

X.509 Client Certificate Authentication Schemes

X.509 client certificates provide cryptographic evidence of a user’s identity. A user certificate, supplied by a certificate vendor, is unique, and can be used to identify the user who attempts to access a protected resource.

A client certificate contains the following information:

CA SiteMinder® uses the X.509 Client Certificate authentication schemes to implement certificate authentication. To use X.509 client certificate authentication, your environment must be able to handle SSL communication. This means that the client browser, the web server and any user certificates must be configured to accept and perform certificate authentication. These tasks are outside the scope of CA SiteMinder® configuration.

After the necessary SSL components are set up properly, you can configure a CA SiteMinder® X.509 authentication scheme. SiteMinder configuration tasks require that you do the following:

The CA SiteMinder® X.509 Client Certificate authentication schemes perform the following tasks:

More information:

Certificate Mapping for X.509 Client Authentication Schemes

Extracting a Certificate for Certificate Authentication

When a user requests a CA SiteMinder®-protected resource, the Web Agent first contacts the Policy Server to determine which authentication scheme is protecting the resource. If an X.509 authentication scheme is protecting a resource, the Web Agent redirects the user’s browser to the CA SiteMinder® credential collector that corresponds to the configured authentication scheme. The path to the credential collector is defined in the authentication scheme configuration.

The connection to the credential collector is an SSL-secured connection, and the web server is configured to require a client certificate. Therefore, the browser must submit a client certificate for authentication. The resource name and extension at the end of the credential collector URL instruct the Web Agent to extract the user certificate from the web server. The Web Agent then passes the certificate to the Policy Server for use by the authentication scheme.

More information:

Authentication over SSL

How SiteMinder Uses Certificate Data to Identify Users

After the Web Agent collects certificate information, it passes the data to the Policy Server for verification. The Policy Server then performs certificate mapping. The goal of certificate mapping is to locate a CA SiteMinder® user by the Subject Name in the user certificate.

First, the Policy Server looks up the appropriate certificate mapping in the policy store. The Policy Server uses the certificate Issuer DN to locate the mapping. The Issuer DN is part of the certificate mapping configuration. After the Policy Server finds the mapping, it takes the Subject Name from the certificate and applies the mapping to find the user entry in the user directory.
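The issuer-keyed lookup and subject mapping described above, as an added illustration in Python that is not CA SiteMinder code: the rule kinds ('attribute' and 'whole_dn'), the DN normalisation, and the sample issuer and subject DNs are constructed assumptions for this example. It also covers the two cases a deployment must handle as failures: an issuer with no configured mapping, and a subject that does not carry the mapped attribute exactly once.

```python
import re

# Added example (not CA SiteMinder code): models the certificate-mapping flow
# above. Rule kinds, DN normalisation and sample DNs are constructed assumptions.

def parse_dn(dn):
    """Split an RFC 4514-style DN into [(type, value), ...].

    Attribute types are upper-cased so 'cn' and 'CN' compare equal; commas
    escaped with a backslash stay inside the value.
    """
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def normalise_dn(dn):
    """Canonical form used to key the mapping table (case-insensitive values)."""
    return ','.join(f'{a}={v.lower()}' for a, v in parse_dn(dn))

# Constructed mapping table keyed by Issuer DN. Hypothetical rule kinds:
#   ('attribute', 'CN')  -> look the user up by one Subject attribute
#   ('whole_dn', None)   -> use the full Subject DN as the user entry DN
MAPPINGS = {
    normalise_dn('CN=Example Issuing CA,O=Example Corp,C=US'): ('attribute', 'CN'),
    normalise_dn('CN=Partner CA,O=Partner Ltd,C=GB'): ('whole_dn', None),
}

def map_certificate(issuer_dn, subject_dn):
    """Return the user-directory lookup derived from the certificate, or None
    when the issuer has no mapping or the mapped attribute is absent or
    duplicated in the Subject (the scheme must then reject the login)."""
    rule = MAPPINGS.get(normalise_dn(issuer_dn))
    if rule is None:
        return None
    kind, attr = rule
    if kind == 'whole_dn':
        return {'lookup': 'DN', 'value': subject_dn}
    values = [v for a, v in parse_dn(subject_dn) if a == attr]
    if len(values) != 1:
        return None
    return {'lookup': attr, 'value': values[0]}

if __name__ == '__main__':
    print(map_certificate('CN=Example Issuing CA, O=Example Corp, C=US',
                          'CN=jdoe, OU=Staff, O=Example Corp, C=US'))
```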

The Policy Server can access user certificates that are stored only in the following repositories:

Important! You are required to configure certificate mapping for any X.509 client certificate authentication scheme.

More information:

Certificate Mapping for X.509 Client Authentication Schemes

X.509 Client Certificate Scheme Prerequisites

Satisfy the following prerequisites before configuring an X.509 Client Certificate authentication scheme:

Configure an X.509 Certificate Authentication Scheme

In addition to setting up the SSL environment, complete the following process to configure certificate authentication:

  1. Set up your environment to handle SSL communication. Configure the client browser, the web server and any user certificates to accept and perform certificate authentication.
  2. Verify that when you installed a CA SiteMinder® Web Agent you configured it to handle SSL authentication.
  3. Configure a CA SiteMinder® X.509 authentication scheme in the Administrative UI.
  4. Define certificate mappings to identify a user based on the information in the client certificate.
  5. (Optional) Configure certificate validation using CRLs or OCSP.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.

    The Authentication Schemes page appears.

  3. Click Create Authentication Scheme.

    Verify that Create a new object of type Authentication Scheme is selected.

  4. Click OK.

    The Create Authentication Scheme page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Enter a name and a protection level.
  6. Select the X.509 Client Cert Template from the Authentication Scheme Type list.

    Scheme-specific settings open.

  7. Enter the server name and target information for the SSL Credentials Collector.
  8. (Optional) Select the Persist Authentication Session Variables option in Scheme Setup. This option specifies that the authentication context data is saved in the session store for later use in authentication decisions.
  9. Click Submit.

    The authentication scheme is saved and can be assigned to a realm.

The X.509 certificate authentication scheme is now configured in the Administrative UI. Next, set up certificate mapping.