7.0
Table Of Contents
- Deploying and Configuring Access Point
- Introduction to Access Point
- System Requirements and Deployment
- Configuring Access Point
- Collecting Logs from the Access Point Appliance
- Setting Up Smart Card Authentication
- Setting Up Two-Factor Authentication
- Index
3 Use a REST client, such as curl or Postman, to send the JSON request to the Access Point REST API. This stores the certificate on the Access Point appliance and enables smart card authentication.
The following example uses a curl command. In the example, access-point-appliance.example.com is the fully qualified domain name of the Access Point appliance, and smartcard.json is the JSON request you created in the previous step.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-point-appliance.example.com:9443/rest/v1/config/authmethod/certificate-auth < ~/smartcard.json
The -k option disables verification of the appliance's TLS certificate. Use it only while the administration certificate is not yet trusted by your workstation; otherwise omit it, or pass the issuing CA with --cacert, so that the admin password is not sent to a spoofed endpoint.
4 Use a REST client to get the default edge service settings for the edge service you are using.
curl -k -u 'admin' https://access-point-appliance.example.com:9443/rest/v1/config/edgeservice/VIEW
This example uses the VIEW edge service because for this release smart card authentication is supported only if you use the VIEW edge service.
5 Paste this information into a JSON request for enabling smart card authentication for the View server
and add the authMethods and samlSP properties.
{
"identifier": "VIEW",
"enabled": true,
"authMethods": "certificate-auth",
"samlSP": "connection-server-sp"
}
For readability, this example shows only the required properties for configuring smart card
authentication, and not the long list of properties included in edge service configuration. When you
create the JSON request, copy and paste all of the edge service settings you are using and be sure to add
or configure these smart card properties.
connection-server-sp is an example of a service provider name. You specified a service provider name
when you copied the service provider metadata to the Access Point appliance.
6 Use a REST client to send the JSON request to the Access Point API and configure the edge service to use smart card authentication.
In the following example, smartauth.json is the JSON request you created in the previous step.
curl -k -d @- -u 'admin' -H "Content-Type: application/json" -X PUT https://access-point-appliance.example.com:9443/rest/v1/config/edgeservice/VIEW < ~/smartauth.json
End users can now use smart cards when logging in to Access Point.
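The following script carries steps 3 to 6 out in one place, including the merge of the smart card properties into the complete VIEW edge service settings that step 5 describes. It is an added example, not code from the Access Point product or this guide: it assumes the REST base path https://<appliance>:9443/rest/v1 and the two endpoints quoted in the procedure, and the FQDN, credentials, service provider name and file names are placeholders. Only the Python standard library is used, so it runs from any administration workstation.

```python
"""Configure smart card (certificate) authentication on an Access Point
appliance through its REST API, following steps 3 to 6 of the procedure.

Added example: this is not code from the Access Point product or its
documentation. It assumes the REST base path https://<appliance>:9443/rest/v1
and the two endpoints quoted in the procedure; the FQDN, credentials, SP name
and file names are placeholders.
"""
import base64
import json
import ssl
import urllib.request
from typing import Optional

API_BASE = "https://access-point-appliance.example.com:9443/rest/v1"  # placeholder FQDN
SP_NAME = "connection-server-sp"  # SP name chosen when the SP metadata was copied to the appliance


def auth_header(user: str, password: str) -> str:
    """HTTP Basic value, the same credential that curl -u 'admin' sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(method: str, path: str, user: str, password: str,
                  body: Optional[dict] = None) -> urllib.request.Request:
    """Build (but do not send) an API request with Basic auth and a JSON body."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", auth_header(user, password))
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req


def add_smartcard_settings(edge_service: dict, sp_name: str = SP_NAME) -> dict:
    """Step 5: return a copy of the complete VIEW edge-service settings with the
    smart card properties added. Every other property from the GET response is
    kept, as the text instructs; the original dict is left untouched."""
    updated = dict(edge_service)
    updated["identifier"] = "VIEW"
    updated["enabled"] = True
    updated["authMethods"] = "certificate-auth"
    updated["samlSP"] = sp_name
    return updated


def tls_context(ca_bundle: Optional[str]) -> ssl.SSLContext:
    """Verify the admin endpoint against a CA bundle. ca_bundle=None is the
    equivalent of curl -k (no verification) and is acceptable only while the
    appliance certificate is not yet trusted by the admin workstation."""
    if ca_bundle is None:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return ssl.create_default_context(cafile=ca_bundle)


def send(req: urllib.request.Request, ca_bundle: Optional[str]) -> dict:
    """Send a request and decode the JSON response (raises on HTTP errors)."""
    with urllib.request.urlopen(req, context=tls_context(ca_bundle)) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def configure_smartcard(user: str, password: str, smartcard_json_path: str,
                        ca_bundle: Optional[str] = None) -> dict:
    """Run steps 3 to 6: upload the certificate-auth settings, fetch the VIEW
    edge service, add the smart card properties, and write the result back."""
    with open(smartcard_json_path, "r", encoding="utf-8") as fh:
        smartcard = json.load(fh)                                     # smartcard.json from step 2
    send(build_request("PUT", "/config/authmethod/certificate-auth",
                       user, password, smartcard), ca_bundle)        # step 3
    edge = send(build_request("GET", "/config/edgeservice/VIEW",
                              user, password), ca_bundle)             # step 4
    updated = add_smartcard_settings(edge)                            # step 5
    return send(build_request("PUT", "/config/edgeservice/VIEW",
                              user, password, updated), ca_bundle)    # step 6


if __name__ == "__main__":
    import getpass
    # Placeholder file name; ca_bundle should be the CA that issued the admin certificate.
    configure_smartcard("admin", getpass.getpass("Access Point admin password: "),
                        "smartcard.json", ca_bundle=None)
```

Because build_request returns the request without sending it, the merged edge service body can be inspected (or diffed against the step 4 response) before the PUT in step 6 overwrites the live configuration.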
Smart Card Certificate Properties for Advanced Options
Smart card authentication properties provide functionality for certificate revocation, consent forms, and
configuring the subject alternative name.
You can prevent users who have revoked user certificates from authenticating with smart cards by
configuring certificate revocation checking. Certificates are often revoked when a user leaves an
organization, loses a smart card, or moves from one department to another.
Access Point supports certificate revocation checking with certificate revocation lists (CRLs) and with the
Online Certificate Status Protocol (OCSP). A CRL is a list of revoked certificates published by the CA that
issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of an
X.509 certificate.
When you configure both types of certificate revocation checking, Access Point attempts OCSP first and can be configured to fall back to CRL checking if the OCSP check fails. Access Point never falls back to OCSP if the CRL check fails, so a CRL-only configuration stands or falls with the reachability and freshness of the CRL.
The OCSP responder or CRL distribution point of the issuing CA must be reachable from the Access Point appliance.
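The decision order above, written out as an added example so that the fallback rules can be exercised against constructed inputs; this is not Access Point's own code. The Status values, the checker callbacks standing in for a live OCSP responder and a downloaded CRL, and the fail-closed treatment of an unreachable responder or CRL (an unknown status denies the logon) are assumptions made for illustration; the ordering rules (OCSP first, optional CRL fallback, no fallback from CRL to OCSP) are the ones stated in the text.

```python
"""Decision order for smart card certificate revocation checking: OCSP first,
CRL as an optional fallback when OCSP fails, no fallback from CRL to OCSP.

Added example, not Access Point's own code. Status, the checker callbacks and
the fail-closed handling of an unavailable source are assumptions; the
ordering rules come from the text.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # responder down, CRL unreachable, stale or unparsable


Checker = Callable[[str], Status]  # maps a certificate serial number to a Status


@dataclass
class RevocationPolicy:
    ocsp: Optional[Checker] = None            # None: OCSP checking not configured
    crl: Optional[Checker] = None             # None: CRL checking not configured
    crl_fallback_on_ocsp_failure: bool = False


def _crl_decision(crl: Checker, serial: str, prefix: str) -> Tuple[bool, str]:
    status = crl(serial)
    if status is Status.GOOD:
        return True, prefix + "crl: good"
    if status is Status.REVOKED:
        return False, prefix + "crl: revoked"
    return False, prefix + "crl unavailable (fail closed)"


def decide(policy: RevocationPolicy, serial: str) -> Tuple[bool, str]:
    """Return (allow, reason) for one certificate serial under the policy."""
    if policy.ocsp is None and policy.crl is None:
        return True, "no revocation checking configured"

    if policy.ocsp is not None:
        status = policy.ocsp(serial)
        if status is Status.GOOD:
            return True, "ocsp: good"
        if status is Status.REVOKED:
            return False, "ocsp: revoked"
        # OCSP failed: consult the CRL only when fallback is configured.
        if policy.crl is not None and policy.crl_fallback_on_ocsp_failure:
            return _crl_decision(policy.crl, serial, prefix="ocsp unavailable, ")
        return False, "ocsp unavailable, no CRL fallback (fail closed)"

    # CRL only: a CRL failure never falls back to OCSP.
    return _crl_decision(policy.crl, serial, prefix="")


# Constructed stand-ins for a live OCSP responder and a downloaded CRL.
def ocsp_from_table(table: Dict[str, Status]) -> Checker:
    return lambda serial: table.get(serial, Status.GOOD)


def ocsp_down() -> Checker:
    return lambda serial: Status.UNAVAILABLE


def crl_from_serials(revoked: Set[str]) -> Checker:
    return lambda serial: Status.REVOKED if serial in revoked else Status.GOOD


def crl_unreachable() -> Checker:
    return lambda serial: Status.UNAVAILABLE


OCSP_TABLE = {"ff01": Status.REVOKED}   # constructed responder knowledge
REVOKED_SERIALS = {"1b2c3d"}            # constructed CRL content


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Configurations worth understanding before enabling CRL fallback."""
    ocsp = ocsp_from_table(OCSP_TABLE)
    crl = crl_from_serials(REVOKED_SERIALS)
    return {
        "ocsp good": decide(RevocationPolicy(ocsp=ocsp, crl=crl), "a1"),
        "ocsp revoked, crl good": decide(RevocationPolicy(ocsp=ocsp, crl=crl), "ff01"),
        "ocsp down, fallback on": decide(RevocationPolicy(
            ocsp=ocsp_down(), crl=crl, crl_fallback_on_ocsp_failure=True), "1b2c3d"),
        "ocsp down, fallback off": decide(RevocationPolicy(ocsp=ocsp_down(), crl=crl), "a1"),
        "crl only, unreachable": decide(RevocationPolicy(crl=crl_unreachable()), "a1"),
    }


if __name__ == "__main__":
    for name, (allow, reason) in scenarios().items():
        print(f"{name:26s} -> {'ALLOW' if allow else 'DENY'} ({reason})")
```

The "ocsp down, fallback off" and "crl only, unreachable" scenarios are the ones to test against your own appliance before rollout: with fail-closed behaviour every smart card logon is refused while the revocation source is unreachable, so the reachability requirement stated above is an availability requirement as well as a security one.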
Deploying and Configuring Access Point
58 VMware, Inc.