7.4 X.509 Certificates - Setup Requirements

To authenticate users with X.509 client certificates, such as a certificate stored on a smart card, be sure these requirements are met. Some settings are client-specific.

In addition, you can use X.509 authentication to log in to the Administrative Console.

7.4.1 Client requirements

These settings are required for any client using X.509 certificates.

Table 7-4

X.509 must be enabled in the Administrative Console: Configure Settings - Authentication & Authorization > X.509.

Each client that is authorized to use MSS resources must have a client certificate, such as a certificate stored on a smart card, and a valid user account in LDAP.

The issuer of the client certificates must be trusted by MSS. For more information, refer to Trusted Certificates.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

Check the requirements for your client:

Host Access for the Cloud clients

These additional settings must be in place for Host Access for the Cloud.

Table 7-5

A port configured for TLS client authentication must be enabled on MSS.

This secure port listens for and authenticates communications between MSS and the Host Access for the Cloud Session Server. This port is automatically configured when using the MSS automated installer or an MSS configuration utility.

Note: A certificate to trust the Host Access for the Cloud Session Server is configured by the automated installer.

No further action is needed, unless you want to add a CA-signed certificate to the MSS trust store.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

To add a CA-signed or other certificate to the MSS trust store:

  1. In the Administrative Console, open Configure Settings - Trusted Certificates.

  2. Click Trusted Sub-System, and click +IMPORT.

  3. Click UPLOAD and select the file containing the certificate to upload to the MSS Administrative Server.

  4. Enter the Keystore file name, Keystore password, and Friendly name.

  5. Click IMPORT to add the certificate.

  6. Restart the MSS Administrative Server.

Windows-based clients

These additional settings must be in place for Windows-based clients.

Table 7-6

A port configured for TLS client authentication must be enabled on MSS. This secure port authenticates end-user certificates presented by Windows-based clients (such as Reflection Desktop or Rumba+).

Note: When using the MSS automated installer or an MSS configuration utility, this port is automatically configured.

The MSS Administrative Server must be restarted after adding a CA-signed certificate.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

7.4.2 Servers in a Cluster

If you are using X.509 authentication and Clustering, the changes you make to a certificate store are automatically replicated to the other MSS Administrative Servers in the cluster.

You do not need to repeat the process on each MSS server in the cluster.

7.4.3 Optional: Administrative Console login

You can use X.509 authentication to log in to the MSS Administrative Console. In this instance, the Administrative Console acts as a client to the core MSS Administrative Server.

Use the Java keytool application to place the certificate in the expected location.

  1. Add the root CA certificate to the MSS servletcontainer trust store.

    keytool -importcert -noprompt -file daso_rootca.crt -keystore servletcontainer.bcfks -providername BCFIPS -storetype bcfks -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-*.jar -storepass changeit -alias daso_rootca

  2. Configure the MSS Administrative Console to use HTTPS to access MSS web services.

    Open <installpath>\MSS\server\conf\container.properties and edit this setting to use HTTPS:

    management.server.url=https://<servername>:8443/mss

  3. Navigate to the server URL using HTTPS.

    Assuming that the user certificate is configured in the browser (details vary by browser), you can navigate to the adminconsole URL:

    https://<servername>:8443/adminconsole
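Once the steps above are done, the two settings that matter most are whether the TLS port from Table 7-4 really demands a client certificate and whether management.server.url from step 2 is HTTPS. The POSIX shell script below is an added example, not part of the MSS documentation; it assumes the container.properties path from step 2, that openssl is installed for the optional live check, and uses a constructed s_client excerpt with an assumed issuer name "DASO Root CA".

```shell
#!/bin/sh
# Post-setup checks for X.509 client-certificate authentication on MSS.
# Added example, not MSS's own tooling; paths, the MSS_HOST/MSS_PORT
# variables and the sample data below are assumptions.

# 1. The Administrative Console must reach MSS web services over HTTPS:
#    management.server.url in container.properties has to start with https://.
check_management_url() {            # $1 = path to container.properties
    url=$(sed -n 's/^management\.server\.url=//p' "$1" | tr -d '\r')
    case "$url" in
        https://*) return 0 ;;
        *) echo "management.server.url is not HTTPS: '$url'" >&2; return 1 ;;
    esac
}

# 2. The TLS client-authentication port must actually send a
#    CertificateRequest. In `openssl s_client` output that shows up as
#    "Acceptable client certificate CA names" (followed by the issuers the
#    server trusts) or "No client certificate CA names sent"; a port that
#    prints neither is not enforcing client authentication.
server_requests_client_cert() {     # $1 = captured s_client output
    printf '%s\n' "$1" | grep -Eq '^(Acceptable client certificate CA names|No client certificate CA names sent)'
}

# 3. The issuer of the users' certificates should be among the advertised
#    CA names, which confirms the import into the MSS trust store took effect.
issuer_advertised() {               # $1 = s_client output, $2 = issuer DN fragment
    printf '%s\n' "$1" | sed -n '/^Acceptable client certificate CA names/,/^---/p' | grep -Fq "$2"
}

# Constructed s_client excerpt (not captured from a real MSS server) showing
# a port that requests a client certificate issued by the assumed root CA.
SAMPLE_SCLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mss01
   i:CN = DASO Root CA
---
Acceptable client certificate CA names
CN = DASO Root CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 1234 bytes and written 456 bytes'

# Optional live check, e.g.  MSS_HOST=mss01 MSS_PORT=8443 sh check_x509.sh
if [ -n "${MSS_HOST:-}" ]; then
    out=$(openssl s_client -connect "$MSS_HOST:${MSS_PORT:-8443}" </dev/null 2>&1)
    server_requests_client_cert "$out" && echo "client auth requested" || echo "client auth NOT requested"
fi
```

Run the live check with MSS_HOST set against the client-authentication port, not the plain HTTPS port; only the former is expected to print the CA list.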