Column | ||
---|---|---|
| ||
This guide describes the additional changes that are needed to be done in Microsoft Active Directory (AD) in order to use Buypass Access Manager - the LRA application. Before implementation of new groups in AD the CA must be adjusted with templates. For installation and configuration of CA, AD and CRL please see the document “Installation guide to Microsoft Windows 2008 Server – CA, AD and CRL”. If your company already has a Microsoft PKI infrastructure implemented please see the document “Guide to setup of templates – Buypass Certificate Templates in MS CA” for further configuration. Buypass Certificate Groups in Microsoft ADThe groups which must be created in AD in order to use Buypass Access Manager - LRA are as follows: Group for CA ADM G_CA_Admins * *) Optional. This group can be created to give LRA operators access to the CA server without giving them domain admins permissions.
It may be considered if it is necessary to split in Global and Local Domain Groups. The names of the groups can be determined or changed by the organization. The important thing is that the names of the groups in Active Directory are the same configured in the LRA configuration. LRA v2.5.3/v2.5.4 (Java-version)(…\cfg\properties\cnl\cts\lra\subjectadconfig.properties) #LRA groups lra.client.adapter.subject.ad.lraadmin_group_prefix=CN=G_CA_LRA_Admins lra.client.adapter.subject.ad.lraop_group_prefix=CN=G_CA_LRA_Operators lra.client.adapter.subject.ad.install_qc_group_prefix=CN=G_IDM_KvalifiserteSertifikater lra.client.adapter.subject.ad.install_lc_group_prefix=CN=G_IDM_LokaleSertifikater LRA v3.3 (.net version)... her må det inn bilde av Configuration Application - tab for AD ........ We refer to CA installation document chapter 4.2 for more details and for the settings for LRA privilege hierarchy. We also refer to the LRA system documentation for more information about the function of the various groups mentioned above. Users must be registered in ADIn order to use the Buypass LRA all users must be registered in AD. AD is the primary userdatabase of all users/employees as the Buypass LRA issues and administrates the certificates for these users/employees. There is no update of data in the AD from the LRA client. A service account must be created for use by the LRA client. The LRA client will use this service account [lrauser] to retrieve data from AD. The account must have enough privileges to read information that the LRA client needs through the issuance of certificates. The password for this user should have a minimum validity of 3 years and be correspondingly strong. The password must be entered in the config file to the LRA client. The password should be encrypted. This is done by using the LRA client after installation. LRA v2.5.3/v2.5.4 (Java-version)(…\cfg\properties\cnl\cts\lra\subjectadconfig.properties) #AD configs lra.client.adapter.subject.ad.host=192.168.1.21 lra.client.adapter.subject.ad.port=389 lra.client.adapter.subject.ad.basedn=DC=lab,DC=buypass,DC=no lra.client.adapter.subject.ad.principal=lrauser lra.client.adapter.subject.ad.credentials=secretpassword lra.client.adapter.subject.ad.searchbase=OU=Brukere(*);OU=Admin(*);CN=Users(*) LRA v3.3 (.net version)... her må det inn bilde av Configuration Application - tab for AD ........
Fields which the LRA client are reading from ADThe installation of LRA client does not require any AD schema extensions. It is sufficient to use an existing attribute that is not in use.
The fields the LRA client is reading from are fields that already exist in AD. If someone wants to add information in other attributes than those selected default, it will not be a problem, as long as the LRA has privileges to read when issuing certificates.
1) A D-number is a temporary number assigned to foreign citizens who must pay tax or national insurance in Norway. Note: There is no update of data in the AD from the LRA client.
Default does the LRA client read from these fields in AD: .USERID=sAMAccountName .EMAIL=mail .IDDOCUMENT=extensionattribute15 ... and from these groups: CN=G_IDM_LokaleSertifikater
In order to be able to retrieve the information there must be a mapping between the attributes in AD and the same information elements in the LRA client. The mapping is specified in a configuration file. LRA v2.5.3/v2.5.4 (Java-version)(…\cfg\properties\cnl\cts\lra\subjectadconfig.properties) #AD fields lra.client.adapter.subject.ad.mapping.USERID=sAMAccountName lra.client.adapter.subject.ad.mapping.SSN=uid lra.client.adapter.subject.ad.mapping.SSN2=uid lra.client.adapter.subject.ad.mapping.FIRSTNAME=givenName lra.client.adapter.subject.ad.mapping.LASTNAME=sn lra.client.adapter.subject.ad.mapping.BIRTHDATE=uid lra.client.adapter.subject.ad.mapping.EMAIL= lra.client.adapter.subject.ad.mapping.IDDOCUMENT= LRA v3.3 (.net version)... her må det inn bilde av Configuration Application - tab for AD ........
GPO - Group PolicyIt is not necessary to set up the GPO for distribution of intermediate CA root certificate, it is distributed automatically. For those clients using stand alone Root CA the trusted root certificate must be distributed.
|
Column | ||
---|---|---|
| ||
Column | |||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||
|
Column | ||
---|---|---|
| ||
Section | ||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Include Page | ||||
---|---|---|---|---|
|
Include Page | ||||
---|---|---|---|---|
|
Include Page | ||||
---|---|---|---|---|
|