Managing security for certificate authentication
The IBM Copy Services Manager server supports authentication to the server through Client Certificates. Client Certificates are X.509 certificates that users with access to the server can create for the purpose of authenticating to the server through REST calls.
Administrators or User Administrators have full control over how Client Certificates are used on the server. Client Certificates are disabled by default, and an Administrator or User Administrator must enable them before anyone can use them.
When a Client Certificate is used, the caller receives exactly the permissions that the user holds at the time the call is made; the certificate does not carry permissions of its own. If the user's permissions change, any later calls made with the certificate are authorized with the new permissions.
The following sections describe how an Administrator or User Administrator manages Client Certificate usage.
Enabling and Disabling Client Certificates
Client Certificates are disabled by default. While the feature is disabled, users with access to the server cannot create certificates or use them for authentication.
To enable or disable Client Certificate usage, the Administrator or User Administrator completes the following steps:
- From the top Navigator in the GUI, go to Settings → Administration
- On the Administration page, click the link at the top of the page called "Manage Client Certificates".
- In the popup, select the Enabled or Disabled radio button
- If you select Enabled, also set Maximum Expiration (days) to the longest certificate lifetime that your security guidelines allow. The default is 366 days.
- Click Ok to save the changes.
Viewing Users with Client Certificates
At any time, an Administrator or User Administrator can view which users have created a Client Certificate and when each certificate expires.
To view the current list of users with certificates, the Administrator or User Administrator completes the following steps:
- From the top Navigator in the GUI, go to Settings → Administration
- On the Administration page, click the link at the top of the page called "Manage Client Certificates".
- The popup contains a table that lists, for each certificate, the user name, the certificate name, the date the certificate was created, and its expiration date.
- Check that each certificate is still required and that its expiration date meets your security guidelines; revoke any certificate that does not.
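The review in the last step is easier to repeat on a schedule if the table is exported and checked by a script. The following Python is an added example, not code from IBM Copy Services Manager: it assumes the table has been copied into a CSV with the four columns the popup shows (the column names, the sample rows, the reference date and the policy thresholds are all constructed for the example), and it flags certificates that have expired, that expire within a warning window, whose lifetime exceeds the Maximum Expiration (days) value configured on the server, or whose creation date lies in the future.

```python
"""Audit an export of the "Manage Client Certificates" table against local policy.

Added example. The CSV layout, column names, sample rows and thresholds below
are assumptions made for the illustration, not part of the product.
"""
import csv
import io
from datetime import date, timedelta

# Assumed policy values: MAX_DAYS mirrors the server-wide "Maximum Expiration
# (days)" setting (366 by default); WARN_DAYS is a local choice for early renewal.
MAX_DAYS = 366
WARN_DAYS = 30

# Constructed "today" for the sample data, so the results are reproducible.
REFERENCE_DAY = date(2025, 6, 1)

# Constructed sample export; not data from a real server.
SAMPLE_EXPORT = """\
user,certificate,created,expires
alice,alice-rest,2025-01-15,2025-12-31
bob,bob-backup,2024-03-01,2025-05-20
carol,carol-ops,2025-05-01,2025-06-20
dave,dave-script,2025-06-10,2025-12-01
"""


def parse_export(text):
    """Return (user, certificate, created, expires) tuples with real date objects."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append((rec["user"], rec["certificate"],
                     date.fromisoformat(rec["created"]),
                     date.fromisoformat(rec["expires"])))
    return rows


def audit(rows, today, max_days=MAX_DAYS, warn_days=WARN_DAYS):
    """Return a sorted list of (user, certificate, finding) for every policy problem.

    One certificate can raise several findings; one with none is policy-clean.
    """
    findings = []
    for user, cert, created, expires in rows:
        if created > today:
            # A creation date in the future points at clock skew or a bad export.
            findings.append((user, cert, "created-in-future"))
        if expires < today:
            findings.append((user, cert, "expired"))
        if (expires - created).days > max_days:
            # Lifetime longer than the server maximum: issued before the limit
            # was lowered, or the limit is not what the guideline requires.
            findings.append((user, cert, "lifetime-exceeds-policy"))
        if today <= expires <= today + timedelta(days=warn_days):
            findings.append((user, cert, "expires-soon"))
    return sorted(findings)


def clean_users(rows, today, **policy):
    """Users whose certificates raised no finding at all."""
    flagged = {user for user, _, _ in audit(rows, today, **policy)}
    return sorted({user for user, *_ in rows} - flagged)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for user, cert, finding in audit(rows, REFERENCE_DAY):
        print(f"{user:8} {cert:14} {finding}")
```

Anything reported as "expired" or "lifetime-exceeds-policy" is a candidate for the revocation procedure in the next section; "expires-soon" is a renewal reminder rather than a policy violation.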
Revoking Client Certificates for Users
If a user with a certificate no longer requires access, or if a security incident occurs, an Administrator or User Administrator can revoke the certificate at any time.
To revoke a Client Certificate for one or more users, the Administrator or User Administrator completes the following steps:
- From the top Navigator in the GUI, go to Settings → Administration
- On the Administration page, click the link at the top of the page called "Manage Client Certificates".
- In the table, select the users whose certificates you want to revoke.
- Click the Revoke Selected Certificates button.
- Click Ok on the "Are you sure?" prompt.
Deleting User Access to the Server
When Client Certificates are enabled, any user with access to the server can create one. This includes users who authenticate through LDAP or Active Directory and users who have access through a group.
A user's certificate remains valid for as long as the user has access to the server. If an Administrator or User Administrator removes access for that user, or for the group through which the user has access, the server automatically deletes the user's certificate, so there is no need to delete user certificates manually when removing a user or group.