Add an X.509 Authenticator to Address Manager.
To add an X.509 Authenticator:
- Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
- Under User Management, click Secure Access.
- Click the X.509 Authenticators tab and click New.
Under X.509 Authenticator, set the following:
- Name—a descriptive name for an X.509 authenticator.
- X.509 Primary Server URL—the HTTP URL of the primary OCSP Responder, used for testing the status of client certificates.
- Enable Secondary X.509 Authenticator—enables the use of a secondary (fallback) X.509 authenticator. If selected, you must provide the URL of the secondary OCSP server.
- X.509 Secondary Server URL—the URL of the secondary OCSP server. This field is enabled when the Enable Secondary X.509 Authenticator option is selected. This server will be contacted only if the Primary can't be contacted.
- Custom User Prefix Match—when selected, matching of users in LDAP will be performed using the Subject CN from the client certificate and the attribute specified in the User Prefix field of the LDAP authenticator. You can't specify Strict DN Match when selecting Custom User Prefix Match.
- Strict DN Match—when selected, matching of users in LDAP will be performed using the full Subject DN from the client certificate. When unchecked, a match will be performed using the final CN (Common Name) from the Subject DN. You can't specify Custom User Prefix Match when selecting Strict DN Match.
- CA Certificate—one or more certificate(s) for the CA(s) issuing client certificates. If an issuing CA is an intermediate (or sub-) CA, the chain of CA certificates up to and including a root CA must also be present. All certificates must be in PEM format, and must be contained in a single file (bundle).
- Click Update.
Once you have added an X.509 authenticator, the next step is to enable X.509 authentication.
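The three user-matching choices above (Strict DN Match, the default final-CN match, and Custom User Prefix Match) decide which LDAP entry a presented client certificate maps to. The following Python script is an added illustration of that difference; it is not Address Manager code. The sample directory, the `uid`/`cn` attribute names, the exact LDAP filter shapes and the reading of "final CN" as the leaf-most CN of the Subject DN are all assumptions made for the example. It also shows why the CN taken from a certificate should be escaped before it is placed in an LDAP filter, and why a cert with the same CN under a different OU matches only when Strict DN Match is off.

```python
"""Illustration of X.509 -> LDAP user matching modes (added example, not
Address Manager code). Directory contents, attribute names, filter shapes and
the leaf-most reading of "final CN" are assumptions for this illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample LDAP directory: entry DN -> selected attributes.
SAMPLE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=alice,OU=NetOps,O=Example Corp": {"cn": "alice", "uid": "a.smith"},
    "CN=bob,OU=NetOps,O=Example Corp": {"cn": "bob", "uid": "b.jones"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs, leaf RDN first.
    Backslash-escaped commas inside a value ('CN=Smith\\, Jane') stay in it."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form used for whole-DN comparison (Strict DN Match)."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn))


def final_cn(dn: str) -> Optional[str]:
    """The 'final' CN of the Subject DN. Assumption: the leaf-most CN, i.e.
    the first CN in RFC 4514 string order."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping. The CN comes from a client certificate, so treat it
    as untrusted input before it is interpolated into an LDAP filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(subject_dn: str, strict_dn_match: bool = False,
                 custom_user_prefix: Optional[str] = None) -> Optional[str]:
    """LDAP search filter for the CN-based modes; None for Strict DN Match,
    which compares the whole DN instead of searching by attribute."""
    if strict_dn_match and custom_user_prefix:
        raise ValueError("Strict DN Match and Custom User Prefix Match are mutually exclusive")
    if strict_dn_match:
        return None
    cn = final_cn(subject_dn)
    if cn is None:
        raise ValueError("client certificate Subject DN has no CN")
    attr = custom_user_prefix or "cn"  # assumed default attribute name
    return f"({attr}={ldap_escape(cn)})"


def match_user(subject_dn: str, directory: Dict[str, Dict[str, str]],
               strict_dn_match: bool = False,
               custom_user_prefix: Optional[str] = None) -> Optional[str]:
    """Return the DN of the directory entry the certificate maps to, or None."""
    if strict_dn_match and custom_user_prefix:
        raise ValueError("Strict DN Match and Custom User Prefix Match are mutually exclusive")
    if strict_dn_match:
        wanted = normalize_dn(subject_dn)
        for entry_dn in directory:
            if normalize_dn(entry_dn) == wanted:
                return entry_dn
        return None
    cn = final_cn(subject_dn)
    if cn is None:
        return None
    attr = custom_user_prefix or "cn"
    hits = [dn for dn, attrs in directory.items() if attrs.get(attr) == cn]
    # Refuse ambiguous matches instead of silently picking one entry.
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    cert = "CN=alice,OU=Contractors,O=Other Org"  # constructed client cert subject
    print("default (final CN):", match_user(cert, SAMPLE_DIRECTORY))
    print("strict DN:         ", match_user(cert, SAMPLE_DIRECTORY, strict_dn_match=True))
    print("filter:            ", build_filter("CN=a*b(c),O=Example Corp", custom_user_prefix="uid"))
```

Running the script shows the practical consequence of the checkbox: with the default final-CN match the constructed certificate for `alice` in another organisation maps to the `alice` entry, while Strict DN Match returns no match because the OU and O differ. Custom User Prefix Match keeps the CN lookup but targets the attribute named in the LDAP authenticator's User Prefix field (here assumed to be `uid`).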