Configuring PKI (Public Key Infrastructure) Authentication

Public key infrastructure (PKI) is a set of policies and and procedures for managing public-key encryption. It is used to enable secure communication when simple passwords are insufficient for validating authentication. To configure PKI authentication in Voyager, you need to:

  • Enable the use of a Client Certificate to access secured services

  • Enable authorization using the Client Certificate

Enabling the Use of a Client Certificate

The first step is to enable access to secured services by enabling the use of a Client Certificate.

To enable use of a Client Certificate:

  1. Go to Manage Voyager > Discovery > HTTP Client

  2. Check the box next to Support Client Certificate

  3. Enter the Private Key and Password

  4. (You can also add the CA certificate at this time)

  5. Click Save

Testing the HTTP Client

To test the HTTP client:

  1. Go to Manage Voyager > Discovery > HTTP Client

  2. Enter a secure URL in the Test panel

     

  3. Click Test

If the HTTP Client was configured correctly, you should see the Response Headers in the results section.

Enabling Client Certificate Authentication

The next step is to enable Client Certificate Authentication.

  1. Go to Manage Voyager > Security > Authentication

     

     

  2. Check the box next to Client Certificate and click Configure

     

     

  3. Enter the Private Key and Password

  4. You can also add a trusted certificate here

  5. Click Save

Adding the Certificate to a Browser

In order to use a certificate to authenticate against Voyager, you need to add the certificate to the browser being used to access Voyager.

To install a certificate:

  1. Open the browser settings (in this example, Chrome)

  2. Click Advanced

  3. Click Manage certificates

  4. Click Import and follow the wizard to import the certificate

  5. When you next open Voyager, it will request a certificate

  6. When the certificate is selected, Voyager will authenticate the user  

Generating certificates for testing

To generate certificates that you can use in testing and configuration:

  1. Download Easy RSA from GitHub - OpenVPN/easy-rsa: easy-rsa - Simple shell based CA utility

  2. Edit the vars file modifying these values:

    export KEY_COUNTRY="US" export KEY_PROVINCE="California" export KEY_CITY="Redlands" export KEY_ORG="Voyager Search" export KEY_EMAIL="pki@voyagersearch.com" export KEY_OU="IT" export KEY_NAME="Voyager Search"
  3. Execute those commands in the current shell

    source ./vars
  4.  Clean or initialize the environment

     ./clean-all
  5.  Generate the CA certificate

  6.  Build the server key

  7.  Generate the Diffie-Hellman parameters

  8.  Generate the client certificate

  9.  Convert the certificates to PKCS#12