients must present a certificate signed by a CA trusted by the KeySecure in order to establish an SSL connection. When you select this option, you must also select a Trusted CA List Profile.
  • Used for SSL session and username - clients must present a certificate signed by a CA trusted by the KeySecure in order to establish an SSL connection; additionally, a username is derived from the client certificate. That username is the sole means of authentication if password authentication is Optional and the client does not provide a username and password. If the client does provide a username, the key server compares the username derived from the certificate against the username in the authentication request. If the usernames match and the password is valid, the user is authenticated; if the usernames differ, the connection is closed immediately. When you select this option, you must also select a Trusted CA List Profile and choose the field from which the username is derived.
- Trusted CA List Profile - select the profile used to verify that client certificates are signed by a CA trusted by the KeySecure. This field is only used if you select Used for SSL session only or Used for SSL session and username above. As delivered, the default Trusted CA List profile contains no CAs. You must either add CAs to the default profile or create a new profile and populate it with at least one trusted CA before the key server can authenticate client certificates. Limit the profile to the CA that actually issues your KMIP client certificates: every CA in the profile can issue a certificate that the key server will accept.
- Username Field in Client Certificate - specify the field from which to derive the username. This field is only used if you select Used for SSL session and username above. The username can come from the UID (user ID), CN (Common Name), SN (Surname), E (Email address), E_ND (Email address without domain), or OU (Organizational Unit) field. If you select E_ND, the key server matches against the data to the left of the @ symbol in the email address in the certificate request. For example, if the email address in the certificate request has User1 to the left of the @ symbol, the key server matches against User1. Choose a field whose value your CA guarantees to be unique per client; SN and OU are commonly shared by many certificates, so two clients could map to the same username.
- Require Client Certificate to Contain Source IP - determines whether the key server expects the client certificate presented by the client application to carry an IP address in the subjectAltName field. The key server obtains the IP address from the subjectAltName and compares it with the source IP address of the client application; if the two IP addresses match, the key server authenticates the user. If they do not match, the key server closes the connection. The source address the key server observes must be the one in the certificate, so this check fails for clients behind NAT, a proxy or a load balancer that rewrites the source address, and any change of a client's address requires a reissued certificate.
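To make the rules above concrete, the following Python emulation is an added example and is not code from Quantum or SafeNet. It models the username derivation for each field (including the E_ND rule), the username-match rule for Used for SSL session and username, the Optional/Required password behaviour, and the subjectAltName source-IP check. A certificate is represented as the dict that Python's ssl.SSLSocket.getpeercert() returns, so the same functions can be run against a real TLS peer; the Decision names, the verify_password hook, the behaviour on a bad password or a missing field, and the sample certificate are assumptions.

```python
"""Emulation of the KMIP client-authentication rules described on this page.

Added example, not KeySecure code. A certificate is represented as the dict
returned by Python's ssl.SSLSocket.getpeercert(). The Decision values, the
verify_password hook, the behaviour on a bad password or missing field and
the sample certificate are assumptions."""
import ipaddress
from enum import Enum

# Map the guide's field names to the RDN attribute names that getpeercert()
# reports (OpenSSL long names). E_ND reads the same attribute as E and then
# strips everything from the @ symbol onwards.
USERNAME_FIELDS = {
    "UID": "userId",
    "CN": "commonName",
    "SN": "surname",
    "E": "emailAddress",
    "E_ND": "emailAddress",
    "OU": "organizationalUnitName",
}


class Decision(Enum):
    AUTHENTICATED = "authenticated"      # may use global and non-global keys
    GLOBAL_SESSION = "global session"    # unauthenticated, global keys only
    CLOSE = "connection closed"


def _subject_attr(cert, attr):
    """Return the first value of a subject attribute, or None if absent."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == attr:
                return value
    return None


def username_from_cert(cert, field):
    """Derive the username from the configured certificate field."""
    value = _subject_attr(cert, USERNAME_FIELDS[field])
    if value is None:
        return None
    if field == "E_ND":
        return value.split("@", 1)[0]   # data to the left of the @ symbol
    return value


def san_ip_matches(cert, source_ip):
    """True if a subjectAltName IP Address entry equals the peer's source IP."""
    want = ipaddress.ip_address(source_ip)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and ipaddress.ip_address(value) == want:
            return True
    return False


def authenticate(cert, source_ip, *, password_auth="Optional",
                 cert_auth="Used for SSL session and username",
                 username_field="CN", require_san_ip=False,
                 request_username=None, request_password=None,
                 verify_password=lambda user, pw: False):
    """Apply the page's rules to one authentication request.

    Assumes the TLS layer has already verified the chain against the
    Trusted CA List Profile; only the steps after that are modelled.
    """
    if require_san_ip and not san_ip_matches(cert, source_ip):
        return Decision.CLOSE

    cert_user = None
    if cert_auth == "Used for SSL session and username":
        cert_user = username_from_cert(cert, username_field)
        if cert_user is None:           # assumption: no usable field, refuse
            return Decision.CLOSE

    if request_username is None:        # client sent no username/password
        if cert_user is not None and password_auth == "Optional":
            return Decision.AUTHENTICATED   # cert-derived name is the sole means
        if password_auth == "Required":
            return Decision.CLOSE           # global sessions are not allowed
        return Decision.GLOBAL_SESSION

    if cert_user is not None and cert_user != request_username:
        return Decision.CLOSE               # names differ: closed immediately
    if verify_password(request_username, request_password):
        return Decision.AUTHENTICATED
    return Decision.CLOSE                   # assumption: bad password is refused


# Constructed sample certificate in getpeercert() form (not a real certificate).
ALICE_CERT = {
    "subject": ((("organizationalUnitName", "backup"),),
                (("commonName", "alice"),),
                (("emailAddress", "alice@example.test"),)),
    "subjectAltName": (("IP Address", "10.0.0.5"),),
}


if __name__ == "__main__":
    def good(user, pw):
        return (user, pw) == ("alice", "s3cret")
    print(username_from_cert(ALICE_CERT, "E_ND"))                         # alice
    print(authenticate(ALICE_CERT, "10.0.0.5"))                           # AUTHENTICATED
    print(authenticate(ALICE_CERT, "10.0.0.5", request_username="bob",
                       request_password="s3cret", verify_password=good))  # CLOSE
    print(authenticate(ALICE_CERT, "10.0.0.9", require_san_ip=True))      # CLOSE
```

Run it directly to see the four decisions, or point the functions at a real client by passing the dict from getpeercert() and the address from the socket's getpeername(). The source-IP case with 10.0.0.9 is the NAT or proxy failure mode noted above: the certificate is valid, but the observed address differs, so the connection is closed.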
The KeySecure is now ready to manage keys and can handle requests that come through the KMIP Interface.