How a Certificate Realm Works:
After an SSL session has been established, the user is prompted to select the certificate to send to the ProxySG appliance. If the certificate was signed by a Certificate Authority (CA) that the appliance trusts, the user is considered authenticated. The appliance then extracts the username for that user from the certificate.
At this point the user is authenticated. If an authorization realm has been specified, such as LDAP, XML or Local, the certificate realm then passes the username to that authorization realm, which determines which groups the user belongs to.
Note: A certificate realm works only in transparent mode, because it relies on redirection.
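The two decisions described above, trust check and username extraction, modelled with openssl as an added example (this is not ProxySG code; it assumes the username is the subject CN, uses a constructed test PKI, and treats a PEM file as the CA Certificate List):

```shell
#!/bin/sh
# Added example, not from the ProxySG documentation: what a certificate realm
# does with a presented client certificate, using only openssl.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a trusted CA (the one imported into the CA Certificate
# List) and a rogue CA that the appliance has never seen.
mk_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mk_client() {  # $1 = username (subject CN), $2 = issuing CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}
mk_ca trusted-ca
mk_ca rogue-ca
mk_client alice trusted-ca     # issued by the CA in the trusted list
mk_client mallory rogue-ca     # issued by a CA the realm does not trust

# cert_realm_username CA_LIST CLIENT_CERT
# Prints the username (subject CN) only if CLIENT_CERT chains to a CA in
# CA_LIST, which is the point at which the realm treats the user as
# authenticated. Otherwise prints nothing and returns 1 (authentication fails
# before any username is extracted).
cert_realm_username() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

cert_realm_username "$WORK/trusted-ca.pem" "$WORK/alice.pem"    # prints alice
cert_realm_username "$WORK/trusted-ca.pem" "$WORK/mallory.pem"  || echo "mallory: rejected"
```

The printed username is what the realm would hand to the LDAP, XML or Local authorization realm for group lookup; the rogue-CA certificate never reaches that step.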
Step 1 Creating a Certificate Realm
1. Select the Configuration > Authentication > Certificate > Certificate Realms tab.
2. Click New. The Management Console displays the Add Certificate Realm dialog.
3. In the Realm name field, enter a realm name. The name can be up to 32 characters long and composed of alphanumeric characters and underscores. The name must start with a letter.
4. Click OK.
5. Click Apply.
Step 2 Defining General Certificate Realm Properties
1. Select the Configuration > Authentication > Certificate > Certificate General tab.
2. From the Realm name drop-down list, select the Certificate realm to modify.
3. Specify a virtual URL:
a) In Virtual URL, enter https://:4433 (the port can be any port not already in use by the proxy).
Note that the protocol is HTTPS and the port number is 4433 (or the port you assign to the listener created in Step 3). Also note that the proxy name must match the name in the Common Name field of the authentication certificate created above, and the client must be able to resolve this name. In our example we are using https://ProxyIP:4433.
Step 3 Create a new Service and Listener to intercept the redirected authentication requests
1. Select Configuration > Services > Proxy Services > Standard > New Service.
2. Give the new service a meaningful name, in this example CertRealm.
3. Under Proxy Settings, change the Proxy to HTTPS Reverse Proxy.
4. For Keyring, select the default keyring or any other.
5. Under Listeners, click New.
6. Change the Destination to ALL and change the port to 4433 (or any other port of your choosing, as long as it does not conflict with an existing listener port).
Click OK, then OK again, and then Apply.
7. Enable Interception on HTTPS port 443.
Step 4 Configure SSL between the client and ProxySG appliance.
1. Open VPM
2. Add new Web Authentication Layer
3. Add new rule
a) In Action, set up Force Authentication.
b) Select Mode: Origin Cookie Redirect.
4. Save and install the policy.
Step 5 Import CA certificate into CA Certificate List
1. Select Configuration > SSL > CA Certificates > CA Certificate Lists.
2. Click Import, enter a certificate name, and paste the CA certificate in base64 (PEM) form.
3. Select CA Certificate List > Browser-Trusted and add the newly created CA certificate.
Step 6 Import Client Certificate into Browser.