Smart Card / PKI / Certificate Authentication
Since PAM360 serves as the vault for sensitive passwords, it is essential to have a strong authentication mechanism to grant access to the software. PAM360 provides various authentication options and users can choose the ones that suit their environment better. Apart from PAM360's local authentication, there is provision for leveraging the authentication of external identity stores such as Active Directory/LDAP.
To bolster the security further, PAM360 offers Smart Card Authentication, which makes the authentication stronger because, to get access to PAM360, the user must possess the smart card and should know the personal identification number (PIN) as well.
Smart Card authentication in PAM360 serves as the Primary Authentication and it should not be confused with the Two Factor Authentication.
If you have a smart card authentication system in your environment, you can configure PAM360 to authenticate users with their smart cards, bypassing other first factor authentication methods like AD, LDAP or Local Authentication.
Enabling Smart Card authentication involves the following steps:
- How does the Authentication Mechanism Work?
- Importing the Root of CA
- Mapping User Details
- Configuring Status Check for User Certificates
- Comparing User Certificates for Verifying Authentication
- Enabling Smart Card Authentication
- Restarting PAM360 Server & Web Browser
- Smart Card Authentication in High Availability Scenario
1. How Does the Authentication Mechanism Work? (PAM360)
When the user attempts to access PAM360 web-interface, he would be allowed to proceed further only if he had already completed the smart card authentication in the machine by presenting the smart card and subsequently entering the PIN. PAM360's web-interface supplements smart card technology with SSL communication. So, the user is prompted to specify their X.509 certificate for getting access.
The users can chose to provide the certificate from the smart card or the local certificate store, in which case PAM360 performs the steps to authenticate the user with the certificate. The users can also choose to decline providing the certificate and PAM360 takes them to the usual login page for authentication.
2.1 Smartcard Authentication Workflow
- User tries to connect to the PAM360 server.
- The PAM360 server presents its certificate to the client. (web-interface)
- The client verifies the server's certificate with that of the browser certificate authority.
- If the above process is successful, the client sends the user's smartcard certificate to the server.
- The server verifies the client certificate with the server's trustStore and then checks the revocation status with the OCSP server (if applicable); finally checks if the user certificate is same as the one in the AD/LDAP or PAM360 user store.
- If the above process also succeeds, the PAM360 server grants the user access to the web interface.
2.2 Smart Card Authentication in PAM360
- User tries to access PAM360 web-interface.
- The attribute that uniquely identifies the user in the smartcard certificate is compared with the corresponding attribute in PAM360 userstore.
- Then, the user certificate - the X.509 certificate stored in the PAM360 database in the case of users manually added will be compared with the one presented by the user. In the case of users imported from Active Directory / LDAP, the certificate will be retrieved from AD/LDAP for comparison.
- If there is perfect matching, user is allowed access.
3. Importing the Root of CA
In case, you are using an already available internal certificate (your own certificate), you need to specify the root of the CA. This is the certificate authority issuing the X.509 user certificates to the PAM360 users. If you are using a certificate signed by third-party CA, you may skip this step.
To import the root of the CA,
- Navigate to Admin >> Authentication >> Smart card / PKI / Certificate.
- In the UI that opens, specify the path of the root of the CA and click Import Now button in Step 1.
- Restart PAM360 server.
Once you execute the above, the root of the CA will be recorded in PAM360. All the certificates signed by the particular CA will henceforth be automatically taken.
4. Mapping User Details (between smartcard certificate and PAM360 user store)
The next step is to choose the mapping between the smartcard certificate and the PAM360 user database. That means, the attribute in the smartcard certificate that uniquely identifies the user should match with the corresponding value in the PAM360 user database.
This mapping involves two things:
- Specifying which attribute in certificate should be taken up for comparison.
- Specifying the corresponding matching attribute in PAM360 user store.
4.1 Specifying the certificate attribute
- PAM360 provides the flexibility to specify any attribute of the smartcard certificate that you feel uniquely identifies the user in your environment. You may choose any attribute among SAN.OtherName, SAN.RFC822Name, SAN.DirName, SAN.DNSName, SAN.URI and Common Name. During authentication, PAM360 reads the value corresponding to this attribute and compares it with the attribute in PAM360 user store.
- From the drop-down Certificate Attribute, select the desired attribute.
Note: In case, in your environment, if any other attribute is used to uniquely identify the user, contact PAM360 support to add that attribute.
4.2 Specifying the matching PAM360 user name
After specifying the Certificate Attribute, you need to specify the mapping attribute in PAM360 user store. That means, you need to specify the particular attribute that uniquely identifies the user in PAM360 user store. This depends on how the user was added in PAM360 - whether by manual addition or imported from Active Directory / LDAP.
4.3 Users manually added
For the users manually added into PAM360, username in PAM360 is probably the only attribute that could be taken up for comparison with the corresponding attribute in certificate. So, just leave this text field with the default value username.
4.4 Users imported from Active Directory / LDAP
In the case of the users imported from Active Directory/LDAP, normally the attribute userPrincipalName is used to uniquely identify the user. It is quite possible that in your environment, some other attribute like distinguishedName might uniquely identify the user. So, specify the attribute accordingly.
5. Configuring Status Check for User Certificates
During authentication, PAM360 checks for certificate revocation status against an Online Certificate Status Protocol (OCSP) server, with details available in the certificate itself. If some certificates do not have OCSP information, the information provided in the settings here will be used. This check can be disabled by changing the property ocsp.check to false in System Properties file found in conf directory of PAM360.
Also, authentication through OCSP will require access to the internet. In enterprise network setup, you might need to go through a proxy server to access the internet. You may specify proxy server settings if you have not specified it already.
- Click the button Configure Now.
- In the pop-up form that opens,
6. Comparing User Certificates for Verifying Authentication
Another step in the authentication process is comparison of the user certificates presented by the user and the ones stored in the system or Active Directory/LDAP. For the users who were added manually, the X.509 certificate stored in the PAM360 database will be compared with the one presented by the user.
Note: In case, you do not have AD or LDAP in your environment, you need to manually put the x.509 format SSL certificate used for smartcard authentication into PAM360.
- Navigate to Admin >> Settings >> Change PAM360 Login Password.
- In the pop-up form that opens, change the User Certificate to specify the path of the x.509 format SSL certificate.
- Click Save.
7. Enabling Smart Card Authentication (PAM360)
After carrying out the settings, you need to enable Smart Card Authentication. Before enabling this, you need to ensure that AD/LDAP authentication is disabled.
8. Restarting PAM360 Server & Web Browser
After completing aforesaid steps, restart PAM360 server and the web server once to give effect to the settings. Whenever you enable or disable Smart Card authentication in PAM360, you need to restart the server and the browser to give effect to the change.
- Once you enable smart card authentication, it will take effect globally - that means, Smart card authentication will be applied to all the users. However, the users for whom smart card authentication is not applicable, will be prompted to use local authentication automatically.
- When smart card authentication is enabled, AD or LDAP authentication will remain suspended for all users. So, you need to choose between AD, LDAP and Smart card.
9. Smart Card Authentication in High Availability Scenario
If you have configured high availability and if you have enabled smart card authentication in Primary, the same has to be configured in the secondary server too.
To do this,
- Stop PAM360 primary server
- Connect to the PAM360 secondary server
- Go to Admin >> Authentication >> Smart card / PKI / Certificate.
- In the UI that opens, perform Step 1 and Step 5 alone (for details, refer to the section enabling smart card authentication above)
- Restart secondary after completing the above steps
10. Troubleshooting Tip
In case, you do not get the pop-up that prompts you to select the client certificate during authentication, try again after restarting the browser.