Can I use PKI client certificates with web server authentication?
Yes. You can strengthen the security of web server authentication by allowing a user to be authenticated if they have a valid Public Key Infrastructure (PKI) certificate installed on the client device.
Secure Global Desktop web server authentication relies on the web server setting the REMOTE_USER variable to identify the user. However, when users are authenticated using client certificates, this variable is not set. The following configuration allows you to export the SSL_CLIENT_S_DN_CN variable (which is specific to Apache web servers) to the REMOTE_USER variable. If your web server sets a different variable when using client certificates, see how you can use other web authentication schemes with Secure Global Desktop.
To enable client certificates, configure each member of the array as follows:
/tarantella/cgi-bin/secure/ directory (classic webtop) or the /sgd URL (browser-based webtop) you need a client certificate. How you do this depends on your web server. The Secure Global Desktop Web Server includes the Apache mod_ssl module.
tarantella config edit --tarantella-config-server-cgibin-bootscript secure/ttaauthclientcert.cgi
SSL_CLIENT_S_DN_CN variable so that the Tomcat component of the Secure Global Desktop Web Server can access them. To do this for the Apache component of the Secure Global Desktop Web Server:
/opt/tarantella/webserver/apache/version/conf/httpd.conf file.
JkEnvVar SSL_CLIENT_S_DN_CN " "
<Location "/sgd">
SSLOptions +StdEnvVars +ExportCertData
</Location>
When this configuration is complete, enable web server authentication in Array Manager.
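Added example (not part of the original guide): one way to require a verified client certificate for the /sgd URL with mod_ssl, combined with the export settings shown above. The CA bundle path and the verification depth are assumptions; SSLCACertificateFile, SSLVerifyClient and SSLVerifyDepth are standard mod_ssl directives.

```apache
# Added example, not from the Administration Guide.
# Browser-based webtop (/sgd) only.

# CA certificates trusted to issue client certificates.
# Placeholder path (assumption). Keep this bundle limited to the CAs
# that issue your users' certificates: the certificate's Common Name
# becomes the user identity, so every CA listed here can assert any user.
SSLCACertificateFile "/path/to/client-ca-bundle.pem"

# From the guide: pass the certificate's Common Name through mod_jk
# to the Tomcat component. " " is the default value that is sent when
# the variable is not set.
JkEnvVar SSL_CLIENT_S_DN_CN " "

<Location "/sgd">
    # Refuse access unless the client presents a certificate that
    # verifies against the CA bundle above.
    SSLVerifyClient require

    # Maximum number of intermediate CAs accepted in the client chain.
    # The value 2 is an assumption; match it to your PKI hierarchy.
    SSLVerifyDepth 2

    # From the guide: export the SSL_CLIENT_* variables.
    SSLOptions +StdEnvVars +ExportCertData
</Location>

# Settings to avoid for this location:
#   SSLVerifyClient optional
#       Requests without a certificate are still served, and
#       SSL_CLIENT_S_DN_CN is then not set.
#   SSLVerifyClient optional_no_ca
#       A presented certificate does not have to verify against a
#       trusted CA, so its Common Name proves nothing.
```

After restarting the web server, a request to /sgd from a browser without an installed client certificate should fail before any webtop content is returned.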
Note: We recommend that you use the Sun Secure Global Desktop Security Pack to secure Secure Global Desktop-related connections. We also recommend a secure (HTTPS) web server.
Copyright © 1997-2005 Sun Microsystems, Inc. All rights reserved.