Symantec Access Management


X.509 certificate

  • 1.  X.509 certificate

    Posted Nov 04, 2013 04:40 AM

    Can we configure X.509 certificate authentication if the user certificate and the server certificate are issued by different Certificate Authorities?

    For example: if the user certificate is issued by internal CAs and the server certificate is issued by external CAs like Verisign...

    Thanks.



  • 2.  RE: X.509 certificate

    Posted Nov 04, 2013 06:34 AM

    Do we have any X509 certificate authentication + forms authentication configuration guide for Apache?

    Thanks.



  • 3.  RE: X.509 certificate
    Best Answer

    Posted Nov 05, 2013 12:38 AM
    antonys:

    Do we have any X509 certificate authentication + forms authentication configuration guide for Apache?

    Thanks.


    The X509 certificate authentication + forms authentication scheme is a Policy Server side configuration. You can find information at the link below:

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2051-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?policy-design.html

    Web agent configuration guide:

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2051-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?agent-guide.html



  • 4.  RE: X.509 certificate

    Posted Nov 05, 2013 12:00 AM
    antonys:

    Can we configure X.509 certificate authentication if the user certificate and the server certificate are issued by different Certificate Authorities?

    For example: if the user certificate is issued by internal CAs and the server certificate is issued by external CAs like Verisign...

    Thanks.


    Hi,

    You can have the user certificate and the server certificate from different CAs as long as you have the respective root CAs imported.



  • 5.  RE: X.509 certificate

    Posted Nov 05, 2013 03:29 AM

    Hi Karmeng,

    Where should we import the root certificate, on the server end or the user end? If it's on the user end, then we will have the challenge of importing it to multiple user machines.

    Also, how can we get a root certificate? Appreciate it if you can forward any steps to follow.

    Thanks



  • 6.  RE: X.509 certificate

    Posted Nov 05, 2013 04:58 AM

    I imported the CA root cert in the web server... still the cert authentication is failing.



  • 7.  RE: X.509 certificate

    Broadcom Employee
    Posted Nov 05, 2013 10:08 AM

    Hi Antony,

    What web server are you looking at, and on what OS? If this is Windows, please ensure you imported the CA into the correct certificate store.



  • 8.  RE: X.509 certificate

    Posted Nov 05, 2013 11:56 AM

    Hi Martin,

    Nice to see your response.

    Server version: Apache/2.2.24 (Unix)
    Architecture:   64-bit

    OS:Linux OEL version 2.6.18-308.el5

    Our requirement is to create a strong authentication (X509 cert and form authentication).

    We are using selectlogin.fcc as the credential collector. Our user certificate, which is on a smart card, is issued by our internal Certificate Authority (CA).

    Our Apache web server is installed with the certificate issued by Verisign.

    Here is our SSL config in the web server:

    #   Server Certificate: // certificate received from Verisign
    SSLCertificateFile "/opt/software/test-emp-red-side-login/auth-service/certs/server.crt"
    #   Server Private Key:
    SSLCertificateKeyFile "/opt/software/test-emp-red-side-login/auth-service/certs/server.key"
    #   Server Certificate Chain:
    SSLCertificateChainFile "/opt/software/test-emp-red-side-login/auth-service/certs/server-chain.crt"
    #   Certificate Authority (CA): // root certificate from Verisign and our internal CA cert have been added to the bundle cert
    #SSLCACertificatePath "/opt/software/test-emp-red-side-login/auth-service/certs/ssl.crt"
    SSLCACertificateFile "/opt/software/test-emp-red-side-login/auth-service/certs/ca-bundle.crt"

    For certificate mapping, we have added the IssuerDN of the smart card certificate; the mapping has been created as SamAccountName=%CN%. Also, for form authentication we have SamAccountName bound.

    Errors noticed in SmAccessLogs:

    AuthReject cns006a010 [05/Nov/2013:12:19:44 0000] "10.111.48.218 CN=XXXXXXX,OU=employee,OU=btplc,DC=iuser,DC=iroot,DC=XXXX,DC=com" "wa_dyl00658web01_test-emp-red-side-login GET /auth/redirect.html?authtype=certform&target=https://XXXXXXXXXXXXXXXXX:8443/portalhome/home.html" [] [0]  [] [

    Logs noticed in Policy Trace logs:

    9922][146][11/05/2013][13:07:29][13:07:29.800][Authenticating user.][Sm_Auth_Message.cpp:403][CSm_Auth_Message::AuthenticateUser][wa_dyl00658web01_test-emp-red-side-login][/auth/redirect.html?authtype=certform&target=https://XXXXXXXXXXXxxx:8443/portalhome/home.html][BackendRealm_CertForm][as_playpen_8400_certandform][][][][][

    [9922][146][11/05/2013][13:07:29][13:07:29.805][Auth Scheme used: Cert+Forms][SmAuthCert.cpp:3851][getSpecificScheme][][][][Cert+Forms][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    ][Start of call Search.][SmDsDir.cpp:338][CSmDsDir::Search][][][][][][][][][][][][Advanced search, Root='DC=iuser,DC=iroot,DC=adidom,DC=com',Filter='(samAccountName=XXXX)'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    ][Ldap Search callout succeeds.][SmDsLdapProvider.cpp:2125][CSmDsLdapProvider::Search][][][][][][][][][][][][(Search) Base: 'DC=iuser,DC=iroot,DC=XXXXXXX,DC=com', Filter: '(samAccountName=*********)'. Status: 1 entries][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [Start of call InitUser.][SmDsUser.cpp:95][CSmDsUser::CSmDsUser][][][][][][][][][][][][About to initialize User 'CN=*********,OU=employee,OU=btplc,DC=iuser,DC=iroot,DC=XXXXXXXXXDC=com' in dir 'iuserCAD'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    ][Leave function CSmPasswordCheck::FindApplicablePasswordPolicies][SmPasswordCheck.cpp:566][CSmPasswordCheck::FindApplicablePasswordPolicies][][][][][][][][][][][][][][][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    ][Authenticating user by the auth scheme][SmAuthUser.cpp:4375][CSmAuthUser::Authenticate][][][][as_playpen_8400_certandform][][][][iuserCAD][XXXXXXX][][][][][][][][][][][][][][][][][][][][][][][rZHR2UPHOkYz8VzR13D28m44Do8=][][CN=*********,OU=employee,OU=XXXXDC=iuser,DC=iroot,DC=XXXX,DC=com][][][][][][][][][][][][][][LDAP://147

    ][bad input parameters][SmAuthCert.cpp:4066][parseCert][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [9922][146][11/05/2013][13:07:29][13:07:29.827][Print currentCert.certBinLen: 0][SmAuthCert.cpp:5776][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    ][Leave function SmAuthenticate][SmAuthCert.cpp:6173][SmAuthenticate][][][][][][][][][][][][][][][Sm_AuthApi_Reject][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    ][Evaluating OnAuthReject policy][Sm_Auth_Message.cpp:800][CSm_Auth_Message::AuthenticateUser][wa_dyl00658web01_test-emp-red-side-login][/auth/redirect.html?authtype=certform&target=https://XXXXXXXXXXXXXXxx:8443/portalhome/home.html][BackendRealm_CertForm][as_playpen_8400_certandform][][][][iuserCAD][605520187][][][][][][][][0000000000000000000000004d4c230a-38a3-5278ed91-

     



  • 9.  RE: X.509 certificate

    Posted Nov 05, 2013 09:14 PM

    Hi,

    The smaccess log showing AuthReject means the Policy Server cannot find this user in the user store:

    CN=XXXXXXX,OU=employee,OU=btplc,DC=iuser,DC=iroot,DC=XXXX,DC=com

    What is the user store that you are using? Please check if this user exists in the user store.

    For the user certificate, it basically represents an identity for the end user. The end user will need to submit the certificate when accessing the protected resource. The end user will get a pop-up asking where their user certificate is stored. Once the certificate is submitted, the server will check if the root CA exists in the server certificate database. If it does, it will verify the validity of the user certificate with the CA.

    For the server certificate, if it was signed by some known CA, i.e. Verisign, the Verisign root CA is normally installed by default in the browser. (IE browser -> Tools -> Internet Options -> Content tab -> Certificates button -> Trusted Root Certification Authorities)



  • 10.  RE: X.509 certificate

    Posted Nov 06, 2013 05:10 AM

    Hi Karmeng,

    Thanks for the responses,

    I have added the root cert of Verisign (server certificate) and also our internal CA's root certificate under server certificates.

    I don't think it's an issue with the user store, since we are using the same credentials with a different application which is pointing to the same user store. Also it's not an issue with a particular login id; we have multiple ids.



  • 11.  RE: X.509 certificate

    Posted Nov 06, 2013 08:24 AM

    Finally it worked after adding the root CA of our internal CA... Thanks all.
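    The thread's resolution (user cert from an internal CA, server cert from an external CA, both roots in the SSLCACertificateFile bundle) can be checked offline with openssl before touching Apache. The script below is an added example, not the poster's configuration or any CA vendor's tooling: it builds two throwaway CAs with constructed names, issues a user cert from one and a server cert from the other, and verifies each against the bundle and against each single root, which is the same chain check mod_ssl performs.

```shell
#!/bin/sh
# Added example: all CA names, subjects and file names are constructed for this
# demo; nothing here is the thread poster's real PKI or hostnames.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# gen_ca <prefix> <CN>: self-signed throwaway root (openssl adds CA:TRUE for -x509).
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -days 1 -subj "/CN=$2" >/dev/null 2>&1
}

# issue_cert <prefix> <ca-prefix> <subject>: leaf certificate signed by that CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$3" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 1 >/dev/null 2>&1
}

gen_ca internal-ca "Demo Internal CA"        # stands in for the poster's internal CA
gen_ca external-ca "Demo External CA"        # stands in for the public CA (Verisign in the thread)
issue_cert user   internal-ca "/CN=jdoe/OU=employee"   # smart-card style user cert
issue_cert server external-ca "/CN=www.example.test"   # web server cert

# The bundle Apache's SSLCACertificateFile would point at: both roots, one file.
cat external-ca.crt internal-ca.crt > ca-bundle.crt

# verify_client <ca-file> <cert>: prints ok or fail, mirroring mod_ssl's chain check.
verify_client() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Demo run: only the bundle accepts both certificates; each single root accepts
# just the certificate it issued, which is why post 6 failed and post 11 worked.
for ca in ca-bundle.crt external-ca.crt internal-ca.crt; do
  echo "user.crt   vs $ca: $(verify_client "$ca" user.crt)"
  echo "server.crt vs $ca: $(verify_client "$ca" server.crt)"
done
```

    Run against a real bundle as `openssl verify -CAfile ca-bundle.crt user.crt` with the certificate exported from the smart card; a failure there will also show up as the parseCert/certBinLen trace lines above, because mod_ssl never hands the certificate to the agent.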



  • 12.  RE: X.509 certificate

    Posted Nov 07, 2013 12:36 PM

    Though the cert and form authentication works, we see a behaviour where users who have a user certificate in the browser are prompted for the certificate before getting the selectlogin.fcc page.

    The logic in selectlogin.fcc is that once we submit on the login button, which has a login action to a resource protected by cert and form authentication, the user certificate in the browser should be prompted for only after entering credentials.

    I tried the following in the Apache SSL config: set SSLVerifyClient to none globally and enabled certificate authentication for a specific resource pattern, but I am still getting login failed.

    #   Client Authentication (Type):
    SSLVerifyClient none
    SSLVerifyDepth  10

    #   Access Control:
    <Location /auth>
    SSLVerifyClient optional
    SSLVerifyDepth  10

    </Location>

    Any thoughts are appreciated.

    Thanks.