Installation guide

SSL Client Certificate Authentication
SecurityCenter 4.6 allows users to authenticate with SSL client certificates. This supports SSL client certificates,
smart cards, and CAC authentication when the browser is configured for this method.
By default, SecurityCenter uses a password to authenticate. To allow SSL client certificate authentication, the web
server must be configured to accept such connections. To do this, edit the
/opt/sc4/support/conf/sslverify.conf file on the SecurityCenter server using any standard text
editor. Set the “SSLVerifyClient” setting to one of none, optional, or require, as described in the
following table.
Table 7 SSL Client Certificate Configuration Options

| Option | Description |
|---|---|
| none | When set to “none”, SSL certificates for SecurityCenter will not be accepted by the server for user authentication purposes. |
| optional | When set to “optional”, valid SSL certificates for SecurityCenter may be used for user authentication. If a valid certificate is not presented, the user may log in using only a password. Depending on how they are configured, some web browsers may not connect to SecurityCenter when the “optional” setting is used. |
| require | When set to “require”, a valid SSL certificate for SecurityCenter must be presented to gain access to the web interface. If the user has an account that uses a certificate to authenticate, that user will be logged into SecurityCenter. Otherwise the user will be presented with the standard SecurityCenter login page. |

When a user is initially created and configured, a password must be created for the user. Users who are configured to use
SSL certificates will be prompted to determine if they want to always use the current certificate when they log in to
SecurityCenter through a browser. If “Yes” is selected, the certificate will be associated with their account and future
access to SecurityCenter will use the client certificate. If “No” is selected, the certificate will be ignored for the current
session.
Configure SecurityCenter for Certificates
The first step to allow SSL certificate authentication is to configure the SecurityCenter web server. This process allows the
web server to trust certificates created by the Certificate Authority (CA) for authentication.
1. Copy the required PEM-encoded CA certificate (and intermediary CA, if needed) to the SecurityCenter server’s
/tmp directory. For this example, the file is named ROOTCA2.cer.
2. Run the installCA.php script to create the required files for each CA in /opt/sc4/data/CA as follows:
# /opt/sc4/support/bin/php /opt/sc4/src/tools/installCA.php /tmp/ROOTCA2.cer
3. Once each of your CAs has been processed, restart the SecurityCenter services with the following command:
# service SecurityCenter restart
After SecurityCenter has been configured with the proper CA certificate(s), users may log in to SecurityCenter using SSL
client certificates.
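
A pre-flight check for the procedure above, added here as an example and not part of SecurityCenter or this guide: it reports the effective “SSLVerifyClient” value and confirms the CA file is PEM-encoded before installCA.php is run. It assumes sslverify.conf uses Apache directive syntax and that the last uncommented occurrence wins; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks before running installCA.php.
# Assumption: sslverify.conf uses Apache directive syntax
# ("SSLVerifyClient <value>", lines starting with "#" are comments).

# Print the effective SSLVerifyClient value (last uncommented occurrence,
# lower-cased), or "unset" if the directive is absent.
sslverify_mode() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "sslverifyclient" { mode = tolower($2) }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Succeed only if the file carries PEM certificate markers. A .cer file
# is often DER (binary) and would fail this check.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Map a mode to its meaning in Table 7.
describe_mode() {
    case "$1" in
        none)     echo "certificates not accepted; password login only" ;;
        optional) echo "certificate accepted; password login still allowed" ;;
        require)  echo "certificate must be presented to reach the web interface" ;;
        *)        echo "missing or unrecognized SSLVerifyClient value" ;;
    esac
}

# usage: preflight <sslverify.conf> <ca-file>
# Returns 0 only if the CA file is PEM and the mode accepts certificates.
preflight() {
    mode=$(sslverify_mode "$1")
    echo "SSLVerifyClient=$mode: $(describe_mode "$mode")"
    if ! is_pem_cert "$2"; then
        echo "$2 is not PEM-encoded; convert it before running installCA.php"
        return 1
    fi
    [ "$mode" = optional ] || [ "$mode" = require ]
}

# Run directly as: sh preflight.sh /opt/sc4/support/conf/sslverify.conf /tmp/ROOTCA2.cer
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```
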