7.4 X.509 Certificates - Setup Requirements

To authenticate users with X.509 client certificates, such as a certificate stored on a smart card, be sure these requirements are met. Some settings are client-specific.

In addition, you can use X.509 authentication to log in to the Administrative Console.

7.4.1 Client requirements

These settings are required for any client using X.509 certificates.

Table 7-4

X.509 must be enabled in the Administrative Console: Configure Settings - Authentication & Authorization > X.509.

Each client that is authorized to use Management and Security Server resources must have a client certificate, such as a certificate stored on a smart card, and a valid user account in LDAP.

The issuer of the client certificates must be trusted by Management and Security. For more information, refer to Trusted Certificates.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

Check the requirements for your client:

Host Access for the Cloud clients

These additional settings must be in place for Host Access for the Cloud.

Table 7-5

A port configured for TLS client authentication must be enabled on the Management and Security Server.

This secure port listens for and authenticates communications between MSS and the Host Access for the Cloud Session Server. This port is automatically configured when using the MSS automated installer or an MSS configuration utility.

Note: A certificate to trust the Host Access for the Cloud Session Server is configured by the automated installer.

No further action is needed, unless you want to manually add a CA-signed certificate to the MSS trust store.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

To manually add a CA-signed or other certificate to the MSS trust store:

  1. In the Administrative Console, open Configure Settings - Trusted Certificates.

  2. Click Management and Security Server, and click +Import.

  3. Enter the keystore file name, password, and friendly name.

    Note: Make sure the file containing the certificate is on the Administrative Server in this folder:

    /var/opt/microfocus/mss/mssdata/certificates

  4. Click Import to add the certificate.

  5. Restart the MSS Administrative Server.

Windows-based clients

These additional settings must be in place for Windows-based clients.

Table 7-6

A port configured for TLS client authentication must be enabled on the Management and Security Server. This secure port authenticates end-user certificates presented by Windows-based clients (such as Reflection or Rumba+).

Note: When using the MSS automated installer or an MSS configuration utility, this port is automatically configured.

The Administrative Server must be restarted after adding a CA-signed certificate.

If using Clustering, be sure to configure the servers that will be replicated. See Servers in a Cluster.

7.4.2 Servers in a Cluster

If you are using X.509 authentication and Clustering, you must manually move your CA certificates for X.509 authentication to the same location on each MSS server in the cluster.

On each server:

  1. Locate the MSSData directory. This path is displayed in the Administrative Console: About > Product Information.

  2. Copy the CA certificates to the MSSData\certificates directory.

  3. Use the Administrative Console (Configure Settings > Trusted Certificates) to import the certificates into the Management and Security Server Trusted Certificate List. See Help for assistance.

  4. Copy system-trustcerts.bcfks from one MSS server to the same location on each other clustered server: MSS\server\etc.

  5. Restart the MSS Service on the server (required for the changes to take effect).

  6. Repeat these steps for each server in the replication cluster.

7.4.3 Optional: Administrative Console login

You can use X.509 authentication to log in to the Administrative Console. In this instance, the Administrative Console acts as a client to the core MSS Administrative Server.

Use the Java keytool application to place the certificate in the expected location.

  1. Add the root CA certificate to the MSS servletcontainer trust store.

    keytool -importcert -noprompt -file daso_rootca.crt -keystore servletcontainer.bcfks -providername BCFIPS -storetype bcfks -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-*.jar -storepass changeit -alias daso_rootca

  2. Configure the Administrative Console to use HTTPS to access MSS web services.

    Open <installpath>\MSS\server\conf\container.properties and edit this setting to use HTTPS:

    management.server.url=https://<servername>:8443/mss

  3. Navigate to the server URL using HTTPS.

    Assuming that the user certificate is configured in the browser (details vary by browser), you can navigate to the adminconsole url:

    https://<servername>:8443/adminconsole
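Steps 1 and 2 above, scripted for a Linux install as an added example (this is not code from the product documentation): the store password changeit, port 8443, the relative ../lib path for the BC FIPS jar and the property-file layout are assumptions taken from the command and setting shown above. The import is skipped when the alias is already present, and the URL is rewritten in place with a backup.

```shell
#!/bin/sh
# Added example, not from the MSS documentation. Assumes the page's layout:
# run from MSS/server/etc so that ../lib/bc-fips-*.jar resolves.
BCPROV=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

# Step 1: import the root CA into servletcontainer.bcfks unless the alias
# already exists (keytool refuses to import a duplicate alias).
import_root_ca() {
  store="$1"; certfile="$2"; alias="$3"; storepass="${4:-changeit}"
  bcjar=$(ls ../lib/bc-fips-*.jar 2>/dev/null | head -n 1)
  [ -n "$bcjar" ] || { echo "bc-fips jar not found under ../lib" >&2; return 1; }
  if keytool -list -keystore "$store" -storetype bcfks -providername BCFIPS \
       -providerclass "$BCPROV" -providerpath "$bcjar" \
       -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
    echo "alias $alias already present in $store"; return 0
  fi
  keytool -importcert -noprompt -file "$certfile" -keystore "$store" \
    -storetype bcfks -providername BCFIPS -providerclass "$BCPROV" \
    -providerpath "$bcjar" -storepass "$storepass" -alias "$alias"
}

# Step 2: point management.server.url at the HTTPS port in container.properties.
# Every other line is kept; a .bak copy is written first; the key is appended
# if the file does not contain it yet.
set_https_url() {
  propfile="$1"; server="$2"; port="${3:-8443}"
  cp "$propfile" "$propfile.bak" || return 1
  awk -v url="https://$server:$port/mss" '
    /^management\.server\.url=/ { print "management.server.url=" url; found = 1; next }
    { print }
    END { if (!found) print "management.server.url=" url }' "$propfile.bak" > "$propfile"
}

# Returns 0 only when the configured URL uses HTTPS (required for X.509 login).
check_https_url() {
  grep -q '^management\.server\.url=https://' "$1"
}

# Prints the configured URL so a caller can inspect it.
get_management_url() {
  sed -n 's/^management\.server\.url=//p' "$1" | head -n 1
}
```

Restart the MSS Administrative Server after running both steps, as the procedure above requires.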