"SSLVerifyClient" parameter.

Article ID: 193501

Updated On: 02-28-2024

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

Information regarding the "SSLVerifyClient" parameter.

Environment

Release: Any Supported CA/Broadcom CA Access Gateway (AKA SPS) Agents.

Component: SITEMINDER - CA Access Gateway

Resolution

Note: These are third-party Apache settings used for Client Certificate Authentication and client certificate verification.

When these settings are used, the web server requests that the browser submit a certificate, which the server verifies before processing the request further.

The "SSLVerifyClient" parameter instructs the SSL server to request a certificate from the client (Client Authentication) that it can validate.

The Access Gateway sends the list of trusted Root CA certificates to the browser. If the browser has a certificate that was signed by any of the Root CA certificates presented by the SPS in the handshake, the browser presents that client certificate for validation.

If the Browser does NOT have a matching Client Certificate, then it will not send a Certificate.

Is “SSLVerifyClient” a mandatory setting?

Out of the box (OOTB), "SSLVerifyClient" is set to "optional". When you use any Client Certificate Authentication, the setting is mandatory and you need to set it to "require", which forces the browser to submit the user certificate.

What is the purpose of this setting?

When these settings are used, the web server requests that the browser submit a certificate, which the server uses to verify the user before processing the request further.

The "SSLVerifyClient" parameter instructs the SSL server to request a certificate from the client (Client Authentication) that it can validate.

What’s the behavior if it's optional or none?

If you set it to "optional" or "none", the Apache server will not request the client certificate; if you then perform Certificate Authentication with SiteMinder, it will fail because there is no certificate. So, if you use Client Certificate Authentication, this setting is required.
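One way to check a configuration against the requirement above, as an added example that is not part of the original article or of the product: a Python audit that lists every active SSLVerifyClient directive in an httpd-ssl.conf and marks those not set to require. The sample configuration, the function name audit_ssl_verify_client and the /certauth location are constructed for illustration; SSLCACertificateFile and SSLCACertificatePath are the mod_ssl directives that name the CAs used to verify client certificates.

```python
import re

# Constructed sample of an httpd-ssl.conf fragment (not from a real install).
SAMPLE_CONF = """\
# SSLVerifyClient require
<VirtualHost _default_:443>
    SSLEngine on
    SSLCACertificateFile "conf/ssl.crt/ca-bundle.cert"
    SSLVerifyClient optional
    <Location "/certauth">
        SSLVerifyClient Require
    </Location>
</VirtualHost>
"""

SECTION_OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"</\s*(\w+)\s*>")


def audit_ssl_verify_client(conf_text):
    """Return (findings, has_ca); findings are (line_no, context, value, ok)."""
    # ok is True only when the directive is set to 'require'.
    findings, context, has_ca = [], [], False
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        if SECTION_CLOSE.fullmatch(line):  # leaving a <VirtualHost>/<Location>
            if context:
                context.pop()
            continue
        opened = SECTION_OPEN.fullmatch(line)
        if opened:  # entering a section: remember it as context
            context.append(" ".join(opened.groups()).strip())
            continue
        name, *rest = line.split(None, 1)
        value = (rest[0] if rest else "").strip().strip('"').lower()
        if name.lower() == "sslverifyclient":
            where = " > ".join(context) or "server"
            findings.append((line_no, where, value, value == "require"))
        elif name.lower() in ("sslcacertificatefile", "sslcacertificatepath"):
            has_ca = True  # a CA source for verifying client certs is set
    return findings, has_ca


if __name__ == "__main__":
    for line_no, where, value, ok in audit_ssl_verify_client(SAMPLE_CONF)[0]:
        print(f"line {line_no} [{where}] SSLVerifyClient {value}: "
              f"{'OK' if ok else 'not enforcing client certificates'}")
```

On the constructed sample, the virtual-host level directive is flagged and the one inside the Location block passes; the commented-out line is ignored.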

Additional Information

For more details, check the below references:

Optional: To disable 'client authentication' within Apache, change the following configuration in the "\httpd\conf\extra\httpd-ssl.conf" file.

  • Change "SSLVerifyClient optional" to "SSLVerifyClient none"