X.509 Client Certificate or HTML Forms Authentication Schemes

The X.509 Client Certificate or HTML Forms authentication scheme allows either HTML Forms authentication or X.509 Client Certificate authentication to establish a user identity. For a user to authenticate successfully, one of the following two events must occur:
  • The X.509 client certificate must be verified.
  • The user must provide the credentials that an HTML form requests.
When a user requests a protected resource, the Web Agent challenges the browser to present a certificate. The scheme has the following effect:
If...                               then...
A certificate is presented          The certificate is processed
The certificate is not accepted     The browser issues error 500
No certificate is presented         The browser presents a form
The form is rejected                The browser prompts again for a form
This scheme is useful if you must deploy X.509 certificates gradually. For example, in a company with 50,000 users, it is a challenge to issue and deploy 50,000 certificates simultaneously. This scheme allows you to issue certificates as you see fit (500 or 5,000 at a time). During this transition period, your resources can be protected with certificates for those users who already have them, allowing other authorized users to access resources that are based on HTML forms credentials.
If you implement multiple certificate-based authentication schemes that include a mixture of X509 Certificate or Forms schemes, a browser caching limitation may cause unexpected behavior. When a user does not use certificate-based authentication to access a resource in a realm that is protected by a Certificate or Forms authentication scheme, the browser caches this decision automatically. If the same user (in the same browser session) then attempts to access a resource that is protected by an authentication scheme with a mandatory certificate portion, such as X509 Certificate, X509 Certificate and Basic, or X509 Certificate and Form, the user receives a "Forbidden" error message.
Because the user chose not to send a certificate for the certificate-based authentication when accessing the first resource, and the browser cached that decision, the user is automatically rejected when accessing the realm that requires the certificate.
Encourage users who have valid certificates to use them whenever a deployment mixes realms protected by X509 Certificate or Forms schemes with realms protected by other certificate-based schemes that do not let the user decide whether to send a certificate for authentication.
X.509 Client Certificate or HTML Forms Scheme Prerequisites
Verify the following prerequisites before you configure an X.509 Client Certificate or HTML Forms authentication scheme:
  • An X.509 Server Certificate is installed on the SSL Web server.
    If the Policy Server is operating in FIPS mode, ensure the certificate was generated using only FIPS-approved algorithms.
  • The network must support SSL connection to the client browser (HTTPS protocol).
  • X.509 client certificates are installed on client browsers.
  • Trust is established between client certificates and server certificates.
  • A valid and trusted Certification Authority (CA) issues certificates.
  • The issuing CA public key validates the digital signature of the user.
  • Client and server certificates have not expired.
  • The public key validates the digital signature of the user.
  • User attributes requested by the HTML form exist in a user directory.
  • A directory connection exists between the Policy Server and the user directory.
  • (Sun Java Systems) If you are using a Sun Java Systems web server, increase the value of the StackSize parameter in the magnus.conf file to a value greater than 131072. Failing to change the value causes the web server to dump its core and restart each time the Policy Server makes an authentication request using forms.
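As an added example (not part of the CA documentation and not the product's own tooling), the following POSIX shell script builds a constructed CA and client certificate with the openssl command line and runs the checks behind the prerequisites above: the trust anchor really is a CA, the client certificate chains to it with a valid signature and a client-authentication purpose, a certificate issued by a CA the server does not trust is rejected, and the certificate has not expired (with a headroom variant that flags certificates about to expire). All names, paths, subjects and validity periods are constructed for the demo.

```shell
#!/bin/sh
# Added example, not taken from the CA documentation: check the certificate
# prerequisites listed above with the openssl CLI. The CA, client certificate,
# names and paths are all constructed here in a scratch directory, so the
# script runs offline and touches nothing else on the system.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Request config for a self-signed root that is explicitly marked as a CA.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Request config for the user's certificate, plus the extensions the CA adds
# when it signs the request (an end-entity certificate for TLS client auth).
cat > "$WORK/client.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = alice
EOF
cat > "$WORK/client_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# Trusted root CA and a client certificate issued by it (30-day validity).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/client.cnf" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -sha256 -days 30 -in "$WORK/client.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/client_ext.cnf" -out "$WORK/client.crt" 2>/dev/null

# An unrelated root that signs the same request: a certificate from a CA the
# server does not trust, which the scheme must reject.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/ca.cnf" \
  -subj '/CN=Untrusted Test CA' -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
openssl x509 -req -sha256 -days 30 -in "$WORK/client.csr" \
  -CA "$WORK/other.crt" -CAkey "$WORK/other.key" -CAcreateserial \
  -extfile "$WORK/client_ext.cnf" -out "$WORK/untrusted_client.crt" 2>/dev/null

# Prerequisites "trust is established", "a trusted CA issued the certificate"
# and "the CA public key validates the signature": full chain validation
# against the trusted bundle, for a certificate usable as a TLS client cert.
chain_is_trusted() {  # $1 = trusted CA bundle, $2 = certificate to check
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Prerequisite "certificates have not expired": succeeds only if the
# certificate is still valid $2 seconds from now (0 = just "not expired yet").
cert_is_unexpired() {  # $1 = certificate, $2 = seconds of headroom
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# The trust anchor itself must be a CA certificate (basicConstraints CA:TRUE).
cert_is_ca() {  # $1 = certificate
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

report() {  # print yes/no for one check; the exit codes are what matter
  printf '%-44s' "$1"; shift
  if "$@"; then echo yes; else echo no; fi
}

report "trust anchor is a CA:"               cert_is_ca        "$WORK/ca.crt"
report "issued client cert verifies:"        chain_is_trusted  "$WORK/ca.crt" "$WORK/client.crt"
report "cert from untrusted CA verifies:"    chain_is_trusted  "$WORK/ca.crt" "$WORK/untrusted_client.crt"
report "client cert valid now:"              cert_is_unexpired "$WORK/client.crt" 0
report "client cert still valid in 60 days:" cert_is_unexpired "$WORK/client.crt" $((60 * 86400))
```

Run it with openssl on the PATH; the third and fifth lines of the report come out as "no". In a real deployment, point chain_is_trusted at the CA bundle the SSL web server trusts and at a user's certificate exported from the browser, and give cert_is_unexpired a headroom that matches your renewal lead time so expiring certificates are caught before users fall back to the form.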
Agent API Support
In the Agent API, the value Sm_AuthApi_Cred_CertOrForm has been added to the enumerated type Sm_Api_Credentials_t. Sm_Api_Credentials_t specifies the credentials that are required for a user to access the realm that the structure Sm_AgentApi_Realm_t references. The enumerated type applies to the nRealmCredentials field of the structure.
The new value specifies that user authentication requires either an X.509 certificate or a forms-based authentication scheme.
Configure an X.509 Certificate or HTML Forms Authentication Scheme
You can use an X.509 Certificate or HTML Forms authentication scheme to implement certificate authentication, HTML forms-based authentication, or both.
The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.
    Verify that Create a new object of type Authentication Scheme is selected.
  4. Click OK.
  5. Enter a name and a protection level.
  6. Select X509 Client Cert or Form Template from the Authentication Scheme Type list.
  7. Enter server and target information.
  8. (Optional) Select Persist Authentication Scheme Data in Scheme Setup. This option specifies that authentication context data is saved in the session store.
  9. Click Submit.
    The authentication scheme is saved and can be assigned to a realm.
For Apache web servers where certificates are required or optional, uncomment the SSLVerifyDepth 10 line in the httpd.conf file.