Setting Up Client Certificate Authentication for LiveContent S1000D
Perform these steps to implement client certificate authentication for LiveContent S1000D.
Before you begin
Procedure
- Open the wietmsd_prg.xml file for editing.
- Set the value of the app.keystore_location configuration item to the keystore where the client certificate will be stored, as in the following example. The entire certificate chain must be added at the path defined by the app.keystore_location configuration item.

    <configitem name="app.keystore_location">
        <value>./etc/clientkey/clientkeystore</value>
    </configitem>

- Set the value of the app.keystore_password configuration item to the keystore password for the client certificate, as in the following example.

    <configitem name="app.keystore_password">
        <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
    </configitem>

- Set the value of the app.manager_password configuration item to the manager password for the client certificate, as in the following example.

    <configitem name="app.manager_password">
        <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
    </configitem>

- Add the following section to the file to configure logins.

    <!-- set up for client certificate authentication -->
    <configitem name="app.clientKeystore_location">
        <value>./etc/clientkey/clientkeystore</value>
    </configitem>
    <configitem name="app.client_certificate_required">
        <comment>Default is false, 1 is true</comment>
        <value>1</value>
    </configitem>
    <configitem name="app.administrator_only_login">
        <comment>To allow the administrator user to use the login screen, this must be set to 1</comment>
        <value>1</value>
    </configitem>
    <configitem name="app.admin_keyvalue">
        <comment>Can be anything as long as the query string is allowed, like 1=1, a=b, etc. Used only if the above item is set to 1</comment>
        <comment>The query string has to include this value, case-sensitive, like ?target=main&action=col_win&test=admin&id=987654321</comment>
        <value>test=admin</value>
    </configitem>

  Note: The values for app.clientKeystore_location and app.keystore_location can be the same or can define separate keystores.
- Optionally, modify the java.msg.deny_access item (which stores the access denial message) in the appropriate language resource (.prop) file(s) in the ...FullSupport/etc/config directory.
- Save and close the wietmsd_prg.xml file.
- For each LiveContent S1000D user, do the following.
  - Obtain and install a public key certificate in the client browser.
  - Configure the user's LiveContent S1000D user name to match the Common Name (CN) in the certificate.
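As an added example (not part of this documentation or of the product), the following Python script checks the configuration items from the procedure above before the server is restarted, and shows what the OBF: form of a password does and does not protect. It assumes that the OBF: prefix is Jetty's reversible password obfuscation (the sample value on this page decodes with that algorithm), wraps the constructed wietmsd_prg.xml fragment in a hypothetical <config> root element, and uses only the item names given on this page.

```python
"""Lint the client-certificate settings of a wietmsd_prg.xml fragment.

Added example; OBF: handling follows Jetty's password obfuscation, which is
an assumption about the product, not something the documentation states.
"""
import xml.etree.ElementTree as ET

OBF_PREFIX = "OBF:"
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    digits = ""
    while n:
        n, r = divmod(n, 36)
        digits = BASE36[r] + digits
    return digits or "0"


def obfuscate(password: str) -> str:
    """Produce the OBF: value for a password (Jetty scheme, assumed).

    Every byte is paired with its mirror byte and packed into a base-36 word,
    so the text is hidden from a casual glance but nothing is secret.
    """
    data = password.encode("utf-8")
    out = [OBF_PREFIX]
    for i, b1 in enumerate(data):
        b2 = data[-(i + 1)]
        if b1 >= 0x80 or b2 >= 0x80:          # non-ASCII bytes use the 'U' form
            out.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            out.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)


def deobfuscate(value: str) -> str:
    """Reverse obfuscate(); demonstrates that OBF: is encoding, not encryption."""
    s = value[len(OBF_PREFIX):] if value.startswith(OBF_PREFIX) else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            out.append((int(s[i + 1:i + 5], 36) >> 8) & 0xFF)
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append(((i1 + i2 - 254) // 2) & 0xFF)   # recovers the original byte
            i += 4
    return out.decode("utf-8")


def parse_configitems(xml_text: str) -> dict:
    """Map every <configitem name=...> to the text of its <value>."""
    items = {}
    for item in ET.fromstring(xml_text).iter("configitem"):
        value = item.find("value")
        items[item.get("name")] = (value.text or "").strip() if value is not None else ""
    return items


def check_client_cert_config(items: dict) -> list:
    """Return human-readable findings; an empty list means the settings are coherent."""
    findings = []
    if not items.get("app.keystore_location"):
        findings.append("app.keystore_location is not set")
    if not items.get("app.clientKeystore_location"):
        findings.append("app.clientKeystore_location is not set")
    if items.get("app.client_certificate_required") != "1":
        findings.append("app.client_certificate_required is not 1: client certificates stay optional")
    if items.get("app.administrator_only_login") == "1" and not items.get("app.admin_keyvalue"):
        findings.append("app.administrator_only_login is 1 but app.admin_keyvalue is empty")
    for name in ("app.keystore_password", "app.manager_password"):
        value = items.get(name, "")
        if not value:
            findings.append(f"{name} is empty")
        elif not value.startswith(OBF_PREFIX):
            findings.append(f"{name} is stored in clear text; use the OBF: form")
    return findings


# Constructed fragment with deliberate mistakes; <config> is a hypothetical root.
SAMPLE_CONFIG = """<config>
  <configitem name="app.keystore_location"><value>./etc/clientkey/clientkeystore</value></configitem>
  <configitem name="app.keystore_password"><value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value></configitem>
  <configitem name="app.manager_password"><value>secret</value></configitem>
  <configitem name="app.clientKeystore_location"><value>./etc/clientkey/clientkeystore</value></configitem>
  <configitem name="app.client_certificate_required"><value>0</value></configitem>
  <configitem name="app.administrator_only_login"><value>1</value></configitem>
  <configitem name="app.admin_keyvalue"><value></value></configitem>
</config>"""

if __name__ == "__main__":
    print("OBF value for 'password':", obfuscate("password"))
    for finding in check_client_cert_config(parse_configitems(SAMPLE_CONFIG)):
        print("-", finding)
```

Running the script reports three findings for the constructed fragment: certificates are not required, the administrator-only login has no key value, and app.manager_password is in clear text. Because the OBF: form round-trips back to the original password, the protection for the keystore and manager passwords comes from the file permissions on wietmsd_prg.xml and the keystore directory, not from the encoding.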