PKI Authentication
PKI authentication is a security method that verifies the identities of users, devices, or applications using digital certificates and public/private key pairs. It relies on a trusted certificate authority (CA) to issue certificates, ensuring secure and authenticated connections across networks. Kron PAM supports PKI authentication.

Creating the client certificate is beyond the scope of this document, but in a well-configured Microsoft domain, client certificates are produced automatically when the end user logs into an endpoint joined to the domain. Client certificates are issued by a certificate authority (CA). This CA certificate must be placed into the Kron PAM certificate store, so the CA certificate must be obtained beforehand.

Creating the trust store

A trust store holding the CA certificates that verify client certificates must be set up with the following steps:

1. Make an SSH connection to Kron PAM.
2. Navigate to the /pam/gui/conf/cert directory.
3. Run the following command (ca-cert.pem is the CA certificate):

```shell
keytool -import -alias tomcat -keystore pam-truststore.jks -file ca-cert.pem
```

4. Set a keystore password when prompted.
5. After creation, assign the necessary permissions on the keystore to pamuser.

Editing server.xml

Edit the server.xml file to include the keystore file specified above:

```shell
vi /pam/gui/conf/server.xml
```

Add the part following the 26th line in the sample XML below (the second SSLHostConfig and everything under it). Ensure that the passwords for the trust store and certificates are changed accordingly.

```xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           server="PAM Server" allowTrace="false">
  <SSLHostConfig protocols="TLSv1.2"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
    <Certificate certificateKeystoreFile="/pam/gui/conf/cert/pam-certificate.jks"
                 certificateKeystorePassword="password of the PAM certificate"
                 certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
  <!-- //////// add everything below this line //////// -->
  <SSLHostConfig hostName="pki.pam.com" certificateVerification="optional"
                 truststoreFile="/pam/gui/conf/cert/pam-truststore.jks"
                 truststorePassword="password of the trust store"
                 protocols="TLSv1.2"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
    <Certificate certificateKeystoreFile="/pam/gui/conf/cert/pam-certificate.jks"
                 certificateKeystorePassword="password of the PAM certificate"
                 certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
</Connector>
```

Editing web.xml

Edit the web.xml file to allow the Tomcat CORS filter for https://pam.com:

```shell
vi /pam/gui/conf/web.xml
```

If not present, add the following init-param to the CORS filter in web.xml as well:

```xml
<init-param>
  <param-name>cors.support.credentials</param-name>
  <param-value>true</param-value>
</init-param>
```

Enabling PKI authentication on the GUI

PKI authentication must now be enabled on the GUI. Follow the steps below:

1. Open Administration > Syst. Config. Man. > PKI Authentication.
2. Click the toggle button to enable it.
3. The username attribute value on the client certificate can also be specified. This means the Subject Alternative Name (SAN) on the client certificate must contain this attribute, which is verified against the CA certificate. By default, sAMAccountName is checked. If the client certificate is signed by the imported CA and the username attribute is properly imported from LDAP, the sign-in will succeed.

System configuration parameter

The following parameter must be added to the system configuration parameters. Navigate to Administration > Syst. Config. Man. > Add New Parameter and add:

```
netright.cookie.domain = pam.com
```

Restarting the PAM GUI service

The PAM GUI service must be restarted. Make an SSH connection to the PAM server and execute the following command:

```shell
systemctl restart pam-gui.service
```

DNS records

Lastly, two DNS records for PKI authentication must be created on the DNS server. For instance, if the IP address of the PAM server in DNS is 1.1.1.1, the configuration requires the following two DNS records:

```
1.1.1.1  pam.com
1.1.1.1  pki.pam.com
```

If a load balancer (LB) is used and 1.1.1.1 is the LB address, the same configuration should be applied.

Testing

To test this, the endpoint must be logged in with a domain user, and the pam.com DNS record must be resolvable. Next, click the "Login with PKI Authentication" button. The browser should prompt for a client certificate, which must be selected to proceed with the login.
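A mistake in server.xml (a misspelled attribute, a placeholder password left in, a missing default host) surfaces only when the GUI service is restarted, at which point the PAM web interface is down. The following added example, which is not part of Kron's documentation or product, lints the server.xml and web.xml edits from the steps above with the Python standard library before the restart step. The embedded sample documents are constructed for the example (shortened cipher lists, dummy passwords); the function names, the `check_files` option and the `cors.allowed.origins` entry in the sample web.xml are assumptions of this example, not settings taken from the page.

```python
"""Pre-restart lint for the Tomcat PKI settings described above (added example)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample: the page's Connector after the pki.pam.com SSLHostConfig
# was added. Cipher lists are shortened and passwords are dummies.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           server="PAM Server" allowTrace="false">
  <SSLHostConfig protocols="TLSv1.2" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256">
    <Certificate certificateKeystoreFile="/pam/gui/conf/cert/pam-certificate.jks"
                 certificateKeystorePassword="changeit" certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="pki.pam.com" certificateVerification="optional"
                 truststoreFile="/pam/gui/conf/cert/pam-truststore.jks"
                 truststorePassword="changeit" protocols="TLSv1.2"
                 ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256">
    <Certificate certificateKeystoreFile="/pam/gui/conf/cert/pam-certificate.jks"
                 certificateKeystorePassword="changeit" certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
</Connector></Service></Server>"""

# Constructed sample web.xml fragment; cors.allowed.origins is an assumption
# of this example (the page only says the filter must allow https://pam.com).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<filter><filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param><param-name>cors.allowed.origins</param-name><param-value>https://pam.com</param-value></init-param>
  <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
</filter></web-app>"""

VALID_VERIFICATION = ("required", "optional", "optionalNoCA")


def _is_default_host(cfg):
    # Tomcat treats a missing hostName as the default host "_default_".
    return cfg.get("hostName") in (None, "_default_")


def check_server_xml(xml_text, pki_host="pki.pam.com", check_files=False):
    """Return a list of problems; an empty list means the PKI host looks right."""
    problems = []
    root = ET.fromstring(xml_text)
    connectors = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        return ['no <Connector> with SSLEnabled="true"']
    for conn in connectors:
        hosts = conn.findall("SSLHostConfig")
        if not any(_is_default_host(h) for h in hosts):
            problems.append("default SSLHostConfig (no hostName) is missing")
        pki = [h for h in hosts if h.get("hostName") == pki_host]
        if not pki:
            problems.append(f'no SSLHostConfig with hostName="{pki_host}"')
            continue
        host = pki[0]
        if host.get("certificateVerification") not in VALID_VERIFICATION:
            problems.append("certificateVerification must be required, optional or optionalNoCA")
        truststore = host.get("truststoreFile")
        if not truststore:
            problems.append("truststoreFile is not set on the PKI host")
        elif check_files and not os.path.isfile(truststore):  # only when run on the PAM host
            problems.append(f"truststoreFile {truststore} does not exist")
        if not host.get("truststorePassword"):
            problems.append("truststorePassword is not set on the PKI host")
        if host.get("protocols") != "TLSv1.2":
            problems.append('protocols should be "TLSv1.2" on the PKI host')
        certs = host.findall("Certificate")
        if not certs:
            problems.append("PKI host has no <Certificate> element")
        # Catch the page's placeholder passwords if they were pasted unchanged.
        for el in [host] + certs:
            for attr in ("truststorePassword", "certificateKeystorePassword"):
                if "password of the" in (el.get(attr) or "").lower():
                    problems.append(f"{attr} still holds the sample placeholder")
    return problems


def _local(tag):
    # web.xml uses a default namespace, so strip "{uri}" from element names.
    return tag.rsplit("}", 1)[-1]


def check_web_xml(xml_text):
    """Return problems with the CORS filter init-params (empty list == OK)."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "init-param":
            continue
        name = value = ""
        for child in el:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        params[name] = value
    if params.get("cors.support.credentials", "").lower() != "true":
        return ["cors.support.credentials is not set to true in the CORS filter"]
    return []


def check_all(server_xml, web_xml, **kwargs):
    """Combined report; run this before restarting the GUI service."""
    return check_server_xml(server_xml, **kwargs) + check_web_xml(web_xml)


if __name__ == "__main__":
    print(check_all(SAMPLE_SERVER_XML, SAMPLE_WEB_XML) or "configuration looks consistent")
```

On the PAM host itself, pass the real file contents (`open("/pam/gui/conf/server.xml").read()`) and `check_files=True` so the trust-store path is also verified; the keystore must then be readable by pamuser, which this check does not cover.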