X.509 Cert Authentication Scheme configuration with Apache Agent
Article ID: 46568
Products

  - CA Single Sign On Secure Proxy Server (SiteMinder)
  - CA Single Sign On SOA Security Manager (SiteMinder)
  - CA Single Sign-On SITEMINDER
  - CA Single Sign On Agents (SiteMinder)

Issue/Introduction

How to configure X.509 certificate authentication with the CA Single Sign-On Web Agent on an Apache Web Server.


Environment


Web Agent 12.52SP1 on Apache 2.4 on Windows;

Web Agent 12.52SP1CRxx on Apache 2.4 on Linux/UNIX;

Resolution


Pre-requisites:

Get the following 3 required certificates (1):

  1. Trusted CA root certificate.
  2. Server Certificate from a trusted CA.
  3. Client Certificate from a trusted CA.

Instructions:

Changes on the Apache Web Server (2):

Changes to httpd.conf

1. Ensure the mod_ssl LoadModule line is uncommented.

    LoadModule ssl_module modules/mod_ssl.so

2. Ensure either httpd-ssl.conf or httpd-ahssl.conf is configured.

    <IfModule ssl_module>
    #Include conf/extra/httpd-ssl.conf
    Include conf/extra/httpd-ahssl.conf
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>

Changes to httpd-ssl.conf/httpd-ahssl.conf

1. Ensure a Listen port is specified for HTTPS.

    Listen 443 https

2. Configure the SSL virtual host with the client-certificate options (SSLCACertificateFile, SSLVerifyClient require and SSLVerifyDepth) set as shown below. SSLCACertificateFile must point to the trusted CA root certificate that issued the client certificates; SSLVerifyClient require rejects any TLS handshake that does not present a client certificate chaining to it.

    <VirtualHost _default_:443>
        ServerName localhost:443
        SSLEngine on
        SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
        SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
        # Trusted CA root that issued the client certificates
        SSLCACertificateFile "${SRVROOT}/conf/ssl/ca.crt"
        # Reject handshakes without a valid client certificate
        SSLVerifyClient require
        SSLVerifyDepth 10
        DocumentRoot "${SRVROOT}/htdocs"
        # DocumentRoot access handled globally in httpd.conf
        CustomLog "${SRVROOT}/logs/ssl_request.log" \
                  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        <Directory "${SRVROOT}/htdocs">
            Options Indexes Includes FollowSymLinks
            AllowOverride AuthConfig Limit FileInfo
            Require all granted
        </Directory>
    </VirtualHost>

    Note: If Apache runs as a Windows service, it needs the server key unencrypted, because no one is present to type the passphrase at service start.

    Use the following command to convert the encrypted server key to an unencrypted one:

      c:\> openssl rsa -in server.key -out server.key
      Enter pass phrase for server.key:      <- enter the passphrase and press Return
      writing RSA key

Changes on the Policy Server

1. Create an X.509 Certificate authentication scheme.

2. Create Domain, Realm, Rule (get/post), Policy. Protect the realm with the X.509 authentication scheme.

3. Click Certificate Mappings under Directory and create a mapping with the settings described in the following note.

   Note:

   Ensure that the Issuer DN entered in the mapping matches the Issuer DN in the user certificate exactly.
   Choose the mapping attribute according to the Active Directory LDAP user DN lookup configuration.
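The prerequisites list three certificates and the note above requires the Issuer DN in the mapping to match the user certificate exactly; both are easy to get subtly wrong. As an added example (not from the original article), the following POSIX shell script uses only the openssl CLI to build a constructed, throwaway PKI and then checks a client certificate the way Apache (SSLCACertificateFile with SSLVerifyClient require) and the Policy Server Certificate Mapping will: it must chain to ca.crt, and its Issuer DN must equal the CA subject byte for byte. The subjects, file names and the WORK scratch directory are assumptions made for the demonstration; a second CA and a client certificate issued by it are included only to show the failure case.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds a constructed test PKI with
# the openssl CLI and checks a client certificate against the CA file the way Apache
# (SSLVerifyClient require) and the Policy Server Certificate Mapping will.
# Assumes only the openssl CLI and a writable scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"    # scratch directory (assumption: fresh and writable)

# Print a certificate's subject or issuer DN in RFC 2253 form, without the "subject="/"issuer=" prefix.
subject_dn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_dn()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Issue a leaf certificate with subject $3, signed by CA cert $1 / key $2, written to $4.crt and $4.key.
issue_leaf() {
  ca_crt="$1"; ca_key="$2"; subj="$3"; out="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$out.key" -out "$out.csr" >/dev/null 2>&1
  openssl x509 -req -in "$out.csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
    -days 2 -sha256 -out "$out.crt" >/dev/null 2>&1
}

# Constructed test PKI: one trusted root CA, a server cert and a client cert signed by it,
# plus a second ("other") CA and a client cert signed by that one for the failure case.
make_test_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/C=US/O=Example Corp/CN=Example Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  issue_leaf "$d/ca.crt" "$d/ca.key" "/CN=localhost"                "$d/server"
  issue_leaf "$d/ca.crt" "$d/ca.key" "/C=US/O=Example Corp/CN=jdoe" "$d/client"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/C=US/O=Other Corp/CN=Other Root CA" \
    -keyout "$d/other-ca.key" -out "$d/other-ca.crt" >/dev/null 2>&1
  issue_leaf "$d/other-ca.crt" "$d/other-ca.key" "/C=US/O=Example Corp/CN=jdoe" "$d/other-client"
}

# Returns 0 only if certificate $2 chains to CA file $1 (what SSLVerifyClient require enforces)
# and its Issuer DN equals the CA subject exactly (what the Certificate Mapping needs).
check_client_cert() {
  ca="$1"; cert="$2"
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; return 1
  fi
  want=$(subject_dn "$ca"); got=$(issuer_dn "$cert")
  if [ "$want" != "$got" ]; then
    echo "FAIL: issuer DN '$got' differs from CA subject '$want'"; return 1
  fi
  echo "OK: $cert; Issuer DN for the Certificate Mapping: $got"
}

make_test_pki "$WORK"
check_client_cert "$WORK/ca.crt" "$WORK/client.crt"
check_client_cert "$WORK/ca.crt" "$WORK/other-client.crt" || true   # expected to fail: wrong CA
```

Run it as-is: the genuine client certificate prints an OK line with the Issuer DN to copy into the Certificate Mapping, and the certificate from the other CA fails the chain check even though its subject is identical, which is why the mapping alone is not a substitute for the Apache-side check. Note that the RFC 2253 form lists the RDNs most-specific first (CN, then O, then C), the reverse of the slash-separated form used in the openssl commands, so compare attribute values if your certificate viewer displays them in the other order.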

Changes on the client machine:

1. Open the MMC console and import the client certificate and the CA root certificate into the Current User certificate store.


How to Test:

1. From the client machine, access a resource protected by the X.509 authentication scheme.

2. The browser prompts you to select a client/user certificate. Choose the appropriate user certificate and click OK.



Additional Information

(1) SSL/TLS Strong Encryption: How-To