Summary:
How to configure X.509 certificate authentication with the CA Single Sign-On Web Agent on an Apache web server
Environment:
- Policy Server : R12.52 SP1 and above
- User Store : ANY LDAP
- Web Server : Apache 2.4 on Windows
Pre-requisites:
You have already obtained the following three required certificates:
- Trusted CA root certificate.
- Server Certificate from a trusted CA.
- Client Certificate from a trusted CA.
(Refer: Tech Tip: How to create self signed RootCA/Server/User Certificates using OpenSSL)
Instructions:
Changes on the Apache Web Server
Changes to httpd.conf
1. Ensure mod_ssl is loaded (the LoadModule line must be uncommented).
LoadModule ssl_module modules/mod_ssl.so
2. Ensure that either httpd-ssl.conf or httpd-ahssl.conf is included (exactly one of the two Include lines uncommented).
<IfModule ssl_module>
#Include conf/extra/httpd-ssl.conf
Include conf/extra/httpd-ahssl.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Changes to httpd-ssl.conf/httpd-ahssl.conf
1. Ensure a Listen directive is present for the HTTPS port.
Listen 443 https
2. Configure the SSL virtual host with the following options set. The ones that matter for client-certificate authentication are SSLCACertificateFile (the CA that issued the user certificates), SSLVerifyClient require (the handshake fails unless the client presents a certificate that chains to that CA) and SSLVerifyDepth.
<VirtualHost _default_:443>
ServerName localhost:443
SSLEngine on
SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
SSLCACertificateFile "${SRVROOT}/conf/ssl/ca.crt"
SSLVerifyClient require
SSLVerifyDepth 10
DocumentRoot "${SRVROOT}/htdocs"
# DocumentRoot access handled globally in httpd.conf
CustomLog "${SRVROOT}/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "${SRVROOT}/htdocs">
Options Indexes Includes FollowSymLinks
AllowOverride AuthConfig Limit FileInfo
Require all granted
</Directory>
</VirtualHost>
Note: If Apache runs as a Windows service, nobody is there to type the passphrase at startup, so the server key must be unencrypted.
You can use the following command to convert the encrypted server key to an unencrypted one:
>openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: -> enter the passphrase and press Enter
writing RSA key
Because the key is now stored in the clear, restrict the file's NTFS permissions to the account the Apache service runs under.
Changes on the Policy Server
1. Create an X.509 certificate authentication scheme as below:
2. Create a Domain, Realm, Rule (GET/POST) and Policy, and protect the realm with the X.509 authentication scheme.
3. Click Certificate Mappings under Directory and create a mapping as below.
Note:
- Ensure that the Issuer DN in the mapping matches the issuer of the user certificate exactly (same attributes, order and spacing).
- Choose the mapping attribute according to how the user DN is looked up in the LDAP user store (for example, the Active Directory user DN lookup configuration).
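The three things that most often go wrong in this setup are a client certificate that does not chain to the CA in SSLCACertificateFile, an Issuer DN typed into the certificate mapping that does not match the certificate, and a server key that still carries a passphrase. The script below is an added example (not part of the tech tip and not CA code) that builds a throw-away CA and client certificate with OpenSSL and then runs those three checks offline, before Apache or the Policy Server are touched. The organisation, common names and the passphrase are made up for the demo; the checks themselves are standard openssl sub-commands.

```shell
#!/bin/sh
# Added example, not part of the original tech tip. Builds a throw-away CA and a
# client certificate, then runs the pre-flight checks for X.509 authentication:
#   1. does the client certificate chain to the CA (what SSLVerifyClient require enforces)?
#   2. what is the exact Issuer DN to put into the SiteMinder certificate mapping?
#   3. is a PEM private key still passphrase-protected (Apache as a service needs it not to be)?
# Subjects, file names and the passphrase are constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA plus one client certificate signed by it, written into $1.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Corp/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=alice" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
}

# Exit 0 when certificate $2 chains to a CA in file $1; this is the same
# path validation mod_ssl performs against SSLCACertificateFile.
verify_client_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issuer DN of certificate $1 in RFC 2253 form (most specific RDN first,
# comma separated, no spaces after the commas). Compare this string with
# the Issuer DN in the Policy Server certificate mapping.
issuer_dn_rfc2253() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Exit 0 when the PEM key in $1 is passphrase-protected (covers both the
# traditional "Proc-Type: 4,ENCRYPTED" header and PKCS#8 ENCRYPTED PRIVATE KEY).
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Non-interactive form of the tech tip's "openssl rsa -in server.key -out server.key":
# reads the passphrase-protected key $1, writes the unencrypted key to $2 using
# passphrase $3. Writing to a new file keeps the original if the passphrase is wrong.
decrypt_key() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
}

# --- demo run ---------------------------------------------------------------
make_test_pki "$WORK"

if verify_client_chain "$WORK/ca.crt" "$WORK/client.crt"; then
    echo "client.crt chains to ca.crt (SSLVerifyClient require would accept it)"
fi
echo "Issuer DN for the certificate mapping: $(issuer_dn_rfc2253 "$WORK/client.crt")"

# Simulate a passphrase-protected server key (passphrase constructed for the demo),
# then strip the passphrase the way the tech tip does before running Apache as a service.
openssl rsa -in "$WORK/client.key" -aes256 -passout pass:demo-passphrase \
    -out "$WORK/enc.key" 2>/dev/null
decrypt_key "$WORK/enc.key" "$WORK/plain.key" demo-passphrase
if key_is_encrypted "$WORK/enc.key"; then
    echo "enc.key: passphrase-protected, Apache as a Windows service cannot start with it"
fi
if ! key_is_encrypted "$WORK/plain.key"; then
    echo "plain.key: unencrypted, usable by the service; restrict its file permissions"
fi
```

The chain check is the fastest way to tell whether a handshake failure comes from the certificate itself or from the Apache configuration: if `verify_client_chain` fails for the CA file named in SSLCACertificateFile, no amount of Policy Server work will help. The issuer string is printed in RFC 2253 order; check the format the Policy Server expects in its own certificate mapping dialog, since the comparison there is literal.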
Changes on the client machine
1. Open the MMC console (Certificates snap-in) and import the client certificate (together with its private key) and the CA root certificate. Import them into the Current User account.
How to Test
1. From the client machine, access the resource protected by the X.509 authentication scheme.
2. The browser prompts you to select a client/user certificate. Choose the appropriate user certificate and click OK.
Additional Information: