Non-redirected login at Access Gateway



In general when user tries to access a protected resource, the  authentication procedure at Access Gateway redirects user to  Identity Server. But for special user-clients/applications those do not support redirection,  one way to achieve authentication is using contract that supports Non-Redirected Login. More details are available here -

When non-redirected login is enabled, Access Gateway prompts user to supply basic authentication credentials. So contract that supports basic authentication credentials such as Name/Password-Basic or Secure Name/Password-Basic can be used to protect resources without redirection. Even though  basic authentication over HTTPS is good, sometimes its not acceptable and in many cases customer in not very keen on using the same. 

This cool solution is about an alternate method to achieve Non-Redirected Login - X.509 client authentication

To enable X.509 client certificate verification by Access Gateway (AG) with no involvement of Identity Server, please go through following section.


  • “Enable SSL between Browser and Access Gateway” is enabled at AG's reverse proxy configuration
  • Client certificate is added/exported to user-client 

Following steps are to achieve SSL (X.509) client authentication at AG

  • Copy CA certificate(signer) of user certificate to a location in AG box. Assuming the location is /opt/novell/apache/otherca, ls -l output should be like

drwxr-xr-x 2 root root 4096 Oct 11 16:16 otherca
  • Assuming copied CA certificate name is configca.pem. Add following lines to proxy service advance options where corresponding protected resource is configured. E.g.
SSLCACertificateFile /opt/novell/apache2/otherca/configca.pem # full path & name of certificate
SSLVerifyClient require
SSLVerifyDepth 10 # maximum depth of CA certificate
  • Update configuration

In case user wants to use only location/path where certificate is copied, then

  • Run /opt/novell/ssllib/bin/c_rehash <full directory name/path>
  • Add SSLCACertificatePath <full directory name/path> to advance option instead of SSLCACertificateFile. E.g
SSLCACertificatePath /opt/novell/apache2/otherca

Apache Module mod_ssl


How To-Best Practice
Comment List