Information regarding the "SSLVerifyClient" parameter.
Release: Any Supported CA/Broadcom CA Access Gateway (AKA SPS) Agents.
Component: SITEMINDER - CA Access Gateway
Note: These are all Apache third-party settings used for client certificate authentication and client certificate verification.
When these settings are used, the web server asks the browser to submit a certificate so that it can be verified and the request processed further.
The "SSLVerifyClient" parameter instructs the SSL server to request a certificate from the client (client authentication) that it can validate.
The Access Gateway sends the list of trusted root CA certificates to the browser, and if the browser holds a certificate signed by any of the root CAs presented by the SPS in the handshake, it presents that client certificate for validation.
If the browser does not have a matching client certificate, it sends no certificate.
By default (out of the box) "SSLVerifyClient" is set to "optional", but when any form of Client Certificate Authentication is used it is mandatory to set this to "Required", which forces the browser to submit the user certificate.
If it is set to "Optional" or "NONE", the Apache server will not request the client certificate, and if you then perform Certificate Authentication with SiteMinder, that authentication fails because there is no certificate to evaluate. So, if you use Client Certificate Authentication, this setting is required.
For more details, check the references below:
Optional: To disable client authentication within Apache, change the following configuration in the "\httpd\conf\extra\httpd-ssl.conf" file.
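As an added example (not taken from the original article or the product's shipped configuration), the excerpt below shows how the relevant block of the httpd-ssl.conf file named above looks with the out-of-the-box setting beside the value needed for Client Certificate Authentication; the certificate, key and CA bundle paths are placeholders, and the directive value Apache actually accepts for "Required" is spelled `require`.

```apache
# Excerpt of httpd-ssl.conf (added example; file paths are placeholders).
# Apache does not allow comments on the same line as a directive, so each
# comment sits on its own line above the directive it describes.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"

    # Trusted root CA bundle. The CA names in this file are what the gateway
    # advertises to the browser during the handshake, so a client certificate
    # only gets presented if it chains to one of these roots.
    SSLCACertificateFile  "/path/to/trusted-root-cas.pem"
    SSLVerifyDepth 2

    # Out-of-the-box value: a browser with no matching certificate still
    # completes the TLS handshake, so SiteMinder Certificate Authentication
    # later has no certificate to evaluate and fails.
    # SSLVerifyClient optional

    # Value needed for Client Certificate Authentication: the handshake is
    # refused unless the browser presents a certificate signed by a trusted
    # root CA, so SiteMinder always has a certificate to validate.
    SSLVerifyClient require
</VirtualHost>
```

Run `httpd -t` to check the syntax before restarting the gateway's Apache instance.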