X.509 Certificates - Setup Requirements - Management and Security Server Administrator Guide

7.3 X.509 Certificates - Setup Requirements

To authenticate users with X.509 client certificates, such as a certificate stored on a smart card, several elements must be in place.

Be sure the requirements for All clients are met in addition to those for your specific Reflection ZFE clients or Windows-based clients.

7.3.1 All clients

These settings are required for any client using X.509 certificates.

  • X.509 must be enabled in the Administrative Console: Configure Settings > Authentication & Authorization > X.509.

  • Each client that is authorized to use Management and Security Server resources must have a client certificate, such as a certificate stored on a smart card, and a valid user account in LDAP.

  • The issuer of the client certificates must be trusted by the Administrative Server. For more information, refer to Trusted Certificates.

7.3.2 Reflection ZFE clients

In addition to the requirement for All clients, these settings must be in place.

  • A port configured for TLS client authentication must be enabled on the Management and Security Server. This secure port listens for and authenticates communications between MSS and the Reflection ZFE Session Server. This port is automatically configured when using the MSS automated installer or an MSS configuration utility.

  • A certificate to trust the Reflection ZFE Session Server is configured by the automated installer. No further action is needed.

    However, if you need to manually add a certificate (such as a CA-signed certificate) to the trust store, follow these steps:

    1. Use the Java keytool application to import the certificate into the file named system.bcfks, located in MSS\server\etc.

      Example:

      C:\Program Files\Micro Focus\MSS\jre\jre\bin>keytool -importcert -alias alias -file certificate.cer -storetype bcfks -storepass changeit -providerpath ..\..\server\lib\bc-fips-*.jar -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -keystore ..\..\server\etc\system.bcfks

    2. Restart the Administrative Server.
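The import in step 1 only succeeds or fails; it does not tell you whether the entry now in system.bcfks is the certificate you meant to trust. The PowerShell script below is an added example (not part of this guide or the MSS product) that runs the same keytool import and then reads the entry back, comparing its SHA-256 fingerprint with the fingerprint of the file on disk. It assumes the default install path, the store password "changeit" from the example above, and a placeholder alias and certificate path; adjust these for your installation.

```powershell
# Added example: import a CA certificate into system.bcfks and verify the stored entry.
# Assumed: MSS installed under C:\Program Files\Micro Focus\MSS and store password "changeit".
$MssHome   = 'C:\Program Files\Micro Focus\MSS'
$Keytool   = Join-Path $MssHome 'jre\jre\bin\keytool.exe'
$Keystore  = Join-Path $MssHome 'server\etc\system.bcfks'
$BcFipsJar = (Get-ChildItem (Join-Path $MssHome 'server\lib') -Filter 'bc-fips-*.jar' |
              Select-Object -First 1).FullName

# Provider arguments shared by every keytool call against the BCFIPS keystore
$StoreArgs = @(
    '-keystore', $Keystore, '-storetype', 'bcfks', '-storepass', 'changeit',
    '-providerpath', $BcFipsJar, '-providername', 'BCFIPS',
    '-providerclass', 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider'
)

function Get-Sha256Fingerprint {
    # Pulls the "SHA256: AA:BB:..." line out of keytool -printcert or keytool -list -v output
    param([string[]]$KeytoolOutput)
    $line = $KeytoolOutput | Where-Object { $_ -match 'SHA256:' } | Select-Object -First 1
    if ($line -and $line -match 'SHA256:\s*([0-9A-Fa-f:]+)') {
        return $Matches[1].ToUpperInvariant()
    }
    throw 'No SHA256 fingerprint found in keytool output'
}

function Import-TrustedCert {
    param([string]$CertFile, [string]$Alias)
    # Fingerprint of the file before import (-printcert reads PEM or DER)
    $expected = Get-Sha256Fingerprint (& $Keytool -printcert -file $CertFile 2>&1)

    # Same import as the guide's keytool command; -noprompt skips the interactive "Trust?" question
    & $Keytool -importcert -noprompt -alias $Alias -file $CertFile @StoreArgs 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed for $CertFile" }

    # Read the entry back from system.bcfks and compare fingerprints
    $actual = Get-Sha256Fingerprint (& $Keytool -list -v -alias $Alias @StoreArgs 2>&1)
    if ($actual -ne $expected) {
        throw "Fingerprint mismatch for alias '$Alias': store has $actual, file has $expected"
    }
    Write-Host "Imported '$Alias' ($actual). Restart the Administrative Server to apply."
}

# Placeholder alias and certificate path (constructed for this example)
Import-TrustedCert -CertFile 'C:\temp\certificate.cer' -Alias 'example-ca'
```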

Replicated servers

If you are using Reflection ZFE with X.509 authentication and Replication, you must manually move your CA certificates for X.509 authentication, along with the system.bcfks, to the same location on each MSS Slave server in the replication cluster.

On each Slave server:

  1. Locate the MSSData directory. This path is displayed in the Administrative Console: About > Product Information.

  2. Copy the CA certificates to the MSSData\certificates directory.

  3. Use the Administrative Console (Configure Settings > Trusted Certificates) to import the certificates into the Management and Security Server Trusted Certificate List. See Help for assistance.

  4. Copy the system.bcfks file from the Master to the same location on the MSS Slave: MSS\server\etc.

  5. Restart the MSS Service on the Slave server (required for the changes to take effect).

  6. Repeat these steps for each Slave server in the replication cluster.

7.3.3 Windows-based clients

In addition to the requirement for All clients, these actions must take place.

  • A port configured for TLS client authentication must be enabled on the Management and Security Server. This secure port authenticates end-user certificates presented by Windows-based clients (such as Reflection or Rumba).

    Note: When using the MSS automated installer or an MSS configuration utility, this port is automatically configured.

  • The Administrative Server must be restarted after adding a CA-signed certificate.