SSL Client Certificate Authentication

SecurityCenter allows users to use SSL client certificate authentication. This allows use of SSL client certificates, smart cards, personal identity verification (PIV) cards, and common access card (CAC) authentication when the browser is configured for this method.

By default, SecurityCenter authenticates users with a password. To allow SSL client certificate authentication, the web server must first be changed to accept such connections. To do this, edit the /opt/sc/support/conf/sslverify.conf file on the SecurityCenter server using any standard text editor and set the SSLVerifyClient directive to one of none, optional, or require, as described in the following table.

SSL Client Certificate Configuration Options

Option Description

none

When set to none, SSL certificates for SecurityCenter will not be accepted by the server for user authentication purposes. This is the default setting for SecurityCenter.

optional

When set to optional, valid SSL certificates for SecurityCenter may be used for user authentication. If a valid certificate is not presented, the user may log in using only a password.

Caution: Depending on how they are configured, some web browsers may not connect to SecurityCenter when the optional setting is used.

require

When set to require, a valid SSL certificate for SecurityCenter must be presented to gain access to the web interface. If the user has an account that uses a certificate to authenticate, that user will be logged into SecurityCenter. Otherwise the user will be presented with the standard SecurityCenter login page.

When a user is initially created and configured, a password must be created for the user. Users who are configured to use SSL certificates will be prompted to determine if they want to always use the current certificate when they log in to SecurityCenter through a browser. If Yes is selected, the certificate will be associated with their account and future access to SecurityCenter will use the client certificate. If No is selected, the certificate will be ignored for the current session.

Configure SecurityCenter for Certificates

The first step to allow SSL certificate authentication is to configure the SecurityCenter web server. This process allows the web server to trust certificates created by the Certificate Authority (CA) for authentication.

  1. Copy the required PEM-encoded CA certificate (and intermediary CA, if needed) to the SecurityCenter server’s /tmp directory. For this example, the file is named ROOTCA2.cer.
  2. Run the installCA.php script to create the required files for each CA in /opt/sc/data/CA as follows:

    # /opt/sc/support/bin/php /opt/sc/src/tools/installCA.php /tmp/ROOTCA2.cer

  3. Once each of your CAs has been processed, restart the SecurityCenter services with the following command:

    # service SecurityCenter restart

    After SecurityCenter has been configured with the proper CA certificate(s), users may log in to SecurityCenter using SSL client certificates.
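Two pre-checks a practitioner would run before the steps above: read back the SSLVerifyClient value actually set in sslverify.conf (the table's three documented values), and confirm the CA file is PEM-encoded before passing it to installCA.php, since a .cer file is often binary DER. This is an added example, not Tenable's code; the sample config text and certificate bytes are constructed and the "last directive wins" rule is an assumption.

```python
import base64
import re
import textwrap

# The three SSLVerifyClient values the page documents; anything else is rejected.
VALID_MODES = {"none", "optional", "require"}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def ssl_verify_client_mode(conf_text):
    """Return the effective SSLVerifyClient value from sslverify.conf text.
    Comments are ignored; if the directive repeats, the last occurrence is
    taken (assumption). Defaults to "none", the documented default.
    Raises ValueError on a value the page does not list."""
    mode = "none"
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "sslverifyclient":
            value = parts[1].lower()
            if value not in VALID_MODES:
                raise ValueError(f"unsupported SSLVerifyClient value: {parts[1]}")
            mode = value
    return mode

def classify_ca_file(data):
    """Check that a CA file is PEM before handing it to installCA.php.
    Returns ("pem", n) with the certificate count (root plus intermediaries),
    ("der", 1) for a binary DER certificate (outer ASN.1 SEQUENCE tag 0x30)
    that must be converted first, or ("unknown", 0) for anything else."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem", len(PEM_BLOCK.findall(data.decode("ascii", "replace")))
    if data[:1] == b"\x30":
        return "der", 1
    return "unknown", 0

def der_to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed samples: not Tenable's shipped sslverify.conf and not real certificates.
SAMPLE_CONF = "# SSLVerifyClient require\nSSLVerifyClient optional\n"
SAMPLE_BUNDLE = der_to_pem(b"\x30\x03\x02\x01\x01").encode() * 2  # root + intermediary

if __name__ == "__main__":
    print("mode:", ssl_verify_client_mode(SAMPLE_CONF))
    print("bundle:", classify_ca_file(SAMPLE_BUNDLE))
```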

Connect with SSL Certificate Enabled Browser

Note: The following information is provided with the understanding that your browser is configured for SSL certificate authentication. Please refer to your browser’s help files or other documentation to configure this feature.

The process to configure a certificate login begins when a user connects to SecurityCenter for the first time. The process is completed by the user and does not require Administrator intervention.

  1. Launch a browser and navigate to SecurityCenter.
  2. The browser will present a list of available certificate identities to select from:

  3. Once a certificate has been selected, a prompt for the certificate's PIN or password is presented (if one is required). When the PIN or password is successfully entered, the certificate will be available for the current session with SecurityCenter.

  4. Upon the initial connection, log in using the username to be associated with the selected certificate.

    Caution: Only one SecurityCenter user may be associated with a single certificate. If one user holds multiple user names and roles, a unique certificate must be provided for each login name.

  5. Once logged in, a window titled Certificate Authentication is presented, asking if the current certificate is to be used to authenticate the current user. If Yes is selected, the certificate will be associated with this user. If No is selected, the certificate will be ignored for the current session.

    Note: If the user’s browser is configured for certificate authentication but the presented certificate is not associated with a SecurityCenter user, the following prompt will be presented for each login.

  6. When a user’s account is associated with a certificate, it is displayed on the user’s profile page.

    Note: The Certificate Details section for a user only appears if there is an associated certificate and does not display until the user logs in again after the initial certificate configuration.

  7. If a user’s certificate changes or is required to be revoked, the current certificate may be disassociated from the user by clicking the Clear Certification Details button.
  8. If a new certificate is available the next time the user logs in, SecurityCenter will again attempt to associate the user with the certificate.

    Note: If you log out of the session, you will be presented with the standard SecurityCenter login screen. If you wish to log in again with the same certificate, refresh your browser window. If you need to use a different certificate, you must restart your browser session.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.