Source:Configuring Certificate-Based Authentication: Difference between revisions
(Updating as proposed by UST/KAD (#27549).) |
(Marked this version for translation) |
||
(11 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
<noinclude><div class="noprint"><languages /> | <noinclude><div class="noprint"><languages /> | ||
<translate>==Overview== <!--T:3--></translate> | <translate>==Overview== <!--T:3--></translate> | ||
</div></noinclude><translate><!--T:9--> | |||
As of SEP sesam v. [[SEP_sesam_Release_Versions|5.0.0 ''Jaglion'']], if [[Special:MyLanguage/About_Authentication_and_Authorization#database|database-based authentication]] is enabled, it is possible to authenticate users via a signed certificate instead of using a username and password.</translate> | |||
=={{anchor|configuration}}<translate><!--T:11--> | |||
Configuring authentication using a signed certificate== | |||
<!--T:71--> | |||
Configuring authentication with a signed certificate requires [[Special:MyLanguage/SEP_sesam_User_Types|superuser]] privileges. You have to create a user authentication certificate and assign it to a user account. The easiest way is to [[#GUI|use the SEP sesam GUI]], where the certificate is automatically created and assigned to a user account. Optionally, you can also [[#manually|create and assign a certificate manually]], but this requires additional steps. | |||
<!--T: | <!--T:72--> | ||
Then the [[#authentication|user can authenticate via the certificate]] in one of the SEP sesam interfaces ([[Special:MyLanguage/SEP_sesam_Glossary#GUI|SEP sesam GUI]], [[Special:MyLanguage/SEP_sesam_Glossary#SEP_sesam_web_UI|SEP sesam Web UI]], [[Special:MyLanguage/SEP_sesam_Glossary#CLI|SEP sesam CLI]]).</translate> | |||
=={{anchor| | ==={{anchor|GUI}}<translate><!--T:73--> | ||
Creating a user authentication certificate in the GUI=== | |||
<!--T:74--> | |||
In the SEP sesam GUI, you can easily set a user authentication certificate that is automatically created and assigned to a user.</translate> | In the SEP sesam GUI, you can easily set a user authentication certificate that is automatically created and assigned to a user.</translate> | ||
<ol><li><translate> | <ol><li><translate><!--T:75--> From the SEP sesam GUI menu bar, select '''Configuration''' ‐> '''Permission Management'''.</translate></li> | ||
<li><translate>Double-click the ''user'' for whom you want to create a user authentication certificate. In the new window ''Change User'' click '''New'''.</translate></li> | <li><translate><!--T:76--> Double-click the ''user'' for whom you want to create a user authentication certificate. In the new window ''Change User'' click '''New'''.</translate></li> | ||
<translate>[[Image:Authentication_via_certificate_new.jpg|link=]]</translate> | <translate><!--T:77--> [[Image:Authentication_via_certificate_new.jpg|link=]]</translate> | ||
<br clear=all> | <br clear=all> | ||
<li><translate>Select a folder on your computer where you want to | <li><translate><!--T:78--> Select a folder on your computer where you want to save the certificate and click '''Save'''. The certificate and thumbprint are created automatically.</translate></li> | ||
<translate>[[Image:Authentication_via_certificate_save.jpg|link=]]</translate> | <translate><!--T:79--> [[Image:Authentication_via_certificate_save.jpg|link=]]</translate> | ||
<br clear=all> | <br clear=all> | ||
<li><translate>In both open dialogs, click '''OK''' to set the certificate.</translate></li> | <li><translate><!--T:80--> In both open dialogs, click '''OK''' to set the certificate.</translate></li> | ||
</ol> | </ol> | ||
==={{anchor|manually}}<translate><!--T:81--> | |||
Creating a user authentication certificate manually=== | |||
<!--T:82--> | |||
Optionally, you can also create and assign a user authentication certificate manually. This procedure involves the following steps:</translate> | |||
#<translate><!--T:13--> A user [[#signing_request|creates a user authentication certificate signing request (CSR)]] and sends it to an administrator with superuser privileges.</translate> | |||
#<translate><!--T:83--> The superuser (system administrator) [[#sign_certificate|signs the certificate]].</translate> | |||
#<translate><!--T:84--> | |||
The superuser then [[#assign_certificate|assigns the certificate to a user account]].</translate> | |||
#<translate><!--T:86--> For LDAP/AD based authentication, the administrator binds the certificate to the user in LDAP/AD. For instructions refer to the corresponding LDAP/AD server documentation.</translate> | |||
===={{anchor|signing_request}}<translate><!--T:16--> Creating a user authentication certificate signing request (user side)</translate>==== | |||
{{Note|<translate> <!--T:88--> The private key must be in PKCS8 format. If you have a key in another format, you need to convert it to PKCS8 first. For this you can use the <code>openssl</code> utility.</translate>}} | |||
<!--T:17--> | <translate><!--T:17--> | ||
If you already have an SSL private key that you want to create a certificate for, skip ''step 1'' and go to ''step 2''.</translate> | If you already have an SSL private key that you want to create a certificate for, skip ''step 1'' and go to ''step 2''.</translate> | ||
<ol><li><translate><!--T:18--> Create a new private key as follows:</translate></li> | <ol><li><translate><!--T:18--> Create a new private key as follows:</translate></li> | ||
<pre> openssl genrsa -out <translate><!--T:19--> <key name></translate>.key</pre> | |||
<li><translate><!--T:20--> Create a certificate signing request (CSR) from the private key:</translate></li> | <li><translate><!--T:20--> Create a certificate signing request (CSR) from the private key:</translate></li> | ||
<pre> openssl req -new -key <translate><!--T:21--> <key name></translate>.key -out <translate><!--T:22--> <key name></translate>.csr</pre> | |||
<li><translate><!--T:23--> Send the CSR to your system administrator.</translate></li> | <li><translate><!--T:23--> Send the CSR to your system administrator.</translate></li> | ||
</ol> | </ol> | ||
===={{anchor|sign_certificate}}<translate><!--T:24--> Signing the user authentication certificate (by a user with superuser privileges)</translate>==== | |||
<ol><li><translate><!--T:25--> Navigate to the directory where you placed the user CSR file and sign the CSR with the ''REST server user authentication certificate'':</translate></li> | <ol><li><translate><!--T:25--> Navigate to the directory where you placed the user CSR file and sign the CSR with the ''REST server user authentication certificate'':</translate></li> | ||
<pre> openssl x509 -trustout -days <translate><!--T:26--> <days></translate> -req -signkey <SESAM_VAR>/ini/ssl/sesam.auth.key -in <translate><!--T:27--> <key name></translate>.csr -out <translate><!--T:28--> <key name></translate>.crt</pre> | |||
{{ | {{Note|<translate><!--T:30--> In SEP sesam v. < 5.0.0 ''Jaglion'', the REST server user authentication certificate signing key is named <tt>sesam.gui.key</tt>.</translate>}} | ||
<li><translate><!--T:31--> Get the thumbprint of the signed user authentication certificate:</translate></li> | <li><translate><!--T:31--> Get the thumbprint of the signed user authentication certificate:</translate></li> | ||
<translate> | |||
<!--T:85--> | |||
<pre> | |||
openssl x509 -noout -fingerprint -sha1 -inform pem -in <key name>.crt</translate></pre> | |||
<li><translate><!--T:32--> Send the user authentication certificate (<tt>crt</tt>) back to the user.</translate></li> | <li><translate><!--T:32--> Send the user authentication certificate (<tt>crt</tt>) back to the user.</translate></li> | ||
</ol> | </ol> | ||
===={{anchor|assign_certificate}}<translate><!--T:33--> | |||
Assigning the user authentication certificate to a user account (by a user with superuser rights)==== | |||
<!--T:34--> | <!--T:34--> | ||
To assign the user authentication certificate to a user account, do the following:</translate> | To assign the user authentication certificate to a user account, do the following:</translate> | ||
<ol><li><translate><!--T:35--> | <ol><li><translate><!--T:35--> From the SEP sesam GUI menu bar, select '''Configuration''' ‐> '''Permission Management'''.</translate></li> | ||
<li><translate><!--T:36--> Double-click the ''user account'' to which a user authentication certificate should be assigned. The new window ''Change User'' opens.</translate></li> | <li><translate><!--T:36--> Double-click the ''user account'' to which a user authentication certificate should be assigned. The new window ''Change User'' opens.</translate></li> | ||
<li><translate><!--T:37--> Click the '''+''' (plus) button and enter or paste the user authentication certificate thumbprint in the ''Add Thumbprint'' window.</translate></li> | <li><translate><!--T:37--> Click the '''+''' (plus) button and enter or paste the user authentication certificate thumbprint in the ''Add Thumbprint'' window.</translate></li> | ||
Line 97: | Line 82: | ||
</ol> | </ol> | ||
==={{anchor|authentication}}<translate><!--T:40--> | |||
Using the user authentication certificate for authentication (user side)=== | |||
<!--T:41--> | <!--T:41--> | ||
A user obtains the authentication certificate from the administrator (with superuser privileges) and must store it in a location that is readable only by the user. Once this is done, the user should be able to authenticate via the certificate using one of the SEP sesam interfaces ([[Special:MyLanguage/SEP_sesam_Glossary#GUI|SEP sesam GUI]], [[Special:MyLanguage/SEP_sesam_Glossary#SEP_sesam_web_UI|SEP sesam Web UI]], [[Special:MyLanguage/SEP_sesam_Glossary#CLI|SEP sesam CLI]]) as described below. | A user obtains the authentication certificate from the administrator (with superuser privileges) and must store it in a location that is readable only by the user. Once this is done, the user should be able to authenticate via the certificate using one of the SEP sesam interfaces ([[Special:MyLanguage/SEP_sesam_Glossary#GUI|SEP sesam GUI]], [[Special:MyLanguage/SEP_sesam_Glossary#SEP_sesam_web_UI|SEP sesam Web UI]], [[Special:MyLanguage/SEP_sesam_Glossary#CLI|SEP sesam CLI]]) as described below.</translate> | ||
===={{anchor|GUI}} | ===={{anchor|GUI}}<translate><!--T:42--> | ||
Authentication in the GUI==== | |||
<!--T:43--> | <!--T:43--> | ||
Line 113: | Line 100: | ||
<li><translate><!--T:47--> Click the '''Login''' button or press '''Enter''' to authenticate the user to the SEP sesam Server and open the SEP sesam GUI.</translate></li></ol> | <li><translate><!--T:47--> Click the '''Login''' button or press '''Enter''' to authenticate the user to the SEP sesam Server and open the SEP sesam GUI.</translate></li></ol> | ||
{{ | {{Note|<translate><!--T:49--> The user authentication certificate can also be specified when starting the SEP sesam Administrator GUI using the {{Path|<nowiki>-z <absolute path of the user authentication certificate file></nowiki>}} parameter. If the authentication is successful, the login dialog will not be displayed and the GUI will open immediately.</translate>}} | ||
===={{anchor|Web_UI}}<translate><!--T:50--> | |||
Authentication in the Web UI==== | |||
<!--T:51--> | <!--T:51--> | ||
Line 121: | Line 109: | ||
<ol><li><translate><!--T:52--> Enter the administrator username.</translate></li> | <ol><li><translate><!--T:52--> Enter the administrator username.</translate></li> | ||
<li><translate><!--T:53--> Use the ''Choose File'' button to select the user authentication certificate file from your computer.</translate></li> | <li><translate><!--T:53--> Use the ''Choose File'' button to select the user authentication certificate file from your computer.</translate></li> | ||
<translate><!--T:54--> [[Image: | <translate><!--T:54--> [[Image:Authentication_via_certificate_Web_UI_Jaglion.jpg|450px|link=]]</translate> | ||
<br clear=all> | <br clear=all> | ||
<li><translate><!--T:55--> Click the '''Sign in''' button or press '''Enter''' to authenticate the user to the SEP sesam Server and open the [[Special:MyLanguage/SEP_sesam_Glossary#SEP_sesam_web_UI|SEP sesam Web UI]].</translate></li></ol> | <li><translate><!--T:55--> Click the '''Sign in''' button or press '''Enter''' to authenticate the user to the SEP sesam Server and open the [[Special:MyLanguage/SEP_sesam_Glossary#SEP_sesam_web_UI|SEP sesam Web UI]].</translate></li></ol> | ||
===={{anchor|CLI}}<translate><!--T:56--> | |||
Authentication in the SEP sesam CLI==== | |||
<!--T:57--> | <!--T:57--> | ||
Line 131: | Line 120: | ||
sm_cmd ... -U <translate><!--T:58--> <user name></translate> -z <translate><!--T:59--> <absolute path of the user authentication certificate file></translate> ... | sm_cmd ... -U <translate><!--T:58--> <user name></translate> -z <translate><!--T:59--> <absolute path of the user authentication certificate file></translate> ... | ||
=={{anchor|custom_certificate}}<translate><!--T:60--> | |||
Replacing the self-signed certificate with a custom user authentication server certificate== | |||
<!--T:61--> | <!--T:61--> | ||
Line 149: | Line 139: | ||
<translate><!--T:68--> To verify that the correct ''root user authentication certificate'' is used, in the ''sm_gui_server.log'' look for a line that reads:</translate> | <translate><!--T:68--> To verify that the correct ''root user authentication certificate'' is used, in the ''sm_gui_server.log'' look for a line that reads:</translate> | ||
Enabling certificate-based user authentication using root certificate file <translate><!--T:69--> | Enabling certificate-based user authentication using root certificate file <translate><!--T:69--> | ||
<absolute path of the certificate file used> | <absolute path of the certificate file used></translate> | ||
<noinclude>{{Copyright}}</noinclude> | |||
<noinclude> | |||
Latest revision as of 09:31, 11 April 2023
As of SEP sesam v. 5.0.0 Jaglion, if database-based authentication is enabled, it is possible to authenticate users via a signed certificate instead of using a username and password.
Configuring authentication using a signed certificate
Configuring authentication with a signed certificate requires superuser privileges. You have to create a user authentication certificate and assign it to a user account. The easiest way is to use the SEP sesam GUI, where the certificate is automatically created and assigned to a user account. Optionally, you can also create and assign a certificate manually, but this requires additional steps.
Then the user can authenticate via the certificate in one of the SEP sesam interfaces (SEP sesam GUI, SEP sesam Web UI, SEP sesam CLI).
Creating a user authentication certificate in the GUI
In the SEP sesam GUI, you can easily set a user authentication certificate that is automatically created and assigned to a user.
- From the SEP sesam GUI menu bar, select Configuration ‐> Permission Management.
- Double-click the user for whom you want to create a user authentication certificate. In the new window Change User click New.
- Select a folder on your computer where you want to save the certificate and click Save. The certificate and thumbprint are created automatically.
- In both open dialogs, click OK to set the certificate.
Creating a user authentication certificate manually
Optionally, you can also create and assign a user authentication certificate manually. This procedure involves the following steps:
- A user creates a user authentication certificate signing request (CSR) and sends it to an administrator with superuser privileges.
- The superuser (system administrator) signs the certificate.
- The superuser then assigns the certificate to a user account.
- For LDAP/AD based authentication, the administrator binds the certificate to the user in LDAP/AD. For instructions refer to the corresponding LDAP/AD server documentation.
Creating a user authentication certificate signing request (user side)
Note | |
The private key must be in PKCS8 format. If you have a key in another format, you need to convert it to PKCS8 first. For this you can use the openssl utility.
|
If you already have an SSL private key that you want to create a certificate for, skip step 1 and go to step 2.
- Create a new private key as follows:
- Create a certificate signing request (CSR) from the private key:
- Send the CSR to your system administrator.
openssl genrsa -out <key name>.key
openssl req -new -key <key name>.key -out <key name>.csr
Signing the user authentication certificate (by a user with superuser privileges)
- Navigate to the directory where you placed the user CSR file and sign the CSR with the REST server user authentication certificate:
- Get the thumbprint of the signed user authentication certificate:
- Send the user authentication certificate (crt) back to the user.
openssl x509 -trustout -days <days> -req -signkey <SESAM_VAR>/ini/ssl/sesam.auth.key -in <key name>.csr -out <key name>.crt
Note | |
In SEP sesam v. < 5.0.0 Jaglion, the REST server user authentication certificate signing key is named sesam.gui.key. |
openssl x509 -noout -fingerprint -sha1 -inform pem -in <key name>.crt
Assigning the user authentication certificate to a user account (by a user with superuser rights)
To assign the user authentication certificate to a user account, do the following:
- From the SEP sesam GUI menu bar, select Configuration ‐> Permission Management.
- Double-click the user account to which a user authentication certificate should be assigned. The new window Change User opens.
- Click the + (plus) button and enter or paste the user authentication certificate thumbprint in the Add Thumbprint window.
- In both open dialogs, click OK to add the certificate to the Certificate Thumbprints list.
Using the user authentication certificate for authentication (user side)
A user obtains the authentication certificate from the administrator (with superuser privileges) and must store it in a location that is readable only by the user. Once this is done, the user should be able to authenticate via the certificate using one of the SEP sesam interfaces (SEP sesam GUI, SEP sesam Web UI, SEP sesam CLI) as described below.
Authentication in the GUI
To authenticate via a certificate in the GUI, proceed as follows:
- Start the SEP sesam GUI as administrator and verify that the user name is correct.
- Use the Browse button to select the user authentication certificate or enter the absolute path to the user authentication certificate file in the Certificate file field.
- Click the Login button or press Enter to authenticate the user to the SEP sesam Server and open the SEP sesam GUI.
Note | |
The user authentication certificate can also be specified when starting the SEP sesam Administrator GUI using the -z <absolute path of the user authentication certificate file> parameter. If the authentication is successful, the login dialog will not be displayed and the GUI will open immediately.
|
Authentication in the Web UI
To authenticate via a certificate in the Web UI, proceed as follows:
- Enter the administrator username.
- Use the Choose File button to select the user authentication certificate file from your computer.
- Click the Sign in button or press Enter to authenticate the user to the SEP sesam Server and open the SEP sesam Web UI.
Authentication in the SEP sesam CLI
To authenticate using a certificate in the SEP sesam CLI, use the following command line options:
sm_cmd ... -U <user name> -z <absolute path of the user authentication certificate file> ...
Replacing the self-signed certificate with a custom user authentication server certificate
As soon as the REST server starts, it generates a self-signed user authentication server certificate and private key. Normally, these are sufficient to enable the certificate-based user authentication described above.
However, a server administrator (superuser) may want to replace the self-signed certificate with the official company certificate (root user authentication certificate) signed by a publicly trusted certificate authority (CA). If you want to use the certificate and the private key as root user authentication certificate, add both to the <SESAM_VAR>/ini/ssl
and name the files sesam.auth.crt (certificate) and sesam.auth.key (private key).
In this case, the REST server will perform the following on startup to find the root user authentication certificate:
- If a certificate and associated private key are specified via command line options (
[-Z|--sesamUserSslCertificate] <absolute file name certificate>, [-K|--sesamUserSslPrivateKey> <absolute file name private key>
), it attempts to use the specified files. - If the variable gv_ro_ssl_auth is present in sm.ini (PATHES section), this location is probed next using the default file names.
- If the variable gv_ro_ssl is present in sm.ini (PATHES section), this location is checked next using the default file names.
- Looks at the default location using the default file names (default location =
<SESAM_VAR>/ini/ssl
, default file names = sesam.auth.crt, sesam.auth.key).
To verify that the correct root user authentication certificate is used, in the sm_gui_server.log look for a line that reads:
Enabling certificate-based user authentication using root certificate file <absolute path of the certificate file used>