NAM 3.1 x509 Mutual SSL Authentication
I have a working SSL secured reverse proxy for an application. The application uses its own internal user/password authentication and I do not want to change this. However, I would like to add an additional authentication requirement for access from the internet. Initially, I thought a client x509 certificate would be easy. I think the basic requirements are described in the NAM documentation for "Mutual SSL Authentication":
1. Set up Access Manager certificates for security, and import them into the Access Manager system. (See Section 24.1)
2. Create an X.509 authentication class. (Section 8.2.3)
3. Create an authentication method using this class. (Section 8.3)
4. Create an authentication contract using the X.509 method. (Section 8.4)
5. Update any associated Access Gateways to read the new authentication contract. (Section 13.4)
6. Update the Identity Server cluster configuration. (See Section 3.2.1)
Unfortunately, none of the described tasks give any further details, just basic feature descriptions. So I have:
1. Created a NAM CA issued cert w/ critical key usage "Encrypt data directly" and "Non-repudiation". Exported public and private keys to .PFX file then imported to my workstation's browser.
2. Create an X.509 authentication class w/ Attribute Mappings for "Subject name" and "Serial number and issuer name" populated from the NAM CA issued cert values.
3. Create an authentication method using the X.509 class. Checked "Identifies User". User store is "local" (NAM) and no additional Properties.
4. Create an authentication contract using the X.509 method. The URI is secure/x509/uri (?!). Created an "Authentication Card" using image X509.
5. Unsure how to update any associated Access Gateways to read the new authentication contract. I did add a Policy "Access Gateway: Authorization" to site's Access Gateway Reverse Proxy/Authentication service. Here is the logic:
Conditions
Condition structure:
Condition Group 1
Credential Profile: X509 Serial Number
Comparison: String: Equals
Regular Expression: Matches
Mode: Case Insensitive
Value: Data Entry
Data Entry Field: (NAM CA issued cert Serial Number, ex. E3:3C:06:46:83:2E:63:9D:97:02:02:33:DF:F4:AB:42:52:15:62:8A:02:1C:11:FF:A4:2D:55:AE:94:A3:55:08:85:F3:C0:98)
Result on Condition Error: False
Actions
Do: Permit
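The Authorization policy above compares only the X509 Serial Number. As an added illustration (not code from the post or from NetIQ), the following models that condition in plain Python and shows why the match should also be pinned to the issuer: a serial is only unique per issuing CA, so a second CA the gateway trusts could issue a certificate carrying the same serial. The issuer DNs are hypothetical placeholders.

```python
# Added example, not part of the original post: models the NAM policy condition
# in plain Python to show the difference between serial-only and serial+issuer matching.
import re
from dataclasses import dataclass


def normalise_serial(serial) -> str:
    """Return a serial as uppercase colon-separated hex, the form NAM displays.

    Accepts an int (as certificate libraries return it), a bare hex string as
    printed by `openssl x509 -noout -serial` ("E33C06..."), or a colon-separated
    string with stray whitespace (e.g. pasted from a UI).
    """
    if isinstance(serial, int):
        hexstr = format(serial, "X")
    else:
        hexstr = re.sub(r"[^0-9A-Fa-f]", "", serial).upper()
    if len(hexstr) % 2:  # DER serials are whole bytes; left-pad an odd nibble
        hexstr = "0" + hexstr
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


@dataclass(frozen=True)
class ClientCert:   # the two fields the policy can see via the X509 credential profile
    serial: str     # colon-hex, as entered in the policy "Data Entry" field
    issuer: str     # issuer DN string


def serial_only_permit(cert: ClientCert, expected_serial: str) -> bool:
    """The policy as posted: String Equals, Case Insensitive, on the serial only."""
    return normalise_serial(cert.serial) == normalise_serial(expected_serial)


def serial_and_issuer_permit(cert: ClientCert, expected_serial: str, expected_issuer: str) -> bool:
    """Same comparison, additionally pinned to the issuing CA: RFC 5280 only
    guarantees serial uniqueness per issuer, so (issuer, serial) identifies a cert."""
    return (serial_only_permit(cert, expected_serial)
            and cert.issuer.casefold() == expected_issuer.casefold())


# Constructed sample data: the serial from the post, issued by two different CAs.
POLICY_SERIAL = ("e3:3c:06:46:83:2e:63:9d:97:02:02:33:df:f4:ab:42:52:15:62:8a:"
                 "02:1c:11:ff:a4:2d:55:ae:94:a3:55:08:85:f3:c0:98")
NAM_CA = "O=example, OU=accessManager, CN=configCA"       # hypothetical NAM CA DN
OTHER_CA = "O=Example Corp, CN=Some Other Trusted CA"     # hypothetical second trusted CA

intended = ClientCert(POLICY_SERIAL.upper(), NAM_CA)
lookalike = ClientCert(POLICY_SERIAL.upper(), OTHER_CA)   # same serial, different issuer
```

Running the two checks against `intended` and `lookalike` shows the serial-only rule permits both, while the issuer-pinned rule permits only the NAM-issued certificate.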