Sun Java System Portal Server 7.1 Configuration Guide

Procedure: To Configure Personal Digital Certificate Authentication

Before You Begin
  1. Edit the AMConfig.properties file on the Portal Server node.

    The AMConfig.properties file is located in the AccessManager_base/SUNWam/config directory.

    1. Add the following line in the AMConfig.properties file.

      com.iplanet.authentication.modules.cert.gwAuthEnable=yes

  2. Import the certificates to the certificate database of the Gateway.

  3. Import the Root Certificate Authority on the Gateway machine.

  4. Add the Root Certificate Authority to the Gateway profile.

    1. Run the following command:

      PortalServer_base/SUNWportal/bin/certadmin -n gateway-profile-name

    2. Select Option 3 in the command-line interface.

      You are prompted to provide the certificate path. When you provide a valid path, the certificate is added, and a message confirms that the certificate was added successfully.

  5. Generate a Certificate Signing Request for submitting to the Certificate Authority.

    1. Run the following command:

      PortalServer_base/SUNWportal/bin/certadmin -n gateway-profile-name

    2. Select Option 2 in the command-line interface.

    3. Enter values when prompted.

    4. Save the request in a file.

  6. Submit the Certificate Signing Request to a Certificate Authority and get it approved.

  7. Save the certificate response to a file after the Certificate Authority has signed it.

  8. Import the certificate response file.

    1. Run the following command:

      PortalServer_base/SUNWportal/bin/certadmin -n gateway-profile-name

    2. Select Option 4 in the Certadmin menu.

    3. Provide the location of the certificate response file.

  9. Import the Root CA certificate on the Portal Server machine.


      ./certutil -A -n rootca -t "TCu,TCu,TCuw" \
      -d /var/opt/SUNWappserver/domains/domain1/config \
      -a -i rootca-path

  10. Register Certificate as an Authentication module.

    1. Log in to amconsole as the administrator.

    2. Click the Identity Management tab.

    3. Select the Organization.

    4. Select Services in the View drop-down list.

    5. Verify whether the Certificate is displayed in the left pane under the Authentication Modules option.

    6. Click Add if the Certificate Service is not displayed in the left pane.

    7. Select Certificate in the right pane.

      Certificate is displayed under the Authentication Modules option.

    8. Click OK.

      Certificate is displayed under the Authentication Modules option in the left pane.

  11. Allow Certificate Authentication to trust any remote host.

    1. Log in to amconsole as the administrator.

    2. Click the Identity Management tab.

    3. Select the Organization.

    4. Select Services in the View drop-down list.

    5. Click the Arrow button displayed with the Certificate option.

    6. Select the None option displayed in the Trusted Remote Hosts list box.

    7. Click Remove.

    8. Type Any in the text box displayed with the Trusted Remote Hosts list box.

    9. Click Add, and click Save in the right panel.

  12. Add Certificate as a required enforcement criterion.

    1. Log in to amconsole as the administrator.

    2. Click the Identity Management tab.

    3. Select the Organization.

    4. Select Services in the View drop-down list.

    5. Click the Arrow button that is displayed with the Authentication Configuration option.

      The Service Instance screen appears.

    6. Click New in the Service Instance screen.

      The New Service Instance List screen appears.

    7. Enter the service instance name as gatewaypdc.

    8. Click Submit.

      The Service Instance List screen appears.

    9. Click the gatewaypdc option.

      The gatewaypdc Show Properties screen appears.

    10. Click the Edit link.

    11. Click Add.

      The Add Authentication Modules pop-up window appears.

    12. Select Cert as the Module Name.

    13. Select Required for Enforcement Criteria.

    14. Click OK.

      The Authentication Modules pop-up window appears.

    15. Click OK and close the pop-up window.

  13. Add a dynamic user.

    1. Log in to amconsole as the administrator.

    2. Click the Arrow button displayed with the Core option in the Identity Management tab.

    3. Select gatewaypdc in the Organization Authentication Modules list box.

    4. Select Dynamic from the User Profile drop-down list.

    5. Click Save.

  14. Add Gateway host in the Portal Server administration console.

    1. Log in to the Portal Server administration console.

    2. Click Secure Remote Access.

    3. Click the Gateway profile.

      The Profile screen appears.

    4. Click the Security tab.

      The Security Options screen appears.

    5. Add the Gateway host name in the Certificate-enabled Gateway Hosts list box.

    6. Click Add and click Save.

  15. Restart the server.


    Note –

    This restart is mandatory because AMConfig.properties was updated in step 1.

  16. Restart the Gateway profile.

  17. Install the client certificate issued by the Certificate Authority into the browser.

    Access the PDC-enabled Gateway.

  18. Install the client certificate to the JVM keystore.

    1. Click Start > Settings > Control Panel > Java.

    2. Add the following parameters in the Applet Run Time parameters:


      -Djavax.net.ssl.keyStore=keystore-path
      -Djavax.net.ssl.keyStorePassword=password
      -Djavax.net.ssl.keyStoreType=type

  19. Add portal services to the dynamic user created.

    1. Log in to Access Manager administrator console as the administrator.

    2. Click the Identity Management tab.

    3. Select the Organization.

    4. Select Users in the View drop-down list.

    5. Add Services to the dynamic user created.

  20. Add a dynamic user to the Distinguished Name (DN).

    1. Log in to the Portal Server administrator console.

    2. Click Portals > Portal name.

    3. Add the dynamic user to the DN.

    4. Change the Parent Container to JSPTabContainer.

    5. Change Desktop Type of the user to developer_sample, enterprise_sample, or community_sample.
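The following script is an added example and is not part of the Sun guide or the Portal Server product. It covers the two command-line steps of the procedure: it sets the gwAuthEnable property from step 1 without leaving duplicate lines when run more than once, reads the value back to confirm the edit, and composes (or runs) the certutil import from step 9. The default file locations assume AccessManager_base is /opt and reuse the guide's domain1 path; the function names, the AM_CONFIG, NSS_DB and ROOTCA_PATH variables, and the rootca.pem filename are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Sun guide): enable gateway certificate
# authentication in AMConfig.properties (step 1) and stage the root CA
# import into the Portal Server NSS database (step 9).
set -e

# Assumed locations; AccessManager_base is taken to be /opt. Override via env.
AM_CONFIG="${AM_CONFIG:-/opt/SUNWam/config/AMConfig.properties}"
NSS_DB="${NSS_DB:-/var/opt/SUNWappserver/domains/domain1/config}"
KEY="com.iplanet.authentication.modules.cert.gwAuthEnable"

# set_property FILE KEY VALUE
# Replace an existing "KEY=" line or append one, so re-running the script
# never produces a second copy of the property. '|' is the sed delimiter so
# that values containing '/' (paths) are safe.
set_property() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY
# Print the current value; the last matching line wins, which is also how
# java.util.Properties resolves duplicate keys.
get_property() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# root_ca_import_cmd NICKNAME CERT_PATH
# Compose the certutil command from step 9 for review before running it.
# The trust string has three comma-separated slots (SSL, e-mail, object
# signing); C = trusted CA for server certs, T = trusted CA for client certs,
# u = usable for authentication/signing, w = warn when used in that context.
root_ca_import_cmd() {
    printf 'certutil -A -n %s -t "TCu,TCu,TCuw" -d %s -a -i %s\n' "$1" "$NSS_DB" "$2"
}

# import_root_ca NICKNAME CERT_PATH
# Run the import, then list the nickname so a silent failure is caught.
import_root_ca() {
    certutil -A -n "$1" -t "TCu,TCu,TCuw" -d "$NSS_DB" -a -i "$2"
    certutil -L -d "$NSS_DB" -n "$1" >/dev/null
}

main() {
    [ -f "$AM_CONFIG" ] || { echo "missing $AM_CONFIG" >&2; exit 1; }
    set_property "$AM_CONFIG" "$KEY" yes
    [ "$(get_property "$AM_CONFIG" "$KEY")" = yes ] || { echo "failed to set $KEY" >&2; exit 1; }
    # Print the import command; pass "apply" as the first argument to run it.
    root_ca_import_cmd rootca "${ROOTCA_PATH:-/path/to/rootca.pem}"
    [ "${1:-}" = apply ] && import_root_ca rootca "${ROOTCA_PATH:-/path/to/rootca.pem}"
    return 0
}

# Only run on the Portal Server node as root; "sh this.sh" prints the plan,
# "sh this.sh apply" performs the certutil import as well.
case "${RUN_MAIN:-0}" in 1) main "$@" ;; esac
```

The property edit is idempotent on purpose: the guide's step 1 says to add the line, and a second run (or a second administrator) would otherwise append a duplicate that is easy to miss when troubleshooting. Reading the value back with `get_property` is the check to perform before the restart in step 15.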