Configuring RAD Transports to Accept X.509 Client Certificates

The rad daemon lets you configure its transports to accept X.509 client certificates. A certificate that passes the checks below authenticates its holder as a user (root or another privileged user) on the server system.

You can configure the RAD TLS transport by configuring properties in the ssl_port property group of the svc:/system/rad:remote SMF instance.

Use the following configuration options to configure the RAD TLS transport:

allow_client_certificate

Specifies whether to permit the clients to authenticate by using an X.509 client certificate. The default value is true.

The certificate must be signed by a specific CA, which defaults to the one specified by client_ca_path. If the certificate Subject contains UID=logname and the user logname exists on the system, the RAD daemon authenticates the connection as that user.

client_ca_path

Specifies the location of the PEM-formatted file that includes a CA certificate with which all client X.509 certificates must be signed. The value defaults to the certificate/ca/uri property value of the svc:/system/identity:cert SMF instance.

map_host_certificate_to_root

Specifies whether to permit mapping a client X.509 certificate to the root user. The default value is false.

If the value is true and the client X.509 certificate has no UID attribute in its Subject, the RAD daemon checks whether the network peer host name appears in the Subject CommonName or in a Subject Alternative Name. If it finds the peer host name there, the RAD daemon authenticates the connection as the root user.

require_client_certificate

Specifies whether all clients authenticate by using an X.509 client certificate. The default value is false.
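
The following Python model is an added illustration, not Oracle's code, of how the three boolean properties above combine with the certificate contents to decide which local user a connection is authenticated as. It assumes that chain validation against client_ca_path has already been performed (represented by the ca_verified flag), that host-name comparison is case-insensitive, and that a Subject UID naming a non-existent user yields no certificate-based authentication; the page only states that an existing user is mapped. The TransportConfig and ClientCertificate types and the sample subjects are constructed for the example.

```python
# Added model of the RAD client-certificate-to-user mapping described on this page.
# Not Oracle's implementation; assumptions are noted in comments.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TransportConfig:
    """The three boolean properties documented above, with their default values."""
    allow_client_certificate: bool = True
    require_client_certificate: bool = False
    map_host_certificate_to_root: bool = False


@dataclass
class ClientCertificate:
    """Only the parts of an X.509 client certificate the mapping looks at."""
    subject: str                                   # RFC 4514 DN, e.g. "UID=alice,CN=alice.example.com"
    san_dns_names: List[str] = field(default_factory=list)
    ca_verified: bool = True                       # assumption: chain already checked against client_ca_path


def parse_subject(dn: str) -> Dict[str, List[str]]:
    """Split a comma-separated DN string into attribute type -> values (types upper-cased)."""
    attrs: Dict[str, List[str]] = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            continue
        attr_type, value = rdn.split("=", 1)
        attrs.setdefault(attr_type.strip().upper(), []).append(value.strip())
    return attrs


def map_certificate_to_user(cfg: TransportConfig,
                            cert: Optional[ClientCertificate],
                            peer_host: str,
                            known_users: List[str]) -> Tuple[Optional[str], str]:
    """Return (user, reason). user is None when the certificate authenticates nobody."""
    if cert is None:
        if cfg.require_client_certificate:
            return None, "rejected: require_client_certificate is true and no certificate was presented"
        return None, "no client certificate; another authentication mechanism must be used"
    if not cfg.allow_client_certificate:
        return None, "allow_client_certificate is false; certificate ignored"
    if not cert.ca_verified:
        return None, "certificate not signed by the CA in client_ca_path"

    subject = parse_subject(cert.subject)
    uids = subject.get("UID", [])
    if uids:
        logname = uids[0]
        if logname in known_users:
            return logname, f"Subject UID={logname} names an existing user"
        # Assumption: the page says nothing about a UID for a user that does not exist.
        return None, f"Subject UID={logname} does not name an existing user"

    if cfg.map_host_certificate_to_root:
        # Peer host is looked for in the Subject CommonName and the SAN DNS names.
        names = [n.lower() for n in subject.get("CN", []) + cert.san_dns_names]
        if peer_host.lower() in names:        # assumption: case-insensitive host match
            return "root", f"no UID; peer host {peer_host} found in CN/SAN, mapped to root"
        return None, f"no UID; peer host {peer_host} not found in CN/SAN"

    return None, "no UID in Subject and map_host_certificate_to_root is false"


if __name__ == "__main__":
    # Constructed sample inputs for a local run.
    users = ["alice", "bob"]
    defaults = TransportConfig()
    host_to_root = TransportConfig(map_host_certificate_to_root=True)
    cases = [
        (defaults, ClientCertificate("UID=alice,CN=alice.example.com"), "alice.example.com"),
        (defaults, ClientCertificate("CN=host1.example.com"), "host1.example.com"),
        (host_to_root, ClientCertificate("CN=host1.example.com"), "host1.example.com"),
        (host_to_root, ClientCertificate("CN=host1.example.com", ca_verified=False), "host1.example.com"),
        (TransportConfig(require_client_certificate=True), None, "host1.example.com"),
    ]
    for cfg, cert, peer in cases:
        print(map_certificate_to_user(cfg, cert, peer, users))
```

The second and third cases show the effect of map_host_certificate_to_root: the same host certificate authenticates nobody under the defaults but becomes root once the property is true, which is why the page treats it as an opt-in.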

The following shell commands show how to enable mapping of client host certificates to the root user. This capability is useful when the client program is an HTTP client that can send TLS client certificates and uses the RAD HTTP/REST interface. To map the host certificate to the root user for the rad:remote service instance, set the https_port/map_host_certificate_to_root property to true, then refresh and restart the instance:

# svccfg -s rad:remote setprop https_port/map_host_certificate_to_root = boolean: true
# svcadm refresh rad:remote
# svcadm restart rad:remote