SecurityCenter supports SSL client certificate authentication. This allows SSL client certificates, smart cards, personal identity verification (PIV) cards, and common access cards (CAC) to be used for login when the browser is configured for this method.
By default, SecurityCenter authenticates users with a password. To allow SSL client certificate authentication, the web server must be configured to accept such connections. To do this, edit the /opt/sc/support/conf/sslverify.conf file on the SecurityCenter server using any standard text editor and set the “SSLVerifyClient” directive to one of none, optional, or require, as described in the following table.
SSL Client Certificate Configuration Options

none: SSL certificates for SecurityCenter will not be accepted by the server for user authentication purposes. This is the default setting for SecurityCenter.

optional: Valid SSL certificates for SecurityCenter may be used for user authentication. If a valid certificate is not presented, the user may log in using only a password.
Caution: Depending on how they are configured, some web browsers may not connect to SecurityCenter when the “optional” setting is used.

require: A valid SSL certificate for SecurityCenter must be presented to gain access to the web interface. If the user has an account that uses a certificate to authenticate, that user will be logged into SecurityCenter. Otherwise, the user will be presented with the standard SecurityCenter login page.
When a user is initially created and configured, a password must be created for the user. Users who are configured to use SSL certificates will be asked whether they want to always use the current certificate when they log in to SecurityCenter through a browser. If “Yes” is selected, the certificate will be associated with their account and future access to SecurityCenter will use the client certificate. If “No” is selected, the certificate will be ignored for the current session.
Configure SecurityCenter for Certificates
The first step to allow SSL certificate authentication is to configure the SecurityCenter web server. This process allows the web server to trust certificates issued by the Certificate Authority (CA) for authentication.
Run the installCA.php script to create the required files for each CA in /opt/sc/data/CA as follows:
# /opt/sc/support/bin/php /opt/sc/src/tools/installCA.php /tmp/ROOTCA2.cer
Once each of your CAs has been processed, restart the SecurityCenter services with the following command:
# service SecurityCenter restart
After SecurityCenter has been configured with the proper CA certificate(s), users may log in to SecurityCenter using SSL client certificates.
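The following shell script is an added example, not part of the SecurityCenter documentation or Tenable's tooling. It wraps the two steps above for a configuration review: it reads and sets the SSLVerifyClient value in sslverify.conf (assuming the file uses Apache mod_ssl directive syntax, which the directive name implies), rejecting any mode other than the three documented ones, and it checks that each file is really a CA certificate (basicConstraints CA:TRUE, checked with openssl, assumed to be on the PATH) before passing it to installCA.php and restarting the service. The file paths and commands are those given on the page; the SC_SSLVERIFY_CONF environment variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Tenable's code). Assumes sslverify.conf holds an
# Apache-style "SSLVerifyClient <mode>" line and that openssl is installed.

SC_SSLVERIFY_CONF="${SC_SSLVERIFY_CONF:-/opt/sc/support/conf/sslverify.conf}"
SC_PHP=/opt/sc/support/bin/php
SC_INSTALL_CA=/opt/sc/src/tools/installCA.php

# Print the effective SSLVerifyClient mode of a config file, in lower case.
# Commented-out lines are ignored; the last active directive wins; if the
# directive is absent, mod_ssl's default ("none") is reported.
sslverify_mode() {
    conf="$1"
    mode=$(grep -i '^[[:space:]]*SSLVerifyClient[[:space:]]' "$conf" 2>/dev/null \
           | tail -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${mode:-none}"
}

# Succeed only for the three modes the documentation lists.
valid_mode() {
    case "$1" in
        none|optional|require) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite (or append) the directive, keeping a .bak copy of the original.
# An unknown mode is refused rather than written into the web server config.
set_sslverify_mode() {
    conf="$1"; mode="$2"
    valid_mode "$mode" || { echo "unknown SSLVerifyClient mode: $mode" >&2; return 1; }
    cp "$conf" "$conf.bak"
    if grep -qi '^[[:space:]]*SSLVerifyClient[[:space:]]' "$conf"; then
        awk -v m="$mode" 'tolower($1)=="sslverifyclient" {print "SSLVerifyClient " m; next} {print}' \
            "$conf" > "$conf.new" && mv "$conf.new" "$conf"
    else
        printf 'SSLVerifyClient %s\n' "$mode" >> "$conf"
    fi
}

# Confirm a file is an X.509 CA certificate (PEM or DER) before importing it,
# and print its subject, expiry and SHA-256 fingerprint for the change record.
check_ca_cert() {
    f="$1"
    if openssl x509 -in "$f" -noout >/dev/null 2>&1; then form=PEM
    elif openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then form=DER
    else echo "$f: not an X.509 certificate" >&2; return 1; fi
    if ! openssl x509 -in "$f" -inform "$form" -noout -text | grep -q 'CA:TRUE'; then
        echo "$f: not a CA certificate (basicConstraints CA:TRUE missing)" >&2
        return 1
    fi
    openssl x509 -in "$f" -inform "$form" -noout -subject -enddate -fingerprint -sha256
}

# Import each CA with the page's installCA.php command, then restart once.
install_cas() {
    for f in "$@"; do
        check_ca_cert "$f" || return 1
        "$SC_PHP" "$SC_INSTALL_CA" "$f" || return 1
    done
    service SecurityCenter restart
}

# Usage: sh sc-cert-auth.sh <none|optional|require> [ROOTCA.cer ...]
main() {
    mode="$1"; shift
    echo "current SSLVerifyClient: $(sslverify_mode "$SC_SSLVERIFY_CONF")"
    set_sslverify_mode "$SC_SSLVERIFY_CONF" "$mode" || exit 1
    if [ "$#" -gt 0 ]; then install_cas "$@" || exit 1; fi
    echo "new SSLVerifyClient: $(sslverify_mode "$SC_SSLVERIFY_CONF")"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root on the SecurityCenter host, for example `sh sc-cert-auth.sh require /tmp/ROOTCA2.cer`; with SC_SSLVERIFY_CONF pointing at a copy of the file, the mode functions can be exercised safely on any machine. Checking basicConstraints before the import catches the common mistake of handing installCA.php a server or user certificate instead of the issuing CA.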
Connect with SSL Certificate Enabled Browser
Note: The following information is provided with the understanding that your browser is configured for SSL certificate authentication. Please refer to your browser’s help files or other documentation to configure this feature.
The process to configure a certificate login begins when a user connects to SecurityCenter for the first time. The process is completed by the user and does not require Administrator intervention.
The browser presents a list of available certificate identities to select from.
Once a certificate has been selected, a prompt for the PIN or password for the certificate is presented (if required) to access your certificate. When the PIN or password is successfully entered, the certificate will be available for the current session with SecurityCenter.
Upon the initial connection, log in using the username to be associated with the selected certificate.
Caution: Only one SecurityCenter user may be associated with a single certificate. If one user holds multiple user names and roles, a unique certificate must be provided for each login name.
Once logged in, a window titled “Certificate Authentication” is presented, asking if the current certificate is to be used to authenticate the current user. If “Yes” is selected, the certificate will be associated with this user. If “No” is selected, the certificate will be ignored for the current session.
Note: If the user’s browser is configured for certificate authentication but the certificate has not been associated with a SecurityCenter user, the “Certificate Authentication” prompt will be presented at each login.
When a user’s account is associated with a certificate, it is displayed on the user’s profile page.
Note: The “Certificate Details” section for a user only appears if there is an associated certificate and does not display until the user logs in again after the initial certificate configuration.
If a new certificate is available the next time the user logs in, SecurityCenter will again attempt to associate the user with the certificate.
Note: If you log out of the session, you will be presented with the standard SecurityCenter login screen. If you wish to log in again with the same certificate, refresh your browser window. If you need to use a different certificate, you must restart your browser session.