
Configuring Mutual Authentication Using Third-Party Certificates

Novell Cool Solutions: Feature


Posted: 19 Feb 2004

TID10090790

When configuring SSL Certificate Mutual Authentication, the client certificate must be issued by the same CA that issued the server certificate. If it is not, mutual authentication will not work. Check this before you begin.

Configuring mutual authentication with a third-party CA such as Verisign or Thawte differs slightly from using Novell's CA. If you want to use Novell's CA, see TID10066648. The steps in that TID are almost identical to those in this document, but there are some differences; pay special attention to "Signing the CSR" and "Obtaining a Client Certificate from Verisign."

steps
  1. Verify date/time settings

    Check the date/time settings on iChain and on the certificate server that will sign the request. If they are not the same (or very close), the certificate may not work.

  2. Create a Certificate Signing Request (CSR)

    Using the iChain Web Management utility, create a certificate from the Certificate Maintenance tab on the home page. When creating it, choose the defaults and name it something you will remember. For the Subject name, make sure it matches the DNS name of the reverse accelerator; this prevents errors from the certificate name check. Use an External certificate authority. Fill in the Organization, City/town, State/province and Country fields. Click OK and Apply.

    This creates a CSR. Use the View CSR button to view the CSR in a browser window; the Status reads "CSR in progress" at this point. Click File > Save As and name the file CSR.B64 so that you can keep track of it.

  3. Signing the CSR

    Now that you have generated the CSR from the iChain proxy, you need to have it signed by Verisign. Visit http://www.verisign.com to choose your SSL certificate product and follow the online instructions for getting your CSR signed. Once it is signed, Verisign emails you the server certificate and a link to download its trusted root certificate. You need both to complete the certificate creation you started in the iChain Web Management tool.

    With the trusted root certificate and server certificate from Verisign in hand, switch back to the iChain Web Management tool. Select the Certificate Maintenance tab on the Home page, select the certificate you created earlier, and click the Store Certificate button at the bottom.

    You should see two fields, one for the CA Certificate Contents and one for the Server Certificate Contents. The text of the trusted root certificate you received from Verisign goes into the CA field; the text of the server certificate goes into the Server field. Use WordPad to open, copy and paste the text. Notepad tends to show box characters in place of the line breaks, and a certificate pasted that way will not be valid.

    Click Create. Once it succeeds, click the Apply button in the iChain Web Management tool.

  4. Create the Mutual Authentication Profile

    You are now ready to set up your accelerator for mutual authentication against your authentication tree (LDAP tree).

    Go to the Configure page, Authentication tab. Click Insert. Name the profile (for example, MUTUAL) and choose the "SSL Certificate Mutual Authentication" radio button. Click OK. There is nothing else to configure.

  5. Create the Accelerator

    Now choose the Web Server Accelerator tab. Create a new accelerator the way you would create any accelerator: set the IP addresses, DNS names (which must match the subject name from step 2), and so on. Check the Enable Authentication box. Click the Authentication Options button, select the Mutual profile and add it to the Service Profiles side. Click OK.

    You do not need to enable Secure Exchange, but you do need to listen on an SSL port that is unique for that IP address, and you must choose the name of the certificate you created in the drop-down box. Click OK.

  6. Obtaining a Client Certificate from Verisign

    As noted at the beginning, mutual authentication requires a client certificate as well as a server certificate. The instructions above covered the server certificate; you must now obtain a client certificate from Verisign as well. Visit http://www.verisign.com/products/site/faq/sales.html to obtain one. Verisign sends back a client certificate in PKCS #7 format, which is installed into Internet Explorer. Note that a PKCS #7 file carries certificates only, not a private key, so it must be imported into the same browser that generated the enrollment request.

  7. Import the Client Certificate into Internet Explorer

    Launch IE and go to File > Open. Browse to the user's certificate file that you just received from Verisign (the PKCS #7 file). Click Open and OK. Click Next to continue importing the certificate, and Next again to import the selected file. The next screen prompts for the password that was used when the user certificate was exported (if one was used). Click Next. The next screen asks where to store the certificate; choose the default, which selects the store automatically. Click Next, then Finish, and Yes to add the certificate.

troubleshooting information:
  1. Can't see the certificate to select when configuring the accelerator.

    Problems frequently arise when copying and pasting the certificate text. Open the file in Notepad and make sure there are no "box" characters in the text. They may appear at the very end, or the entire text may appear as only one or two lines because every line break shows up as a box character. Delete them and try again. The text must be in the following PEM layout (the sample below is a CSR; a certificate uses BEGIN CERTIFICATE and END CERTIFICATE lines in the same way):

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIBlTCB/wIBADBWMRowGAYDVQQDExFwb3J0YWwuaWNoYWluLmNvbTEOMAwGA1UE
    ChMFZjNsYWIxDjAMBgNVBAcTBXByb3ZvMQswCQYDVQQIEwJ1dDELMAkGA1UEBhMC
    dXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXsOHVWcrdPluAmvV9d9V04
    VFR3bqsCtrX/nO9jxM6OxjBdVh/dDxqrNcY6aRDqrSnX2mhKy7P47gxPWyYdsjdy
    kthBFTtlMsq/txbaPce95PE5YXhxXKijCTM2XXtLi37dmX3M4Li7bblJ1y1F3vLg
    6tR+3B1ZlnjIKQdFfOB7AgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAMJ77ynzRo
    tagNH9aX1t7BpmpDxacdcOUvk+LHp800qH2XrXXiP6P76iEV0H+/RU8UQ8LWLeFg
    nq1mnKKDCv0wZm/ya5EkyvJ80btCoaTPyLbaXOxGAIHz8Cv7jrdaLkrQaqQfk92h
    wPl9vlUZc44CBZFIls62RO9/vS9Dd7Q80A==
    -----END NEW CERTIFICATE REQUEST-----


  2. There is no prompt to select a certificate when you connect to the accelerator. View the user certificate you imported into Internet Explorer and the Organization CA, and verify that the Issuer name matches (Tools > Internet Options > Content > Certificates, highlight the certificate, View, Details tab).


  3. Turn on advanced troubleshooting error messages by adding the following to PROXY.CFG on the iChain box:

    [Mutual Authentication]
    SendErrorPageWhenMutualFails=1

    Then restart the server. The browser then receives more meaningful error messages. Do not leave this turned on: the detailed messages would give an attacker the same advantage.

    **Don't forget to configure your ISO object and your ACL rules to allow the user into the protected resource.
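The following shell script is an added example (not part of this TID or of iChain) that uses openssl to perform, on the command line, the checks the steps and troubleshooting items above rely on: a hygiene check for pasted PEM text (item 1), extraction of a CSR's subject CN so it can be compared with the accelerator's DNS name (step 2), and the issuer-match precondition stated at the top of this document (item 2). A throwaway "lab" CA stands in for Verisign; the CSR is the one shown in item 1, and every other name (the lab and "other" CAs, the f3lab organization, the user-good/user-bad clients, all file names) is invented for the example.

```shell
#!/bin/sh
# Added example, not part of the TID or of iChain: openssl stand-ins for the
# checks the procedure above relies on. A throwaway "lab" CA plays Verisign;
# all file, CA and user names below are invented for the example.
set -eu

# The CSR shown in troubleshooting item 1, reused here as sample input.
ICHAIN_CSR='-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBlTCB/wIBADBWMRowGAYDVQQDExFwb3J0YWwuaWNoYWluLmNvbTEOMAwGA1UE
ChMFZjNsYWIxDjAMBgNVBAcTBXByb3ZvMQswCQYDVQQIEwJ1dDELMAkGA1UEBhMC
dXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXsOHVWcrdPluAmvV9d9V04
VFR3bqsCtrX/nO9jxM6OxjBdVh/dDxqrNcY6aRDqrSnX2mhKy7P47gxPWyYdsjdy
kthBFTtlMsq/txbaPce95PE5YXhxXKijCTM2XXtLi37dmX3M4Li7bblJ1y1F3vLg
6tR+3B1ZlnjIKQdFfOB7AgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAMJ77ynzRo
tagNH9aX1t7BpmpDxacdcOUvk+LHp800qH2XrXXiP6P76iEV0H+/RU8UQ8LWLeFg
nq1mnKKDCv0wZm/ya5EkyvJ80btCoaTPyLbaXOxGAIHz8Cv7jrdaLkrQaqQfk92h
wPl9vlUZc44CBZFIls62RO9/vS9Dd7Q80A==
-----END NEW CERTIFICATE REQUEST-----'

# --- troubleshooting item 1: is the pasted PEM text clean? -------------------
# Returns 0 for one PEM block of printable ASCII. Carriage returns, "box"
# characters and other control bytes (the usual paste damage) fail the check.
pem_is_clean() {
    f=$1
    LC_ALL=C grep -q '[^ -~]' "$f" && return 1
    grep -v '^$' "$f" | head -n 1 | grep -q '^-----BEGIN ' || return 1
    grep -v '^$' "$f" | tail -n 1 | grep -q '^-----END ' || return 1
    grep -v '^$' "$f" | sed '1d;$d' | grep -qv '^[A-Za-z0-9+/=]\{1,64\}$' && return 1
    return 0
}

# Strip carriage returns so a Windows-edited file can be re-checked.
pem_normalize() { tr -d '\r' < "$1" > "$2"; }

# --- step 2: the CSR subject CN must equal the accelerator's DNS name --------
csr_cn() {
    openssl req -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# --- steps 3 and 6 in a lab: issue server and client certificates -----------
# Sign $3.csr with the $2 CA in directory $1, producing $3.pem.
issue() {
    openssl x509 -req -days 30 -in "$1/$3.csr" -CA "$1/$2-ca.pem" \
        -CAkey "$1/$2-ca.key" -CAcreateserial -out "$1/$3.pem" >/dev/null 2>&1
}

make_lab_pki() {
    d=$1; host=$2
    # two self-signed roots: "lab" stands in for Verisign, "other" is unrelated
    for ca in lab other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" \
            -subj "/O=$ca/CN=$ca root CA" >/dev/null 2>&1
    done
    # server CSR whose CN is the reverse accelerator's DNS name
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=$host/O=f3lab/L=provo/ST=ut/C=us" >/dev/null 2>&1
    issue "$d" lab server
    # two client CSRs: "good" is signed by the server's CA, "bad" by the other
    for u in good bad; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$u.key" \
            -out "$d/$u.csr" -subj "/CN=user-$u/O=f3lab" >/dev/null 2>&1
    done
    issue "$d" lab good
    issue "$d" other bad
}

# --- the precondition at the top and troubleshooting item 2 ------------------
cert_field() {   # $1 = subject|issuer, $2 = certificate file
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Client cert $1 can authenticate behind server cert $2 only if both were
# issued by CA $3. Returns 0 on match (the Issuer-name check of item 2).
same_ca() {
    [ "$(cert_field issuer "$1")" = "$(cert_field issuer "$2")" ] &&
    [ "$(cert_field issuer "$1")" = "$(cert_field subject "$3")" ]
}

# Full chain validation, the stricter form of the same test.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# --- demo ------------------------------------------------------------------
lab=$(mktemp -d)
printf '%s\n' "$ICHAIN_CSR" > "$lab/ichain.csr"
pem_is_clean "$lab/ichain.csr" && echo "iChain CSR text is clean"
echo "iChain CSR subject CN: $(csr_cn "$lab/ichain.csr")"
make_lab_pki "$lab" portal.ichain.com
for u in good bad; do
    if same_ca "$lab/$u.pem" "$lab/server.pem" "$lab/lab-ca.pem"; then r=match; else r=MISMATCH; fi
    if chain_ok "$lab/lab-ca.pem" "$lab/$u.pem"; then c=verifies; else c="does not verify"; fi
    echo "client $u: issuer '$(cert_field issuer "$lab/$u.pem")' $r, chain $c"
done
rm -rf "$lab"
```

Run it as-is to see the "good" client match and the "bad" client (issued by an unrelated CA) mismatch; to check a real deployment, point csr_cn at the CSR.B64 you saved in step 2, and same_ca at the user's exported certificate, the stored server certificate and the Verisign root. The name comparison is the exact check item 2 describes; chain_ok adds signature and validity checking on top of it.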
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell