When X.509 authentication is enabled, any Address Manager user can present a valid, matching client certificate to log into Address Manager. If the user was created manually with a local password or associated with a remote authenticator, the user may also continue to log in at the standard Address Manager login screen with username and password. You can set X.509 user access when adding a new user or editing an existing user. Note that X.509 authentication isn't supported for an API user.
If you want to ensure that a user can only authenticate using a valid X.509 client certificate, set the X.509 Required flag for the user account. The X.509 Required flag is enabled by default for user accounts created by X.509 authentication in combination with an LDAP group. A user with this flag set won't be able to log into Address Manager with username and password.
To set X.509 user access:
- Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
- Under User Management, click Users and Groups.
- Under Users, click New to add a new user or click an existing username > username menu and select Edit.
- Under User Access, select X.509 Required.
- Click Add or Update.