This section contains the following topics:
Configuring the SSL Advanced Authentication Schemes requires Web Servers to be properly configured to use SSL. Most of the problems you may encounter configuring Authentication Schemes over SSL connections are likely to be SSL configuration issues. Therefore, the first step in troubleshooting Authentication Schemes over SSL is to verify that SSL is properly configured and working. This is done without the interaction of the CA SiteMinder® Web Agent so that these components can be individually analyzed.
The first step in troubleshooting Authentication Schemes over SSL is to verify that SSL is properly configured and working. This is done without the interaction of the CA SiteMinder® Web Agent so that these components can be individually analyzed.
To determine whether you are able to establish an SSL connection
Note: For information about disabling a Web Agent, see the Web Agent Configuration Guide.
If this SSL connection is configured to require certificates, you will be prompted to select a certificate.
If you are unable to successfully establish this SSL connection, then see SSL Configuration for more information on configuring SSL. If you were able to establish this connection, but have not been successful in configuring CA SiteMinder®, see SSL Troubleshooting.
It is imperative that SSL be configured and working properly before using CA SiteMinder®. In order to make an SSL connection, you must be able to trust the certificate authority of an incoming certificate. For example, if a browser presents a certificate that was signed by VeriSign, you must have a VeriSign Certificate Authority installed and trusted in the Web Server. In addition to trusting client certificates that are presented, the server itself must have a certificate to present to the clients. The clients have to trust the Certificate Authority that issued the certificate. This allows for mutual authentication. Once these certificates have been installed, you can configure the Web Server to use SSL and require certificates, if desired.
For detailed SSL configuration information, see the documentation provided with your web server software. This section contains step-by-step instructions for configuring your Web Server and Web browser to successfully establish an SSL connection. If you have correctly configure SSL, but are still having problems making the connection, see the common problems at the end of the section.
If a certificate authority is already installed in the Web Server, go on to the next section. Otherwise, install a certificate for the Certificate Authority on the SSL Web Server.
To enable the Web Server to Trust Client Certificates in Netscape
After installing the Netscape Web Server Certificate, you must configure the Netscape Web Server to use SLL by requiring certificates.
To require certificates for your SSL Web Server
Note: Do not turn on Required Certificates for the Certificate or Basic Authentication Scheme.
If a certificate authority is installed in the Web Server, you can establish trust between the two.
To establish trust for the Netscape Certificate Authority
You must trust your client certificates by installing the appropriate Certificate Authority Certificates.
SSL Web Servers must have certificates for each Certificate Authority. Major certificate authorities may already be installed. You can configure certificates in Windows operating systems by using the Certificates snap-in. For information, see your Windows documentation.
Be sure that a secure port has been enabled on the Web Server. Generally this is port 443. You can verify this through the Management Console by right-clicking on the Web Server and in the Web site tab you will see an SSL Port. Be sure a port number has been installed.
The advanced authentication schemes will create virtual directories in the Web Server. These directories will automatically be configured to require SSL and certificates as required by the specific authentication scheme. However, for testing purpose, you may want to create a test virtual directory. You can configure this virtual directory to require certificates through the Directory Security tab, Secure Communications.
https://servername:port/virtual directory - Ensure that the browser is asked for a certificate.
If you have not already done so, you will need to generate a key for your Web server. This is done through the Management Console, Key Manager. Access the Key Manager by doing the following:
Note: Note this process may be slightly different for IIS 3 and IIS 4.
To install the IIS Web Server Certificate
Once you create a key, you can request a certificate using the file created in the steps mentioned earlier. Go to the Certificate Authority and request a certificate for this server. You will need to paste the certificate request information generated in Step 1 in order to receive a certificate. Once you received a certificate, go back to Management Console, Directory Security and click Key Manager to install the certificate for the key described in the next step.
If a certificate authority is already installed on your web server, go on to the next section. Otherwise, install a certificate for the CA on the SSL Web Server as follows.
To enable the Web Server to trust client certificates in Apache
See the Policy Server Installation Guide for details about installing the web server.
The process for installing a certificate on an Apache Web Server varies with individual configurations. Consult the documentation for Mod_SSL and OpenSSL for details about how to configure these components.
The following sections detail the most common problems encountered when dealing with SSL authentication schemes.
If you were not prompted for a certificate, verify that SSL is configured appropriately. If the Web Agent is installed, disable the Web Agent. The first step is to verify a simple SSL connection.
To determine whether you are able to establish an SSL connection
Note: For information about disabling a Web Agent, see the Web Agent Configuration Guide.
If this SSL connection is configured to require certificates, you will be prompted to select a certificate.
Perform the following five additional steps if you are still not receiving a certificate prompt.
Firefox browsers can be configured to pass the same certificate automatically. This establishes the SSL connection using a certificate without prompting users to select a certificate.
Follow these steps:
Verify that the virtual directories SMGetCredCert, SMGetCredCertOptional, SMGetCredNoCert are created and have the correct settings.
Note: As part of the CA SiteMinder® SSL Authentication setup, CA SiteMinder® configures SSL virtual directories based on the type of SSL connection required by the authentication scheme.
To verify the following settings for each CA SiteMinder® Virtual Directory
In the httpd.conf file, be sure to set SSLVerifyClient as follows:
Note: For Apache Web servers where Certificates are required or optional, the "SSL Verify Depth 10" line in the httpd.conf file must be uncommented.
If an Apache Web Server certificate expires, you will receive an error messages at server startup that indicates the certificate has expired.
A missing certificate or an invalid certificate can prevent you from receiving a certificate prompt.
Open your Web browser and verify the validity of the browser certificate.
Note: For more information about viewing certificate information, see your vendor–specific documentation.
Verify that the Certificate Authority for the certificate is listed and that the Trust for the certificate has not expired. If it is not there or is not valid, install a new CA certificate.
Verify that the certificate is listed and that it is valid. If it is not present or is not valid, install a new certificate. If you are able to get to the destination directory, then certificates are installed correctly.
After completing the steps in the previous topic based on your specific web server, verify your policy server and web agent configuration.
To verify correct policy server and web agent configuration
In this situation, there is a Policy that is being called, but the user is incorrectly being denied access. This can result from a number of configuration errors. Common errors include:
This is generally caused from the Authentication Scheme Parameter being configured improperly. The redirect is not configured properly so the Web Server is unable to find the SSL Web Agent component.
On Netscape Web Servers, the Certificate or Basic scheme requires the Web Server to have encryption turned on, but does not require certificates. Be sure that in the Encryption Preferences section of the Netscape Server Administration, the Require Certificate setting is set to No.
Copyright © 2013 CA.
All rights reserved.
|
|