Column | ||
---|---|---|
| ||
This information is written in English only
This guide describes the additional changes that are needed to be done in Microsoft Active Directory (AD) in order to use Buypass Access Manager - the LRA applicationclient. Before implementation of new groups in AD the CA must be adjusted with templates. For installation and configuration of CA, AD and AD and CRL please see the document “Installation guide to Microsoft Windows 2008 Server – MicroSoft CA, AD and CRL”.and CRL - Installation and configuration on MS Win 2008 Server If your company organization already has a Microsoft PKI infrastructure implemented please see the document “Guide Guide to setup of templates – Certificate Templates - Buypass Certificate Templates in Templates in MS CA” CAfor further configurationdefinition of needed templates. Buypass Certificate Groups in Microsoft ADThe groups which must be created in AD in order to use Buypass Access Manager - LRA are as follows: Group for CA ADM GADM G_CA_Admins * *) Optional. This group can be created to give LRA operators Operators access to the CA server without giving them domain admins permissions.
It may be considered if it is necessary to split in Global and Local Domain Groups. The names of the groups can be determined or changed by the organization. The important thing is that the names of the groups in Active Directory are the same configured in the LRA configuration. LRA v2.5.3/v2.5.4 (Java-version)(…\cfg\properties\cnl\cts\lra\subjectadconfig.properties) #LRA groups lra.client.adapter.subject.ad.lraadmin_group_prefix=CN=G_CA_LRA_Admins lra.client.adapter.subject.ad.lraop_group_prefix=CN=G_CA_LRA_Operators lra.client.adapter.subject.ad.install_qc_group_prefix=CN=G_IDM_KvalifiserteSertifikater lra.client.adapter.subject.ad.install_lc_group_prefix=CN=G_IDM_LokaleSertifikater LRA v3.3 (.net version)... her må det inn bilde av Configuration Application - tab for AD ........ We refer to CA installation document chapter 4.2 for more details and for the settings for LRA privilege hierarchy. We also refer to the LRA system documentation for more information about the function of the various groups mentioned above. Figure: A test setup from Buypass lab
Users must be registered in ADIn order to use Buypass Access manager - the Buypass LRA all client, all users must be registered in AD. AD is the primary userdatabase user database of all users/employees as the Buypass LRA issues and administrates the certificates for these users/employees. There is no update of data in the AD from the LRA client. A service account must be created for use by the LRA client. The LRA client will use this service account [lrauser] to retrieve data from AD. The account must have enough privileges to read information that the LRA client needs through the issuance of certificates. The password for this user should have a minimum validity of 3 years and be correspondingly strong. The password must be entered in the config file to the LRA client. The password should be encrypted. This is done by using the LRA client after installation. LRA v2.5.3/v2.5.4 (Java-version)(…\cfg\properties\cnl\cts\lra\subjectadconfig.properties) #AD configs lra.client.adapter.subject.ad.host=192.168.1.21 lra.client.adapter.subject.ad.port=389 lra.client.adapter.subject.ad.basedn=DC=lab,DC=buypass,DC=no lra.client.adapter.subject.ad.principal=lrauser lra.client.adapter.subject.ad.credentials=secretpassword lra.client.adapter.subject.ad.searchbase=OU=Brukere(*);OU=Admin(*);CN=Users(*) LRA v3.3 (.net version)... her må det inn bilde av Configuration Application - tab for AD ........
Fields which the LRA client are reading from ADThe installation of Buypass Access Manager - the LRA client, does not require any AD schema extensions. It is sufficient to use an existing attribute that is not in use.
The fields the LRA client is reading from are fields that already exist in AD. If someone wants to add information in other attributes than those selected default, it will not be a problem, as long as the LRA has privileges to read when issuing certificates. 1*) A D-number is a temporary number assigned to foreign citizens who must pay tax or national insurance in Norway.need a national identity in order to communication with official authorities in Norway, as applying for a bank account, getting working permission, pay taxes or getting national insurance.
Note: There is no update of data in the AD from the LRA client.
Default does the LRA client read from these fields in AD: .USERID=sAMAccountName .EMAIL=mail .IDDOCUMENT=extensionattribute15 ... and from these groups: CN=G_IDM_LokaleSertifikater
In order to be able to retrieve the information there must be a mapping between the attributes in AD and the same information elements in the LRA client. The mapping is specified in a configuration file. LRA v2.5.3/v2.5.4 (Java-version)(…\cfg\properties\cnl\cts\lra\subjectadconfig.properties) #AD fields lra.client.adapter.subject.ad.mapping.USERID=sAMAccountName lra.client.adapter.subject.ad.mapping.SSN=uid lra.client.adapter.subject.ad.mapping.SSN2=uid lra.client.adapter.subject.ad.mapping.FIRSTNAME=givenName lra.client.adapter.subject.ad.mapping.LASTNAME=sn lra.client.adapter.subject.ad.mapping.BIRTHDATE=uid lra.client.adapter.subject.ad.mapping.EMAIL= lra.client.adapter.subject.ad.mapping.IDDOCUMENT= ... her må det inn bilde av Configuration Application - tab for AD ........
GPO - Group PolicyIt is not necessary to set up the GPO for distribution of intermediate CA root certificate, it is distributed automatically. For those clients using stand alone Root CA the trusted root certificate must be distributed.
|
Column | ||
---|---|---|
| ||
Column | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||
|
Column | ||
---|---|---|
| ||
Section | ||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Include Page | ||||
---|---|---|---|---|
|
Include Page | ||||
---|---|---|---|---|
|
Include Page | ||||
---|---|---|---|---|
|