Clients Tab
Partition SO (Security officer - UKC partition administrator role) ˃ Clients
→ presents the following:
- The Create button to Add Client.
- Table of Clients.
Table of Clients
The table of clients. Each row presents the following attributes:
- Name of the client.
- Status - activation status. Applicable to clients created using Activation Code (AC).
- Registration mode - see Clients Tab.
- Certificate expiry - certificate's expiration due date.
- Last Changed - the last time the client was modified.
- [ ] - the command menu; see Commands and Clients Tab.
Notes
1. The red alert badge next to the Clients tab in the TOC (Table of Contents, the left pane in the Web UI) indicates the number of clients that should update their certificates. These clients are highlighted on the clients list.
2. Non-persistent (not stored in the CORE database) ephemeral clients are not listed.
Add Client
Partition SO ˃ Clients ˃ Create
→ The New Client dialog appears:
- Client name - enter the client's name.
Note
It is good practice to use the client's hostname as the client's name.
- Registration mode - click ▼
→ The list of registration options appears. See Client Types and Certificates.
- Click one of the modes:
- Activation Code (AC)
- Certificate Download (Full)
- Ephemeral Client Template
- External Certificate
→ The mode-specific dialog appears. See the corresponding section below.
- To modify the common default settings, click Advanced Attributes >>
→ The list of verification options appears. See Client IP Verification Options.
Click the Add button.
Activation Code (AC)
This method:
- Adds the client's name to the partition's client list (Status = Pending).
- Creates an AC (Activation Code) that can be applied by the CORE client (see CORE Appliance Commands).
Client name
- see Client Name Characters.
Client IP verification
- click ▼
→ Two options are presented:
- Follow the policy specified in the partition settings.
- Customize the policy for this client. See Client IP Verification Options.
Use advanced configuration
- click the checkbox to modify the following default settings:
- Allowed IP range - specify the allowed client IP range using CIDR (Classless Inter-Domain Routing, an IP addressing notation). It is relevant when the EP applies the Check-IP validation to a certificate presented by a client. The EP authenticates the sender's appliance if the certificate is valid and the sender's IP is within the specified range.
- Certificate validity period - specifies how long the certificate will be valid (days, months, years; for any time interval setting in years, 1 year is converted to 365 days).
- Allows customizing the AC (Activation Code) parameters:
- Activation Code length - number of digits in the AC.
- Activation Code validity period - specified in minutes.
Add client
- once clicked, the system stores the potential client settings and enables the client to complete its registration with the partition. Once you click this button, the AC value appears. Write it down, or use Refresh AC to extend its validity or create a new value as needed.
The new client now appears on the partition client list. Its status is Pending, waiting for registration from a client appliance.
- To proceed with the registration, forward to the client appliance's admin the following settings:
- The partition's name.
- The client's name.
- The activation code.
Ephemeral Client Template
This method:
- Adds the template name to the partition's client list.
- Specifies settings that shall be used by all clients that choose the template-based registration.
- All such clients shall use the Activation Code that is assigned to the Template.
- Creates an AC (Activation Code) that shall be used to register ephemeral clients. See Ephemeral client registration.
Use the Refresh AC command to restart the timer with or without changing the AC.
- Allows specifying whether the ephemeral client data will be stored in the CORE database (default: true) or not.
Template name
- see Client Name Characters.
Client IP verification
- click ▼
→ Two options are presented:
- Follow the policy specified in the partition settings.
- Customize the policy for this client. See Client IP Verification Options.
Persistent
checkbox
- true (default) - the data of ephemeral clients created using this template is stored in the CORE database.
- false - the data of ephemeral clients created using this template isn't stored in the CORE database. Such clients will not appear when listing the clients.
Use advanced configuration
- click the checkbox to modify the following default settings:
- Allowed IP range - specify the allowed client IP range using CIDR (Classless Inter-Domain Routing, an IP addressing notation). It is relevant when the EP applies the Check-IP validation to a certificate presented by a client. The EP authenticates the sender's appliance if the certificate is valid and the sender's IP is within the specified range.
- Certificate validity period - specifies how long the certificate will be valid (days, months, years; for any time interval setting in years, 1 year is converted to 365 days).
- Allows customizing the AC (Activation Code) parameters:
- Activation Code length - number of digits in the AC.
- Activation Code validity period - specified in minutes.
Add ephemeral client template
- records the above settings and enables a client to complete its registration with the partition. Once you click this button, the AC value appears. Write it down, or use Refresh AC to extend its validity or create a new value as needed.
The new client-template name now appears on the partition client list. Its status is Pending, waiting for registration from a client appliance.
- To proceed with the registration, forward to the client appliance admin the following settings:
- Partition name.
- Template's name.
- Activation code.
- Type of registration - template
Certificate Download (Full)
This method:
- Adds the client's name to the partition's client list.
- Creates the client's certificate that shall be installed in the designated appliance.
Once you select this option, the following dialog appears:
Client name
- see Client Name Characters.
Client alternative names and addresses
- a comma-separated list of the client IP addresses and their hostnames.
- Note:
Subject Alternative Names (SAN, the certificate field with a list of IP addresses) in the generated certificate shall contain:
- The specified client name, if it is a valid DNS name.
- The specified IP addresses and the RFC1123-compliant hostnames.
Note
Invalid entries are silently omitted.
Important
The SAN is mandatory if the partition's settings enforce validation of the certificate sender's IP. See Certificate Misuse Prevention.
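The SAN derivation described above, as an added example that is not part of the original page or the product's own code: the client name is kept only if it is a valid DNS name, each list entry is classified as an IP address or an RFC 1123 hostname, and anything else is dropped silently. The RFC 1123 label check is a local implementation, not CORE's.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen (assumed interpretation of "RFC1123-compliant").
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_rfc1123_hostname(name: str) -> bool:
    """True if every dot-separated label is a valid RFC 1123 label."""
    if not name or len(name) > 253:
        return False
    name = name.rstrip(".")  # tolerate a trailing dot (FQDN form)
    return all(_LABEL.match(label) for label in name.split("."))


def derive_san_entries(client_name: str, alt_names: str) -> dict:
    """Build the SAN entries the generated certificate would carry.

    client_name: the value entered in "Client name".
    alt_names:   the comma-separated "Client alternative names and addresses" list.
    Returns {"dns": [...], "ip": [...]}; invalid entries are silently omitted.
    """
    dns, ips = [], []
    if is_rfc1123_hostname(client_name):
        dns.append(client_name)
    for raw in alt_names.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # Accepts both IPv4 and IPv6 literals.
            ips.append(str(ipaddress.ip_address(entry)))
            continue
        except ValueError:
            pass
        if is_rfc1123_hostname(entry) and entry not in dns:
            dns.append(entry)
    return {"dns": dns, "ip": ips}


if __name__ == "__main__":
    # Constructed sample input: mixes valid hosts, IPs and two invalid entries.
    print(derive_san_entries("hsm-client-01",
                             "10.0.0.5, hsm-client-01.example.com, bad host, 2001:db8::7, -x"))
```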
Use default PFX password
checkbox (PFX: an archive file format for storing cryptography objects using Base64 encoding)
- check-mark this box if the certificate shall be used by the CORE client software and installed as required by that software.
Tip
Use this option if your appliance cannot validate the EP certificate. Otherwise, you should use the Activation Code (AC) procedure to register the client and to obtain and install its own certificate and its trust certificates.
- In all the other cases - specify the password.
See Full Client.
Client IP verification
- click ▼
→ Two options are presented:
- Follow the policy specified in the partition settings.
- Customize the policy for this client. See Client IP Verification Options.
Use advanced configuration
- click the checkbox to modify the following default settings:
- Allowed IP range - specify the allowed client IP range using CIDR (Classless Inter-Domain Routing, an IP addressing notation). It is relevant when the EP applies the Check-IP validation to a certificate presented by a client. The EP authenticates the sender's appliance if the certificate is valid and the sender's IP is within the specified range.
- Certificate validity period - specifies how long the certificate will be valid (days, months, years; for any time interval setting in years, 1 year is converted to 365 days).
The created certificate is stored in the PFX file in the browser's default download directory.
External Certificate
This method allows a client to use a properly formatted certificate that is signed by its CA provider. It creates a partition client while storing the imported certificate in the CORE database.
Client name
- see Client Name Characters. It must match the name specified by the certificate's CN setting.
Choose File
- specify path to the certificate you want to use. The Subject section in the certificate must comply with CORE requirements. See External Client Cert Details.
Client IP verification
- click ▼
→ Two options are presented:
- Follow the policy specified in the partition settings.
- Customize the policy for this client. See Client IP Verification Options.
Use advanced configuration
- click the checkbox to modify the following default settings:
- Allowed IP range - specify the allowed client IP range using CIDR (Classless Inter-Domain Routing, an IP addressing notation). It is relevant when the EP applies the Check-IP validation to a certificate presented by a client. The EP authenticates the sender's appliance if the certificate is valid and the sender's IP is within the specified range.
- Certificate validity period - specifies how long the certificate will be valid (days, months, years; for any time interval setting in years, 1 year is converted to 365 days).
Add client
- validates the settings, stores the imported certificate, and adds the client's name to the partition client list.
Client IP Verification Options
The "Client IP verification" setting presents two options:
- Use the partition settings (default)
Select this option if the partition settings force the client's IP assertion type.
- Use the following IP verification settings
→ The Custom Options dialog appears:
- Do not check the originator's IP.
- Check the originator's IP:
- without taking into account the possible impact of NAT (Network Address Translation - remapping of one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device) on it.
- by taking into account the possible impact of NAT on it.
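How the check-ip setting and the allowed CIDR range combine, as an added example that is not part of the original page or the product's own code. It models the rule stated for the EP (certificate valid AND sender IP within the range) together with the inheritance rule from Show Info (an undefined client setting takes the partition's value). The `IpPolicy` shape, `None` meaning "inherit", and failing closed when check-ip is enabled without any range are assumptions for this illustration; the NAT option is not modelled because the page does not spell out its mechanics.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IpPolicy:
    """Hypothetical view of a partition's or client's IP-verification settings."""
    check_ip: Optional[bool] = None   # None = not defined, inherit from partition
    ip_range: Optional[str] = None    # CIDR such as "10.20.0.0/16"; None = inherit


@dataclass
class Decision:
    authenticated: bool
    reason: str


def effective_policy(partition: IpPolicy, client: IpPolicy) -> IpPolicy:
    """A client setting left undefined falls back to the partition setting."""
    return IpPolicy(
        check_ip=partition.check_ip if client.check_ip is None else client.check_ip,
        ip_range=partition.ip_range if client.ip_range is None else client.ip_range,
    )


def authenticate_sender(partition: IpPolicy, client: IpPolicy,
                        cert_valid: bool, sender_ip: str) -> Decision:
    """EP-style decision: valid certificate AND (check-ip off OR IP inside range)."""
    if not cert_valid:
        return Decision(False, "certificate invalid")
    policy = effective_policy(partition, client)
    if not policy.check_ip:
        return Decision(True, "check-ip disabled; certificate alone suffices")
    if policy.ip_range is None:
        # Assumption: fail closed rather than accept any address.
        return Decision(False, "check-ip enabled but no ip_range configured")
    try:
        addr = ipaddress.ip_address(sender_ip)
        network = ipaddress.ip_network(policy.ip_range, strict=False)
    except ValueError as exc:
        return Decision(False, f"unparseable address or range: {exc}")
    if addr not in network:  # False as well when IPv4/IPv6 versions differ
        return Decision(False, f"{addr} not in allowed range {network}")
    return Decision(True, f"{addr} within {network}")


if __name__ == "__main__":
    # Constructed sample: partition enforces check-ip on 10.20.0.0/16, client inherits.
    print(authenticate_sender(IpPolicy(True, "10.20.0.0/16"), IpPolicy(), True, "10.20.3.4"))
```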
Commands
Note
See also Clients Tab for client status-dependent commands.
Partition SO ˃ Clients ˃ select Client ˃ [ ]
→ The list of commands appears.
Show Info
The Show Info output depends on the client registration mode:
- For a client that completed its registration:
- Client creation date.
- The software version of the client.
- The last time the client's setting (or software) was updated.
- The status of the check-ip and allow-nat properties.
Note
If these settings are undefined, then the status shows values inherited from the partition settings.
- For a client-template or AC-client in the pending state:
- The check-ip and allow-nat settings that should be used by the clients.
- AC (Activation Code) parameters and status.
- The
Edit
The Edit dialog allows modifying the client's check-ip and allow-nat settings.
The ip_range setting (see ucl client create - Overview) can be modified for the following types:
- AC (Activation Code) clients while their state is Pending.
Note
The modification of ip_range does not generate a new AC value. It applies to future use of the current AC value.
- AC
Refresh AC
Applicable to clients that use an AC (Activation Code) for their registration. This command restarts the count-down timer of a pending AC. It provides two options:
- Keep the same AC if it has not yet expired.
- Generate a new AC while optionally changing its parameters.
In both cases, the new count-down time is restored to the previously used value or set as specified.
Show Certificate
Presents the client's certificate at two levels:
- Summary.
- Details.
Delete
- Delete the AC (Activation Code) or the FULL client
- Delete the client-template
Note
The deletion of a template has no impact on the ephemeral clients already derived from it.