Using Digital Client Certificates with Strategi
Product: Strategi
Modified Date:
With Digital Client Certificates, Strategi system administrators can augment their
authentication scheme so that user identity is far more certain than in simple user name and
password scenarios. Digital Client Certificates are public/private key pairs which a user can
store on a PC, floppy disk, smart card, or other media. For more information on how
Public Key Cryptography works, visit Thawte's website.

Support for Client Certificate authentication is fully integrated into the Strategi webserver, and needs only an appropriate license and a little setup to be used. Setting the system up to use Certificates is easy. Before Strategi can use Digital Client Certificates, a few small changes and additions to the Strategi environment must be made.

Prerequisites

Support for Digital Client Certificates is a licensed feature, so a proper license key must be installed before Certificates will work. Contact your ADVANCED BusinessLink sales contact for pricing information. Once the license has been purchased, BusinessLink Technical Support will provide the proper licensing key. Also note that SSL usage is implied by Certificate usage, because Digital Client Certificates will not work without SSL. See Tech Support Bulletin SEC004 for information on installing SSL.

Website Changes

Once the proper license key has been installed, you must configure your Strategi website to listen on port 444, which is the port used for Digital Certificate authenticated HTTP communication. To do this:
User Creation

Digital Client Certificates are generally named in "Firstname Lastname" format. It is *CRITICAL* that the Strategi user name match the Digital Certificate name. Therefore, when creating a user who is intended to use Certificates, the Strategi user name will need to be in "Firstname Lastname" format. Also, depending on whether you intend the user to always use Certificates, SSL, or other combinations, you may want to change the SSLRQD and CTFRQD parameters. Finally, you will need to set the Strategi user to the *CERTWAIT state. This can be done by using option "13" against the Strategi user in the "Work with Strategi Users" screen.

Getting a Digital Client Certificate

Your user will now need to purchase a Digital Client Certificate. They can visit Thawte's website, or another reputable Certificate vendor, to purchase one. Once they have purchased the Certificate, it will need to be installed in the browser of choice. The email sent by Thawte with the Certificate will include instructions on how to do this, or in some cases the Certificate will be installed automatically immediately after ordering. Other sorts of Digital Certificates may install to smart cards or other media; these will include further instructions on use.

Certificate Acquisition

Now that your user has a Certificate from a certificate vendor, they must submit their information to you so that it can be tied to their Strategi user. This is done by visiting your website's "/cert" directory (for instance "https://www.yourwebaddress.com:444/cert"). When they do so, they will be prompted to select a Digital Certificate from the list of Certificates installed in the browser. After selecting their Certificate, they will be asked to log in with their Strategi user. Once this is done, they will be sent to a Strategi webpage saying that their certificate details have been captured and that their Strategi user is awaiting administrative approval.
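The enrolment flow just described, together with the administrator's approval step in the next section, modelled as an added example that is not Strategi's own code. The user states (*CERTWAIT, *PENDING, *ENABLED) and the rule that the Strategi user name must match the certificate name come from the bulletin; the CTF field names, the expiry check and the function names are assumptions.

```python
# Added example, not Strategi's own code: models the certificate enrolment workflow.
# States and the name-match rule come from the bulletin; the CTF field names,
# the expiry check and the function names are assumptions.
from dataclasses import dataclass, field
from datetime import date

CERTWAIT, PENDING, ENABLED = "*CERTWAIT", "*PENDING", "*ENABLED"


@dataclass
class StrategiUser:
    name: str                 # must be in "Firstname Lastname" format
    status: str = CERTWAIT    # set with option "13" before enrolment
    ctf: dict = field(default_factory=dict)   # captured certificate details


def normalize(name: str) -> str:
    """Collapse whitespace and case so 'jane  doe' matches 'Jane Doe'."""
    return " ".join(name.split()).casefold()


def submit_certificate(user: StrategiUser, subject_cn: str, issuer: str, not_after: str) -> bool:
    """The /cert step: a *CERTWAIT user presents a certificate and logs in.
    Details are captured into the CTF group and the user becomes *PENDING."""
    if user.status != CERTWAIT:
        return False
    user.ctf = {"subject_cn": subject_cn, "issuer": issuer, "not_after": not_after}
    user.status = PENDING
    return True


def approve_certificate(user: StrategiUser, today: str, strict: bool = True) -> bool:
    """Administrator's option "11": enable only after inspecting the CTF details.
    The name match is always required; strict mode also rejects an expired
    certificate (an assumed extra check for 'verify every detail')."""
    if user.status != PENDING:
        return False
    if normalize(user.ctf.get("subject_cn", "")) != normalize(user.name):
        return False        # stays *PENDING; a name mismatch is never enabled
    if strict and date.fromisoformat(user.ctf["not_after"]) < date.fromisoformat(today):
        return False
    user.status = ENABLED
    return True


def certificate_url(host: str, path: str) -> str:
    """URL a user must request for an authentication-only zone: https on port 444."""
    return f"https://{host}:444/{path.lstrip('/')}"
```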
Approving a User's Certificate Information

This Strategi user will now be in the "*PENDING" state instead of "*CERTWAIT". You will want to inspect the Certificate Information of the Strategi user before enabling them. To do this, take option "8" against the Strategi user in "Work with Strategi Users" to look at their user attributes. The CTF group of attributes contains the Certificate information for this user. Depending on the level of verification required, you might simply verify their name, or you might verify every detail. Once you are satisfied that this is indeed a valid match, use option "11" against the user to change their status to "*ENABLED".

Day to Day Certificate Usage

From now on, if your user wants to access an authenticated zone or use the Strategi Java emulation applet, they must use their Certificate. If the zone requires both SSL and authentication, they need only request it, and they will be redirected in such a way as to require Certificate usage. If the zone requires only authentication, they must specify "https" as well as include ":444" after the domain name, e.g. "https://www.yourcompany.com:444/whatever/zone/directory".

** End of Technical Support Bulletin **