Non-redirected login at Access Gateway

Introduction

In general, when a user tries to access a protected resource, the authentication procedure at Access Gateway redirects the user to Identity Server. For special user clients or applications that do not support redirection, one way to achieve authentication is to use a contract that supports Non-Redirected Login. More details are available here:

https://www.netiq.com/documentation/access-manager-45/admin/data/prlist.html#contractextensions 

https://www.netiq.com/documentation/access-manager-45/admin/data/bojrjyw.html

When non-redirected login is enabled, Access Gateway prompts the user for basic authentication credentials, so a contract that accepts such credentials, such as Name/Password-Basic or Secure Name/Password-Basic, can be used to protect resources without redirection. Although basic authentication over HTTPS is reasonably secure, it is sometimes not acceptable, and in many cases the customer is not keen on using it.

This cool solution describes an alternate method to achieve Non-Redirected Login: X.509 client certificate authentication.

To enable X.509 client certificate verification at Access Gateway (AG) with no involvement of Identity Server, go through the following section.

Solution

Prerequisites
  • "Enable SSL between Browser and Access Gateway" is enabled in the AG reverse proxy configuration
  • The client certificate is added/exported to the user-client

The following steps achieve SSL (X.509) client authentication at AG:

  • Copy the CA certificate (signer) of the user certificate to a location on the AG box. Assuming the location is /opt/novell/apache2/otherca, the ls -l output should look like

drwxr-xr-x 2 root root 4096 Oct 11 16:16 otherca
  • Assuming the copied CA certificate is named configca.pem, add the following lines to the advanced options of the proxy service where the corresponding protected resource is configured. Apache does not accept a trailing comment on a directive line, so the explanatory comments are placed on their own lines. E.g.
# full path & name of the CA certificate
SSLCACertificateFile /opt/novell/apache2/otherca/configca.pem
SSLVerifyClient require
# maximum depth of the CA certificate chain
SSLVerifyDepth 10
  • Update the configuration

To reference only the location/path where the certificate is copied, instead of naming the file:

  • Run /opt/novell/ssllib/bin/c_rehash <full directory name/path>, which creates the hash-named symlinks mod_ssl needs to look up the CA certificate by issuer hash
  • Add SSLCACertificatePath <full directory name/path> to the advanced options instead of SSLCACertificateFile. E.g.
SSLCACertificatePath /opt/novell/apache2/otherca
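As an added example that is not part of the original article, the following POSIX shell script builds a throw-away CA and client certificate with the openssl CLI and checks offline what the advanced options above rely on: that the CA file verifies the client certificate within the configured SSLVerifyDepth, and that a directory prepared the way c_rehash prepares it works as SSLCACertificatePath. The directory layout, certificate names and "rogue" certificate are the example's own constructions; the scratch directory stands in for /opt/novell/apache2/otherca.

```shell
#!/bin/sh
# Added example (not from the original article): build a constructed CA and client cert,
# then check offline what the AG advanced options rely on: the CA file verifies the client
# cert within SSLVerifyDepth, and the CApath directory is hashed the way c_rehash hashes it.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch dir; $WORK/otherca stands in for /opt/novell/apache2/otherca
# Constructed PKI: configca.pem (CA:TRUE, keyCertSign), a client cert it signed,
# and a self-signed "rogue" cert that SSLVerifyClient require must reject.
make_test_pki() {
  [ -f "$WORK/rogue.pem" ] && return 0         # idempotent: reuse the PKI on a second call
  mkdir -p "$WORK/otherca"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' '[dn]' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/otherca/configca.pem" 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/otherca/configca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/client.pem" 2>/dev/null
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
}

# What c_rehash does: link each CA cert as <subject_hash>.0 so an SSLCACertificatePath
# lookup by the client cert's issuer hash finds it.
rehash_dir() {
  for pem in "$1"/*.pem; do
    ln -sf "$(basename "$pem")" "$1/$(openssl x509 -in "$pem" -noout -subject_hash).0"
  done
}
# Equivalent of mod_ssl's check for SSLCACertificateFile $1 with SSLVerifyDepth $3.
verify_with_file() {   # $1 CA file, $2 client cert, $3 depth
  openssl verify -CAfile "$1" -verify_depth "$3" -purpose sslclient "$2" >/dev/null 2>&1
}
# Equivalent check for SSLCACertificatePath $1 (needs the hashed links from rehash_dir).
verify_with_path() {   # $1 CA dir, $2 client cert
  openssl verify -CApath "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

run_checks() {
  make_test_pki
  rehash_dir "$WORK/otherca"
  ca="$WORK/otherca/configca.pem"
  verify_with_file "$ca" "$WORK/client.pem" 10 || { echo "FAIL: client.pem rejected via CAfile"; return 1; }
  verify_with_path "$WORK/otherca" "$WORK/client.pem" || { echo "FAIL: client.pem rejected via CApath"; return 1; }
  verify_with_file "$ca" "$WORK/rogue.pem" 10 && { echo "FAIL: rogue.pem accepted"; return 1; }
  echo "OK: client.pem accepted via CAfile and CApath; rogue.pem rejected"
}
run_checks
```

The verify_with_file and verify_with_path functions can be pointed at the real configca.pem and a certificate exported from a user-client to validate them before the proxy service configuration is updated.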
Reference:

Apache Module mod_ssl

Last update: 2019-10-16 14:59