Configure runtime security services for client certificate authentication between WebSEAL and AAC
This topic describes how to configure runtime security services so that WebSEAL (the web reverse proxy) authenticates to Advanced Access Control with a client certificate. Before you select the client certificate authentication option in the isamcfg tool, complete the following general steps for the client certificate:
- Generate a certificate that represents the user who authenticates from WebSEAL, or the web reverse proxy, to Advanced Access Control. This example uses the user easuser.
- Import that certificate into the WebSEAL or web reverse proxy key database as a personal certificate.
- Import the signer of this certificate as a trusted signer certificate in the Advanced Access Control keystore (the rt_profiles_keys certificate database).
- Set the Accept Client Certificates runtime parameter to True on the appliance.
Steps
- Create a client certificate with the label easusercert for the user easuser.
- In the local management interface, go to...
System > Secure Settings > SSL Certificates > pdsrv certificate database > Manage > Edit SSL Certificate Database > Personal Certificates > New
- Provide the following information:
- Certificate Label: easusercert
- Certificate Distinguished Name: cn=easuser
- Key Size: 2048
- Expiration Time (in days): 365
- Click Save.
- Deploy pending changes. See Deploying pending changes.
- Restart the reverse proxy instances.
- Export the client certificate.
- Select the pdsrv certificate database.
- Click...
Manage > Edit SSL Certificate Database > Personal Certificates > easusercert certificate > Manage > Export
- Import the exported personal certificate as a signer certificate into the Advanced Access Control keystore. The runtime must trust the signer of the client certificate. Because the certificate that the appliance generated is self-signed, the certificate is its own signer, so importing easusercert as a signer certificate establishes that trust.
- Click...
System > Secure Settings > SSL Certificates > rt_profiles_keys certificate database > Manage > Edit SSL Certificate Database > Signer Certificates > Manage > Import > Browse
- Browse to the directory containing the file to be imported and select the file. Click Open.
- Click Import. A message that indicates successful import is displayed.
- Deploy pending changes. See Deploying pending changes.
- Configure the appliance for client certificate authentication.
- In the local management interface, go to...
AAC > Global Settings > Runtime Parameters > Accept Client Certificates > Edit
...and set the value as True.
- Restart the runtime.
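The certificate steps above can be reproduced and checked off the appliance with openssl before the LMI is touched. The following script is an added example, not part of the ISAM documentation or of the appliance tooling. It generates a self-signed client certificate with the values used in this procedure (label easusercert, DN cn=easuser, 2048-bit key, 365 days), exports the public certificate as the signer, and verifies the two properties the procedure depends on: that the certificate is self-signed, so the exported certificate is the signer to import, and that a certificate issued by any other signer is not trusted. The file names, the second othercert certificate and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the ISAM documentation or the appliance. Reproduces
# the LMI certificate steps with openssl so the trust relationship can be
# checked before the appliance is changed. Values taken from the procedure:
# label easusercert, DN cn=easuser, 2048-bit key, 365 days. File names, the
# othercert certificate and the function names are assumptions of this script.
set -eu

# Equivalent of "Personal Certificates > New": a self-signed RSA 2048
# certificate whose file name is the label. Prints the certificate path.
make_client_cert() {
    dir=$1; label=$2; cn=$3; days=$4
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$label.key" -out "$dir/$label.pem" \
        -days "$days" -subj "/CN=$cn" >/dev/null 2>&1
    printf '%s\n' "$dir/$label.pem"
}

# Equivalent of "Personal Certificates > ... > Export": the public certificate
# only (no private key), which is what is imported as a signer certificate.
export_signer() {
    openssl x509 -in "$1" -out "$2"
    printf '%s\n' "$2"
}

# One DN field (subject or issuer) in RFC 2253 form, "subject=" prefix stripped.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# The CN the runtime sees when WebSEAL presents this certificate.
cert_cn() {
    cert_field "$1" subject | sed -n 's/^CN=\([^,]*\).*/\1/p'
}

# Self-signed means issuer and subject are identical; that is why the exported
# certificate itself is imported into rt_profiles_keys as the signer.
is_self_signed() {
    [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]
}

# The check the runtime performs during the TLS handshake: does the client
# certificate chain to a signer it trusts? Exit 0 = trusted, 1 = not trusted.
trusted_by_signer() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 when the certificate is still valid $2 days from now; used to confirm
# the Expiration Time (in days) that was entered.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    client=$(make_client_cert "$work" easusercert easuser 365)
    signer=$(export_signer "$client" "$work/easusercert-signer.pem")
    # A second self-signed certificate stands in for "some other signer".
    other=$(make_client_cert "$work" othercert otheruser 365)

    echo "client CN:                   $(cert_cn "$client")"
    if is_self_signed "$client"; then
        echo "self-signed:                 yes"
    fi
    if trusted_by_signer "$client" "$signer"; then
        echo "trusted via exported signer: yes"
    fi
    if ! trusted_by_signer "$other" "$signer"; then
        echo "othercert trusted:           no (its signer was never imported)"
    fi
    rm -rf "$work"
}

demo
```

The negative case is the one worth remembering: a client certificate presented to the runtime is only accepted if its signer is in rt_profiles_keys, so a certificate that is regenerated in the LMI (a new self-signed certificate with the same label) must be exported and imported as a signer again.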
What to do next
Run the isamcfg tool and respond to the following prompts as described:
- When the tool asks you to Select the method for authentication between WebSEAL and the Advanced Access Control runtime listening interface, select Certificate Authentication.
- When the tool prompts for the Advanced Access Control runtime listening interface SSL keyfile label, enter the label of the certificate that represents the user who authenticates from WebSEAL or the web reverse proxy to Advanced Access Control (easusercert in this example).
For more information, see the isamcfg ISAM appliance configuration worksheet.
Parent topic: Runtime security services external authorization service