Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 108

Access Manager supports two schemes for a URL: http:// and ldap://.
OCSP Validation: If OCSP validation is enabled, the Authority Info Access (AIA) extension, which
contains the URL of the OCSP responder, is read from the user certificate. A signed OCSP request
for the user certificate is sent to the OCSP responder, and a signed OCSP response carrying the
revocation status of the user certificate is received from it. Alternatively, if you do not
expect an AIA extension in user certificates, you can specify a value in the OCSP responder URL
field. The value you enter here overrides any OCSP responder URLs found in a certificate.
Access Manager supports two schemes for a URL: http:// and ldap://.
Disable Root CA Revocation Check: Disables the check of whether the certificate authority itself
has been revoked. When enabled, this check consults the CRL and OCSP for the trusted root
certificate in the chain. You can enable or disable this option to tune the performance of X.509
user authentication.
If you enable the root CA revocation check, what the Identity Server checks depends upon the
certificates that have been added to the Identity Server trust store. If the root certificate and the
intermediate certificates in the chain are in the trust store, the Identity Server only validates the
client (leaf) certificate. If the trust store only contains the root certificate, the browser sends the
intermediate and leaf certificates, which are then validated by the Identity Server.
8 Configure the trust stores:
NIDP Trust Store: This trust store must contain the trusted root certificate of the certificate
authorities that signed your user certificates. Click this link to add certificates to the trust store.
OCSP Trust Store: This trust store must contain the signing certificate of the OCSP servers
you want to trust. Click this link to add certificates to the trust store. You must add the signing
certificate, not the trusted root certificate, for this feature to work.
9 Configure the browser restart option.
Some browsers, such as Internet Explorer, keep the SSL session active until the user closes the
browser. When the user logs in with the certificate on a smart card, then removes the card and
logs out but does not close the browser, the SSL session is still active. If another user has access
to the machine, that user can use the existing session.
To prevent this from happening, enable the Force browser restart on logout option.
10 Click Next.
11 Configure attribute mappings.