X.509 client authentication allows clients to authenticate to servers with certificates rather than with a username and password by leveraging the X.509 public key infrastructure (PKI) standard.
Prerequisite
Using the manual configuration procedure described in Securing Reflection ZFE Session Server and Management Component to MSS, verify that a trusted certificate has been installed in the certificate store. The exact procedure varies with your operating system and browser.
Basic steps:
Add Reflection ZFE certificates to the MSS Trusted Subsystem.
Enable the MSS Trusted Subsystem.
Install the signing authorities certificate into MSS and Reflection ZFE.
Restart the servers.
Configure X.509 in the Management and Security Server Administrative Console.
Step 1. Add Reflection ZFE certificates to the MSS Trusted Subsystem
NOTE: Specify the certificate file's name for the -file argument. If you are using the provided self-signed certificate, use servletcontainer.cer. A certificate issued by a Certificate Authority will have a different file name.
This step makes sure that MSS can trust connections from the Reflection ZFE session server and management components.
Add the Reflection ZFE session server certificate to the MSS Trusted Subsystem:
In <MSS_install_directory>\server\etc, run: keytool -importcert -file <RZFE_install_directory>\sessionserver\etc\servletcontainer.cer -alias zfesessionserver -keystore system.jks -storetype jceks -storepass not-secure
Add the management component certificate to the MSS Trusted Subsystem:
In <MSS_install_directory>\server\etc, run: keytool -importcert -file <RZFE_install_directory>\managementserver\etc\servletcontainer.cer -alias zfemgtserver -keystore system.jks -storetype jceks -storepass not-secure
The value not-secure is the default password for system.jks; if you have changed it, supply the current password instead. After each import, confirm that the entry is present with: keytool -list -keystore system.jks -storetype jceks -storepass <password> -alias <alias>
Step 2. Enable the MSS Trusted Subsystem
Open <MSS_install_directory>\server\conf\container.properties.
Add the line servletengine.system.ports=<unused network port>, where the port is one that nothing else on the host listens on, and save the file.
Step 3. Install the signing authorities certificate into MSS and Reflection ZFE
MSS's trusted store may already contain your signing authority's certificate. This is often the case for well-known certificate authorities; if the certificate is already present, you can skip this step.
To check, view the list of certificates trusted by the Management and Security Server in the Administrative WebStation (the steps under Installing into MSS below show where that list is).
If your signing authority's certificate is not listed, you need to install the signing root CA into MSS and into the Reflection ZFE session server and management component.
Installing into MSS:
Copy the certificate to the MSS server: %PROGRAMDATA%\Micro Focus\MSS\MSSData\certificates.
Open the Administrative WebStation. From the Start menu, open Micro Focus Host Access Management and Security Server | Administrative Server | Administrative WebStation.
In the Administrative WebStation, click Security Setup in the left panel, then click the Certificates tab. From the Administer Management and Security Server Trusted Certificate List section, click View or modify certificates trusted by the Management and Security Server.
Click Import in the Import Trusted Certificates section and fill out the fields to point to your certificate, specify its password, and give the certificate a friendly name.
Click Submit and verify the certificate is listed.
Installing the certificate into the Reflection ZFE session server and management component:
In <RZFE_install_directory>\sessionserver\etc, import the certificate: keytool -importcert -file <path to certificate> -alias zfesessionserver -keystore servletcontainer.jks -storetype jceks -storepass not-secure
In <RZFE_install_directory>\managementserver\etc, import the certificate: keytool -importcert -file <path to certificate> -alias zfemgtserver -keystore servletcontainer.jks -storetype jceks -storepass not-secure
keytool will not import into an alias that already exists in the keystore. If the import reports that the alias already exists, choose a different alias, and confirm afterwards with keytool -list that the new trustedCertEntry is present. As above, replace not-secure with the current password if the default has been changed.
Step 4. Restart all the servers
For the configuration to take effect, you must restart all servers.
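The following script is an added example, not part of the Micro Focus documentation or product. It wraps the keytool imports from Steps 1 and 3 and the container.properties edit from Step 2 in re-runnable functions, each followed by an explicit check that the change actually landed. It assumes keytool is on PATH, that the script runs in bash (Git Bash or WSL on Windows, or a Linux host), that the keystores are JCEKS as on this page, and that the keystore password is supplied in the STOREPASS environment variable, falling back to the product default not-secure. The port check, the alias-exists check and the issuer lookup are additions for verification; the function and variable names are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the Micro Focus documentation): automates Steps 1-3
# of the X.509 setup with a verification after each change.
# Assumptions: keytool on PATH; JCEKS keystores as on the page; STOREPASS holds
# the keystore password (defaults to the product default "not-secure", which
# you should replace if your keystores no longer use it).
set -eu

STOREPASS="${STOREPASS:-not-secure}"

# Import a certificate file into a JCEKS keystore under ALIAS, then confirm
# it is listed as a trustedCertEntry. keytool refuses to import into an alias
# that already exists, so that case is reported instead of failing obscurely.
import_trusted_cert() {
    local keystore="$1" alias="$2" certfile="$3"
    if keytool -list -keystore "$keystore" -storetype jceks \
            -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already exists in $keystore; choose another alias" >&2
        return 1
    fi
    keytool -importcert -noprompt -file "$certfile" -alias "$alias" \
        -keystore "$keystore" -storetype jceks -storepass "$STOREPASS"
    keytool -list -keystore "$keystore" -storetype jceks \
        -storepass "$STOREPASS" -alias "$alias" | grep -q trustedCertEntry
}

# Step 3 check: print the Issuer of a certificate file, i.e. the signing
# authority that must be present in the MSS and Reflection ZFE trusted stores.
cert_issuer() {
    keytool -printcert -file "$1" | sed -n 's/^Issuer: //p' | head -n 1
}

# Step 2 requires an unused port: succeed only if something already listens
# on it locally (bash /dev/tcp; treated as "free" in shells without it).
port_in_use() {
    local port="$1"
    (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null
}

# Step 2: set servletengine.system.ports, replacing an existing line rather
# than appending a duplicate, so the function is safe to re-run.
set_system_port() {
    local props="$1" port="$2"
    if grep -q '^servletengine\.system\.ports=' "$props"; then
        sed -i.bak "s/^servletengine\.system\.ports=.*/servletengine.system.ports=$port/" "$props"
    else
        # Make sure the file ends with a newline before appending.
        [ -z "$(tail -c1 "$props")" ] || echo >> "$props"
        printf 'servletengine.system.ports=%s\n' "$port" >> "$props"
    fi
    grep -q "^servletengine\.system\.ports=$port\$" "$props"
}

# Read back the configured port (used for verification).
get_system_port() {
    grep '^servletengine\.system\.ports=' "$1" | cut -d= -f2
}

main() {
    local mss="$1" rzfe="$2" port="$3"   # MSS install dir, RZFE install dir, unused port
    if port_in_use "$port"; then
        echo "port $port is already in use on this host" >&2
        return 1
    fi
    # Step 1: trust both Reflection ZFE components in the MSS Trusted Subsystem.
    import_trusted_cert "$mss/server/etc/system.jks" zfesessionserver \
        "$rzfe/sessionserver/etc/servletcontainer.cer"
    import_trusted_cert "$mss/server/etc/system.jks" zfemgtserver \
        "$rzfe/managementserver/etc/servletcontainer.cer"
    # Step 2: enable the Trusted Subsystem on the chosen port.
    set_system_port "$mss/server/conf/container.properties" "$port"
    echo "certificates imported and verified; restart MSS and Reflection ZFE (Step 4)"
}

# Run only when given the three arguments; otherwise just define the functions.
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Usage: STOREPASS='<password>' ./x509-trust.sh /opt/mss /opt/rzfe 38451 (paths and port are placeholders). For Step 3, run cert_issuer on your server certificate to see which root CA must be imported, then call import_trusted_cert against servletcontainer.jks in each Reflection ZFE component directory with an alias that is not already in use.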
Step 5. Configuring X.509 with LDAP failover in the MSS Administrative Console
Once the certificates are in place, you can enable X.509 with LDAP failover in Management and Security Server Administrative Console | Access Control Setup. See the Administrative Console online help for descriptions of the configuration options.