Information regarding the "SSLVerifyClient" parameter.

Article ID: 193501

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

Customers would like information regarding the "SSLVerifyClient" parameter.

Environment

Release: Any supported CA/Broadcom CA Access Gateway (AKA SPS) Agents.

Component : SITEMINDER - CA Access Gateway

Resolution

Note that all of these are third-party Apache settings, which are used for Client Certificate Authentication and client certificate verification.

When these settings are used, the web server requests that the browser submit a certificate, which is verified before the request is processed further.

The "SSLVerifyClient" parameter instructs the SSL server to request a certificate from the client (Client Authentication) that it can validate.

The Access Gateway sends the list of trusted root CA certificates to the browser. If the browser has a certificate that was signed by any of the root CA certificates presented by the SPS in the handshake, the browser presents that client certificate for validation.

If the browser does NOT have a matching client certificate, it does not send a certificate.

------ Is "SSLVerifyClient" a mandatory setting?

By default (OOTB), "SSLVerifyClient" is set to "optional". When any Client Certificate Authentication is used, the setting is mandatory, and the customer needs to set it to "require", which forces the browser to submit the user certificate.

------ What is the purpose of this setting?

When this setting is used, the web server requests that the browser submit a certificate, which is used to verify the user before the request is processed further.

The "SSLVerifyClient" parameter instructs the SSL server to request a certificate from the client (Client Authentication) that it can validate.

------ What is the behavior if it is set to optional or none?

If you set it to "optional" or "none", the Apache server will not request the client certificate. If you then perform Certificate Authentication with SiteMinder, it fails because there is no certificate, so this setting is required if you use Client Certificate Authentication.

------ For more details, see the references below:

https://ca-broadcomcsm.wolkenservicedesk.com/wolken/esd/knowledgebase_search?articleId=45106

https://www.oreilly.com/library/view/apache-the-definitive/0596002033/re169.html

- Optional: To disable 'client authentication' within Apache, change the following configuration in the "\httpd\conf\extra\httpd-ssl.conf" file, from:

SSLVerifyClient optional

to:

SSLVerifyClient none
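One way to check which "SSLVerifyClient" value is active in each section of an httpd-ssl.conf file, and whether it forces the browser to submit a certificate. This is an added example, not code from Broadcom or the Apache project; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed httpd-ssl.conf fragment for illustration (not from a real deployment).
SAMPLE_CONF = """\
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    # SSLVerifyClient require
    SSLVerifyClient optional
    <Location "/certauth">
        SSLVerifyClient Require
    </Location>
</VirtualHost>
"""

def audit_ssl_verify_client(conf_text):
    """Return (line_no, context, value, forces_cert) for each active SSLVerifyClient line."""
    findings, stack = [], []  # stack holds the currently open <Section ...> containers
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives have no effect
        if re.match(r"</\w+>", line):
            if stack:
                stack.pop()
            continue
        opened = re.match(r"<(\w+)\s*([^>]*)>", line)
        if opened:
            stack.append(" ".join(opened.groups()).strip())
            continue
        found = re.match(r"SSLVerifyClient\s+(\S+)", line, re.IGNORECASE)
        if found:
            value = found.group(1).lower()
            context = " > ".join(stack) or "server config"
            # Only "require" makes the handshake fail when no certificate is sent.
            findings.append((line_no, context, value, value == "require"))
    return findings

def not_enforced(conf_text):
    """Contexts where a client certificate would not be forced."""
    return [f for f in audit_ssl_verify_client(conf_text) if not f[3]]

if __name__ == "__main__":
    for line_no, context, value, forces in audit_ssl_verify_client(SAMPLE_CONF):
        status = "forces a client certificate" if forces else "does NOT force a client certificate"
        print(f"line {line_no}: [{context}] SSLVerifyClient {value}: {status}")
```

Any context that not_enforced() reports is one where Client Certificate Authentication with SiteMinder cannot be relied on, because the browser is not forced to submit a certificate there.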