Smartcard Authentication

Overview

Since Password Manager Pro serves as the vault for sensitive passwords, it is essential to have a strong authentication mechanism to grant access to the software.  PMP provides various authentication options and users can choose the ones that suit their environment better. Apart from PMP's local authentication, there is provision for leveraging the authentication of external identity stores such as Active Directory / LDAP.  

 

To bolster the security further, PMP offers Smart Card Authentication, which makes the authentication stronger because, to get access to PMP, the user must possess the smart card and should know the personal identification number (PIN) as well.

 

Smart Card authentication in PMP serves as the Primary Authentication and it should not be confused with the Two Factor Authentication.

 

If you have a smart card authentication system in your environment, you can configure PMP to authenticate users with their smart cards, bypassing other first factor authentication methods like AD, LDAP or Local Authentication.

 

How Does Smart Card Authentication Work in PMP?

When the user attempts to access PMP web-interface, he would be allowed to proceed further only if he had already completed the smart card authentication in the machine by presenting the smart card and subsequently entering the PIN. PMP's web-interface supplements smart card technology with SSL communication. So, the user is prompted to specify their X.509 certificate for getting access.

 

The users can chose to provide the certificate from the smart card or the local certificate store, in which case PMP performs the steps to authenticate the user with the certificate.

 

The users can also choose to decline providing the certificate and PMP takes them to the usual login page for authentication.

 

Smartcard Authentication Workflow

 

  1. User tries to connect to the PMP server

  2. The PMP server presents its certificate to the client (web-inteface)

  3. The client verifies the server's certificate with that of the browser certificate authority

  4. If the above process is successful, the client sends the user's smartcard certificate to the server

  5. The server verifies the client certificate with the server's trustStore and then checks the revocation status with the OCSP server (if applicable); finally checks if the user certificate is same as the one in the AD/LDAP or PMP user store.

  6. If the above process also succeeds, the PMP server grants the user access to the web interface

 

 

Smartcard Authentication Flow

 

 

 

Enabling Smart Card Authentication

Summary of Steps

 

  1. Importing the root of the CA in case of internal certificates (your own certificate). This is the certificate authority issuing the X.509 user certificates to the PMP users. If you are using a certificate signed by third-party CA, you may skip this step.

  2. Mapping user details between Smartcard Certificate and the PMP user store

  3. Configuring status check for user certificates

  4. User certificates verification for authentication

  5. Enabling Smart Card Authentication in PMP

  6. Restart PMP Server & Web Browser

 

Step 1 - Importing the Root of CA

In case, you are using an already available internal certificate (your own certificate), you need to specify the root of the CA. If you are using a certificate signed by third-party CA, you may skip this step.

 

To import the root of the CA,

 

  1. Go to Admin >> Users >> Smart Card Authentication

  2. In the UI that opens, click "Import Now" button in Step 1

  3. Specify the path of the root of the CA

  4. Restart PMP server

 

Once you execute the above, the root of the CA will be recorded in PMP. All the certificates signed by the particular CA will henceforth be automatically taken.

 

Step 2 - Mapping user details between smartcard certificate and PMP user store

The next step is to choose the mapping between the smartcard certificate and the PMP user database.  That means, the attribute in the smartcard certificate that uniquely identifies the user should match with the corresponding value in the PMP user database.

 

This mapping involves two things:

 

  1. Specifying which attribute in certificate should be taken up for comparison

  2. Specifying the corresponding matching attribute in PMP user store

 

Specifying the certificate attribute

 

 

Note: In case, in your environment, if any other attribute is used to uniquely identify the user, contact PMP support to add that attribute.

 

Specifying the matching PMP user name

 

After specifying the Certificate Attribute, you need to specify the mapping attribute in PMP user store. That means, you need to specify the particular attribute that uniquely identifies the user in PMP user store. This depends on how the user was added in PMP - whether by manual addition or imported from Active Directory / LDAP.

 

Users manually added

 

For the users manually added into PMP, username in PMP is probably the only attribute that could be taken up for comparison with the corresponding attribute in certificate. So, just leave this text field with the default value "username".

 

Users imported from Active Directory / LDAP

 

In the case of the users imported from Active Directory/LDAP, normally the attribute 'userPrincipalName' is used to uniquely identify the user. It is quite possible that in your environment, some other attribute like 'distinguishedName' might uniquely identify the user. So, specify the attribute accordingly.

 

Finally, Save the settings.

 

Step 3 - Configuring Status Check for User Certificates

During authentication, PMP checks for certificate revocation status against an Online Certificate Status Protocol (OCSP) server, with details available in the certificate itself. If some certificates do not have OCSP information, the information provided in the settings here will be used. This check can be disabled by changing the property ocsp.check to false in 'System Properties' file found in conf directory of PMP.

 

Also, authentication through OCSP will require access to the internet. In enterprise network setup, you might need to go through a proxy server to access the internet. You may specify proxy server settings if you have not specified it already.

 

Click the button "Configure Now" and enter OCSP server details such as OCSP server name, port and if required, the proxy server settings.

 

Step 4 - Comparing User Certificates for Verifying Authentication

Another step in the authentication process is comparison of the user certificates presented by the user and the ones stored in the system or Active Directory/LDAP. For the users who were added manually, the X.509 certificate stored in the PMP database will be compared with the one presented by the user.  

 

In the case of users imported from Active Directory / LDAP, you need to specify the attribute with which the certificate could be retrieved for comparison. For example, if the certificate is stored with the attribute 'userCertificate', you may specify that here.

 

Important Note:

 

In case, you do not have AD or LDAP in your environment, you need to manually put the x.509 format SSL certificate used for smartcard authentication into PMP.

 

Step 5 - Enabling Smart Card Authentication

 

After carrying out the settings, you need to enable Smart Card Authentication. Before enabling this, you need to ensure that AD/LDAP authentication is disabled.

 

Click "Enable" to enable smart card authentication.

 

Step 6 - Restart PMP Server & Web Browser

After completing aforesaid steps, restart PMP server and the web server once to give effect to the settings. Whenever you enable or disable Smart Card authentication in PMP, you need to restart the server and the browser to give effect to the change.

 

Important Note:

 

Smart Card Authentication in PMP - Workflow

 

Smart Card Authentication in High Availability Scenario

If you have configured high availability and if you have enabled smart card authentication in Primary, the same has to be configured in the secondary server too.

 

To do this,

 

 

Troubleshooting Tip

 

 


© 2014, ZOHO Corp. All Rights Reserved.