This page explains how to enable PKI so that users can log in to the Portal and Command Centers with certificates or smart cards instead of passwords. The process assumes that your organization already has the necessary certificates:
It also assumes that you have completed the following procedures, all of which are external to Lumeta:
When the Public Key Infrastructure (PKI) feature is enabled on Lumeta Portal and Command Center, you will no longer need a password to log into the Lumeta Web UI or CLI. You will use certificates stored on your local system or on a smart card (CAC) to identify yourself to Lumeta. You will still be able to use a password to log in to the system's console.
The procedures that follow will give your user community a reprieve from disconcerting certificate-related warning messages like this one, from a Chrome browser:
Other browsers display warning messages as well:
PKI is supported on the three most recent versions of the following browsers:
The first step is to load a server certificate, which enables your browser to validate the Portal or Lumeta server. This one-time procedure is performed by the Portal or Lumeta system administrator. Server certificates are used regardless of whether PKI is enabled. When users do not upload their own server certificates, the system uses the unique self-signed certificates that are delivered with the Portal or Lumeta license.
Although your certificates may use any naming convention, file extension, friendly name, and password (also called a secret), be aware that the Common Name (CN) listed in the server certificate's Subject must match your Portal or Lumeta system's IP address, host name, or domain.
Before beginning this procedure, procure the following:
Follow this procedure:
Browse to a Server Certificate stored on your local system. This file is in PKCS12 format and typically has a .p12 or a .pfx extension.
Files with the .pfx extension must be renamed to have a .p12 extension.
The next steps are to load CA certificates, users' certificates, and SSH certificates. The CA file may contain many CAs. It should provide the Lumeta system with all of the CAs that have signed all of your users' certificates.
Load Certification Authority (CA) Certificates to Portal or Lumeta
The next step is to load a CA certificate, which will enable the Portal or Lumeta server to validate Portal or Lumeta users. The CA that signed the users' certificates should also be loaded into the browser or operating system of each user's local system; that procedure is beyond the scope of this document. This is also a one-time procedure performed by the system administrator.
Before beginning, you’ll need Certification Authority certificates in PEM format.
Load certificates for users so that users can access the web browser interface without needing a password.
The private portion of a user's certificate may be loaded into the browser or operating system of the local system, or it may reside on a smart card (CAC). A description of loading the certificate into the browser or operating system is beyond the scope of this document.
Before beginning, you’ll need the users' public key certificate in PEM format.
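The pre-upload checks below are an added example, not Lumeta's own tooling: they confirm that the server certificate's CN matches the name users will browse to, give a .pfx bundle the .p12 extension the upload requires, and confirm that each user's PEM certificate chains to a CA in the bundle you are about to load. They assume the openssl CLI is installed; file paths, host names and passwords are placeholders supplied by the caller.

```shell
#!/bin/sh
# Pre-upload checks for the server, CA and user certificates this page asks you
# to procure. Added example, not Lumeta's own tooling; assumes the openssl CLI.
# Paths, host names and passwords are placeholders supplied by the caller.

# Print the Subject CN of the server certificate inside a PKCS12 bundle.
#   $1 = .p12/.pfx file   $2 = bundle password (the "secret")
p12_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
      | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the CN equals the IP address, host name or domain users will
# type into the browser; a mismatch is what produces the browser warnings above.
#   $1 = .p12/.pfx file   $2 = password   $3 = expected name
cn_matches_host() {
    [ -n "$3" ] && [ "$(p12_cn "$1" "$2")" = "$3" ]
}

# The upload only accepts a .p12 extension: copy a .pfx bundle to a .p12 name
# (same bytes, it is PKCS12 either way) and print the path to upload.
#   $1 = .pfx or .p12 path
as_p12() {
    case "$1" in
        *.pfx) cp "$1" "${1%.pfx}.p12" && printf '%s\n' "${1%.pfx}.p12" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Count the CA certificates in a PEM bundle, so you can confirm every issuer of
# your users' certificates is present before uploading it.
#   $1 = PEM CA bundle
ca_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Check that a user's PEM certificate chains to a CA in the bundle; a user whose
# issuer is missing from the bundle will not be able to log in once PKI is on.
#   $1 = PEM CA bundle   $2 = user certificate (PEM)
user_cert_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```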
In this procedure, Portal or Lumeta system administrators upload SSH keys to provide their users with access to the CLI. The Portal or Lumeta system administrator repeats this procedure for each Portal or Lumeta user. Users will connect to the CLI using PuTTY-CAC or another SSH client.
Before beginning, you’ll need the users' public SSH certificate.
The private portion of a user's SSH key should be either in a file on the local system or on a smart card (CAC). Where to put the private key and how to extract the public key from a smart card is beyond the scope of this document.
The final step is to enable PKI. This permits Portal or Lumeta users to access the system without having to use a password. You will perform this step once on your Lumeta system.