PIV Smart Card Support

This article relates to LoadMaster firmware version 7.2.53.

In LoadMaster firmware version 7.2.53, support was added for Personal Identity Verification (PIV) smart card authentication. PIV guidance is to match certificate fields to "altsecurityidentities" in the Active Directory (AD). Support has been added for both Single Sign On (SSO) and Web User Interface (WUI) authentication.

SSO PIV Support

Additional configuration options have been added to the modify SSO screen for SSO domains with the Authentication Protocol set to Certificates. Prior to LoadMaster firmware version 7.2.53, there was a check box called Check Certificate to User Mapping. As of version 7.2.53, this check box has changed to a drop-down list called Select Certificate to User Mapping with the following values:

  • User Principal Name (default value)

  • Subject

  • Issuer and Subject

  • Issuer and Serial Number

WUI Authentication PIV Support

An additional configuration option called Select Certificate to User Mapping has been added to the Certificates & Security > Remote Access > WUI Authorization Options screen.

This field has the following values:

  • User Principal Name (default value)

  • Subject

  • Issuer and Subject

  • Issuer and Serial Number

Some configuration caveats are below:

  • Session Management must be enabled (Certificates & Security > Admin WUI Access) to see the WUI Authorization Options button.

  • The Admin Login Method in Certificates & Security > Remote Access must be set to a Client certificate method to see the new Select Certificate to User Mapping drop-down list.

  • The Pre-Auth Click Through Banner must be set in Certificates & Security > Admin WUI Access before you can select a Client certificate method as the Admin Login Method in Certificates & Security > Remote Access.

  • After a certificate is revoked, the certificate fails authentication. However, it sometimes remains in the cache; to make it fail immediately, use the Flush OCSPD Cache option in System Configuration > System Administration > Logging Options > Debug Options.

  • If the LDAP query returns more than one match, the login fails.

  • If the Authority Information Access (AIA) extension is present in the certificate, the LoadMaster attempts to connect to the server given in the AIA. If this does not work, it tries to connect to the local server.

  • If the LoadMaster cannot get the status of the server configured in the certificate AIA, the LoadMaster does not fail back to the local server.

  • If the certificate cannot be validated because the server is unavailable, there is an option in Certificates & Security > OCSP Configuration called Allow Access on Server Failure where you can decide if you want to pass the authentication or not. Enabling this check box treats an OCSP server connection failure or timeout as if the OCSP server has returned a valid response. That is, the client certificate is treated as valid.
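The four mapping modes listed above decide which certificate fields are compared against the user's altSecurityIdentities (or UPN) in AD, and the caveat that more than one LDAP match fails the login is the check that keeps that lookup unambiguous. The following is an added example, not LoadMaster code: it builds the lookup value for each cert_asi mode using the Microsoft altSecurityIdentities string formats (X509:<S>, X509:<I>...<S>, X509:<I>...<SR>, with DNs in AD's reversed order and the serial number byte-reversed), builds an RFC 4515 escaped LDAP filter, and resolves the certificate against a constructed in-memory directory, refusing zero or multiple matches. That the LoadMaster uses exactly these string formats and treats the UPN mode as a userPrincipalName lookup is an assumption; the sample certificate and directory entries are constructed.

```python
"""Certificate-to-user mapping for the four LoadMaster cert_asi modes.

Added example, not LoadMaster code. Assumed (not stated on the page): the
mapping is resolved with the Microsoft altSecurityIdentities string formats
below, and mode 0 (UPN) is matched against userPrincipalName. The sample
certificate and directory are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# cert_asi values as listed on the page
CERT_ASI_MODES = {0: "User Principal Name", 1: "Subject",
                  2: "Issuer and Subject", 3: "Issuer and Serial Number"}

# RFC 4515 filter escaping: done per character so nothing is escaped twice
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


@dataclass(frozen=True)
class ClientCert:
    subject: str          # RFC 4514 order, e.g. "CN=Jane Doe,OU=Users,DC=corp,DC=example"
    issuer: str
    serial_hex: str       # big-endian hex as printed by openssl
    upn: Optional[str]    # SAN otherName UPN, None if the certificate has none


def reverse_dn(dn: str) -> str:
    """AD stores DNs inside altSecurityIdentities in reversed (DC-first) order."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]   # keep escaped commas intact
    return ",".join(reversed(parts))


def reverse_serial(serial_hex: str) -> str:
    """The <SR> tag carries the serial number with its byte order reversed."""
    s = serial_hex.lower()
    if len(s) % 2:
        s = "0" + s
    octets = [s[i:i + 2] for i in range(0, len(s), 2)]
    return "".join(reversed(octets))


def ldap_escape(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def lookup_key(cert: ClientCert, mode: int):
    """Return (attribute, value) that the given cert_asi mode looks up in AD."""
    if mode == 0:
        if not cert.upn:
            raise ValueError("certificate carries no UPN in its SAN")
        return "userPrincipalName", cert.upn
    if mode == 1:
        return "altSecurityIdentities", f"X509:<S>{reverse_dn(cert.subject)}"
    if mode == 2:
        return "altSecurityIdentities", (f"X509:<I>{reverse_dn(cert.issuer)}"
                                         f"<S>{reverse_dn(cert.subject)}")
    if mode == 3:
        return "altSecurityIdentities", (f"X509:<I>{reverse_dn(cert.issuer)}"
                                         f"<SR>{reverse_serial(cert.serial_hex)}")
    raise ValueError(f"unknown cert_asi value {mode}")


def ldap_filter(cert: ClientCert, mode: int) -> str:
    attr, value = lookup_key(cert, mode)
    return f"({attr}={ldap_escape(value)})"


def _values(entry: dict, attr: str):
    v = entry.get(attr, [])
    return [v] if isinstance(v, str) else v


def resolve_user(cert: ClientCert, mode: int, directory) -> str:
    """Apply the page's rule: exactly one directory match, otherwise the login fails."""
    attr, value = lookup_key(cert, mode)
    matches = [e for e in directory
               if any(value.casefold() == v.casefold() for v in _values(e, attr))]
    if len(matches) != 1:
        raise PermissionError(f"login failed: {len(matches)} entries match {attr}")
    return matches[0]["sAMAccountName"]


# Constructed sample data: two accounts share one Issuer+Subject mapping (ambiguous),
# and only jdoe carries an Issuer+Serial mapping.
ISSUER_REV = "DC=example,DC=corp,CN=Corp Issuing CA"
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
     "altSecurityIdentities": [f"X509:<I>{ISSUER_REV}<S>DC=example,DC=corp,OU=Users,CN=Jane Doe",
                               f"X509:<I>{ISSUER_REV}<SR>cd23ab01"]},
    {"sAMAccountName": "jdoe-adm", "userPrincipalName": "jdoe-adm@corp.example",
     "altSecurityIdentities": [f"X509:<I>{ISSUER_REV}<S>DC=example,DC=corp,OU=Users,CN=Jane Doe"]},
]
SAMPLE_CERT = ClientCert(subject="CN=Jane Doe,OU=Users,DC=corp,DC=example",
                         issuer="CN=Corp Issuing CA,DC=corp,DC=example",
                         serial_hex="01AB23CD", upn="jdoe@corp.example")

if __name__ == "__main__":
    for mode, name in CERT_ASI_MODES.items():
        try:
            print(f"{mode} {name}: {ldap_filter(SAMPLE_CERT, mode)} -> "
                  f"{resolve_user(SAMPLE_CERT, mode, SAMPLE_DIRECTORY)}")
        except PermissionError as exc:
            print(f"{mode} {name}: {exc}")
```

Running it shows the practical difference between the modes: mode 0 and mode 3 resolve to jdoe, mode 1 finds no entry (nobody has a Subject-only mapping), and mode 2 is refused because two accounts carry the same Issuer+Subject mapping, which is the multiple-match condition the caveat above describes.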

RESTful Application Programming Interface (API) Details

To set the value of the cert_asi API parameter (which corresponds to the Select Certificate to User Mapping field in the Manage Domain screen in the WUI), run the moddomain command. For example:

/access/moddomain?domain=<DomainName>&cert_asi=<0/1/2/3>

Valid values for the cert_asi parameter are as follows:

  • 0 - User Principal Name

  • 1 - Subject

  • 2 - Issuer and Subject

  • 3 - Issuer and Serial Number

The wuicertmapping API parameter (which corresponds to the Select Certificate to User Mapping field in the WUI Authentication and Authorization screen in the WUI) can be retrieved or configured using the get and set commands. For example:

/access/set?param=wuicertmapping&value=<0/1/2/3>

Valid values for the wuicertmapping parameter are as follows:

  • 0 - User Principal Name

  • 1 - Subject

  • 2 - Issuer and Subject

  • 3 - Issuer and Serial Number
