User Guide for the Cisco Application Networking Manager 5.2, OL-26572-01, page 11-31
Chapter 11: Configuring SSL

Enabling Client Authentication
During the flow of a normal SSL handshake, the SSL server sends its certificate to the client. The client then verifies the identity of the server through that certificate. However, the client does not send any identification of its own to the server. When you enable the client authentication feature on the ACE, the ACE requires that the client send a certificate to the server. The server then verifies the following information on the certificate:

• A recognized CA issued the certificate.
• The validity period of the certificate is still in effect.
• The certificate signature is valid and has not been tampered with.
• The CA has not revoked the certificate.
• At least one SSL certificate is available.
Use the following procedures to enable or disable client authentication:

• Configuring SSL Proxy Service, page 11-27
• Configuring SSL Authentication Groups, page 11-31
• Configuring CRLs for Client Authentication, page 11-33
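The checks listed above are the same ones an SSL server makes of any client certificate, so they can be reproduced outside the ACE. The following script is an added example, not part of the Cisco guide: it builds a throw-away CA with openssl (every name and value is constructed), issues a client certificate and a CRL, and then runs the server-side decision for a valid client, a client whose certificate comes from an issuer the server does not trust, and the same client after its certificate has been revoked.

```shell
# Added example, not from the Cisco guide: recreate the checks the ACE makes on a
# client certificate (trusted issuer, validity period, intact signature, not
# revoked) with a throw-away CA built from openssl. All names are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
# Demo CA, a 30-day client certificate it issued, and an initial (empty) CRL
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout ca.key -out ca.crt -subj "/CN=Demo Client CA" 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout client.key -out client.csr -subj "/CN=demo-client" 2>/dev/null
openssl x509 -req -sha256 -days 30 -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt 2>/dev/null
: > index.txt; echo 1000 > crlnumber
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# Same subject, but self-signed by an issuer the server was never told to trust
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout rogue.key -out rogue.crt -subj "/CN=demo-client" 2>/dev/null
# Server-side decision in one call: chain to trusted CA, validity period,
# signature check and CRL lookup. Exit status 0 means "accept this client".
check_client_cert() {
  openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check "$1" >/dev/null 2>&1
}
# Revoke the legitimate client and reissue the CRL the server consults
revoke_client_cert() {
  openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
ACCEPT_VALID=$(check_client_cert client.crt && echo yes || echo no)    # yes
ACCEPT_ROGUE=$(check_client_cert rogue.crt && echo yes || echo no)     # no
revoke_client_cert
ACCEPT_REVOKED=$(check_client_cert client.crt && echo yes || echo no)  # no
echo "valid=$ACCEPT_VALID rogue=$ACCEPT_ROGUE revoked=$ACCEPT_REVOKED"
```

The CRL step mirrors what the "Configuring CRLs for Client Authentication" procedure sets up on the ACE: without a current CRL, the revocation check cannot distinguish a revoked client from a valid one.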
Configuring SSL Authentication Groups
You can specify the certificate authentication groups that the ACE uses during the SSL handshake and enable client authentication on this SSL-proxy service. The ACE includes the certificates configured in the group along with the certificate that you specified for the SSL proxy service.

On the ACE, you can implement a group of certificates that are trusted as certificate signers by creating an authentication group. After creating the authentication group and assigning its certificates, you can assign the authentication group to a proxy service in an SSL termination configuration to enable client authentication. For information on client authentication, see the "Enabling Client Authentication" section on page 11-31. For information on server authentication and assigning an authentication group, see the "Configuring SSL Proxy Service" section on page 11-27.
Note: You cannot create an authentication group in Building Blocks (Config > Global > All Building Blocks); you can only create SSL authentication groups while configuring virtual contexts in specific modules.
Assumptions

• At least one SSL certificate is available.
• Your ACE supports authentication groups. See the Supported Devices Table for Cisco Application Networking Manager for details.
Procedure

Step 1 Choose Config > Devices > context > SSL > Auth Group Parameters.

The Auth Group Parameters table appears.