Product Documentation

1— Introduction

This guide walks you through the steps to configure SKSO with TLS Client Authentication.


2— Prerequisite

The following are required to follow this guide:

  • Access to strongauth account on the VMs where SKSO is installed.

  • Root/Subordinate CA certificates from your PKI, which will be used to verify client certificates.

  • An end-entity (client) certificate to access SKSO after the TLS Client Auth setup is complete.


3— Steps

  1. SSH into the SKSO VM as the strongauth user.

  2. Import the trusted Root/Subordinate certificates of the end-entity certificates into the Payara cacerts.p12 TrustStore file in the config directory. Run the following command for the Root certificate and for each Subordinate certificate (if any), using a different alias for each.


    $ keytool -import -keystore /usr/local/strongauth/payara6/glassfish/domains/domain1/config/cacerts.p12 -file <certificate-filename>.pem -alias <alias-name-for-the-certificate>


  3. Create a SKSO BCFKS TrustStore for the trusted Root/Subordinate certificates that SKSO will use to perform PKIX validation.


    $ keytool -importcert -file <certificate-file>.pem -keystore skso-truststore.bcfks -alias <alias-name-for-the-certificate> -storetype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /usr/local/strongauth/lib/bc-fips-1.0.2.3.jar


    When you run this command, keytool will prompt for the password to protect this truststore; use any password you choose. Keep a note of the password and of the location of the generated truststore, because both are needed for the configuration properties in step 5.


  4. Enable TLS Client Auth for http-listener-2 in Payara configuration by running the following command.


    $ asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-2.ssl.client-auth-enabled=true


  5. Configure the SKSO properties to enable TLS Client Authentication:

    Enable PKIX client certificate validation by setting the skso.cfg.property.pkix.clientauth property to true. Point SKSO at the PKIX TrustStore you created in step 3 by setting the skso.cfg.property.pkix.truststore.location property to its path, and supply that TrustStore's password in the skso.cfg.property.pkix.truststore.password property.

    Following are all the TLS Client Auth related properties:


    # Should perform Client Auth Certificate PKIX Validation
    skso.cfg.property.pkix.clientauth=false
    
    # Truststore for PKIX validation
    skso.cfg.property.pkix.truststore.location=/usr/local/strongauth/skso/etc/skso-truststore.bcfks
    
    # Truststore password for PKIX validation
    skso.cfg.property.pkix.truststore.password=changeit
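Before restarting SKSO after step 5, it is worth confirming that the three pkix properties are consistent with each other: client auth switched on, the BCFKS truststore from step 3 actually present at the configured path, and the truststore password changed from the shipped default shown in the listing above. The following POSIX shell script is an added example and not part of the SKSO product; it assumes the properties are stored in a key=value file of the format shown above and that the file path is passed as the first argument (the default path in the script is an assumption).

```shell
#!/bin/sh
# Added example (not SKSO code): sanity-check the TLS Client Auth properties
# in a skso.cfg-style key=value file before restarting the service.

# get_prop FILE KEY
# Prints the value of KEY; '#' comment lines are ignored and the last
# occurrence of the key wins, which mirrors how later overrides usually apply.
get_prop() {
    grep -v '^[[:space:]]*#' "$1" | grep "^${2}=" | tail -n 1 | cut -d= -f2-
}

# check_clientauth_config FILE
# Returns 0 only when pkix.clientauth is true, the configured truststore
# file exists, and the truststore password is non-empty and not "changeit"
# (the default value in the property listing). One line is printed per finding.
check_clientauth_config() {
    cfg="$1"
    rc=0
    clientauth=$(get_prop "$cfg" skso.cfg.property.pkix.clientauth)
    location=$(get_prop "$cfg" skso.cfg.property.pkix.truststore.location)
    password=$(get_prop "$cfg" skso.cfg.property.pkix.truststore.password)

    if [ "$clientauth" != "true" ]; then
        echo "FAIL: skso.cfg.property.pkix.clientauth is '${clientauth:-unset}', expected true"
        rc=1
    fi
    if [ -z "$location" ] || [ ! -f "$location" ]; then
        echo "FAIL: PKIX truststore '${location:-unset}' does not exist"
        rc=1
    fi
    if [ -z "$password" ] || [ "$password" = "changeit" ]; then
        echo "FAIL: PKIX truststore password is empty or still the default 'changeit'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: TLS Client Auth properties are consistent"
    fi
    return "$rc"
}

# Usage: sh check-clientauth.sh /path/to/skso.cfg
# The default path below is an assumption; adjust it to your installation.
if [ -n "${1:-}" ]; then
    check_clientauth_config "$1"
fi
```

Run it against the properties file you edited in step 5; a non-zero exit with one or more FAIL lines tells you which of the three settings still needs attention before the restart.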