Tech Tip – X.509 Cert Authentication with Apache Agent

Summary:

How to configure X.509 certificate authentication with the CA Single Sign-On Web Agent on an Apache web server.

Environment:
  • Policy Server: R12.52 SP1 and above
  • User Store: any LDAP
  • Web Server: Apache 2.4 on Windows
Pre-requisites:

You have already obtained the following three certificates:

  • Trusted CA root certificate.
  • Server Certificate from a trusted CA.
  • Client Certificate from a trusted CA.

(Refer to: Tech Tip: How to create self-signed RootCA/Server/User certificates using OpenSSL)

Instructions:

Changes on the Apache Web Server

Changes to httpd.conf

1. Ensure that the LoadModule line for mod_ssl is uncommented:

LoadModule ssl_module modules/mod_ssl.so

2. Ensure that either httpd-ssl.conf or httpd-ahssl.conf is included (one of the two, not both):

    <IfModule ssl_module>
        #Include conf/extra/httpd-ssl.conf
        Include conf/extra/httpd-ahssl.conf
        SSLRandomSeed startup builtin
        SSLRandomSeed connect builtin
    </IfModule>

Changes to httpd-ssl.conf/httpd-ahssl.conf

1. Ensure that a Listen port is specified for HTTPS:

Listen 443 https

2. Configure the virtual host for SSL with the following options set. SSLCACertificateFile, SSLVerifyClient require and SSLVerifyDepth are the directives that make Apache demand and verify a client certificate; the rest is the standard SSL virtual host.

    <VirtualHost _default_:443>
        ServerName localhost:443
        SSLEngine on
        SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
        SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
        SSLCACertificateFile "${SRVROOT}/conf/ssl/ca.crt"
        SSLVerifyClient require
        SSLVerifyDepth 10
        DocumentRoot "${SRVROOT}/htdocs"
        # DocumentRoot access handled globally in httpd.conf
        CustomLog "${SRVROOT}/logs/ssl_request.log" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        <Directory "${SRVROOT}/htdocs">
            Options Indexes Includes FollowSymLinks
            AllowOverride AuthConfig Limit FileInfo
            Require all granted
        </Directory>
    </VirtualHost>


Note: If Apache runs as a Windows service, the server key must be unencrypted, because a service cannot answer the passphrase prompt at startup.

You can use the following command to convert the encrypted server key to an unencrypted one:

    > openssl rsa -in server.key -out server.key
    Enter pass phrase for server.key:      -> enter the passphrase and press Return
    writing RSA key
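As an added check (example code written for this page, not part of the tech tip or of CA Single Sign-On), the following Python script parses a virtual host block like the one above, reports any deviation from the client-certificate settings (SSLEngine, SSLCACertificateFile, SSLVerifyClient require, SSLVerifyDepth), expands ${SRVROOT} to confirm that the certificate and key files exist, and tells whether a PEM server key is still passphrase-protected, which is the situation the note about running Apache as a Windows service addresses. The two sample virtual hosts and the PEM key headers in the script are constructed; the SRVROOT path is whatever you pass in.

```python
"""Check an Apache SSL virtual host for the X.509 client-certificate settings
used with the CA Single Sign-On Web Agent, and check that the server key is
unencrypted (Apache running as a Windows service cannot answer a passphrase
prompt).  Added example, not part of the original tech tip; the sample
configs and PEM headers below are constructed."""
import re
from pathlib import Path

# Constructed sample: the virtual host from the tech tip.
GOOD_VHOST = """
<VirtualHost _default_:443>
    ServerName localhost:443
    SSLEngine on
    SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
    SSLCACertificateFile "${SRVROOT}/conf/ssl/ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 10
    DocumentRoot "${SRVROOT}/htdocs"
</VirtualHost>
"""

# Constructed weak variant: client certificate optional, no CA file, no depth.
WEAK_VHOST = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile "${SRVROOT}/conf/ssl/server.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server.key"
    SSLVerifyClient optional
</VirtualHost>
"""

# Constructed PEM headers (base64 bodies omitted) for the key check.
ENCRYPTED_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                     "Proc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                     "...base64 body omitted...\n"
                     "-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "...base64 body omitted...\n"
                 "-----END RSA PRIVATE KEY-----\n")

DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s+(.*?)\s*$')
FILE_DIRECTIVES = ('SSLCertificateFile', 'SSLCertificateKeyFile', 'SSLCACertificateFile')


def parse_vhost(text):
    """Return {directive (lower-cased): value} for the first <VirtualHost> block.
    Apache directive names are case-insensitive, hence the lower-casing."""
    m = re.search(r'<VirtualHost[^>]*>(.*?)</VirtualHost>', text, re.S | re.I)
    if not m:
        raise ValueError('no <VirtualHost> block found')
    directives = {}
    for line in m.group(1).splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank line or full-line comment
        dm = DIRECTIVE_RE.match(line)
        if dm:
            directives[dm.group(1).lower()] = dm.group(2).strip('"')
    return directives


def get(directives, name):
    """Case-insensitive directive lookup."""
    return directives.get(name.lower())


def check_client_auth(directives):
    """Return a list of findings; an empty list means the vhost matches the tech tip."""
    findings = []
    if (get(directives, 'SSLEngine') or '').lower() != 'on':
        findings.append('SSLEngine must be "on"')
    for name in ('SSLCertificateFile', 'SSLCertificateKeyFile'):
        if get(directives, name) is None:
            findings.append(f'{name} is missing')
    # Default for SSLVerifyClient when absent is "none": no client certificate at all.
    mode = (get(directives, 'SSLVerifyClient') or 'none').lower()
    if mode != 'require':
        findings.append(f'SSLVerifyClient is "{mode}"; "require" is needed so that every '
                        'request reaching the Web Agent carries a verified client certificate')
    if get(directives, 'SSLCACertificateFile') is None:
        findings.append('SSLCACertificateFile is missing; Apache has no trusted CA to verify '
                        'client certificates against')
    depth = get(directives, 'SSLVerifyDepth')
    if depth is None or not depth.isdigit() or int(depth) < 1:
        findings.append('SSLVerifyDepth is missing or not a positive integer')
    return findings


def missing_files(directives, srvroot):
    """Expand ${SRVROOT} and return the certificate/key directives whose files do not exist."""
    missing = []
    for name in FILE_DIRECTIVES:
        value = get(directives, name)
        if value is not None and not Path(value.replace('${SRVROOT}', str(srvroot))).is_file():
            missing.append(name)
    return missing


def key_is_encrypted(pem_text):
    """True if the PEM private key needs a passphrase: traditional PEM carries a
    'Proc-Type: 4,ENCRYPTED' header, PKCS#8 uses an 'ENCRYPTED PRIVATE KEY' block."""
    return 'Proc-Type: 4,ENCRYPTED' in pem_text or 'BEGIN ENCRYPTED PRIVATE KEY' in pem_text


if __name__ == '__main__':
    for label, text in (('good', GOOD_VHOST), ('weak', WEAK_VHOST)):
        d = parse_vhost(text)
        print(label, check_client_auth(d) or 'OK',
              '| missing files:', missing_files(d, 'C:/Apache24'))
    print('server.key still encrypted:', key_is_encrypted(ENCRYPTED_KEY_PEM))
```

Run it against the real httpd-ahssl.conf by reading the file into parse_vhost and passing the actual SRVROOT; a non-empty findings list, a missing file, or an encrypted key are the three things that most often leave the client-certificate prompt not appearing or Apache not starting as a service.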


Changes on the Policy Server

1. Create an X.509 certificate authentication scheme as below:

2. Create a Domain, Realm, Rule (GET/POST) and Policy. Protect the realm with the X.509 authentication scheme.

3. Click Certificate Mappings under Directory and create a mapping as below.

Note :

  • Ensure that the Issuer DN matches exactly the issuer DN in the user certificate.
  • Choose the mapping attribute according to the Active Directory LDAP user DN lookup configuration.

Changes on the client machine

1. Open the MMC console and import the client certificate and the CA root certificate into the Current User account's certificate store.

Testing:

1. From the client machine, access a resource protected by the X.509 authentication scheme.

2. The browser prompts you to select the client/user certificate. Choose the appropriate user certificate and click OK.

Additional Information:
