Source:Configuring Certificate-Based Authentication: Difference between revisions
Revision as of 12:45, 23 September 2021
Overview
As of SEP sesam v. 5.0.0 Jaglion, if database-based authentication is enabled, it is possible to authenticate users via a signed certificate instead of using a username and password.
However, if you combine database-based authentication with LDAP or AD authentication, users from external authentication sources (LDAP/AD) cannot use certificate-based authentication; LDAP/AD authentication requires password-based authentication. For more details on SEP sesam authentication, see About Authentication and Authorization.
Configuring authentication using a signed certificate
Configuring authentication with a signed certificate requires superuser privileges. You have to create a user authentication certificate and assign it to a user account. The easiest way is to use the SEP sesam GUI, where the certificate is automatically created and assigned to a user account. Optionally, you can also create and assign a certificate manually, but this requires additional steps.
Then the user can authenticate via the certificate in one of the SEP sesam interfaces (SEP sesam GUI, SEP sesam Web UI, SEP sesam CLI).
Creating a user authentication certificate in the GUI
In the SEP sesam GUI, you can easily set a user authentication certificate that is automatically created and assigned to a user.
- From the SEP sesam GUI menu bar, select Configuration -> Permission Management.
- Double-click the user for whom you want to create a user authentication certificate. In the new Change User window, click New.
- Select a folder on your computer where you want to save the certificate and click Save. The certificate and thumbprint are created automatically.
- In both open dialogs, click OK to set the certificate.
Creating a user authentication certificate manually
Optionally, you can also create and assign a user authentication certificate manually. This procedure involves the following steps:
- A user creates a user authentication certificate signing request (CSR) and sends it to an administrator with superuser privileges.
- The superuser (system administrator) signs the certificate.
- The superuser then assigns the certificate to a user account.
Creating a user authentication certificate signing request (user side)
If you already have an SSL private key that you want to create a certificate for, skip step 1 and go to step 2.
- Create a new private key as follows:
  openssl genrsa -out <key name>.key
- Create a certificate signing request (CSR) from the private key:
  openssl req -new -key <key name>.key -out <key name>.csr
- Send the CSR to your system administrator.
Signing the user authentication certificate (by a user with superuser privileges)
- Navigate to the directory where you placed the user CSR file and sign the CSR with the REST server user authentication certificate:
  openssl x509 -trustout -days <days> -req -signkey <SESAM_VAR>/ini/ssl/sesam.auth.key -in <key name>.csr -out <key name>.crt
- Get the thumbprint of the signed user authentication certificate:
  openssl x509 -noout -fingerprint -sha1 -inform pem -in <key name>.crt
- Send the user authentication certificate (crt) back to the user.
Note: In SEP sesam v. < 5.0.0 Jaglion, the REST server user authentication certificate signing key is named sesam.gui.key.
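The manual procedure above (user creates a key and CSR, superuser signs it and takes the SHA-1 thumbprint) as an added shell example; it is not code from the SEP sesam documentation or product. It wraps the same openssl commands in functions so both sides can be run and checked locally, and it also computes the thumbprint by hand to show that the value entered in Change User is simply the SHA-1 of the certificate's DER encoding. The signing key path is a parameter: on a real server it is <SESAM_VAR>/ini/ssl/sesam.auth.key (sesam.gui.key before 5.0.0 Jaglion); the demo generates a throwaway stand-in so the script runs offline. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example; not taken from the SEP sesam documentation or its code.
# Runs the manual CSR -> sign -> thumbprint procedure from this page locally.
#
# ASSUMPTION: the signing key is passed in as a parameter. On a real server it
# is <SESAM_VAR>/ini/ssl/sesam.auth.key (sesam.gui.key before 5.0.0 Jaglion);
# run_manual_flow below generates a throwaway stand-in so this runs offline.

# User side: private key plus CSR.  $1 = key name (file stem), $2 = CN.
user_create_csr() {
    name=$1; cn=$2
    openssl genrsa -out "$name.key" 2048 2>/dev/null
    chmod 600 "$name.key"      # private key: readable only by its owner
    openssl req -new -key "$name.key" -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
}

# Superuser side: sign the CSR with the REST server's user authentication key,
# using the same openssl x509 invocation as the page.
# $1 = key name, $2 = validity in days, $3 = path of the signing key.
admin_sign_csr() {
    name=$1; days=$2; authkey=$3
    openssl x509 -trustout -days "$days" -req -signkey "$authkey" \
        -in "$name.csr" -out "$name.crt" 2>/dev/null
}

# Thumbprint as the page extracts it: SHA-1 fingerprint as colon-separated
# uppercase hex (AB:CD:...).  $1 = certificate file.
cert_thumbprint() {
    openssl x509 -noout -fingerprint -sha1 -inform pem -in "$1" | cut -d= -f2
}

# The same value computed by hand: SHA-1 over the DER encoding of the
# certificate. Converting the file between PEM and DER leaves it unchanged;
# re-signing the certificate changes it, so the old thumbprint stops matching.
cert_thumbprint_from_der() {
    openssl x509 -in "$1" -outform der 2>/dev/null \
        | openssl dgst -sha1 -binary \
        | od -An -tx1 | tr -d ' \n' \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Whole flow in one directory; echoes the thumbprint the superuser would
# enter in the GUI.  $1 = working directory, $2 = user name.
run_manual_flow() {
    workdir=$1; user=$2
    mkdir -p "$workdir"
    ( cd "$workdir" || exit 1
      # constructed stand-in for sesam.auth.key (NOT the server's real key)
      openssl genrsa -out sesam.auth.key 2048 2>/dev/null
      user_create_csr "$user" "$user"
      admin_sign_csr "$user" 365 sesam.auth.key
      cert_thumbprint "$user.crt" )
}

demo_dir=$(mktemp -d)
echo "thumbprint for alice: $(run_manual_flow "$demo_dir" alice)"
```

Running the script prints a 59-character thumbprint (20 bytes as hex pairs separated by colons); cert_thumbprint and cert_thumbprint_from_der agree for the same file, which is a quick way to confirm a thumbprint copied from a ticket or e-mail still belongs to the certificate the user actually holds.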
Assigning the user authentication certificate to a user account (by a user with superuser rights)
To assign the user authentication certificate to a user account, do the following:
- From the SEP sesam GUI menu bar, select Configuration -> Permission Management.
- Double-click the user account to which a user authentication certificate should be assigned. The new window Change User opens.
- Click the + (plus) button and enter or paste the user authentication certificate thumbprint in the Add Thumbprint window.
- In both open dialogs, click OK to add the certificate to the Certificate Thumbprints list.
Using the user authentication certificate for authentication (user side)
A user obtains the authentication certificate from the administrator (with superuser privileges) and must store it in a location that is readable only by the user. Once this is done, the user should be able to authenticate via the certificate using one of the SEP sesam interfaces (SEP sesam GUI, SEP sesam Web UI, SEP sesam CLI) as described below.
Authentication in the GUI
To authenticate via a certificate in the GUI, proceed as follows:
- Start the SEP sesam GUI as administrator and verify that the user name is correct.
- Use the Browse button to select the user authentication certificate or enter the absolute path to the user authentication certificate file in the Certificate file field.
- Click the Login button or press Enter to authenticate the user to the SEP sesam Server and open the SEP sesam GUI.
Note: The user authentication certificate can also be specified when starting the SEP sesam Administrator GUI using the -z <absolute path of the user authentication certificate file> parameter. If the authentication is successful, the login dialog will not be displayed and the GUI will open immediately.
Authentication in the Web UI
To authenticate via a certificate in the Web UI, proceed as follows:
- Enter the administrator username.
- Use the Choose File button to select the user authentication certificate file from your computer.
- Click the Sign in button or press Enter to authenticate the user to the SEP sesam Server and open the SEP sesam Web UI.
Authentication in the SEP sesam CLI
To authenticate using a certificate in the SEP sesam CLI, use the following command line options:
sm_cmd ... -U <user name> -z <absolute path of the user authentication certificate file> ...
Replacing the self-signed certificate with a custom user authentication server certificate
As soon as the REST server starts, it generates a self-signed user authentication server certificate and private key. Normally, these are sufficient to enable the certificate-based user authentication described above.
However, a server administrator (superuser) may want to replace the self-signed certificate with the official company certificate (root user authentication certificate) signed by a publicly trusted certificate authority (CA). If you want to use the certificate and the private key as root user authentication certificate, add both to the <SESAM_VAR>/ini/ssl directory and name the files sesam.auth.crt (certificate) and sesam.auth.key (private key).
In this case, the REST server will perform the following on startup to find the root user authentication certificate:
- If a certificate and associated private key are specified via command line options ([-Z|--sesamUserSslCertificate] <absolute file name certificate>, [-K|--sesamUserSslPrivateKey] <absolute file name private key>), it attempts to use the specified files.
- If the variable gv_ro_ssl_auth is present in sm.ini (PATHES section), this location is probed next using the default file names.
- If the variable gv_ro_ssl is present in sm.ini (PATHES section), this location is checked next using the default file names.
- Finally, it looks at the default location using the default file names (default location = <SESAM_VAR>/ini/ssl, default file names = sesam.auth.crt, sesam.auth.key).
To verify that the correct root user authentication certificate is used, in the sm_gui_server.log look for a line that reads:
Enabling certificate-based user authentication using root certificate file <absolute path of the certificate file used>
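The lookup order and the log check described above, as an added shell example that is not part of the SEP sesam documentation or product. It provides three checks a superuser can run when replacing the self-signed certificate: resolve_root_cert_dir mirrors the startup search order on the page (-Z/-K options, then gv_ro_ssl_auth, then gv_ro_ssl in the sm.ini PATHES section, then <SESAM_VAR>/ini/ssl); check_root_cert_pair verifies that sesam.auth.crt and sesam.auth.key belong together before they are put in place; log_root_cert_path extracts the path from the sm_gui_server.log line quoted above. Two things are this example's assumptions rather than documented behaviour: sm.ini is parsed as plain name=value lines under a [PATHES] header, and an sm.ini location is only accepted when both default file names exist there (the page says the location is "probed"; the fall-through is this example's reading). The sm.ini, log line and certificate pair in the demo are constructed.

```shell
#!/bin/sh
# Added example; not taken from the SEP sesam documentation or its code.
# ASSUMPTIONS: sm.ini is plain name=value lines under [PATHES]; an sm.ini
# location is only used when both sesam.auth.crt and sesam.auth.key exist
# there (this example's reading of "probed" on the page).

# Value of $2 in the [PATHES] section of the ini file $1 (empty if absent).
ini_pathes_value() {
    awk -F= -v k="$2" '
        /^\[/            { insec = ($0 == "[PATHES]"); next }
        insec && $1 == k { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Echo where the REST server would take the root certificate from, in the
# page's order.  $1 = -Z certificate (or ""), $2 = -K private key (or ""),
# $3 = sm.ini, $4 = <SESAM_VAR>.  Output: "cli <crt> <key>" or "dir <path>".
resolve_root_cert_dir() {
    if [ -n "$1" ] && [ -n "$2" ]; then
        echo "cli $1 $2"; return 0
    fi
    for var in gv_ro_ssl_auth gv_ro_ssl; do
        d=$(ini_pathes_value "$3" "$var")
        if [ -n "$d" ] && [ -f "$d/sesam.auth.crt" ] && [ -f "$d/sesam.auth.key" ]; then
            echo "dir $d"; return 0
        fi
    done
    echo "dir $4/ini/ssl"
}

# True if the public key inside $1/sesam.auth.crt equals the public key
# derived from $1/sesam.auth.key, i.e. the two files form a usable pair.
check_root_cert_pair() {
    crt_pub=$(openssl x509 -in "$1/sesam.auth.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$1/sesam.auth.key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Certificate path reported at startup: last matching line of the log $1.
log_root_cert_path() {
    sed -n 's/^.*Enabling certificate-based user authentication using root certificate file //p' "$1" \
        | tail -n 1
}

# Build a constructed <SESAM_VAR> tree, run the checks and print the outcome.
demo() {
    sv=$(mktemp -d); mkdir -p "$sv/ini/ssl" "$sv/custom_ssl"
    # constructed self-signed pair standing in for the company certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=root-auth-demo" \
        -keyout "$sv/custom_ssl/sesam.auth.key" \
        -out "$sv/custom_ssl/sesam.auth.crt" 2>/dev/null
    printf '[PATHES]\ngv_ro_ssl_auth=%s\n' "$sv/custom_ssl" > "$sv/sm.ini"
    # constructed log line in the format quoted on this page
    printf 'Enabling certificate-based user authentication using root certificate file %s/sesam.auth.crt\n' \
        "$sv/custom_ssl" > "$sv/sm_gui_server.log"
    echo "lookup: $(resolve_root_cert_dir "" "" "$sv/sm.ini" "$sv")"
    if check_root_cert_pair "$sv/custom_ssl"; then echo "pair:   ok"; else echo "pair:   MISMATCH"; fi
    echo "log:    $(log_root_cert_path "$sv/sm_gui_server.log")"
}
demo
```

After a restart, compare the output of log_root_cert_path against the directory you expected resolve_root_cert_dir to pick; a differing path usually means a higher-priority source (command line option or an sm.ini variable) still points at the old self-signed files.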
See also
Configuring SSL Secured Communication for SEP sesam Backup Network – About Authentication and Authorization – Configuring Database-Based Authentication