Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


By Digi-Sign
Created Apr 22 2010 - 14:11

Server Configuration

Step 2 - Configuring Digi-Access™ on the Server

The instructions below are for the two most popular servers (i.e. IIS and Apache). If you are using different web server software, use the online contact form for Support [1] and they will supply the instructions for your server.

Allow 30 Minutes

Enabling Digi-Access™ client certificates for two factor authentication will take you 30 minutes (or less). Configure your server by following these simple steps:

Apache

For full detailed instructions and explanations, read the Apache Support [2] pages.

1. Download and save this certificate bundle:

CA Bundle for Digi-Access™ [4]

2. Open the httpd.conf file for editing and locate the Virtual Host section for your SSL secured site

3. Add the following directive line into your site/directory configuration section:

SSLOptions +StdEnvVars +ExportCertData

Once StdEnvVars is enabled, the standard set of SSL-related CGI/SSI environment variables is created. These variables are not exported by default, for performance reasons, and we do not recommend changing this unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support [2] page.

4. Add the following directive line into your site/directory configuration section:

SSLVerifyClient require

This directive sets the certificate verification level for client certificate authentication. It can be used in both a per-server and a per-directory context. In the per-server context, client authentication is performed during the standard SSL handshake when the connection is established. In the per-directory context, it forces an SSL renegotiation with the reconfigured client verification level after the HTTP request has been read but before the HTTP response is sent. We recommend that you use the 'require' value unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support [2] page.

5. Add the following directive line into your site/directory configuration section:

SSLVerifyDepth 10

This directive sets the verification depth to 10. This means that the client certificate has to be signed by a CA that is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath). We recommend that you use the '10' value unless you are an experienced Apache Administrator.

You can also add the following directive to enable a customised authentication rule, if you choose the Apache web server itself as the authentication layer:

SSLRequire

This directive specifies a general access requirement that has to be fulfilled in order to allow access. It is a very powerful directive because the requirement specification is an arbitrarily complex Boolean expression containing any number of access checks. We do not recommend using it unless you are an experienced Apache Administrator. For further details and instructions, refer to the Apache Support [2] page.

Note:- If you are implementing a CGI application with Digi-Access™ some Apache versions may require the following directive to be present:

   SetEnvIf User-Agent ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0

For further details and instructions, refer to the Apache Support [2] page.

6. Save your httpd.conf file

7. Restart Apache
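Steps 1 to 5 and the optional SSLRequire rule, assembled into one working virtual host as an added example (this is not configuration from the Digi-Sign page or from Digi-Sign). The server name, the certificate and key paths, the directory the step-1 bundle is read from and the SSLCACertificateFile line are assumptions: the page says to download the CA bundle but not where Apache should read it from, and without SSLCACertificateFile (or SSLCACertificatePath) pointing at that bundle Apache has no trust anchor and every client certificate fails verification. Two points from the Apache mod_ssl documentation are worth keeping in mind: SSLVerifyDepth is the maximum number of intermediate issuers Apache will follow between the client certificate and a CA in that bundle (so 10 accepts deep chains; which issuers are trusted is decided by the bundle, not by the depth), and on Apache 2.4 SSLRequire still works but is deprecated in favour of Require expr.

```apache
# Added example (not from the Digi-Sign page): an SSL virtual host that
# enforces Digi-Access client certificates. Assumed, not from the page:
# the server name, the certificate/key paths and /etc/ssl/digi-access/
# as the directory where the step-1 bundle (BundledCAXp.pem) was saved.
<VirtualHost *:443>
    ServerName   secure.example.com
    DocumentRoot /var/www/secure

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key

    # Step 1: trust anchor for client certificates. Only certificates that
    # chain to a CA in this bundle pass "SSLVerifyClient require".
    SSLCACertificateFile  /etc/ssl/digi-access/BundledCAXp.pem

    # Step 3: expose SSL_CLIENT_* variables (and the client PEM) to CGI/SSI.
    SSLOptions +StdEnvVars +ExportCertData

    # Step 4: a client certificate is mandatory; the handshake fails without one.
    SSLVerifyClient require

    # Step 5: follow at most 10 intermediate issuers when building the chain.
    SSLVerifyDepth 10

    # Optional SSLRequire rule (the Apache counterpart of the IIS many-to-one
    # mapping): the Subject must carry O = "Acme, Inc." and both RA-assigned
    # OU values. "dsacme" and "ds10003" are the page's example values;
    # replace them with the values from your RA Certificate Management Console.
    # SSL_CLIENT_S_DN is the whole Subject DN, so the OU checks work whether
    # the OUs are exported as one or as several separate variables.
    <Directory /var/www/secure>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Acme, Inc." \
               and %{SSL_CLIENT_S_DN}   =~ m/OU=dsacme/ \
               and %{SSL_CLIENT_S_DN}   =~ m/OU=ds10003/
    </Directory>

    # From the page's note: some CGI deployments need this for old
    # Internet Explorer versions.
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
```

After saving, run `apachectl configtest` before restarting; a syntax error in SSLRequire is reported there rather than at the first client request. A browser that presents no certificate is refused during the handshake (step 4), while a browser whose certificate chains to the bundle but lacks the OU values is refused at the directory level by the SSLRequire rule.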

IIS

For full detailed instructions and screenshots, read the IIS Support [3] pages.

1. Download and save these two certificates:

   Digi-Sign Root CA [5]

   Digi-Sign CA Digi-Access™ Xs [6]

2. On the server, click the Start button, select Run, type MMC and click the 'OK' button

3. You should now be in the Microsoft Management Console and should follow these steps:

  • Click File and select Add/Remove Snap-in

  • Select Add, select Certificates from the Add Standalone Snap-in box and click Add

  • Select Computer Account, then Local Computer and click Finish

  • Close the Add Standalone Snap-in box and click OK in the Add/Remove Snap-in

  • Return to the Microsoft Management Console

4. Now import the Digi-Access™ Root certificate, following these steps:

  • Right click the Trusted Root Certification Authorities, select All Tasks, and then select Import

  • After clicking Next > you should browse to the Digi-Sign Root CA [5]

  • Ensure that the Digi-Sign_Root_CA.cer certificate appears under Trusted Root Certification Authorities

  • Then click Next > and then Finish

5. Then import the Digi-Access™ intermediate certificate, as follows:

  • Right click the Intermediate Certification Authorities, select All Tasks, and then select Import

  • After clicking Next > you should browse to the Digi-Sign CA Digi-Access Xs [6]

  • Ensure that the Digi-Sign_CA_Digi-Access_Xs.cer appears under Intermediate Certification Authorities

  • Then click Next > and then Finish

  • Restart the IISAdmin service, or reboot the computer to complete the installation

6. Go to Windows Administrative Tools and open the properties window for the website that you have enabled SSL on. Open Directory Security by right-clicking the Directory Security tab, and then follow these steps:

  • Click Edit in the Anonymous access and authentication control section. The Authentication Methods window will appear

  • Make sure that all options (check boxes) in this section are disabled, including the Anonymous Access, Basic Authentication, Digest Authentication and Integrated Windows Authentication

  • Click OK to apply changes

  • Click Edit in Secure communications section and the Secure Communications window will appear

  • Ensure that both the 'Require secure channel (SSL)' option and the 'Require 128-bit encryption' option are enabled

  • Ensure that Require client certificates radio button is enabled

  • Then ensure that the 'Enable client certificate mapping' option is enabled and that the 'Enable certificate trust list' option is enabled

  • Under 'Current CTL', click New, followed by Next >, and the Certificate Trust List Wizard window will appear

  • Browse for the Digi-Sign_Root_CA.cer Certificate file and click Open, followed by Next>

  • In the Friendly Name field enter: Digi-Access

  • In the Description field enter: Digi-Access Two Factor Client Authentication

  • Click Next > and then Finish

  • You should now see your Certificate Trust List [CTL] on the Secure Communications window

  • Click OK and then OK again

7. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.

  • Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties

  • Click the Directory Security tab, and then under Secure communications, click Edit

  • Click to select the Enable client certificate mapping check box, and then click Edit

  • Click the Many-to-1 tab, and then click Add

  • In the General dialog box, type 'Digi-Access' as the name for the rule, and then click Next

  • In the Rules dialog box, click New

  • In the Edit Rule Element dialog box that appears, configure the settings that you want for the rule

    There are two fields from client certificates that can be used as criteria for many-to-one rules:

    * Issuer - This field specifies information about the Certification Authority [CA] that issued the Digi-Access™ certificate

    * Subject - This field specifies information about the entity to whom the Digi-Access™ certificate was issued

    Each of these fields can contain common LDAP subfields, for example:

    * CN = commonName (for example, "Bob Smith")
    * OU = organizationalUnitName (for example, "Sales")
    * OU = organizationalUnitName [7] (for example, "dsacme")
    * OU = organizationalUnitName [7] (for example, "ds10003")
    * O = organizationName (for example, "Acme, Inc.")
    * L = localityName (for example, "Dublin")
    * S = stateOrProvinceName (for example, "Dublin")
    * C = countryName (for example, "IE")

    To create a mapping, you create a rule based on a field/subfield pair for a specific value. For example, you could create a rule that matched the Subject's O subfield with 'Acme' to allow access to all clients with certificates that were issued for the Acme organization. This effectively eliminates client connections from any clients that are not part of the Acme organization.

    When finished creating the rule settings, click OK, and then click Next


    IMPORTANT NOTE:- In addition to the parameters you enter above, two additional rule sets will be generated by the Registration Authority [RA] that will be used to distribute [8] the end users' Digi-Access™ certificates. These two rule sets are based on Organizational Unit Name [OU] fields and will be 'silently' prepended to each Digi-Access™ Certificate issued by the Digi-Access™ CA.

    These OU field values distinguish end users as belonging to your specific user domain. You must obtain these values from the Digi-Access™ RA Certificate Management Console, where the two rule sets can be found in the Certificate Manager's 'Distinguished Name' policy configuration.

  • In the Mapping dialog box, click Accept this certificate for Logon Authentication, and then in the Account box type the name of, or click Browse to select, the Windows user account that you want to map. Type the password of the user account in the Password box.

  • Click OK three times, and then quit Internet Services Manager, or close the IIS snap-in
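The many-to-one rule logic described under step 7, as an added example in Python (this is not code from the page, from Digi-Sign or from IIS). It parses a certificate's Issuer and Subject distinguished names into field/subfield pairs and evaluates rule elements the way the text describes: every element of a rule must match, and a subfield that occurs more than once (the two OUs) matches on any of its values. The distinguished names and the issuer name are constructed sample data; "dsacme" and "ds10003" are the page's example OU values. The point it shows is the one made in the IMPORTANT NOTE: a rule on the Subject O subfield alone also admits a certificate from a different user domain that happens to carry the same organization name, while adding the two RA-assigned OU elements rejects it.

```python
"""Added example (not from the Digi-Sign page): evaluating IIS-style
many-to-one client certificate mapping rules against a certificate's
Issuer and Subject distinguished names. All DNs below are constructed."""
from typing import Dict, List, Optional, Tuple

# A rule element is (field, subfield, expected value); a rule is a list of
# elements that must ALL match, as in the Edit Rule Element dialog.
RuleElement = Tuple[str, str, str]

# IIS labels stateOrProvinceName "S"; RFC 4514 DN strings use "ST".
ALIASES = {"S": "ST"}


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Parse 'CN=Bob Smith,OU=ds10003,OU=dsacme,O=Acme\\, Inc.,C=IE' into
    {type: [values]}. A backslash escapes the next character, so the comma
    in 'Acme, Inc.' stays inside the value; repeated types keep all values."""
    attrs: Dict[str, List[str]] = {}
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        attr_type = attr_type.strip().upper()
        attrs.setdefault(ALIASES.get(attr_type, attr_type), []).append(value.strip())
    return attrs


def load_cert(issuer_dn: str, subject_dn: str) -> Dict[str, Dict[str, List[str]]]:
    """The two certificate fields a many-to-one rule can inspect."""
    return {"Issuer": parse_dn(issuer_dn), "Subject": parse_dn(subject_dn)}


def rule_matches(cert: Dict[str, Dict[str, List[str]]], rule: List[RuleElement]) -> bool:
    """True only if every element matches. A subfield present several times
    (the two OUs) satisfies an element if any of its values is the expected one."""
    for field, subfield, expected in rule:
        subfield = subfield.upper()
        values = cert.get(field, {}).get(ALIASES.get(subfield, subfield), [])
        if expected not in values:
            return False
    return True


def map_to_account(cert: Dict[str, Dict[str, List[str]]],
                   rules_by_account: Dict[str, List[RuleElement]]) -> Optional[str]:
    """First account whose rule matches the certificate, else None."""
    for account, rule in rules_by_account.items():
        if rule_matches(cert, rule):
            return account
    return None


# Constructed sample certificates (the issuer name is made up, not Digi-Sign's).
ISSUER = "CN=Example Issuing CA,O=Example CA Ltd,C=IE"
ACME_USER = load_cert(ISSUER, r"CN=Bob Smith,OU=ds10003,OU=dsacme,O=Acme\, Inc.,L=Dublin,ST=Dublin,C=IE")
# Same organization name, but a different user domain (different RA OU values).
OTHER_USER = load_cert(ISSUER, r"CN=Eve Jones,OU=ds20001,OU=dsother,O=Acme\, Inc.,L=Cork,ST=Cork,C=IE")

# Rule on the Subject O subfield only, as in the page's 'Acme' example.
RULE_O_ONLY: List[RuleElement] = [("Subject", "O", "Acme, Inc.")]
# The same rule with the two RA-assigned OU elements added.
RULE_WITH_OU: List[RuleElement] = RULE_O_ONLY + [("Subject", "OU", "dsacme"),
                                                 ("Subject", "OU", "ds10003")]

if __name__ == "__main__":
    for name, cert in (("ACME_USER", ACME_USER), ("OTHER_USER", OTHER_USER)):
        print(name, "O-only rule:", rule_matches(cert, RULE_O_ONLY),
              "| with OU elements:", rule_matches(cert, RULE_WITH_OU))
```

Running the block shows both certificates passing the O-only rule and only ACME_USER passing the rule with the OU elements, which is why the two RA-generated OU values belong in the rule set rather than being left out.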

Your web server is now ready to start using Digi-Access™ client certificates for two factor authentication.

Follow the link below to learn how easily each user can get their Digi-Access™ certificate.

  • IIS Implementation Guide

Source URL: http://www2.digi-sign.com/digi-access/configure

Links:
[1] http://www2.digi-sign.com/contact
[2] http://www2.digi-sign.com/support/digi-access/apache
[3] http://www2.digi-sign.com/support/digi-access/iis
[4] http://www.digi-sign.com/downloads/certificates/digi-access/BundledCAXp.pem
[5] http://www.digi-sign.com/downloads/certificates/dsroot/Digi-Sign_Root_CA.cer
[6] http://www.digi-sign.com/downloads/certificates/digi-access/Digi-Sign_CA_Digi-Access_Xs.cer
[7] http://www2.digi-sign.com/digi-access/configure/ou
[8] http://www2.digi-sign.com/digi-access/distribute