McAfee EPOCDE-AA-BA Product Guide - Page 58
Authenticating with certificates, When to use certificate authentication
Page 58 highlights
7 Configuring advanced server settings

Authenticating with certificates

Client-side certificate authentication allows a client to use a digital certificate as its authentication credentials when logging on to an ePolicy Orchestrator server. This chapter details how and when certificate authentication should be used.

Contents
• When to use certificate authentication
• Configuring ePolicy Orchestrator for certificate authentication
• Uploading server certificates
• Removing server certificates
• Configuring users for certificate authentication
• Problems with certificate authentication

When to use certificate authentication

Certificate authentication is the most secure method available. However, it is not the best choice for all environments.

Certificate authentication is an extension of public-key authentication. It uses public keys as a basis, but differs from public-key authentication in that you only need to trust a trusted third party known as a certification authority (or CA). Certificates are digital documents containing a combination of identity information and public keys, and are digitally signed by the CA, which verifies that the information is accurate.

Advantages of certificate-based authentication

Certificate-based authentication has a number of advantages over password authentication:
• Certificates have predefined lifetimes. This allows for a forced, periodic review of a user's permissions when their certificate expires.
• If a user's access must be suspended or terminated, the certificate can be added to a certificate revocation list, or CRL, which is checked on each logon attempt to prevent unauthorized access.
• Certificate authentication is more manageable and scalable in large institutions than other forms of authentication because only a small number of CAs (frequently only one) must be trusted.

Disadvantages of certificate-based authentication

Not every environment is best for certificate-based authentication. Disadvantages of this method include:
• A public-key infrastructure is required. This can add cost that in some cases may not be worth the additional security.
• Additional overhead in maintaining certificates is required compared to password-based authentication.

Configuring ePolicy Orchestrator for certificate authentication

Before users can log on with certificate authentication, ePolicy Orchestrator must be configured properly.

Before you begin
You must have already received a signed certificate in P7B, PKCS12, DER, or PEM format.

58 McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide
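The "Before you begin" prerequisite names four accepted formats. The sketch below is an added example, not part of the product guide or of ePolicy Orchestrator: it reports which of the four a file's bytes appear to be by inspecting the outer ASN.1 structure. The function names and sample bytes are assumptions made for illustration.

```python
import base64
import re

# DER bytes of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData), tag and length included.
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _sequence_body(data):
    """Content of the outer definite-length SEQUENCE, or None if malformed or truncated."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                        # short form: the byte is the length
        start, length = 2, data[1]
    else:                                     # long form: low 7 bits count the length bytes
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:   # n == 0 is indefinite-length BER
            return None
        start, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    body = data[start:start + length]
    return body if len(body) == length else None

def classify_der(data):
    body = _sequence_body(data)
    if not body:
        return "unknown"
    if body[0] == 0x30:                       # tbsCertificate SEQUENCE: X.509 certificate
        return "DER"
    if body[:3] == b"\x02\x01\x03":           # INTEGER 3: PFX version field
        return "PKCS12"
    if body.startswith(PKCS7_SIGNED_DATA):    # ContentInfo carrying signedData
        return "P7B"
    return "unknown"

def detect_format(raw):
    """Return 'P7B', 'PKCS12', 'DER', 'PEM' or 'unknown' for the bytes of a file."""
    match = PEM_RE.search(raw)
    if match is None:
        return classify_der(raw)
    try:
        inner = classify_der(base64.b64decode(match.group(2)))
    except ValueError:
        return "unknown"
    label = match.group(1)
    if (label, inner) == (b"CERTIFICATE", "DER"):
        return "PEM"
    return "P7B" if (label, inner) == (b"PKCS7", "P7B") else "unknown"

# Constructed samples: outer headers only, not real certificates or keystores.
SAMPLE_DER = bytes.fromhex("3006" "3000" "3000" "0300")
SAMPLE_P12 = bytes.fromhex("3005" "020103" "3000")
SAMPLE_P7B = bytes.fromhex("300d") + PKCS7_SIGNED_DATA + bytes.fromhex("a000")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
```

This inspects structure only and verifies no signature or chain; a DER-encoded CRL has the same outer shape as a certificate, so treat the result as a pre-upload sanity check rather than validation.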