Friday, November 25, 2022

Add authentication certificate to cac. Updating Email Encryption and Signing Certificates

Activating a PIV Authentication Certificate



 

CAC Authentication

SL1 supports CAC authentication. The CAC (Common Access Card) is a United States DoD smartcard issued as standard identification for active duty military personnel, reserve personnel, civilian employees, and eligible contractor personnel. This client-side certificate allows the CAC to authenticate with web servers that include the server-side security certificate from the DoD certificate authority.

Web servers with the server-side security certificate are deemed secure for DoD use. You can install server-side certificates on the user interface appliances and then authenticate access to those web servers with a CAC or a client-side certificate associated with a user's web browser.

When authentication of the client-side certificate against the server-side certificate is successful, the CAC is used as the user's authentication to SL1.

Follow the steps described in this section to configure your CAC authentication, regardless of which user interface you use.

NOTE: Currently, SL1 does not support client-side certificate authentication for login to the console, either through SSH or through a keyboard connected to the appliance.

To use client certificate authentication with SL1, you must first meet the following requirements:

To display only part of the Common Name as the username in SL1 after CAC authentication, you can edit the ScienceLogic configuration file. You do not need to do this if you are using the msUPN.

SSL uses a private key to encrypt data to be transferred over an Internet connection. It is a best practice to check each certificate file before attempting to import the file.

If you encounter an error, resolve that error before you continue.

Description of the certificate.

CA File. Browse for the server-side certificate file on your local computer.

If this meets your requirements, then you do not need to update the configuration file and can skip this section. However, if you require that SL1 use only a portion of the CN, then you can edit the certificate configuration file to parse out a username from the CN in the certificate.

For example, in some instances you might want to use an employee's ID number as the username. To do that, you must edit the Nginx configuration file. Modify the file to extract the CN from the full Distinguished Name (DN) found in the certificate, based on how you want to map the username to an LDAP system or how you want the usernames to look if you are using SL1 internal as the backend of your authentication configuration.

Modify the string to extract the name. The following is a regular expression that extracts the CN from the full DN found in the certificate:

When you define a CAC or client-side certificate on a web browser, you are actually selecting a server-side certificate on the SL1 appliance and testing the client-side certificate on your browser or your CAC against the certificate on the appliance.
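Deriving a username from the certificate DN, as discussed above, depends on the CN pattern being anchored to the start of an attribute. The following is an added example in Python, not the ScienceLogic regular expression and not part of the original page; the sample DNs are constructed, and the assumption that the ID number is the run of digits ending the CN is illustrative.

```python
import re

# Constructed sample DNs in comma-separated form (not taken from the page).
SAMPLE_DN = "CN=DOE.JOHN.Q.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US"
# Here an OU value happens to contain the text "CN=".
TRICKY_DN = "OU=Dept CN=0000,CN=ROE.JANE.9876543210,O=U.S. Government,C=US"

# Loose pattern: matches "CN=" anywhere, even inside another attribute's value.
LOOSE_CN = re.compile(r"CN=([^,]+)")
# Anchored pattern: "CN=" must begin an attribute (start of DN or after a comma).
# Limitation: escaped commas inside a value are not handled.
ANCHORED_CN = re.compile(r"(?:^|,)\s*CN=([^,]+)")
# Assumption: the employee ID is the run of digits that ends the CN.
TRAILING_ID = re.compile(r"\.(\d+)$")


def common_name(dn, pattern=ANCHORED_CN):
    """Return the CN value found by `pattern`, or None if there is none."""
    match = pattern.search(dn)
    return match.group(1).strip() if match else None


def username_from_dn(dn):
    """Map a DN to a username: the trailing digits of its CN.

    Raises ValueError instead of falling back to a partial or empty name,
    so a certificate with an unexpected subject is rejected, not mis-mapped.
    """
    cn = common_name(dn)
    if cn is None:
        raise ValueError("no CN attribute in DN")
    match = TRAILING_ID.search(cn)
    if match is None:
        raise ValueError(f"CN {cn!r} does not end in an ID number")
    return match.group(1)


if __name__ == "__main__":
    for dn in (SAMPLE_DN, TRICKY_DN):
        print("loose   :", common_name(dn, LOOSE_CN))
        print("anchored:", common_name(dn))
        print("username:", username_from_dn(dn))
```
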

You can also define some custom settings for client-side certificate authentication. You can define error messages that are displayed to the end user if authentication fails. Optionally, you can also define IP addresses in this modal for which the user interface will not perform certificate authentication, if you have not already created an Authentication Profile for this purpose.

When authentication is successful, the user interface displays the ScienceLogic Login page to the user.

To define the authentication settings:

Supply a value in each of the following fields:

Root CA Certificates. Your client-side certificate will be authenticated against the selected server-side root and intermediate certificates.

You cannot save your authentication settings until you enter text in the "Auth Failure Message" field.

Ignore Networks. In this field, you can enter a list of networks and hosts from which certificate authentication is not required.

During each login, the platform will compare the client's IP address to the list entered in this field. If the client's IP address is included in this field, SL1 will not require certificate authentication from that client. If you are using Authentication Profiles to configure access from specific resources from which certificate authentication is not required, you do not need to use the Ignore Networks field.

In the list of IPs to ignore, you can enter only the first octet, only the first and second octets, only the first, second, and third octets, or all four octets. For example:

Click the Save button to save your settings. The user interface displays the message: Settings Saved Successfully. Configuration must be tested in order to take effect. Do not click the Test link at this time.

After you have imported your SSL certificates and configured your client certificate chain, it is important to verify that your certificate files were imported correctly and are valid in SL1.
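Because every Ignore Networks entry exempts clients from certificate authentication, it helps to see exactly which addresses a partial entry covers. The following is an added example in Python, not SL1 code and not part of the original page; it assumes that an entry of N octets means "the first N octets match exactly" (a /8, /16, /24 or /32 network), and the entries and client addresses are constructed.

```python
import ipaddress


def entry_to_network(entry):
    """Convert a 1-4 octet entry ('10', '10.1', '10.1.2.3') to an IPv4 network.

    Assumption: N octets mean "match the first N octets exactly", i.e. /(8*N).
    """
    octets = entry.strip().split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"expected 1 to 4 octets, got {entry!r}")
    for octet in octets:
        if not (octet.isascii() and octet.isdigit() and int(octet) <= 255):
            raise ValueError(f"bad octet {octet!r} in {entry!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(padded)}/{8 * len(octets)}")


def is_ignored(client_ip, entries):
    """True if client_ip falls inside any Ignore Networks entry."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in entry_to_network(e) for e in entries)


def naive_is_ignored(client_ip, entries):
    """String-prefix comparison, shown only to expose how it over-matches."""
    return any(client_ip.startswith(e) for e in entries)


# Constructed sample list and clients (not taken from the page).
IGNORE = ["10.1", "192.168.5.20"]
CLIENTS = ["10.1.7.9", "10.10.7.9", "192.168.5.20", "192.168.5.200"]


def compare():
    """Return {client: (octet_aware, naive)} for the sample data."""
    return {c: (is_ignored(c, IGNORE), naive_is_ignored(c, IGNORE)) for c in CLIENTS}


if __name__ == "__main__":
    for client, (exact, naive) in compare().items():
        flag = "  <-- string prefix over-matches" if naive and not exact else ""
        print(f"{client:15} octet-aware={exact!s:5} naive={naive!s:5}{flag}")
```

Running the same comparison over a proposed Ignore Networks list before saving it shows whether any entry exempts more hosts than intended.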

All of the following must be true. If any of these are not true, then the certificate file was not imported and saved correctly in SL1:

This will ensure the best outcome when testing.

After you define the certificate authentication settings, you must test your client-side certificate against the server-side certificate you selected in the Root CA Certificates field. Testing your configuration is required so that an incorrect configuration does not lock administrators out of the user interface.

If the test is successful, the certificate authentication settings will be applied. If the test is unsuccessful, the certificate authentication settings will not be applied.

To test certificate authentication settings:

After defining the certificate, you will see the following message at the top of the pane: Configuration must be tested in order to take effect: TEST.

If the test authentication is successful, SL1 will display the following message at the top of the pane and end users with the appropriate client certificate or CAC can now access the user interface using client certificate authentication: Configuration verified and enabled. You can select one of the following values for this field: Allowed.

This is the default value. If a CAC user does not have an account defined in the platform, the login screen is displayed. NOTE: ScienceLogic recommends that you set this field to Locked unless your implementation specifically requires one of the other options.

For example, the following are some reasons you might want to use another authentication type:

By default, SL1 is configured to handle the typical certificate hierarchy, which comprises three levels: root, intermediate, and client certificates. This represents a depth of 2 from the root to the client certificate.

   

