Enabling multi-factor authentication for CES


CES supports multi-factor authentication (MFA), which enhances the security of your environment by requiring multiple verification methods.

Using a smart card and client certificate in multi-factor authentication adds an extra layer of security by verifying the device's identity and ensuring that only trusted devices can access sensitive information in CES and the web products. This reduces the risk of unauthorized access even if passwords are compromised.


To set up smart card authentication to support multi-factor authentication, perform the following steps:

  1. Make sure that you have a valid certificate on your smart card device. CES supports certificate files that are in the .pfx format only.
  2. Log on to CES.
  3. If CES security is enabled or you are logging on as a guest user, select the Administration > Web server settings > Server tab.
    1. In the Server protocols pane, turn on the Enable HTTPS toggle switch.
    2. Enter the relevant details in the fields in the Server certificate for Java KeyStore pane.
    3. Click Apply and restart server. Accept the CES restart prompt.
  4. After CES restarts, again select the Administration > Web server settings > Server tab.
    1. In the Client workstation certificate authentication pane, select the TrustStore type.
    2. Enable the Require client authentication switch and specify the relevant details in the pane.
    3. Click Apply and restart server and accept the CES restart prompt.
  5. After CES restarts, access CES by using the HTTPS protocol and the HTTPS port.
  6. Select the Administration > Web server settings > Server tab.
    1. In the Server protocols pane, turn on the Enable Strict HTTPS (HTTP Strict Transport Security) toggle switch to use CES only on the HTTPS port.
    2. Enter the password in both the Password fields.
    3. Click Apply and restart server and accept the CES restart prompt.
  7. Access CES by using the HTTPS protocol and the HTTPS port. CES prompts you to select the client certificate.
  8. Log on to CES and select the Administration > Security settings > Security tab.
    1. If the Authentication mode is Disabled, select Enable to enable CES security.
    2. In the Protocol pane, configure the Client certificate protocol settings pane.
    3. In Client certificate mask, use the default value.
    4. In Administrators, enter the relevant user names as configured in the certificate. The user names must be the same as the Subject – CN value displayed in the certificate.
    5. Click Apply and accept the CES restart prompt.
  9. When CES restarts, log on to CES by using your smart card.
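Steps 1 and 8 depend on the .pfx file holding a currently valid certificate whose Subject CN is exactly the name entered in Administrators. The shell functions below are an added example, not part of the CES documentation, and use only the openssl command line. Assumptions of this example: the file password is read from a PFX_PASS environment variable, names are compared exactly (including case), and the demonstration runs against a throwaway self-signed certificate constructed on the spot.

```shell
#!/bin/sh
# Pre-flight checks for a smart card certificate exported as .pfx.
# The password comes from the PFX_PASS environment variable (assumption of
# this example) so that it does not show up in the process list.

# pfx_subject_cn FILE -> prints the Subject CN of the client certificate
pfx_subject_cn() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS 2>/dev/null |
        openssl x509 -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p' | head -n 1
}

# cn_matches_admin FILE NAME -> exit 0 only if NAME equals the Subject CN.
# Exact, case-sensitive comparison is a conservative assumption.
cn_matches_admin() {
    cn=$(pfx_subject_cn "$1")
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# pfx_cert_current FILE -> exit 0 only if the certificate has not expired
pfx_cert_current() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS 2>/dev/null |
        openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# make_sample_pfx OUTFILE CN -> constructed, self-signed test input only
make_sample_pfx() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Corp/CN=$2" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$1" -passout env:PFX_PASS >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Demonstration on constructed data: jane.doe is a made-up user name.
PFX_PASS=${PFX_PASS:-constructed-demo-pass}; export PFX_PASS
sample=$(mktemp)
if make_sample_pfx "$sample" "jane.doe"; then
    echo "Subject CN: $(pfx_subject_cn "$sample")"
    cn_matches_admin "$sample" "jane.doe" && echo "jane.doe: matches"
    cn_matches_admin "$sample" "Jane.Doe" || echo "Jane.Doe: does not match"
    pfx_cert_current "$sample" && echo "certificate is within its validity period"
fi
rm -f "$sample"
```

To check a real export, set PFX_PASS in the environment and call cn_matches_admin with the path to the .pfx file and the user name you intend to enter.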

If your smart card holds a valid certificate and you log on to CES with that certificate, you receive the permissions assigned to the default group (AppUsers), which has the Automatically assign users option enabled.

As an administrator, to moderate access rights for users, you can either create a new group or modify an existing group with the Automatically assign users option enabled to grant the relevant access.

 
