Setting Up Client Certificate Authentication for LiveContent S1000D
Perform these steps to implement client certificate authentication for LiveContent S1000D.
Before you begin
Procedure
- Open the wietmsd_prg.xml file for editing.
- Set the value of the app.keystore_location configuration item to the keystore in which the client certificate is stored, as in the following example. The entire certificate chain must be present in the keystore at the path defined by app.keystore_location.

  ```xml
  <configitem name="app.keystore_location">
    <value>./etc/clientkey/clientkeystore</value>
  </configitem>
  ```

- Set the value of the app.keystore_password configuration item to the password of that keystore, as in the following example.

  ```xml
  <configitem name="app.keystore_password">
    <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
  </configitem>
  ```

- Set the value of the app.manager_password configuration item to the manager password associated with the client certificate, as in the following example.

  ```xml
  <configitem name="app.manager_password">
    <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
  </configitem>
  ```

  Values prefixed with OBF: are obfuscated, not encrypted: the encoding is a fixed, keyless transform that anyone who can read the file can reverse. Restrict read access to wietmsd_prg.xml to the account that runs the service.

- Add the following section to the file to configure logins.

  ```xml
  <!-- set up for client certificate authentication -->
  <configitem name="app.clientKeystore_location">
    <value>./etc/clientkey/clientkeystore</value>
  </configitem>
  <configitem name="app.client_certificate_required">
    <comment>Default is false, 1 is true</comment>
    <value>1</value>
  </configitem>
  <configitem name="app.administrator_only_login">
    <comment>To allow the administrator user to use the login screen, this must be set to 1</comment>
    <value>1</value>
  </configitem>
  <configitem name="app.admin_keyvalue">
    <comment>Can be anything as long as the query string is allowed, like 1=1, a=b, etc. Used only when the above item is set to 1</comment>
    <comment>The query string has to include this value, case-sensitive, like ?target=main&action=col_win&test=admin&id=987654321</comment>
    <value>test=admin</value>
  </configitem>
  ```

  Note: The values for app.clientKeystore_location and app.keystore_location can be the same or can define separate keystores. Replace the example app.admin_keyvalue value test=admin with a value of your own; it is compared case-sensitively.

- Optionally, change the access denial message by modifying the java.msg.deny_access item in the appropriate language resource (.prop) file(s) in the ...FullSupport/etc/config directory.
- Save and close the wietmsd_prg.xml file.
- For each LiveContent S1000D user, do the following.
  - Obtain and install a public key certificate in the client browser, unless the certificate is provided another way, such as through a smartcard plugin.
  - Configure the user's LiveContent S1000D user name to match the Common Name (CN) in the certificate. The default maximum user name length is 30 characters; if longer user names are required, modify the file \LiveContent\etc\skins\Carbom\templates\user_dlg.html to increase the limit.
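The OBF: values in the procedure above are obfuscated, not encrypted: the encoding is a keyless, reversible transform, so anyone who can read wietmsd_prg.xml can recover the cleartext passwords. The following Python script is an added illustration, not part of LiveContent S1000D: it implements that transform in both directions and pulls every OBF: value out of a constructed configuration fragment (the root element name config and the fragment layout are assumptions; the two configitem elements are copied from this page). Run it and the example value from this page decodes to the string password.

```python
"""OBF: password obfuscation as used in wietmsd_prg.xml (added example, not project code)."""
import xml.etree.ElementTree as ET

_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _base36(n: int) -> str:
    """Lower-case base-36 encoding of a non-negative integer."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
    return "".join(reversed(digits))


def obfuscate(plain: str) -> str:
    """Encode a password the way the OBF: scheme does.

    Each byte is paired with its mirror byte from the other end of the string and
    the pair is written as a 4-character base-36 group; bytes >= 0x80 use a
    5-character group prefixed with 'U'. No key or salt is involved.
    """
    data = plain.encode("utf-8")
    n = len(data)
    groups = []
    for i, b1 in enumerate(data):
        b2 = data[n - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:
            x = _base36(b1 * 256 + b2)
            groups.append("U" + "0" * (4 - len(x)) + x)
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            x = _base36(i1 * 256 + i2)
            groups.append("0" * (4 - len(x)) + x)
    return "OBF:" + "".join(groups)


def deobfuscate(value: str) -> str:
    """Recover the cleartext from an OBF: value; no secret is needed."""
    s = value[4:] if value.startswith("OBF:") else value
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i += 1
            out.append(int(s[i:i + 4], 36) >> 8)   # high byte is the original byte
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)       # i1 + i2 == 254 + 2 * b1
        i += 4
    return out.decode("utf-8")


# Constructed sample: the two password items from the procedure, wrapped in an
# assumed <config> root (the real file's root element is not shown on the page).
SAMPLE_CONFIG = """<config>
  <configitem name="app.keystore_password">
    <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
  </configitem>
  <configitem name="app.manager_password">
    <value>OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</value>
  </configitem>
</config>"""


def reveal_passwords(xml_text: str) -> dict:
    """Return {configitem name: cleartext} for every OBF: value in the fragment."""
    root = ET.fromstring(xml_text)
    found = {}
    for item in root.iter("configitem"):
        value = item.findtext("value", default="").strip()
        if value.startswith("OBF:"):
            found[item.get("name")] = deobfuscate(value)
    return found


if __name__ == "__main__":
    for name, clear in reveal_passwords(SAMPLE_CONFIG).items():
        print(f"{name}: {clear}")
```

Because the transform needs no key, the only protection for these values is the file system: treat wietmsd_prg.xml as you would a cleartext credential file.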
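Matching user names to the certificate CN is easier to get wrong than it looks: a subject such as CN=Doe\, Jane,O=Example contains an escaped comma, a certificate may carry zero or several CN attributes, and a CN longer than the 30-character default cannot be used until user_dlg.html is changed. The following Python helper is an added example, not LiveContent code: it parses an RFC 4514 subject string, requires exactly one non-empty CN, and checks the length limit before the name is configured. The subject strings in the tests are constructed samples.

```python
"""Map a client certificate's subject CN to a LiveContent user name (added example)."""
import string

MAX_USERNAME_LEN = 30  # default limit stated in the procedure (user_dlg.html)


def parse_dn(dn: str) -> list:
    """Split an RFC 4514 string DN into (TYPE, value) pairs.

    Honours backslash escapes ("\\," keeps a comma inside a value) and two-digit
    hex escapes ("\\2C"); '+' separates attributes of a multi-valued RDN.
    """
    pairs = []
    attr_type, buf = None, []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in string.hexdigits for c in nxt):
                buf.append(chr(int(nxt, 16)))   # single-byte hex escape such as \2C
                i += 3
            else:
                buf.append(dn[i + 1:i + 2])     # escaped literal: \, \+ \" \\
                i += 2
            continue
        if attr_type is None and ch == "=":
            attr_type = "".join(buf).strip().upper()
            buf = []
        elif attr_type is not None and ch in ",+":
            pairs.append((attr_type, "".join(buf).strip()))
            attr_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr_type is not None:
        pairs.append((attr_type, "".join(buf).strip()))
    return pairs


def check_cn_username(dn: str, max_len: int = MAX_USERNAME_LEN):
    """Return (True, user_name) if the CN can be used verbatim as the LiveContent
    S1000D user name, otherwise (False, reason)."""
    cns = [v for t, v in parse_dn(dn) if t == "CN"]
    if len(cns) != 1:
        return False, f"expected exactly one CN in {dn!r}, found {len(cns)}"
    cn = cns[0]
    if not cn:
        return False, "empty CN"
    if len(cn) > max_len:
        return False, f"CN {cn!r} is {len(cn)} characters; the user name limit is {max_len}"
    return True, cn


if __name__ == "__main__":
    # Constructed subjects, not taken from any real certificate.
    for subject in (
        "CN=Jane Doe,OU=Tech Pubs,O=Example Corp,C=US",
        "CN=Doe\\, Jane,O=Example Corp",
        "CN=" + "a" * 31 + ",O=Example Corp",
        "OU=Tech Pubs,O=Example Corp",
    ):
        print(subject, "->", check_cn_username(subject))
```

Configure the user name only when the check returns True, using the returned string exactly; the page says the name must match the CN, and any normalisation applied here (trimming surrounding whitespace) is an assumption to review against your deployment.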