3.9 Configuring the Server Options

Perform the following configurations to configure the Advanced Authentication server settings:

3.9.1 Uploading the SSL Certificate

Advanced Authentication server uses the HTTPS protocol. You must create a certificate file that is in the .pem or .crt, or .pfx format. You must apply the existing SSL certificate on the server.

IMPORTANT:Smartphone and Voice Call authentication providers work only with a valid SSL certificate. Self-signed certificate does not work.

To upload an SSL certificate perform the following steps:

  1. Log in to the Advanced Authentication Administration portal directly and not through a load balancer or Access Manager.

  2. Click Server Options.

  3. Click Browse in Web server SSL certificate for HTTPS and select a new SSL certificate. The file must contain both the certificate and the private key.

    NOTE:The certificate must not contain any of the encrypted private keys.

    Intermediate certificates must also be placed in the certificate file in the .pem or .crt or .pfx format if they are present.

    IMPORTANT:The certificate file must be in the following order:

    -----BEGIN PRIVATE KEY----- 
    (Your Private Key: your_domain_name.key) 
    -----END PRIVATE KEY----- 
    -----BEGIN CERTIFICATE----- 
    (Your Primary SSL certificate: your_domain_name.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Intermediate certificate: intermediate.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Root certificate: TrustedRoot.crt) 
    -----END CERTIFICATE-----
  4. Click Upload.

IMPORTANT:The certificate is not replicated among the Advanced Authentication servers. Therefore, it is recommended to upload the certificate to each Advanced Authentication server or add it on a load balancer.

3.9.2 Customizing the Login Page Background

You can set a custom login page background. It must be a JPEG or PNG image and the recommended resolution is 1920x774 px, 72 dpi. You must not use backgrounds whose size exceeds 100KB. To apply a custom login page background, perform the following steps:

  1. Click Browse in Login page background.

  2. Select the background file.

  3. Click Upload to upload and apply the custom background.

  4. Click Revert to original to revert the settings to original.

3.9.3 Uploading a Keytab File

The Keytab file option located in Server Options of Advanced Authentication Administration portal helps you to upload a keytab file. The keytab file contains the encrypted files required for the Advanced Authentication server to authenticate to the selected Active Directory using Kerberos.

  1. Generate a keytab file for Kerberos authentication to the Advanced Authentication server on a Domain Controller. For information on generating a keytab file, see the website.

    Sample command to create the keytab file:

    ktpass /princ HTTP/aas1.netiq.loc@NETIQ.LOC /mapuser aas1srv@authasas.local /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass Q1w2e3r4 /out C:\Temp\keytab_aas1srv

    Information about the sample command is as follows:

    • HTTP in upper-case is mandatory in the parameter for keytab file. For more information, see the website.

    • aas1 is a server name (according to record in DNS), the domain name is netiq.loc.

    • aas1srv is a service account specially created in Active Directory for the Advanced Authentication server, Q1w2e3r4 is the password.

    • The keytab file keytab_aas1srv is created in the folder C:\Temp.

    IMPORTANT:If there are multiple Advanced Authentication servers in the cluster, generate a keytab file for each Advanced Authentication server. Different users must be used for the keytab file generation for each server.

  2. Click Upload to select and upload the keytab file.

NOTE:Keytab file can be removed only when an Active Directory repository is selected in the Kerberos SSO Options policy.