Service Plans
A Service Plan is a collection of allowed services and certificate types that are assigned to an Enterprise. A service plan may specify but not limited to the following:
- To control the issuance of server-side keys
- Simple
- Remote Authorisation
- To control the issuance of client-side key
- Certifying a CSR
- Generating a key pair on client side (e.g. in a PKCS#11 device) using ADSS Go>Sign Desktop
- Multi-factor authentication (optional)
- At the time of system login
- At the time of sending certificate revocation request
- At the time of sending certificate renewing request
How it Works?
- The Service Plans can be assigned to the Enterprises only. You cannot assign the Service Plan to the users.
- Based on your business requirements you can create multiple Service Plans to offer different set of certification services to the different enterprises.
- You can configure one service plan in multiple enterprises but it is good practice to create separate Service Plan for each Enterprise if you are the service provider and you got many enterprises registered in the Web RA.
|
Basic Information |
|
|
Field |
Description |
|
Name |
Specify a unique name for this service plan, i.e. My Service Plan. The service plans are used in the configuration of Enterprise Accounts. |
|
Description |
Specify any description related to this service plan for your record. |
|
Active |
Tick this check box to make this service plan active. Inactive service plans cannot be configured in the Enterprise Accounts. |
|
Profiles Settings |
|
|
Field |
Description |
|
Key Stores > Profiles for requesting certificates with CSR |
This field will list all the active ADSS Certification Service Profiles that have been created to issue certificates by submitting users' CSRs. Specify the ones to be used by Web RA to process such certificate requests. If the check box Enable client keys is checked in the profile then the profile will be shown in Profile for requesting certificate with CSR dropdown where operator can configured it in service plan.
|
|
Key Stores > Profiles for creating keys on smartcards/tokens |
This field will list all those active ADSS Certification Service Profiles that have been created to issue signing keys and certificates on smart cards and tokens, i.e. the profiles in which the "Smartcard/Token Profile" field is enabled. Specify the one to be used by Web RA to process such certificate requests. |
|
Key Stores > Profiles for server-side keys & certificates |
This field will list all those active ADSS Certification Service Profiles that have been created to issue remote/ server-side signing keys and certificates. The remote keys will be generated and held in the ADSS Server. Specify the ones to be used by Web RA to process such certificate requests. If the check box Enable client keys is unchecked in the profile then the profile will be shown in Profile for server-side keys & certificates drop down where operator can configured it in service plan. In case of specifying multiple profiles here, the Web RA operator will have the option to choose the one before sending a server-side certificate request. |
|
Services > CSP Profile |
This field will list all those active ADSS CSP Service Profiles that have been created to issue Remote Authorised Signing (RAS) certificates. Specify the one to be used by Web RA to process such certificate requests. |
|
Services > Device Enrolment Profile |
This section lists down all configured profiles to create certificates for SCEP (Simple Certificate Enrolment Protocol) and Certificate Management Protocol (CMP). On selection of SCEP or CMP profile in a service plan, the device enrolment option appears on Web RA user's portal. |
|
Services > SigningHub Connector |
This shows the list of all configured SigningHub connectors that can be used for Web RA integration. |
|
Services > Default certificate profile for SigningHub |
This shows the list of all configured certification profiles which can be used for default certificate generation for Remote Authorisation Signing under integrated app. If None is selected then no default certificate will be generated under integrated app for enterprise account at registration time. |
|
Advanced Settings |
|
|
Field |
Description |
|
Login Authentications > Primary Authentication Profile |
Primary authentication configured as login authentication which lets an enterprise RAO to login on Web RA User's portal and by default one of the available Primary Authentication profiles must be selected. |
|
Enterprise Registration > Enable vetting to approve enterprise registration |
This enables the vetting on new enterprise account registrations, if enabled then the list of vetting forms appears to select a vetting form that has to be shown while registering an enterprise either through Web RA Admin or Web RA Web. When None is selected under Vetting Form list, then no vetting form appears to be filled and only the new enterprise registration has to be approved by Admin RAO. |
|
Notifications |
|||
|
Field |
Description |
||
|
SMS Gateway |
This shows all the configured SMS gateway connectors that can be selected to receive OTP via SMS. Additionally, OTP length and retry interval can also be set. |
||
|
Email Gateway |
This shows the list of configured SMTP connectors that can be selected to receive email notifications.
|
||
Create a Service Plan
- Click Service Plans from the left menu.
- Click
from the grid header. - A dialog wizard will appear to configure the service plan details. The wizard consists of 4 sequential screens, i.e.:
- Basic Information
- Profile Settings
- Authentications
- Notifications
- Specify the details of each screen accordingly and click Next to proceed further. Click Finish. A new service plan will be saved and displayed in the list. You may also edit and delete this service plan as required, see details. See the below table for fields description.
- Click Publish Changes from the top right corner, to make these configurations effective.
SAML Authentication
When creating a service plan for SAML authentication, a user will b required to fill some basic information, profile settings, notification and advanced settings. The Advanced Settings screen will display a drop down named as 'Login Authentications', which will require all the primary authentications that are to be configured in the system. Once the user completes the configuration, the primary settings will include Email/Password authentication and SAML authentication. Here, user can select the SAML authentication profile configured previously with name as SAML Authentication using Azure.
|
|
Note: It is the responsibility of an administrator to ensure that SAML is not configured as both primary and secondary authentication simultaneously while logging in. Web RA does not have any automated check to prevent an administrator from doing so. |
Configure Service Plan in Enterprise
- Click Enterprises from the left menu.
- Search the Enterprise whose service plan is required to change and click
adjacent to it. - Select Edit.
- A dialog wizard will appear to configure the service plan details. The wizard consists of 3 sequential screens (Profile Settings, Notification and Advance Settings).
- Navigate to the Advanced Settings tab.
- Select the new Service Plan from the drop down.
- Click Finish to save the configurations.
- Click Publish Changes from the top right corner, to make these configurations effective.
An operator can configure multiple authentication profiles in a service plan for primary and secondary authentication. One of them will be selected by default, as shown below:
