Smartcard Authentication

Overview

Since Password Manager Pro serves as the vault for sensitive passwords, it is essential to have a strong authentication mechanism to grant access to the software. PMP provides various authentication options and users can choose the ones that suit their environment better. Apart from PMP's local authentication, there is provision for leveraging the authentication of external identity stores such as Active Directory / LDAP.

To bolster the security further, PMP offers Smart Card Authentication, which makes the authentication stronger because, to get access to PMP, the user must possess the smart card and should know the personal identification number (PIN) as well.

Smart Card authentication in PMP serves as the Primary Authentication and it should not be confused with the Two Factor Authentication.

If you have a smart card authentication system in your environment, you can configure PMP to authenticate users with their smart cards, bypassing other first factor authentication methods like AD, LDAP or Local Authentication.

How Does Smart Card Authentication Work in PMP?

When the user attempts to access PMP web-interface, he would be allowed to proceed further only if he had already completed the smart card authentication in the machine by presenting the smart card and subsequently entering the PIN. PMP's web-interface supplements smart card technology with SSL communication. So, the user is prompted to specify their X.509 certificate for getting access.

The users can chose to provide the certificate from the smart card or the local certificate store, in which case PMP performs the steps to authenticate the user with the certificate.

The users can also choose to decline providing the certificate and PMP takes them to the usual login page for authentication.

Smartcard Authentication Workflow

    1. User tries to connect to the PMP server
    2. The PMP server presents its certificate to the client (web-inteface)
    3. The client verifies the server's certificate with that of the browser certificate authority
    4. If the above process is successful, the client sends the user's smartcard certificate to the server
    5. The server verifies the client certificate with the server's trustStore and then checks the revocation status with the OCSP server (if applicable); finally checks if the user certificate is same as the one in the AD/LDAP or PMP user store.
    6. If the above process also succeeds, the PMP server grants the user access to the web interface

Enabling Smart Card Authentication

Summary of Steps

  • Importing the root of the CA in case of internal certificates (your own certificate). This is the certificate authority issuing the X.509 user certificates to the PMP users. If you are using a certificate signed by third-party CA, you may skip this step.
  • Mapping user details between Smartcard Certificate and the PMP user store
  • Configuring status check for user certificates
  • User certificates verification for authentication
  • Enabling Smart Card Authentication in PMP
  • Restart PMP Server & Web Browser

Step 1 - Importing the Root of CA

In case, you are using an already available internal certificate (your own certificate), you need to specify the root of the CA. If you are using a certificate signed by third-party CA, you may skip this step.

To import the root of the CA,

    1. Go to Admin >> Smart card / PKI / Certificate
    2. In the UI that opens, click "Import Now" button in Step 1
    3. Specify the path of the root of the CA
    4. Restart PMP server

Once you execute the above, the root of the CA will be recorded in PMP. All the certificates signed by the particular CA will henceforth be automatically taken.

Step 2 - Mapping user details between smartcard certificate and PMP user store

The next step is to choose the mapping between the smartcard certificate and the PMP user database. That means, the attribute in the smartcard certificate that uniquely identifies the user should match with the corresponding value in the PMP user database.

This mapping involves two things:

    1. Specifying which attribute in certificate should be taken up for comparison
    2. Specifying the corresponding matching attribute in PMP user store

Specifying the certificate attribute

  • PMP provides the flexibility to specify any attribute of the smartcard certificate that you feel uniquely identifies the user in your environment. You may choose any attribute among SAN.OtherName, SAN.RFC822Name, SAN.DirName, SAN.DNSName, SAN.URI and Common Name. During authentication, PMP reads the value corresponding to this attribute and compares it with the attribute in PMP user store.
  • From the drop-down "Certificate Attribute", select the desired attribute.

Note: In case, in your environment, if any other attribute is used to uniquely identify the user, contact PMP support to add that attribute.

Specifying the matching PMP user name

After specifying the Certificate Attribute, you need to specify the mapping attribute in PMP user store. That means, you need to specify the particular attribute that uniquely identifies the user in PMP user store. This depends on how the user was added in PMP - whether by manual addition or imported from Active Directory / LDAP.

    Users manually added

    For the users manually added into PMP, username in PMP is probably the only attribute that could be taken up for comparison with the corresponding attribute in certificate. So, just leave this text field with the default value "username".

    Users imported from Active Directory / LDAP

    In the case of the users imported from Active Directory/LDAP, normally the attribute 'userPrincipalName' is used to uniquely identify the user. It is quite possible that in your environment, some other attribute like 'distinguishedName' might uniquely identify the user. So, specify the attribute accordingly.

Finally, Save the settings.

Step 3 - Configuring Status Check for User Certificates

During authentication, PMP checks for certificate revocation status against an Online Certificate Status Protocol (OCSP) server, with details available in the certificate itself. If some certificates do not have OCSP information, the information provided in the settings here will be used. This check can be disabled by changing the property ocsp.check to false in 'System Properties' file found in conf directory of PMP.

Also, authentication through OCSP will require access to the internet. In enterprise network setup, you might need to go through a proxy server to access the internet. You may specify proxy server settings if you have not specified it already.

Click the button "Configure Now" and enter OCSP server details such as OCSP server name, port and if required, the proxy server settings.

Step 4 - Comparing User Certificates for Verifying Authentication

Another step in the authentication process is comparison of the user certificates presented by the user and the ones stored in the system or Active Directory/LDAP. For the users who were added manually, the X.509 certificate stored in the PMP database will be compared with the one presented by the user.

Another step in the authentication process is comparison of the user certificates presented by the user and the ones stored in the system or Active Directory/LDAP. For the users who were added manually, the X.509 certificate stored in the PMP database will be compared with the one presented by the user.

Important Note:

In case, you do not have AD or LDAP in your environment, you need to manually put the x.509 format SSL certificate used for smartcard authentication into PMP.

  • You can do this from Admin >> General >> Change Login Password GUI.
  • Choose the option 'Change Certificate' to specify the path of the x.509 format SSL certificate

Step 5 - Enabling Smart Card Authentication

After carrying out the settings, you need to enable Smart Card Authentication. Before enabling this, you need to ensure that AD/LDAP authentication is disabled.

Click "Enable" to enable smart card authentication.

Step 6 - Restart PMP Server & Web Browser

After completing aforesaid steps, restart PMP server and the web server once to give effect to the settings. Whenever you enable or disable Smart Card authentication in PMP, you need to restart the server and the browser to give effect to the change.

Important Note:

  • Once you enable Smart Card authentication, it will take effect globally - that means, Smart Card authentication will be applied to all the users. However, the users for whom Smart Card authentication is not applicable, will be prompted to use local authentication automatically. For those Smart Card authentication is applicable, they will be prompted to proceed with Smart Card authentication
  • When Smart Card Authentication is enabled, AD or LDAP authentication will remain suspended for all users. So, you need to choose between AD, LDAP and Smart Card

Smart Card Authentication in PMP - Workflow

  • User tries to access PMP web-interface
  • The attribute that uniquely identifies the user in the smartcard certificate is compared with the corresponding attribute in PMP userstore.
  • Then, the user certificate - the X.509 certificate stored in the PMP database in the case of users manually added will be compared with the one presented by the user. In the case of users imported from Active Directory / LDAP, the certificate will be retrieved from AD/LDAP for comparison.
  • If there is perfect matching, user is allowed access.

Smart Card Authentication in High Availability Scenario

If you have configured high availability and if you have enabled smart card authentication in Primary, the same has to be configured in the secondary server too.

To do this,

  • Stop PMP primary server
  • Connect to the PMP secondary server
  • Go to Admin >> Users >> Smart Card Authentication
  • In the UI that opens, perform Step 1 and Step 5 alone (for details, refer to the section 'enabling smart card authentication' above)
  • Restart secondary after completing the above steps

Troubleshooting Tip

  • In case, you do not get the pop-up that prompts you to select the client certificate during authentication, try again after restarting the browser

©2014, ZOHO Corp. All Rights Reserved.

Top