Configure USB key authentication

USB key authentication is a widely used authentication method at present. As a hardware device with USB interface, built-in MCUs or smart card chips, a USB key has a certain storage space to store the users' private keys and digital certificates. The built-in public key algorithms of USB keys can be used to authenticate the users' identity.

When a USB key is plugged into the computer for authentication, the system first uses the public key certificate uploaded in advance to obtain the corresponding private key in the USB key. Then, it uses the private key in the USB key to generate the digital signature and transmit the signature to the server for authentication. For security purposes, the key is encrypted by using a domestic cryptographic algorithm.

With USB key authentication enabled, the USB key login option will appear on the login page. If the login page cannot be opened due to the incorrect configuration of USB key authentication, access the escape path https://IP-Address/platform/#/login/skip, log in to the system as user admin, and reconfigure USB key authentication.

 

To configure USB key authentication, perform the following tasks:

Task	Description
Enable USB key authentication	With USB key authentication enabled, USB key login option will appears on the login page.
Upload a USB key	The USB key certificates are issued by the Certification Authority (CA) and correspond to the USB key hardware devices one by one. The USB key certificates need to be uploaded to corresponding users in the system in advance.
Log in by using a USB key	USB key users log in to the system.

 

Figure-1 Configuring USB key authentication

 

Enable USB key authentication

Restrictions and guidelines

A USB key can be issued only to one user.

Prerequisites

• USB key authentication is enabled in the system.

• The user has subscribed for USB key and installed corresponding USB key driver locally.

• The configurations of encryption modules are completed in advance. For more information, see "Configure encryption module."

• Configure signature verification platform settings if the manufacturer of the encryption module is Fisec. For more information, see "Configure a signature verification platform."

Procedure

1. On the top navigation bar, click System.

2. From the left navigation pane, select System Settings > Security Settings > Certificate Config > Authentication Policies.

3. Select USB Key Authentication, and select a vendor.

4. Upload certificate for user admin as required to enable USB key authentication.

Upload a USB key certificate

Create local users in advance. For more information, see Create a user. For more information about user privileges and organization management, see Manage local users.

 

1. On the top navigation bar, click System.

2. From the left navigation pane, select System Settings > Security Settings > Certificate Config > Authentication Policies.

3. After USB Key Authentication is selected on the page, click Access control or Organization Management on the right side, or navigate to the System > Access Control > User > Local User page.

4. Select the target user, click More > Upload USB Key Certificate.

5. Click OK.

Log in by using a USB key

Restrictions and guidelines

• If you select Fisec as the vendor, you must first select a device and then select a certificate.

• To log in to the system by using a USB key, plug a USB key into the computer before login.

Procedure

1. Enter the system IP address and port in the address bar to enter the system USB key user login page.

2. Select a certificate, and enter the PIN corresponding to the certificate.

Update a USB key certificate

You can perform this task to update uploaded USB key certificates.

1. On the top navigation bar, click System.

2. From the left navigation pane, select System Settings > Security Settings > Certificate Config > Authentication Policies.

3. After USB Key Authentication is selected on the page, click Access control or Organization Management on the right side, or navigate to the System > Access Control > User > Local User page.

4. Select the target user, click More > Update USB Key Certificate.

5. Click OK.

Delete a USB key certificate

Deleting a USB key certificate can cause the user that uses the USB key unable to log in to the system. Perform this operation with caution.

 

1. On the top navigation bar, click System.

2. From the left navigation pane, select System Settings > Security Settings > Certificate Config > Authentication Policies.

3. After USB Key Authentication is selected on the page, click Access control or Organization Management on the right side, or navigate to the System > Access Control > User > Local User page.

4. Select the target user, click More > Delete USB Key Certificate.

5. In the dialog box that opens, click OK.