Setting Up Client Certificate Authentication for LiveContent S1000D

Perform these steps to implement client certificate authentication for LiveContent S1000D.

Before you begin

LiveContent S1000D must be configured for HTTPS.

Procedure

  1. Open the wietmsd_prg.xml file for editing.
  2. Set the value for the app.keystore_location configuration item to the keystore where the client certificate will be stored, as in the following example.
    <configitem name="app.keystore_location">
         <value>./etc/clientkey/clientkeystore</value>
    </configitem>
    The entire certificate chain must be added at the path defined by the app.keystore_location configuration item.
  3. Set the value for the app.keystore_password configuration item to the keystore password from the client certificate, as in the following example.
    <configitem name="app.keystore_password">
         <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
    </configitem>
  4. Set the value for the app.manager_password configuration item to the manager password from the client certificate, as in the following example.
    <configitem name="app.manager_password">
         <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
    </configitem>
  5. Add the following section to the file to configure logins.
    <!-- set up for client certificate authentication -->
    <configitem name="app.clientKeystore_location">
        <value>./etc/clientkey/clientkeystore</value>
    </configitem>
    <configitem name="app.client_certificate_required">
        <comment>Default is false, 1 is true</comment>
        <value>1</value>
    </configitem>
    <configitem name="app.administrator_only_login">
        <comment>To allow the administrator user to use the login screen, this must be set to 1</comment>
        <value>1</value>
    </configitem>
    <configitem name="app.admin_keyvalue">
        <comment>Can be any value allowed in the query string, such as 1=1 or a=b. Used only when the item above is set to 1</comment>
        <comment>The query string must include this value (case-sensitive), for example ?target=main&amp;action=col_win&amp;test=admin&amp;id=987654321</comment>
        <value>test=admin</value>
    </configitem>
  6. Optionally, modify the java.msg.deny_access item (which stores the access denial message) in the appropriate language resource (.prop) file(s) in the ...FullSupport/etc/config directory.
  7. Save and close the wietmsd_prg.xml file.
  8. For each LiveContent S1000D user, do the following.
    1. Obtain and install a public key certificate in the client browser, unless the public key certificate is provided another way, such as through a smartcard plugin.
    2. Configure the user's LiveContent S1000D user name to match the Common Name (CN) in the certificate. The default user name length is 30 characters. If longer user names are required, modify the following file to increase the user name length: \LiveContent\etc\skins\Carbom\templates\user_dlg.html
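
The settings from steps 2 to 5 and the user name rule from step 8 can be checked with a small linter. This is an added example, not code from the product or its documentation; the `<config>` root element, the sample values, the function names, reporting a password that lacks the OBF: prefix, and the exact case-sensitive CN comparison are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's items inside a hypothetical <config> root,
# with three deliberate mistakes for the linter to report.
SAMPLE = """<config>
 <configitem name="app.keystore_location"><value>./etc/clientkey/clientkeystore</value></configitem>
 <configitem name="app.keystore_password"><value>changeit</value></configitem>
 <configitem name="app.manager_password"><value>OBF:placeholder</value></configitem>
 <configitem name="app.clientKeystore_location"><value>./etc/clientkey/clientkeystore</value></configitem>
 <configitem name="app.client_certificate_required"><value>0</value></configitem>
 <configitem name="app.administrator_only_login"><value>1</value></configitem>
 <configitem name="app.admin_keyvalue"><value></value></configitem>
</config>"""

REQUIRED = ("app.keystore_location", "app.keystore_password", "app.manager_password",
            "app.clientKeystore_location", "app.client_certificate_required")

def lint_config(xml_text):
    """Return findings for the client certificate settings from steps 2 to 5."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # For example, a comment that is never closed with "-->".
        return [f"not well-formed XML: {exc}"]
    items = {ci.get("name"): (ci.findtext("value") or "").strip()
             for ci in root.iter("configitem")}
    findings = [f"{n}: missing or empty" for n in REQUIRED if not items.get(n)]
    if items.get("app.client_certificate_required", "") not in ("", "1"):
        findings.append("app.client_certificate_required: not 1, certificates not required")
    for n in ("app.keystore_password", "app.manager_password"):
        if items.get(n) and not items[n].startswith("OBF:"):
            findings.append(f"{n}: not in the OBF: form shown on the page")
    if items.get("app.administrator_only_login") == "1" and not items.get("app.admin_keyvalue"):
        findings.append("app.admin_keyvalue: empty while administrator_only_login is 1")
    return findings

def username_findings(users, max_len=30):
    """Step 8.2: users maps each user name to the CN of that user's certificate."""
    out = []
    for name, cn in users.items():
        if name != cn:  # assumption: exact, case-sensitive match
            out.append(f"{name}: does not match certificate CN {cn!r}")
        if len(cn) > max_len:
            out.append(f"{name}: CN is {len(cn)} characters, over the default {max_len}")
    return out

if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```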