SSL Authentication

The server can confirm users’ identities with security certificates in two ways:

• Using the information in the client certificate as proof of identity

• Verifying a client certificate published in an LDAP directory (additional)

When the server is configured to use certificate information for authenticating the client, the server:

• Checks to determine if the certificate is from a trusted CA (Certificate Authority). If not, the authentication fails and the transaction ends. To learn how to enable client authentication, see Setting Security Preferences.

• Maps the certificate to a user’s entry using the certmap.conf file, if the certificate is from a trusted CA. To learn how to configure the certificate mapping file, see Using the certmap.conf File.

• Checks the ACL rules specified for that user if the certificate maps correctly. Even if the certificate maps correctly, ACL rules can deny access to the user.

Requiring client authentication for controlling access to specific resources differs from requiring client authentication for all connections to the server. If the server is configured to require client authentication for all connections, the client must only present a valid certificate issued by a trusted CA. If the server is configured to use the SSL method for authentication of users and groups, the following must happen:

• The client must present a valid certificate issued by a trusted CA

• The certificate must be mapped to a valid user in LDAP

• The access control list must evaluate properly

When you require client authentication with access control, SSL ciphers must be enabled for your Proxy Server. See Chapter 5, Using Certificates and Keys for more information about enabling SSL.

To successfully gain access to an SSL-authenticated resource, the client certificate must be from a CA trusted by the Proxy Server. The client certificate must be published in a directory server if the Proxy Server’s certmap.conf file is configured to compare the client’s certificate in the browser with the client certificate in the directory server. However, the certmap.conf file can be configured to only compare selected information from the certificate to the directory server entry. For example, you could configure certmap.conf to only compare the user ID and e-mail address in the browser certificate with the directory server entry. For more information about certmap.conf and certificate mapping, see Chapter 5, Using Certificates and Keys. Also see the Proxy Server 4.0.2 Configuration File Reference.