Clients Tab

Partition SO (Security officer - UKC partition administrator role) ˃ Clients

→ presents the following:

Table of Clients

The table of clients. Each row presents the following attributes:

  • Name of the client.
  • Status - activation status. Applicable to clients created using Activation Code (AC).
  • Registration mode - see Clients Tab.
  • Certificate expiry - certificate's expiration due date.
  • Last Changed - the last time the client was modified.
  • [] - see Commands and Clients Tab.

Notes
1. The red alert badge next to the Clients tab in the TOC pane (Table of Contents, the left pane in the Web UI) indicates the number of clients that should update their certificates. These clients are highlighted on the clients list.
2. Non-persistent (not stored in the CORE database) ephemeral clients are not listed.

Add Client

Partition SO ˃ Clients ˃ Create

→ The New Client dialog appears:

  • Client name - enter the client's name.
  • Note
    It is good practice to use the client's hostname as the client's name.

Click the Add button.

Activation Code (AC)

This method:

Client name - see Client Name Characters.

Client IP verification - click ▼

→ Two options are presented:

Use advanced configuration - click the checkbox to modify the following default settings:

Add client - once clicked, the system stores the potential client settings and enables the client to complete its registration with the partition. Once you click this button, the AC (Activation Code) value appears. Write it down or use Refresh AC to extend its validity or create a new value as needed.

The new client now appears on the partition client list. Its status is pending - waiting for registration from a client appliance.

To proceed with the registration, forward the following settings to the client appliance's admin:

  • The partition's name.
  • The client's name.
  • The activation code.

Ephemeral Client Template

This method:

  • Adds the template name to the partition's client list.
    1. Specifies settings that shall be used by all clients that choose the template-based registration.
    2. All such clients shall use the Activation Code that is assigned to the Template.
  • Creates an AC (Activation Code) that shall be used to register ephemeral clients. See Ephemeral client registration.
  • Use the Refresh AC command to restart the timer with or without changing the AC.

  • Allows specifying whether the ephemeral client data will be stored in the CORE database (default: true) or not.

Template name - see Client Name Characters.

Client IP verification - click ▼

→ Two options are presented:

Persistent checkbox

  • true (default) - the data of ephemeral clients created using this template is stored in the CORE database.
  • false - the data of ephemeral clients created using this template isn't stored in the CORE database. Such clients will not appear when listing the clients.

Use advanced configuration - click the checkbox to modify the following default settings:

Add ephemeral client template - records the above settings and enables a client to complete its registration with the partition. Once you click this button, the AC (Activation Code) value appears. Write it down or use Refresh AC to extend its validity or create a new value as needed.

The new client-template name now appears on the partition client list. Its status is pending - waiting for registration from a client appliance.

To proceed with the registration, forward the following settings to the client appliance admin:

  • Partition name.
  • Template's name.
  • Activation code.
  • Type of registration - template

Certificate Download (Full)

This method:

  • Adds the client's name to the partition's client list.
  • Creates the client's certificate that shall be installed in the designated appliance.

Once you select this option, the following dialog appears:

Client name - see Client Name Characters.

Client alternative names and addresses - a comma-separated list of the client IP addresses and their hostnames.

Note: Subject Alternative Names (SAN, the certificate field with a list of IP addresses) in the generated certificate shall contain:
- The specified client name, if it is a valid DNS name
- The specified IP addresses and the RFC1123-compliant hostnames

Note
Invalid entries are silently omitted.

Important
The SAN (Subject Alternative Names) is mandatory if the partition's settings enforce validation of the certificate sender's IP. See Certificate Misuse Prevention.
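Because invalid entries are dropped without any error, it is worth checking the "Client alternative names and addresses" list before submitting it. The following Python sketch is an added example, not part of the CORE product or its documentation; it assumes that "valid DNS name" and "RFC1123-compliant hostname" mean the RFC 1123 hostname syntax, and the function names and sample values are constructed for illustration.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_rfc1123_hostname(name: str) -> bool:
    """Syntactic RFC 1123 hostname check (assumed to match the product's rule)."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    # RFC 1123 2.1: a hostname never has dotted-decimal form, so a numeric
    # last label (for example a mistyped IP address) is rejected.
    if labels[-1].isdigit():
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def preview_san(client_name: str, alt_names: str):
    """Return (dns_names, ip_addresses, omitted) expected for the dialog input."""
    dns, ips, omitted = [], [], []
    # The client name is included only if it is a valid DNS name.
    (dns if is_rfc1123_hostname(client_name) else omitted).append(client_name)
    for raw in alt_names.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ips.append(str(ipaddress.ip_address(entry)))  # IPv4 or IPv6
            continue
        except ValueError:
            pass
        if is_rfc1123_hostname(entry):
            if entry not in dns:
                dns.append(entry)
        else:
            omitted.append(entry)  # would be silently dropped from the SAN
    return dns, ips, omitted


if __name__ == "__main__":
    # Constructed sample input, not taken from a real deployment.
    names = "10.20.0.15, app01, db_server, 10.20.0.256, 2001:db8::15"
    dns, ips, omitted = preview_san("app01.example.internal", names)
    print("DNS names:", dns)
    print("IP addresses:", ips)
    print("Omitted:", omitted)
```

An empty IP list in the preview is the case to catch when the partition enforces validation of the certificate sender's IP.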

Use default PFX (an archive file format for storing cryptography objects using Base64 encoding) password checkbox -

  • Check this box if the certificate shall be used by the CORE client software and installed as required by the CORE client software.
  • Tip
    Use this option if your appliance cannot validate the EP certificate. Otherwise, you should use the Activation Code (AC) procedure to register the client and to obtain and install its certificate and its trust certificates.

  • In all the other cases - specify the password.
  • See Full Client.

Client IP verification - click ▼

→ Two options are presented:

Use advanced configuration - click the checkbox to modify the following default settings:

The created certificate is stored in the PFX file in the browser's default download directory.

External Certificate

This method allows a client to use a properly formatted certificate that is signed by its CA provider. It creates a partition client while storing the imported certificate in the CORE database.

Client name - see Client Name Characters. It must match the name specified by the certificate's CN setting.

Choose File - specify the path to the certificate you want to use. The Subject section in the certificate must comply with CORE requirements. See External Client Cert Details.

Client IP verification - click ▼

→ Two options are presented:

Use advanced configuration - click the checkbox to modify the following default settings:

Add client - validates the settings, stores the imported certificate, and adds the client's name to the partition client list.

Client IP Verification Options

The "Client IP verification" presents two options:

Commands

Note
See also Clients Tab for client status-dependent commands.

Partition SO ˃ Clients ˃ select Client ˃ []

→ The list of commands appears.

Show Info

The Show Info output depends on the client registration mode:

  • For a client that completed its registration:
    • Client creation date.
    • The software version of the client.
    • The last time the client's setting (or software) was updated.
    • The status of the check-ip and allow-nat properties.
    • Note
      If these settings are undefined, then the status shows values inherited from the partition settings.

  • For a client-template or AC (Activation Code) client in the pending state:
    • The check-ip and allow-nat settings that should be used by the clients.
    • AC parameters and status.

Edit

The Edit dialog allows modifying the client's

  • check-ip and allow-nat settings.

Refresh AC

Applicable to clients that use an AC (Activation Code) for their registration. This command restarts the count-down timer of a pending AC. Provides two options:

In both cases, the new count-down time is restored to the previously used value or set as specified.

Show Certificate

Presents the client's certificate at two levels:

  • Summary.
  • Details.

Delete

  • Delete the client-template
  • Note
    The deletion of a template has no impact on the ephemeral clients already derived from it.