Understanding Trusts And Trusted Managers

A new Trusted Manager object is added for each Manager imported into the system. It contains both the CA certificate and the contact information for the Manager. Administrators can edit any information associated with the Trusted Manager except its name (Trusted Managers are named according to the fully qualified domain name of the Manager from which they were exported).

Managers

The Administration>Trusts>Managers view is composed of the following administrative actions:

Edit

To modify properties, click the Edit button from the action bar.

Contact Information

To edit contact information associated with a Trusted Manager, in the Contact Information tab, update the information in the appropriate prompt and click OK.

Permissions

Access permissions allow administrators to associate users and groups with selected types of privileges. For information on enabling permissions, see Understanding Users.

Delete

When you delete a Trusted Manager from the system, you are prompted to remove the Trusted Manager's CA certificate from the agents to which it has been assigned. Deleting a Trusted Manager does not delete the organization and agents associated with it.

To delete a Trusted Manager:

  1. Select the Trusted Manager you want to delete and click Delete.
  2. Click Yes at the confirmation prompt.

Remove Trust

To remove a trust from an agent:

  1. Select the Trusted Manager with the agents from which you want to remove the trust and click Remove Trust. The Delete Manager page appears with a list of agents associated with the selected Manager.
  2. Ensure that the Remove check box is selected beside each agent from which you want to remove the trust. By default, the check box beside every agent in the list is selected.
  3. Click Remove Trust.

Import

See Multi-Manager: Clustered Environment

Export Local Manager

See Multi-Manager: Import

Root Certificates

Root Certificates are certificates imported from other sources. Local Certificates are agent certificates installed from the selected Manager. The Multi-Manager and Third-Party Certificates pages display the third-party and multi-manager certificates added to Signiant, and include information about the dates when certificates expire, when they were revoked, when they were issued and so on. Click the drop-down arrow beside each column to choose which columns appear and to filter the information that appears in them. For example, you can filter the Expiry Date field so that only certificates that expire before, after or on a certain date appear. You can also remove this column entirely from the display by choosing Column and removing the check beside it. From this screen you can also add, edit, delete and export root certificates, or install keys, revoke certificates, download the certificate revocation list (CRL) or change the CA passphrase for local certificates.

The Administration>Trusts>Root Certificates view is composed of the following administrative actions:

Add/Edit

To add or edit a third-party or multi-manager certificate:

  1. Click the Add button from the action bar to create and add a certificate or click the Edit button to modify its properties.
  2. Paste the certificate into the Certificate prompt, or modify accordingly.
  3. If desired, add/modify the Description.
  4. Click OK.

Delete Third Party Certificates

You can delete only third-party certificates, not certificates added as part of a multi-manager import (because these are tied to another Manager). Deleting a third-party certificate here does not remove it from the agents to which it has been applied.

To delete a third-party certificate:

  1. Select the certificate and click Delete.
  2. Click Yes at the confirmation prompt.

Export

To export a third-party or multi-manager certificate:

  1. Select the certificate to export and click Export.
  2. Follow the directions on the screens to export the certificate.pem file.
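
A check to run on an exported certificate.pem before pasting it into the Certificate prompt on another system, as an added example that is not part of the Signiant documentation or product: it computes the SHA-256 fingerprint of the PEM so it can be compared with a value obtained from the exporting administrator over a separate channel. The function names and the sample bytes (a constructed stand-in, not a real certificate) are assumptions.

```python
import base64
import hashlib
import hmac
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (lowercase hex) of each certificate in pem_text."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        # Line wrapping and CRLF endings do not change the encoded DER bytes.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def normalize(fingerprint):
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex."""
    return re.sub(r"[\s:]", "", fingerprint).lower()

def safe_to_paste(pem_text, expected_fingerprint):
    """True only if pem_text is exactly one certificate with the expected fingerprint."""
    try:
        prints = pem_fingerprints(pem_text)
    except ValueError:          # corrupted base64 body
        return False
    if len(prints) != 1:        # empty paste, or a bundle with extra certificates
        return False
    return hmac.compare_digest(prints[0].encode(),
                               normalize(expected_fingerprint).encode())

# Constructed stand-in bytes, NOT a real certificate; a real certificate.pem
# is handled the same way because only the base64 body is hashed.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    fp = pem_fingerprints(SAMPLE_PEM)[0]
    print("fingerprint:", fp)
    print("matches:", safe_to_paste(SAMPLE_PEM.replace("\n", "\r\n"), fp.upper()))
```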

Local Certificates

The Local Certificates view displays the certificates of agents installed from the Manager. Administrators can filter each column to create a view of agents by name, organization, certificate expiry (before, after or on a certain date), status, revocation/issue date or serial number.

To manage local certificates:

Enter/Change Passphrase

The CA (Certificate Authority) Admin Passphrase is used to perform CA administrative functions (for example, requesting installation keys). The first time you use any CA function during a session, you are prompted for the CA Admin Passphrase. The passphrase is then cached, which means you do not have to retype it for other tasks that require the CA Passphrase at any time during the existing session. Once you log out of the Web UI the passphrase is no longer cached, and you must retype it the next time you log on and wish to complete a task that requires the passphrase.

Note: The passphrase must be at least seven characters. If you change the passphrase, make sure you record it in a safe place. If you lose this information, it cannot be recovered and you will have to re-install the Manager.

To change the CA Admin Passphrase:

  1. From the Manager, select Administration>Trusts>Local Certificates.
  2. Click Change Passphrase.
  3. In the Current Passphrase field, type the current CA passphrase.
  4. Type the new passphrase in the New Passphrase and Confirm New Passphrase prompts.
  5. Click OK.

Generate Keys

Installation keys are for one-time use at installation time. They allow administrators to control the number of agents to be installed. Installation keys are associated with an organization. When you request an installation key, the Certificate Authority on the Manager returns a list of valid installation keys, which you can use to install agents, or give to users to install them. The number of keys available to an organization is based on the maximum number of agents associated with an organization. By default, keys are valid for five days. You can make them valid for up to 30 days by editing the Authentication (Installation) Key Life Span (days) field in the Certificate & Key Properties screen. You can also make an organization keyless, allowing for agents to be installed against that organization without requiring keys.

When you request installation keys, you can choose to generate the number of remaining keys without invalidating any existing, unused keys, or you can choose to generate new keys and invalidate all previously-generated installation keys. If you choose to invalidate all previously-generated keys, a user who has an unused installation key will need to get a new one in order to install an agent. You cannot generate installation keys for organizations that are keyless.

To retrieve a list of installation keys:

  1. Select Administration>Trusts>Local Certificates.
  2. Click Generate Keys.
  3. If this is the first time you are performing a CA function during the current session, you must enter the CA Admin Passphrase in the field and click OK. If you have already performed a CA function during the current session, the passphrase has already been cached and you will not be prompted for it for the rest of the session. Once you log out of the Web UI, the passphrase is no longer cached, and you must retype it the next time you log on and wish to complete a task that requires the passphrase.
  4. From the drop-down list, choose the name of the organization whose installation keys you want to retrieve and click Download. Select the Generate New Keys check box to retrieve all new keys. This action invalidates any outstanding keys that you have not yet used.
  5. Follow the instructions to save or open the file. If you are using Windows, do not open the file in Notepad, as it will not format the file correctly. Each key should appear on a separate line.
  6. Note the installation key(s) and use them to install the agent(s). You can use each key only once.

Revoke

Revoking an agent's certificate does not remove the agent software from the agent. Once you revoke an agent's certificate, the only way the agent can take part in transfers again is if it is re-installed. You can also revoke the certificate of an agent imported as part of a Multi-Manager configuration. Revoking an agent's certificate is irreversible.

To revoke an agent's certificate:

  1. From the Manager, select Administration>Trusts>Local Certificates.
  2. If this is the first time you are performing a CA function during the current session, enter the CA Admin Passphrase and click OK.
  3. In the display area, click the agent whose certificate you want to revoke, and click Revoke.
  4. Select the Delete Selected Agents check box if you want to permanently delete the agent from the system. Leaving the check box cleared means that the agent is still identified in the database, as are any jobs with which it is associated. Make sure you clear the check box if you are planning to re-install the same agent (for example, if your agent machine had a technical problem and you need to reinstall the Signiant software). However, if you are not planning to re-install the agent whose certificate you are revoking, you may want to remove it from the database. If you do not delete it from the database, it will be included in the agent counts when evaluating license keys.
  5. Click Yes. A screen appears to confirm agent deletion, and displays the number of jobs and users that were associated with the deleted agent.
  6. Click OK. Revoking an agent's certificate adds the agent to a list of revoked certificates that agents check periodically.