Version: 4.6.x.x LTS

Enabling dynamic X.509 certificates

Some content providers such as Microsoft SharePoint offer authentication and authorization on the basis of X.509 client certificates. To enable single sign-on integration of such content providers via Nevis, the nevisProxy offers dynamic generation of client certificates. The client certificate is not statically configured, but bound to a user session. In other words, a distinct user session will have a distinct TLS session.

Configuration

The following sections describe how the involved components (nevisProxy, nevisAuth and the content provider) have to be configured to enable dynamic generation of client certificates.

nevisProxy

For nevisProxy, configure a TLS-enabled content provider using an HttpsConnectorServlet with the init parameter 'SSLDynamicClientCertificate' set to 'true':

<servlet>
    <servlet-name>DynCertContentConnector</servlet-name>
    <servlet-class>
        ch::nevis::isiweb4::servlet::connector::http::HttpsConnectorServlet
    </servlet-class>
    <init-param>
        <param-name>InetAddress</param-name>
        <param-value>svappl.mycompany.com:44300</param-value>
    </init-param>
    <init-param>
        <param-name>KeepAlive</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>SSLCache</param-name>
        <param-value>session</param-value>
    </init-param>
    <init-param>
        <param-name>SSLDynamicClientCertificate</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>SSLCACertificateFile</param-name>
        <param-value>/var/spool/keybox/default/node_truststore.pem</param-value>
    </init-param>
</servlet>

nevisAuth

The AuthState 'DynCert' needs to be configured. For details, refer to the nevisAuth reference guide section "Dynamic X.509 Certificate Generation Plug-in", which also includes a configuration example.

Content provider

The content provider must be configured to:

  • accept X.509 client certificate authentication
  • trust certificates issued by the signer certificate configured in the DynCert auth state.
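As an added illustration (example code, not Nevis's own), the following Go program shows both halves of this contract: a per-session client certificate issued under a signer CA, and the check the content provider has to apply to it. The signer name, user name and validity period are constructed values; the program stands in for the DynCert plug-in and the content provider using only Go's standard library, and is not how either product is implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSigner builds a self-signed CA that stands in for the signer certificate
// configured in the DynCert auth state (name constructed for this example).
func newSigner(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueSessionCert mints a fresh key pair and a short-lived client certificate
// for one user session, signed by the DynCert signer. Each call yields a new
// key and serial, so each user session presents a distinct certificate.
func issueSessionCert(signer *x509.Certificate, signerKey *ecdsa.PrivateKey,
	user string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyClientCert is the check the content provider must perform: the
// presented certificate is accepted only if it chains to a trusted signer,
// is inside its validity period and is marked for client authentication.
// On success it returns the user name carried in the certificate subject.
func verifyClientCert(clientCert *x509.Certificate, trustedSigners ...*x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, s := range trustedSigners {
		roots.AddCert(s)
	}
	_, err := clientCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return clientCert.Subject.CommonName, nil
}

func main() {
	signer, signerKey, err := newSigner("DynCert Signer (example)")
	if err != nil {
		panic(err)
	}
	cert, _, err := issueSessionCert(signer, signerKey, "alice", 10*time.Minute)
	if err != nil {
		panic(err)
	}
	user, err := verifyClientCert(cert, signer)
	fmt.Println("accepted user:", user, "error:", err)
}
```

The content provider's trust store should contain only the DynCert signer (and nothing broader such as a public CA bundle), because the signer is effectively the authentication authority: any certificate it chains to is accepted as that user. Keeping the per-session lifetime short limits how long a leaked session certificate remains usable.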

Performance considerations

Key pair generation is an expensive process. Make sure the machine on which nevisAuth is running possesses sufficient CPU resources.

Key pairs can also be generated continuously in the background (property 'preComputeKeys') so that a key is already prepared when an authentication requires the generation of a certificate. Use of this feature is highly recommended.
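To make the trade-off concrete, here is an added example (not nevisAuth's implementation) of the pre-computation idea in Go: a background goroutine keeps a bounded pool of RSA key pairs ready, so a request that needs a certificate takes a finished key instead of paying the generation cost itself. The pool size and key length are assumptions; main compares the hand-out time from the pool with on-demand generation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
	"time"
)

// KeyPool pre-computes RSA key pairs in a background goroutine and hands them
// out on demand, so that issuing a session certificate does not pay the
// key-generation cost on the request path. This illustrates the idea behind
// the 'preComputeKeys' property; it is not nevisAuth's implementation.
type KeyPool struct {
	keys chan *rsa.PrivateKey
	stop chan struct{}
}

// NewKeyPool starts a generator that keeps up to size keys of the given bit
// length ready. The channel capacity bounds the memory spent on spare keys.
func NewKeyPool(size, bits int) *KeyPool {
	p := &KeyPool{
		keys: make(chan *rsa.PrivateKey, size),
		stop: make(chan struct{}),
	}
	go func() {
		for {
			key, err := rsa.GenerateKey(rand.Reader, bits)
			if err != nil {
				continue // generation failed; retry rather than hand out nothing
			}
			select {
			case p.keys <- key: // parks here while the pool is full
			case <-p.stop:
				return
			}
		}
	}()
	return p
}

// Take returns a ready key pair. It only blocks when the pool has run dry,
// i.e. when certificates are requested faster than keys are generated.
func (p *KeyPool) Take() *rsa.PrivateKey {
	return <-p.keys
}

// Ready reports how many keys are currently waiting in the pool.
func (p *KeyPool) Ready() int {
	return len(p.keys)
}

// Close stops the background generator.
func (p *KeyPool) Close() {
	close(p.stop)
}

// timeIt measures how long one call takes.
func timeIt(f func()) time.Duration {
	start := time.Now()
	f()
	return time.Since(start)
}

func main() {
	pool := NewKeyPool(4, 2048) // pool size and key length are assumptions
	defer pool.Close()
	time.Sleep(2 * time.Second) // give the generator time to fill the pool
	fmt.Println("keys ready:", pool.Ready())
	fmt.Println("from pool: ", timeIt(func() { pool.Take() }))
	fmt.Println("on demand: ", timeIt(func() { rsa.GenerateKey(rand.Reader, 2048) }))
}
```

The pool capacity sets both the memory held in spare keys and the size of a login burst that can be absorbed without any request waiting on key generation; size it from the observed peak authentication rate and the measured generation time on the nevisAuth host. Each key is handed out exactly once, so a pre-computed key never ends up in two sessions.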