Setting Up Mutual SSL

To review the basics of SSL, see Web Security and Commerce by Simson Garfinkel and Gene Spafford.

SSL provides:

Mutual SSL provides the same things as SSL, with the addition of authentication and nonrepudiation of the client, using digital signatures.


Mutual SSL Configuration

There are many different certificate authority vendors and varying methods to configure Mutual SSL. Although it is not possible to cover all the possibilities, the following is an example using the Novell Certificate Authority of the LDAP servers:


iChain Server Certificate Setup --- Certificate Signing Request

  1. In the browser-based management tool, click Home > Certificate Maintenance > Create.

  2. Enter an appropriate name for the certificate and subject name.

  3. Click the Signature Algorithm drop-down list > select the algorithm you want to use (SHA-1 or MD-5).

  4. Click the RSA Key Size drop-down list > select the RSA key size that you want to use.

    You cannot select a key size larger than the maximum key size on the appliance.

  5. Click Use External Certificate Authority.

  6. If desired, enter a name for your organization or division.

    This is commonly referred to as the Organizational Unit and is used to differentiate between organizational divisions or to describe departments or divisions.

  7. Enter the city or town where your organization does business.

  8. Enter the unabbreviated name of the state or province where the organization does business.

    This is commonly referred to as the state.

  9. Enter the International Standards Organization country code for the country where the organization does business.

    This is commonly referred to as the country and must be a valid, two-character country code.

  10. Click OK.

    Examine the Action and Status fields. The Action field should have red arrows on the left and the word Request displayed on a green background. The Status should be Building. The red arrows and green background indicate that you need to click Apply.

  11. Click Apply.

    If any errors occur during the certificate request process, they will be displayed in the Error field on a red background.

    If an error occurs:

    1. Click Modify.

    2. In the Modify Certificate dialog box, make the changes necessary to resolve the errors > click OK.

    3. Click Apply. Repeat the modification process until the Status field displays the words CSR in Progress on a yellow background.


Extracting the CSR from the iChain Proxy Server to Send the CSR

  1. Click View CSR to open a new browser window that displays the CSR contents.

  2. Select and copy the complete CSR text into your computer's clipboard.

    Internet Explorer and other browsers sometimes run the header and trailer lines together with the CSR text that is in between. Clicking the browser refresh/reload button will often fix the problem. If it doesn't, simply insert the appropriate carriage returns during the next step. After you have copied the text, you can close the browser window. If refreshing doesn't fix the defect, you can also view the source of the HTML page and copy and paste the CSR from the source.

  3. Paste the CSR text from the clipboard to the e-mail message or HTML form as required by your CA. The method for sending the CSR will vary depending on the authority. VeriSign, for example, uses a Web page interface.

    IMPORTANT:  The header and trailer must be on lines separate from the body of the CSR. The header line will be similar to the following:

    ----- BEGIN NEW CERTIFICATE REQUEST -----

    The trailer line will be similar to the following:

    ----- END NEW CERTIFICATE REQUEST -----

    If required, you must use hard returns to separate these two lines from the body of the CSR.
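As an added example (not from the iChain documentation), the following Python function performs the clean-up described in steps 2 and 3: it locates the header and trailer even when the browser ran them together with the body, checks that the text between them is valid Base64, and re-emits the CSR with the header and trailer on their own lines. The pasted sample is constructed; its body is Base64 of a placeholder string, not a real PKCS#10 request.

```python
import base64
import re

HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"
TRAILER = "-----END NEW CERTIFICATE REQUEST-----"
# Match the delimiter lines even when the browser dropped the line breaks around
# them, padded the dashes with spaces, or used an uneven number of dashes.
_DELIM = re.compile(r"-{3,}\s*(BEGIN|END) NEW CERTIFICATE REQUEST\s*-{3,}")

def normalize_csr(text):
    """Return the CSR with header and trailer on their own lines and a body wrapped
    at 64 columns; raise ValueError if the delimiters or the Base64 body are bad."""
    found = list(_DELIM.finditer(text))
    if len(found) != 2 or found[0].group(1) != "BEGIN" or found[1].group(1) != "END":
        raise ValueError("expected exactly one BEGIN and one END delimiter")
    body = re.sub(r"\s+", "", text[found[0].end():found[1].start()])
    try:
        base64.b64decode(body, validate=True)  # reject anything that is not Base64
    except Exception as exc:
        raise ValueError("CSR body is not valid Base64") from exc
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([HEADER, *lines, TRAILER]) + "\n"

# Constructed sample: CSR text as it may arrive from the browser clipboard, with the
# header and trailer run together with the body and uneven dashes. The body is the
# Base64 of a placeholder string, not a real certificate request.
SAMPLE_BODY = base64.b64encode(b"placeholder CSR body " * 8).decode()
SAMPLE_PASTED = ("----- BEGIN NEW CERTIFICATE REQUEST -----" + SAMPLE_BODY
                 + "------ END NEW CERTIFICATE REQUEST -----")
```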


Using Novell as the External Certificate Authority

  1. In ConsoleOne click on Issue Certificate on the Tools Menu, then paste the CSR and follow the prompts to sign the certificate.

  2. Click Finish and save the file in a .b64 format.

  3. In ConsoleOne, go to the Organization CA object's properties page (in the Security container). Go to the Certificates > Self Signed Certificate page, then export the Self Signed Certificate in .b64 format.


Storing the Certificate in the iChain Proxy Server

After the external CA responds with the certificate:

  1. In the browser-based management tool, click Home > Certificate Maintenance > click the name of the certificate you want to store > click Store Certificate.

  2. In the Store Certificates dialog box, paste the CA certificate into the CA Certificate Contents box. If you are using Novell CA, this is where the Self Signed Certificate should be placed.

    NOTE:  If the CA Certificate Contents and the Server Certificate Contents are in the same Base-64 encoded file, check the No trusted root certificate available check box. This will gray out the CA Certificate Contents box and allow the single Base-64 encoded file containing the entire certificate chain to be pasted into the Server Certificate Contents box.

  3. Paste your newly issued certificate in the Server Certificate Contents box.

  4. Click Create.

    Examine the Action and Status fields. The Action field should have red arrows on the left and the word Create displayed on a green background. The Status should be CSR in Process. The red arrows and green background indicate that you need to click Apply.

  5. Click Apply.

    If no error occurs during the certificate creation process, the status will change to Active.

    If an error occurs during the certificate creation process, it will be displayed in the Error field on a red background.

    If an error occurs:

    1. Click Store Certificate.

    2. In the Store Certificate dialog box, verify that the correct certificates are pasted in the boxes > click OK.

    3. Click Apply. Repeat the modification process until the Status field displays the words Active on a green background.


Create a New Authentication Profile via an iChain Browser GUI

  1. Select Configure > Authentication > Insert > enter a name for the profile (for example, "Secure Exchange").

  2. Select Secure Exchange Certificate mutual authentication > click OK > Apply.

  3. Add the new profile to the Web Server Accelerator by selecting Configure > Web Server Accelerator.

  4. Click Authentication Options > select the newly created profile.

  5. Click Add > And Profiles > OK.

  6. At the Accelerator tab, highlight the accelerator > click Modify.

  7. At the Secure Exchange Key ID, select the name of the certificate you created > click OK > Apply.

    You can also select Mutual Options if you need to configure certificate mapping.


iChain Server --- Secure Exchange Between the Browser and iChain

NOTE:  Secure Exchange can also be set up between the iChain appliance and the Web server.

  1. Using the iChain browser GUI, select Configure > Web Server Accelerator.

  2. Choose the appropriate Web accelerator > click Modify > Enable Secure Exchange.

    Leave the SSL Listening Port as the default (443).


Create a User Certificate From a Novell Certificate Authority

  1. In ConsoleOne, as an administrator, go to the user object's properties > Security tab > click Certificates > Create.

  2. Select the default options (for example, with the private key, etc.). Change only what you need to change (for example, the expiration, etc.).

    NOTE:  Do not change the subject name if it is shown in reverse (for example, o=novell,ou=stress,cn=user1020).

  3. Save the file in .PFX format with a password.


iChain Server --- SSL Between iChain and the Browser (Internet Explorer 6.0)

  1. At the browser, select Tools > Internet Options.

  2. Select Content > Certificates.

  3. Import a Personal Certificate that has been signed by the same Certificate Authority.

    Follow the prompts to import the certificate. You will be prompted to enter a password.


Using Certificate Mapping

When using SSL Mutual Authentication, there must be a user in the iChain LDAP Authentication tree that corresponds to the user certificate. Certificate Mapping gives four different ways to map the user certificate to a user in the iChain LDAP Authentication tree. The four mapping types are directory name, mail, serial number & issuer name, and subject name. The proxy server can be configured to use any combination of the four mapping types. Note that when searching for a user with the configured mappings, the first user found is the user that is used for authentication and access control, even if other users would also map to the same certificate.


Configuring a Certificate Mapping Search Base

At least one search base needs to be configured for Certificate Mapping. The search base is the location in the iChain LDAP Authentication tree to search for user objects that the certificate may map to. More than one search base can be configured. The search will look for matches starting at the search base. All containers below the search base are included in the search.

To add a search base, go to the iChain Proxy Server console and enter the following:

add authentication aclcheck ldap searchbase = <context>

where <context> is the LDAP context where you want the search to start. For example, ou=users;o=novell. Note that the syntax for the context uses a semi-colon (;) for the delimiter between containers for the full context.


Configuring Certificate Mapping Types

The certificate mapping types are configured from the iChain Proxy Server utility.

To configure certificate mapping types:

  1. At the iChain Proxy Server utility, choose Configure > Authentication.

  2. Highlight an authentication profile of type Mutual.

  3. Click Modify > Mutual Options (see Figure 11).

Figure 11: Mapping Types


Directory Name Mapping

With directory name mapping, the Subject Alternative Name field in the user certificate, with a name type of Directory Name, will be used to identify the certificate portion of the user (see Figure 12). The name in the certificate can be from root to leaf or from leaf to root.

Figure 12: Subject Alternative Name

A user in the LDAP Authentication Tree matching the Directory Name in the Subject Alternative Name field of the certificate will be checked first. If a user is not found and Use sasAllowableSubjectName is also enabled for directory mapping (see Figure 11), the LDAP Authentication Tree will be searched for a user containing an sasAllowableSubjectName attribute matching the Directory Name in the Subject Alternative Name field of the certificate. If sasAllowableSubjectName is enabled, the LDAP Authentication tree should be configured so that there is no duplication of allowed names between users in the sasAllowableSubjectName attribute.

The sasAllowableSubjectName attribute is the same attribute currently used by NMAS for certificate mapping. The ConsoleOne snap-ins and schema updates are part of the NMAS installation on the Authorization Server CD. Figure 13 shows the sasAllowableSubjectName attribute in ConsoleOne.

Figure 13: sasAllowableSubjectName Attribute


Email Mapping

With Email mapping, there are two possible fields in the user certificate that can be used to identify the certificate portion of the user. The first is the Subject Alternative Name field in the user certificate, with a name type of RFC822 (see Figure 12). The second is when an e-mail name is embedded in the Subject field of the certificate (see Figure 14). If both the Subject field and the Subject Alternative Name field contain an e-mail address, the Subject Alternative Name will be the only field used.

Figure 14: Email Name Embedded in Certificate Subject Field

The LDAP attribute configured in the Email attribute mapping (see Figure 11) will be used to match the Email address from the certificate when searching for a user in the LDAP Authentication tree. The default LDAP attribute is mail, which is the attribute currently used by GroupWise and Novell Certificate Server. The LDAP Authentication tree should be configured so that there is no duplication of Email addresses between users in the configured e-mail attribute mapping.


Subject Name Mapping

With subject name mapping, the Subject field in the user certificate will be used to identify the certificate portion of the user (see Figure 15). The Subject name in the certificate can be from root to leaf or from leaf to root.

Figure 15: Subject Field in the User Certificate

A user in the LDAP Authentication tree matching the Subject Name field of the certificate will be checked first. If a user is not found and Use sasAllowableSubjectName is also enabled for subject name mapping (see Figure 11), the LDAP Authentication tree will be searched for a user containing a sasAllowableSubjectName attribute matching the Subject Name field of the certificate. If the sasAllowableSubjectName attribute is enabled, the LDAP Authentication tree should be configured so that there is no duplication of allowed names between users in the sasAllowableSubjectName attribute.

The sasAllowableSubjectName attribute is the same attribute currently used by NMAS for certificate mapping. The ConsoleOne snap-ins and schema updates are part of the NMAS installation on the Authorization Server CD. Figure 13 shows the sasAllowableSubjectName attribute in ConsoleOne.


Serial Number & Issuer Name Mapping

With Serial Number & Issuer Name mapping, both the serial number and the issuer name fields from the certificate will be used together to identify the certificate portion of the user (see Figure 16).

Figure 16: Serial Number & Issuer Name Mapping

Both the issuer name and the serial number need to be put into the same LDAP attribute of the user. The LDAP attribute that is used is specified in the Serial number and issuer name Attribute mapping field (see Figure 11) of the iChain Proxy Server utility. The LDAP attribute can be any Case Ignore List or Case Ignore String attribute of the user. If you are configuring your own attribute, make sure the attribute is added to the Person class.

When using a Case Ignore List attribute, both the issuer name and the serial number need to be in the same list. The issuer name needs to be the first item in the list, with the serial number being the second and last item in the list.

When using a Case Ignore String attribute, both the issuer name and the serial number need to be in the same attribute separated by a dollar sign ($) character. The issuer name needs to be in front of the $ character, with the serial number following the $ character. Do not use any spaces in front of or behind the $ character. (For example, O=CURLY.OU=Organization CA$021C0562C5C4... could be used for the certificate displayed in Figure 16).

The issuer name can be from root to leaf or from leaf to root. The issuer name is dot-delimited without a preceding dot. (For example, O=CURLY.OU=Organization CA or OU=Organization CA.O=CURLY could be used for the certificate displayed in Figure 16.)

NOTE:  The certificate number is displayed in Internet Explorer with a space after every fourth digit. The certificate number needs to be entered without spaces. For example, the certificate number displayed in Figure 16 is shown with spaces, but should be entered as: 021C0562C5C46960313BE0573FE79DF34E2E7EAB9C1C8138B066A3F735A602021D6D.
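As an added example (not from the iChain documentation), the Python below models the resolution rules described in this section for all four mapping types: names accepted root-to-leaf or leaf-to-root, the sasAllowableSubjectName fallback for directory and subject name mapping, Subject Alternative Name taking precedence over the Subject field for e-mail, the Case Ignore String and Case Ignore List forms of the serial number and issuer name, and the first-user-found rule. The dictionary keys, mapping type names, and the sample certificate and users are constructed for the example, not iChain's own.

```python
import re

def name_parts(name):
    # Names arrive comma- or dot-delimited; split only before the next "attr="
    # so a value such as "Organization CA" stays whole. Compared case-insensitively.
    return [p.strip().lower() for p in re.split(r"[,.](?=\s*\w+=)", name) if p.strip()]

def same_name(a, b):
    # iChain accepts a name written root-to-leaf or leaf-to-root.
    pa, pb = name_parts(a), name_parts(b)
    return bool(pa) and (pa == pb or pa == pb[::-1])

def serial_issuer_matches(stored, cert):
    # Case Ignore String "issuer$serial" (no spaces around $) or a Case Ignore
    # List [issuer, serial]; the issuer comes first in both forms.
    items = stored if isinstance(stored, list) else stored.split("$", 1)
    norm = lambda s: s.replace(" ", "").upper()  # IE displays a space every 4 digits
    return (len(items) == 2 and same_name(items[0], cert["issuer"])
            and norm(items[1]) == norm(cert["serial"]))

def map_user(cert, users, types, use_sas=False):
    """First user found over the configured mapping types, in order, else None.
    cert and user are dicts; see SAMPLE_CERT and SAMPLE_USERS for the keys."""
    for kind in types:
        if kind in ("directory", "subject"):
            name = cert["san_directory"] if kind == "directory" else cert["subject"]
            preds = [lambda u: same_name(u["dn"], name)]
            if use_sas:  # sasAllowableSubjectName is tried only when no DN matched
                preds.append(lambda u: any(same_name(n, name) for n in u["sas_names"]))
        elif kind == "mail":  # if both Subject and SAN carry an address, SAN wins
            email = (cert["san_rfc822"] or cert["subject_email"]).lower()
            preds = [lambda u: bool(email) and u["mail"].lower() == email]
        else:  # "serial_issuer"
            preds = [lambda u: u["serial_issuer"] is not None
                     and serial_issuer_matches(u["serial_issuer"], cert)]
        for pred in preds:
            hit = next((u for u in users if pred(u)), None)
            if hit:
                return hit  # first user found wins, even if other users also map
    return None

# Constructed sample data (not from the documentation): one user certificate and
# the user objects found under the configured search base.
SAMPLE_CERT = {"subject": "cn=user1020,ou=stress,o=novell", "issuer": "OU=Organization CA,O=CURLY",
               "serial": "021C 0562 C5C4 6960", "san_directory": "", "san_rfc822": "",
               "subject_email": "user1020@example.com"}
SAMPLE_USERS = [
    {"dn": "cn=alice,ou=users,o=novell", "mail": "alice@example.com", "sas_names": ["o=ext.cn=bob"],
     "serial_issuer": "O=CURLY.OU=Organization CA$021C0562C5C46960"},
    {"dn": "cn=user1020,ou=stress,o=novell", "mail": "user1020@example.com",
     "sas_names": [], "serial_issuer": None}]
```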