To authenticate users with X.509 client certificates, such as a certificate stored on a smart card, be sure these requirements are met. Some settings are client-specific.
In addition, you can use X.509 authentication to access the Administrative Console and the HTML Session list.
These settings are required for any client using X.509 certificates.
X.509 must be enabled in the Administrative Console: Configure Settings - Authentication & Authorization > X.509.
Each client that is authorized to use MSS resources must have a client certificate, such as a certificate stored on a smart card.
The issuer of the client certificates must be trusted by MSS. For more information, refer to Trusted Certificates.
If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.
Check the requirements for your client:
These additional settings must be in place for Host Access for the Cloud.
A port configured for TLS client authentication must be enabled on MSS. This secure port listens for and authenticates communications between MSS and the Host Access for the Cloud Session Server. This port is automatically configured when using the MSS automated installer or an MSS configuration utility.
Note: A certificate to trust the Host Access for the Cloud Session Server is configured by the automated installer. No further action is needed, unless you want to add a CA-signed certificate to the MSS trust store.
If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.
To add a CA-signed certificate to the MSS trust store:
In the Administrative Console, open Configure Settings - Trusted Certificates.
Click Trusted Sub-System, and click +IMPORT.
Click UPLOAD and select the file containing the certificate to upload to the MSS Administrative Server.
Enter the Keystore file name, Keystore password, and Friendly name.
Click IMPORT to add the certificate.
Restart the MSS Administrative Server.
These additional settings must be in place for Windows-based clients.
A port configured for TLS client authentication must be enabled on MSS. This secure port authenticates end-user certificates presented by Windows-based clients (such as Reflection Desktop or Rumba+). Note: When using the MSS automated installer or an MSS configuration utility, this port is automatically configured.
The MSS Administrative Server must be restarted after adding a CA-signed certificate.
If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.
If you are using X.509 authentication and Clustering, the changes you make to a certificate store are automatically replicated to the other MSS Administrative Servers in the cluster.
You do not need to repeat the process on each MSS server in the cluster.
Administrators can use X.509 authentication to log in to the MSS Administrative Console, and users can use X.509 authentication to access their list of assigned sessions.
To enable X.509 authentication, you must perform the following setup in addition to configuring the X.509 authentication settings in the Administrative Console.
Add the root CA certificate to the MSS servletcontainer truststore, using either the Keystore Explorer utility or the Java keytool. Any certificate that chains to that root will pass the TLS client-certificate check, so import only the CA that issues your users' certificates.
Configure the MSS Administrative Console to use HTTPS to access MSS web services.
Open <installpath>\MSS\server\conf\container.properties and edit this setting to use HTTPS:
management.server.url=https://<servername>:<HTTPS port>/mss
Note: Enter the <servername> and <HTTPS port> that were set during the initial installation.
Restart the server for the changes to take effect.
Navigate to the server URL over HTTPS. The browser prompts you to select a client certificate.
Assuming the user certificate is installed in the browser (details vary by browser), you can open the Administrative Console URL:
https://<servername>:<HTTPS port>/adminconsole
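The two server-side steps above (import the root CA into the truststore, switch management.server.url to HTTPS) plus a check that the HTTPS port really requests a client certificate, as an added shell example for a Linux/UNIX MSS host. This script is not part of the MSS documentation or product. The installation path, the truststore file name and password, and the CA alias are assumptions to be replaced with your own values; on Windows the same keytool invocation applies to <installpath>\MSS\server\conf\container.properties. Only the container.properties key comes from the page; the keytool and openssl options are the tools' standard ones.

```shell
#!/bin/sh
# Added example, not from the MSS documentation. Assumed values are marked.
set -eu

# ASSUMPTION: adjust these to your installation. The page documents only the
# container.properties location; the truststore file name and password are
# placeholders, not MSS defaults.
MSS_HOME="${MSS_HOME:-/opt/microfocus/mss}"
CONTAINER_PROPS="${CONTAINER_PROPS:-$MSS_HOME/server/conf/container.properties}"
TRUSTSTORE="${TRUSTSTORE:-$MSS_HOME/server/etc/truststore.jks}"
TRUSTSTORE_PASS="${TRUSTSTORE_PASS:-changeit}"

# Step 1: import the root CA into the servletcontainer truststore with keytool.
# -noprompt skips the interactive "Trust this certificate?" question, so verify
# the fingerprint of the PEM file out of band before running this.
import_root_ca() {
    ca_pem="$1"; alias="$2"
    keytool -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$ca_pem" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Confirm the alias is present as a trustedCertEntry (not a private key entry).
verify_trusted_alias() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
        -alias "$1" | grep -q trustedCertEntry
}

# Step 2: point the Administrative Console at the HTTPS web-services URL.
# Replaces any existing management.server.url line (http or https), keeps every
# other setting, and returns non-zero unless exactly one https line results.
set_management_url() {
    props="$1"; host="$2"; port="$3"
    new="management.server.url=https://$host:$port/mss"
    tmp="$props.tmp.$$"
    { grep -v '^[[:space:]]*management\.server\.url[[:space:]]*=' "$props" || true
      printf '%s\n' "$new"; } > "$tmp"
    mv "$tmp" "$props"
    [ "$(grep -c "^$new\$" "$props")" = "1" ]
}

# Step 3 (after restarting the server): confirm the HTTPS port asks for a client
# certificate. openssl -msg prints each handshake message; a server enforcing
# client authentication sends CertificateRequest (TLS 1.2 and TLS 1.3 alike).
check_client_auth_requested() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -msg </dev/null 2>/dev/null \
        | grep -q 'CertificateRequest'
}

# Usage: sh mss-x509-setup.sh rootca.pem mss01.example.com 8443
if [ $# -eq 3 ]; then
    import_root_ca "$1" mss-root-ca
    verify_trusted_alias mss-root-ca
    set_management_url "$CONTAINER_PROPS" "$2" "$3"
    echo "Restart the MSS Administrative Server, then run: check_client_auth_requested $2 $3"
fi
```

Run the restart step by hand between steps 2 and 3; the script does not know your service manager. If check_client_auth_requested returns non-zero, the port is serving TLS without requesting a client certificate, which means the TLS client-authentication port requirement above is not met.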