Skip to content

X.509 Certificates - Setup Requirements

To authenticate users with X.509 client certificates, such as a certificate stored on a smart card, be sure these requirements are met. Some settings are client-specific.

X.509 authentication can be used to access the Assigned Sessions list but currently not the MSS Administrative Console.

Setup requirements

These settings are required for any client using X.509 certificates.

Each client that is authorized to use MSS resources must have a client certificate, such as a certificate stored on a smart card.

The client certificates cannot be signed with the SHA-1 hash algorithm.

The Cluster DNS must be set to a non IP address (See the Cluster Management - Settings help).

The issuer of the client certificates must be installed as a Kubernetes secret.

The issuer of the client certificates must be trusted by MSS.

X.509 must be enabled in the MSS Administrative Console.

Kubernetes secret

To add a CA-signed certificate as a Kubernetes secret:

  1. Install the Kubernetes command line tool (kubectl).

  2. In the Administrative Console, from the drop-down menu, select Cluster Management. Then click Advanced and the Download KubeConfig File button to save locally.

  3. In a terminal run the following command:

    kubectl --kubeconfig <kubeconfig-file> -n mss create secret generic mss-mss-server-x509-signing-cert --from-file=ca.crt=<ca-cert.pem>

    Note

    The CA-signed certificate must be in PEM format.

MSS trust store

To add a CA-signed or other certificate to the MSS trust store:

  1. In the Administrative Console, open Configure Settings - Trusted Certificates.

  2. Click Management and Security Server, and click +IMPORT.

  3. Click UPLOAD and select the file containing the certificate to upload to the MSS Server.

  4. Enter the Keystore file name, Keystore password, and Friendly name.

  5. Click IMPORT to add the certificate.

Enabling X.509

  1. First, enable OAuth.

  2. Then, after the CA-signed certificate is added as a Kubernetes secret, in the MSS Administrative Console, click Configure Settings - Authentication & Authorization > X.509.