How to configure Client Certificate Emulation

Article ID: 171118

Updated On:

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

How to configure Client Certificate Emulation. 

This feature is available in ASG/ProxySG versions 6.7.x and later.

Authenticating users in a typical reverse proxy deployment involves steps such as configuring a client certificate authentication realm in SGOS and providing authentication to origin content servers (OCSs) behind the proxy using Kerberos, or forwarding specific client certificate fields to the OCS using an HTTP header. To facilitate choosing signing certificates for the client, it's possible to emulate client certificates. When this feature is enabled:
  • The appliance requests a certificate from the client.
  • If the client returns a certificate, the appliance copies the certificate attributes to a new client certificate (so that it appears to originate from the client). Emulation does not occur if the client does not return a certificate.
  • The appliance presents the certificate during the SSL/TLS handshake when an OCS requests a client certificate.
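
The three steps above, reproduced with the openssl CLI as an added example (not Symantec's code and not the appliance's implementation). It shows that the emulated certificate carries the client's subject but a new key pair and a different issuer, so it validates only against the signing CA. Assumptions: the subject is among the copied attributes (the article does not list them), and every name, subject and file below is constructed.

```shell
#!/bin/sh
# Constructed demo: every CA name, subject and file below is made up.
# Prints: subject_match, issuer_match, verify_emulation_ca, verify_client_ca.
emulation_demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    trap 'rm -rf "$d"' EXIT
    selfsigned() {  # $1 = file prefix, $2 = subject; creates a throwaway root CA
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
            -keyout "$1.key" -out "$1.crt" 2>/dev/null
    }
    issue() {       # $1 = file prefix, $2 = subject, $3 = CA prefix; new key pair each call
        openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
        openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
            -CAcreateserial -days 1 -out "$1.crt" 2>/dev/null
    }
    field() {       # $1 = file prefix, $2 = -subject or -issuer; prints the name only
        openssl x509 -in "$1.crt" -noout "$2" -nameopt compat | sed 's/^[a-z]*= *//'
    }
    verify() {      # $1 = certificate prefix, $2 = CA prefix; prints ok or fail
        openssl verify -CAfile "$2.crt" "$1.crt" 2>/dev/null | grep -q ': OK$' \
            && echo ok || echo fail
    }

    selfsigned client_ca "/CN=Client Issuing CA"     # issued the user's real certificate
    selfsigned emu_ca "/CN=Emulation Signing CA"     # stands in for the signing keyring
    issue client "/O=Example/CN=alice" client_ca     # what the client returns to the proxy

    # Emulation: read the subject from the returned certificate, then issue a
    # new certificate (with a new key pair) for that subject under the signing CA.
    issue emulated "$(field client -subject)" emu_ca

    [ "$(field client -subject)" = "$(field emulated -subject)" ] \
        && echo subject_match=yes || echo subject_match=no
    [ "$(field client -issuer)" = "$(field emulated -issuer)" ] \
        && echo issuer_match=yes || echo issuer_match=no
    echo "verify_emulation_ca=$(verify emulated emu_ca)"
    echo "verify_client_ca=$(verify emulated client_ca)"
)
emulation_demo
```

An OCS that validates client certificates therefore needs the emulation signing CA in its trust store; trusting only the CA that issued the user's original certificate is not enough.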

Refer to the 6.7 Release Notes, which can be downloaded from https://support.symantec.com > Downloads > Network Protection (BlueCoat) Downloads; navigate to the 6.7 release notes for the Proxy or ASG.

The Admin Guide also covers this topic. Find this Admin guide linked below:

SGOS Administration Guide (6.7.x) - Page 37 - Client Certificate Emulation
 

Resolution

Configure Client Certificate Emulation

 
1. Make sure that the appliance has valid CA certificates for signing emulated client certificates.
 
2. Create a keyring that includes the signing certificate.
Refer to "Creating a Keyring" on page 1307 of the administrator's guide for details. If supported/applicable, it's possible to create and use an HSM keyring.
 
3. For client certificate emulation to occur, the appliance must be able to request a certificate from the client.
 
For forward proxy, include the following condition in policy:
client.certificate.require(yes)
 
For reverse proxy, enable the verify-client attribute for the HTTPS reverse proxy service:
 
#(config <HTTPS_service_name>) attribute verify-client enable
 
4. Include the server.connection.client_issuer_keyring() action in policy.
Refer to the Content Policy Language Reference for details.