Data Domain - Log in Using CAC or PIV Smart Card and User Certificates

Summary: Log in Using CAC or PIV Smart Card and User Certificates


Instructions

Prerequisites

  • To log in using a user certificate, the protection system must trust one or more CA certificates (the root and, if any, the intermediate CA certificates as well):
    • For local users, the user identity must be specified in the common-name field of the certificate.
    • For Active Directory users, the user identity can be specified either as the commonName value in the subject line or in Microsoft UPN format under OtherNames in the SubjectAlternativeName field.
  • You must have a user account on the protection system. You can be either a local user or a name service user (NIS or AD). For a name service user, your group-to-role mapping must be configured on the protection system.
  • Imported CRLs must not revoke user certificates or upstream intermediate CAs.
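
A workstation-side pre-flight check for the prerequisites above, added here as an example and not taken from the Dell article or the Data Domain CLI. It uses the OpenSSL command line to print the commonName and the Microsoft UPN of a user certificate and to confirm that the certificate chains to your CA bundle and is not revoked by a CRL; the function names and file names are placeholders.

```shell
#!/bin/sh
# Added example: run on an admin workstation with the OpenSSL CLI installed.
# Nothing here runs on the protection system; file names are placeholders.

# Print the subject commonName (the identity field for local users).
cert_cn() {   # usage: cert_cn user.pem
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Print the Microsoft UPN carried as an otherName in subjectAltName, if any.
cert_upn() {  # usage: cert_upn user.pem
    # Offset of the OCTET STRING that wraps the SAN extension value.
    off=$(openssl asn1parse -in "$1" | awk -F: '
        /X509v3 Subject Alternative Name/ { san = 1; next }
        san && /OCTET STRING/ { print $1 + 0; exit }')
    [ -n "$off" ] || return 0          # no SAN extension: print nothing
    # Decode the SAN value and take the UTF8STRING that follows the UPN OID.
    openssl asn1parse -in "$1" -strparse "$off" | awk '
        /Principal Name|1\.3\.6\.1\.4\.1\.311\.20\.2\.3/ { upn = 1; next }
        upn && /UTF8STRING/ { sub(/.*UTF8STRING *:/, ""); print; exit }'
}

# Succeed only if the certificate chains to the CA bundle and, when a CRL
# file is given, is not revoked by it.
cert_trusted() {  # usage: cert_trusted ca-bundle.pem user.pem [crl.pem]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -crl_check -CRLfile "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}
```

Compare the printed commonName or UPN with the account name on the protection system, and run `cert_trusted` against the same CA and CRL files that you import there.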

Steps

  1. Run the following command to enable certificate-based login for users:
adminaccess certificate import ca application login-auth
Note: A user with privileges to add a CA can enable certificate-based login for users with the same privileges and lower.
  2. Optionally, to enable certificate-based login for the security user, import a CA certificate that can issue security user certificates by running the following command:
adminaccess certificate import ca application login-auth
Note: To enable certificate-based login for security users, a security user must import the CA certificate, even if the same CAs were previously imported by a sysadmin, admin, or limited-admin user.
  3. Log in using a CAC/PIV card to Data Domain System Manager:
    • For Microsoft Windows, once the PIV card is inserted in the PIV reader that is connected to your workstation, user certificates are automatically read and imported.
    • In your browser, click Login with certificate and choose the user certificate from the dialog that lists the imported user certificates.
    • On selection, any additional MFA enabled on the PIV card is enforced, and on entering a valid PIN, the user should get access to PowerProtect DD System Manager.
  4. Log in using a CAC/PIV card to the Data Domain CLI over SSH:
    • Use an SSH client that supports X.509 certificate-based login (for example, SecureCRT or PKIXSSH's ssh), and see the respective user guide to configure certificate-based login using CAC/PIV/smart cards in the client application.

Results

The system validates the user certificate against the trust store. Based on authorization privileges associated with your account, a user session is created for you.
 

Note: 'Log in Using CAC or PIV Smart Card and User Certificates' is part of the customer configuration process and falls outside break-fix support. However, we are glad to point you in the right direction and help clarify the steps.

 

Affected Products

Data Domain
Article Properties
Article Number: 000221698
Article Type: How To
Last Modified: 20 January 2026
Version: 4