IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Smart card revocation and expiry

You can terminate the use of a smart card as an authentication factor in two ways: Revoke the registered smart card or revoke the certificate.

Revoke the registered smart card from AccessAdmin

If a user tries to log on with the smart card, AccessAgent detects that the smart card is not registered. AccessAgent deletes any existing smart card credentials cached on the machine and informs the user that the smart card is not registered. The user might register the smart card again and provide the required credentials.

Revoke the certificate issued to the smart card

To check the revocation status of the smart card certificates, the IBM® HTTP Server must be configured to check either the CRL or OCSP status. If the user tries to log on to AccessAgent with the revoked or expired smart card certificate, the SSL client authentication with IBM HTTP Server fails. In this case, AccessAgent deletes any existing smart card credentials cached on the machine and informs the user that the smart card cannot be authenticated. After this point, the user cannot use the smart card to log on to AccessAgent even if IBM HTTP Server is not reachable.

Only IBM HTTP Server can perform the CRL/OCSP lookup and the expiry check. If the user has the smart card credentials cached on a machine and the IBM HTTP Server is not reachable, the user can still log on to the machine with a revoked or an expired certificate.
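As an added illustration (not from this page or the product documentation), the IBM HTTP Server configuration fragment below shows the kind of SSL client-authentication setup the revocation check depends on, with OCSP enabled and CRL lookup shown as the alternative. The directive names are standard IHS SSL directives as recalled by the editor, the host names and paths are placeholders, and the exact directive set should be verified against the IHS version in use.

```apache
# Assumed IBM HTTP Server httpd.conf fragment for smart card logon.
# Paths and host names are placeholders; directive names are IHS SSL
# directives and should be checked against the installed IHS version.
<VirtualHost *:443>
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/keys/key.kdb    # placeholder key database

    # Require a client certificate so a smart card must present one.
    # Appending "crl" enables CRL checking for the client certificate;
    # omit it when OCSP below is used instead.
    SSLClientAuth Required

    # Option 1: OCSP. IHS reads the responder from the certificate's AIA
    # extension; SSLOCSPResponderURL overrides it with a fixed responder.
    SSLOCSPEnable On
    SSLOCSPResponderURL http://ocsp.example.com/    # placeholder responder

    # Option 2: CRL from an LDAP directory (use with "SSLClientAuth Required crl").
    # SSLCRLHostname ldap.example.com                # placeholder directory
    # SSLCRLPort 389

    # Fail the handshake when revocation status cannot be determined,
    # instead of silently accepting the certificate.
    SSLUnknownRevocationStatus deny
</VirtualHost>
```

Note that this only governs the online path: the offline logon with cached smart card credentials described above is unaffected by any IHS setting, so the cache lifetime and machine access controls remain the compensating controls there.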



Feedback