Enabling dynamic X.509 certificates
Some content providers such as Microsoft SharePoint offer authentication and authorization on the basis of X.509 client certificates. To enable single sign-on integration of such content providers via Nevis, the nevisProxy offers dynamic generation of client certificates. The client certificate is not statically configured, but bound to a user session. In other words, a distinct user session will have a distinct TLS session.
Configuration
The following sections describe how the involved components (nevisProxy, nevisAuth and Content Provider) have to be configured to enable dynamic generation of client certificates.
nevisProxy
For nevisProxy, configure an TLS-enabled content provider using an HttpsConnectorServlet with the 'SSLDynamicClientCertificate' set to 'true'.
<servlet>
<servlet-name>DynCertContentConnector</servlet-name>
<servlet-class>
ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet
</servlet-class>
<init-param>
<param-name>InetAddress</param-name>
<param-value>svappl.mycompany.com:44300</param-value>
</init-param>
<init-param>
<param-name>KeepAlive</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>SSLCache</param-name>
<param-value>session</param-value>
</init-param>
<init-param>
<param-name>SSLDynamicClientCertificate</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>SSLCACertificateFile</param-name>
<param-value>/var/spool/keybox/default/node_truststore.pem</param-value>
</init-param>
</servlet>
nevisAuth
The AuthState ‚DynCert' needs to be configured. For details, refer to the nevisAuth reference guide section „Dynamic X.509 Certificate Generation Plug-in", which also includes a configuration example.
Content provider
The content provider must be configured to:
- accept X.509 client certificate authentication
- trust certificates issued by the signer certificate configured in the DynCert auth state.
Performance considerations
Key pair generation is an expensive process. Make sure the machine on which nevisAuth is running possesses sufficient CPU resources.
It is possible to continuously generate key pairs in the background (property 'preComputeKeys') to already have the keys prepared when an authentication requires the generation of a certificate. Use of this feature is highly recommended.