X.509 Configuration

Use this configuration to enable users to authenticate with X.509 client certificates. Optionally, you can specify settings to fall back to LDAP authentication if certificate-based authentication fails.

X.509 authentication can be used to access the Assigned Sessions list as well as the MSS Administrative Console.

Steps at a glance

  1. Be sure the X.509 Certificate - Setup Requirements are met.

    • Add a CA-signed certificate as a Kubernetes secret.
    • Add a CA-signed certificate to the MSS trust store.
    • Enable X.509.
  2. Configure X.509 Settings in the MSS Administrative Console.

    • Choose LDAP options.
    • See Certificate Revocation Checking.
    • Confirm or add LDAP server.

X.509 Certificate Prerequisites

Be sure the X.509 Certificate - Setup Requirements are met before configuring X.509 in the Administrative Console.

X.509 Settings in the MSS Administrative Console

After you click X.509 as the Authentication method, click Use LDAP to restrict access to sessions under Authorization method.

Choose your LDAP options for authentication

  • Fallback to LDAP authentication

    Use this option to prompt the user for LDAP credentials when certificate-based authentication fails.

  • Validate LDAP User Account

    Account validation is always enabled and causes authentication to fail when an LDAP search fails to resolve a Distinguished Name (DN) for the name value obtained from the user’s certificate. If you are using Microsoft Active Directory as your LDAP server type, additional validation is performed. User authentication will fail when the user’s Active Directory account is either disabled or expired.
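The two validation rules above, as an added example that is not part of the MSS product or this page: the name value from the certificate must resolve to exactly one DN, and for Active Directory the account must additionally be neither disabled nor expired. The page does not say which directory attributes MSS consults; this example assumes the standard Active Directory attributes userAccountControl (ACCOUNTDISABLE bit 0x0002) and accountExpires (a Windows FILETIME, 100 ns ticks since 1601-01-01, where 0 or the maximum 64-bit value means the account never expires). The search result, the DN and the attribute values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Entry is one LDAP search result: the resolved DN plus its attributes.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// accountDisable is the ACCOUNTDISABLE bit of Active Directory's
// userAccountControl attribute.
const accountDisable = 0x0002

// filetimeToUnix is the number of seconds between the Windows FILETIME epoch
// (1601-01-01) and the Unix epoch (1970-01-01).
const filetimeToUnix = 11644473600

// AccountExpiry decodes an accountExpires value. The second result is false
// when the account never expires (value 0 or the maximum 64-bit value).
func AccountExpiry(value string) (time.Time, bool, error) {
	ticks, err := strconv.ParseInt(value, 10, 64)
	if err != nil {
		return time.Time{}, false, err
	}
	if ticks == 0 || ticks == 9223372036854775807 {
		return time.Time{}, false, nil
	}
	// accountExpires counts 100 ns intervals since 1601-01-01; second precision is enough here.
	return time.Unix(ticks/10_000_000-filetimeToUnix, 0).UTC(), true, nil
}

// ValidateAccount applies the documented rule: the name taken from the
// certificate must resolve to exactly one DN, and for Active Directory the
// account must be neither disabled nor expired. It returns the resolved DN.
func ValidateAccount(results []Entry, activeDirectory bool, now time.Time) (string, error) {
	if len(results) != 1 {
		return "", fmt.Errorf("LDAP search resolved %d entries, need exactly one DN", len(results))
	}
	e := results[0]
	if !activeDirectory {
		return e.DN, nil // other LDAP server types: DN resolution is the only check
	}
	uacValues := e.Attrs["userAccountControl"]
	if len(uacValues) == 0 {
		return "", errors.New("userAccountControl attribute missing")
	}
	uac, err := strconv.ParseUint(uacValues[0], 10, 32)
	if err != nil {
		return "", fmt.Errorf("bad userAccountControl: %w", err)
	}
	if uac&accountDisable != 0 {
		return "", errors.New("account is disabled")
	}
	if exp := e.Attrs["accountExpires"]; len(exp) > 0 {
		when, expires, err := AccountExpiry(exp[0])
		if err != nil {
			return "", fmt.Errorf("bad accountExpires: %w", err)
		}
		if expires && !when.After(now) {
			return "", fmt.Errorf("account expired on %s", when.Format(time.RFC3339))
		}
	}
	return e.DN, nil
}

func main() {
	// Constructed search result for a user whose account expired on 2020-01-01.
	results := []Entry{{
		DN: "CN=jdoe,OU=Users,DC=example,DC=test",
		Attrs: map[string][]string{
			"userAccountControl": {"512"},                // NORMAL_ACCOUNT, not disabled
			"accountExpires":     {"132223104000000000"}, // 2020-01-01T00:00:00Z
		},
	}}
	dn, err := ValidateAccount(results, true, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC))
	fmt.Printf("dn=%q err=%v\n", dn, err) // authentication fails: account expired
}
```

A search that returns zero entries and one that returns several are both rejected: an ambiguous name must never be mapped to the first hit, since that would let one certificate authenticate as a different directory account.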

Certificate Revocation Checking

Changes to the certificate revocation checking settings below do not take effect until the server is restarted.

Note

If you enable both OCSP and CRL checking, then OCSP will always be tried first. If the revocation status cannot be determined using OCSP, the validation will fall back to using CRL.

Enable Online Certificate Status Protocol (OCSP)

The Online Certificate Status Protocol (OCSP) is an Internet protocol for obtaining the revocation status of an X.509 digital certificate. Use this option to specify the OCSP settings used to verify the TLS client certificate chain. OCSP is an alternative to Certificate Revocation Lists (CRLs) and is commonly implemented in a Public Key Infrastructure (PKI).

An OCSP server, also called a responder, may return a signed response signifying that the certificate specified in the request is good, revoked, or unknown. If it cannot process the request, it may return an error code.

When you check Enable Online Certificate Status Protocol (OCSP), the OCSP server URL (specified in the AIA extension of a certificate) is used to check the certificate revocation status using OCSP. The Authority Information Access (AIA) extension indicates how to access Certificate Authority information and services for the issuer of the certificate in which the extension appears.

Enable Certificate Revocation List (CRL)

Use this option to check revocation against a CRL when the revocation status cannot be determined using OCSP.

When you check Enable Certificate Revocation List (CRL), the CRL server URL (specified in the CRLDP extension of a certificate) is used to retrieve the Certificate Revocation List. The CRL Distribution Point (CRLDP) extension indicates where the CRL for the certificate in which the extension appears can be obtained.
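The checking order described in the Note and in the two sections above (OCSP first, using the responder URL from the AIA extension; CRL, using the URL from the CRLDP extension, only when OCSP cannot determine the status), as an added example that is not part of the MSS product or this page. It builds a self-signed test certificate carrying constructed AIA and CRLDP URLs, reads those URLs back from the parsed certificate with Go's standard crypto/x509 package, and applies the decision logic. The OCSPFunc and CRLFunc types are hypothetical stand-ins for the network round trips; the responder and CRL answers are constructed so the example runs offline. One design choice goes slightly beyond the page: when every enabled mechanism fails to answer, the check fails closed rather than accepting the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus holds the three answers an OCSP responder can give.
type RevocationStatus int

const (
	StatusGood RevocationStatus = iota
	StatusRevoked
	StatusUnknown
)

// Settings models the two revocation checkboxes in the Administrative Console.
type Settings struct {
	EnableOCSP bool
	EnableCRL  bool
}

// OCSPFunc and CRLFunc stand in for the network round trips to the responder
// and to the CRL distribution point (hypothetical types, not an MSS API).
type OCSPFunc func(responderURL string, serial *big.Int) (RevocationStatus, error)
type CRLFunc func(crlURL string) (revokedSerials map[string]bool, err error)

// CheckRevocation applies the documented order: OCSP is tried first (URLs from
// the AIA extension); the CRL (URLs from the CRLDP extension) is consulted only
// when OCSP is disabled or could not determine the status. When every enabled
// mechanism fails to answer, the check fails closed with an error.
func CheckRevocation(cfg Settings, cert *x509.Certificate, ocsp OCSPFunc, crl CRLFunc) (bool, error) {
	if !cfg.EnableOCSP && !cfg.EnableCRL {
		return true, nil // revocation checking disabled: nothing to consult
	}
	if cfg.EnableOCSP {
		for _, u := range cert.OCSPServer {
			st, err := ocsp(u, cert.SerialNumber)
			if err != nil || st == StatusUnknown {
				continue // undetermined: try the next responder, then the CRL
			}
			return st == StatusGood, nil // a definitive OCSP answer ends the check
		}
	}
	if cfg.EnableCRL {
		for _, u := range cert.CRLDistributionPoints {
			revoked, err := crl(u)
			if err != nil {
				continue // distribution point unreachable: try the next one
			}
			return !revoked[cert.SerialNumber.String()], nil
		}
	}
	return false, errors.New("revocation status could not be determined")
}

// NewClientCert builds a self-signed test certificate carrying constructed AIA
// (OCSP responder) and CRLDP URLs so the extraction path can run offline.
func NewClientCert(serial int64, ocspURL, crlURL string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: "jdoe"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		OCSPServer:            []string{ocspURL}, // encoded into the AIA extension
		CRLDistributionPoints: []string{crlURL},  // encoded into the CRLDP extension
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewClientCert(42, "http://ocsp.example.test", "http://crl.example.test/ca.crl")
	if err != nil {
		panic(err)
	}
	fmt.Println("OCSP responder (AIA):", cert.OCSPServer)
	fmt.Println("CRL distribution point (CRLDP):", cert.CRLDistributionPoints)

	// Constructed responder that cannot answer, and a constructed CRL listing serial 42.
	ocsp := func(string, *big.Int) (RevocationStatus, error) { return StatusUnknown, nil }
	crl := func(string) (map[string]bool, error) { return map[string]bool{"42": true}, nil }
	ok, err := CheckRevocation(Settings{EnableOCSP: true, EnableCRL: true}, cert, ocsp, crl)
	fmt.Println("accepted:", ok, "error:", err) // accepted: false (serial found on the CRL)
}
```

Because the settings are read at startup, the same caveat as on this page applies to any such implementation: a change to the two flags is not visible until the server restarts.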

LDAP Servers

Confirm the listed server or add another LDAP server, which is used to authorize access to sessions.