Configuring Mutual Authentication
Novell Cool Solutions: Tip
Updated: 22 Jan 2002
Version: iChain 2.0
Step 1: Verify date/time settings
Step 2: Create a Certificate Signing Request (CSR)
Step 3: Create a Trusted Root or "Self Signed" Certificate
Step 4: Create the Mutual Authentication Profile
Step 5: Create the Accelerator
Step 6: Create User Certificate to Import into Internet Explorer
Step 7: Export the User's Private Key
Step 8: Import the Private Key into Internet Explorer
Step 9: Troubleshooting
Verify date/time settings
Check the date and time on the iChain server and on the Certificate Server that will sign the request. If they are not the same (or very close), the certificate may not validate: a certificate whose validity period starts later than the verifying machine's clock is treated as not yet valid.
Create a Certificate Signing Request (CSR)
Using the iChain Web Management utility, create a certificate from the Certificate Maintenance tab on the Home page. Accept the defaults and give the certificate a name you will remember. For the Subject name, enter the DNS name of the reverse accelerator exactly; the browser compares the two, so this prevents certificate name check errors later. Choose an External certificate authority. Fill in the Organization, City/town, State/province and Country fields. Click OK, then Apply.
This creates a CSR, and the Status reads "CSR in progress". Use the View CSR button to display the CSR in a browser window, then choose File > Save As and name the file CSR.B64 so that you can keep track of it.
Signing the CSR
Use ConsoleOne to go to your authentication tree and log in as admin. Highlight the tree, open the Tools menu and select Issue Certificate. Browse to your CSR file (CSR.B64) and add it to the window. Click Next. Choose the Organizational CA and click Next. Leave the type as Unspecified and click Next. Make sure the subject name is the DNS name of your accelerator (the name entered in Step 2). Set the validity period to 2 years (or whatever period you choose). Click Next, then Finish.
Choose the Base64 format and save the certificate as SERVER.B64.
Create a Trusted Root or "Self Signed" Certificate
Now go to your Organizational CA object (in the Security container of your authentication tree). Click the Certificates tab and make sure you are on the Self Signed Certificate page of that tab. Click Export and export it in Base64 format. Save it to your hard drive as CA-SelfSignedCert.B64 (or keep the default filename).
Import Trusted Root/Signed Certificate into the Server Certificate
Switch back to the iChain Web Management tool. Select the Certificate Maintenance tab on the Home page. Select the certificate that you created before. Click the Store Certificate button at the bottom.
You should see two fields: one for the CA certificate contents and one for the server certificate contents. The text of CA-SelfSignedCert.B64 goes in the CA field; the text of SERVER.B64 goes in the Server field. Use WordPad to open, copy and paste the text. Notepad shows the line endings in these files as box characters rather than line breaks, and text pasted with those characters in it is not accepted as a valid certificate.
Click Create. If everything goes as expected, click the Apply button in the iChain Web Management tool.
Create the Mutual Authentication Profile
You are now ready to setup your accelerator for mutual authentication with your Authentication tree (LDAP Tree).
Go to the Configure page, Authentication tab. Click Insert. Name the profile (for example, Mutual) and choose the Background SSL Mutual Authentication radio button. Click OK. There is nothing else to configure.
Create the Accelerator
Now choose the Web Server Accelerator tab. Create a new accelerator the way you would create any accelerator. Set the IP addresses, DNS names (these must match the Subject name from Step 2), and so on. Check the Enable authentication box, then click the Authentication Options button. Select the Mutual profile and add it to the Service Profiles side. Click OK.
You do not need to enable Secure Exchange, but you must use an SSL listening port that is unique for that IP address, and you must select the name of the certificate you created from the drop-down box. Click OK.
Prepare ConsoleOne and the workstation
See TID 10065296 before proceeding. You must use NICI Client 2.0.2 for Windows and the Novell Certificate Server v2.0 snap-in, version 2.21 or later, for ConsoleOne to create the user certificates.
The correct files are on the Client CD shipped with iChain 2.0, or can be downloaded from www.novell.com/download. If installing from the CD, install NICI Client 2.0.2 for Windows, ConsoleOne and the NetWare 6 ConsoleOne snap-ins.
Create User Certificate to Import into Internet Explorer
Log in to the authentication tree as Administrator. Select the user object that you want to authenticate with a certificate, open its properties and go to the Security > Certificates tab. Click Create. Name the certificate (the user's CN is a good choice) and choose the Custom creation method. Choose the Organizational CA as the signing authority and click Next. Leave the certificate's usage as Unspecified and pick the key size (the tip recommends 1024 bits, which was adequate for 128-bit SSL in 2002; 1024-bit RSA and SHA-1 signatures are both considered too weak for new deployments today). Make sure the Allow private key to be used for authentication box is checked, then click Next. Enter an e-mail address, check that the validity period is acceptable and that the signature algorithm is RSA with SHA-1 hash, then click Next and Finish.
Export the User's Private Key
Log out of the authentication tree and log back in as the user to whom you just issued the certificate. Browse to the user object again, open its properties and go to the Security > Certificates tab. Click Export. Make sure the private key is exported with the certificate and that the Include all certificates in the certification path box is checked. Set a file name and a password to protect the private key. Click Next, then Finish. Save the .PFX file so that it can be imported into the browser. Because this file contains the user's private key, protect it with a strong password and delete it once it has been imported.
Import the Private Key into Internet Explorer
Launch IE and choose File > Open. Browse to the .PFX file you just exported and saved, click Open and then OK. Click Next to start the Certificate Import Wizard, and Next again to import the selected file. The next screen prompts for the password that was set when the user certificate was exported. Click Next. The next screen asks where to store the certificate; accept the default, which selects the store automatically. Click Next, then Finish, and Yes to add the certificate.
Troubleshooting
- You cannot see the certificate to select when configuring the accelerator.
There are frequently problems when copying and pasting the certificate text file. Open the file in Notepad and make sure there are no "box" characters in the text. They may appear at the very end of the text, or the entire text may appear to be only one or two lines with every line ending shown as a box character. Delete them and try again. The certificates need to be in the following format (shown here for the CSR; the CA and server certificates use -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in the same way, and every marker needs exactly five dashes on each side):
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBlTCB/wIBADBWMRowGAYDVQQDExFwb3J0YWwuaWNoYWluLmNvb
TEOMAwGA1UEChMFZjNsYWIxDjAMBgNVBAcTBXByb3ZvMQswCQYDVQ
QIEwJ1dDELMAkGA1UEBhMCdXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0
AMIGJAoGBAMXsOHVWcrdPluAmvV9d9V04VFR3bqsCtrX/nO9jxM6O
xjBdVh/dDxqrNcY6aRDqrSnX2mhKy7P47gxPWyYdsjdykthBFTtl
Msq/txbaPce95PE5YXhxXKijCTM2XXtLi37dmX3M4Li7bblJ1y1F3v
Lg6tR+3B1ZlnjIKQdFfOB7AgMBAAGgADANBgkqhkiG9w0BAQUFAAOB
gQAMJ77ynzRotagNH9aX1t7BpmpDxacdcOUvk+LHp800qH2XrXXiP6
P76iEV0H+/RU8UQ8LWLeFgnq1mnKKDCv0wZm/ya5EkyvJ80btCoaTP
yLbaXOxGAIHz8Cv7jrdaLkrQaqQfk92hwPl9vlUZc44CBZFIls62RO
9/vS9Dd7Q80A==
-----END NEW CERTIFICATE REQUEST-----
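The checks behind that advice, as an added example that is not part of the original tip: a small Python script that takes a badly pasted PEM block, strips stray line-ending and box characters, verifies that the base64 payload decodes to exactly the length its DER header declares (so a truncated paste is caught before iChain rejects it), rewrites the block in canonical 64-column form, and reads the Subject out of the CSR so the CN can be compared with the accelerator DNS name required in Step 2. The sample input is the CSR above as it looks after a bad paste; its CN, portal.ichain.com, is assumed here to be the accelerator DNS name. Only the Python standard library is used.

```python
"""Check a pasted PEM block before storing it in iChain (added example, not from the tip).

Repairs the paste damage described in the troubleshooting section (base64 run onto one
line, bare or missing line endings, box characters, short dash runs on a marker), checks
the payload against its DER length header, and reads the Subject out of a PKCS#10 CSR so
the CN can be compared with the accelerator DNS name required in Step 2.
"""
import base64
import re

# Constructed sample: the CSR from the troubleshooting section as it looks after a bad
# paste (chunks separated by spaces, END marker with three dashes). Its CN,
# portal.ichain.com, is taken as the assumed accelerator DNS name.
PASTED_CSR = (
    "-----BEGIN NEW CERTIFICATE REQUEST----- "
    "MIIBlTCB/wIBADBWMRowGAYDVQQDExFwb3J0YWwuaWNoYWluLmNvb "
    "TEOMAwGA1UEChMFZjNsYWIxDjAMBgNVBAcTBXByb3ZvMQswCQYDVQ "
    "QIEwJ1dDELMAkGA1UEBhMCdXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0 "
    "AMIGJAoGBAMXsOHVWcrdPluAmvV9d9V04VFR3bqsCtrX/nO9jxM6O "
    "xjBdVh/dDxqrNcY6aRDqrSnX2mhKy7P47gxPWyYdsjdykthBFTtl "
    "Msq/txbaPce95PE5YXhxXKijCTM2XXtLi37dmX3M4Li7bblJ1y1F3v "
    "Lg6tR+3B1ZlnjIKQdFfOB7AgMBAAGgADANBgkqhkiG9w0BAQUFAAOB "
    "gQAMJ77ynzRotagNH9aX1t7BpmpDxacdcOUvk+LHp800qH2XrXXiP6 "
    "P76iEV0H+/RU8UQ8LWLeFgnq1mnKKDCv0wZm/ya5EkyvJ80btCoaTP "
    "yLbaXOxGAIHz8Cv7jrdaLkrQaqQfk92hwPl9vlUZc44CBZFIls62RO "
    "9/vS9Dd7Q80A==\n"
    "---END NEW CERTIFICATE REQUEST---"
)

PEM_RE = re.compile(
    r"(?P<d1>-+)BEGIN (?P<label>[A-Z0-9 ]+?)(?P<d2>-+)(?P<body>.*?)"
    r"(?P<d3>-+)END (?P<elabel>[A-Z0-9 ]+?)(?P<d4>-+)", re.S)
# Control characters and U+FFFD: what line endings become once an editor has shown them
# as boxes and the text has been copied back out.
BOX_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\ufffd]")
NOT_B64_RE = re.compile(r"[^A-Za-z0-9+/=]")
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def normalize_pem(text):
    """Return (canonical_pem, problems) for the first PEM block found in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END markers found")
    problems = []
    for grp, which in (("d1", "BEGIN"), ("d2", "BEGIN"), ("d3", "END"), ("d4", "END")):
        if len(m.group(grp)) != 5:
            problems.append(f"{which} marker has {len(m.group(grp))} dashes, expected 5")
    label, elabel = m.group("label").strip(), m.group("elabel").strip()
    if label != elabel:
        problems.append(f"BEGIN label {label!r} does not match END label {elabel!r}")
    raw = m.group("body")
    if BOX_RE.search(raw):
        problems.append(f"{len(BOX_RE.findall(raw))} box/control characters removed from body")
    body = re.sub(r"\s+", "", BOX_RE.sub("", raw))       # every CR, LF, tab or space goes
    if NOT_B64_RE.search(body):
        problems.append(f"non-base64 characters removed: {sorted(set(NOT_B64_RE.findall(body)))}")
        body = NOT_B64_RE.sub("", body)
    der = base64.b64decode(body, validate=True)          # raises on bad length or padding
    if len(der) < 2:
        raise ValueError("empty payload")
    tag, _, declared_end = read_tlv(der, 0)
    if tag != 0x30:
        problems.append("payload does not start with a DER SEQUENCE")
    elif declared_end != len(der):                       # truncated or mangled paste
        problems.append(f"DER header declares {declared_end} bytes, payload has {len(der)}")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n", problems

def csr_subject(pem_text):
    """Return the Subject of a PKCS#10 CSR as a dict such as {"CN": "portal.ichain.com", ...}."""
    der = base64.b64decode("".join(pem_text.strip().splitlines()[1:-1]))
    _, csr, _ = read_tlv(der, 0)             # CertificationRequest
    _, cri, _ = read_tlv(csr, 0)             # CertificationRequestInfo
    _, _version, pos = read_tlv(cri, 0)      # INTEGER version
    _, name, _ = read_tlv(cri, pos)          # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }
    subject, pos = {}, 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid, vpos = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, vpos)
        subject[OID_NAMES.get(bytes(oid), oid.hex())] = value.decode("utf-8")
    return subject

def csr_matches_accelerator(pem_text, dns_name):
    """Step 2 check: the CSR's CN must equal the accelerator's DNS name (case-insensitive)."""
    return csr_subject(pem_text).get("CN", "").lower() == dns_name.lower()
```

Running normalize_pem(PASTED_CSR) reports the two short END marker dash runs and returns the block rewrapped at 64 columns with five-dash markers; feeding that output back in returns an empty problem list, and dropping a body line is reported as a DER length mismatch rather than silently producing a shorter payload. The same normalize_pem() call applies to the CA and server certificates (BEGIN CERTIFICATE blocks); csr_subject() is specific to PKCS#10 requests.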
- There is no prompt to select a certificate when you connect to the accelerator.
View the user certificate you imported into Internet Explorer and the Organizational CA certificate, and verify that the user certificate's Issuer matches the CA certificate's Subject (Tools > Internet Options > Content > Certificates > highlight the certificate > View > Details tab).
- Turn on advanced troubleshooting error messages by adding the following to PROXY.CFG on the iChain box:
Then restart the server. The browser should then receive more meaningful error messages. Do not leave this turned on; doing so gives attackers an advantage.
**Don't forget to configure your ISO object and your ACL rules so that the user you are letting into the web site can actually get in.
For more information see TID 10066648
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com