Previous Topic: Prevent Re-Challenges After Realm Timeouts When Multiple Valid Sessions ExistNext Topic: How to Link a Client Certificate to a Session (UNIX)


How to Link a Client Certificate to a CA SiteMinder® Session (Windows)

For IIS 7.x (Windows only) and Apache-based web servers, you can link a client certificate with a CA SiteMinder® session. This feature verifies that the following identities match:

If these items do not match, the product blocks transactions.

To use this feature, do the following tasks:

Use an X.509 Certificate authentication scheme (other authentication schemes are not supported).

The following graphic describes how to link a client certificate with a session:

This workflow describes How to Verify Client Certificates Used in Sessions for Windows web servers.

Follow these steps:

  1. Add the plug-in to the WebAgent.conf file.
  2. Set the agent configuration parameters.

Add the Plug–in

Adding the plug-in is the first step of linking the client certificate with the session.

Follow these steps:

  1. Log in to the system hosting your agent.
  2. Open the following file with a text editor:
    WebAgent.conf
    
  3. Locate the following line:
    LoadPlugin="web_agent_home\bin\HttpPlugin.dll"
    
  4. Add a line immediately following the line on Step 3.
  5. Add the following text to the new line.
    LoadPlugin="web_agent_home\bin\CertSessionLinkerPlugin.dll"
    

    Note: The CertSessionLinkerPlugin must follow the HttpPlugin.

  6. Save the file.
  7. Restart the web server.

    The plug-in is added. Continue by adding your configuration parameters.

Set the Agent Configuration Parameters

Set the agent configuration parameters after adding the plug-in.

Follow these steps:

  1. Using the Administrative UI, open the agent configuration object that you want.
  2. Change the values of the following parameters:
    CslCertUniqueAttribute

    Lists the attributes of the certificate by which it is uniquely identified. The following certificate attributes are available:

    • version
    • serialnumber
    • signaturealgorithm
    • issuerdn
    • subjectdn
    • validitystart
    • validityend

    Note: The sequence of the values in in this parameter does not matter.

    Default: Disabled (only the serialnumber and the issuerdn attributes are matched).

    CslMaxCacheEntries

    Specifies the maximum number of entries that the agent cache contains.

    Note: For any Apache-based servers operating on UNIX, we recommend setting the value of the singleprocessmode parameter to no. This setting creates a multi‑process cache which shares information across multiple requests. This setting improves performance when the Apache-based server runs in pre‑fork mode.

    Default: 1000

  3. Save the changes and close your agent configuration object.

    Certificates are linked with sessions.