Configuring runtime security services for client certificate authentication

Configure the runtime security services so that WebSEAL (or the Web Reverse Proxy) authenticates to Advanced Access Control with a client certificate instead of a user name and password.

About this task

Before selecting the client certificate authentication option provided in the isamcfg tool, you must perform the following general steps for the client certificate:
  1. Generate a certificate that represents the user who will be authenticating from WebSEAL, or the Web Reverse Proxy, to Advanced Access Control. For example, use easuser.
  2. Import that certificate into the WebSEAL or Web Reverse Proxy key database as a personal certificate.
  3. Import the signer of this certificate as a trusted certificate in the Advanced Access Control keystore.
  4. Set Accept Client Certificates to True on the appliance.

Procedure

  1. Create a client certificate with the label easusercert for the user easuser.
    1. In the local management interface, go to System > Secure Settings > SSL Certificates.
    2. Select the pdsrv certificate database.
    3. Click Manage > Edit SSL Certificate Database.
    4. Click Personal Certificates.
    5. Click New to create a new personal certificate.
    6. Provide the following information:
      • Certificate Label: easusercert
      • Certificate Distinguished Name: cn=easuser
      • Key Size: 2048
      • Expiration Time (in days): 365
    7. Click Save.
  2. Deploy pending changes. See Deploying pending changes.
  3. Restart your reverse proxy instances.
  4. Export the client certificate.
    1. Select the pdsrv certificate database.
    2. Click Manage > Edit SSL Certificate Database.
    3. Click Personal Certificates.
    4. Select the easusercert certificate you created.
    5. Click Manage > Export.
    6. Save the file.
  5. Import the exported personal certificate as a signer certificate on the appliance. The Advanced Access Control runtime must trust the signer of the client certificate. Because easusercert is self-signed, it is its own signer, so importing the exported easusercert certificate into the rt_profiles_keys keystore as a signer certificate establishes that trust. If you use a CA-issued certificate instead, import the CA certificate here rather than the personal certificate.
    1. Click System > Secure Settings > SSL Certificates.
    2. Select the rt_profiles_keys certificate database.
    3. Click Manage > Edit SSL Certificate Database.
    4. Click Signer Certificates.
    5. Click Manage > Import.
    6. Click Browse.
    7. Browse to the directory that contains the file to be imported and select the file. Click Open.
    8. Click Import. A message that indicates successful import is displayed.
  6. Deploy pending changes. See Deploying pending changes.
  7. Configure the appliance for client certificate authentication.
    1. In the local management interface, go to AAC > Global Settings > Runtime Parameters.
    2. Select Accept Client Certificates.
    3. Click Edit and set the value as True.
  8. Restart the runtime.
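
The trust relationship that steps 1, 4 and 5 set up can be reproduced and checked outside the appliance with openssl. The following script is an added example, not part of the IBM documentation or the appliance: it generates an equivalent self-signed certificate for cn=easuser (2048-bit key, 365 days), confirms that the certificate is self-signed, shows that it verifies only when the certificate itself is the trust anchor (which is what importing it into rt_profiles_keys as a signer gives the runtime), and shows that verification fails when that signer is absent. The file names and working directory are this example's own choice; it assumes openssl is on PATH and that the appliance exports the personal certificate in PEM format.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): reproduce the
# easusercert trust relationship with openssl. Assumes openssl on PATH.
# easuser / easusercert match the procedure; WORK and the file names are
# this example's own choice.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Step 1 equivalent: self-signed 2048-bit certificate for cn=easuser,
# valid 365 days. On the appliance the LMI does this in pdsrv.
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=easuser" \
    -keyout "$WORK/easusercert.key" -out "$WORK/easusercert.pem" \
    >/dev/null 2>&1
}

# Step 5 precondition: the exported certificate is only usable as its own
# signer if subject and issuer are identical. Otherwise the issuing CA
# certificate, not the personal certificate, must be imported.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Step 5 effect: with easusercert present as a trusted signer ($1), the
# client certificate ($2) chains and verifies.
verify_against_signer() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Failure mode when step 5 is skipped: a trust store that holds some other
# certificate but not easusercert rejects the client certificate.
# Returns 0 only when verification is refused.
fails_without_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
  ! openssl verify -CAfile "$WORK/other.pem" "$1" >/dev/null 2>&1
}

make_client_cert
is_self_signed "$WORK/easusercert.pem"
verify_against_signer "$WORK/easusercert.pem" "$WORK/easusercert.pem"
fails_without_signer "$WORK/easusercert.pem"
echo "easusercert is self-signed and is trusted only when it is itself in the signer store"
```

Run the same `openssl x509 -noout -subject -issuer` check on the certificate exported in step 4 before importing it in step 5: if the issuer differs from cn=easuser, the certificate was issued by a CA and that CA's certificate is what belongs in rt_profiles_keys.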

What to do next

Run the isamcfg tool. Ensure that you respond to the following isamcfg prompts appropriately:
  • When answering the question Select the method for authentication between WebSEAL and the Advanced Access Control runtime listening interface in the isamcfg tool, select Certificate Authentication.
  • When prompted to enter the Advanced Access Control runtime listening interface SSL keyfile label, enter the label of the certificate that represents the user who will be authenticating from WebSEAL or Web Reverse Proxy to Advanced Access Control (easusercert in this procedure).
For more information, see isamcfg Verify Identity Access appliance configuration worksheet.