Configure Smart Card Settings on the Access Point Appliance
On the Access Point appliance, you must enable smart card authentication, copy in the certificate, and
change the authentication type to smart card authentication.
Prerequisites

- Get the trusted CA issuer certificate that was used to sign the X.509 certificates on the smart cards. See “Obtain the Certificate Authority Certificates,” on page 56.
- Convert the certificate to a PEM-format file that contains the certificate chain. See “Convert Certificate Files to One-Line PEM Format,” on page 41. If you have an intermediate certificate, it must immediately follow the first certificate, and both certificates must be on the same line.
- Verify that you have copied the Access Point SAML metadata to the service provider and the service provider SAML metadata to the Access Point appliance. See “Generate Access Point SAML Metadata,” on page 50 and “Copy Service Provider SAML Metadata to Access Point,” on page 55.
- Familiarize yourself with the smart card certificate properties and determine which settings to use. See “Smart Card Certificate Properties for Advanced Options,” on page 58.
- If you use a load balancer between Access Point and the service provider instances, verify that TLS/SSL termination is not done on the load balancer. The load balancer must pass authentication through to the back-end service provider, such as View Connection Server.
Procedure

1. Use a REST client, such as curl or Postman, to invoke the Access Point REST API and get the default certificate settings.

   The following example uses a curl command. In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point appliance.

   curl -k -u 'admin' https://access-point-appliance.example.com:9443/rest/v1/config/authmethod/certificate-auth
2. Paste this information into a JSON request that enables smart card authentication and carries the certificate.

   The following two properties are the ones you must configure. You can also change the defaults for the other properties.

   {
     "enabled": "true",
     "caCertificates": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
   }

   In this example, the ellipsis (...) stands for the middle of the certificate text. The certificate text must be in the one-line format that can be passed in a JSON string to the Access Point REST API, as described in the prerequisites.

   For caCertificates, you can specify multiple certificates using spaces as separators. When a user initiates a connection to the Access Point appliance, Access Point sends the list of trusted certificate authorities (CAs) to the client system. The client system checks that list against the available user certificates, selects a suitable certificate, and then prompts the user for the smart card PIN. If more than one user certificate is valid, the client system prompts the user to select one.
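The prerequisite conversion and the JSON body from step 2, as an added shell example that is not part of the VMware documentation. It assumes that "one-line PEM format" means each line break in the PEM text is replaced by the two characters \n, that several certificate files are joined with a space, and (not shown on this page) that the completed body is written back with a PUT to the same URL that step 1 reads; the sample chain is constructed placeholder text, not a real certificate.

```shell
#!/bin/sh
# Added example: build the caCertificates value and the JSON body for
# /rest/v1/config/authmethod/certificate-auth from PEM certificate files.
set -e

# Emit one file's PEM text as a single line (newline -> literal "\n").
# Several files are joined with a single space, the separator the page names.
pem_files_to_oneline() {
  sep=""
  for f in "$@"; do
    printf '%s' "$sep"
    awk 'NF { sub(/\r/, ""); printf "%s\\n", $0 }' "$f"
    sep=" "
  done
}

# Sanity check before sending: at least one certificate, and every BEGIN
# marker has a matching END marker. Prints the certificate count on success.
count_certs() {
  b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] || return 1
  echo "$b"
}

# JSON body with the two required properties from step 2.
build_cert_auth_json() {
  certs=$(pem_files_to_oneline "$@")
  printf '{ "enabled": "true", "caCertificates": "%s" }\n' "$certs"
}

# Constructed sample chain: root followed immediately by the intermediate
# (placeholder base64, not real certificates).
SAMPLE_CHAIN=$(mktemp)
cat > "$SAMPLE_CHAIN" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBrootCAplaceholder000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBintermediatePlaceholder000
-----END CERTIFICATE-----
EOF

BODY_JSON=$(mktemp)
count_certs "$SAMPLE_CHAIN" > /dev/null
build_cert_auth_json "$SAMPLE_CHAIN" > "$BODY_JSON"
# Assumed, not shown on this page: write the settings back with a PUT.
# -k, as in step 1, skips verification of the appliance's own TLS certificate.
# curl -k -u 'admin' -X PUT -H 'Content-Type: application/json' --data @"$BODY_JSON" \
#   https://access-point-appliance.example.com:9443/rest/v1/config/authmethod/certificate-auth
```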
Chapter 5 Setting Up Smart Card Authentication
VMware, Inc. 57