X.509 client authentication allows clients to authenticate to servers with certificates rather than with a user name and password by leveraging the X.509 public key infrastructure (PKI) standard.
When you enable X.509 client authentication:
When the user accesses the web client using TLS the browser sends a certificate to the session server identifying the end user and completing the TLS handshake.
The session server refers to its truststore to check the client’s certificate and verify its trust.
Once the TLS negotiation is complete (the session server trusts the end user), the session server sends the end user’s public certificate to MSS for further validation.
MSS also verifies that it trusts the end users certificate using its trust store.
When MSS finishes the validation, the end user will have successfully authenticated.
The client’s full certificate chain needs to be present in the session server and MSS truststores or alternatively signed by a Certificate Authority that is present in the truststores.
How the browser determines the client certificate to send is a browser or smart card specific configuration.
Basic steps:
Trust certificates in the session server and MSS if they have not already been trusted.
Restart the servers.
Configure X.509 in the MSS Administrative Console.
Step 1. Trust the certificate in MSS and the session server
Trust the certificate in MSS
MSS’ trusted store may already contain your signing authority certificate. This is often the case with well-known certificate signing authorities, and if so, then you can skip this step.
To check:
Open the Administrative Console, click Configure Settings, and open the Trusted Certificates tab. Open Trusted Root Certificate Authorities to see a list of available certificates.
If your certificate is not listed you need to install your signing root CA into MSS following the prompts and documentation in the Administrative Console.
Trust the certificate in the session server
To install the certificate into the session server:
In <install_directory>\sessionserver\etc import the certificate: keytool -importcert -file <cert-file> -alias <alias-to-store-cert-under> -keystore trustcerts.bcfks -storetype bcfks -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-*.jar -storepass changeit
Step 2. Restart all the servers
For the configuration to take effect, you must restart all servers.
Step 3. Configuring X.509 with LDAP fail over in the MSS Administrative Console
Once the certificates are in place, you can enable X.509 with the Fallback to LDAP authentication option in Management and Security Server Administrative Console | Configure Settings | Authentication & Authorization. See the Administrative Console online help for descriptions of the configuration options.