Question & Answer
Question
Why am I unable to add new users and manage existing ones after enabling Smart Card Authentication?
Cause
When Smart Card authentication is enabled, Guardium relies on the external, read-only LDAP authority as the System-of-Record that provides both Authentication and Authorization.
Changing or modifying user credentials on the end-point (the Guardium appliance) would introduce a second System-of-Record.
This is contrary to standard best practice, because it would make the end-point the authority for Authentication and Authorization and could subvert the LDAP authority.
Answer
The best practice is to use the Smart Card credentials as they are and compare them against the System-of-Record.
When the two match, Authentication and Authorization are approved; when they do not match, access is denied.
The recommendation is to make the LDAP authority the 'System-of-Record', so that it holds the credentials that match those provided on the Smart Card.
Product Synonym
IBM Guardium
Document Information
Modified date:
11 November 2019
UID
ibm11105377