7.4 X.509 Certificates - Setup Requirements

To authenticate users with X.509 client certificates, such as a certificate stored on a smart card, be sure these requirements are met. Some settings are client-specific.

In addition, you can use X.509 authentication to access the Administrative Console and the HTML Session list.

7.4.1 Client requirements

These settings are required for any client using X.509 certificates.

X.509 must be enabled in the Administrative Console: Configure Settings - Authentication & Authorization > X.509.

Each client that is authorized to use MSS resources must have a client certificate, such as a certificate stored on a smart card.

The issuer of the client certificates must be trusted by MSS. For more information, refer to Trusted Certificates.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

Check the requirements for your client:

Host Access for the Cloud clients

These additional settings must be in place for Host Access for the Cloud.

A port configured for TLS client authentication must be enabled on MSS.

This secure port listens for and authenticates communications between MSS and the Host Access for the Cloud Session Server. This port is automatically configured when using the MSS automated installer or an MSS configuration utility.

Note: A certificate to trust the Host Access for the Cloud Session Sever is configured by the automated installer.

No further action is needed, unless you want to add a CA-signed certificate to the MSS trust store.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

To add a CA-signed or other certificate to the MSS trust store:

  1. In the Administrative Console, open Configure Settings - Trusted Certificates.

  2. Click Trusted Sub-System, and click +IMPORT.

  3. Click UPLOAD and select the file containing the certificate to upload to the MSS Administrative Server.

  4. Enter the Keystore file name, Keystore password, and Friendly name.

  5. Click IMPORT to add the certificate.

  6. Restart the MSS Administrative Server.

Windows-based clients

These additional settings must be in place for Windows-based clients.

A port configured for TLS client authentication must be enabled on MSS. This secure port authenticates end-user certificates presented by Windows-based clients (such as Reflection Desktop or Rumba+).

Note: When using the MSS automated installer or an MSS configuration utility, this port is automatically configured.

The MSS Administrative Server must be restarted after adding a CA-signed certificate.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

7.4.2 Servers in a Cluster

If you are using X.509 authentication and Clustering, the changes you make to a certificate store are automatically replicated to the other MSS Administrative Servers in the cluster.

You do not need to repeat the process on each MSS server in the cluster.

7.4.3 Configure Access to the Administrative Console or Sessions List

Administrators can use X.509 authentication to log in to the MSS Administrative Console, and users can use X.509 authentication to access their list of assigned sessions.

To enable X.509 authentication, you must perform the following setup in addition to configuring the X.509 authentication settings in the Administrative Console.

  1. Add the root CA certificate to the MSS servletcontainer truststore using either the Keystore Explorer utility or the Java keytool.

    • Keystore Explorer

      • a. Open servletcontainer.bcfks in the etc folder of the MSS installation. The default password is changeit.
      • b. From the Tools menu, choose Import Trusted Certificate.
      • c. Select the root CA certificate that was used to issue the end-user certificates for X.509 authentication.
      • d. Enter an alias to identify the certificate in the truststore.
      • e. After the certificate is imported, choose File > Save; then exit Keystore Explorer.

    • Java keytool

      • a. Open a command prompt in the etc folder of the MSS installation.
      • b. Issue the following keytool command. Specify the full path to the root CA certificate if it's not in the current directory. In this example, daso_rootca.crt is the certificate being imported, and daso_rootca is the alias being assigned.
      • keytool -importcert -no-prompt -file daso_rootca.crt -keystore servletcontainer.bcfks -providername BCFIPS -storetype bcfks -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-*.jar -storepass changeit -alias daso_rootca

  2. Configure the MSS Administrative Console to use HTTPS to access MSS web services.

    Open <installpath>\MSS\server\conf\container.properties and edit this setting to use HTTPS:

    management.server.url=https://<servername>:<HTTPS port>/mss

    Note: Enter the <servername> and <HTTPS port> that were set during the initial installation.

  3. Restart the server for the changes to take effect.

  4. Navigate to the server URL using HTTPS. The browser will prompt for your certificate credentials.

    Assuming that the user certificate is configured in the browser (details vary by browser), you can navigate to the adminconsole url:

    https://<servername>:<HTTPS port>/adminconsole