How to Link a Client Certificate to a Session (Windows)

For IIS 7.x (Windows only) and Apache-based web servers, you can link a client certificate with a CA Single Sign-On session. This feature verifies that the following identities match:
  • The identity of the user that is associated with a CA Single Sign-On session.
  • The identity of the client certificate that is used in the transaction.
If these items do not match, the product blocks transactions.
To use this feature, do the following tasks:
  • Configure all web servers so that they acquire the client certificate automatically. This is especially important when the logon server is separate from the policy-enforcement point.
  • Use an X.509 Certificate authentication scheme (other authentication schemes are not supported).
Follow these steps:
Add the Plug-in
Adding the plug-in is the first step of linking the client certificate with the session.
Follow these steps:
  1. Log in to the system hosting your agent.
  2. Open the following file with a text editor:
    WebAgent.conf
  3. Locate the following line:
    LoadPlugin="web_agent_home\bin\HttpPlugin.dll"
  4. Add a new line immediately after the line located in Step 3.
  5. Add the following text to the new line.
    LoadPlugin="web_agent_home\bin\CertSessionLinkerPlugin.dll"
    The CertSessionLinkerPlugin must follow the HttpPlugin.
  6. Save the file.
  7. Restart the web server.
    The plug-in is added. Continue by adding your configuration parameters.
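The registration in Steps 2 through 5 is easy to get wrong by hand, because the new LoadPlugin line must directly follow the HttpPlugin line. The following Python script is an added example, not part of the CA Single Sign-On product or of this documentation: it places the CertSessionLinkerPlugin line immediately after the HttpPlugin line in a WebAgent.conf file (moving an existing, misplaced line if there is one) and verifies the load order afterwards. SAMPLE_CONF is a constructed fragment of a configuration file, and web_agent_home is the same placeholder the documentation uses.

```python
"""Place the CertSessionLinkerPlugin LoadPlugin line directly after the
HttpPlugin line in WebAgent.conf. Added example, not CA's own tooling."""
import re

# The two LoadPlugin lines named in the procedure (web_agent_home is a placeholder).
HTTP_PLUGIN = r'LoadPlugin="web_agent_home\bin\HttpPlugin.dll"'
CSL_PLUGIN = r'LoadPlugin="web_agent_home\bin\CertSessionLinkerPlugin.dll"'

# Constructed sample of the relevant part of a WebAgent.conf file.
SAMPLE_CONF = r'''# WebAgent.conf (constructed sample)
EnableWebAgent="YES"
LoadPlugin="web_agent_home\bin\HttpPlugin.dll"
LoadPlugin="web_agent_home\bin\SAMLAffiliate.dll"
'''


def _plugin_name(line):
    """Return the DLL file name of a LoadPlugin line, or None for other lines."""
    m = re.match(r'\s*LoadPlugin="[^"]*?([^"\\/]+)"\s*$', line)
    return m.group(1) if m else None


def add_cert_session_linker(conf_text):
    """Return the configuration with CertSessionLinkerPlugin loaded right after
    HttpPlugin. Idempotent: a correctly placed line is left as is, a misplaced
    one is moved (keeping its path), and a missing one is added."""
    lines = conf_text.splitlines()
    existing = [l for l in lines if _plugin_name(l) == "CertSessionLinkerPlugin.dll"]
    lines = [l for l in lines if _plugin_name(l) != "CertSessionLinkerPlugin.dll"]
    new_line = existing[0] if existing else CSL_PLUGIN

    out, inserted = [], False
    for line in lines:
        out.append(line)
        if not inserted and _plugin_name(line) == "HttpPlugin.dll":
            out.append(new_line)  # Step 4/5: the new line follows HttpPlugin
            inserted = True
    if not inserted:
        raise ValueError("HttpPlugin LoadPlugin line not found; "
                         "CertSessionLinkerPlugin must follow it")
    return "\n".join(out) + "\n"


def plugin_order(conf_text):
    """List the plug-in DLL names in the order the agent will load them."""
    return [n for n in map(_plugin_name, conf_text.splitlines()) if n]


def linker_follows_http_plugin(conf_text):
    """Check the ordering requirement stated in Step 5."""
    order = plugin_order(conf_text)
    try:
        return order.index("CertSessionLinkerPlugin.dll") == order.index("HttpPlugin.dll") + 1
    except ValueError:  # one of the two plug-ins is not loaded at all
        return False


if __name__ == "__main__":
    updated = add_cert_session_linker(SAMPLE_CONF)
    print(updated)
    print("order ok:", linker_follows_http_plugin(updated))
```

Run it against a copy of the real file first and diff the result; the script only reorders LoadPlugin lines, so the diff should show exactly one added or moved line.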
Set the Agent Configuration Parameters
Set the agent configuration parameters after adding the plug-in.
Follow these steps:
  1. Using the Administrative UI, open the agent configuration object that you want.
  2. Change the values of the following parameters:
    • CslCertUniqueAttribute
      Lists the attributes of the certificate by which it is uniquely identified. The following certificate attributes are available:
      • version
      • serialnumber
      • signaturealgorithm
      • issuerdn
      • subjectdn
      • validitystart
      • validityend
      Note: The sequence of the values in this parameter does not matter.
      Default: Disabled (only the serialnumber and the issuerdn attributes are matched).
    • CslMaxCacheEntries
      Specifies the maximum number of entries that the agent cache contains.
      Note: For any Apache-based servers operating on UNIX, we recommend setting the value of the singleprocessmode parameter to no. This setting creates a multi-process cache which shares information across multiple requests. This setting improves performance when the Apache-based server runs in pre-fork mode.
      Default: 1000
  3. Save the changes and close your agent configuration object.
    Certificates are linked with sessions.
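To make the effect of the two parameters concrete, the following Python model is an added example and not the product's code: it binds each session to the identity of the client certificate first presented with it, builds that identity from the attributes named in CslCertUniqueAttribute (order-insensitive, defaulting to serialnumber and issuerdn), blocks later requests on the same session that present a different certificate identity, and bounds the cache by CslMaxCacheEntries. The certificates are constructed dictionaries of already-parsed attributes, and the names CertSessionLinker, cert_identity and check are this example's own.

```python
"""Model of the session-to-certificate check described on this page.
Added example, not the CA Single Sign-On implementation."""
from collections import OrderedDict

# Attribute names accepted by CslCertUniqueAttribute (from the documentation).
CERT_ATTRIBUTES = ("version", "serialnumber", "signaturealgorithm",
                   "issuerdn", "subjectdn", "validitystart", "validityend")
# Behaviour when the parameter is Disabled: only these two attributes are matched.
DEFAULT_ATTRIBUTES = ("serialnumber", "issuerdn")


def cert_identity(cert, unique_attributes=None):
    """Build the comparison key from the configured attributes. The sequence of
    configured names does not matter, so they are sorted before use."""
    attrs = unique_attributes or DEFAULT_ATTRIBUTES
    unknown = set(attrs) - set(CERT_ATTRIBUTES)
    if unknown:
        raise ValueError(f"unsupported certificate attribute(s): {sorted(unknown)}")
    return tuple((name, cert[name]) for name in sorted(set(attrs)))


class CertSessionLinker:
    """Links each session ID to the certificate identity first seen with it;
    later requests on that session must present the same identity."""

    def __init__(self, max_cache_entries=1000, unique_attributes=None):
        self.max_entries = max_cache_entries          # CslMaxCacheEntries
        self.unique_attributes = unique_attributes    # CslCertUniqueAttribute
        self._cache = OrderedDict()                   # session_id -> identity

    def check(self, session_id, cert):
        """Return True to allow the transaction, False to block it."""
        identity = cert_identity(cert, self.unique_attributes)
        bound = self._cache.get(session_id)
        if bound is None:
            # First request on this session: link it to this certificate.
            if len(self._cache) >= self.max_entries:
                self._cache.popitem(last=False)  # evict the least recently used link
            self._cache[session_id] = identity
            return True
        self._cache.move_to_end(session_id)
        return bound == identity


# Constructed sample certificates (parsed attributes only, no real key material):
# one user certificate, the same user's renewal from the same CA, and a
# certificate for the same subject name issued by a different CA.
ALICE_CERT = {
    "version": 3, "serialnumber": "0A1B2C",
    "signaturealgorithm": "sha256WithRSAEncryption",
    "issuerdn": "CN=Example Corp CA,O=Example Corp",
    "subjectdn": "CN=alice,O=Example Corp",
    "validitystart": "2024-01-01", "validityend": "2025-01-01",
}
ALICE_RENEWED = dict(ALICE_CERT, serialnumber="0A1B2D",
                     validitystart="2025-01-01", validityend="2026-01-01")
OTHER_CA_CERT = dict(ALICE_CERT, issuerdn="CN=Other CA,O=Other")


def demo():
    """Exercise one session with the default attribute set."""
    linker = CertSessionLinker(max_cache_entries=2)
    return {
        "first": linker.check("sess-1", ALICE_CERT),      # link established
        "same": linker.check("sess-1", ALICE_CERT),       # same identity, allowed
        "renewed": linker.check("sess-1", ALICE_RENEWED), # serial differs, blocked
        "other_ca": linker.check("sess-1", OTHER_CA_CERT),# issuer differs, blocked
    }


if __name__ == "__main__":
    print(demo())
```

Two properties of the model are worth noting when choosing values. Matching on subjectdn alone would let the renewed certificate pass on the existing session, while the default serialnumber plus issuerdn does not, so the attribute list decides how strict the link is. And because the cache is bounded, a session whose entry has been evicted is simply re-linked on its next request rather than blocked, so CslMaxCacheEntries should comfortably exceed the number of concurrently active linked sessions.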