Skip past navigation linksSecure Global Desktop Administration Guide > Users and authentication > Can I use PKI client certificates with web server authentication?

Can I use PKI client certificates with web server authentication?

Yes. You can strengthen the security of web server authentication by allowing a user to be authenticated if they have valid Public Key Infrastructure (PKI) certificate installed on the client device.

Secure Global Desktop web server authentication relies on the web server setting the REMOTE_USER variable to identify the user. However, when users are authenticated using client certificates this variable is not set. The following configuration allows you to export the SSL_CLIENT_S_DN_CN variable (which is specific to Apache web servers) to the REMOTE_USER variable. If your web server sets a different variable when using client certificates, see how you can use other web authentication schemes with Secure Global Desktop.

To enable client certificates, configure each member of the array as follows:

  1. On the web server, configure web authentication so that to access the /tarantella/cgi-bin/secure/ directory (classic webtop) or the /sgd URL (browser-based webtop) you need a client certificate. How you do this depends on your web server. The Secure Global Desktop Web Server includes the Apache mod_ssl module.
  2. Test that the web server authenticates users who have client certificates.
  3. For the classic webtop, enable support for client certificates by running the following command:
    Skip past command syntax or program codetarantella config edit --tarantella-config-server-cgibin-bootscript secure/ttaauthclientcert.cgi
  4. For the browser-based webtop, configure the web server to export the SSL_CLIENT_S_DN_CN variable so that the Tomcat component of the Secure Global Desktop Web Server can access them. To do this for Apache component of the Secure Global Desktop Web Server:
    1. Edit the /opt/tarantella/webserver/apache/version/conf/httpd.conf file.
    2. Uncomment out the line:
      JkEnvVar SSL_CLIENT_S_DN_CN " "
    3. Uncomment out the lines:
      <Location "/sgd">
      SSLOptions +StdEnvVars +ExportCertData
      </Location>
  5. Restart the Secure Global Desktop Web Server and the Secure Global Desktop server.

When this configuration is complete, enable web server authentication in Array Manager.

Related topics