X.509 Client Certificate Authentication Schemes

You can configure X.509 V3 client certificates. After a certificate is installed on a client, that certificate can be used to verify the identity of a user requesting a resource. Certificate authentication uses SSL communication and can be combined with basic authentication to provide an even higher level of access security.
For certificate-only authentication schemes, Agent returns HTTP Error 403: Access Denied/Forbidden for any failed authentication or authorization attempt. This is because there is no way for Agent to challenge the user for a new certificate.
The X.509 Client Certificate authentication schemes implement certificate authentication. To use X.509 client certificate authentication, your environment must be able to handle SSL communication. This means that the client browser, the web server and any user certificates must be configured to accept and perform certificate authentication. These tasks are outside the scope of the Policy Server configuration.
After the necessary SSL components are set up properly, configure an X.509 authentication scheme. The configuration tasks include:
  • (Web Agent) Select an advanced SSL authentication scheme when running the Web Agent Configuration Wizard.
  • Configure one of the X.509 authentication schemes using the Administrative UI.
The X.509 Client Certificate authentication schemes do the following tasks:
  • Collect the client certificate information.
  • Identify a user in a directory based on the information from the user certificate. This process is named certificate mapping.
  • Optionally, check whether the certificate is valid, using Certificate Revocation Lists (CRLs) or the Online Certificate Status Protocol (OCSP).
Extracting a Certificate for Certificate Authentication
When a user requests a protected resource, the Agent first contacts the Policy Server to determine which authentication scheme is protecting the resource. If an X.509 authentication scheme is protecting a resource, Agent redirects the user’s browser to the credential collector that corresponds to the configured authentication scheme. The path to the credential collector is defined in the authentication scheme configuration.
The connection to the credential collector is an SSL-secured connection and the web server is configured to require a client certificate. Therefore, the browser must submit a client certificate for authentication. The resource name and extension at the end of the credential collector URL instructs Agent to extract a user certificate from the web server. Agent then passes the certificate to the Policy Server for use by the authentication scheme.
How CA Single Sign-On Uses Certificate Data to Identify Users
After Agent collects certificate information, it passes the data to the Policy Server for verification. The Policy Server then performs certificate mapping. The goal of certificate mapping is to locate a user by the Subject Name in the user certificate.
First, the Policy Server looks up the appropriate certificate mapping in the policy store. The Policy Server uses the certificate Issuer DN to locate the mapping. The Issuer DN is part of the certificate mapping configuration. After the Policy Server finds the mapping, it takes the Subject Name from the certificate and applies the mapping to find the user entry in the user directory.
The Policy Server can access user certificates stored only in the following repositories:
  • LDAP/AD user directory
  • ODBC store
You are required to configure certificate mapping for any X.509 client certificate authentication scheme.
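The certificate mapping step described above, as an added Python example that is not CA Single Sign-On code: the Issuer DN selects a mapping from a constructed policy-store table, the mapped Subject Name attribute is escaped into an LDAP search filter and resolved against a constructed user directory. The mapping fields, DNs and directory entries are assumptions; a None result corresponds to the failed attempt for which Agent returns HTTP 403.

```python
import re

# Constructed policy-store certificate mappings keyed by normalized Issuer DN.
# Each mapping names the Subject Name RDN attribute to take and the
# user-directory attribute to search with it (field names are assumptions).
CERT_MAPPINGS = {
    "cn=example corp issuing ca,o=example corp,c=us": {"subject_attr": "CN", "dir_attr": "uid"},
}

# Constructed LDAP user directory entries.
USER_DIRECTORY = [
    {"uid": "jdoe", "mail": "jdoe@example.com"},
    {"uid": "asmith", "mail": "asmith@example.com"},
]

def parse_dn(dn):
    """Split an RFC 4514 DN string into [(attr, value)], honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs

def normalize_dn(dn):
    """Canonical key for the mapping lookup: lowercase attributes and values, no stray spaces."""
    return ",".join(f"{attr}={value.lower()}" for attr, value in parse_dn(dn))

def ldap_escape(value):
    """RFC 4515 escaping so a Subject Name value cannot change the shape of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def map_certificate(issuer_dn, subject_dn):
    """Return (ldap_filter, user_entry) for exactly one matched user, else None (the 403 case)."""
    mapping = CERT_MAPPINGS.get(normalize_dn(issuer_dn))
    if mapping is None:
        return None                      # no certificate mapping for this issuer
    subject = dict(parse_dn(subject_dn))
    value = subject.get(mapping["subject_attr"].lower())
    if not value:
        return None                      # Subject Name lacks the mapped attribute
    search_filter = f"({mapping['dir_attr']}={ldap_escape(value)})"
    matches = [u for u in USER_DIRECTORY if u.get(mapping["dir_attr"]) == value]
    if len(matches) != 1:
        return None                      # no user entry, or an ambiguous match
    return search_filter, matches[0]
```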
X.509 Client Certificate Scheme Prerequisites
Satisfy the following prerequisites before configuring an X.509 Client Certificate authentication scheme:
  • Install an X.509 server certificate on the SSL web server. Be sure that the certificate is not expired.
    If the Policy Server is operating in FIPS mode, ensure the certificate was generated using only FIPS-approved algorithms.
  • Verify that the network supports an SSL connection to the client browser (HTTPS protocol).
  • Verify that the X.509 client certificates are installed for client browsers. Be sure that the certificates are not expired.
Configure an X.509 Certificate Authentication Scheme
In addition to setting up the SSL environment, complete the following process to configure certificate authentication:
  1. Set up your environment to handle SSL communication. Configure the client browser, the web server and any user certificates to accept and perform certificate authentication.
  2. Verify that the installed Agent can handle SSL authentication.
  3. Configure an X.509 authentication scheme in the Administrative UI.
  4. Define certificate mappings to identify a user based on the information in the client certificate.
  5. (Optionally) Configure certificate validation using CRLs or OCSP.
The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objec
Follow these steps:
  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.
    Verify that the Create a new object of type Authentication Scheme is selected.
  4. Click OK.
  5. Enter a name and a protection level.
  6. Select the X.509 Client Cert Template from the Authentication Scheme Type list.
  7. Enter the server name and target information for the SSL Credentials Collector.
  8. (Optional) Select the Persist Authentication Session Variables in Scheme Setup. This option specifies that the authentication context data is saved in the session store for later use in authentication decisions.
  9. Click Submit.
    The authentication scheme is saved and can be assigned to a realm.
The X.509 certificate authentication scheme is now configured in the Administrative UI. Now set up certificate mapping.