Configuring KEMP WUI certificate based login LMOS 7.1.35


There are multiple steps to enable certificate login on a LoadMaster.

1 – Enable Session Management and disable Basic Authentication on LoadMaster 

2 – Ensure you have selected the correct Administrative Certificate for the WUI. Use a self-signed certificate if the LoadMaster will create the user certificate; use a DoD PKI issued SSL server certificate if the user certificate is a DoD CAC certificate.

3 – Ensure all issuing and associated root certificates are loaded on both LoadMaster and management workstation

4 – Log in to the LoadMaster under Session Management. Download the LoadMaster certificate.

5 – Create an account on LoadMaster without a password

6 – Either use LoadMaster to create a user certificate for this account or use the UPN off an externally issued certificate (e.g. 0123456789@mil from a DoD CAC certificate) to do step 3

7 – Import certificates and associated issuing CA into management workstation (If using DoD CAC, this has already been done)

8 – Set up the LoadMaster OCSP validation process (if using an external PKI for the user certificate, e.g. DoD CAC)

9 – When all the above is complete, enable LoadMaster WUI to use a certificate (Certificates & Checking / Remote Access menu – Admin Login Method option setting.)


Step 1  – Enable Session Management and disable Basic Authentication.

Step 2 – Ensure you have selected the correct Administrative Certificate for the WUI. Use a self-signed certificate if the LoadMaster will create the user certificate; use a DoD PKI issued SSL server certificate if the user certificate is a DoD CAC certificate.

 

Step 3 – Ensure all issuing and associated root certificates are loaded on both LoadMaster and management workstation

Step 4 – Download the LoadMaster Root CA. It is typical to get a certificate error the first time you connect to a LoadMaster, and our initial setup instructions direct you to ignore this error. To make the error go away after initial setup, use the Download Root Certificate option at the bottom left of the KEMP home page and save the file. Rename it to something easy to remember, such as CERT-LoadMaster.cer, then import it using Internet Explorer or certmgr.msc. This certificate needs to go into the Trusted Root Certification Authorities container on your workstation.

Step 5 – Create a user account without a password



Step 6 – Create the user certificate: select Modify for the account, assign its rights, click Generate, then click Download.

 

You will either download a file (if you entered a passphrase) or the certificate and private key will be displayed in the browser, as shown below.

Use a text editor to cut and paste the certificate section into a file named "filename.crt" and the private key section into a file named "filename.key".

 

Below is an example of the content for the filename.crt file:

-----BEGIN CERTIFICATE-----
MIIDtjCCAp4CBBJIJhgwDQYJKoZIhvcNAQELBQAwgaoxCzAJBgNVBAYTAlVTMREw
DwYDVQQIDAhOZXcgWW9yazERMA8GA1UEBwwITmV3IFlvcmsxGjAYBgNVBAoMEUtF
TVAgVGVjaG5vbG9naWVzMRAwDgYDVQQLDAdTdXBwb3J0MSswKQYJKoZIhvcNAQkB
FhxzdXBwb3J0QGtlbXB0ZWNobm9sb2dpZXMuY29tMRowGAYDVQQDDBFLRU1QIFRl
Y2hub2xvZ2llczAeFw0xNjA2MDkwOTQ5MTFaFw0zMDAyMTYwOTQ5MTFaMIGTMQsw
CQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxGjAYBgNVBAoMEUtFTVAgVGVj
aG5vbG9naWVzMRAwDgYDVQQLDAdTdXBwb3J0MRYwFAYDVQQDDA10ZXN0QEtFTVBU
RUNIMSswKQYJKoZIhvcNAQkBFhxzdXBwb3J0QGtlbXB0ZWNobm9sb2dpZXMuY29t
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqN1aRcnN8tpKRjyuxGxK
lXw3il/yG2esgZ3tacaVOq4aVzNipO3cusQEguYuaSwiZ8WJ4T6uuiTGoSpxuDMv
AbfbYldPuSSMQT0Vn0QX5JVZIYTdH42Irvrdkr+YJKDO+sv80RgmfT2MFn2XykcP
3C/Dokswa+52Y2Bk1taFWMsNouNYex+sLnwLtypRlZvws0osyVr0bfZgPxOOMFaX
CLPzKNGQ5bNRQTk01YXsTj4sN0ZI1nEBdVtGJKlhg6sbolEW74z1PhTO8lFCB4a6
x4vHVXiePThDwCwA28Y/gbgM22Lr8ik3BT+Sbx3u1zh4GZwsfUHz+E6mH318D78T
IwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBk8RUoHtInEIHH4vCmCUB6PG+YnR30
ihuHY2mzVKRQr9OnUkMdfYqO/yLFVBUaneAyiYMJ8z7JwBTaKgesKp0m1ESUuFQK
sgYh/aOzGDxEpr7yYx81Z5yoxzAN/7vDoBrURwyu2mUCkzd+5IhvPpbgMYJ5XFGA
2s3voWqnCJg9XtCqVIxDfHPfs5h/02lPsm9FmNy14TMSKadalsy6SShmn5tAZUgC
jenm7scLE2liH+Rxod9y9f1VviECLECzGemGKgpnffEheC9oFNg9eWuVjRokR/hs
yLFeChOlRkGJZH0OQC4J6WxWPR8hnFyQosa7pkVYsbaB1ErcdcwqMgBf
-----END CERTIFICATE-----

 

Below is an example of the content of the filename.key file:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqN1aRcnN8tpKRjyuxGxKlXw3il/yG2esgZ3tacaVOq4aVzNi
pO3cusQEguYuaSwiZ8WJ4T6uuiTGoSpxuDMvAbfbYldPuSSMQT0Vn0QX5JVZIYTd
H42Irvrdkr+YJKDO+sv80RgmfT2MFn2XykcP3C/Dokswa+52Y2Bk1taFWMsNouNY
ex+sLnwLtypRlZvws0osyVr0bfZgPxOOMFaXCLPzKNGQ5bNRQTk01YXsTj4sN0ZI
1nEBdVtGJKlhg6sbolEW74z1PhTO8lFCB4a6x4vHVXiePThDwCwA28Y/gbgM22Lr
8ik3BT+Sbx3u1zh4GZwsfUHz+E6mH318D78TIwIDAQABAoIBAEJUiJQnPAWr50cF
qSSw4O8tFuf83i4ToDhd35cQESg2oVQldBcS9ARM4PTGE+7uDimy94EJzTqDHZ7K
/FZ9jHZhUQSlBUTVbV5m7ypbZgM9AwDenrk5MDqDgiuVpN6maActv4YmtV+2oGNp
PAmRtlIoVPFYFZIf3lMU1ydopoKExKRwDi/fnt7jXsPksR343Re24LRepq3og4ef
ggsAKp/cuwx0m8PyqjwQaXttu/RaJZh7REO9l0ixI6OzuY1qUn8GZ7h+wn8Kpj7j
CCzJKWuwMZ4IT8YgfohlLYx958gQpgucbnQ4VB77aNs1baYpIKjrniOTP3vagNjO
Xf+WH9kCgYEA26/1H60eJZqdMI2gocRqarIGnJEJjzVntYUvPVrivluKIftsxpEi
scAYCjQ13czCMWG3hfnzTXyOmRMWErG2Ll5go7k8KBsWf8sDJ7Om7c5G5WQrx2UZ
OEtCI0+s50mY5k/3Lj9HeyH6piqKCGwaV/0JW+XGV84lrx04NxGgCM0CgYEAxMbX
AV13bf1omaK57+mY6k8R0SosZEAxVXiTilFO/vjjBgAZo1AOSg3vwc6oQpgOpB9O
nK85rscutITEsINWUE8EsxEE58UYsGAGhaZj0jdGzIAGC+7r1Y8SAHSgJhwDrtIf
BNhGawlKofTwkuYpn31XFn1GfwGtIS4iKFfZS68CgYEApBUfO0J9Es8RerM9d7WR
WhGPuJ7niev0gvJv3x6j3lPWrxzwGLtMM4DrM6vdU8Vcga+feFTA8W4Hv7MuuFW9
YZKiEYcHtFjPDDHgMGYRVurLrweLX0lWdeJYCrG2zaT9q3+segFPbVtqr3N0V2gO
oQtgUyAibXCOWuWzGAZ1Bj0CgYABWFqf58OpPNI6OqKKwU4KTAATLfafuNCdhPV9
PJENrSXgJKAIPcPbPb0l1gPQcLmo5Y3kBE6gozvuf/nYOw2b/u5JSxR9gRtqGT3y
K/ECvt39B+MCsd9q1k+JMULm/8oGp+kOX2wbzzRzZvk+B9TBAlpWDQUuWRSV5XrW
S8NwgQKBgG/2iblv9fF7prRLK6dz00JehlUIol5JZTVCq+X1mbRAeXwAuuwIaqTT
16YqvdHXpF2G9UhgOx/ngJ/cnOXokLFk64+XeW0Qbabli/bGfmgn6TcGFCHhbXQU
gxy56r/ba9MC7O5EG0ZlUg+0rZC1+xf7a0yxYS+hAa27+Fvp0YhY
-----END RSA PRIVATE KEY-----

 

There is a nice web site that can quickly convert these files to a .pfx file.

https://www.sslshopper.com/ssl-converter.html


Step 7 – Import the user certificate (.pfx format) into the management workstation using Internet Explorer or the certmgr.msc utility. This certificate should go into your Personal (user) certificate container. Remember that Firefox does not use the Windows certificate store, so if you are going to use Firefox to manage your KEMP appliance, you will need to import the .pfx file through the Firefox settings instead.

Step 8 – Set up the LoadMaster OCSP validation process (if using an external PKI for the user certificate, e.g. DoD CAC)

Step 9 – When all the above is complete, enable LoadMaster WUI to use a certificate (Certificates & Checking / Remote Access menu – Admin Login Method option setting.)

You can also combine these two files using OpenSSL; instructions follow.

 

To get OpenSSL you can either install and configure a Windows binary of OpenSSL, or install a Unix shell for Windows (.babun is the one recommended in this document).

Once you have installed .babun, you should be able to use Windows File Explorer to navigate to the folder you downloaded the KEMP user cert to, use right click, and start .babun. (Open Babun here).

The openssl command to combine the .crt and .key files is below. Substitute the actual filenames you used to create the .crt and .key files and run this command.

openssl pkcs12 -export -out filename.pfx -inkey filename.key -in filename.crt

You will be prompted twice for a password to protect the .pfx file.

You can use the additional argument "-certfile more.crt" to append additional .crt files to the .pfx file you are creating. This is commonly done because Windows can then import the whole certificate chain (issuing CA and root CA), not just the individual certificate, in one step.

Once you have created the filename.pfx you can import it into Windows (and FireFox).

To load the .pfx in Windows, simply double click on the filename.pfx and enter the password. Use the defaults for any prompts generated by the Windows certificate import utility.
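The following script is an added example, not KEMP's own tooling: it performs Step 6 (splitting the text pasted from the LoadMaster "Download" screen into the .crt and .key files) and the OpenSSL PKCS#12 packaging above in one go, and adds the check a practitioner wants before importing anything, namely that the private key actually belongs to the certificate. It assumes OpenSSL on the PATH (babun/Cygwin or any Linux shell); the file names pasted.txt, user.crt, user.key and user.pfx are illustrative, and the password is supplied with -passout instead of the two interactive prompts. The sample certificate it generates is a constructed stand-in for the one the LoadMaster issues.

```shell
#!/bin/sh
# Added example, not KEMP's own code. Assumes OpenSSL on PATH.
# File names below are illustrative; substitute the ones you used.
set -eu

# Split the text pasted from the LoadMaster "Download" screen into the .crt
# and .key files Step 6 asks for. Anything outside the two PEM blocks
# (page text, stray whitespace) is dropped. The key is the login credential,
# so the file is made unreadable to other users.
split_pem_bundle() {
  in="$1"; base="$2"
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$in" > "$base.crt"
  sed -n '/-----BEGIN [A-Z ]*PRIVATE KEY-----/,/-----END [A-Z ]*PRIVATE KEY-----/p' "$in" > "$base.key"
  chmod 600 "$base.key"
}

# Return 0 only if the private key belongs to the certificate: compare the
# SubjectPublicKeyInfo embedded in the cert with the one derived from the key.
# A mismatched pair packages fine but can never authenticate to the WUI.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Build the .pfx. An optional fifth argument appends a chain file (issuing CA
# and root CA), which is what "-certfile more.crt" does in the text above.
make_pfx() {
  crt="$1"; key="$2"; out="$3"; pass="$4"; chain="${5:-}"
  key_matches_cert "$crt" "$key" || { echo "private key does not match certificate" >&2; return 1; }
  if [ -n "$chain" ]; then
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" -certfile "$chain" -passout "pass:$pass"
  else
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" -passout "pass:$pass"
  fi
}

# Read the subject back out of the .pfx as a final sanity check; the CN (or
# UPN for a CAC certificate) is what the LoadMaster maps to the local account.
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Constructed sample: a throwaway self-signed certificate standing in for the
# one the LoadMaster generates, written out as if pasted from the WUI page.
# Prints the path of the pasted file.
make_sample_bundle() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test@KEMPTECH" \
    -keyout "$dir/sample.key" -out "$dir/sample.crt" >/dev/null 2>&1
  { echo "Copy the text below into a file"; cat "$dir/sample.crt" "$dir/sample.key"; } > "$dir/pasted.txt"
  echo "$dir/pasted.txt"
}

# End-to-end run on the constructed sample: split, verify, package, read back.
demo() {
  dir=$(mktemp -d)
  bundle=$(make_sample_bundle "$dir")
  split_pem_bundle "$bundle" "$dir/user"
  make_pfx "$dir/user.crt" "$dir/user.key" "$dir/user.pfx" "changeit"
  pfx_subject "$dir/user.pfx" "changeit"
}
```

Run `demo` to see the subject of the packaged certificate printed; for a real LoadMaster certificate, call `split_pem_bundle pasted.txt user` followed by `make_pfx user.crt user.key user.pfx 'your-password' chain.crt` and import user.pfx as in Step 7. The key-match check is the step most worth keeping: a wrong key file is the usual reason a freshly imported certificate is never offered by the browser or is rejected by the WUI.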
