Using Digital Client Certificates with Strategi

Product: Strategi
Modified Date:


With Digital Client Certificates, Strategi system administrators can augment their authentication scheme so that user identity is far more certain than in simple user name and password scenarios. Digital Client Certificates are based on public/private key pairs which a user can store on a PC, floppy disk, smart card, or other media. For more information on how Public Key Cryptography works, visit Thawte's website.

Support for Client Certificate authentication is fully integrated into the Strategi webserver and needs only an appropriate license and a little setup. Setting the system up to use Certificates is easy.

System Setup

Before Strategi can use Digital Client Certificates, a few small changes and additions to the Strategi environment must be made.

Prerequisites
Support for Digital Client Certificates is a licensed feature; therefore a proper license key must be installed before Certificates will work. Contact your ADVANCED BusinessLink sales contact for pricing information. Once the license has been purchased, BusinessLink Technical Support will provide the proper licensing key.

Also note that SSL usage is implied by Certificate usage, because Digital Client Certificates will not work without SSL. See Tech Support Bulletin SEC004 for information on installing SSL.

Website Changes
Once the proper license key has been installed, you must configure your Strategi website to listen on port 444, which is the port used for Digital Certificate authenticated HTTP communication. To do this:
  • Go to the Strategi menu (GO STRATEGI/SGI)
  • Select "Work with Websites"
  • Use option "2" to change the "DEFAULT" website
  • Set the "Secure HTTP" and "Certificate HTTP" parameters to "*HTTP". This means Strategi will listen for these types of connections on the same address as that set for normal HTTP.
  • Hit the F10 key. The port options will appear. Ensure that HTTP is set to 80, Secure HTTP to port 443, and Certificate HTTP to 444.
  • Hit Enter.
In order for your users' Certificate information to become available to you for approval, there must be a way for you not only to receive this information, but to tie it to a Strategi user. This is done by creating a "Certificate Acquisition Zone", which will be the first page your user visits with their new Certificate. It requires a login as well as a Digital Client Certificate, so that the two pieces of information (Strategi User and Certificate information) can be tied together for approval.
  • From within "Work with Websites", use option "12" against the "DEFAULT" website to work with this website's zones
  • Use F6 to create a new zone. Specify "CERT" for the name of the zone, "/cert" for the subdirectory, "*BASIC" for the authentication requirements, and "40" for the SSL minimum key length. After hitting Enter once, you will be asked for the Digital Certificate requirement. Enter "*YES".
  • Now you will need to create a "homepage.htm" within the CERT zone. The best way to do this is by using Strategi Webmaster (for instructions on how to use Webmaster, see the Strategi Webmaster Implementation technical support bulletin). This page will likely never be seen when going to the "/cert" directory; it is a placeholder that allows the user to request the "/cert" directory without failing because no file exists. In the end they will see a page relating to whether or not their certificate has been acquired. More on this later in the document...
  • Restart Strategi
Your system is now ready to support Digital Client Certificates.

Using Digital Client Certificates

User Creation
Digital Client Certificates are generally named in "Firstname Lastname" format. It is *CRITICAL* that the Strategi user name match the Digital Certificate name. Therefore, when creating a user who will use Certificates, the Strategi user name will need to be in "Firstname Lastname" format. Also, depending on whether you intend the user to always use Certificates, SSL, or other combinations, you may want to change the SSLRQD and CTFRQD parameters. Finally, you will need to set the Strategi user to the *CERTWAIT state. This can be done by using option "13" against the Strategi user in the "Work with Strategi Users" screen.

Getting a Digital Client Certificate
Your user will now need to purchase a Digital Client Certificate. They can visit Thawte's website, or another reputable Certificate vendor, to purchase one. Once they have purchased the Certificate, it will need to be installed in the browser of their choice. The email sent by Thawte with the Certificate will include instructions on how to do this, or in some cases the Certificate will be installed automatically immediately after ordering.

Other sorts of Digital Certificates may install to smart cards or other media. These will include further instructions on use.

Certificate Acquisition
Now that your user has a Certificate from a certificate vendor, they must submit their information to you, and tie that information to their Strategi user. This will be done by visiting your website's "/cert" directory (for instance "https://www.yourwebaddress.com:444/cert"). When they do so, they will be prompted to select a Digital Certificate from a list of Certificates installed on the browser. After selecting their Certificate, they will be asked to log in with their Strategi user.

Once this is done, they will be sent to a Strategi webpage saying that their certificate details have been captured and that their Strategi user is awaiting administrative approval.

Approving a User's Certificate Information
This Strategi user will now be in a state of "*PENDING" instead of "*CERTWAIT". You will want to inspect the Certificate Information of the Strategi user before enabling them. To do this, take option "8" against the Strategi user in "Work with Strategi Users" to look at their user attributes. The CTF group of attributes contains the Certificate information for this user. Depending on the level of verification required, you might simply verify their name, or you might verify every detail. Once you are satisfied this is indeed a valid match, use option "11" against the user to change their status to "*ENABLED".
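The acquisition and approval steps above, modelled as an added Python example (this is not Strategi code; the CTF attribute keys, the sample user, issuer and dates are constructed): the /cert zone captures certificate details only when both a login and a certificate are present, and the administrator's checks gate the change from *PENDING to *ENABLED.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample of the CTF attribute group an administrator would inspect
# with option "8"; the attribute keys are assumptions, not Strategi's real names.
SAMPLE_CTF = {"CTFNAME": "Jane Doe",
              "CTFISSUER": "Thawte Personal Freemail CA",
              "CTFVALIDTO": date(2005, 6, 30)}
EXPIRED_CTF = dict(SAMPLE_CTF, CTFVALIDTO=date(2003, 12, 31))
TODAY = date(2004, 1, 1)           # constructed "today" for the worked example

@dataclass
class StrategiUser:
    name: str                      # must be "Firstname Lastname", same as the cert
    status: str = "*CERTWAIT"      # set by the administrator with option "13"
    ctf: dict = field(default_factory=dict)

def acquire_certificate(user, login_ok, ctf):
    """Model of the /cert zone: it requires BOTH a successful login and a
    presented certificate, then captures the CTF details and moves the user
    from *CERTWAIT to *PENDING. Returns True when the capture happened."""
    if not login_ok or not ctf or user.status != "*CERTWAIT":
        return False
    user.ctf = dict(ctf)
    user.status = "*PENDING"
    return True

def approval_problems(user, trusted_issuers, today):
    """Checks an administrator should make before using option "11" to
    change the user to *ENABLED. Returns a list of reasons to refuse."""
    problems = []
    if user.status != "*PENDING":
        problems.append(f"user is {user.status}, not *PENDING")
    if len(user.name.split()) < 2:
        problems.append("user name is not in 'Firstname Lastname' format")
    if user.ctf.get("CTFNAME") != user.name:
        problems.append("certificate name does not match Strategi user name")
    if user.ctf.get("CTFISSUER") not in trusted_issuers:
        problems.append("certificate issuer is not a trusted vendor")
    valid_to = user.ctf.get("CTFVALIDTO")
    if valid_to is None or valid_to < today:
        problems.append("certificate is missing an expiry date or has expired")
    return problems

def approve(user, trusted_issuers, today):
    """Option "11" as modelled here: enable only when every check passes."""
    problems = approval_problems(user, trusted_issuers, today)
    if not problems:
        user.status = "*ENABLED"
    return problems
```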

Day to Day Certificate Usage
From now on, if your user wants to access an authenticated zone or use the Strategi java emulation applet, they must use their Certificate. If the zone requires only SSL and authentication, then they need only request it, and they will be redirected in such a way as to require Certificate usage. If the zone requires only authentication, then they must specify "https" and append ":444" to the domain name, e.g. "https://www.yourcompany.com:444/whatever/zone/directory".

** End of Technical Support Bulletin **