Hi,
I have a certificate, listed in the login screen of NetXMS.
How must I set up the user account to log in using this certificate?
The CA certificate has already been added to the "Certificates".
Thanks
Hi!
You should go to the properties of the user account and set the authentication method to "Certificate". Then, you should select the certificate mapping method - either "Subject" or "Public key" - and enter the appropriate information into the "certificate mapping data" field. I usually use "subject" mapping. You can use openssl to read the certificate's subject:
C:\Source\NetXMS-1.0.x>openssl x509 -subject -in victor.crt
subject= /C=LV/ST=Riga/L=Riga/O=Raden Solutions/CN=victor/emailAddress=email@domain
-----snip-----
or any other tool.
Best regards,
Victor
Thanks, it works.
But it seems to me not to be very secure?
I think everybody can import the publicly available certificate and so is able to log in.
No, it's secure. The login process using a certificate is as follows:
1. Server sends a random challenge to the client
2. Client signs the server's challenge with his certificate's private key and sends the signed challenge along with the public part of the certificate to the server
3. Server validates the certificate using the CA certificate
4. If the certificate is valid, server validates the challenge signature using the certificate's public key
5. If the signature is valid, server compares the certificate subject with the mapping data from the user record
6. If the mapping data matches the certificate subject, access is granted
So, to log in successfully, the user must possess a valid certificate with its private key. Having just the public part of the certificate is not enough. Authentication by certificate also allows smart card login - you just need to store the certificate used for login on a smart card instead of the local certificate store.
Best regards,
Victor
Thanks :)
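
The six login steps listed above, reproduced with the openssl CLI as an added example (this is not NetXMS code and not part of the original thread). The throwaway CA, the subjects, the file names, the function names and the return codes are all constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: login steps 1-6 with the openssl CLI. All names are constructed.

demo_setup() {      # throwaway CA plus one user certificate in directory $1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/C=LV/O=Demo/CN=victor" \
    -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/user.crt" 2>/dev/null
}

subject_of() {      # certificate subject as one string (the "mapping data")
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

client_sign() {     # step 2: args = private key, challenge file, signature output
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Steps 3-6. Returns 0 = access granted, 1 = certificate not issued by the CA,
# 2 = bad challenge signature, 3 = subject does not match the user record.
server_verify() {   # args: CA cert, presented cert, challenge, signature, mapping data
  local pub rc=0
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  pub=$(mktemp)
  openssl x509 -in "$2" -noout -pubkey > "$pub"
  openssl dgst -sha256 -verify "$pub" -signature "$4" "$3" >/dev/null 2>&1 || rc=2
  rm -f "$pub"
  [ "$rc" -eq 0 ] || return "$rc"
  [ "$(subject_of "$2")" = "$5" ] || return 3
}

run_demo() {
  local d mapped; d=$(mktemp -d); demo_setup "$d"
  mapped=$(subject_of "$d/user.crt")            # what the admin stores in the user record
  openssl rand -out "$d/chal" 32                # step 1: fresh random challenge per login
  client_sign "$d/user.key" "$d/chal" "$d/sig"
  server_verify "$d/ca.crt" "$d/user.crt" "$d/chal" "$d/sig" "$mapped" \
    && echo "certificate + its private key: granted" || echo "denied (rc=$?)"
  # Someone holding only the public certificate has to sign with some other key.
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  client_sign "$d/other.key" "$d/chal" "$d/badsig"
  server_verify "$d/ca.crt" "$d/user.crt" "$d/chal" "$d/badsig" "$mapped" \
    && echo "granted" || echo "certificate without its private key: denied (rc=$?)"
  rm -rf "$d"
}

run_demo
```

The second attempt fails at step 4: the certificate itself is valid, but the signature over the challenge does not verify against the public key it contains.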