Documentation Center

Setting Up Client Certificate Authentication for LiveContent S1000D

Perform these steps to implement client certificate authentication for LiveContent S1000D.

Before you begin

The LiveContent S1000D must be configured for HTTPS.

Procedure

  1. Open the wietmsd_prg.xml file for editing.
  2. Set the value for the app.keystore_location configuration item to the keystore where the client certificate will be stored, as in the following example.
    <configitem name="app.keystore_location">
         <value>./etc/clientkey/clientkeystore</value>
    </configitem>
    The entire certificate chain must be added at the path defined by the app.keystore_location configuration item.
  3. Set the value for the app.keystore_password configuration item to the keystore password from the client certificate, as in the following example.
    <configitem name="app.keystore_password">
         <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
    </configitem>
  4. Set the value for the app.manager_password configuration item to the manager password from the client certificate, as in the following example.
    <configitem name="app.manager_password">
         <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
    </configitem>
  5. Add the following section to the file to configure logins.
    <!-- set up for client certificate authentication -->
    <configitem name="app.clientKeystore_location">
        <value>./etc/clientkey/clientkeystore</value>
    </configitem>
    <configitem name="app.client_certificate_required">
        <comment>Default is false, 1 is true</comment>
        <value>1</value>
    </configitem>
    <configitem name="app.administrator_only_login">
        <comment>To allow administrator user to use login screen, these must be set to 1</comment>
        <value>1</value>
    </configitem>
    <configitem name="app.admin_keyvalue">
        <comment>Can be anything as long as the query string is allowed, like 1=1, a=b, etc. Used only when the above item is set to 1</comment>
        <comment>The query string has to include this value, case-sensitive, like ?target=main&amp;action=col_win&amp;test=admin&amp;id=987654321</comment>
        <value>test=admin</value>
    </configitem>
  6. Optionally, modify the java.msg.deny_access item (which stores the access denial message) in the appropriate language resource (.prop) file(s) in the ...FullSupport/etc/config directory.
  7. Save and close the wietmsd_prg.xml file.
  8. For each LiveContent S1000D user, do the following.
    1. Obtain and install a public key certificate in the client browser.
    2. Configure the user's LiveContent S1000D user name to match the Common Name (CN) in the certificate.
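
The settings from steps 2 through 5 can be checked after the file is saved. The following Python script is an added example, not vendor code: it parses the configitem elements and reports values that disagree with the procedure. The `<config>` root element, the constructed plain-text password `changeit`, and the choice to report a password value that lacks the `OBF:` prefix are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <config> root is an assumption; the configitem
# names and values are the ones shown in the procedure above.
GOOD = """<config>
<configitem name="app.keystore_location"><value>./etc/clientkey/clientkeystore</value></configitem>
<configitem name="app.keystore_password"><value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value></configitem>
<configitem name="app.manager_password"><value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value></configitem>
<configitem name="app.clientKeystore_location"><value>./etc/clientkey/clientkeystore</value></configitem>
<configitem name="app.client_certificate_required"><value>1</value></configitem>
<configitem name="app.administrator_only_login"><value>1</value></configitem>
<configitem name="app.admin_keyvalue"><value>test=admin</value></configitem>
</config>"""

# Constructed misconfiguration: plain-text keystore password, certificates not required, empty key value.
BAD = (GOOD.replace("OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v", "changeit", 1)
           .replace('required"><value>1', 'required"><value>0')
           .replace("test=admin", ""))

def audit(xml_text):
    """Return a list of findings; an empty list means the settings agree with the procedure."""
    root = ET.fromstring(xml_text)
    items = {i.get("name"): (i.findtext("value") or "").strip()
             for i in root.iter("configitem")}
    findings = []
    for key in ("app.keystore_location", "app.clientKeystore_location"):
        if not items.get(key):
            findings.append(f"{key} is missing or empty")
    for key in ("app.keystore_password", "app.manager_password"):
        value = items.get(key, "")
        if not value:
            findings.append(f"{key} is missing or empty")
        elif not value.startswith("OBF:"):  # assumption: only the OBF: form is acceptable
            findings.append(f"{key} is not in the OBF: form used in the procedure")
    if items.get("app.client_certificate_required") != "1":
        findings.append("app.client_certificate_required is not 1, so certificates are not required")
    if items.get("app.administrator_only_login") == "1":
        name, sep, value = items.get("app.admin_keyvalue", "").partition("=")
        if not (name and sep and value):
            findings.append("app.admin_keyvalue must be a name=value pair such as test=admin")
    return findings

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(text) or "no findings")
```

To check a real installation, pass the contents of wietmsd_prg.xml to `audit()` instead of the constructed samples.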