Configure Certificate User Authentication
By default, users log on to the Transfer Client with a user name and password. You can also configure authentication using X.509 certificates, for example using a Common Access Card (CAC).
Note: When enabled, certificate authentication applies to all users; it is not possible to configure password authentication for some users and certificate authentication for others.
Before you begin
- PKI Services Manager must be installed, configured, and running, with mapping rules that return a single allowed user for any valid certificate. See Set Up PKI Services Manager.
You can install and configure PKI Services Manager on multiple systems to ensure availability of certificate authentication services. When you add multiple servers to the PKI Servers list, Gateway Administrator contacts the first available server on the list. The reply from this PKI Server (valid or not valid) is used, and no other servers on the list are contacted. All PKI servers must have identical trust anchors, configuration settings, and mapping files to ensure that each of your PKI Services Manager servers returns the same validation for all certificates.
- Confirm the host name or IP address of the PKI server, and the listening port used by this server (18081 is the default).
- Client workstations must be configured to present certificates for user authentication. This can be done using smart cards or by adding certificates to the browser's personal certificate store.
Configure GatewayAdministrator to contact your PKI Services Manager
- Log on to Gateway Administrator using an account in the Administrators group (or any account that has the System setup role enabled).
- On the System tab, click PKI Servers.
- Click New.
- For PKI Server, specify the name or IP address of the system running PKI Services Manager.
- Click Retrieve Public Key.
If the server is running and available, GatewayAdministrator retrieves the public key and displays it. (This key should match the key displayed in the PKI Services Manager console when you go to Utility > View Public Key.)
- Click Test Connection. If GatewayAdministrator can successfully contact PKI Services Manager, you will see a message saying the connection is successful.
- Click Save. This step is required; verifying the connection does not save the configuration.
You will be returned to the PKI Servers tab with your added server visible in the list.
Enable Certificate authentication
- From the Gateway Administrator System tab, click Authentication.
- Select Client X.509 certificate authentication.
- Click Save.
After these changes, subsequent user logins to the Transfer Client will not display a user name and password prompt. If a user certificate is available on the client system, Gateway Administrator will send the certificate to PKI Services Manager for validation. If the certificate is valid, PKI Services Manager will use the preconfigured identity mapping to return the name of the user who is authorized to authenticate with the presented certificate.