Non-redirected login at Access Gateway
In general, when a user tries to access a protected resource, the authentication procedure at Access Gateway redirects the user to Identity Server. But some user clients/applications do not support redirection; for those, one way to achieve authentication is to use a contract that supports Non-Redirected Login. More details are available here -
When non-redirected login is enabled, Access Gateway prompts the user for basic authentication credentials, so a contract that supports basic authentication credentials, such as Name/Password-Basic or Secure Name/Password-Basic, can be used to protect resources without redirection. Even though basic authentication over HTTPS is acceptable in principle, sometimes it is not acceptable, and in many cases the customer is not keen on using it.
This Cool Solution describes an alternate method to achieve Non-Redirected Login: X.509 client certificate authentication.
To enable X.509 client certificate verification by Access Gateway (AG) with no involvement of Identity Server, first make sure the following prerequisites are met:
- "Enable SSL between Browser and Access Gateway" is enabled in the AG's reverse proxy configuration
- The client certificate is added/exported to the user client
The following steps configure SSL (X.509) client authentication at the AG:
- Copy the CA certificate (signer) of the user certificate to a location on the AG box. Assuming the location is /opt/novell/apache/otherca, the ls -l output should look like:
drwxr-xr-x 2 root root 4096 Oct 11 16:16 otherca
- Assuming the copied CA certificate is named configca.pem, add the following lines to the advanced options of the proxy service where the corresponding protected resource is configured. Apache does not accept a comment on the same line as a directive, so the comments go on their own lines. E.g.
# full path and name of the CA certificate
SSLCACertificateFile /opt/novell/apache2/otherca/configca.pem
# maximum depth of the CA certificate chain that is verified
SSLVerifyDepth 10
- Update the configuration so the change is applied to the AG
If you want to reference only the directory where the CA certificates are copied, rather than a single certificate file, then
- Run /opt/novell/ssllib/bin/c_rehash <full directory path>
- Add SSLCACertificatePath <full directory path> to the advanced options instead of SSLCACertificateFile. E.g
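The directory form depends on the hash links that c_rehash creates, which is easy to get wrong. The script below is an added example, not code from the original article or from Access Manager: it rebuilds a CA directory the way c_rehash does and checks a client certificate against it with the openssl CLI (assumed installed), using a throwaway PKI constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original article: reproduce what c_rehash does
# (one <subject-hash>.0 symlink per CA certificate) and verify a client certificate
# against that directory with openssl, which is the lookup SSLCACertificatePath
# performs on the Access Gateway. Assumes the openssl CLI is installed; every key,
# certificate and directory below is constructed in a temporary directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/otherca"      # stand-in for the directory given to SSLCACertificatePath
WRONG="$WORK/wrongca"      # a directory holding an unrelated CA
NOHASH="$WORK/nohash"      # the right CA, but never passed through c_rehash
mkdir -p "$CADIR" "$WRONG" "$NOHASH"

mkca() {  # $1 = CN, $2 = key file, $3 = certificate file (constructed test CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}
mkca "Config CA" "$WORK/ca.key" "$CADIR/configca.pem"
mkca "Other CA"  "$WORK/other.key" "$WRONG/otherca.pem"
cp "$CADIR/configca.pem" "$NOHASH/"

# Constructed client certificate issued by the "Config CA".
openssl req -newkey rsa:2048 -nodes -subj "/CN=user1" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$CADIR/configca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/user.pem" 2>/dev/null

# Equivalent of c_rehash: Apache/OpenSSL look CA certs up by subject-name hash,
# so each PEM needs a <hash>.0 link; without it the PEM is simply never found.
rehash_dir() {
    for pem in "$1"/*.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$pem")
        ln -sf "$(basename "$pem")" "$1/$h.0"
    done
}
rehash_dir "$CADIR"
rehash_dir "$WRONG"

# Exit status 0 when the certificate chains to a CA in the directory within the
# given chain depth, the same check that SSLVerifyDepth bounds on the gateway.
verify_client_cert() {  # $1 = client cert, $2 = CA directory, $3 = max depth
    openssl verify -CApath "$2" -verify_depth "$3" "$1" >/dev/null 2>&1
}

verify_client_cert "$WORK/user.pem" "$CADIR" 10 && echo "accepted by configca directory"
verify_client_cert "$WORK/user.pem" "$WRONG" 10 || echo "rejected: unrelated CA"
verify_client_cert "$WORK/user.pem" "$NOHASH" 10 || echo "rejected: directory not rehashed"
```

The third case is the one to remember: a CA file that is present in the directory but not rehashed is silently ignored, so client certificates are rejected even though the certificate is "there".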