Configuring client certificate authentication for SafeLinx Clients

You can configure an authentication profile that requires SafeLinx Clients to present X.509 certificates when they log in.

About this task

You can enable the SafeLinx Server to validate third-party X.509 certificates that SafeLinx Clients submit for authentication.

To require SafeLinx Clients to authenticate by submitting X.509 certificates, you create a certificate-based authentication profile, assign it to a connection profile, and then obtain and store the key certificates. You must obtain personal certificates for each SafeLinx Client. You must also store the signer certificate for the client certificates in a PKCS12 keystore file on the SafeLinx Server or on the remote directory server that is configured for authentication. For information about obtaining and storing certificates, see Managing certificates for HCL SafeLinx.

To create an authentication profile that requires SafeLinx Clients to present X.509 certificates when they log in, complete the following procedure.

Procedure

  1. From the SafeLinx Administrator Resources page, right-click the OU in which you want to create the authentication profile.
  2. Click Add Resource > Authentication profile > Certificate-based Authentication.
  3. From the Add a New Authentication Profile wizard, specify a common name for the profile and provide a description.
  4. On the next page, specify how you want to verify the client certificate authenticity by completing the following fields:
    Verify validity period
        Select this field if you want to check the dates on certificates to verify that they are not expired.

    Verify certificate issuer
        Select this field if you want to check certificates against the certificate authority (CA) information in the PKCS12 keystore file to verify that they were issued by legitimate CAs. If you select this option, you must also specify the following information:

        PKCS12 keystore file
            The name and path of the PKCS12 keystore file that is stored on the SafeLinx Server.
        Keystore password
            The password for the PKCS12 keystore file.
        Directory containing certificate revocation lists
            The name and path of the directory on the SafeLinx Server that contains certificate revocation lists (CRLs). If you do not specify a valid directory, CRL validation does not work.

    Verify certificate subject attributes
        Select this field to compare attributes in the subject key of certificates that SafeLinx Clients submit for authentication against user account records. If you select this option, you must also select a Validation method.

    Validation method
        The validation method specifies the source of the user account records that you want the authentication profile to use to verify information in certificate subjects. You can choose one of the following options:

        Verify user account attributes
            The authentication profile searches the local SafeLinx Server account database for attribute values that match the ones in the certificate. By default, this validation method searches for the DN attribute, but you can specify a different attribute. For more information about how to configure attribute matching, see Specifying the certificate user key and subject key attributes to search.
        Verify using directory server
            The authentication profile searches a configured directory server for a DN value that matches the one in the certificate. If you select this option, choose a directory from the Directory Server field.

    If you validate users through a directory server, you can configure the SafeLinx Server to check whether the matching user record is associated with any groups.
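
Before you point the profile at a keystore and CRL directory, you can rehearse the checks from step 4 with OpenSSL. The following script is an added example, not part of the HCL documentation or the SafeLinx product, and it does not claim to reproduce the server's own validation logic. It assumes OpenSSL 1.1.1 or later, PEM-encoded CRLs, and the keystore password in a KS_PASS environment variable; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not HCL code. Assumptions: OpenSSL 1.1.1+, PEM CRLs, and the
# keystore password in the KS_PASS environment variable (kept off the command
# line so it does not appear in process listings). Function names are made up.

# Extract the signer (CA) certificates from the PKCS12 keystore into a PEM
# file. Fails on a wrong password or a keystore that holds no certificate.
keystore_signers() {    # usage: keystore_signers KEYSTORE.p12 OUT.pem
    openssl pkcs12 -in "$1" -nokeys -passin env:KS_PASS -out "$2" 2>/dev/null &&
        grep -q 'BEGIN CERTIFICATE' "$2"
}

# Check a client certificate for validity period, issuer (against the keystore
# signers) and revocation (against every CRL found in the CRL directory).
# Returns 0 if all pass, 1 if the certificate is rejected, 2 if the CRL
# directory is missing or holds no parseable CRL.
client_cert_ok() {      # usage: client_cert_ok CLIENT.pem SIGNERS.pem CRL_DIR
    [ -d "$3" ] || { echo "CRL directory not found: $3" >&2; return 2; }
    crls=$(mktemp) || return 2
    for f in "$3"/*; do
        # Append only files that parse as a CRL; anything else is skipped.
        if [ -f "$f" ]; then openssl crl -in "$f" >>"$crls" 2>/dev/null || :; fi
    done
    rc=0
    if [ ! -s "$crls" ]; then
        echo "no usable CRL in $3" >&2; rc=2
    else
        # openssl verify checks dates and issuer; -crl_check adds revocation.
        openssl verify -CAfile "$2" -crl_check -CRLfile "$crls" "$1" \
            >/dev/null 2>&1 || rc=1
    fi
    rm -f "$crls"
    return "$rc"
}

# Print the subject DN in RFC 2253 form, for comparison with the DN held in
# the user account or directory record.
cert_subject_dn() {     # usage: cert_subject_dn CLIENT.pem
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
}
```

A return code of 2 from client_cert_ok points at the CRL directory rather than at the certificate, which is the case to rule out before enabling issuer verification.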