

X.509 Client Certificate and Basic Authentication Schemes

The X.509 Client Certificate and Basic authentication scheme combines Basic authentication with X.509 Client Certificate authentication: a user must present both a valid client certificate and valid Basic credentials, and both must resolve to the same user. This authentication scheme provides an extra layer of security for critical resources.

In order for a user to authenticate successfully, the following two events must occur:

For X.509 Client Certificate and Basic authentication, CA SiteMinder® processes authentication using the following steps:

  1. The Policy Server instructs the CA SiteMinder® Web Agent to redirect the user to an SSL server (the SSL Credentials Collector) and map the user’s certificate to the server.
  2. CA SiteMinder® verifies that the user exists.
  3. CA SiteMinder® verifies the user’s Basic credentials.
  4. CA SiteMinder® verifies that the certificate credentials and the Basic credentials represent the same user.
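The following is an added, illustrative model of the checks in steps 2 through 4; it is not CA SiteMinder® code and does not reflect how the Policy Server is implemented. It assumes the Web Agent hands over the client certificate's subject DN (as Apache's SSL_CLIENT_S_DN variable does) and the raw HTTP Authorization header, that the certificate is mapped to a directory entry by its CN (an assumed mapping rule), and that the user directory is the constructed sample data embedded below.

```python
"""Illustrative model of the combined certificate-and-Basic check (added
example, not CA SiteMinder code). Inputs assumed: the client certificate's
subject DN and the HTTP Authorization header. The user directory is
constructed sample data."""
import base64
import binascii
import hashlib
import hmac

# PBKDF2 iteration count kept moderate so the sample runs quickly; raise it
# for a real password store.
def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-fixed-salt"          # fixed so the sample is reproducible
_DUMMY_HASH = _pbkdf2("", _SALT)           # used to equalise timing for unknown users

# Constructed sample directory: uid -> salt, PBKDF2 hash and the entry's DN.
USER_DIRECTORY = {
    "jdoe":   {"salt": _SALT, "hash": _pbkdf2("Correct-Horse-7", _SALT),
               "dn": "CN=jdoe,OU=Engineering,O=Example Corp"},
    "asmith": {"salt": _SALT, "hash": _pbkdf2("Tr0ub4dor&3", _SALT),
               "dn": "CN=asmith,OU=Finance,O=Example Corp"},
}

def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 DN string into {ATTR: value}; honours backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):       # escaped character: keep literally
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    attrs = {}
    for part in parts:
        key, _, value = part.strip().partition("=")
        attrs[key.upper()] = value
    return attrs

def parse_basic_header(header: str):
    """RFC 7617: 'Basic base64(user:password)'. Returns (user, password) or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")     # password may itself contain ':'
    return (user, password) if sep else None

def authenticate(cert_subject_dn: str, authorization: str) -> str:
    """Return 'ok', or the name of the first check that failed."""
    creds = parse_basic_header(authorization)
    if creds is None:
        return "malformed-basic"
    basic_user, password = creds
    # Step 2: the user the certificate maps to (via CN, an assumed rule) must exist.
    cert_entry = USER_DIRECTORY.get(parse_dn(cert_subject_dn).get("CN"))
    if cert_entry is None:
        return "no-such-user"
    # Step 3: the Basic credentials must verify. Hash even for unknown users so
    # the response time does not reveal whether the account exists.
    basic_entry = USER_DIRECTORY.get(basic_user)
    salt = basic_entry["salt"] if basic_entry else _SALT
    expected = basic_entry["hash"] if basic_entry else _DUMMY_HASH
    if not hmac.compare_digest(expected, _pbkdf2(password, salt)) or basic_entry is None:
        return "bad-basic-credentials"
    # Step 4: both credentials must resolve to the same directory entry.
    if basic_entry["dn"] != cert_entry["dn"]:
        return "credential-mismatch"
    return "ok"

def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The distinct failure reasons are returned here only so the checks can be exercised; a deployed credential collector should log the reason but return the same generic failure to the client, so an attacker holding a stolen certificate cannot tell whether the password or the user mapping is what failed.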

More information:

X.509 Client Certificate Authentication Schemes

X.509 Client Certificate and Basic Scheme Prerequisites

Ensure the following prerequisites are met before configuring a X.509 Client Certificate and Basic authentication scheme:

Note: For Apache Web servers where client certificates are required or optional (SSLVerifyClient require or SSLVerifyClient optional), the SSLVerifyDepth 10 line in the httpd.conf file must be uncommented. The default verification depth of 1 rejects certificate chains that include an intermediate CA.
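The following is an added example of the relevant httpd.conf fragment; it is not taken from the CA SiteMinder® documentation. The host name, file paths and the choice of require over optional are assumptions for illustration; mod_ssl must be loaded.

```apache
# Added example httpd.conf fragment (not from the CA SiteMinder documentation).
# Assumed host name and certificate paths; adjust to your deployment.
<VirtualHost *:443>
    ServerName sso.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # CA certificate(s) that issued the client certificates to be accepted.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca-bundle.crt

    # "require" rejects the TLS handshake when no certificate is presented;
    # "optional" lets the request through without one, but a certificate that
    # is presented must still verify. Either setting needs the depth line.
    SSLVerifyClient require

    # Shipped configurations carry this line commented out. The default depth
    # of 1 fails any chain with an intermediate CA, so leave this active.
    SSLVerifyDepth 10

    # Expose the client certificate and its subject DN to the Web Agent
    # through the request environment (SSL_CLIENT_S_DN, SSL_CLIENT_CERT).
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

Apache does not permit comments after a directive on the same line, so keep the comments on their own lines as shown. After editing, run the configuration syntax check (for example, apachectl configtest) before restarting the server.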

More information:

User Directories

Configure an X.509 Certificate and Basic Authentication Scheme

You can use an X.509 Certificate and Basic authentication scheme to combine certificate authentication and basic authentication.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.

    The Authentication Schemes page appears.

  3. Click Create Authentication Scheme.

    Verify that Create a new object of type Authentication Scheme is selected.

  4. Click OK.

    The Create Authentication Scheme page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Enter a name and a protection level.
  6. Select X509 Client Cert and Basic Template from the Authentication Scheme Type list.

    Scheme-specific settings open.

  7. Enter the server name and target information for the SSL Credentials Collector.
  8. (Optional) Select Persist Authentication Session Variables in Scheme Setup. This option specifies that the authentication context data is saved in the session store.
  9. Click Submit.

    The authentication scheme is saved and can be assigned to a realm.