?
Solved

SSL Client auth

Posted on 2014-03-21
3
Medium Priority
?
432 Views
Last Modified: 2014-03-21
I read some sites on SSL client auth, but am having trouble wit this concept.

Apparently the client is authroized by n X.509 certificate unique to the client, and no uid and pw is required.

Is this correct, and where does the x.509 client certificate get stored, in the server or the client.

How does htat work
0
Comment
Question by:Anthony Lucia
  • 2
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39945892
The concept works this way:

1 A key (cert) is generated and the server Access Control list is updated to include the key

2 When the client connects to the server if a client ssl is required the client checks it's store for the relevant cert (Current user if user based - local machine if computer based)

3 In most instances serial or thumbprint or both or other aspects are matched and the server authenticates the client.

Since certificate based authentication is key pair based the client may in some instances have both the public and private keys, while the server would have a copy of the public or the thumbprint etc depending on how this is designed.


See here for more detailed info:
http://docs.oracle.com/cd/E19424-01/820-4811/aakhe/index.html
0
 

Author Comment

by:Anthony Lucia
ID: 39946000
Regarding the following:

1 A key (cert) is generated and the server Access Control list is updated to include the key

Open in new window


How does this happen.  Is this a manual process, and is the user cert preloaded or forcibly loaded into the server SSL (kind of like the cert authority in regular SSL)  ?
0
 
LVL 29

Accepted Solution

by:
becraig earned 2000 total points
ID: 39946051
Any number of ways:

If this is a server to server call, the client server can simply request a certificate from a publicly trusted CA and then share the public key with the Web server requiring client auth.

This can also be done in an enterprise environment by having the Enterprise CA issue the certificate for the clients.

It all depends on the model you wish to implement:
Internal or external solution
Server to server or user to server.
0

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
This blog will spread awareness about Dropbox. We have given the statements based upon our experience. Along with this, there is a section of some new plans that should be added in Dropbox this year. This will make the storage service enhanced from …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question