Client Manager - ADSS-Admin-Guide

Client Manager

The ADSS Client Manager module is used to control business application access to the following ADSS Server services:

ADSS Signing Service
ADSS Verification Service (covers both signature verification and certificate validation)
ADSS Certification Service
ADSS LTANS Service

ADSS XKMS Service

ADSS Decryption Service
ADSS Go>Sign Service
ADSS RA Service
ADSS RAS Service
ADSS SAM Service
ADSS CSP Service
ADSS NPKD Service
ADSS SPOC Service
Advanced Settings

The other ADSS Server services including ADSS TSA, ADSS OCSP and ADSS SCVP are not controlled by client manager since these are more general services offered to a wide range of end-user clients and not to a smaller number of business application clients. These services use their own Access Control module to allow open or restricted access.

For the bullet point list of trust services shown above, these are based on an XML/SOAP Web Services interface and the interaction of end-users with these services is typically done via business applications which in turn make requests to ADSS Server. This section explains how these client business applications can be registered so that they can be authenticated and their access to specific services, service profiles and keys can be reviewed and authorized.

Click on the Client Manager tab to access this module. The screen displays a table of all existing clients that can access the above ADSS Server trust services:

Click the New button as shown in the above screen to register new clients, you will be presented with the following screen:

The configuration items are as follows:

Item	Description
Status	A client may be marked as Active or Inactive. Note: Only active clients can request services from ADSS Server.
Client ID	Specify a unique ID of the client that will be used later for service requests to ADSS Server. This field is mandatory to be filled for client registration. If crypto source Azure Key Vault is being used for Key/Certificate storage while using Certification/RA services, then only these characters are supported in Client ID: A-Z, a-z, 0-9 and hyphen "-". This is important because the final certificate alias is a concatenation of Client ID and the certificate alias being sent in requests to Certification/RA services. Note: The maximum acceptable length for Client ID is 50 visible characters. If you are registering a foreign SPOC as a client, then client ID should consists of two-letter country code of the foreign SPOC e.g. 'FR' for France.
Request Signing Certificate	If any of the services require the request message to be signed then the client’s request signing certificate must be imported using the Browse button so that the ADSS service modules can verify the signature on the request message. Once the client get registered then the configured certificate can be viewed/removed using View Certificate / Remove button respectively. Once a configured Certificate is removed, user needs to press the Save button to make the changes take effect.
TLS Client Certificate	If any of the services require the request message to be sent over TLS Client Authentication then the TLS Client Authentication Certificate must be imported using the Add button so that the ADSS Server can validate the request against this certificate. Once added, user needs to press the Save button to make the changes take effect. Multiple TLS Client Certificates can be added against a single client. Note: It is required to register the Issuer CA of the TLS Client Authentication Certificate in Trust Manager with the purpose CA for verifying TLS client certificates.
Certificate Friendly Name	Enter a unique friendly name for the certificate for internal tracking and reporting purposes.
Certificate DN	Certificate DN is an auto populated field and is extracted from configured certificate. By clicking on this, user can also view the certificate.
Valid To	Shows the date and time till when a configured certificate is valid.
Status	Shows the status of the configured certificate in the table. The possible values are Active/Expired/Not Yet Valid.
Remove	This button is used to remove a configured certificate from the list by selecting it using radio button against it. Once removed, user needs to press the Save button and Restart Service Instance to make the changes take effect.
Auxiliary Setings	Specifies the additional information of the client for easy management.
Client Friendly Name	Enter a unique friendly name for the client application for internal tracking and reporting purposes. This field is mandatory to be filled for client registration. Note: The maximum acceptable length for Client ID is 50 visible characters.
Phone No	Optionally specify the Client's Phone Number.
Address	Optionally specify the Client's Address.
Email Address	Optionally specify the Client's Email Address.
Employee No	Optionally specify the Client's Employee Number.
Social Security Number	Optionally specify the Client's Social Security Number.
National Identification Number	Optionally specify the Client's National Identity Number.
Additional Information 1	Optionally specify the additional information related to Client
Additional Information 2	Optionally specify the additional information related to Client

It is not necessary to register each end-user on ADSS Server; only the business applications that actually make requests to the ADSS Services needs to be registered
The list of registered ADSS Server clients can be sorted by Status, Client ID, Created At, or Friendly Name.

Clicking on the Search button on Client Manager main screen will display following screen:

This helps to locate a particular client. The clients can be searched based on Client ID, Client's Friendly Name and Status. If a search is based on multiple values, then these will be combined together using the “AND” operand, and thus only records that meet all the criteria will be presented.

If "_" character is used in the search then it will act as wildcard.

Signing Service

Verification Service

Certification Service