Sun Java System Portal Server Secure Remote Access 7.2 Administration Guide

Configuring Personal Digital Certificate Authentication

PDCs are issued by a Certification Authority (CA) and signed with the CA's private key. The CA validates the identity of a requesting body before issuing a certificate. Thus the presence of a PDC is a powerful authentication mechanism.

PDCs contain the owner's public key, the owner's name, an expiration date, the name of the Certification Authority that issued the Digital Certificate, a serial number, and maybe some other information.

Users can authenticate to the Portal Server with PDCs and with encoded devices such as Smart Cards and Java Cards, which carry an electronic equivalent of a PDC stored on the card. When a user logs in with one of these mechanisms, no login or authentication screen is displayed.

The PDC authentication process involves several steps:

  1. From a browser, the user types a connection request, say https://my.sesta.com.

    The response to this request depends on whether the Gateway to my.sesta.com has been configured to accept certificates.


    Note –

    When a Gateway is configured to accept certificates, it accepts only logins with certificates, not any other kind of login.


    The Gateway checks that the certificate has been issued by a known Certificate Authority, has not expired, and has not been tampered with. If the certificate is valid, the Gateway lets the user proceed to the next step in the authentication process.

  2. The Gateway passes the certificate to the PDC authentication module in the server.
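The checks described in the first step above, reproduced as an added example (not code from the Sun guide or the product): a shell script that generates a throwaway Root CA and client certificates with openssl, then applies the same three tests (known issuer, not expired, not tampered with) to each. The CA names, subjects and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Sun guide: reproduce with openssl the checks the
# Gateway applies to a presented PDC (issued by a known CA, not expired, not
# tampered with). The CA names, subjects and file names are assumptions; the
# PKI is a throwaway one generated here so the script runs offline.
set -u
WORK=$(mktemp -d)
gen_ca()   { openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
               -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1; }
# gen_leaf NAME CA OUT: issue a client certificate for NAME signed by CA
gen_leaf() { openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
               -keyout "$3.key" -out "$3.csr" >/dev/null 2>&1 &&
             openssl x509 -req -in "$3.csr" -CA "$2.pem" -CAkey "$2.key" \
               -CAcreateserial -days 30 -out "$3.pem" >/dev/null 2>&1; }

# Constructed test PKI: the Root CA imported on the Gateway (step 1 of the
# import procedure), a client PDC it issued, and a PDC from an unrelated CA
# that the Gateway was never configured to trust.
gen_ca "Example Root CA" "$WORK/rootca"
gen_leaf "jdoe" "$WORK/rootca" "$WORK/client"
gen_ca "Other CA" "$WORK/otherca"
gen_leaf "mallory" "$WORK/otherca" "$WORK/untrusted"
# A tampered copy: rotate the letters on one base64 line of the PEM body so
# the signed bytes no longer match the CA's signature.
sed '3y/abcdefghijklmnopqrstuvwxyz/bcdefghijklmnopqrstuvwxyza/' \
    "$WORK/client.pem" > "$WORK/tampered.pem"

# check_client_cert CERT CAFILE: succeed (exit 0) only when CERT is inside its
# validity period and chains, with an intact signature, to a CA in CAFILE.
check_client_cert() {
  # -checkend 0 fails once notAfter has passed (also fails on an unparsable cert)
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
  # verify walks the chain to CAFILE and checks every signature, which is what
  # catches both an unknown issuer and a modified certificate body
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  return 0
}

# Stand-alone run: print the verdict for each constructed certificate
for c in client untrusted tampered; do
  if check_client_cert "$WORK/$c.pem" "$WORK/rootca.pem"; then
    echo "$c.pem: accepted"
  else
    echo "$c.pem: rejected"
  fi
done
```

Only client.pem is accepted; the certificate from the unknown CA and the modified copy are both rejected by the same verify call the Gateway's own check corresponds to.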

Procedure: To Configure PDCs and Encoded Devices

  1. Add the following line to the /etc/opt/SUNWam/config/AMConfig.properties file on the Portal Server machine: com.iplanet.authentication.modules.cert.gwAuthEnable=yes.

  2. Import the required certificates into the certificate database of the Gateway that you want PDC-enabled. To import the certificates, see To import the Root CA certificate on the gateway machine.

  3. Log into the Access Manager administration console as administrator and do the following:

    1. Select the Identity Management tab and then select an Organization.

    2. Click Services for the Organization from the View drop-down menu.

    3. Click Add to register the certificate.

  4. From the Access Manager administration console, do the following:

    1. Select the required organization and click the arrow next to Certificate.

    2. In the Trusted Remote Host list box, highlight none and click Remove.

    3. Enter any in the text field and click Add.

    4. Click Save.

  5. From the Access Manager administration console, do the following:

    1. Choose the required organization and then select Services from the View drop-down menu.

      The list of services is displayed.

    2. Click the arrow next to the Authentication Configuration core service and then click New.

      The New Service Instance page is displayed.

    3. Enter the service instance name as gatewaypdc.

    4. Click Submit.

      The gatewaypdc Service Instance List is displayed.

    5. Click gatewaypdc to edit the service.

      The gatewaypdc show properties page is displayed.

    6. Click the Edit link next to Authentication Configuration and then click Add.

      The Add Module page is displayed.

    7. Choose Cert from the Module Name field and REQUIRED for Enforcement criteria, and then click OK.

    8. Click OK to complete.

  6. From the Access Manager administration console, do the following:

    1. Click the arrow next to Core.

    2. In the Organization Authentication modules list box, select gatewaypdc.

    3. Choose Dynamic from the User Profile drop-down menu.

    4. Click Save to complete.

  7. Log into the Portal Server administration console as administrator and do the following:

    1. Select the Secure Remote Access tab and select the appropriate gateway profile.

    2. Select the Security tab.

    3. In the Certificate-enabled Gateway hosts list box, add the Gateway name.

    4. Click Save.

  8. Restart the gateway profile from a terminal window:

    ./psadmin start-sra-instance -u amadmin -f passwordfile -N profilename -t gateway

  9. Install the client certificate issued by the CA into the browser that will be used to access the PDC-enabled Gateway.

  10. Install the client certificate into the JVM keystore. On a Windows machine, open the Java control panel from Start > Settings > Control Panel > Java.

    Add the following to the Applet Runtime parameters:

    • -Djavax.net.ssl.keyStore=Path to Keystore

    • -Djavax.net.ssl.keyStorePassword=password

    • -Djavax.net.ssl.keyStoreType=type

  11. Access your gateway profile and organization:

    https://gateway:instance-port/YourOrganization

    You should be logged in, under the name in the certificate, without any prompt for a username and password.

Procedure: To import the Root CA certificate on the gateway machine

  1. Import the Root CA certificate on the gateway machine.

    1. <Gateway-Install-Dir>/SUNWportal/bin/certadmin -n <gw-profile-name>

      The certadmin menu is displayed.

    2. Select option 3. Enter the path for the certificates.

    For more information, see Chapter 10, Working with Certificates.

  2. Generate a Certificate Signing Request for submitting to the CA.

    1. <Gateway-Install-Dir>/SUNWportal/bin/certadmin -n <gw-profile-name>

      The certadmin menu is displayed.

    2. Select option 2. Enter appropriate information.

    3. Save the file.

  3. Submit the Certificate Signing Request to a CA and get it approved. Save the certificate response after CA signing.

  4. Import the Server Certificate after it has been approved by the CA.

    1. <Gateway-Install-Dir>/SUNWportal/bin/certadmin -n <gw-profile-name>

      The certadmin menu is displayed.

    2. Select option 4.

    3. Specify the location of the file containing the Server Certificate.

  5. Import the Root CA certificate on the Portal Server machine.