Enhanced Settings
For details about configuring the 1E Client Auto-Provisioning for 1E Client, refer to 1E Platform client requirements
You can access this menu by clicking your avatar and selecting Enhanced Settings.
In the Intelligence and Inventory Insights modules the 1E Client certificate settings, and Platform settings are available from the left-hand navigation.
Certificates
The Settings module contains the Client Cert Provisioning feature. Certificates are essential for establishing a secure connection between the 1E Client and the 1E Platform. They ensure that communication is encrypted and that both parties can verify each others identity, preventing unauthorized access and ensuring data integrity. The Certificate Provisioning service provides you with an alternative to using your own PKI infrastructure.
Permissions
The Settings module is only visible, and restricted to the Full Administrator role by default or a configured role with the Security permission. For users with the Security, Read permission, the Enable/Disable toggle is grayed out, the GENERATE KEY button is not visible, and actions for existing keys, such as revoke, reactivate, or suspend, are not displayed. Refer to Roles and Securables and Roles.
Using the Provisioning Service
If you have an upgraded version of 1E Platform or use a newly provisioned instance, note the following:
-
Use Provisioning Service: Is disabled by default for both new and existing platform instances. You will need to manually enable this service using the toggle.
-
Use Certificates Provisioned by my Organisation: Is disabled by default for new platform instances. You cannot currently change this option (if disabled). To enable the feature, supply 1E with your certificates.
If you have an upgraded instance and previously supplied your own certificates, the feature will be automatically enabled, as shown in the following image. To make any changes to these settings, please contact 1E Support through the 1E Support Portal.
The 1E Client typically selects the first appropriate client certificate available in the Windows certificate store. If it fails to connect to the Switch with that certificate, it will try other certificates sequentially until a successful connection is made or all options are exhausted. Once a working certificate is identified, the 1E Client records it for future connections to the Switch.
The CA certificate that the Switch loads for a tenant depends on the toggle settings. When you activate the Use Provisioning Service setting and create a provisioning key, this action is independent of the Use Certificates Provisioned by my Organisation setting. The latter toggle cannot be directly modified by end users. It is enabled if the tenant has been pre-configured with one or more existing CA certificates, which are set during tenant provisioning or adjusted post-provisioning by 1E.
For example, if an existing tenant has already provided ACMECorp CA certificates (indicating the second toggle is active), and then enabled the Use Provisioning Service toggle (activating both toggles), the Switch will accept client certificates issued by ACMECorp as well as those automatically provisioned.
Provisioning key states
As a security admin, when managing the auto provisioning service, you can activate, suspend or revoke auto provisioned certificates so you can control their usage.
State |
Description |
---|---|
Active |
Key is currently active, and can be used to issue client certificates. |
Suspended |
Key is suspended. When suspended, no client certificates will be issued, but clients with previously issued certificates will be able to connect. However, if the client certificate expires it will not be able to renew the certificate and the key is suspended. Suspension of a key is reversible, when resumed the key will be moved back to the Active state. |
Revoked |
Key is revoked. No client certificates will be issued by the Certificate Service and clients with certificates issued by this key cannot connect. Revoking a key is a permanent operation. The key is no longer usable. |
Provision a key
A maximum of 3 concurrent keys are allowed, which includes both active and suspended keys.
Suspended keys are included in the limit because they can be resumed, and once resumed become active. If the limit is reached you cannot create additional keys. Revoked keys do not count towards the limit because this action cannot be undone, so revoking an active or suspended key allows you to create a new key.
Keys are valid until they are either suspended or revoked.
-
Click GENERATE KEY to start the process.
-
Specify the provisioning key name which should follow these considerations:
-
Should be unique.
-
Not exceed the name limit of 64 characters.
-
Must start with a letter.
-
Can include alphanumeric characters, spaces and dashes (-).
-
-
Click GENERATE KEY.
When the key is generated, you must copy it to the clipboard for use in your 1E Client deployment process, you will be unable to view the key again later.
The CLOSE button will not be enabled until you have copied the key. You will need to provide this key to the 1E Client as part of your command-line installation arguments, and if you are using the 1E Client Deployment Assistant. Refer to Running the wizard and 1E Platform client requirements
-
Once you have successfully copied the new key to the clipboard, the CLOSE button will be enabled.
Click the three dots in the Action column for each provisioning key to view its details, suspend or revoke it.
Rename a key
You can rename a provisioned key to enhance key management, the key name should be unique and not exceed the 64 character limit.
Suspend a key
To suspend a key.
-
Click the three dots under the Action column on the Provisioning Service page, and click Suspend key.
-
To proceed you will need to add Reasons for suspending this key, select I understand the impact of this action and want to proceed and click SUSPEND KEY.
-
You see the following message confirming the key has been suspended. The Provisioning Keys table will display the new Status for the key.
Reactivate a key
You can only reactivate suspended keys.
To reactivate a key.
-
Click the three dots under the Action column on the Provisioning Service page, and click Reactivate key.
-
To proceed you will need to select I understand the impact of this action and want to proceed and click REACTIVATE KEY.
-
You see the following message confirming the key has been reactivated. The Provisioning Keys table will display the new Status for the key.
Revoke a key
To revoke a key.
-
Click the three dots under the Action column on the Provisioning Service page, and click Revoke key.
-
To proceed you will need to add Reasons for revoking this key, select I understand the impact of this action and want to proceed and click REVOKE KEY.
Revoking a key is a permanent action and cannot be undone.
-
You see the following message confirming the key has been revoked. The Provisioning Keys table will display the new Status for the key.
Disable the provisioning service
-
Clicking the Use Provisioning Service toggle will disable the provisioning service with the following actions.
-
To continue, select I understand the impact of this action and want to proceed.
Enable the provisioning service
To enable the provisioning service once from the disabled state.
-
Click the Use Provisioning Service toggle to enable the service.
-
All devices relying on the service will be brought online.
-
New certificate provisioning requests will be accepted.
-
All previously disabled keys will be enabled.
-
Audit log
The platform records who performed the action, and when it was performed. For suspend, re-activate, and revoke actions, you must provide a reason to be included in the log. The 1E Platform audit log is available to view at Settings > Monitoring > Audit information log, refer to Monitoring.
The Certificate Service saves the following operations to the Audit log:
-
Tenant.
-
Issuer certificate.
-
Create / Renew.
-
-
-
Provisioning Feature.
-
Enable / Disable.
-
-
Provisioning key.
-
Created.
-
Suspended.
-
Re-activated.
-
Revoked.
-
Renamed.
-