Entrust Identity as a Service and Entrust CloudControl

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction
- Product configurations
- Requirements
Procedures

Introduction

This guide describes how to integrate Entrust IDaaS with Entrust CloudControl. Entrust Identity as a Service is Cloud-based identity and access management (IAM) solution with multi-factor authentication (MFA), credential-based passwordless access, and single sign-on (SSO). Entrust CloudControl can be configured to use Entrust IDaaS as an external authentication method.

Product configurations

Entrust has successfully tested the integration of Entrust CloudControl with Entrust IDaaS in the following configurations:

System	Version
Entrust CloudControl	6.5.0
Entrust IDaaS	5.24
VMware vCenter	7.0.1 U1

Requirements

Before starting the integration process, familiarize yourself with:

Entrust IDaaS. You can request a free trial at the Entrust Identity as a Service product page.
The documentation and setup process for Entrust CloudControl. The online documentation contains everything you need to successfully install and deploy CloudControl.

Procedures

This guide uses a standalone CloudControl deployment configured with Active Directory for authentication. CloudControl supports a cluster environment. For more information refer to the Entrust CloudControl Installation Guide in the online documentation.

Download the CloudControl software

Go to https://my.hytrust.com/s/software-downloads .
Log in and select HyTrust CloudControl .
Open the HTCC_6.5.0_2022-03-01 folder. This folder contains version 6.5.0 that was used in this guide.
Select the Entrust-CloudControl-6.5.0.650509.zip link to download the file.
After the file has been downloaded, open the ZIP file to access to the OVA file.

Set up a content library in vCenter for the CloudControl OVA

Log in to vCenter.
Go to Menu > Content Libraries .
Create a content library called HyTrust CloudControl .
In the HyTrust CloudControl library, select Actions > Import item . For example:

The Import Library Item dialog appears.
Select Local File and upload the CloudControl OVA file.
After the file has been uploaded, select Import to import the OVA file into the library.

Deploy the CloudControl VM from the OVA

After the file has been imported into the content library, it is listed accordingly. Right-click the Name and select New VM from this Template to deploy the VM.

Follow the instructions during the deployment as needed.

Note	For more information refer to Installing CloudControl from an OVA in the online documentation.

Power on the appliance

Log in to the vSphere Client.
Locate the Entrust CloudControl virtual machine in the inventory.
Right-click the CloudControl virtual machine and select Power > Power On .

Configure the CloudControl virtual appliance

This guide uses a Standalone Node setup. For more information refer to Creating a Standalone Node in the online documentation.

Set up the CloudControl GUI

After the standalone node has been configured, you must finish the setup using the GUI. For more information refer to Setting Up the CloudControl GUI in the online documentation.

Domain controller setup

Add a DNS Host entry in the domain controller for the CloudControl server.

For the purposes of this guide, the following Host was added to the local DNS server:

FQDN: cloudcontrol1-65.example.com

Active Directory setup

You must have Active Directory configured in order to use External Authentication with CloudControl.

Refer to the CloudControl online documentation for details instructions on how to setup Active Directory in CloudControl .

Adapt the steps below to match your organization Active Directory settings.

Users

For the purposes of this guide, four AD users were required. These are used in the configuration steps described in this guide.

htaServiceAccount: This is used in the Entrust CloudControl AD settings, to connect to the AD server.
etccadmin: This is used to log in to Entrust CloudControl after Active Directory services have been configured. It is whitelisted when external authentication is enabled, to show the whitelist feature that is available on the external authentication setup.
etccuser: This is used to log in to Entrust CloudControl after Active Directory services have been configured. It is the user that logs in to demonstrate the IDaaS login process.
idaasaduser: This is used in the Entrust IDaaS AD settings, to connect to the AD server.

Note	When creating the users in AD, make sure that the Last Name and Email fields are not empty.

Groups

Create a group in AD called ASC_SuperAdmin and make the etccadmin and etccuser users members of this group.

Active Directory setup - CloudControl

After Active Directory has the users and groups needed to setup Active Directory in CloudControl, you can configure Active Directory.

Select Home > System > Primary Authentication .
Select Configure Active Directory and Confirm you want to configure Active Directory.

Once Active Directory is configured, local authentication is disabled.
In the Details tab of the Configure Active Directory window, enter the following:
1. Configuration Method : Select Manual .
  
  This guide uses a Manual configuration. However, in a production environment Entrust recommends that this field is set to Automatic Mode . The mode can also be changed later using the Actions menu, using Change to Automatic Mode .
2. Default Domain Name : Enter the domain name.
3. Root Domain Name : Enter the domain name.
4. Security : Select None .
5. Service Account : Enter the service account.
6. Service Account Password : Enter the password used for the service account.
In the Domain Controllers tab of the Configure Active Directory window, select the Add Domain Controller Now link.
In the Add Domain Controller window, enter the following information:
1. Name : The IP address/FQDN of the AD server.
2. Priority : Select Primary .
3. Port : 389 (for LDAP)
4. User Search Context (Base DN) : Enter the search context that applies to you. For example, DC=example,DC=com .
5. Group Search Context (Base DN) : Enter the search context that applies to you. For example: DC=example,DC=com .
Select Continue .
In the Global Catalogs tab of the Configure Active Directory window, select the Add a Global Catalog Now link.
In the Add Global Catalog window, enter the following information:
1. Name : The IP address/FQDN of the AD server.
2. Priority : Select Primary .
3. Port : 3268
4. User Search Context (Base DN) : Enter the search context that applies to you. For example, DC=example,DC=com .
5. Group Search Context (Base DN) : Enter the search context that applies to you. For example, DC=example,DC=com .
Select Add .
Select Continue .
In the Add Additional Domains window, select Skip .
In the ASC_SuperAdmin Role Mapping tab of the Configure Active Directory window, enter the AD Group Name to map to the ASC_SuperAdmin role.

In this example, an AD Group with the same name as the role was created.
Select Continue .
The summary window displays the details.
Select Apply to make the changes effective.

A confirmation window is shown asking you to confirm the changes to Active Directory.
Select Apply AD Settings and Log Out .

You are logged out of CloudControl.
Log back in with the AD user account and password. In this example, these accounts are etccadmin or etccuser , the only two accounts in the ASC_SuperAdmin group in AD.

Entrust IDaaS registration

Now you need to register for Entrust IDaaS. Entrust provides a 60-day free trial.

Get Entrust Identity as a Service free for 60 days .

Once you register for Entrust IDaaS, you will have a unique IDaaS URL. For example, https://example.US.trustedauth.com .

Active Directory setup - Entrust IDaaS

After CloudControl is set up using Active Directory, you must setup Entrust IDaaS to use the same Active Directory services. To do this, configure a Gateway to sync users from an on-premises Active Directory. Changes made to your Active Directory are automatically synced with Identity as a Service through this Gateway. Adapt the steps below to match your configuration. The examples in this guide use the Identity as a Service Gateway provided by Entrust IDaaS.

For additional information, refer to Configure an on-premise directory in the online documentation.

Install the Identity as a Service Gateway

Download the Identity as a Service Gateway OVA and deploy it using vCenter. This is the Gateway that allows connection to the On-Premise Active Directory used by Entrust IDaaS.

For additional information, refer to Create and configure a Gateway Instance in the online documentation.

On the Entrust IDaaS Home page, select Gateways .
On the Gateways page, select IDENTITY AS A SERVICE GATEWAY to download the software.

The Identity as a Service Gateway Download URL dialog appears.
Select one of the following options:
1. VMware vSphere to download a vSphere (.ova) image file.
2. Microsoft Hyper-V to download a Hyper-V (.vhd) image file.
In this guide, the VMware vSphere is selected. The file is downloaded to your device.
Import your Gateway image file.

Consult the VMware vSphere or Microsoft Hyper-V documentation for instructions on how to import your image file. Once the Gateway has been deployed, configure it. Power on your the virtual machine.
In your Web browser, enter the IP address of your Virtual Machine using port 9090.

https://xxx.xxx.xxx.xxx:9090
Accept the browser self-signed certificate warning.

The Identity as a Service Gateway Web Interface opens.

Note
Internet Explorer is not supported.
At the User Name prompt, enter entrust .
At the password prompt, enter entrust .

You are prompted to create a new password.

Note
After you have changed your password, when you log in to the Web Interface, you must select Reuse my password for privileged tasks .
At the (current) UNIX password prompt, enter entrust to confirm your existing password and select Log In .
Enter a new password.
At the Retype new password prompt, re-enter the password.

The Identity as a Service Enterprise Gateway Configuration Tool dialog appears.
Select Get Started .

The Network Settings page appears.
To change the default hostname:
1. Select the Hostname link. The Hostname dialog appears.
2. Enter a new hostname and select Save .
To change the IP Configuration, select the IP Address link.
1. Select Static or DHCP .
2. Make the required network settings changes. A confirmation dialog appears.
3. Select Save .
Select Next . The NTP Settings page appears.
Optionally, if you want to change any of the NTP Settings, do the following:
1. On the NTP Settings page, select Edit .
2. Make the required NTP Settings changes and select Save .
Select Next .
If required, select Configure . The Configure Proxy page appears.
1. Enter the Proxy server host IP or Proxy host name .
2. Enter the Proxy port number .
3. Enter the Proxy username .
4. Enter the Proxy password .
5. Select Save .
Select Next . The Registration Parameters dialog appears.

Leave this window open. You will paste content from the Add a Gateway procedure into this page.

Add a Gateway

To add a Gateway to Entrust IDaaS:

Access the Entrust IDaaS Home page. For example:
Select Gateways .

The Gateways page appears.
Select the + icon on the left of the page and select Gateway .

The Add Gateway dialog appears.
Enter a Gateway Name and then select Add .

The Gateway is added. The Waiting for Gateway to Establish connection dialog appears.
Copy the registration code.
Back in the Identity as a Service Gateway registration page, paste the Registration Code you copied when you created the Gateway.
Select Register .
Back in the Waiting for Gateway to Establish connection dialog, select Close .

After the Identity as a Service Gateway is configured and connected to a Gateway in Entrust IDaaS, you can create a directory.

Creating a directory

To tie the AD server to Entrust IDaaS, create a directory using the Gateway that was created in the previous step.

Access the Entrust IDaaS Home page. For example:
Select Directories .

The Directories List page appears.
Select the + icon on the left of the page and select Active Directory (on-premise) .

The Add Directory page appears.
In the Connection Settings section of the page, enter the following information:
1. Directory Name - Name of the directory.
2. Username - Name of the AD user used to read the Active Directory inventory.
3. Password - The password for the AD user to access the Active Directory server.
4. Directory Servers - Select Add to enter the Active Directory server information.
  1. On the Directory Server Dialog, enter the IP/FQDN of the Active Directory server, the Port and select Add .
In the Attribute Mappings section, leave the default settings.

You may need to adjust some of the fields according to your AD settings.
In the SearchBase & Group Filters section, enter the following:
1. Root Domain Name Context - Enter the AD search string to view the directory.
2. Group Filters - Enter the Group Name you created in your AD server for Entrust CloudControl. Only users in this group will be allowed.
In the Synchronization section, do the following:
1. Select the Synchronization Agent . This is the Gateway that was created in the previous section.
2. Once selected, either adjust the other fields in the section according to your AD settings or leave the defaults.
Once all the information has been provided, select Add

The Directory List page appears.
Select the Sync icon on the directory list row to sync the directory.
Once synced, the users belonging to the Group filter specified in the Directory appears under Users in the Home page.

Entrust IDaaS application configuration

After the AD is setup and configured, you can create a Generic Web Application that uses OpenID Connect and OAUTH Cloud Integration. This is the application that CloudControl uses to be able to integrate with IDaaS.

Log in to Entrust IDaaS.
Select Applications on the Home page.
Select the + icon on the left of the page to create a new Generic OpenID Connect and OAuth Cloud Integration .

The Add Application Select an Application Template page appears.
Scroll down the template list and from the OpenID Connect and OAuth Cloud Integrations section select Generic Web Application .

The Add Generic Web Application page appears.
Change the Application Name , Description and Add an Application Logo if required.
Select Next .

The Add Generic Web Application page appears.
In the Setup page, under General Settings , do the following:
1. Capture Client ID and Client Secret . These details are needed to configure the OpenID connect in Entrust CloudControl. For example:
  Client ID : 080fe01a-xxxx-xxxx-xxxx-dc3f2c5f6c42
  
  Client Secret : 9bIXVaDyxxxxxxxx_xxxxxxxxx1xN83TGyoE
2. Change Token / Revocation Endpoint Client Authentication Method to Client Secret Post .
3. Change Subject ID Attribute to UserPrincipalName .
4. For Login Redirect URLs , select ADD to add the login redirect for your CloudControl instance.
  
  Important
  You must use the FQDN of the CloudControl server and not its IP address.
5. For Logout Redirect URLs , select ADD to add the logout redirect for your CloudControl instance.
  
  Important
  You must use the FQDN of the CloudControl server and not its IP address.
For example:
In the Setup page, under Supported Scopes :
1. Select Your Unique Identifier .
2. Select Email Address .
3. Leave all other settings as default.
For example:
Select Submit .

The Add Generic Web Application Complete page appears.

You can now add a resource rule to the application.

Add a resource rule to the application

You must add a resource rule to the application so that an AD group and users from that AD group can access the application.

For additional information, refer to Create a resource rule in the online documentation.

In the Entrust IDaaS application, select the Main Menu > Resources > Resource Rules .

The Resource Rules List page appears.
Select the + icon on the Generic Web Application - Entrust CloudControl application created in the previous section.

The Add Resource List page appears.
In the General Settings setup, select the Group(s) you want to use that applies to the users for the application.
Select Next .
In the Authentication Conditions setup, under Authentication Decision :
1. Change Low Risk > First Factor to Password .
2. Enable the following Low Risk > Second Factors and drag them to the following order, or to the order that applies to your organization:
  One Time Password
  
  Entrust Soft Token Push
  
  FIDO2
  
  Software / Hardware Token
  
  Grid Card
3. Clear the remaining Low Risk > Second Factors check boxes.
Keep the defaults for the remaining fields in the Authentication Decision setup. For example:
Select Submit .

Enable external authentication in CloudControl to use Entrust IDaaS

After Entrust IDaaS is set up, you can enable external authentication in CloudControl to use Entrust IDaaS. CloudControl must be setup using the same Active Directory server as the one configured in Entrust IDaaS.

Log in to the CloudControl instance
Select Home > System > External Authentication .
In the External Authentication tab, under Configuration , enter the following information:
1. For Authentication Type , select OpenId Connect .
2. For Client ID , enter the Client ID of the Entrust IDaaS application created earlier.
3. For Client Secret , enter the Client Secret of the Entrust IDaaS application created earlier.
4. For Base URL , enter your Entrust IDaaS URL followed by api/oidc .
5. For Name , enter a name.
For example:
In the External Authentication tab, under Whitelist , enter the user ID of a user that you do not want to use IDaaS for authentication.

This provides a user that can bypass external authentication in the event of configuration issues. In this example, the etccadmin user was added. If you want to bypass external authentication, log in with [email protected] .
Select Enable .

The OpenID Connect Configuration dialog appears.
Select Verify and Enable .

External configuration is enabled.

Test external authentication using Entrust IDaaS

After Entrust IDaaS and Entrust CloudControl are set up, you can test the configuration and make sure Entrust IDaaS is used when you attempt to log in to CloudControl.

Make sure you do the steps below on a server that has access to the CloudControl DNS entry and the Entrust IDaaS URL.

In this section, the etccuser and etccadmin users are used, which were created earlier in this guide. Use the AD users that you have setup.

Testing IDaaS authentication

To test Entrust IDaaS with CloudControl using external authentication:

Open a browser and access the URL of the CloudControl server. Log in using the etccuser user.

This is the user that was created for testing the IDaaS integration. For example:
Select Continue .

The login screen takes you to the Entrust IDaaS login screen.
Select Next .
Enter the etccuser password.

Entrust IDaaS sends an OTP code to the email for etccuser .
Enter the OTP code.
Select Login .

Entrust IDaaS authenticates the user and redirects you back to the CloudControl home screen.

Testing whitelist authentication

You can now test the whitelist configuration. When external authentication was set up, a user was added to the whitelist configuration. If that user is used for logging in, CloudControl will not use Entrust IDaaS to authenticate the user. Instead, the internal authentication method configured is used. In this example, the user in the whitelist configuration is [email protected] .

If you log in, it will not use IDaaS. For example:

Open a browser and access the URL of the CloudControl server. Log in using [email protected] .

This is the user created and added to the whitelist of the external authentication settings:
Select Continue .

The login screen asks for the user password.
Enter the password and select SIGN IN .

CloudControl logs the user into the application without going to IDaaS.

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
Entrust Identity as a Service and Entrust CloudControl Integration Guide

Table of Contents