Symantec Access Management

  • 1.  X.509 cert based Authentication

    Posted Feb 13, 2017 04:22 PM

    Hi,

    We have enabled cert based authentication for a URL which is nothing but the TEWS URL ( /iam/im/TEWS ) from the SSO side.

    It works well with basic auth, as we tested earlier.

    SSO configuration is in place: cert authentication scheme, certificate mapping, valid SSL certificate and protecting the resource with certauth.

    I have generated a self-signed client certificate for testing, but when I am accessing the URL protected using certauth it gets stuck at the eminderagent/cert/1486860096/smgetcred.scc?TYPE=16777244&REALM= redirect and ends up as access forbidden in the browser.

    Questions:

    1. Can we use a self-signed cert for client testing, as this certificate is issued by a different CA and the Apache SSL cert is issued by a different CA?

    2. What is needed to generate a client cert depending on the SSL configuration that already exists on the webserver?

    Below is the SSL config from httpd-ssl.conf

    SSLCertificateFile "/apps/ca/secure-proxy/SSL/certs/login.public.pem"
    SSLCertificateKeyFile "/apps/ca/secure-proxy/SSL/keys/login.key"
    SSLCACertificateFile "/apps/ca/secure-proxy/SSL/certs/ca-bundle.cert"
    SSLVerifyClient require
    SSLVerifyDepth 10

    Thanks in advance,

    Yatin..



  • 2.  Re: X.509 cert based Authentication

    Posted Feb 13, 2017 04:50 PM

    Hi Yatin,

    Have you had a look at:

    Tech Tip : CA Single Sign-On : X.509 Cert Authentication with Apache Agent
    Tech Tip : How to create self signed RootCA/Server/User Certificates using OpenSSL

    Yes, you can use a self-signed cert issued by a different CA.

    Regards,

    Ujwol



  • 3.  Re: X.509 cert based Authentication

    Posted Feb 13, 2017 05:28 PM

    Ujwol,

    Thanks for your reply. I actually followed the below posts only to generate the client certificate. I only followed step 4, as I assume the rest of the steps are already done since SSL was already enabled on the webserver mentioned below in the SSL config from httpd-ssl.conf (in my case it is the SPS Apache, as we are directing it through SPS).

    openssl x509 -CA public/ca.crt -CAkey private/ca.key -CAserial public/ca.srl -req -in client/client.req -out client/client.pem -days 100

    What I am not sure about in the above command is what to use in my scenario for -CA public/ca.crt -CAkey private/ca.key. Do I need to generate a new ca.key like you generated in step 1 in your post and use one of the certs below for the -CA public option?

    SSLCertificateFile "/apps/ca/secure-proxy/SSL/certs/login.public.pem"
    SSLCertificateKeyFile "/apps/ca/secure-proxy/SSL/keys/login.key"
    SSLCACertificateFile "/apps/ca/secure-proxy/SSL/certs/ca-bundle.cert"
    SSLVerifyClient require
    SSLVerifyDepth 10

    As mentioned, I am getting stuck at the smgetcreds.dcc redirect resulting in access forbidden in the browser.

    Thanks in advance.

    Regards,

    Yatin..



  • 4.  Re: X.509 cert based Authentication
    Best Answer

    Posted Feb 13, 2017 10:12 PM

    Yes, if you are going to self-sign, you will need to first create a private key for your CA.
    Try this:

    Create CA Certificate and Private Key

    1. Create an RSA private key as follows:
    openssl genrsa -des3 -out private/ca.key 1024
    2. Create an X.509 certificate and sign it using the private key as follows:
    openssl req -new -x509 -key private/ca.key -out public/ca.crt -days 3600

    Create User Certificate

    1. Create a client private key and generate a request as follows:
    openssl req -new -newkey rsa:1024 -nodes -out client/client.req -keyout client/client.key
    2. Create an X.509 certificate and sign it using the CA as follows:
    openssl x509 -CA public/ca.crt -CAkey private/ca.key -CAserial public/ca.srl -req -in client/client.req -out client/client.pem -days 100
    3. Convert the .pem file to the pkcs12 format as follows:
    openssl pkcs12 -export -clcerts -in client/client.pem -inkey client/client.key -out client/client.p12 -name Ujwol

    Import CA Certificate into CA SPS

    Now, for the SPS Apache to trust this self-signed CA and the user certificate issued by it, you will also need to import the CA certificate (public/ca.crt) as below:

    (Note: the below steps should import your CA certs into the /apps/ca/secure-proxy/SSL/certs/ca-bundle.cert file as per your current configuration)

    1. Navigate to Proxy Configuration > SSL Config
    2. Click Import CA under Embedded Web Server SSL Configuration

    Click on the Browse button and select the CA certificate. Then, continue clicking Next until the CA certificate is imported successfully.
    If there are intermediate CA certificates, repeat the same steps to import them as well.


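A scripted version of the CA and user certificate steps from this answer, together with the chain check that the SPS Apache performs against SSLCACertificateFile, added here as an example (it is not the poster's own commands). It assumes the openssl CLI is on PATH and a scratch directory passed as the first argument; the names "Demo Root CA" and "demo-user" are made up. It differs from the posted commands on purpose: 2048-bit keys, an unencrypted CA key and -subj so nothing prompts, and -CAcreateserial so public/ca.srl is created on first use rather than being required to exist.

```shell
# Added example (not from the thread): self-signed CA + client cert in the
# posted directory layout, then the same verification Apache's
# "SSLVerifyClient require" performs. Assumes the openssl CLI on PATH.
make_client_cert() {
    w="$1"
    mkdir -p "$w/private" "$w/public" "$w/client" || return 1

    # 1. CA private key and self-signed CA certificate (3600 days, as in the thread;
    #    no -des3 here so the run needs no passphrase prompt)
    openssl genrsa -out "$w/private/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$w/private/ca.key" -out "$w/public/ca.crt" \
        -days 3600 -subj "/CN=Demo Root CA" || return 1

    # 2. Client private key and certificate request (made-up subject)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$w/client/client.key" \
        -out "$w/client/client.req" -subj "/CN=demo-user" 2>/dev/null || return 1

    # 3. Sign the request with the CA. -CAcreateserial writes public/ca.srl the
    #    first time; without it openssl fails with "No such file or directory".
    openssl x509 -req -in "$w/client/client.req" -CA "$w/public/ca.crt" \
        -CAkey "$w/private/ca.key" -CAserial "$w/public/ca.srl" -CAcreateserial \
        -out "$w/client/client.pem" -days 100 2>/dev/null || return 1

    # 4. PKCS#12 bundle for browser import (empty export password, demo only)
    openssl pkcs12 -export -clcerts -in "$w/client/client.pem" \
        -inkey "$w/client/client.key" -out "$w/client/client.p12" \
        -name demo-user -passout pass: || return 1

    # 5. What the SPS Apache does with SSLVerifyClient require: the client cert
    #    must chain to a CA in the file named by SSLCACertificateFile. Here that
    #    bundle holds only our CA; on the real server it is ca-bundle.cert after
    #    the Import CA step above.
    cat "$w/public/ca.crt" > "$w/public/ca-bundle.cert" || return 1
    openssl verify -CAfile "$w/public/ca-bundle.cert" "$w/client/client.pem"
}
```

Run as `make_client_cert /tmp/certdemo`; a final line ending in "OK" means the client certificate would pass the server-side chain check once the CA is in ca-bundle.cert.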

  • 5.  Re: X.509 cert based Authentication

    Posted Feb 15, 2017 05:20 PM

    How did this go, Yatin?



  • 6.  Re: X.509 cert based Authentication

    Posted Feb 15, 2017 06:48 PM

    Ujwol,

    I will be trying this today and keep you posted. Thanks for reaching out for this.

    Regards,

    Yatin..



  • 7.  Re: X.509 cert based Authentication

    Posted Apr 28, 2017 01:55 AM

    Yatin, did it work? Can you share an update with us, as I am trying the same but getting some error while executing

    /openssl x509 -CA public/ca.crt -CAkey private/ca.key -CAserial public/ca.srl -req -in client/client.req -out client/client.pem -days 100

    Enter pass phrase for private/ca.key:
    public/ca.srl: No such file or directory
    4277976252:error:02001002:system library:fopen:No such file or directory:bss_file.c:391:fopen('public/ca.srl','r')
    4277976252:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:393:

    public/ca.srl: No such file or directory - do we have a different step to create it?



  • 8.  Re: X.509 cert based Authentication

    Posted Apr 28, 2017 02:46 AM