Configure smart card authentication without a domain
You can configure NetBackup to validate users with smart cards or certificates without an associated AD or LDAP domain. Only users are supported for this configuration. User groups are not supported.
To configure smart card authentication without a domain
- At the top right, select Settings > Smart card authentication.
- Turn on Smart card authentication.
- (Conditional step) If AD or LDAP domain is configured in your environment, select Continue without the domain option.
- Select a Certificate mapping attribute: Common name (CN) or Universal principal name (UPN).
- Optionally, enter the OCSP URI.
If you do not provide the OCSP URI, the URI in the user certificate is used.
- Select Save.
- To the right of CA certificates, click Add.
- Browse for or drag and drop the CA certificates and click Add.
- Smart card authentication requires a list of trusted root or intermediate CA certificates. Add the CA certificates that are associated with the user digital certificates or the user smart cards.
Certificate file types must be
.crt,.cer,.der,.pem, orPKCS #7format and less than 64KB in size. - On the Smart card authentication page, verify the configuration information.
After configuring smart card authentication, you must restart the NetBackup Web Management Console (nbwmc) service.
Before users can use a digital certificate that is not installed on a smart card, the certificate must be uploaded to the browser's certificate manager.
- When users sign in, they now see an option to Sign in with certificate or smart card.
If you do not want users to have this sign-in option yet, turn off Smart card authentication. (For example, if all users do not yet have their certificates configured on their hosts.). The settings that you configured are retained even if you turn off smart card authentication.