Layer7 Access Management

Tech Tip: CA Single Sign-On: CA Access Gateway: X.509 Cert Authentication

By Ujwol posted 11-29-2016 11:01 PM


Summary

How to configure X.509 cert authentication with CA Access Gateway

Environment:

  • Policy Server : R12.52 SP1 and above
  • CA Access Gateway : R12.52 SP1 and above
  • User Store : ANY LDAP/ODBC

Pre-requisites:

You have already obtained the following three required certificates:

  • Trusted CA root certificate.
  • Server Certificate from a trusted CA.
  • Client Certificate from a trusted CA.

Instructions

Changes on the Policy Server


1. Create X.509 certificate authentication scheme as below :

2. Create a Domain, Realm, Rule (get/post) and Policy. Protect the realm with the X.509 authentication scheme.

3. Click Certificate Mappings under Directory and create mapping as below.

Note :

  • Ensure that the Issuer DN matches exactly what is in the user certificate.
  • Choose the mapping attribute as per the Active Directory LDAP User DN lookup configuration.


Changes on the CA Access Gateway


A) Configure SSL for Apache

1. Log in to the Proxy UI and navigate to Proxy Configuration > SSL Config.

    Click the Request button under Embedded Web Server SSL Configuration.


2. Enter the requested details. Ensure that the Requester Name matches the host name as configured in the VirtualHost configuration in Server.conf.

3. Click the Generate button to create the CSR (certificate signing request) file.

    Save the CSR file. You will need to submit this file to the CA for signing.

4. Now, before importing the signed server certificate file from the CA: if the CA is not already a trusted CA, you will need to import the CA certificate along with its intermediate certificates.

Navigate to Proxy Configuration > SSL Config.

Click Import CA under Embedded Web Server SSL Configuration.

5. Click the Browse button and select the CA certificate. Then continue clicking Next until the CA certificate is imported successfully.

If there are intermediate CA certificates, repeat the same steps to import them as well.


6. Once the CA is imported, you are ready to import the signed server certificate from the CA.

Navigate to Proxy Configuration > SSL Config.

Under Embedded Web Server SSL Configuration, click Browse to select the signed server certificate, choose the CA which signed it from the CA Certificate drop-down and click Apply.

Click Import CA under Embedded Web Server SSL Configuration

7. Upon import, a confirmation message is shown. You will need to restart the CA Secure Proxy service to fully enable the SSL configuration.

8. Restart the CA Secure Proxy service and try accessing Apache over HTTPS to confirm that SSL is enabled:


B) Configure SPS Apache for X.509 client certificate authentication

1. To ensure that Apache requests a certificate from the client (browser), modify the httpd-ssl.conf file under the <CA Access Gateway Home>\httpd\conf\extra folder as below:

Change SSLVerifyClient from optional to require.

2. Next, un-comment the SSLCACertificateFile parameter. The ca-bundle.cert file will already contain the CA certificate which signed the Apache server certificate.

If the CA which signed your client certificate is not the same as the one which signed your Apache server certificate, manually add that CA certificate to the ca-bundle.cert file; otherwise Apache cannot build a trust chain for the client certificate and will reject the TLS handshake.

(For my testing, both CAs were the same, so I didn't have to add any extra certificate to this file.)

3. Restart the CA Secure Proxy service.
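Two of the checks above are easy to get wrong silently: the Issuer DN in the Certificate Mapping must match the user certificate exactly, and ca-bundle.cert must contain the CA that signed the client certificate. The following pre-flight script is an added example (not part of the original tech tip or the product); it assumes only the openssl CLI, a client certificate in PEM form and the gateway's ca-bundle.cert path, and builds a constructed throwaway PKI to demonstrate both the passing and the failing case.

```shell
#!/bin/sh
# Pre-flight checks for X.509 client-cert auth on the Access Gateway (added example).
# Assumed inputs: a PEM client certificate and the gateway's ca-bundle.cert.

# Issuer DN of a certificate in RFC 2253 form, e.g. "CN=Demo Issuing CA,O=Example Corp".
# Compare this against the Issuer DN entered in the Certificate Mapping.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Exit 0 when the client certificate chains to a CA present in the bundle,
# i.e. what Apache checks with SSLVerifyClient require + SSLCACertificateFile.
chain_ok() {    # $1 = ca-bundle.cert, $2 = client cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Number of CA certificates contained in a bundle file.
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Report what to fix before enabling SSLVerifyClient require.
check_client_cert() {   # $1 = ca-bundle.cert, $2 = client cert
    echo "client issuer DN : $(issuer_dn "$2")"
    echo "bundle CA count  : $(bundle_cert_count "$1")"
    if chain_ok "$1" "$2"; then
        echo "chain            : OK (issuer CA present in bundle)"
    else
        echo "chain            : FAIL - add the client cert's issuer CA to $1"
        return 1
    fi
}

# Constructed throwaway PKI for demonstration only: one issuing CA, one unrelated CA,
# and one client cert signed by the issuing CA (keys are never reused anywhere).
make_demo_certs() {     # $1 = work dir
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/O=Example Corp/CN=Demo Issuing CA" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/other.key" -out "$d/other.pem" \
        -subj "/O=Example Corp/CN=Unrelated CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/O=Example Corp/CN=alice" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.pem" 2>/dev/null
}
```

Run `check_client_cert /path/to/ca-bundle.cert user.pem` against a real client certificate; a FAIL line means the handshake would be rejected once SSLVerifyClient is set to require.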


Changes on the client machine

Import the client certificate either using MMC or using the browser itself.


Testing:

1. From the client machine, access the resource protected with the X.509 authentication scheme. For this test, I protected the Auth/Az web service with the X.509 certificate authentication scheme, so I will try accessing it on the HTTPS port.

2. It will prompt you to select the client/user certificate. Choose the appropriate user certificate and click OK.


Additional Information


Comments

11-07-2018 02:48 PM

Hi Ujwol ,


I followed all the above steps and protected /authazws with the X509 cert based auth scheme. When I access the protected URL my browser pops up for a cert and I select the client cert. I already added the corresponding CA cert in ca-bundle.


Can you help me understand why I am getting this error in SPSTrace:

[SmScc::getCredentials][Failed to get the certificate credentials.].


There is no error in smtrace:


[11/07/2018][14:46:11.054][Sm_Az_Message.cpp:208][CSm_Az_Message::ProcessMessage][12397][140215431227136][s1160/r2][][][smwebauth][][][][][][][][][][][server01][** Received agent request.][][]
[11/07/2018][14:46:11.054][IsProtected.cpp:52][CSm_Az_Message::IsProtected][12397][140215431227136][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::IsProtected][][]
[11/07/2018][14:46:11.054][IsProtected.cpp:75][CSm_Az_Message::IsProtected][12397][140215431227136][][][][smwebauth][][][][][][][][][][][1536][Received request from agent, check agent api version.][][]
[11/07/2018][14:46:11.055][IsProtected.cpp:98][CSm_Az_Message::IsProtected][12397][140215431227136][][][][smwebauth][][][/authazws/auth?wsdl][][][][][][][][][Starting IsProtected processing.][][]
[11/07/2018][14:46:11.055][SmAuthorization.cpp:620][CSmAz::IsProtected][12397][140215431227136][][][DEVSS_DOMAINS][][][SM_WebAuth_Realm][/authazws/auth?wsdl][][][][][][][][][Resource is protected by realm.][][]
[11/07/2018][14:46:11.055][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][12397][140215431227136][s1160/r2][][DEVSS_DOMAINS][smwebauth][][SM_WebAuth_Realm][][][][][][][][][03-000dcc46-9d1c-19f8-8a7f-2de60a695a5a][Send response attribute 150, data size is 39][][]
[11/07/2018][14:46:11.055][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][12397][140215431227136][s1160/r2][][DEVSS_DOMAINS][smwebauth][][SM_WebAuth_Realm][][][][][][][][][06-000cd273-61c6-1bd3-b7d1-2de60a690000][Send response attribute 204, data size is 39][][]
[11/07/2018][14:46:11.055][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][12397][140215431227136][s1160/r2][][DEVSS_DOMAINS][smwebauth][][SM_WebAuth_Realm][][][][][][][][][SM_WebAuth_Realm][Send response attribute 203, data size is 16][][]
[11/07/2018][14:46:11.055][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][12397][140215431227136][s1160/r2][][DEVSS_DOMAINS][smwebauth][][SM_WebAuth_Realm][][][][][][][][][16777244][Send response attribute 219, data size is 8][][]
[11/07/2018][14:46:11.055][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][12397][140215431227136][s1160/r2][][DEVSS_DOMAINS][smwebauth][][SM_WebAuth_Realm][][][][][][][][][https://server.com/siteminderagent/cert/smgetcred.scc][Send response attribute 220, data size is 70][][]
[11/07/2018][14:46:11.055][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][12397][140215431227136][s1160/r2][][DEVSS_DOMAINS][smwebauth][][SM_WebAuth_Realm][][][][][][][][][][Send response attribute 146, data size is 0][][]
[11/07/2018][14:46:11.055][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][12397][140215431227136][s1160/r2][][DEVSS_DOMAINS][smwebauth][][SM_WebAuth_Realm][][][][][][][][][][Send response attribute 147, data size is 0][][]
[11/07/2018][14:46:11.055][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][12397][140215431227136][s1160/r2][][DEVSS_DOMAINS][smwebauth][][SM_WebAuth_Realm][][][][][][][][][][** Status: Protected. ][][]
[11/07/2018][14:46:11.055][IsProtected.cpp:328][CSm_Az_Message::IsProtected][12397][140215431227136][][][][][][][][][][][][][][][][Leave function CSm_Az_Message::IsProtected][][]
[11/07/2018][14:46:16.393][SmDsLdapConnMgr.cpp:626][PingServer][12397][140214055966464][][][][][][][][][][][][][][][][LDAP Server Ping Successful][][]
[11/07/2018][14:46:16.403][SmDsLdapConnMgr.cpp:626][PingServer][12397][140214055966464][][][][][][][][][][][][][][][][LDAP Server Ping Successful][][]

And in the browser it says Access Forbidden, with URL:

https://server.com/siteminderagent/cert/1541619073/smgetcred.scc?TYPE=16777244&REALM=-SM-SM_WebAuth_Realm%20[14%3a31%3a13%3a139955804312747]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-sBpI5F2xUhKv%2bsLKSZVAtQozj7gtzAu6KCBG%2fmnlSnpM2wBIiY%2fCKP8%2bjHLy3JI1&TARGET=-SM-HTTPS%3a%2f%2f--dserver.com%2fauthazws%2fauth%3fwsdl

06-20-2017 03:09 AM

For cert+form, the process is exactly the same as described in this blog.

Just that, while selecting the authentication scheme type, you will need to choose

X.509 Client Cert and Form Template

X.509 Client Cert and Form Template - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

The Cert and Form authentication scheme is definitely secure, as it requires the user to submit a certificate as well as a username/password for authentication.

06-20-2017 02:10 AM

The above post is very helpful, thanks. I got to know that .scc is a virtual file.

I have a requirement for cert+form based authentication for a site which is already protected with form based authentication.
Can you elaborate on how that works, and if possible post the cert+form config steps like the above?

Is the above request standard, and is it secure?

06-20-2017 01:59 AM

Hi,

smgetcred.scc is a virtual file.


Regards,

Leo Joseph.

06-20-2017 01:56 AM

Hi Ujwol,

Is smgetcred.scc a physical file?

03-08-2017 07:01 AM

I still do not see your User Policy configuration.

Did you check the Policy Server trace log? It should say why it didn't authorize the request.

03-06-2017 06:47 AM

Are you sure that is a CA Directory user? It looks like an AD user... maybe try allowing ALL users and see if it works.

03-06-2017 05:37 AM

Did you allow user "CN=Administrator,CN=Users,DC=smdemo,DC=com" access in the get/post policy for the Auth/AZ resource?

11-29-2016 11:06 PM