Configuring Identity Bridging on Unified Access Gateway
In Google Chrome, click the Unified Access Gateway Admin Console tab to return to the Admin Console.
NOTE: If you are prompted to log in again, the username is admin and the password is VMware1!
1. Configure Certificate Authentication Settings
- Click on Show for the Authentication Settings
- Click the Gear icon next to X.509 Certificate
1.1. Uploading Certificate into Unified Access Gateway Appliance
- Click NO next to Enable X.509 Certificate; the toggle switches to YES and additional options appear
- Click Select to upload the Root and Intermediate CA Certificates
- Enter C:\AW Tools for the path and press ENTER
- Click on the combo box and select All Files
- Select root-corplocal.pem
- Click Open
1.2. Enable Certificate Revocation
Make sure to read the tooltip for each of the following 9 steps; hover the mouse over the INFO icon to display it.
Unified Access Gateway can check certificate revocation in two ways: through a CRL (Certificate Revocation List) or through OCSP (Online Certificate Status Protocol). Below you configure OCSP as the primary check, with the CRL used as a fallback if the OCSP check fails.
- Click Yes to Enable Cert Revocation
- Select Use CRL from Certificate
- Enter http://controlcenter.corp.local/CertEnroll/corp-CONTROLCENTER-CA.crl for CRL Location
- Select Enable OCSP Revocation
- Click Yes for Use CRL in case of OCSP Failure
- Enter http://controlcenter.corp.local/ocsp for OCSP URL
- Select Use OCSP URL from certificate
- Click Save
2. Configure Keytab
Click the Gear for Upload Keytab Settings under Advanced Settings
2.1. Update the Keytab Settings
- Enter HTTP/[email protected] for Principal Name
- Click on Select
- Click on Local Disk (C:) folder
- Select the it.keytab file
- Click Open
- Click Save
After you click Save, you should receive the message "Keytab upload is successful".
NOTE: When no Principal Name is provided, the first Principal Name found in the keytab file is used. If your keytab contains multiple Principal Names, it is recommended that you specify the Principal Name to be used.
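To make the note above concrete, here is an added example (not part of the lab guide or of the Unified Access Gateway product) that parses the MIT keytab binary format, lists every principal it contains and applies the "first principal wins unless one is named" rule. The keytab is constructed in memory; the hostnames in it are placeholders, not values from this lab.

```python
import struct

def _cos(data: bytes) -> bytes:  # counted_octet_string: uint16 big-endian length + bytes
    return struct.pack(">H", len(data)) + data
def _read_cos(buf: bytes, off: int):
    n = struct.unpack(">H", buf[off:off + 2])[0]
    return buf[off + 2:off + 2 + n], off + 2 + n
def build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialise one MIT keytab (format 0x0502) entry for 'svc/host@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm.encode())
    body += b"".join(_cos(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + _cos(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
def parse_keytab(blob: bytes):
    """Return (principal, kvno, enctype) tuples in file order, skipping deleted slots."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, out = 2, []
    while pos + 4 <= len(blob):
        size = struct.unpack(">i", blob[pos:pos + 4])[0]; pos += 4
        if size < 0:  # a negative size marks a deleted entry of |size| bytes
            pos += -size; continue
        entry = blob[pos:pos + size]; pos += size
        ncomp = struct.unpack(">H", entry[:2])[0]; off = 2
        realm, off = _read_cos(entry, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cos(entry, off); comps.append(c.decode())
        off += 8  # skip name_type and timestamp
        vno8 = entry[off]; off += 1
        etype = struct.unpack(">H", entry[off:off + 2])[0]; off += 2
        _key, off = _read_cos(entry, off)  # key material is not needed for listing
        kvno = struct.unpack(">I", entry[off:off + 4])[0] if size - off >= 4 else vno8
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return out

def select_principal(entries, requested=None) -> str:
    """Lab note behaviour: the first principal is used unless one is named explicitly."""
    names = [p for p, _, _ in entries]
    if requested is not None and requested not in names:
        raise KeyError(f"{requested} not present in keytab")
    return names[0] if requested is None else requested

# Constructed sample keytab holding two service principals (placeholder hostnames).
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/itbudget.corp.local@CORP.LOCAL", 3, 18, b"\x11" * 32)
                 + build_entry("HTTP/other.corp.local@CORP.LOCAL", 2, 18, b"\x22" * 32))
```

Running `parse_keytab` over a real keytab before uploading it shows exactly which principal the appliance will pick when the field is left empty.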
3. Configure REALM
Click the Gear for Realm Settings under Advanced Settings.
3.1. Add a Realm Setting
Click Add.
3.2. Configure the Realm Settings
- Enter CORP.LOCAL for Name of the realm
NOTE - This entry MUST BE IN CAPITALS. It is advised to copy the value directly or drag and drop it from the VLP Manual for accuracy.
- Enter corp.local for Key Distribution Centers
- Enter 3 for KCD Timeout (in seconds)
- Click Save
After you click Save, you should receive the message "Configuration saved successful".
3.3. Close the Realm Settings
The realm settings are done.
Click Close.
4. Configure OCSP Settings
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.
Unified Access Gateway sends the OCSP request to the specified URL and receives a response indicating whether or not the certificate is revoked. To allow that communication, the OCSP Signing Certificate must be uploaded into the appliance.
4.1. How to obtain the OCSP Signing Certificate
The OCSP Signing Certificate is available in the Online Responder Management Console and can be exported from there. Also, when the IT administrator installed the Online Responder from Windows Add/Features and configured it, they were required to create the OCSP Signing Certificate on the CA, so in the real world you have two options for obtaining the signing certificate.
For your reference, see below the Online Responder Management Console, which contains the CONTROLCENTER Revocation Configuration and the respective Signing Certificate that you can view and export if needed.
For this exercise the certificate is already available under C:\AW Tools, named ocsp.crt, so you won't need to export it.
4.2. Add OCSP Setting
- Click Add.
4.2.1. Select OCSP Signing Certificate
- Click Select
- Navigate to C:\AW Tools
- Change the filter to All Files
- Select the ocsp.crt certificate. This is the certificate used to sign responses from your OCSP responder.
- Click Open
- Click Save
4.2.2. Confirm OCSP Settings
After you click Save, confirm that you see the OCSP signing certificate information.
Click Close.
5. Configure Identity Bridging for ITBUDGET Proxy Instance
5.1. Open the ITBUDGET Reverse Proxy Settings
- If the Edge Service Settings are currently hidden, click the Show toggle to display the settings
- Select the Gear icon for Reverse Proxy Settings
5.2. Select ITBUDGET Reverse Proxy Instance
Select the Gear icon for the ITBUDGET Reverse Proxy Instance.
5.3. Update the ITBUDGET Identity Bridging Settings
- Click NO next to Enable Identity Bridging; it switches to YES after you click
- Select CERTIFICATE for Authentication Types
- Select HTTP/[email protected] for Keytab
- Enter HTTP/[email protected] for Target Service Principal Name
- Click Save