Description
An OMS_CERT_ACCESS UACL entry supports client authentication by controlling access based on properties of the X.509 certificate that a client presents.
...
- allow - OMS Server can accept connection requests from the client.
- deny - OMS Server rejects connection requests from the client.
Default is allow.
See UACL Entries for details on certid.
OMS_ACCESS Interaction
...
- The client presents an X.509 certificate to OMS Server
- An OMS_ACCESS entry must exist whose host value matches the hostname or IP address reported by the client
- The access value in the matching OMS_ACCESS entry must be allow
- If the access value is deny, the connection request is rejected with no further evaluation
- The certrule value in the matching OMS_ACCESS entry must be cert (see OMS_ACCESS for background on why this interaction exists)
- If the certrule value is nocert, OMS Server will proceed to the next OMS_ACCESS entry.
...
- OMS Server looks for a CERT_MAP entry that matches information in the client's certificate.
- OMS Server uses that CERT_MAP entry's certid value to locate a matching OMS_CERT_ACCESS entry.
- If OMS Server does not find a matching OMS_CERT_ACCESS entry, it permits the connection (the default is allow). A certificate whose certid has no OMS_CERT_ACCESS entry is therefore accepted; to block such a client, an explicit deny entry for that certid is required.
- If a match is found, OMS Server permits or rejects the connection based on the entry's access value (allow or deny).
...
Info: UAG Server presents its configured certificate (proving possession of the corresponding private key) to OMS Server only if UAG Server's SSL_CLIENT_AUTH option is set. Without it, no client certificate reaches OMS Server and the certificate-based rules cannot match.
...
Info: Prior to UACL rule evaluation, OMS Server may also reject the connection in one of two ways:
...
Info: If you intend to author OMS_CERT_ACCESS rules in your configuration, you must also define one or more CERT_MAP entries. Universal Agent does not support a configuration in which OMS_CERT_ACCESS rules exist without CERT_MAP entries.
...
The following example conditionally grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40 that presents an X.509 certificate. Before accepting the connection, OMS Server looks for a matching CERT_MAP entry and uses its certid value to evaluate the OMS_CERT_ACCESS rules.
...
Scenario 2a
Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will accept the above connection.
...
Scenario 2b
Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will reject the above connection.
...
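The decision procedure described under OMS_ACCESS Interaction, and the outcomes of Scenario 2a and 2b, can be traced with the following model. This is an added example, not Universal Agent code and not the UACL file syntax: entries are modelled as Python objects, the "*" wildcard in the host field, the Subject/Issuer attributes used for CERT_MAP matching, the certid uag1_cert and the certificate values are all assumptions made for illustration. Two cases the page does not spell out (certrule is cert but no certificate was presented; no OMS_ACCESS entry qualifies at all) are marked as assumptions in the code and treated as rejections.

```python
"""Constructed model of the OMS_ACCESS -> CERT_MAP -> OMS_CERT_ACCESS decision
procedure. Added example, not Universal Agent code; field names, wildcard host
matching and the certificate attributes used for CERT_MAP matching are assumed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class OmsAccess:
    host: str       # hostname or IP pattern; "*" wildcard matching is an assumption
    access: str     # "allow" | "deny"
    certrule: str   # "cert" | "nocert"


@dataclass(frozen=True)
class CertMap:
    certid: str
    subject: str                   # assumed matching attribute (certificate Subject)
    issuer: Optional[str] = None   # assumed optional second attribute (Issuer)


@dataclass(frozen=True)
class OmsCertAccess:
    certid: str
    access: str = "allow"          # "Default is allow."


@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str


def cert_map_matches(entry: CertMap, cert: ClientCert) -> bool:
    """Assumed CERT_MAP match: Subject must be equal, Issuer only if configured."""
    if entry.subject != cert.subject:
        return False
    return entry.issuer is None or entry.issuer == cert.issuer


def evaluate_connection(client_host: str, client_cert: Optional[ClientCert],
                        oms_access: Sequence[OmsAccess], cert_maps: Sequence[CertMap],
                        cert_access: Sequence[OmsCertAccess]) -> Tuple[str, str]:
    """Return ("permit" | "reject", reason) for one connection request."""
    for entry in oms_access:
        if not fnmatchcase(client_host, entry.host):
            continue                      # host does not match this OMS_ACCESS entry
        if entry.access == "deny":
            # Rejected with no further evaluation, whatever the certificate says.
            return "reject", f"OMS_ACCESS deny for host {entry.host}"
        if entry.certrule == "nocert":
            continue                      # proceed to the next OMS_ACCESS entry
        # access=allow, certrule=cert: consult CERT_MAP and OMS_CERT_ACCESS.
        if client_cert is None:
            # Assumption: not stated on the page; modelled as a rejection.
            return "reject", "certrule=cert but the client presented no certificate"
        cert_map = next((m for m in cert_maps if cert_map_matches(m, client_cert)), None)
        if cert_map is None:
            # Reading of "no match permits the connection", applied to the CERT_MAP lookup.
            return "permit", "no CERT_MAP entry matched the certificate (default allow)"
        rule = next((r for r in cert_access if r.certid == cert_map.certid), None)
        if rule is None:
            # No OMS_CERT_ACCESS entry for this certid: permitted, default is allow.
            return "permit", f"no OMS_CERT_ACCESS entry for certid {cert_map.certid}"
        if rule.access == "deny":
            return "reject", f"OMS_CERT_ACCESS deny for certid {cert_map.certid}"
        return "permit", f"OMS_CERT_ACCESS allow for certid {cert_map.certid}"
    # Assumption: no OMS_ACCESS entry with access=allow and certrule=cert matched;
    # the page says such an entry "must exist", so this is modelled as a rejection.
    return "reject", "no qualifying OMS_ACCESS entry matched the host"


# Constructed scenario data mirroring the example above: the client at 10.20.30.40
# presents a certificate whose Subject is CN=uag1 (hypothetical values).
UAG_HOST = "10.20.30.40"
UAG_CERT = ClientCert(subject="CN=uag1,O=Example", issuer="CN=Example CA")
OMS_ACCESS_RULES = (OmsAccess(host="10.20.30.40", access="allow", certrule="cert"),)
CERT_MAPS = (CertMap(certid="uag1_cert", subject="CN=uag1,O=Example", issuer="CN=Example CA"),)


def scenario_2a() -> Tuple[str, str]:
    """OMS_CERT_ACCESS allow for certid uag1_cert: OMS Server accepts the connection."""
    return evaluate_connection(UAG_HOST, UAG_CERT, OMS_ACCESS_RULES, CERT_MAPS,
                               (OmsCertAccess("uag1_cert", "allow"),))


def scenario_2b() -> Tuple[str, str]:
    """OMS_CERT_ACCESS deny for certid uag1_cert: OMS Server rejects the connection."""
    return evaluate_connection(UAG_HOST, UAG_CERT, OMS_ACCESS_RULES, CERT_MAPS,
                               (OmsCertAccess("uag1_cert", "deny"),))


def scenario_unlisted_certid() -> Tuple[str, str]:
    """Same certificate, but no OMS_CERT_ACCESS entry names its certid: permitted."""
    return evaluate_connection(UAG_HOST, UAG_CERT, OMS_ACCESS_RULES, CERT_MAPS, ())


if __name__ == "__main__":
    for name, fn in (("2a", scenario_2a), ("2b", scenario_2b), ("no rule", scenario_unlisted_certid)):
        print(name, *fn())
```

The third scenario is the one worth checking in a real configuration: the default-allow in OMS_CERT_ACCESS means a certificate that maps to a certid with no rule is accepted, so a deny must be written explicitly rather than relying on omission.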