X.509 Client Certificate and HTML Forms Authentication Schemes

The X.509 Client Certificate and HTML Forms authentication scheme combines HTML Forms authentication and X.509 Client Certificate authentication: the user must present a valid client certificate and also enter credentials in an HTML form. Requiring both factors provides an extra layer of security for critical resources.
For a user to authenticate successfully, the following two events must occur:
  • The user’s X.509 client certificate must be verified.
  • The user must provide the credentials that are requested by an HTML form.
For this scheme, the authentication process follows these steps:
  1. The Policy Server instructs the Web Agent to redirect the user to an FCC on an SSL-enabled web server.
  2. The Web Agent presents the form.
  3. The FCC passes the certificate and the form credentials back to the Policy Server.
  4. The Policy Server verifies that the user identified by the certificate mapping exists in the user directory.
  5. The Policy Server verifies the HTML form credentials of the user and verifies that the certificate credentials and the HTML Forms credentials represent the same user.
X.509 Client Certificate and HTML Forms Scheme Prerequisites
Verify the following prerequisites are met before configuring an X.509 Client Certificate and HTML Forms authentication scheme:
  • An X.509 Server Certificate is installed on the SSL Web server.
    If the Policy Server is operating in FIPS mode, ensure the certificate was generated using only FIPS-approved algorithms.
  • The network supports an SSL connection to the client browser (HTTPS protocol).
  • X.509 client certificates are installed on client browsers.
  • Trust is established between client certificates and server certificates.
  • The certificate is issued by a valid and trusted Certification Authority (CA).
  • The issuing CA’s public key validates the issuer’s digital signature on the client certificate.
  • Client and server certificates have not expired.
  • The user’s public key, taken from the client certificate, validates the digital signature that the client produces during the SSL handshake.
  • Form credentials information exists in a user directory.
  • A directory connection exists between the Policy Server and the user directory.
  • (Sun Java System Web Server) If you are using a Sun Java System web server, increase the value of the StackSize parameter in the magnus.conf file to a value greater than 131072. If the value is not changed, the web server dumps core and restarts each time the Policy Server makes an authentication request using forms.
For Apache web servers where client certificates are required or optional (SSLVerifyClient require or SSLVerifyClient optional), the SSLVerifyDepth 10 directive in the httpd.conf file must be uncommented.
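The certificate-side prerequisites above, rehearsed with the openssl command line, as an added example that is not part of this documentation or of the product. It builds a throwaway issuing CA and a client certificate, then runs the checks the list describes (issuer signature and trust chain, validity period, possession of the private key matching the certificate's public key) together with their failing counterparts, and finally checks a constructed httpd.conf fragment for the uncommented SSLVerifyDepth directive. The subject names, file names and the 30-day validity are assumptions; it requires openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not CA Single Sign-On code: rehearses the certificate
# prerequisites with openssl against a throwaway CA and client certificate.
# Assumes openssl 1.1.1+ on PATH; CN "jdoe" and the file names are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway issuing CA: stands in for "a valid and trusted CA".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client certificate issued by that CA, valid for 30 days. The CN is the
# value a certificate mapping would look up in the user directory.
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=jdoe" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/client.crt" 2>/dev/null
}

# Self-signed certificate with the same CN but no trusted issuer: what a
# certificate from an untrusted CA looks like to the server.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=jdoe" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Trust and issuer signature: the CA public key in $2 must validate the
# signature on $1 and the chain must end at a trusted root.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Validity period: succeeds only if $1 does not expire within $2 seconds.
check_not_expired() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Key possession: a signature made with private key $2 must verify under the
# public key carried in certificate $1. This stands in for the signature the
# browser produces during the SSL handshake.
check_key_matches_cert() {
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem" 2>/dev/null
  printf 'handshake-nonce' > "$WORK/nonce"
  openssl dgst -sha256 -sign "$2" -out "$WORK/nonce.sig" "$WORK/nonce" 2>/dev/null
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/nonce.sig" \
    "$WORK/nonce" >/dev/null 2>&1
}

# Apache prerequisite: "SSLVerifyDepth 10" must appear in $1 and not be
# commented out.
verify_depth_enabled() {
  grep -Eq '^[[:space:]]*SSLVerifyDepth[[:space:]]+10([[:space:]]|$)' "$1"
}

# Constructed httpd.conf fragments: the first still has the directive
# commented out (the misconfiguration the prerequisite warns about), the
# second is the corrected form.
cat > "$WORK/httpd.weak.conf" <<'EOF'
SSLEngine on
SSLVerifyClient require
#SSLVerifyDepth 10
EOF
cat > "$WORK/httpd.fixed.conf" <<'EOF'
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10
EOF

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

make_ca; make_client_cert; make_rogue_cert
report verify_chain "$WORK/client.crt" "$WORK/ca.crt"
report verify_chain "$WORK/rogue.crt" "$WORK/ca.crt"                # FAIL: untrusted issuer
report check_not_expired "$WORK/client.crt" 86400
report check_not_expired "$WORK/client.crt" $((40 * 86400))         # FAIL: expires within 40 days
report check_key_matches_cert "$WORK/client.crt" "$WORK/client.key"
report check_key_matches_cert "$WORK/client.crt" "$WORK/rogue.key"  # FAIL: key does not match cert
report verify_depth_enabled "$WORK/httpd.weak.conf"                 # FAIL: directive commented out
report verify_depth_enabled "$WORK/httpd.fixed.conf"
```

Each check is a separate function so it can be pointed at a real client certificate, CA bundle or httpd.conf instead of the generated files; the failing cases show what a certificate from an untrusted CA, a certificate near expiry, a mismatched private key and a still-commented SSLVerifyDepth line look like before the Policy Server ever sees the request.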
The certificate and forms data are collected and passed to the Policy Server together. The outcome depends on what was collected:
  • If there is no certificate, the browser receives an HTTP 500 error.
  • If the certificate and forms credentials are not accepted, the browser receives an HTTP 500 error.
Agent API Support
The X.509 Client Certificate and HTML Forms scheme uses the Sm_AuthApi_Cred_SSLRequired and the Sm_AuthApi_Cred_FormRequired bits.
Configure an X.509 Certificate and HTML Forms Authentication Scheme
Use an X.509 Certificate and HTML Forms authentication scheme to combine certificate authentication and HTML forms-based authentication.
The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.
    Verify that the Create a new object of type Authentication Scheme is selected.
  4. Click OK.
  5. Enter a name and a protection level.
  6. Select X509 Client Cert and Form Template from the Authentication Scheme Type list.
  7. Enter the server name and target information for the SSL Credentials Collector.
  8. (Optional) Select Persist Authentication Session Variables in Scheme Setup. This option specifies that the authentication context data is saved in the session store.
  9. Click Submit.
    The authentication scheme is saved and can be assigned to a realm.