X.509 Certificates - Setup Requirements - Management and Security Server Administrator Guide

7.4 X.509 Certificates - Setup Requirements

To authenticate users with X.509 client certificates, such as a certificate stored on a smart card, be sure these requirements are met. Some settings are client-specific.

In addition, you can use X.509 authentication to log in to the Administrative Console itself (see 7.4.3).

7.4.1 Client requirements

These settings are required for any client using X.509 certificates.

Table 7-4

X.509 must be enabled in the Administrative Console: Configure Settings - Authentication & Authorization > X.509.

Each client that is authorized to use Management and Security Server resources must have a client certificate, such as a certificate stored on a smart card, and a valid user account in LDAP.

The issuer of the client certificates must be trusted by Management and Security Server. For more information, refer to Trusted Certificates.

If using Replication, be sure to configure the Replicated servers.

Check the requirements for your client:

Host Access for the Cloud clients

These additional settings must be in place for Host Access for the Cloud.

Table 7-5

A port configured for TLS client authentication must be enabled on the Management and Security Server.

This secure port listens for and authenticates communications between MSS and the Host Access for the Cloud Session Server. This port is automatically configured when using the MSS automated installer or an MSS configuration utility.

Note: A certificate to trust the Host Access for the Cloud Session Server is configured by the automated installer.

No further action is needed, unless you want to manually add a CA-signed certificate to the MSS trust store.

If using Replication, be sure to configure the Replicated servers.

To manually add a CA-signed or other certificate to the MSS trust store:

  1. In the Administrative Console, open Configure Settings - Trusted Certificates.

  2. Click Management and Security Server, and click +Import.

  3. Enter the keystore file name, password, and friendly name.

    Note: Make sure the file containing the certificate is in the certificates folder under the MSSData directory on the Administrative Server (the MSSData path is shown in the Administrative Console under About > Product Information). On Linux this is:

    /var/opt/microfocus/mss/mssdata/certificates

  4. Click Import to add the certificate.

  5. Restart the MSS Administrative Server.

Windows-based clients

These additional settings must be in place for Windows-based clients.

Table 7-6

A port configured for TLS client authentication must be enabled on the Management and Security Server. This secure port authenticates end-user certificates presented by Windows-based clients (such as Reflection or Rumba+).

Note: When using the MSS automated installer or an MSS configuration utility, this port is automatically configured.

The Administrative Server must be restarted after adding a CA-signed certificate.

If using Replication, be sure to configure the Replicated servers.

7.4.2 Replicated servers

If you are using X.509 authentication together with Replication, the CA certificates used for X.509 authentication and the system.bcfks keystore must be copied manually from the Master to the same locations on each MSS Slave server in the replication cluster.

On each Slave server:

  1. Locate the MSSData directory. This path is displayed in the Administrative Console: About > Product Information.

  2. Copy the CA certificates to the MSSData\certificates directory.

  3. Use the Administrative Console (Configure Settings > Trusted Certificates) to import the certificates into the Management and Security Server Trusted Certificate List. See Help for assistance.

  4. Copy the system.bcfks from the Master to the same location on the MSS Slave: MSS\server\etc

  5. Restart the MSS Service on the Slave server (required for the changes to take effect).

  6. Repeat these steps for each Slave server in the replication cluster.
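The script below is an added example and is not part of the MSS guide. It is a POSIX shell script built on the openssl command-line tool that performs two pre-flight checks for the requirements above: before you import a CA into the Trusted Certificate List (7.4.1), it verifies that a client certificate actually chains to that CA and is acceptable for TLS client authentication; after you copy CA files to a Slave (7.4.2), it compares the Master's and the Slave's MSSData/certificates directories by SHA-256 fingerprint. The throwaway PKI (CAs trusted_ca and other_ca, users alice and mallory), the file name rootca.crt and the master/slave directories are all constructed for the demo; in practice, point the functions at your real CA file, a certificate exported from the smart card, and the real MSSData/certificates paths.

```shell
#!/bin/sh
# Added example, not part of the MSS guide. Two pre-flight checks for X.509 setup:
#   check_client_cert  - does a client certificate (for example one exported from a
#                        smart card) chain to the CA you are about to import into the
#                        MSS Trusted Certificate List, and is it valid for TLS client
#                        authentication (clientAuth)?
#   replica_drift      - do the CA files in a Slave's MSSData/certificates directory
#                        match the Master's, compared by SHA-256 fingerprint?
# Requires the openssl CLI. The PKI built by make_demo_pki is constructed for the demo;
# in practice point the check functions at the real CA and client certificate files.
set -e

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# The [ca_ext] section is applied to the self-signed CA certificates only.
write_pki_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Issue a client certificate signed by the named CA, carrying the clientAuth EKU that
# smart-card logon certificates have; basicConstraints marks it as an end-entity cert.
issue_client() {
    dir=$1; name=$2; ca=$3
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=$name" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/client.ext" -out "$dir/$name.crt" 2>/dev/null
}

# Build a throwaway PKI: a CA we will trust, a CA we will not, and one client
# certificate issued by each. EC P-256 keys keep the demo fast.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    write_pki_config "$dir/pki.cnf"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    for ca in trusted_ca other_ca; do
        openssl req -x509 -config "$dir/pki.cnf" -subj "/CN=$ca" \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
    done
    issue_client "$dir" alice trusted_ca
    issue_client "$dir" mallory other_ca
}

# Print "trusted" if the client certificate chains to the given CA file and is
# acceptable as a TLS client certificate, otherwise "untrusted". -no-CAfile/-no-CApath
# keep the default CA locations out of the decision. Exit status is 0 either way.
check_client_cert() {
    ca=$1; cert=$2
    if openssl verify -no-CAfile -no-CApath -CAfile "$ca" -purpose sslclient \
            "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# SHA-256 fingerprint of a certificate, the value to compare between Master and Slaves.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare each .crt in the Master's certificates directory with the same file on a
# Slave. Prints one line per file that is missing or differs; prints nothing when the
# Slave is in sync. (system.bcfks is copied whole and is not covered by this check.)
replica_drift() {
    master=$1; slave=$2
    for f in "$master"/*.crt; do
        name=$(basename "$f")
        if [ ! -f "$slave/$name" ]; then
            echo "missing: $name"
        elif [ "$(fingerprint "$f")" != "$(fingerprint "$slave/$name")" ]; then
            echo "differs: $name"
        fi
    done
}

# Demo run on the constructed PKI: "master" and "slave" stand for the Master's and a
# Slave's MSSData/certificates directories, with the Slave holding the wrong CA.
work=$(mktemp -d)
make_demo_pki "$work/pki"
echo "alice   (issued by trusted_ca): $(check_client_cert "$work/pki/trusted_ca.crt" "$work/pki/alice.crt")"
echo "mallory (issued by other_ca):   $(check_client_cert "$work/pki/trusted_ca.crt" "$work/pki/mallory.crt")"
mkdir -p "$work/master" "$work/slave"
cp "$work/pki/trusted_ca.crt" "$work/master/rootca.crt"
cp "$work/pki/other_ca.crt"   "$work/slave/rootca.crt"
replica_drift "$work/master" "$work/slave"
rm -rf "$work"
```

On a real deployment, run check_client_cert with the CA file you intend to import and a certificate exported from the smart card; "untrusted" at this stage means the CA you plan to trust is not the certificate's issuer (or an intermediate is missing), which is the same failure the user would hit at logon. replica_drift prints nothing when a Slave is in sync. It covers only the PEM/DER CA files in MSSData/certificates; system.bcfks is a keystore, so copy it whole as step 4 describes and do not expect this check to cover it.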

7.4.3 Optional: Administrative Console login

You can use X.509 authentication to log in to the Administrative Console. In this case the Administrative Console acts as a client to the core MSS Administrative Server, so the Administrative Server must trust the CA that issued the administrator's certificate.

Use the Java keytool application to import the root CA certificate into the servlet container's trust store, servletcontainer.bcfks.

  1. Add the root CA certificate to the MSS servletcontainer trust store. Run keytool from the directory that contains servletcontainer.bcfks so that the relative -keystore and -providerpath arguments resolve. Replace daso_rootca.crt and the alias daso_rootca with your own file and name, and changeit with the store's password if it differs. On Windows the shell does not expand the wildcard, so give the full file name of the bc-fips jar in -providerpath.

    keytool -importcert -noprompt -file daso_rootca.crt -keystore servletcontainer.bcfks -providername BCFIPS -storetype bcfks -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath ../lib/bc-fips-*.jar -storepass changeit -alias daso_rootca

  2. Configure the Administrative Console to use HTTPS to access MSS web services.

    Open <installpath>\MSS\server\conf\container.properties and edit this setting to use HTTPS:

    management.server.url=https://<servername>:8443/mss

  3. Navigate to the server URL using HTTPS.

    With the user certificate installed in the browser (details vary by browser), navigate to the Administrative Console URL:

    https://<servername>:8443/adminconsole