X.509 Certificate or Basic Authentication Schemes

The X.509 Client Certificate or Basic authentication scheme allows either Basic authentication or X.509 Client Certificate authentication to establish a user identity. For a user to authenticate successfully, one of the following two events must occur:
  • The X.509 client certificate of the user must be verified.
  • The user must provide a valid user name and password.
With this scheme, when a user requests a protected resource, the Web Agent challenges the browser to present a certificate. If the user does not have a certificate or chooses not to provide one (by clicking Cancel), the Web Agent challenges the user with the HTTP Basic protocol. HTTP Basic authentication allows the agent to obtain a user name and password.
This scheme is useful if you must gradually deploy X.509 certificates. For example, in a company with 50,000 users, it is a challenge to issue and deploy 50,000 certificates simultaneously. This scheme allows you to issue certificates as you see fit (500 or 5,000 at a time). During this transition period, your resources can be protected with certificates for those users who already have them, allowing other authorized users to access resources based on directory user names and passwords.
This scheme gives you the option of configuring the Basic authentication exchange to require an SSL connection.
If you implement multiple certificate-based authentication schemes that include a mixture of X509 Certificate or Basic schemes and other certificate-based schemes, a browser caching limitation can cause unexpected behavior. When a user does not select certificate-based authentication for accessing a resource in a realm protected by a Certificate or Basic authentication scheme, the browser caches this decision. If the same user (in the same browser session) then attempts to access a resource that is protected by an authentication scheme with a mandatory certificate portion (such as X509 Certificate, X509 Certificate and Basic, or X509 Certificate and Form), the user receives a "Forbidden" error message.
Because the user chose not to send a certificate for the certificate-based authentication when accessing the first resource, and the browser cached that decision, the user is automatically rejected when accessing the realm that requires the certificate.
Encourage users who have valid certificates to use them when accessing resources in a deployment that mixes realms protected by X509 Certificate or Basic schemes with realms protected by other certificate-based schemes that do not let the user decide whether to send a certificate for authentication.
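The decision the Web Agent makes under this scheme, as an added example that is not part of the original page: a small stdlib-only Python model (constructed class and function names, a constructed user directory) of the two authentication paths, the option of requiring SSL for the Basic exchange, and the browser-caching caveat for realms whose scheme has a mandatory certificate portion.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed model of the Web Agent decision; names are illustrative, not SiteMinder APIs.
@dataclass
class Request:
    https: bool                          # request arrived over SSL
    client_cert_verified: bool           # browser sent a cert and it verified
    authorization: Optional[str] = None  # raw Authorization header, if any

# Constructed user directory: user name -> password (real stores hold hashes)
USER_DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic(header: Optional[str]) -> Optional[str]:
    """Return the user name if the Basic credentials match the directory."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, _, password = decoded.partition(":")
    return user if USER_DIRECTORY.get(user) == password else None

def authenticate(req: Request, cert_mandatory: bool = False,
                 basic_requires_ssl: bool = True) -> Tuple[int, str]:
    """A verified certificate always wins; otherwise fall back to Basic unless
    the realm's scheme has a mandatory certificate portion."""
    if req.client_cert_verified:
        return 200, "authenticated by certificate"
    if cert_mandatory:
        return 403, "Forbidden: realm requires a client certificate"
    if basic_requires_ssl and not req.https:
        # Assumption: never solicit a password over cleartext; send the browser
        # to the HTTPS endpoint rather than issuing the Basic challenge here.
        return 302, "redirect to HTTPS credential collector"
    user = check_basic(req.authorization)
    if user:
        return 200, f"authenticated by Basic as {user}"
    return 401, 'WWW-Authenticate: Basic realm="protected"'

def browser_session(declined_cert: bool, realms_mandatory: List[bool]) -> List[int]:
    """Replay the caching caveat: a browser that declined its certificate keeps declining."""
    hdr = basic_header("alice", "correct horse")
    return [authenticate(Request(True, not declined_cert, hdr), m)[0] for m in realms_mandatory]
```

`browser_session(True, [False, True])` reproduces the caveat: the Certificate or Basic realm still admits the user by password, but the realm with a mandatory certificate portion answers 403.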
X.509 Client Certificate or Basic Scheme Prerequisites
Verify the following prerequisites before you configure an X.509 Client Certificate or Basic authentication scheme:
  • An X.509 Server Certificate is installed on the SSL Web server.
    If the Policy Server is operating in FIPS mode, ensure the certificate was generated using only FIPS-approved algorithms.
  • The network must support an SSL connection to the client browser (HTTPS protocol).
  • X.509 client certificates are installed on client browsers.
  • Trust is established between client certificates and server certificates.
  • Certificates are issued by a valid and trusted Certification Authority (CA).
  • The issuing CA public key validates the issuer’s digital signature.
  • Client and server certificates have not expired.
  • The public key of the user validates the digital signature of the user.
  • Client user name and password information exists in a user directory.
  • A directory connection exists between the Policy Server and the user directory.
For Apache Web servers where certificates are required or optional, the SSLVerifyDepth 10 line in the httpd.conf file must be uncommented.
Configure an X.509 Certificate or Basic Authentication Scheme
You use an X.509 Certificate or Basic authentication scheme to implement certificate authentication or basic authentication or both.
The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.
    Verify that Create a new object of type Authentication Scheme is selected.
  4. Click OK.
  5. Enter a name and a protection level.
  6. Select X509 Client Cert or Basic Template from the Authentication Scheme Type list.
  7. Enter server and target information for the SSL Credentials Collector.
  8. (Optional) Select Persist Authentication Session Variables in Scheme Setup. This option specifies that the authentication context data is saved in the session store.
  9. Click Submit.
    The authentication scheme is saved and can be assigned to a realm.