Non-redirected login at Access Gateway


Introduction

In general, when a user tries to access a protected resource, the authentication procedure at Access Gateway redirects the user to Identity Server. For special user clients/applications that do not support redirection, one way to achieve authentication is to use a contract that supports Non-Redirected Login. More details are available here:

https://www.netiq.com/documentation/access-manager-45/admin/data/prlist.html#contractextensions 

https://www.netiq.com/documentation/access-manager-45/admin/data/bojrjyw.html

When non-redirected login is enabled, Access Gateway prompts the user for basic authentication credentials, so a contract that accepts basic credentials, such as Name/Password-Basic or Secure Name/Password-Basic, can protect resources without redirection. Even though basic authentication over HTTPS is acceptable in general, it is sometimes not permitted, and in many cases the customer is not keen on using it.

This cool solution describes an alternate method to achieve Non-Redirected Login: X.509 client certificate authentication.

To enable X.509 client certificate verification at Access Gateway (AG) with no involvement of Identity Server, follow the steps in the following section.

Solution

 
Prerequisite
  • “Enable SSL between Browser and Access Gateway” is enabled in the reverse proxy configuration of the AG
  • The client certificate (together with its private key) is installed on the user client

The following steps enable SSL (X.509) client certificate authentication at the AG:

  • Copy the CA (signer) certificate of the user certificates to a directory on the AG box. Assuming the directory is /opt/novell/apache2/otherca, the ls -l output of its parent should look like:

drwxr-xr-x 2 root root 4096 Oct 11 16:16 otherca
  • Assuming the copied CA certificate is named configca.pem, add the following lines to the advanced options of the proxy service where the corresponding protected resource is configured. Apache does not accept a comment after a directive on the same line, so the explanations are kept on lines of their own. E.g.:
# full path and name of the CA certificate
SSLCACertificateFile /opt/novell/apache2/otherca/configca.pem
# reject clients that do not present a certificate chaining to that CA
SSLVerifyClient require
# maximum depth of the CA chain that is accepted
SSLVerifyDepth 10
  • Update the configuration so that the AG applies the new options
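As an added example (not part of the original post), here are the same advanced options as a practitioner would tighten them before deployment. The directory /opt/novell/apache2/otherca and the file name configca.pem are the names assumed in the steps above; crl.pem is an assumed name for the CA's CRL; SSLCARevocationCheck assumes an Apache 2.4 mod_ssl. The point of the changes: mod_ssl with SSLVerifyClient require only checks that the presented certificate chains to the configured CA, so without a revocation source a revoked client certificate still passes, and a depth of 10 accepts far longer chains than the one actually in use.

```apache
# Added example, not from the original post. Paths and file names are assumed.

# Trust anchor for client certificates. Comments must stay on their own line;
# Apache rejects a trailing "# ..." after a directive.
SSLCACertificateFile /opt/novell/apache2/otherca/configca.pem

# Reject any client that does not present a certificate chaining to that CA.
SSLVerifyClient require

# Depth 1 accepts a client certificate signed directly by configca.pem.
# Raise this only to the real chain length instead of a blanket 10.
SSLVerifyDepth 1

# Revocation: chain verification alone never rejects a revoked certificate.
# crl.pem is an assumed file name for the CRL published by the signing CA;
# SSLCARevocationCheck is an Apache 2.4 directive (assumed here).
SSLCARevocationFile /opt/novell/apache2/otherca/crl.pem
SSLCARevocationCheck chain
```

When the CRL file is replaced, the configuration has to be applied again so that the AG reloads it; an expired CRL makes mod_ssl reject every client, which is the safe failure mode but one to monitor.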

If you would rather point at the directory where the certificate was copied instead of at one file, then:

  • Run /opt/novell/ssllib/bin/c_rehash <full directory path> so that each certificate in the directory can be found by its subject hash
  • Add SSLCACertificatePath <full directory path> to the advanced options instead of SSLCACertificateFile. E.g.:
SSLCACertificatePath /opt/novell/apache2/otherca
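To see what the AG will and will not accept before touching the proxy service, the following added example (my own script, not part of the original post or of the product) builds a throwaway CA and a client certificate with openssl, checks the client certificate the way mod_ssl does for SSLCACertificateFile, then reproduces what c_rehash does and checks again through a directory as SSLCACertificatePath would. The working directory, the subjects "Example Client CA", "alice" and "Unrelated CA", and the file names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway PKI plus the two
# verification modes mod_ssl uses. Everything below is constructed test data.

WORK=$(mktemp -d)

# Minimal openssl config so the CA really carries CA:TRUE and the client
# certificate carries clientAuth, independent of the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# Constructed test PKI: the signing CA (configca.pem, as in the steps above),
# one client certificate it issued, and an unrelated CA that issued nothing.
make_test_pki() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Client CA" \
        -keyout "$WORK/configca.key" -out "$WORK/configca.pem" >/dev/null 2>&1
    openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=alice" -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/configca.pem" -CAkey "$WORK/configca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions client_ext \
        -out "$WORK/client.pem" >/dev/null 2>&1
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$WORK/unrelated.key" -out "$WORK/unrelated.pem" >/dev/null 2>&1
}

# The check mod_ssl performs with SSLCACertificateFile: does the client
# certificate chain to this CA bundle? Prints OK or FAIL. The output is
# inspected rather than the exit status, which differs between OpenSSL versions.
verify_with_file() {   # $1 = CA bundle, $2 = client certificate
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

# What c_rehash does for SSLCACertificatePath: OpenSSL looks a CA up by the
# file name <subject-hash>.<n>, so each certificate needs such a name (a link).
rehash_dir() {   # $1 = directory holding the CA certificates as *.pem
    for pem in "$1"/*.pem; do
        hash=$(openssl x509 -hash -noout -in "$pem")
        n=0
        while [ -e "$1/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$1/$hash.$n"
    done
}

# The same check through a directory, i.e. what SSLCACertificatePath gives mod_ssl.
verify_with_path() {   # $1 = rehashed CA directory, $2 = client certificate
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
    case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

# Stand-alone run: prints OK, FAIL, OK.
make_test_pki
verify_with_file "$WORK/configca.pem" "$WORK/client.pem"
verify_with_file "$WORK/unrelated.pem" "$WORK/client.pem"
mkdir "$WORK/otherca" && cp "$WORK/configca.pem" "$WORK/otherca/" && rehash_dir "$WORK/otherca"
verify_with_path "$WORK/otherca" "$WORK/client.pem"
```

The second verify_with_file call is the case to keep in mind: a certificate from any CA other than the one in SSLCACertificateFile is refused, so every issuing CA the clients use has to be in the bundle (or in the rehashed directory). Dropping a new CA file into the directory without running c_rehash again leaves it invisible to mod_ssl, which is why the rehash step is not optional.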
Reference:

Apache Module mod_ssl
