Configuring Mutual Authentication using Novell's CA
(Last modified: 28Jan2003)
This document (10066648) is provided subject to the disclaimer at the end of this document.
Verify date/time settings
Check the date/time settings on iChain and the Certificate Server that will be signing the request. If they are not the same (or very close) the certificate may not work.
Create a Certificate Signing Request (CSR)
Using the iChain Web Management utility, create a certificate from the Certificate Maintenance tab on the home page. When creating, choose the defaults. Name it something you'll remember. For the Subject name, make sure it matches the DNS name of the reverse accelerator. This will prevent any errors with the certificate name check. Use an External certificate authority. Fill in the Organization, City/town, State/province and Country fields. Click OK and Apply.
This will create a CSR. Use the view CSR Button to view the CSR in a browser window. The Status will read "CSR in progress" at this point. Click on File > Save as. Name it CSR.B64 so that you can keep track.
Signing the CSR
Use ConsoleOne to go to your authentication tree. Log in as admin. Highlight the tree. Click Tools from the dropdown menu, and select Issue a Certificate. Browse to your CSR file (CSR.B64) and add it into the window. Click Next. Choose the Organizational CA. Click Next. For type, leave as Unspecified. Click Next. Make sure the subject name is the URL of your domain. Set the validity period to 2 years (or whatever you choose). Click Next, and click Finish.
Choose the Base64 format and save the certificate as SERVER.B64.
Create a Trusted Root or "Self Signed" Certificate
Now, go to your organizational CA (in the Security Container of your Authentication Tree). Click the Certificates tab, and make sure you are on the Self Signed Certificate part of that tab. Click export. Export it in Base64 format. Save it to your hard drive. Change the filename to CA-SelfSignedCert.B64 (or keep the default filename) and save.
Import Trusted Root/Signed Certificate into the Server Certificate
Switch back to the iChain Web Management tool. Select the Certificate Maintenance tab on the Home page. Select the certificate that you created before. Click the Store Certificate button at the bottom.
You should have two fields: one for the CA Certificate Contents, and one for the Server Certificate Contents. The text of the CA-SelfSignedCert.B64 file goes in the CA field; the text of the SERVER.B64 file goes in the Server field. Use WordPad to open, copy and paste the text. Notepad has a tendency to add box characters in place of carriage returns, and the certificate will not be valid.
Click Create. Everything should go as expected, and then you click the Apply button in the iChain Web Management tool.
Create the Mutual Authentication Profile
You are now ready to set up your accelerator for mutual authentication with your Authentication tree (LDAP tree).
Go to the Configure Page, the Authentication Tab. Click Insert. Name the profile (like Mutual), and choose the Background SSL Mutual Authentication radio button. Click OK. There's nothing else to configure.
Create the Accelerator
Now choose the Web Server Accelerator tab. Create a new accelerator the way you would create any accelerator. Set the IP addresses, DNS Names (must match the Subject name in step 1), etc. Click the Enable authentication box. Click the Authentication Options box. Select the Mutual Profile and Add it to the Service Profiles side. Click OK.
You don't need to enable Secure Exchange, but you do need to make sure that you are using a unique SSL listening port (for that IP address) and that you choose the name of the certificate that you created in the drop down box. Click OK.
Prepare ConsoleOne and the workstation
See TID 10065296 before proceeding. You must use NICI Client 2.0.2 for Windows and Novell Certificate Server v2.0 Snapin Version 2.21 (or later) for ConsoleOne to create the user certificates!
The correct files can be found on the Client CD shipped with iChain 2.0 or can be downloaded from WWW.NOVELL.COM/DOWNLOADS. If installing from the CD, install NICI Client 2.0.2 for Windows, ConsoleOne and the NetWare 6 ConsoleOne Snapins.
Create User Certificate to Import into Internet Explorer
Log in to the Authentication tree as Administrator. Click on the user object that you want to be able to authenticate with a certificate. Go to the properties of this object, and the Security Certificates tab. Click the Create button. Name the certificate (the user's CN is good) and choose to create it with the Custom method. Choose the Organizational CA as the signing authority. Click Next. Leave the certificate's usage as unspecified, and pick the appropriate key size (1024 works well for 128-bit SSL). Make sure the Allow private key to be used for authentication box is checked. Click Next. Put in an e-mail address, make sure the validity period is good and the signature algorithm is RSA w/ SHA-1 hash, and click Next. Click Finish.
Export the User's Private Key
Log out of the Authentication tree. Log back into the Authentication tree as the user you just gave a certificate to. Browse to the user object again. Open the properties, go to the Security / Certificates tab. Click Export. Make sure the private key gets exported with the certificate. Make sure the Include all certificates in the certification path box is checked. Set a name for the file, and also a password to protect the Private Key. Click Next, and then Finish. Save the .PFX file so that it can be imported into the Browser.
Import the Private Key into Internet Explorer
Launch IE and go to File, then Open. Browse to the user's private certificate that you just exported and saved (the .PFX file). Click Open and OK. Click Next to continue importing the certificate. Click Next again to import the selected file. The next screen will prompt for the password that was used to protect the user certificate during the export process. Click Next. The next screen asks where you want to store the certificate. Choose the default to automatically install. Click on Next, then Finish, and Yes to add the certificate.
1) Can't see the Certificate to select when configuring the accelerator.
There are frequently problems when copying/pasting the certificate text file. Open the file in Notepad and make sure there are no "box" characters in the text. They may appear at the very end of the text, or the entire text may appear to be only one or two lines; all carriage returns show up as a box character. Delete them and try it again. The certificates need to be in the following format:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
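The following is an added example (not part of the original TID) that does the box-character check described above on a saved .B64 file: it reports every non-printable character by line, strips bare carriage returns and DOS end-of-file markers, checks that the BEGIN/END markers match and that the Base64 body actually decodes, and re-wraps the block so it can be pasted cleanly. The sample input is constructed and is not a real certificate.

```python
import base64
import re

# A PEM block: matching BEGIN/END markers (NEW CERTIFICATE REQUEST for the
# CSR, CERTIFICATE for what the Organizational CA signs) around Base64 text.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

# Constructed sample, as Notepad might save it: bare CRs (the "box"
# characters), the Base64 broken at an odd place, and a trailing 0x1A.
_PAYLOAD = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_SERVER_B64 = (
    "-----BEGIN CERTIFICATE-----\r\r\n"
    + _PAYLOAD[:20] + "\r" + _PAYLOAD[20:] + "\r\r\n"
    + "-----END CERTIFICATE-----\r\x1a"
)


def find_stray_characters(text):
    """Return (line_no, repr(char)) for every control character except LF/tab.

    These are what Notepad renders as boxes: bare CR, NUL, 0x1A and so on.
    """
    stray = []
    for line_no, line in enumerate(text.split("\n"), 1):
        for ch in line:
            if ch != "\t" and (ord(ch) < 0x20 or ord(ch) == 0x7F):
                stray.append((line_no, repr(ch)))
    return stray


def normalize_pem(text):
    """Return (clean_pem_text, decoded_der_bytes) or raise ValueError.

    CR/LF variants become LF, other control characters are dropped, the
    markers must pair up, and the body must be valid Base64 (validate=True
    rejects any leftover junk characters instead of silently skipping them).
    """
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = "".join(ch for ch in text if ch == "\n" or ord(ch) >= 0x20)
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no matching -----BEGIN/END----- markers found")
    body = "".join(m.group("body").split())          # strip all whitespace
    der = base64.b64decode(body, validate=True)      # raises ValueError on junk
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    label = m.group("label")
    clean = "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
    return clean + "\n", der
```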
2) There is no prompt to select the proper certificate when you connect to the accelerator.
View the User certificate you imported into Internet Explorer and the Organization CA and verify that the Issuer name matches (Tools > Internet Options > Content > Certificates > Highlight the certificate > View > Details Tab.)
3) Turn on advanced troubleshooting error messages by adding the following to PROXY.CFG on the iChain box:
Then restart the server. The browser should then receive more meaningful error messages. Do not leave this turned on. Doing so will give "hackers" an advantage.
**Don't forget to configure your ISO object and your ACL rules to allow the user into the protected resource.
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
- Document ID:
- Solution ID: NOVL65634
- Creation Date: 07Dec2001
- Modified Date: 28Jan2003
- Novell Connectivity Products