Enabling CA Access Gateway (formerly Secure Proxy Server) to send client certificate for authentication to a backend server

Document ID : KB000046086
Last Modified Date : 14/02/2018

 

Introduction/Summary: 

 

The CA Access Gateway (formerly CA Secure Proxy Server) is used as a reverse proxy that connects users via the SPS to backend servers. The connections from the SPS to the backend servers are often over SSL (i.e. accessed using HTTPS), and the SPS may be required to present a client certificate to the backend server as part of the SSL handshake. This article shows how to set up the client SSL certificate in the SPS.

 

Background:  

 

The SPS may be required to authenticate to the backend server using a client X.509 certificate. To do this the SPS needs to store the client certificate and its private key securely and present them to the backend server when required.

 

Environment:  

 

All (Windows, Linux, Solaris)

 

Instructions: 

When the CA Access Gateway connects to a backend server, some configurations require not just an SSL connection but also that the SPS identifies itself with a client X.509 certificate. These instructions describe how to create and install that client certificate.

The requirements are mostly spelt out in the server.conf file:

# SSL client authentication is enabled.
# Location of the Key file : <install-dir>\SSL\clientcert\key\
# Location of public certs : <install-dir>\SSL\clientcert\certs\
# NOTE: Only put DER encoded, password encrypted pkcs8 keyfile.
# Client pass phrase should be encrypted using EncryptUtil tool.

 

The points to take away are:

- Both the cert and the keyfile need to be DER encoded.
- The keyfile has to be DER encoded and encrypted (it cannot be in the clear).
- The SPS searches the clientcert/certs directory and loads all certs it finds there.

 

Here are the steps:

Create the Cert Request

cd <install-dir>\SSL

..\bin\openssl req -out client2-CSR.csr -new -newkey rsa:2048 -nodes -keyout client2-privateKey.key -config ..\bin\openssl.cnf

 

Sign the Request

 

For this you send the request to the Certificate Authority, which signs it and sends you back the certificate.

Generally, for testing purposes, your IT department will have some process for creating "test" certificates.

In my case I have a small test CA (a small batch file) that can do it and gives me a client2-CERT.pem.

(Check what you get: sometimes the file has a .cer extension but the content is actually base64-encoded PEM.)

 

Convert cert to DER encoding

..\bin\openssl x509 -in client2-Cert_x509.pem -out client2-Cert_x509.cer -outform der

 

Convert private key to encrypted PKCS#8 DER encoding (openssl prompts for an encryption pass phrase; this is the same pass phrase you encrypt with EncryptUtil later for ClientPassPhrase):

..\bin\openssl.exe pkcs8 -in client2-privateKey.key -topk8 -v2 des3 -out client2-privateKey-DER.key -outform DER

 


Put files in right location:

     Place DER encoded client cert in :  <install-dir>\SSL\clientcert\certs\

            client-Cert_x509.cer

 

     Place encrypted DER encoded private key in :  <install-dir>\SSL\clientcert\key\

            client2-privateKey-DER.key
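Before restarting, it is worth checking that the two files you placed actually meet the server.conf rules (DER X.509 cert, DER-encoded and encrypted PKCS#8 key, no PEM masquerading as .cer). The following is an added stdlib-only Python checker, not part of this article or the SPS product; it inspects the outer ASN.1 structure of each file, and the sample byte strings at the bottom are constructed placeholders, not real keys or certificates.

```python
def _tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify(data: bytes) -> str:
    """Return 'pem', 'der-x509', 'der-encrypted-pkcs8', 'der-clear-key' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                       # base64 PEM, even when the extension is .cer
    try:
        tag, body, _ = _tlv(data)
        kids, pos = [], 0
        while pos < len(body):             # tags of the outer SEQUENCE's direct children
            t, _, pos = _tlv(body, pos)
            kids.append(t)
    except IndexError:
        return "unknown"                   # truncated or not DER at all
    if tag == 0x30 and kids == [0x30, 0x30, 0x03]:   # Certificate: tbs, sigAlg, signature BIT STRING
        return "der-x509"
    if tag == 0x30 and kids == [0x30, 0x04]:         # EncryptedPrivateKeyInfo: AlgorithmIdentifier, OCTET STRING
        return "der-encrypted-pkcs8"
    if tag == 0x30 and kids[:1] == [0x02]:           # PrivateKeyInfo / RSAPrivateKey start with INTEGER version
        return "der-clear-key"
    return "unknown"

def sps_problems(cert: bytes, key: bytes) -> list:
    """Rule violations for a cert/key pair; an empty list means the files satisfy the server.conf notes."""
    problems = []
    if classify(cert) != "der-x509":
        problems.append("cert must be DER X.509: openssl x509 -in cert.pem -out cert.cer -outform der")
    kind = classify(key)
    if kind != "der-encrypted-pkcs8":
        problems.append(f"key is {kind}; it must be encrypted PKCS#8 DER: openssl pkcs8 -topk8 -v2 des3 -outform DER")
    return problems

# Constructed samples: structurally valid DER with dummy payloads, not real keys or certificates.
def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

_PBES2 = _der(0x06, bytes.fromhex("2A864886F70D01050D"))                    # OID 1.2.840.113549.1.5.13
_RSA = _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b"")     # rsaEncryption, NULL params
ENC_KEY = _der(0x30, _der(0x30, _PBES2 + _der(0x30, b"")) + _der(0x04, b"\xaa" * 200))
CLEAR_KEY = _der(0x30, _der(0x02, b"\x00") + _der(0x30, _RSA) + _der(0x04, b"\xbb" * 200))
DER_CERT = _der(0x30, _der(0x30, b"\xcc" * 300) + _der(0x30, _RSA) + _der(0x03, b"\x00" + b"\xdd" * 256))
```

To check your real files, read them in binary mode and call sps_problems(cert_bytes, key_bytes); a key that still classifies as der-clear-key is the "in the clear" case the server.conf note forbids.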

 

Generate the encrypted password for the server.conf file (EncryptUtil produces a different string each time it is run, so paste the value from your own run rather than the example shown here):

cd <install-dir>\SSL\bin
EncryptUtil.bat password

Encrypted string: U2FsdGVkX18VcMWDmBEJG7CL2edypl03V6Ig1F3gON4=

   

Modify the server.conf file:

    ClientKeyFile="client2-privateKey-DER.key"
    ClientPassPhrase=U2FsdGVkX1+wxoEp8DCUZ6/pcaHpitr6v88GproScgQ=

 

Restart the SPS and check the server.log file.

All being well, you should see the following (note that the decrypted pass phrase is written to server.log in clear text, so restrict access to the log file accordingly):

[17/Mar/2016:00:43:54-948] [INFO] - NoodleFileKeyStore.java : Loading 1 root certificates.
[17/Mar/2016:00:43:54-980] [INFO] - NoodleFileKeyStore.java : Successfully loaded keyfile.
[17/Mar/2016:00:43:54-995] [INFO] - Password is password
[17/Mar/2016:00:43:54-995] [INFO] - loaded priv key
[17/Mar/2016:00:43:55-433] [INFO] - RSASSLConfig.java : Successfully loaded keystore.

 

The client and CA Certificate that were generated and used in this example are attached to this document. 

 

Additional Information:

Java SE Debugging SSL/TLS Connections
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

 

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

 

Details about SSL/TLS
https://en.wikipedia.org/wiki/Transport_Layer_Security

 

Test Certificate Authority I used to sign the certificates
https://jamielinux.com/docs/openssl-certificate-authority/index.html

 

 

File Attachments:
TEC1059255.zip