Setting Up Client Certificate Authentication for Contenta Web
After you configure Tomcat and the web server to support PKI authentication, Contenta Web and Contenta Server setup is required to implement client certificate authentication for Contenta Web or to .
About this task
Note: The desktop's External User Id and password must match the CN and password of its corresponding certificate. If the Contenta sysadmin desktop needs to be externally authenticated, use the setupexternaluserid utility to configure the External User Id(s) to match the user's LDAP user name(s). For further information about using the setupexternaluserid command, see Using the Setup External User ID utility.
Warning: Once assigned an external user ID, a desktop cannot be rolled back to use Contenta user/password authentication.
Procedure
- Change the value of the XYE_PDM_AUTHENTICATION system variable from its default of INTERNAL for Contenta Web and Contenta Server as follows:
  - In a Windows environment, set the value of XYE_PDM_AUTHENTICATION in the following registry keys:
    - Windows Contenta Web Registry Key: HKLM\Software\Wow6432Node\XyEnterprise\Content@\Web\Settings
    - Windows Contenta Server Registry Key: HKLM\Software\Wow6432Node\XyEnterprise\Content@ Server\3.0
    To implement client certificate authentication, set this value to EXTERNAL_CERT_AUTH. To implement client certificate authentication and configure the Contenta sysadmin desktop to use external authentication, set this value to EXTERNAL_CERT_LDAP_AUTH.
  - In a Linux environment, do one of the following:
    - Configure the cw.cshrc (Contenta Web) and pdm.cshrc (Contenta Server) files with one of the following values and re-source the files.
      - To implement client certificate authentication, set this value to EXTERNAL_CERT_AUTH.
      - To implement client certificate authentication and configure the Contenta sysadmin desktop to use external authentication, set this value to EXTERNAL_CERT_LDAP_AUTH.
    - Update the XYE_PDM_AUTHENTICATION key in unixuser.dat with one of the following values.
      - To implement client certificate authentication, set this value to EXTERNAL_CERT_AUTH.
      - To implement client certificate authentication and configure the Contenta sysadmin desktop to use external authentication, set this value to EXTERNAL_CERT_LDAP_AUTH.
      For example:
      ./fileregedit update "{Local Machine}" "/Software/XyEnterprise/Content@/Web/Settings" XYE_PDM_AUTHENTICATION STRING EXTERNAL_CERT_AUTH
- Configure the trust key between Contenta Server and Contenta Web by using the Contenta Password Manager utility (dbpwdmgr.exe) on both systems. For further information about the utility, see Using the Contenta Password Manager utility.
- Restart Apache HTTPD, Apache Tomcat, and Contenta Server for these changes to go into effect.
- For each Contenta Web desktop:
  - Obtain and install a public key certificate in the client browser.
  - Import the client certificate into the browser Java certificate store using the Java Control Panel.
  - Set the path to the login screen to the location of the CWSSOLogin.jsp form.
  - Configure the External User Id to match the user's Common Name (CN) in the certificate.
  You can use the setupexternaluserid utility to configure the User ID for each desktop. For more information, see Using the setupexternaluserid utility.
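A pre-restart check for the Linux cw.cshrc / pdm.cshrc option in the procedure above, written as an added example (not part of the product documentation or of Contenta itself). It assumes the files assign the variable with csh `setenv` syntax, and it treats a Web/Server mismatch as an error; the function names and sample files are constructed for illustration, and the unixuser.dat option is not covered.

```shell
#!/bin/sh
# Added example: check XYE_PDM_AUTHENTICATION in the Linux rc files.
# Assumption: each file sets it with csh syntax:
#   setenv XYE_PDM_AUTHENTICATION <value>

# Print the last value a csh rc file assigns (empty if never set).
# Commented-out lines are skipped: their first field is not "setenv".
pdm_auth_value() {
    awk '$1 == "setenv" && $2 == "XYE_PDM_AUTHENTICATION" { v = $3 }
         END { gsub(/"/, "", v); print v }' "$1"
}

# Exit status: 0 = both files agree on a certificate mode,
#              1 = both agree, but not on a certificate mode,
#              2 = Contenta Web and Contenta Server disagree.
check_pdm_auth() {
    web=$(pdm_auth_value "$1")   # cw.cshrc  (Contenta Web)
    srv=$(pdm_auth_value "$2")   # pdm.cshrc (Contenta Server)
    if [ "$web" != "$srv" ]; then
        echo "MISMATCH: web='${web:-unset}' server='${srv:-unset}'"
        return 2
    fi
    case "$web" in
        EXTERNAL_CERT_AUTH|EXTERNAL_CERT_LDAP_AUTH)
            echo "OK: $web"
            return 0 ;;
        *)
            echo "NOT CERT AUTH: '${web:-unset}' (default is INTERNAL)"
            return 1 ;;
    esac
}

# Constructed sample files (not taken from a real installation):
# Web was switched to certificate authentication, Server was forgotten.
demo=$(mktemp -d)
printf 'setenv XYE_PDM_AUTHENTICATION EXTERNAL_CERT_AUTH\n' > "$demo/cw.cshrc"
printf 'setenv XYE_PDM_AUTHENTICATION INTERNAL\n' > "$demo/pdm.cshrc"
check_pdm_auth "$demo/cw.cshrc" "$demo/pdm.cshrc" || echo "exit status $?"
rm -rf "$demo"
```

Run the check against the real cw.cshrc and pdm.cshrc before restarting Apache HTTPD, Apache Tomcat, and Contenta Server, so that a half-applied change is caught while it is still easy to correct.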