C.7. Using Client Certificates With the SGD Gateway

You can use client certificates to enhance the security of the SGD Gateway by restricting access to those users who present a certificate that the Gateway trusts.

A client certificate is an X.509 (SSL/TLS) certificate, together with its private key, that is installed in the browser or certificate store on the client device. The browser presents it to the SGD Gateway during the TLS handshake. See the online documentation of your browser for details of how to install a client certificate.

See Section C.7.2, “How to Generate a CSR for a Client Certificate” if you need to generate a certificate signing request (CSR) for a new client certificate.

The following procedures use the keytool application. See the JDK Tools and Utilities documentation for details on how to use the keytool application.

C.7.1. How to Configure the SGD Gateway to Use Client Certificates

  1. Log in as superuser (root) on the SGD Gateway host.

  2. Stop the SGD Gateway.

    # /opt/SUNWsgdg/bin/gateway stop
  3. Configure the SGD Gateway to use client certificates for HTTPS client connections.

    Add a <needClientAuth> entry to the http-ssl-service definition in the /opt/SUNWsgdg/etc/gateway.xml file, as follows (only the start of the service definition is shown):

    <service id="http-ssl-service" class="SSL">
        <needClientAuth>true</needClientAuth>
        <!-- Decrypts HTTPS traffic -->
        <subService id="ssl-splitter">
            <binding>*</binding>
        </subService>

    With <needClientAuth> set to true, the Gateway rejects any HTTPS connection from a client that does not present a certificate the Gateway trusts, so every user must have a client certificate installed before you restart the Gateway.

  4. (Optional) Import the client certificate into the SGD Gateway client keystore.

    Note

    You do not need to do this step if the client certificate is signed by a Certificate Authority (CA) that the SGD Gateway already trusts. If the certificate is issued by your own CA, import that CA's certificate instead of each client certificate; a single entry then covers every certificate the CA issues.

    Use the keytool command, as follows:

    # /opt/SUNWsgdg/java/default/bin/keytool -importcert \
    -alias mycert -keystore /opt/SUNWsgdg/proxy/etc/keystore.client \
    -file mycert.crt -storepass `cat /opt/SUNWsgdg/etc/password`

    In this example, the client certificate mycert.crt is imported into the SGD Gateway client keystore. The client certificate is stored using an alias of mycert. The keystore password is read from the /opt/SUNWsgdg/etc/password file; note that the expanded password appears on the keytool command line and is therefore visible in the process list for as long as the command runs.

  5. Start the SGD Gateway.

    # /opt/SUNWsgdg/bin/gateway start

C.7.2. How to Generate a CSR for a Client Certificate

To obtain a client certificate that you can use with the Gateway, you first need to generate a CSR. You then send the CSR to a Certificate Authority (CA) for signing.

Note

This procedure describes how you can use the keytool application on the Gateway host to generate a CSR. However, you do not have to use the steps described in this procedure. Instead, you can use your favorite certificate management tool to generate the CSR.

  1. Log in as superuser (root) on the SGD Gateway host.

  2. Generate a self-signed certificate and a corresponding private key.

    Use the keytool command, as follows:

    # /opt/SUNWsgdg/java/default/bin/keytool -genkeypair -keyalg RSA -keysize 2048 \
    -alias mycert -keystore keystore.mycert -storepass letmein

    In this example, a self-signed certificate and private key are created and stored in a keystore called keystore.mycert. The key pair is stored using an alias of mycert. keytool prompts for the distinguished name and for a key password; give a Common Name that identifies the user who will own the certificate. Replace letmein with a password of your own, because keystore.mycert holds the private key for the certificate. The -keysize 2048 option is given explicitly because older keytool releases default to a 1024-bit RSA key.

  3. Generate a CSR for the self-signed certificate.

    Use the keytool command, as follows:

    # /opt/SUNWsgdg/java/default/bin/keytool -certreq \
    -alias mycert -keystore keystore.mycert -storepass letmein \
    -file /tmp/gateway-name.csr

    In this example, a CSR is generated and stored in the file /tmp/gateway-name.csr, where gateway-name is the name of the Gateway. Send the CSR to the CA. When the signed certificate comes back, import it into keystore.mycert under the same alias, mycert, so that the certificate and its private key stay together; keytool must be able to verify the CA's reply, so import the CA's own certificate first if it is not already trusted.
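As an added example (not the SGD documentation's own procedure), the shell script below ties the two procedures on this page together for a site that runs its own CA: it creates the CA, issues a user certificate from a CSR and bundles it as PKCS#12 for the browser, imports the CA certificate into the Gateway client keystore (step 4 of Section C.7.1), shows the trust check that a certificate from outside the CA fails, and probes a running Gateway to confirm that <needClientAuth> is in force. It uses openssl rather than keytool for the CA work because keytool cannot sign a CSR. The Gateway paths are the ones on this page; the working directory, the CA name, the user names alice and mallory, the GATEWAY_HOST variable, the sgd-client-ca alias, the changeit bundle password and the use of keytool's -storepass:file option are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the SGD documentation: a private CA that issues
# client certificates for an SGD Gateway configured with <needClientAuth>,
# the truststore import from C.7.1 step 4, and a probe of the running Gateway.
# Paths mirror the page; WORK, the CA name, the user names, the alias and the
# PKCS#12 password are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYTOOL="${KEYTOOL:-/opt/SUNWsgdg/java/default/bin/keytool}"
CLIENT_KS="${CLIENT_KS:-/opt/SUNWsgdg/proxy/etc/keystore.client}"
PASS_FILE="${PASS_FILE:-/opt/SUNWsgdg/etc/password}"

# Create the private CA (key + self-signed certificate) that signs client CSRs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example SGD Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Key pair + CSR for one user (the openssl equivalent of C.7.2), signed by the
# CA, then bundled with its private key as PKCS#12 for import into a browser.
issue_client_cert() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$user.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$user.crt" 2>/dev/null
  openssl pkcs12 -export -name "$user" -in "$WORK/$user.crt" \
    -inkey "$WORK/$user.key" -out "$WORK/$user.p12" -passout pass:changeit
}

# A self-signed certificate that the CA never issued: what someone without an
# issued certificate could present to the Gateway.
make_self_signed() {
  user="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.crt" 2>/dev/null
}

# The check the Gateway makes at the TLS handshake, reduced to its essence:
# the presented certificate must chain to an entry in the truststore.
# Exit status 0 means accepted.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Import the CA certificate (one entry for all its users) into the Gateway
# client keystore. -storepass:file reads the password from a file instead of
# placing it on the command line (assumed available in the bundled keytool).
import_ca_into_gateway() {
  "$KEYTOOL" -importcert -noprompt -alias sgd-client-ca \
    -keystore "$CLIENT_KS" -storepass:file "$PASS_FILE" \
    -file "$WORK/ca.crt"
}

# Probe a running Gateway on port 443: without a certificate the handshake
# must fail; with an issued certificate it must succeed.
probe_gateway() {
  host="$1"; user="$2"
  if echo | openssl s_client -connect "$host:443" >/dev/null 2>&1; then
    echo "WARNING: $host accepted a connection without a client certificate"
  else
    echo "OK: $host rejected a connection without a client certificate"
  fi
  if echo | openssl s_client -connect "$host:443" -cert "$WORK/$user.crt" \
       -key "$WORK/$user.key" >/dev/null 2>&1; then
    echo "OK: $host accepted the certificate of $user"
  else
    echo "FAIL: $host rejected the certificate of $user"
  fi
}

main() {
  make_ca
  issue_client_cert alice
  echo "Browser bundle for alice: $WORK/alice.p12 (password: changeit)"
  if [ -x "$KEYTOOL" ]; then import_ca_into_gateway; fi
  if [ -n "${GATEWAY_HOST:-}" ]; then probe_gateway "$GATEWAY_HOST" alice; fi
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as root on the Gateway host with an argument of run (for example, sh sgd-client-certs.sh run, where the file name is hypothetical), then restart the Gateway and run it again with GATEWAY_HOST set to probe the live service. Because the truststore then accepts every certificate the CA issues, guard the CA private key at least as carefully as the Gateway's own key.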