SSL Client Certificate Authentication

SecurityCenter allows users to use SSL client certificate authentication. This allows use of SSL client certificates, smart cards, personal identity verification (PIV) cards, and common access card (CAC) authentication when the browser is configured for this method.

By default, SecurityCenter authenticates users with a password. To allow SSL client certificate authentication, the web server configuration must be changed to accept such connections. On the SecurityCenter server, edit the /opt/sc/support/conf/sslverify.conf file using any standard text editor and set SSLVerifyClient to none, optional, or require, as described in the following table.

| Option | Description |
|---|---|
| none | When set to none, SSL certificates for SecurityCenter will not be accepted by the server for user authentication purposes. This is the default setting for SecurityCenter. |
| optional | When set to optional, valid SSL certificates for SecurityCenter may be used for user authentication. If a valid certificate is not presented, the user may log in using only a password. Caution: Depending on how they are configured, some web browsers may not connect to SecurityCenter when the optional setting is used. |
| require | When set to require, a valid SSL certificate for SecurityCenter must be presented to gain access to the web interface. If the user has an account that uses a certificate to authenticate, that user will be logged into SecurityCenter. Otherwise, the user will be presented with the standard SecurityCenter login page. |
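
The following shell check is an added example, not part of the Tenable documentation: it reads an sslverify.conf file and reports which of the three login behaviours in the table is in effect. It assumes the file uses Apache directive syntax (SSLVerifyClient followed by the option) and that the last uncommented occurrence is the effective one; the function names and posture labels are hypothetical.

```shell
#!/bin/sh
# Added example (not Tenable code): report the effective SSLVerifyClient mode.
# Assumption: sslverify.conf uses Apache directive syntax, one directive per line.

# Print the value of the last uncommented SSLVerifyClient directive, lowercased.
# Prints nothing when the directive is absent.
sslverify_mode() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[[:space:]]*#/ { next }           # skip commented-out directives
        tolower($1) == "sslverifyclient" { mode = tolower($2) }
        END { if (mode != "") print mode }
    ' "$1"
}

# Map the mode to the login behaviour described for each option.
# Returns 0 for a documented option, 1 for any other value, 2 if unreadable.
sslverify_posture() {
    conf="$1"
    [ -r "$conf" ] || { echo "error: cannot read $conf" >&2; return 2; }
    mode=$(sslverify_mode "$conf")
    case "$mode" in
        none|"")  echo "password-only" ;;            # absent directive: treated as none
        optional) echo "certificate-or-password" ;;
        require)  echo "certificate-required" ;;
        *)        echo "unknown:$mode"; return 1 ;;  # not one of the three documented options
    esac
}

# Constructed sample (not a real SecurityCenter file): the commented line is
# ignored and the last active directive wins.
sample=$(mktemp)
printf '%s\n' '# SSLVerifyClient require' 'SSLVerifyClient none' \
    '  sslverifyclient Optional' > "$sample"
sslverify_posture "$sample"    # certificate-or-password
rm -f "$sample"
```

On the SecurityCenter server, call sslverify_posture with /opt/sc/support/conf/sslverify.conf after each edit to confirm that the file contains the mode you intended.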

When a user is initially created and configured, a password must be created for the user. Users who are configured to use SSL certificates will be prompted to determine if they want to always use the current certificate when they log in to SecurityCenter through a browser. If Yes is selected, the certificate will be associated with their account and future access to SecurityCenter will use the client certificate. If No is selected, the certificate will be ignored for the current session.

Before You Begin:

To perform a certificate-based SecurityCenter login:

Note: The following information is provided with the understanding that your browser is configured for SSL certificate authentication. Please refer to your browser’s help files or other documentation to configure this feature.

  1. Open a browser window and navigate to SecurityCenter.

    The browser presents a list of available certificate identities.

  2. Select a certificate.

  3. Click OK.

    An authentication prompt appears (if required to access your certificate).

  4. (Optional) If prompted, type a PIN or password.
  5. Click OK.

    The SecurityCenter login page appears.

  6. Log in using the username to be associated with the selected certificate.

    Caution: Only one SecurityCenter user may be associated with a single certificate. If one user holds multiple user names and roles, a unique certificate must be provided for each login name.

    The Certificate Authentication window appears.

  7. When prompted, specify whether the current certificate is to be used to authenticate the current user. If Yes is selected, the certificate will be associated with this user. If No is selected, the certificate will be ignored for the current session.

    Note: If the user’s browser is configured for certificate authentication but is not configured for a SecurityCenter user, the following prompt will be presented for each login.

    When a user’s account is associated with a certificate, it is displayed on the user’s profile page.

    Note: The Certificate Details section for a user only appears if there is an associated certificate and does not display until the user logs in again after the initial certificate configuration.

    If a user’s certificate changes or is required to be revoked, the current certificate may be disassociated from the user by clicking the Clear Certification Details button.

    If a new certificate is available the next time the user logs in, SecurityCenter will again attempt to associate the user with the certificate.

    Note: If you log out of the session, you will be presented with the standard SecurityCenter login page. If you wish to log in again with the same certificate, refresh your browser window. If you need to use a different certificate, you must restart your browser session.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.