Configuring RAD Transports to Accept X.509 Client Certificates

The rad daemon permits you to configure transports to accept X.509 (x509) client certificates that authenticate the client holder of the certificate as a user (root or privileged user) on the server system.

You can configure the RAD TLS transport by configuring properties in the ssl_port property group of the svc:/system/rad:remote SMF instance.

Use the following configuration options to configure the RAD TLS transport:
- allow_client_certificate
  Specifies whether to permit clients to authenticate by using an X.509 client certificate. The default value is true. The certificate must be signed by a specific CA, which defaults to the one specified by client_ca_path. If the certificate contains UID=logname in the Subject and the user logname exists, the RAD daemon authenticates the connection as that user.

- client_ca_path
  Specifies the location of the PEM-formatted file that contains the CA certificate with which all client X.509 certificates must be signed. The value defaults to the certificate/ca/uri property value of the svc:/system/identity:cert SMF instance.

- map_host_certificate_to_root
  Specifies whether to permit mapping a client X.509 certificate to the root user. The default value is false. If the value is true and the client X.509 certificate does not have a UID set in the Subject, the RAD daemon determines whether the network peer host is listed in the Subject CommonName or in the Subject Alternative Name. If the rad daemon finds the network peer host, it authenticates the connection as the root user.

- require_client_certificate
  Specifies whether all clients must authenticate by using an X.509 client certificate. The default value is false.
The following shell commands show how to enable client certificates to map to the root user. This capability is useful when the client program is an HTTP client that can send TLS client certificates and uses the RAD HTTP/REST interface. Map the host certificate to the root user for the rad:remote service instance by setting the https_port/map_host_certificate_to_root property value to true as follows:

  # svccfg -s rad:remote setprop https_port/map_host_certificate_to_root = boolean: true
  # svcadm refresh rad:remote
  # svcadm restart rad:remote
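The mapping rules in the property list above, and the host-to-root mapping that the commands enable, as a runnable Python model. This is an added example, not code from RAD or Oracle: the property names and defaults are the documented ones, while the DN parser, the signed_by_client_ca flag standing in for the TLS layer's verdict against client_ca_path, the constructed certificates and hosts, and the (user, reason) result shape are assumptions made for illustration.

```python
# Added example (not RAD's own code): a model of the client-certificate
# mapping rules documented for the rad:remote TLS transport. Property names
# and defaults are the documented ones; DN parsing, the CA-verdict flag and
# the result shape are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class TransportConfig:
    """The documented properties, with their documented defaults."""
    allow_client_certificate: bool = True
    require_client_certificate: bool = False
    map_host_certificate_to_root: bool = False


@dataclass
class ClientCert:
    """The parts of a client certificate the rules look at."""
    subject: str                                 # DN string, e.g. "UID=alice,CN=alice,O=Example"
    san_dns: list = field(default_factory=list)  # DNS names from Subject Alternative Name
    signed_by_client_ca: bool = True             # assumption: TLS-layer verdict against client_ca_path


def parse_subject(dn: str) -> dict:
    """Split a simple comma-separated DN into {ATTR: value}; first occurrence wins.
    Assumes no escaped commas, which is enough for the constructed inputs below."""
    attrs = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().upper(), value.strip())
    return attrs


def map_client_cert(cfg: TransportConfig, cert: Optional[ClientCert],
                    peer_host: str, known_users) -> Tuple[Optional[str], str]:
    """Return (user, reason): the user the connection is authenticated as,
    or None when certificate authentication maps to no user."""
    if cert is None:
        if cfg.require_client_certificate:
            return None, "rejected: require_client_certificate is true and no certificate was presented"
        return None, "no certificate; other authentication methods apply"
    if not cfg.allow_client_certificate:
        return None, "ignored: allow_client_certificate is false"
    if not cert.signed_by_client_ca:
        return None, "rejected: not signed by the CA in client_ca_path"
    subject = parse_subject(cert.subject)
    uid = subject.get("UID")
    if uid is not None:
        if uid in known_users:
            return uid, "Subject UID matches an existing user"
        return None, f"Subject UID {uid!r} is not an existing user"
    # No UID in the Subject: only the host-to-root mapping can still apply.
    if cfg.map_host_certificate_to_root:
        names = set(cert.san_dns)
        if "CN" in subject:
            names.add(subject["CN"])
        if peer_host in names:
            return "root", "map_host_certificate_to_root: peer host found in CN or SAN"
        return None, "peer host not listed in CN or SAN"
    return None, "no UID in Subject and map_host_certificate_to_root is false"


# Constructed inputs (not real certificates, users or hosts).
USERS = {"alice", "bob"}
USER_CERT = ClientCert(subject="UID=alice,CN=alice,O=Example")
HOST_CERT = ClientCert(subject="CN=client.example.test,O=Example",
                       san_dns=["client.example.test"])
UNTRUSTED = ClientCert(subject="UID=alice,O=Example", signed_by_client_ca=False)


def demo() -> dict:
    """Run the documented cases; returns case name -> mapped user (or None)."""
    default = TransportConfig()
    root_map = TransportConfig(map_host_certificate_to_root=True)
    strict = TransportConfig(require_client_certificate=True)
    cases = {
        "uid_cert_default": map_client_cert(default, USER_CERT, "client.example.test", USERS),
        "host_cert_default": map_client_cert(default, HOST_CERT, "client.example.test", USERS),
        "host_cert_root_map": map_client_cert(root_map, HOST_CERT, "client.example.test", USERS),
        "host_cert_wrong_peer": map_client_cert(root_map, HOST_CERT, "other.example.test", USERS),
        "no_cert_strict": map_client_cert(strict, None, "client.example.test", USERS),
        "untrusted_ca": map_client_cert(root_map, UNTRUSTED, "client.example.test", USERS),
    }
    for name, (user, reason) in cases.items():
        print(f"{name:22s} -> {str(user):6s} ({reason})")
    return {name: user for name, (user, _) in cases.items()}


if __name__ == "__main__":
    demo()
```

The host_cert_root_map case is the one the svccfg commands above enable, and it is why client_ca_path matters once map_host_certificate_to_root is true: any certificate that CA issues carrying the peer's name in the CN or SAN authenticates as root, so that CA should issue only the host certificates you intend, and leaving require_client_certificate at false means clients without a certificate still fall through to the transport's other authentication methods.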