Enabling certificate authentication
About this task
Certificate authentication is disabled by default. To enable certificate authentication:
Procedure
| Configuration | Description |
|---|---|
| accept-client-certs = optional | Client can optionally use certificate-based authentication. WebSEAL asks clients for an X.509 certificate. If the user supplies a certificate, certificate-based authentication is used. |
| accept-client-certs = required | Client must use certificate-based authentication. WebSEAL asks clients for an X.509 certificate. If the user does not present a certificate, WebSEAL does not allow a connection. |
| accept-client-certs = prompt_as_needed | The user is not required to authenticate with a certificate at session start-up. The user can later initiate certificate authentication. This setting enables delayed certificate authentication mode. |
For example, to prompt users for a client-side certificate only when the user encounters a resource that requires certificate authentication, enter:
[certificate]
accept-client-certs = prompt_as_needed
prompt_as_needed configuration entry to not function correctly. Additional configuration is required to allow prompt_as_needed to work with all browsers. The configuration parameter secondary-port must be set in the [certificate] stanza. This modifies the behavior of accept-client-certs = prompt_as_needed to post the certificate login to a secondary interface listening on this port. A secondary interface must be configured for the secondary-port specified, and accept-client-certs=required must be set for that secondary interface.
secondary-port method:
[server]
https = yes
https-port = 443
network-interface = 172.16.99.10
[ssl]
webseal-cert-keyfile-label = WebSEAL-Test-Only
[certificate]
accept-client-certs = prompt_as_needed
secondary-port = 444
[interfaces]
interface1 = network-interface=172.16.99.10;https-port=444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes
- An interface that is configured with prompt_as_needed and has a non-zero secondary-port is not used to prompt for certificates.
- A macro is provided, %SECONDARY_BASE%. When secondary-port is non-zero it has the value HTTPS://%HOSTNAME%:<secondary-port>.
- When secondary-port is zero, or not set, it has an empty (zero length) value.
- The certlogin.html and stepuplogin.html pages use the %SECONDARY_BASE% macro.
- When the Certificate Login button is pressed, the underlying action is to POST to %SECONDARY_BASE%/pkmslogin.form.
- [certificate] cert-prompt-max-tries is not used in this mode, and the login requires significantly fewer redirects to operate.

accept-client-certs=required
- When a successful authentication using client certificates occurs on a request accessing /pkmslogin.form, WebSEAL redirects back to a request that was cached because it was interrupted by the login process. Note: [server] cache-host-header must be set to yes.
- This differs from previous behavior, as using the "required" method of authentication did not disrupt access to the requested page when prompting the user for a certificate.
- A configuration parameter, always-neg-tls, was added to [server] and [interfaces].
- If always-neg-tls is set to yes, then any TLS connection on this interface only processes one request. Once the request is complete, the connection is closed and the TLS session is destroyed. This forces a full TLS session renegotiation on every connection. This is an expensive way of using TLS, so this option should only be enabled if absolutely necessary. Typically, it could be enabled on the interface that the secondary-port refers to, so that TLS on that interface always requests a certificate from the client (browser).
- If
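The following checker is an added example, not part of this documentation or of WebSEAL: it reads the stanzas shown above, computes the %SECONDARY_BASE% value by the rule given for secondary-port, and reports when a prompt_as_needed setup is missing the secondary-port, the [server] cache-host-header = yes note, or a listener on that port with accept-client-certs=required. The sample configuration is constructed from the example above with cache-host-header added.

```python
import configparser

# Constructed sample: the page's example stanzas plus the cache-host-header the note requires.
SAMPLE_CONF = """[server]
https = yes
https-port = 443
network-interface = 172.16.99.10
cache-host-header = yes
[certificate]
accept-client-certs = prompt_as_needed
secondary-port = 444
[interfaces]
interface1 = network-interface=172.16.99.10;https-port=444;certificate-label=WebSEAL-Test-Only;accept-client-certs=required;always-neg-tls=yes;use-secondary-listener=yes
"""

def load(text):
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(text)
    return conf

def parse_interface(spec):
    """Split an [interfaces] value 'k=v;k=v;...' into a dict."""
    return dict(item.split("=", 1) for item in spec.split(";") if item)

def secondary_base(text):
    """%SECONDARY_BASE% as defined above: empty when secondary-port is 0 or unset,
    otherwise HTTPS://%HOSTNAME%:<secondary-port>."""
    port = load(text).get("certificate", "secondary-port", fallback="0").strip()
    return "" if port in ("", "0") else f"HTTPS://%HOSTNAME%:{port}"

def check_prompt_as_needed(text):
    """Return findings (an empty list means consistent) for a prompt_as_needed setup."""
    conf = load(text)
    if conf.get("certificate", "accept-client-certs", fallback="") != "prompt_as_needed":
        return []  # the checks below only apply to delayed certificate authentication
    port = conf.get("certificate", "secondary-port", fallback="0").strip()
    if port in ("", "0"):
        return ["secondary-port is unset: prompt_as_needed does not work with all browsers"]
    findings = []
    if conf.get("server", "cache-host-header", fallback="no") != "yes":
        findings.append("[server] cache-host-header must be yes for the post-login redirect")
    listeners = [parse_interface(v) for _, v in conf.items("interfaces")]
    on_port = [i for i in listeners if i.get("https-port") == port]
    if not on_port:
        findings.append(f"no [interfaces] entry listens on secondary-port {port}")
    for iface in on_port:  # every listener on the secondary port must demand a certificate
        if iface.get("accept-client-certs") != "required":
            findings.append(f"interface on port {port} must set accept-client-certs=required")
    return findings
```

Run it against a real webseald.conf by reading the file into a string and calling check_prompt_as_needed on it.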