Configuring Identity Bridging on Unified Access Gateway

In Google Chrome, click the Unified Access Gateway Admin Console tab to return to the Admin Console.

NOTE: If you are prompted to login again, the username is admin and the password is VMware1!

1. Configure Certificate Authentication Settings

Enable Certificate
  1. Click on Show for the Authentication Settings
  2. Click the Gear icon next to X.509 Certificate

1.1. Uploading Certificate into Unified Access Gateway Appliance

Access the instance configuration
  1. Click NO to enable X.509 Certificate, that will show additional options and switch to YES
  2. Click Select to upload the Root and Intermediate CA Certificates
  3. Enter C:\AW Tools for the path and press ENTER.
  4. Click on the combo box and select All Files
  5. Select root-corplocal.pem
  6. Click Open

1.2. Enable Certificate Revocation

Cert Revocation

Make sure to read the ToolTip in each of the following 9 steps, just pass the mouse over the INFO icon to obtain the ToolTip.

Unified Access Gateway can perform certificate revocation check in two ways, through CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol), and below you will configure to use OCSP and in case it fails, it will use the CRL.

  1. Click Yes to Enable Cert Revocation
  2. Select Use CRL from Certificate
  3. Enter http://controlcenter.corp.local/CertEnroll/corp-CONTROLCENTER-CA.crl for CRL Location
  4. Select Enable OCSP Revocation
  5. Click Yes for Use CRL in case of OCSP Failure
  6. Enter http://controlcenter.corp.local/ocsp for OCSP URL
  7. Select Use OCSP URL from certificate
  8. Click Save

2. Configure Keytab

Advanced Settings Keytab

Click the Gear for Upload Keytab Settings under Advanced Settings

2.1. Update the Keytab Settings

Set Keytab
  1. Enter HTTP/[email protected] for Principal Name
  2. Click on Select
  3. Click on Local Disk (C:) folder
  4. Select it.keytab file
  5. Click Open
  6. Click Save

After hit Save, you should receive a message "Keytab upload is successful".

NOTE: The first Principal Name found on the Keytab file will be used when not provided, if your Keytab contain multiple Principal Names it's recommend that you inform the Principal Name to be used.

3. Configure REALM

Advanced Settings Realm

Click the Gear for Realm Settings under Advanced Settings.

3.1. Add a Realm Setting

Add Relm Settings

Click Add.

3.2. Configure the Realm Settings

Realm Settings
  1. Enter CORP.LOCAL for Name of the realm
    NOTE - This entry MUST BE IN CAPITAL.  It is advised to copy the value directly or drag and drop it from the VLP Manual for accuracy.
  2. Enter corp.local for Key Distribution Centers
  3. Enter 3 for KCD Timeout (in seconds)
  4. Click Save

After hit Save, you should receive a message "Configuration saved successful".

3.3. Close the Realm Settings

Realm configured

Realm settings is done.

Click Close.

4. Configure OCSP Settings

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.

Unified Access Gateway sends the OCSP request to the specified URL and receives a response that contains information indicating whether or not the certificate is revoked, in order to allow that communication the OCSP Signing Certificate must be upload into the Appliance.


OCSP Settings

4.1. How to obtain the OCSP Signing Certificate

The OCSP Signing Certificate is available on the Online Responder Management Console and can be export from their, also when the IT administrator installed the Online Responder Management Console from Windows Add/Features and configure, he was requested to create the OCSP Signing Certificate on the CA, so in real world you have here two options to obtain the signing certificate.


For your reference, see below the Online Responder Management Console, which contain the CONTROLCENTER Revocation Configuration and the respective Signing Certificate that you can view and export if needed.

For this exercise the certificate is already available under C:\AW Tools, named ocsp.crt, you won't need to export.

OCSP Console

4.2. Add OCSP Setting

  1. Click Add.

4.2.1. Select OCSP Signing Certificate

Select OCSP Certificate
  1. Click Select
  2. Navigate to C:\AW Tools.
  3. Change the filter to All Files
  4. Select the ocsp.crt certificate - This is the certificate used to sign your OCSP Responder.
  5. Click Open
  6. Click Save

4.2.2. Confirm OCSP Settings


After you click Save, confirm that you see the OCSP signing certificate information.

Click Close.

5. Configure Identity Bridging for ITBUDGET Proxy Instance

5.1. Open the ITBUDGET Reverse Proxy Settings

Access Reverse Proxy settings
  1. If the Edge Service Settings are currently hidden, click the Show toggle to display the settings
  2. Select the Gear icon for Reverse Proxy Settings

5.2. Select ITBUDGET Reverse Proxy Instance

Setup itbudget instance

Select the Gear icon for the ITBUDGET Reverse Proxy Instance.

5.3. Update the ITBUDGET Identity Bridging Settings

Config identity bridging
  1. Click NO to show the Enable Identity Bridging, it will switch to YES after you click
  2. Select CERTIFICATE for Authentication Types
  3. Select HTTP/[email protected] for Keytab
  4. Enter HTTP/[email protected] for Target Service Principal Name
  5. Click Save

5.4. Confirm the Identity Bridging Settings Saved

Configuration saved sucessfully

Confirm the Configuration is saved successfully message is displayed.