Reference Guide
Kron PAM Administration
PKI Authentication
PKI authentication is a security method that verifies the identities of users, devices, or applications using digital certificates and public/private key pairs. It relies on a trusted Certificate Authority (CA) to issue certificates, ensuring secure and authenticated connections across networks. Kron PAM supports PKI authentication.

The creation of the client certificate is not discussed here. In a well-configured Microsoft domain, client certificates are produced automatically when the end user logs in to an endpoint that is joined to the domain. Client certificates are issued by a Certificate Authority (CA). This CA certificate must be placed into the Kron PAM certificate store, so the CA certificate must be obtained first.

Creating the Trust Store

A trust store for Tomcat must be created. This trust store contains the CA certificates that will be used to verify clients; as mentioned, this is the CA that issued the client certificates. To create the trust store, execute the following steps, where ca-cert.pem is the CA certificate:

1. Make an SSH connection to Kron PAM.
2. Navigate to the /pam/gui/conf/cert directory.
3. Run the following command:

    keytool -import -alias tomcat -keystore pam-truststore.jks -file ca-cert.pem

   A keystore password will be prompted; enter a password.
4. After creation, assign the necessary permissions on the keystore file to pamuser.

Configuring server.xml

Edit the server.xml file to include the trust store created above:

    vi /pam/gui/conf/server.xml

The complete Connector is shown below; the second SSLHostConfig block (hostName="pki.pam.com") is the part to add. Ensure that the passwords for the trust store and the certificates are changed accordingly.

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               server="PAM Server" allowTrace="false">
        <SSLHostConfig protocols="TLSv1.2"
                       ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
            <Certificate certificateKeystoreFile="/pam/gui/conf/cert/pam-certificate.jks"
                         certificateKeystorePassword="password of the PAM certificate"
                         certificateKeyAlias="tomcat"
                         type="RSA"/>
        </SSLHostConfig>
        <SSLHostConfig hostName="pki.pam.com"
                       certificateVerification="optional"
                       truststoreFile="/pam/gui/conf/cert/pam-truststore.jks"
                       truststorePassword="password of the trust store"
                       protocols="TLSv1.2"
                       ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
            <Certificate certificateKeystoreFile="/pam/gui/conf/cert/pam-certificate.jks"
                         certificateKeystorePassword="password of the PAM certificate"
                         certificateKeyAlias="tomcat"
                         type="RSA"/>
        </SSLHostConfig>
    </Connector>

Configuring web.xml

Edit the web.xml file to allow the Tomcat CORS filter for https://pam.com:

    vi /pam/gui/conf/web.xml

If it does not already exist, add the following parameter to the CORS filter definition in web.xml as well:

    <init-param>
        <param-name>cors.support.credentials</param-name>
        <param-value>true</param-value>
    </init-param>

Enabling PKI Authentication on the GUI

PKI authentication must now be enabled on the GUI. Follow the steps below:

1. Open Administration > Syst. Config. Man. > PKI Authentication.
2. Click the toggle button to enable it.
3. The username attribute value on the client certificate can also be specified. This means that the Subject Alternative Name (SAN) on the client certificate must contain this attribute, which is verified by the CA certificate. By default, sAMAccountName is checked. If the client certificate is signed by the imported CA and the username attribute is properly imported from LDAP, the sign-in succeeds.

The following parameter must be added to the system configuration parameters. Navigate to Administration > Syst. Config. Man. > Add New Parameter and add:

    netright.cookie.domain = pam.com

The PAM GUI service must then be restarted. Make an SSH connection to the PAM server and execute the following command:

    systemctl restart pam-gui.service

DNS Records

Lastly, two DNS records for PKI authentication must be created on the DNS server. For instance, if the IP address of the PAM server in DNS is 1.1.1.1, the configuration requires the following two DNS records:

    1.1.1.1    pam.com
    1.1.1.1    pki.pam.com

If a load balancer (LB) is used and 1.1.1.1 is the LB address, the same configuration applies.

Testing

To test this, log in to the endpoint with a domain user; the pam.com DNS record must be resolvable from the endpoint. Next, click the "Login with PKI Authentication" button. The browser should prompt for a client certificate, which must be selected to proceed with the login.
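The server.xml and web.xml edits above are easy to get subtly wrong, and a mistake only shows up after the restart, or not at all if Tomcat never asks the browser for a certificate. The following is an added example, not part of the Kron PAM guide or product, that lints a constructed copy of those two files with Python's standard library before the pam-gui service is restarted. The file paths, the host name pki.pam.com, the CORS origin and the cipher list are taken from the guide; the sample passwords, the helper names lint_server_xml and lint_web_xml, and the deliberately weakened WEAK_SERVER_XML variant are assumptions constructed for this example. It goes slightly beyond the guide by also flagging legacy protocol names, non-AEAD cipher suites and a wildcard CORS origin.

```python
import xml.etree.ElementTree as ET

# The guide's cipher list: every suite is an AEAD (GCM) suite.
CIPHERS = ",".join([
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
])

# Constructed server.xml excerpt with the two SSLHostConfig blocks from the guide.
# The passwords are made-up sample values for this example, not real credentials.
SERVER_XML = f"""<Server><Service>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           server="PAM Server" allowTrace="false">
  <SSLHostConfig protocols="TLSv1.2" ciphers="{CIPHERS}">
    <Certificate certificateKeystoreFile="/pam/gui/conf/cert/pam-certificate.jks"
                 certificateKeystorePassword="Sample-Cert-Pw-1"
                 certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="pki.pam.com" certificateVerification="optional"
                 truststoreFile="/pam/gui/conf/cert/pam-truststore.jks"
                 truststorePassword="Sample-Trust-Pw-1"
                 protocols="TLSv1.2" ciphers="{CIPHERS}">
    <Certificate certificateKeystoreFile="/pam/gui/conf/cert/pam-certificate.jks"
                 certificateKeystorePassword="Sample-Cert-Pw-1"
                 certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Constructed weakened variant: certificate never requested, default trust store
# password, and a legacy protocol re-enabled. Used only to show the findings.
WEAK_SERVER_XML = (SERVER_XML
                   .replace('certificateVerification="optional"', 'certificateVerification="none"')
                   .replace("Sample-Trust-Pw-1", "changeit")
                   .replace('protocols="TLSv1.2"', 'protocols="TLSv1,TLSv1.2"'))

# Constructed web.xml excerpt with the CorsFilter parameters the guide requires.
WEB_XML = """<web-app>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://pam.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>"""

# The guide's placeholder strings plus the JDK keystore default; none may survive.
PLACEHOLDER_PASSWORDS = {"password of the trust store", "password of the PAM certificate", "changeit", ""}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def lint_server_xml(xml_text, pki_host="pki.pam.com"):
    """Return a list of findings for the PKI SSLHostConfig; an empty list means it matches the guide."""
    findings = []
    root = ET.fromstring(xml_text)
    cfgs = [c for c in root.iter("SSLHostConfig") if c.get("hostName") == pki_host]
    if not cfgs:
        return [f"no SSLHostConfig with hostName={pki_host}"]
    cfg = cfgs[0]
    # With "none" Tomcat never sends a CertificateRequest, so the browser is never prompted.
    if cfg.get("certificateVerification", "none") not in ("optional", "required"):
        findings.append("certificateVerification must be optional or required")
    if not cfg.get("truststoreFile"):
        findings.append("truststoreFile missing: client certificates cannot be checked against the CA")
    if cfg.get("truststorePassword", "") in PLACEHOLDER_PASSWORDS:
        findings.append("truststorePassword is still a placeholder or default")
    for cert in cfg.iter("Certificate"):
        if cert.get("certificateKeystorePassword", "") in PLACEHOLDER_PASSWORDS:
            findings.append("certificateKeystorePassword is still a placeholder or default")
    protos = {p.strip() for p in cfg.get("protocols", "").split(",")}
    if protos & WEAK_PROTOCOLS or "all" in protos:
        findings.append(f"legacy protocols enabled: {sorted(protos & WEAK_PROTOCOLS) or ['all']}")
    ciphers = [c.strip() for c in cfg.get("ciphers", "").split(",") if c.strip()]
    non_aead = [c for c in ciphers if "_GCM_" not in c and "_CHACHA20_" not in c]
    if non_aead:
        findings.append(f"non-AEAD cipher suites present: {non_aead}")
    return findings


def lint_web_xml(xml_text, origin="https://pam.com"):
    """Return findings for the CorsFilter definition; an empty list means credentials and origin are right."""
    findings = []
    params = {}
    for flt in ET.fromstring(xml_text).iter("filter"):
        if (flt.findtext("filter-class") or "").endswith("CorsFilter"):
            for p in flt.iter("init-param"):
                params[(p.findtext("param-name") or "").strip()] = (p.findtext("param-value") or "").strip()
    if not params:
        return ["no CorsFilter defined"]
    if params.get("cors.support.credentials") != "true":
        findings.append("cors.support.credentials must be true")
    origins = {o.strip() for o in params.get("cors.allowed.origins", "").split(",")}
    # Browsers reject a wildcard origin together with credentials, so this is never a valid combination.
    if "*" in origins:
        findings.append("cors.allowed.origins is a wildcard")
    elif origin not in origins:
        findings.append(f"{origin} is not in cors.allowed.origins")
    return findings


if __name__ == "__main__":
    for label, text in (("server.xml", SERVER_XML), ("server.xml (weak)", WEAK_SERVER_XML)):
        print(label, lint_server_xml(text) or "OK")
    print("web.xml", lint_web_xml(WEB_XML) or "OK")
```

Run it against the real files (read them instead of the constructed strings) before `systemctl restart pam-gui.service`; an empty result means the connector matches what the guide prescribes. One caveat worth knowing: certificateVerification="optional" makes Tomcat request a client certificate but still completes the handshake when the browser sends none, so it is the PAM application's check of the SAN username attribute, not Tomcat, that rejects a login without a valid certificate.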