HID Wallix WAB and CMS User Manual

How to integrate CMS Appliance
&
Wallix AdminBastion
Version 1.0 | Date 24/04/2012
External Use | 4/24/2012 | © 2012 ActivIdentity
Table of Contents
1.0 Introduction ... 3
1.1 Context and objective ... 3
3.0 CMS Appliance prerequisites ... 4
4.0 Certificate generation ... 5
5.0 Wallix configuration ... 6
5.1 Wallix prerequisites ... 6
5.2 Certificate installation ... 6
5.3 User configuration ... 8
5.3.1 Prerequisites ... 8
6.0 Synopsis of use ... 10
6.1 Scenario #1: Authentication with a smartcard and client certificate in the sign-in page ... 10
1.0 Introduction
This document describes how to configure CMS Appliance and Wallix AdminBastion for client authentication by certificate and smartcard.
1.1 Context and objective
1. Objectives:
   a. Provide an integrated way to authenticate users with a smartcard and client certificate in a Wallix AdminBastion context
2. Prerequisites:
   a. CMS Appliance
   b. OpenSSL
   c. Wallix AdminBastion version > 3.x
   d. Wallix "X509" option license
   e. Smartcard issued by the CMS Appliance
3.0 CMS Appliance prerequisites
Before configuring the Wallix appliance, it is necessary to obtain:
1. The root CA certificate (located in the Backup Network Share location of the CMS Appliance; for more information, refer to the documentation ActivID_CMS_Appliance_UserGuide.pdf).
2. The root CA password (use the passgen tool located in the Backup Network Share location of the CMS Appliance; for more information, refer to the documentation ActivID_CMS_Appliance_UserGuide.pdf).
3. The master password used during the CMS installation, which is mandatory to obtain the CMS CA keystore.
4.0 Certificate generation
1. Download and install OpenSSL (http://gnuwin32.sourceforge.net/packages/openssl.htm). The commands below are run with the openssl command-line tool; each one is shown as a full command line.
2. Extract the CMS root CA private key and certificate from the p12 of the CMS Appliance:
    openssl pkcs12 -in ActivIDCMS1.p12 -nocerts -out ca.key
    openssl pkcs12 -in ActivIDCMS1.p12 -clcerts -nokeys -out ca.crt
3. Generate the Wallix web server key:
    openssl genrsa -des3 -out server.key 1024
4. Remove the password from the key (first copy server.key to server.key.org):
    openssl rsa -in server.key.org -out server.key
5. Generate a CSR for the web server:
    openssl req -new -key server.key -out server.csr
6. Create the server certificate signed by the CMS CA:
    openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
7. Create a p12 file for the Wallix web server:
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
8. Extract the private key and pem from the p12 of the Wallix web server:
    openssl pkcs12 -in server.p12 -clcerts -nokeys -out server.pem
9. Extract the private key and pem from the p12 of the CMS CA:
    openssl pkcs12 -in ActivIDCMS1.p12 -clcerts -nokeys -out ca.pem
5.0 Wallix configuration
This section describes how to manage Wallix.
5.1 Wallix prerequisites
Before this step, it is necessary to obtain (see chapter 4.0):
1. The private key (server.key) of the Wallix web server.
2. The public key (server.pem) of the Wallix web server.
3. The public key (ca.pem) of the CMS root CA.
5.2 Certificate installation
1. Launch the Wallix console and enter in the shell:
    $ sudo -i
    $ WABX509Setup
2. Launch the web interface on port 8082 (http://your_ip_addr:8082) and click "start":
3. Specify the ca.pem.
4. Specify the server.key.
5. Specify the server.pem.
6. Click on "Start WABGUI".
5.3 User configuration
5.3.1 Prerequisites
Obtain the subject of the user certificate via ActivClient.
Create a new user in Wallix.
It is important to respect the syntax of the certificate DN: Wallix expects the slash-separated form with the components in reverse order of the subject.
If the certificate subject is:
    CN=fred2,OU=Unaffiliated,DC=commander04,DC=com
specify in Wallix:
    /DC=com/DC=commander04/OU=Unaffiliated/CN=fred2
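The DN conversion above is the step that most often goes wrong when a user is created by hand, and chapter 4.0 already assumes OpenSSL is installed. The following helper is an added example, not part of the original manual or of the Wallix or CMS products: it reads a certificate subject in the comma-separated (RFC 2253) form shown by ActivClient and produces the slash-separated, root-first string Wallix expects. It goes a little beyond the page's example in that it also handles quoted values and backslash-escaped commas (e.g. CN="Doe, John"), which a naive split on "," would break. The optional subject_from_certificate function shells out to the real openssl x509 command; the file name user.pem in the usage block is a placeholder.

```python
import subprocess
from typing import List, Tuple


def _split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped or inside double quotes."""
    rdns, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            # keep the escape pair intact; it is resolved later in _unescape
            buf.append(c)
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
            buf.append(c)
        elif c == "," and not in_quotes:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    return rdns


def _unescape(value: str) -> str:
    """Strip surrounding quotes and resolve RFC 2253 backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_rfc2253(subject: str) -> List[Tuple[str, str]]:
    """Return (ATTRIBUTE, value) pairs in the order they appear in the subject.

    Attribute names are upper-cased so that "Cn=fred2" and "CN=fred2" match."""
    pairs = []
    for rdn in _split_rdns(subject):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().upper(), _unescape(value.strip())))
    return pairs


def to_wallix_dn(subject: str) -> str:
    """Convert an RFC 2253 subject to the /DC=..../CN=... form Wallix expects.

    Wallix wants the components root-first, so the order is reversed."""
    pairs = parse_rfc2253(subject)
    return "".join(f"/{attr}={value}" for attr, value in reversed(pairs))


def subject_from_certificate(pem_path: str) -> str:
    """Read the subject of a PEM certificate with the openssl CLI (RFC 2253 form).

    Output looks like "subject=CN=fred2,OU=...", with or without a space after
    the first "=" depending on the OpenSSL version, so split once and strip."""
    result = subprocess.run(
        ["openssl", "x509", "-in", pem_path, "-noout", "-subject", "-nameopt", "RFC2253"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip().split("=", 1)[1].strip()


if __name__ == "__main__":
    # Constructed sample: the subject used in the manual's own example.
    page_subject = "Cn=fred2,OU=Unaffiliated,DC=commander04, DC=com"
    print(to_wallix_dn(page_subject))
    # Placeholder path; uncomment to read a real user certificate:
    # print(to_wallix_dn(subject_from_certificate("user.pem")))
```

Paste the printed value into the Wallix user's certificate DN field exactly as shown; a stray space or the original comma-separated order causes the certificate sign-in in chapter 6.1 to be rejected.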
6.0 Synopsis of use
6.1 Scenario #1: Authentication with a smartcard and client certificate in the sign-in page
1. Launch the Wallix User Portal.
2. Click on "sign in with an SSL certificate".
3. As the certificate is configured for authentication enforcement:
4. Enter the smartcard PIN.
5. The authentication is successful.