X.509 Cert Authentication configuration with CA Access Gateway (SPS)
Article ID: 9824
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
SITEMINDER
CA Single Sign On Agents (SiteMinder)
Issue/Introduction
How to configure X.509 cert authentication with CA Access Gateway?
Resolution
Pre-requisites:
Get 3 required certificates (1):
Trusted CA root certificate.
Server Certificate from a trusted CA.
Client Certificate from a trusted CA.
Changes on the Policy Server:
Create X.509 certificate authentication scheme as below:
Create Domain, Realm, Rule (get/post), Policy. Protect the realm with the X.509 authentication scheme:
Click Certificate Mappings under Directory and create mapping as below.
Note:
- Ensure that the Issuer DN matches exactly as in the user certificate.
- Choose the mapping attribute as per the Active Directory LDAP User DN lookup configuration.
Changes on the CA Access Gateway (SPS):
A) Configure SSL for Apache
Login to Proxy UI and navigate to Proxy Configuration > SSL Config
Click the Request button under Embedded Web Server SSL Configuration
Enter the requested details. Ensure that the Requester Name matches the hostname as configured in the VirtualHost configuration in Server.conf.
Click Generate button to create the CSR (certificate signing request file).
Save the CSR file. You will need to submit this file to the CA for signing.
Now, before importing the signed server certificate file from CA, if the CA is not a Trusted CA, import the CA along with its intermediate certificate.
Navigate to Proxy Configuration > SSL Config. Click Import CA under Embedded Web Server SSL Configuration.
Click on the Browse button and select the CA certificate. Then, continue clicking Next until the CA certificate is imported successfully.
If there are Intermediate CA certificates, repeat the same steps to import them as well.
Once the CA is imported, import the signed server certificate from the CA.
Navigate to Proxy Configuration > SSL Config. Under Embedded Web Server SSL Configuration, click Browse to select the signed server certificate, choose the CA which signed it from the CA Certificate drop-down, and click Apply. Click Import CA under Embedded Web Server SSL Configuration.
Upon import, a confirmation message is shown. Restart the CA Secure Proxy service to fully enable the SSL configuration.
Restart CA Secure Proxy Service and try accessing Apache over HTTPS to confirm that SSL is enabled:
B) Configure SPS Apache for X.509 client certificate authentication
To ensure that Apache requests a certificate from the client (browser), modify the httpd-SSL.conf file under the <CA Access Gateway Home>\httpd\conf\extra folder as below (2)(3)(4):
Change SSLVerifyClient from optional to require
Next, un-comment the SSLCACertificateFile parameter. The ca-bundle.cert will already have been configured with the CA certificate which signed the Apache server certificate.
If the CA which signed the client certificate is not the same as the one which signed your Apache server certificate, manually add the CA certificate to the ca-bundle.cert file.
(For testing, both CAs are the same, so there's no need to add any extra certificate to this file.)
Restart CA Secure Proxy Service.
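A quick check of the two httpd-SSL.conf settings changed in section B, as an added example that is not part of the original article or the product: it reports when SSLVerifyClient is not set to require or SSLCACertificateFile is still commented out. The sample configuration, its file path and the function names are constructed for illustration.

```python
import sys

# Constructed sample of the relevant lines (not copied from a real httpd-SSL.conf).
SAMPLE_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
SSLVerifyClient optional
#SSLCACertificateFile "conf/ca-bundle.cert"
</VirtualHost>
"""

def active_directives(conf_text):
    """Map lower-cased directive name -> list of values, skipping comments and section tags."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        # Apache directive names are case-insensitive, so normalise them.
        found.setdefault(parts[0].lower(), []).append(value)
    return found

def audit_client_cert_config(conf_text):
    """Return findings; an empty list means both settings the article changes are in place."""
    directives = active_directives(conf_text)
    findings = []
    modes = directives.get("sslverifyclient", [])
    if not modes:
        findings.append("SSLVerifyClient not set: Apache defaults to 'none'")
    for mode in modes:
        # Any occurrence weaker than 'require' lets a request through without a client certificate.
        if mode.lower() != "require":
            findings.append("SSLVerifyClient is '%s', expected 'require'" % mode)
    if not any(directives.get("sslcacertificatefile", [])):
        findings.append("SSLCACertificateFile is commented out or missing")
    return findings

if __name__ == "__main__":
    # Pass the path to httpd-SSL.conf as the first argument; without one the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = audit_client_cert_config(text)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when a finding is reported, so it can be run before restarting the CA Secure Proxy Service.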
Changes on the client machine
Import the client certificate either using MMC or using the browser itself.
Testing:
From the client machine, access the resource that is protected with the X.509 authentication scheme. For this test, protect the Auth/Az webservice with the X.509 certificate authentication scheme, then try accessing it on the HTTPS port.
At the prompt, select the client/user certificate. Choose the appropriate user certificate and click OK.