Limit NAM X.509 Authentication to specific Certificate Authority

Introduction

NAM supports X.509 certificate mutual authentication. In mutual authentication a user is issued an X.509 certificate by a trusted source, and that certificate is then used to identify the user. The issuing Certificate Authority has to be imported into the NAM trust store, and that is where the problem in some use cases begins.

Issue

The NAM trust store typically holds many other trusted certificate authorities. This means that if the user submits a user certificate issued by any of those other certificate authorities, authentication still succeeds.
This is not the behaviour wanted in scenarios where many smart cards and X.509 authentications are used across an enterprise. The desired behaviour is that the contract succeeds only if the user submits an X.509 user certificate issued by one particular certificate authority. For example, if the trusted authority is GoDaddy, user authentication should succeed only if the X.509 certificate was issued by GoDaddy.

Why is this useful?

This solution limits a mutual authentication contract to the group of people whose user certificates are issued by one trusted authority. Authentication with a user certificate issued by any other certificate authority fails, even though that certificate authority is also in the NAM trust store.

Solution

NetIQ Access Manager provides documentation that lists the steps to configure X.509 authentication (see References). Please read it; it will help in configuring this solution with NAM. This solution provides a new class that extends the X.509 class, and it has to be configured as a custom class.
This solution guides you through the basic steps of setting up the NAM custom X.509 authentication.

Configuration steps

  1. Download the x509-contract-specific-auth zip file and extract it to a temporary folder.
  2. Copy the jar file to the NAM IDP lib folder: /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib
  3. Copy the custom properties file to the classes folder: /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes
  4. Restart the IDP: /etc/init.d/novell-idp restart
  5. Log in to the Admin Console.
  6. Create the custom X.509 authentication class:

    1. Navigate to Local --> Classes --> New
    2. Select “Other” from the “Java Class” dropdown list
    3. Type a display name
    4. Enter “com.novell.nidp.authentication.local.X509ExtClasss” as the “Java class path”
    5. Click Next
    6. Under Properties add a property named “TRUSTED_CERT_ALIAS” whose value is the comma-separated list of the alias names that were given to the certificate authority chain when it was imported into the NAM trust store (the complete chain: root, intermediate, etc.)

    7. If you need additional configuration of the X.509 class (CRL, OCSP settings, etc.), map the X.509 authentication class configuration from the UI to the following properties.
      The following properties belong to the default X.509 class. Any property that is configured on the default X.509 class and is needed here must be added to the custom class as name=value under its Properties section (map the values from the default X.509 class properties). If no values are configured, no properties need to be added. One attribute that is mandatory for the default X.509 class is not used by the custom class and can be ignored.

      IssuerNameSerialNumberAttribute=
      DirectoryNameAttribute=
      OCSPURL=
      OCSPResponderCertificateAlias=
      RevocationMethod=OCSP-CRL
      DirectoryNamePosition=4
      forceRestartMsg=true
      EmailNamePosition=2
      enableErrJsp=false
      ObjectClassAttribute=
      DisableRootCARevocation=false
      SubjectNamePosition=1
      IssuerNameSerialNumberPosition=3
      LECP=false
      SubjectNameAttribute=
      SignOCSPRequest=false
      EmailNameAttribute=mail
      CRLURL=
      AutoProvision=false

    8. Click OK
    9. Navigate to Methods, click “New” and create a method with this custom class
    10. Select the user store and click OK
    11. Navigate to Contracts and click “New”
    12. Create a new contract with the method created in the previous step, following the documentation for contract configuration.
    13. Click OK
    14. Update the IDP configuration


  7. Test your setup. If there are issues, make sure the alias names are typed correctly and check the IDP logs for additional information about the failure.
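As an added example (not part of this tip and not the custom class's own code), the following shell script reproduces with plain openssl the trust-store behaviour the Issue section describes, so you can see exactly what the TRUSTED_CERT_ALIAS restriction changes and have a quick way to check a CA chain file against a user certificate before importing it into NAM. The two CAs, the users "alice" and "mallory" and all file names are made up, and the keys are throwaway ones generated in a temporary directory.

```shell
#!/bin/sh
# Added example, not NAM product code. Builds two hypothetical CAs, issues one user
# certificate from each, then verifies both users against (a) a store holding every
# CA, which is what the NAM trust store looks like, and (b) a store holding only the
# one CA you would list in TRUSTED_CERT_ALIAS. All material is constructed on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME SUBJECT : self-signed CA certificate and key (throwaway)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

# issue_user CANAME USER CN : end-entity certificate signed by the named CA
issue_user() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against STOREFILE USER : succeeds only if the user cert chains to a CA in
# STOREFILE. The system default store is switched off so it cannot leak in.
verify_against() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# decision STOREFILE USER : prints "accept" or "reject" (what the IDP would do)
decision() {
  if verify_against "$1" "$2"; then echo accept; else echo reject; fi
}

# Constructed PKI: the CA we actually want (like the GoDaddy example in the text)
# and an unrelated CA that also happens to sit in the trust store.
make_ca corp-ca  "/O=Example Corp/CN=Corp Smartcard CA"
make_ca other-ca "/O=Partner Inc/CN=Other Partner CA"
issue_user corp-ca  alice   "alice"
issue_user other-ca mallory "mallory"

# (a) whole NAM trust store: every trusted CA is acceptable for the contract
cat "$WORK/corp-ca.pem" "$WORK/other-ca.pem" > "$WORK/store-all.pem"
# (b) pinned set: only the chain whose alias is listed in TRUSTED_CERT_ALIAS
cp "$WORK/corp-ca.pem" "$WORK/store-pinned.pem"

for user in alice mallory; do
  printf '%-8s whole trust store: %s   pinned CA only: %s\n' "$user" \
    "$(decision "$WORK/store-all.pem" "$user")" \
    "$(decision "$WORK/store-pinned.pem" "$user")"
done
```

With the whole store, mallory's certificate from the unrelated CA is accepted just like alice's; with the pinned store only alice passes, which is the behaviour the custom class enforces inside NAM. To check a real chain before importing it, concatenate the root and intermediate PEM files into one store file and run the same `openssl verify` against a known-good user certificate.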


References

https://www.netiq.com/documentation/access-manager-42-appliance/admin/data/b1tvhkg.html#x509validation
https://www.novell.com/developer/ndk/novell_access_manager_developer_tools_and_examples.html


Revision 3 of 3, last updated 2020-01-31 22:07 by Micro Focus Contributor.