Setting Up Client Certificate Verification
  • 07 Jan 2025

You can configure OneSpan Authentication Server to require a client certificate whenever a client attempts to establish a connection. Client certificate verification is currently supported for SOAP and SEAL clients. It is particularly useful for securing the connection between the Administration Web Interface and OneSpan Authentication Server when the former is installed on a remote host.

In this context, client certificate verification for the Administration Web Interface secures the connection between the Administration Web Interface remote host and OneSpan Authentication Server. In contrast, the Apache Tomcat TLS/SSL certificates created by OneSpan Authentication Server during installation are used to secure the browser connections to the Administration Web Interface (see Figure: Clients communicating with OneSpan Authentication Server via TLS/SSL-secured connections).

Figure: Clients communicating with OneSpan Authentication Server via TLS/SSL-secured connections

To set up client certificate verification for OneSpan Authentication Server clients, you need the following:

  • The client certificate.
  • The client certificate's private key file.
  • The certification authority (CA) certificate file (if the client certificate is self-signed, this is the same file as the client certificate).

The client certificate must be Base64 (PEM) encoded. Its private key file must meet the following requirements:

  • It must be unencrypted.
  • It must be in PKCS #8 format.
  • It must be DER-encoded.

admintool encrypts the private key with the keystore password you supply in the following procedure, so delete the unencrypted source file once the certificate is installed. The first step in setting up client certificate verification is installing the client certificate on the client machine:

To install a client certificate to be used for client certificate verification

  1. Copy the client certificate to the client machine.
  2. Open a Command Prompt window.
  3. Change to the Web Administration Service installation folder.
  4. Type the following command:

    admintool certificate add certificate_file private_key_file keystore_password

    where:

    • certificate_file is the location and file name of the client certificate.
    • private_key_file is the location and file name of the private key file for the client certificate.
    • keystore_password is the password to set for the private key file when encrypting it.
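The preparation steps above, as an added example that is not part of the OneSpan documentation or product: a POSIX shell script using OpenSSL that builds a throwaway CA and a CA-issued client certificate, converts the client key into unencrypted PKCS #8 DER, and runs the checks a practitioner would want before calling admintool (PEM certificate, correct key format, key matches certificate, certificate validates as a TLS client certificate against the CA file). The subject names, file names, validity period and the openssl invocations are this example's assumptions; only the admintool command line comes from the page.

```shell
#!/bin/sh
# Added example, not OneSpan's code: prepare and check client certificate
# material for "admintool certificate add". All file names, subject names
# and the 365-day validity are assumptions for the example.
set -eu

# Create a self-signed CA plus a client certificate it signs, in directory $1.
# ca.crt is the CA certificate file later copied to the Authentication Server;
# client.crt and the converted key are what the client host needs.
make_test_pki() {
    pki=$1
    # Own minimal config so the result does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\n' > "$pki/ca.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        >> "$pki/ca.cnf"
    # CA key and self-signed CA certificate (stderr hides key-generation noise).
    openssl req -x509 -config "$pki/ca.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Client CA" \
        -keyout "$pki/ca.key" -out "$pki/ca.crt" 2>/dev/null
    # Client key (PEM) and certificate request.
    openssl req -new -config "$pki/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=admin-web-host" \
        -keyout "$pki/client.key.pem" -out "$pki/client.csr" 2>/dev/null
    # Issue the client certificate: a TLS client leaf, explicitly not a CA.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$pki/client.ext"
    openssl x509 -req -days 365 -in "$pki/client.csr" \
        -CA "$pki/ca.crt" -CAkey "$pki/ca.key" -CAcreateserial \
        -extfile "$pki/client.ext" -out "$pki/client.crt" 2>/dev/null
}

# Convert a PEM private key ($1, PKCS #1 or PKCS #8) to unencrypted PKCS #8
# DER ($2). -nocrypt is deliberate: admintool expects the key unencrypted and
# applies its own keystore password afterwards.
to_unencrypted_pkcs8_der() {
    openssl pkcs8 -topk8 -nocrypt -inform PEM -in "$1" -outform DER -out "$2"
}

# True if $1 is a DER PrivateKeyInfo, i.e. unencrypted PKCS #8. Its first three
# ASN.1 elements are SEQUENCE, INTEGER (version), SEQUENCE (algorithm).
# Encrypted PKCS #8 has a SEQUENCE (PBES2 parameters) as its second element and
# a PKCS #1 RSA key has an INTEGER (modulus) as its third, so lines 2 and 3 of
# the asn1parse output tell the three apart. Non-DER input parses to nothing.
is_unencrypted_pkcs8_der() {
    openssl asn1parse -inform DER -in "$1" 2>/dev/null |
        awk 'NR == 2 && /prim: INTEGER/  { v = 1 }
             NR == 3 && /cons: SEQUENCE/ { a = 1 }
             END { exit !(v && a) }'
}

# Pre-flight checks on the material in $1 before running
# "admintool certificate add client.crt client.key.der <keystore_password>".
verify_client_material() {
    m=$1
    grep -q 'BEGIN CERTIFICATE' "$m/client.crt" || return 1      # Base64/PEM
    is_unencrypted_pkcs8_der "$m/client.key.der" || return 1      # key format
    openssl x509 -in "$m/client.crt" -pubkey -noout \
        > "$m/cert.pub" || return 1
    openssl pkey -inform DER -in "$m/client.key.der" -pubout \
        -out "$m/key.pub" || return 1
    cmp -s "$m/cert.pub" "$m/key.pub" || return 1                 # key matches cert
    # Cert chains to the CA file the server will use, and is usable as a TLS client cert.
    openssl verify -purpose sslclient -CAfile "$m/ca.crt" \
        "$m/client.crt" > /dev/null 2>&1
}

# Usage: sh prepare_client_cert.sh [workdir]   (a temp dir is used if omitted)
prepare_and_check() {
    work=${1:-$(mktemp -d)}
    make_test_pki "$work"
    to_unencrypted_pkcs8_der "$work/client.key.pem" "$work/client.key.der"
    if verify_client_material "$work"; then
        echo "OK: $work/client.crt and $work/client.key.der are ready for admintool;"
        echo "    copy $work/ca.crt to the Authentication Server host"
    else
        echo "FAILED: client material in $work does not meet the requirements" >&2
        return 1
    fi
}

prepare_and_check "${1:-}"
```

client.crt and client.key.der are the certificate_file and private_key_file arguments for admintool, and ca.crt is the CA certificate file for the server-side procedure. If the client key you were given is already passphrase-protected, add `-passin pass:...` (or `-passin file:...`) to the openssl pkcs8 call; the output must still be produced with -nocrypt.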

After installing the client certificate, configure OneSpan Authentication Server accordingly:

To configure OneSpan Authentication Server to use client certificate verification

  1. Copy the certification authority (CA) certificate file to the OneSpan Authentication Server machine.
  2. Open the Configuration Utility.
  3. Click Communicators.
  4. Switch to the appropriate communicator tab used by the client. For example, if you are setting up client certificate verification for the Administration Web Interface, then select the SOAP communicator.
  5. Configure the settings in the Client Certificate Verification section.

    • Select the security level (Optional, Required, or Required – Signed Address Only). Optional still accepts clients that present no certificate; choose one of the Required levels to enforce client authentication.
    • Browse to the CA certificate file copied in step 1 (for a self-signed client certificate, this is the client certificate itself).

    Select the Re-Verify on Re-Negotiation checkbox if you want the client certificate to be re-verified each time a connection is established. This option can incur a performance penalty, so enable it only when you need it.

    For SEAL clients, the Automatically trust certificates checkbox skips certificate verification altogether and accepts any certificate the client sends. With it selected, the server no longer authenticates the client, so the connection is potentially insecure.

  6. Click Apply, then click OK.
