RSA ClearTrust Ready Implementation Guide For Certificate Authority Products


4 Dec 2013 (3 years and 7 months ago)


Last Modified December 22, 2003
1. Partner Information
Partner Name: Microsoft Corporation
Web Site:
Product Name: Windows Server 2003 Certificate Services
Version & Platform: Windows Server 2003
Product Description: Certificate Services provides customizable services for issuing and
managing certificates that are used in software security systems that employ public key
technology. Certificate Services is available on computers running Microsoft® Windows® Server
2003, Standard Edition; Microsoft® Windows® Server 2003, Enterprise Edition; and Microsoft®
Windows® Server 2003, Datacenter Edition.
Product Category: Public Key Infrastructure (PKI)

2. Contact Information
Sales contact:
Support Contact:


3. Integration Overview
To use Microsoft CA certificates with RSA ClearTrust, the RSA ClearTrust Web Agent is installed and
configured on Microsoft Internet Information Services (IIS). IIS is then configured to request a client
certificate from those users who are accessing IIS resources. The ClearTrust Web Agent is then
configured to use certificate authentication to provide authorization and web access management for
web-based resources.
4. Product Requirements
Hardware and Software Requirements
For a complete list of hardware and software requirements, and a comprehensive list of
prerequisite checklists to complete before deploying Microsoft Certification Authorities (CAs) and a
public key infrastructure (PKI), see the Windows Server 2003 Certificate Services documentation.

5. Product Configuration
Configuration Prerequisites
Certificate authentication in the RSA ClearTrust Web Agent 4.5 for Microsoft IIS supports X.509
certificates for authentication, such as those issued by the RSA Keon Certificate Authority or
Microsoft Certificate Services. For more information on configuring IIS 6.0 to use certificate
authentication, see "About Certificates" in IIS 6.0 Help, which is accessible from IIS Manager.
Note: Whenever a user's certificate DN is entered into RSA ClearTrust, make sure that the DN
entry is in the following format: CN=gpinto,OU=ssg,O=bigcorp,L=chennai,ST=tamil
You must have the web server's own (identity) certificate and the CA root certificate installed on
the IIS web server. See the IIS 6 documentation for details on how to do this. Note also that before
you can enable RSA ClearTrust Certificate authentication, you must configure IIS6 to require client
certificates.
Configuring the IIS Web Server to Use Certificates
Before you can enable RSA ClearTrust Certificate authentication, you must configure IIS6 to
require client certificates. To do this, perform the following steps:
1. Open Microsoft IIS Manager, right-click on the Web Site you wish to configure (Default
Web Site, for example), and select Properties.
2. Select the Directory Security tab to access the Secure Communications dialog at the
bottom of the page:

3. Select Edit to bring up the Secure Communications dialog box:

4. Select the Require client certificates radio button and click OK. For information on
configuring other options on this screen such as 128-bit encryption or client certificate
mapping, please consult the IIS6 documentation.
Configuring RSA ClearTrust Certificate Authentication
To configure the RSA ClearTrust Web Agent 4.5 for Microsoft IIS to use certificate authentication,
perform the following steps:
1. Ensure that IIS6 is properly requesting client certificates as described above.
2. Define which resources require Certificate authentication, and specify CERTIFICATE for
those resources in webagent.conf. See the .auth_resource_list and .default_auth_mode
parameter definitions in webagent.conf for more information.
3. Configure your client machines for certificates. The user must be issued a browser
certificate or personal certificate from the CA, which must then be installed and configured
in the browser. See your Internet Explorer documentation for details.
4. The distinguished name (DN) of the client-side certificate must match the DN in the user's
account in the RSA ClearTrust data store. The dn parameter in ldap.conf specifies the LDAP
attribute that stores the user's certificate DN.
5. If the user entry DN in the LDAP directory is not the same as the DN of the user's browser
certificate, change the LDAP attribute from dn to ctscUserDN, or to another modifiable
attribute in your user object class. In Active Directory, in order for Certificate authentication
to work, the selected or added attribute must have a syntax type of "Unicode String" or
"Directory String". Also note that it is necessary to set the corresponding parameter in
webagent.conf.
For Microsoft Active Directory: Note that the DN value specified absolutely must be valid within
the DIT, due to the directory's active maintenance of referential integrity. According to Microsoft
documentation, "If the referenced object is renamed or moved, Active Directory ensures that the
attribute reflects the change. If the attribute is reset with a new DN, the attribute is referenced to the
object represented by the new DN." See the DN mapping parameters in the Servers Installation
and Configuration Guide for more information.
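The DN match in steps 4 and 5 is a string comparison, so the value stored in the directory has to be spelled exactly the way the note in the Configuration Prerequisites shows it. The following Python is an added example, not code from the RSA guide or from ClearTrust: it canonicalises a certificate subject DN into that form and compares it with the directory attribute value. It assumes ClearTrust does a literal string match, that input arrives either as an RFC 4514 string (commas, optional spaces) or in OpenSSL's slash-separated one-line form, and that the hypothetical _TYPE_ALIASES table (S for stateOrProvinceName, long OpenSSL attribute names) covers the spellings your tooling emits. The sample DNs are constructed from the guide's example user.

```python
"""Canonicalise X.509 subject DNs into the single string form the guide says
RSA ClearTrust entries must use (CN=gpinto,OU=ssg,O=bigcorp,L=chennai,ST=tamil)
and compare a presented certificate's DN with the value stored in the user's
directory attribute.

Added example; not code from the RSA guide or from ClearTrust. Assumptions:
  * ClearTrust matches the DN as a string: leaf-first RDN order, commas, no
    spaces around them, attribute types spelled as in the guide's example;
  * input arrives either as an RFC 4514 string (commas, optional spaces) or
    in OpenSSL's one-line slash form (/ST=tamil/.../CN=gpinto, root-first);
  * _TYPE_ALIASES is our own table: 'S' is how Windows CryptoAPI spells
    stateOrProvinceName, the long names are what some OpenSSL configs emit.
"""

# Attribute-type spellings folded into the short forms used in the guide.
_TYPE_ALIASES = {
    "S": "ST", "STATEORPROVINCENAME": "ST", "COMMONNAME": "CN",
    "ORGANIZATIONALUNITNAME": "OU", "ORGANIZATIONNAME": "O",
    "LOCALITYNAME": "L", "COUNTRYNAME": "C",
}


def _split_unescaped(text, sep):
    """Split on sep, ignoring separators that are backslash-escaped or sit
    inside a double-quoted value (both are legal RFC 4514 escaping styles).
    Escapes are kept verbatim so the output is still a valid DN string."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn, root_first=None):
    """Return the DN as a leaf-first list of (TYPE, value) tuples.

    root_first=None picks the order from the syntax (slash form is root-first,
    comma form leaf-first); pass True/False when the source tool differs."""
    dn = dn.strip()
    if dn.startswith("/"):                       # OpenSSL legacy one-line form
        items = [p for p in _split_unescaped(dn[1:], "/") if p]
        root_first = True if root_first is None else root_first
    else:                                        # RFC 4514 / LDAP form
        items = _split_unescaped(dn, ",")
        root_first = False if root_first is None else root_first
    rdns = []
    for item in items:
        if "=" not in item:
            raise ValueError("RDN without '=': %r" % item)
        attr_type, value = item.split("=", 1)
        attr_type = attr_type.strip().upper()
        rdns.append((_TYPE_ALIASES.get(attr_type, attr_type), value.strip()))
    return list(reversed(rdns)) if root_first else rdns


def cleartrust_dn(dn, root_first=None):
    """Render a DN exactly as the guide requires it to be entered in ClearTrust."""
    return ",".join("%s=%s" % rdn for rdn in parse_dn(dn, root_first))


def dn_matches(cert_subject, stored_value, cert_root_first=None, stored_root_first=None):
    """True when certificate subject and directory attribute denote the same DN.
    Values are compared byte-for-byte: the guide describes a literal match, so
    case differences inside values are deliberately not folded away."""
    return (cleartrust_dn(cert_subject, cert_root_first)
            == cleartrust_dn(stored_value, stored_root_first))


if __name__ == "__main__":
    # Constructed sample data: the guide's example user as three tools print it.
    ldap_value = "CN=gpinto,OU=ssg,O=bigcorp,L=chennai,ST=tamil"
    from_openssl = "/ST=tamil/L=chennai/O=bigcorp/OU=ssg/CN=gpinto"
    from_cryptoapi = "CN=gpinto, OU=ssg, O=bigcorp, L=chennai, S=tamil"
    for shown in (from_openssl, from_cryptoapi):
        print("%-55s -> %s  match=%s" % (shown, cleartrust_dn(shown),
                                         dn_matches(shown, ldap_value)))
    # A value stored root-first looks plausible but will never match as-is.
    stored_wrong_way = "ST=tamil,L=chennai,O=bigcorp,OU=ssg,CN=gpinto"
    print(dn_matches(from_openssl, stored_wrong_way),
          dn_matches(from_openssl, stored_wrong_way, stored_root_first=True))
```

The root-first/leaf-first distinction is the one that bites in practice: a DN copied from OpenSSL's legacy output or from a directory browser that lists RDNs from the root down looks correct but never matches, which is why parse_dn makes the order explicit rather than guessing it from the content.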
Important: IIS Web Server maintains certificates in memory until the session is closed. If a user
logs out but does not close the browser, the user may be able to access resources without re-
authenticating. If you use certificate authentication on IIS Web Server, you should use form-based
authentication and have the logout form close the browser instance.
End-User Experience
When a user accesses a ClearTrust-protected resource, they will be prompted by IIS6 to present
their client certificate:

If the user's certificate is valid and the user is entitled to the resource in the RSA ClearTrust
system, access is granted.

If the user’s certificate has been revoked by a Microsoft CA Administrator, and the corresponding
CRL has been updated, they will see the following error message (The page requires a valid SSL
client certificate):

If a user presents a valid end-entity certificate that has not been revoked, but they are not entitled
to access the resource in the RSA ClearTrust system, they will see the following ClearTrust
Access Denied message:
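The three outcomes above, together with the untrusted-certificate case from the certification checklist, modelled in Python as an added example that is not code from the RSA guide, IIS or ClearTrust. It needs the third-party cryptography package; the CA, the look-alike rogue CA, the client certificates, the CRL and the hypothetical entitled_dns set standing in for the ClearTrust data store's decision are all constructed test data. The ordering mirrors the guide: IIS rejects an untrusted, expired or revoked certificate before the ClearTrust Web Agent ever evaluates entitlement.

```python
"""Gates a client certificate passes before ClearTrust decides entitlement:
IIS rejects certificates not issued by a trusted CA, outside their validity
period, or listed on the CA's CRL; only then does the ClearTrust Web Agent
check whether the DN is entitled to the resource.

Added example, not code from the RSA guide, IIS or ClearTrust; needs the
third-party 'cryptography' package. The CA, client certificates, CRL and the
hypothetical entitled_dns set are constructed test data.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC, DAY = datetime.timezone.utc, datetime.timedelta(days=1)

def _name(cn):
    # DER (root-first) order; Name.rfc4514_string() renders it leaf-first,
    # CN=...,OU=ssg,O=bigcorp,L=chennai,ST=tamil, the form the guide requires.
    return x509.Name([x509.NameAttribute(oid, val) for oid, val in (
        (NameOID.STATE_OR_PROVINCE_NAME, "tamil"), (NameOID.LOCALITY_NAME, "chennai"),
        (NameOID.ORGANIZATION_NAME, "bigcorp"), (NameOID.ORGANIZATIONAL_UNIT_NAME, "ssg"),
        (NameOID.COMMON_NAME, cn))])

def _new_cert(subject, issuer, signer_key, is_ca, days):
    """Fresh RSA key plus certificate; signer_key=None self-signs (a CA)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + days * DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key or key, hashes.SHA256()))
    return key, cert

def make_ca(cn):
    return _new_cert(_name(cn), _name(cn), None, True, 365)

def issue_client_cert(ca_key, ca_cert, cn):
    """End-entity certificate signed by the CA, like a user's browser certificate."""
    return _new_cert(_name(cn), ca_cert.subject, ca_key, False, 30)[1]

def make_crl(ca_key, ca_cert, revoked_serials):
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                                  .serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())

def _validity(cert):
    # *_utc properties exist from cryptography 42.0; older releases give naive UTC.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def check_client_cert(cert, trusted_ca, crl, entitled_dns, now=None):
    """Return the outcome the user sees, in the order the checks happen."""
    now = now or datetime.datetime.now(UTC)
    # IIS: issuer name must be the trusted CA's AND the signature must verify
    # under its key; a rogue CA that copies the name fails the second test.
    if cert.issuer != trusted_ca.subject:
        return "denied: untrusted issuer"
    try:
        trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "denied: bad signature"
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return "denied: outside validity period"
    # IIS: the CRL must be the trusted CA's own before its entries count.
    if crl.issuer != trusted_ca.subject or not crl.is_signature_valid(trusted_ca.public_key()):
        return "denied: CRL not trustworthy"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "denied: certificate revoked"
    # ClearTrust: the DN string must be entitled to the resource.
    dn = cert.subject.rfc4514_string()
    return ("granted: %s" if dn in entitled_dns else "denied: not entitled (%s)") % dn

def run_demo():
    """One CA, a look-alike rogue CA, four client certificates, one CRL."""
    ca_key, ca_cert = make_ca("bigcorp CA")
    rogue_key, rogue_ca = make_ca("bigcorp CA")          # same name, other key
    good = issue_client_cert(ca_key, ca_cert, "gpinto")
    revoked = issue_client_cert(ca_key, ca_cert, "jdoe")
    stranger = issue_client_cert(ca_key, ca_cert, "nobody")
    forged = issue_client_cert(rogue_key, rogue_ca, "gpinto")
    crl = make_crl(ca_key, ca_cert, [revoked.serial_number])
    entitled = {"CN=gpinto,OU=ssg,O=bigcorp,L=chennai,ST=tamil",
                "CN=jdoe,OU=ssg,O=bigcorp,L=chennai,ST=tamil"}
    return {label: check_client_cert(cert, ca_cert, crl, entitled) for label, cert in
            (("good", good), ("revoked", revoked), ("stranger", stranger), ("forged", forged))}

if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print("%-8s %s" % (label, outcome))
```

Two details carry over to a real deployment. The revoked user is denied only because the CRL consulted is current; the guide's "corresponding CRL has been updated" condition is exactly the gap between revocation at the CA and the next CRL publication, during which IIS still accepts the certificate. And the forged certificate passes the issuer-name comparison, since the rogue CA copied the name, and is caught only by the signature check against the trusted CA's key, which is why trust must be anchored in the installed root certificate and never in the issuer DN alone.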

Using RSA ClearTrust Authentication with Microsoft IIS Authentication
Note the following regarding RSA ClearTrust Web Agent behavior if you are using Integrated
Windows Authentication (IWA) to protect resources on Microsoft IIS:
• Certificate or IWA authentication is always performed first, regardless of the listing order.
• Certificate and IWA authentication cannot be combined with each other, and cannot be
combined with other authentication types using the OR operator.
Protocol Transition with Certificate Authentication
Because protocol transition behaves differently with certificates, RSA Security recommends using
client-certificate mapping to achieve SSO into OWA using certificates as the authentication type.
Microsoft IIS allows administrators to map user certificates to user accounts in Active Directory as
part of IWA authentication. This achieves the same result as using protocol transition to access
OWA with the certificate authentication type, except that the ClearTrust session token
authentication bit is set to IWA instead of CERTIFICATE.
This can be done by enabling the Windows directory service mapper from the Directory
Security tab of the global Web Sites Properties in ISM (Internet Services Manager):

…or by enabling client certificate mapping on each individual web site.
See client-certificate mapping and Directory Service Mapper in your Microsoft documentation
for more information on how to do this.

6. Certification Checklist for Certificate Authority Products
Date Tested: December 22, 2003
Tested Versions:
RSA ClearTrust 5.5
RSA ClearTrust Agent 4.5
Microsoft Certificate Services, Windows Server 2003

Test Case                                                       Result
RSA ClearTrust Certificate Authentication
  Successful login for authorized user with valid certificate   P
  Access Denied for user with invalid/untrusted certificate     P
  Access Denied for unauthorized user with valid certificate    P
  Access Denied for user with revoked certificate               P

JEC  *P=Pass or Yes  F=Fail  N/A=Non-available function
7. Known Issues