Configuring the Recommended Scenario

This chapter describes how to configure the recommended smart card login scenario and add additional administrators to it.

Configuration Procedure

Configuring the recommended smart card login scenario consists of the following tasks:

  • Configuring the DSA and LDAP Server

  • Configuring DirX Identity Manager

  • Configuring DirX Identity

The next sections describe each configuration task.

Prerequisites

The recommended smart card login scenario has the following prerequisites:

  • Atos CardOS API V 5.5 64-bit (see DirX Directory Manager Guide → Core component → Using LDAP → Smart Card Login → Software Requirements)

  • DirX Directory Server V8.9 or newer

  • DirX Manager V2.3 build 110 or newer

  • Java 11 64-bit Java Runtime Environment (JRE)

Configuring the DSA and LDAP Server

To configure the DSA and LDAP Server for smart card login:

  • Using DirX Manager, follow the instructions in the document DirX Directory Manager Guide → Core component → Using LDAP → Smart Card Login → Setting up the LDAP Server and the DSA for Smart Card Login, with the following exceptions:

    • In the Client Authentication tab of the LDAP server SSL configuration subentry, select client authentication required and then select Use the directory entry that owns the Certificate as bind initiator from the drop-down list.

    • The selection Use the directory entry that owns the Certificate as bind initiator requires that you configure an initial index for the userCertificate attribute. You can use the Database node in DirX Manager’s Schema View to perform this task.

  • In the LDAP Configuration subentry, add the distinguished name from the subject field of your smart card certificate to the LDAP Extended Operations Read Users attribute to allow the personalized DomainAdmin to perform all extended LDAP read operations. (The value all also works, but it grants extended read operations to every bound user rather than to the listed administrators only, so list the individual DNs unless that is what you intend.) The following figure shows the subentry and the attribute:

    LDAP Server Configuration Subentry and the ldapExtOpReadUsers Attribute

    Because the client (Identity Manager) binds with SASL EXTERNAL as the personalized DomainAdmin, the DN is matched against the certificate subject, so you must specify the attribute values in X.500 DN string syntax (root-first, slash-separated) prefixed with X500DN:. For example:

    X500DN:/C=DE/O=Atos/SURNAME=Schwinn/GIVENNAME=Ignaz/SERIALNUMBER=A987/CN=Ignaz Schwinn/UID=Z1234

    See the DirX Administration Reference → DirX String Representation for DAP Binds → String Representations for Structured Attribute Syntaxes → Certificate Attribute for a description of this syntax. See the DirX Administration Reference → DirX Attributes → X.500 User Application Attributes → LDAP Extended Operations Admins for more information about access policies for LDAP extended operations.
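The X500DN: value must match the certificate subject exactly, and the subject as printed by OpenSSL (leaf-first, comma-separated, with the short names SN and GN) has to be turned into the root-first, slash-separated form shown above. The following script is an added example, not DirX code: it converts an RFC 4514 subject string (the output of openssl x509 -noout -subject -nameopt RFC2253) into the X500DN: string. It assumes the attribute names SURNAME, GIVENNAME and SERIALNUMBER as used in the example value above; other attribute types are passed through upper-cased, and a value containing a slash is rejected because the DirX escaping rule for that case is not documented here.

```python
"""Build the X500DN: value for the LDAP Extended Operations Read Users
attribute from a certificate subject in RFC 4514 form.

Added example, not DirX code. Assumptions: the DirX X500DN: form is
root-first and slash-separated and uses SURNAME, GIVENNAME and SERIALNUMBER
as in the guide's example; other types pass through upper-cased."""
import re

# OpenSSL short names -> names in the DirX DN string form (assumption,
# derived from the example value in the guide).
TYPE_MAP = {"SN": "SURNAME", "GN": "GIVENNAME", "SERIALNUMBER": "SERIALNUMBER"}


def split_rdns(dn):
    """Split an RFC 4514 DN at unescaped, unquoted commas (leaf first)."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):       # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def unescape_value(value):
    """Undo RFC 4514 escaping: surrounding quotes, backslash-char, \\XX hex."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            hexpair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                out.append(chr(int(hexpair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def to_x500dn(subject):
    """Return the 'X500DN:/...' string for ldapExtOpReadUsers."""
    out = []
    for rdn in reversed(split_rdns(subject)):   # DirX form is root first
        if re.search(r"(?<!\\)\+", rdn):
            raise ValueError("multi-valued RDN not supported: " + rdn)
        typ, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: " + rdn)
        typ = typ.strip().upper()
        val = unescape_value(val.strip())
        if "/" in val:
            raise ValueError("'/' in value; DirX escaping rule unknown: " + val)
        out.append(TYPE_MAP.get(typ, typ) + "=" + val)
    return "X500DN:/" + "/".join(out)


if __name__ == "__main__":
    # Constructed subject matching the guide's example certificate.
    print(to_x500dn("UID=Z1234,CN=Ignaz Schwinn,SERIALNUMBER=A987,"
                    "GN=Ignaz,SN=Schwinn,O=Atos,C=DE"))
```

Run it on the subject of the actual card certificate and paste the printed value into the attribute; if it raises on a multi-valued RDN or a slash, enter the DN by hand following the DirX Administration Reference rather than guessing an encoding.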

Configuring DirX Identity Manager

To configure DirX Identity Manager for smart card login:

  • Configure it to use the PKCS#11 library and the Java 11 JRE (64-bit).

  • Set up the login profiles for the Provisioning and Connectivity views.

Configure the PKCS#11 Library

In DirX Identity Manager’s Tools → Options menu, select to manage Java keystores and then specify the path to the PKCS#11 library in the Smart Card frame, as shown in the DirX Directory Manager Guide → Core Component → Using LDAP → Smart Card Login → Configuring the PKCS#11 Library for DirX Manager.

Configure Java 11 JRE (64-bit)

To ensure that DirX Identity Manager uses the Java 11 JRE (64-bit), set it up to use an existing Java 11 JRE (64-bit) installation:

  • Open the file dxi_install_path\setdxienv.bat.

  • Check to make sure the set DXI_JAVA_HOME= directive is present in the file and is set to the valid path to the JRE installation. For example:

    …
    @ECHO OFF
    set DXI_JAVA_HOME=C:\Program Files\AdoptOpenJDK\jre-11.0.11.9-hotspot
    SET PATH=%DXI_JAVA_HOME%\bin;%PATH%
    …

Set up the Login Profiles

To set up the login profiles for Connectivity and Provisioning, follow the instructions given in the DirX Directory Manager Guide → Core Component → Using LDAP → Smart Card Login → Setting up the Client. In the Authentication frame, select SASL EXTERNAL bind and then select Smart Card PKCS#11 from the drop-down list in Client Keystore.

Configuring DirX Identity

Configuring DirX Identity for smart card login in the recommended scenario consists of the following tasks:

  • Creating the personalized DomainAdmin in the Provisioning view.

  • Storing the smart card certificate in the personalized DomainAdmin.

  • Adding the personalized DomainAdmin to DirXmetahub read and write groups in the Connectivity view.

  • Setting up the request workflow service for SASL authentication.

Create the Personalized DomainAdmin

To set up the personalized DomainAdmin, follow the instructions in the chapter "Creating a Personalized DomainAdmin".

Store the Smart Card Certificate in the Personalized DomainAdmin

To store the smart card certificate in the personalized DomainAdmin:

  • In DirX Identity Manager’s Provisioning → Users view, open the personalized DomainAdmin user you created (for example, MyDomainAdmin).

  • In this user’s Authentication tab, edit the Certificate attribute to add the smart card certificate.

Add the Personalized DomainAdmin to DirXmetahub Read and Write Groups

To add the personalized DomainAdmin to the DirXmetahub read and write groups:

  • In DirX Identity Manager, change to the Data View and then open the Connectivity view.

  • Add the personalized DomainAdmin you created (for example, MyDomainAdmin) as a member of the following groups:

    cn=Write,dxmC=Groups,dxmC=DirXmetahub

    cn=Read,dxmC=Groups,dxmC=DirXmetahub

Here is a sample entry in LDIF format that shows the Write group after MyDomainAdmin has been added (the Read group is updated the same way):

dn: cn=Write,dxmC=Groups,dxmC=DirXmetahub
objectClass: top
objectClass: groupOfUniqueNames
cn: Write
description: Default Administrator Group (with Write permissions)
uniqueMember: cn=admin,dxmC=DirXmetahub
uniqueMember: cn=MyDomainAdmin,cn=Users,cn=My-Company

Set up Request Workflow Service SASL Authentication

To set up request workflow service authentication:

  • Navigate to the /utils/ssl subdirectory in the directory of the Java-based Server that runs the request workflows; for example, dxi_install_path/ids-j-My-Company-S1/utils/ssl. You can use DirX Identity Manager’s Connectivity → Expert view to check which server has request workflow support: open the Manage Ids-J Configuration context menu on a Java-based Server (right-click the server entry) and then select requestworkflow Types.

  • Edit the following genManager.bat (or .sh) script parameters to your requirements:

set dname - specifies the host name; for example, dxi-w-2012-03.

set alias - specifies the keystore alias; for example, dxi-w-2012-03.

set keystorePassword - specifies the keystore password.

set truststorePassword - specifies the truststore password. The default is changeme.

  • Run the genManager.bat (or .sh) script.

  • Copy the generated keystore file to dxi_install_path/GUI/bin on the machine that hosts DirX Identity Manager.

  • In dxi_install_path/GUI/bin, edit the dxi.cfg property file: uncomment the following lines and then set the keystoreName and keystoreAlias values to match the alias you used in genManager:

#keystoreName=manager-keystore-<alias>
#keystoreAlias=<alias>

For example, with the comment characters removed and the alias from genManager filled in:

keystoreName=manager-keystore-dxi-w-2012-03
keystoreAlias=dxi-w-2012-03
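Two mistakes are easy to make in this step: leaving the two dxi.cfg lines commented out, and using an alias in dxi.cfg that differs from the one given to genManager (the keystore file is then not found). The following check is an added example, not DirX code. It assumes dxi.cfg is a Java-style properties file in which # starts a comment, and that genManager names the keystore file manager-keystore-<alias>, as the commented template in dxi.cfg implies; the optional file list stands in for a directory listing of dxi_install_path/GUI/bin.

```python
"""Sanity-check the keystore settings in DirX Identity Manager's dxi.cfg
against the alias used with genManager.

Added example, not DirX code. Assumptions: dxi.cfg is a Java-style
properties file ('#' or '!' starts a comment) and genManager names the
keystore file manager-keystore-<alias>, as the dxi.cfg template implies."""

PLACEHOLDERS = {"", "<alias>", "manager-keystore-<alias>"}


def parse_properties(text):
    """Return (active, commented) dicts of the key=value lines in text."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        is_comment = line[0] in "#!"
        key, _, val = line.lstrip("#!").strip().partition("=")
        (commented if is_comment else active)[key.strip()] = val.strip()
    return active, commented


def check_dxi_cfg(cfg_text, alias, gui_bin_files=()):
    """Return a list of problems; an empty list means the settings are usable.

    alias:         the value given to 'set alias' in genManager
    gui_bin_files: file names present in dxi_install_path/GUI/bin (optional)
    """
    active, commented = parse_properties(cfg_text)
    problems = []
    for key in ("keystoreName", "keystoreAlias"):
        if key not in active:
            problems.append(key + (" is still commented out" if key in commented
                                   else " is missing"))
        elif active[key] in PLACEHOLDERS:
            problems.append(key + " still holds the template placeholder")
    if problems:
        return problems
    expected_name = "manager-keystore-" + alias
    if active["keystoreAlias"] != alias:
        problems.append("keystoreAlias %r does not match genManager alias %r"
                        % (active["keystoreAlias"], alias))
    if active["keystoreName"] != expected_name:
        problems.append("keystoreName %r should be %r"
                        % (active["keystoreName"], expected_name))
    if gui_bin_files and not any(f.startswith(expected_name) for f in gui_bin_files):
        problems.append("no %s* file in GUI/bin; copy the generated keystore there"
                        % expected_name)
    return problems


if __name__ == "__main__":
    # Constructed fragments: the template as shipped and a corrected version.
    TEMPLATE = "#keystoreName=manager-keystore-<alias>\n#keystoreAlias=<alias>\n"
    FIXED = ("keystoreName=manager-keystore-dxi-w-2012-03\n"
             "keystoreAlias=dxi-w-2012-03\n")
    print(check_dxi_cfg(TEMPLATE, "dxi-w-2012-03"))
    print(check_dxi_cfg(FIXED, "dxi-w-2012-03",
                        ["manager-keystore-dxi-w-2012-03", "dxi.cfg"]))
```

On a real installation, read dxi.cfg from dxi_install_path/GUI/bin and pass os.listdir() of that directory as gui_bin_files; an empty result means the keystore name, the alias and the copied file all agree.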

Adding Additional Administrators

If you have already set up smart card login for one administrator, you can define additional administrators by performing a subset of the configuration tasks.

To enable additional administrators for the recommended configuration:

  • Add the distinguished name from this administrator’s smart card certificate (in X500DN: form) to the LDAP Extended Operations Read Users attribute as described in "Configuring the DSA and LDAP Server".

  • Prepare the personalized DomainAdmin as described in "Creating a Personalized DomainAdmin".

  • Store the certificate in this personalized DomainAdmin as described in "Store the Smart Card Certificate in the Personalized DomainAdmin".

  • Add the personalized DomainAdmin to DirXmetahub read and write groups as described in "Add the Personalized DomainAdmin to DirXmetahub Read and Write Groups".