Installation guide
8. If a new certificate is available the next time the user logs in, SecurityCenter will again attempt to associate the
user with the certificate.
If you log out of the session, you will be presented with the standard SecurityCenter login screen. If you wish
to log in again with the same certificate, refresh your browser window. If you need to use a different certificate,
you must restart your browser session.
CoSign Configuration Instructions
Misconfiguration of the CoSign authentication configuration can cause you to lose access to SecurityCenter.
Please contact Tenable Support for possible recovery options.
The information presented in this section assumes an existing, working CoSign service solution. More
information about CoSign authentication servers may be found at http://weblogin.org.
SecurityCenter 4.6 introduces a new server authentication method that uses the CoSign single sign-on solution. Once
enabled, the TNS and LDAP authentication methods are no longer available for use. SecurityCenter 4.6.0 only supports
username/password authentication via CoSign; support for additional methods may be added later.
If CoSign authentication is enabled, usernames in SecurityCenter must be matched to those in the CoSign system. Before
enabling CoSign authentication, ensure that at least one administrator-level user exists with an acceptable username for
CoSign authentication. If a user exists within SecurityCenter without a matching CoSign user, access to that user will be
lost after the conversion to CoSign authentication.
The first step in configuring CoSign authentication is to install a valid SSL CA certificate and a client SSL certificate and
key, provided by your CoSign administrator in .pem format. Copy this key to the SecurityCenter server and, as the user ‘tns’
(“su - tns”), run the command:
# /opt/sc4/support/bin/php /opt/sc4/src/tools/installCA.php /path/to/consign_ca.pem
This allows SecurityCenter to install the CA certificate with the appropriate permissions to enable secure communication
between the SecurityCenter server and the CoSign server. Copy the client SSL certificate and key files to the
/opt/sc4/support/cosign directory. Ensure that the ownership of the files is tns:tns and that their permissions allow the
owner to at least read the files. For example, if the files are named mod_cosign.crt and mod_cosign.key, the following
commands will set the ownership correctly:
# chown tns:tns /opt/sc4/support/cosign/mod_cosign.crt
# chown tns:tns /opt/sc4/support/cosign/mod_cosign.key
Next, the Apache CoSign module must be enabled. Edit the /opt/sc4/support/conf/module.conf file using any
standard text editor to enable the mod_cosign.so module by removing the # at the beginning of the line as follows:
LoadModule cosign_module modules/mod_cosign.so
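The ownership, permission and module steps above can be checked in one pass before CoSign authentication is switched on. The script below is an added example, not part of the Tenable guide: the function names are hypothetical, `stat -c` assumes GNU coreutils, and the stricter "no group/other access" test on the key file is an added assumption beyond the guide's owner-read requirement.

```shell
#!/bin/sh
# Pre-flight checks for the CoSign files and module line described in the guide.
# Function names are hypothetical; stat -c is the GNU coreutils form.

# check_file FILE OWNER:GROUP [private]
# Passes when FILE exists, is owned by OWNER:GROUP and is owner-readable.
# "private" also requires no group/other access (added hardening for the key;
# the guide itself only requires that the owner can read the file).
check_file() {
    file=$1 want=$2 private=${3:-}
    [ -f "$file" ] || { echo "FAIL $file: missing"; return 1; }
    have=$(stat -c '%U:%G' "$file")
    [ "$have" = "$want" ] || { echo "FAIL $file: owner $have, want $want"; return 1; }
    mode=$(printf '%03d' "$(stat -c '%a' "$file")")   # pad, e.g. 0 -> 000
    perm=${mode#"${mode%???}"}                         # last three octal digits
    case ${perm%??} in
        [4567]) ;;                                     # owner read bit is set
        *) echo "FAIL $file: mode $perm, owner cannot read"; return 1 ;;
    esac
    if [ "$private" = private ] && [ "${perm#?}" != 00 ]; then
        echo "FAIL $file: mode $perm, key accessible beyond owner"; return 1
    fi
    echo "OK   $file ($have, $perm)"
}

# module_enabled CONF: true when the LoadModule line is present and uncommented.
module_enabled() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+cosign_module[[:space:]]+modules/mod_cosign\.so' "$1" 2>/dev/null
}

# preflight [DIR] [CONF] [OWNER:GROUP]: defaults are the paths from the guide.
preflight() {
    dir=${1:-/opt/sc4/support/cosign}
    conf=${2:-/opt/sc4/support/conf/module.conf}
    owner=${3:-tns:tns}
    rc=0
    check_file "$dir/mod_cosign.crt" "$owner" || rc=1
    check_file "$dir/mod_cosign.key" "$owner" private || rc=1
    if module_enabled "$conf"; then
        echo "OK   mod_cosign enabled in $conf"
    else
        echo "FAIL mod_cosign commented out or absent in $conf"; rc=1
    fi
    return $rc
}

# Run the checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` on the SecurityCenter host; a non-zero exit status means at least one check failed.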