Description

An OMS_CERT_ACCESS UACL entry supports client authentication by managing access using properties presented by a client's X.509 certificate.

Usage

Method	Syntax	IBM i	HP NonStop	UNIX	Windows	z/OS
UACL File Keyword	oms_cert_access certid,access

Values

Valid values for access are

allow - The OMS Server can accept connection requests from the client.
deny - The OMS Server should not accept connection requests from the client

Default is allow.

See UACL Entries for details on certid.

OMS_ACCESS Interaction

OMS Server will only evaluate OMS_CERT_ACCESS entries for client connection requests that satisfy the following conditions:

The client presents an X.509 certificate to OMS Server
An OMS_ACCESS entry must exist whose host value matches the hostname or IP address reported by the client
The access value in the matching OMS_ACCESS entry must be allow
- If the access value is deny, the connection request is rejected with no further evaluation
The certrule value in the matching OMS_ACCESS entry must be cert (see OMS_ACCESS for background on why this interaction exists)
- If the certrule value is nocert, OMS Server will proceed to the next OMS_ACCESS entry.

When these conditions are met, OMS Server will conditionally accept the client connection. Final acceptances depends on the result of OMS_CERT_ACCESS evaluation.

OMS_CERT_ACCESS Evaluation

OMS Server will only evaluate OMS_CERT_ACCESS rules when an client connection request satisfies the conditions listed above. When those conditions are met, OMS Server will conditionally accept the connection, pending the results of the OMS_CERT_ACCESS evaluation, described below.

OMS Server will look for a CERT_MAP entry that matches information in the client's certificate.
OMS Server will use that CERT_MAP entry's certid value to locate a matching OMS_CERT_ACCESS entry.
- If OMS Server does not find a match, it will permit the connection.
- If a match is found, OMS Server will permit or reject the connection based on the entry's access value (i.e., allow or deny).

UAG Server Client Certificates

You must set UAG Server's SSL_CLIENT_AUTH option to send any configured certificate/private key from UAG Server to OMS Server.

Additional Certificate Authentication

Prior to UACL rule evaluation, OMS Server may also reject in one of two ways:

If OMS Server cannot authenticate the client certificate's issuer (i.e., CA validation fails), OMS will refuse the connection.
If the OMS Server configuration option AUTHENTICATE_PEER is set to yes and the client certificate does not contain a hostname or IP address that matches the client system's DNS Name or IP Address, OMS will refuse the connection.
- When AUTHENTICATE_PEER is no, OMS Server relies solely on the OMS_CERT_ACCESS rules to accept or reject connections based on client certificate information.

CERT_MAP Requirement

If you intend to author OMS_CERT_ACCESS rules into your configuration, you must also have one or more CERT_MAP entries defined. The Universal Agent does not support a configuration where OMS_CERT_ACCESS rules exist without CERT_MAP entries.

Examples

Scenario 1

The following example conditionally grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40 that presents an X.509 certificate. Before accepting the connection, OMS Server will look for a matching CERT_MAP entry and use its certid value to evaluate the OMS_CERT_ACCESS rules.

oms_access

10.20.30.40,allow,cert

Scenario 2a

Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will accept the above connection.

OMS will see that the cert_map entry S2A matches the incoming client request
OMS will apply the OMS_CERT_ACCESS rule with the S2A id, which grants access to client connection requests originating from 10.20.30.40

cert_map	id=S2A,ipaddress=10.20.30.40
oms_cert_access	S2A,allow
oms_cert_access	*,deny

Scenario 2b

Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will reject the above connection.

OMS will fail to find a cert_map entry that matches the incoming client certificate's information
OMS will apply the global OMS_CERT_ACCESS rule which rejects all connection requests from clients whose certificate information does not match a cert_map entry

cert_map	id=S2A,ipaddress=10.20.40.50
oms_cert_access	S2A,allow
oms_cert_access	*,deny

Scenario 2

The following example grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40, provided that client did not provide an X.509 certificate.

oms_access

10.20.30.40,allow,nocert

Scenario 3

For a more detailed example, consider the following UACL entries:

1	oms_access	10.20.30.40,allow,nocert
2	oms_access	all,allow,cert
3	oms_access	all,deny,nocert
1	oms_cert_access	S4,allow
2	oms_cert_access	*,deny
1	cert_map	id=S4,ipaddress=10.20.30.40

Scenario 3a

A client with a reported IP address of 10.20.30.40 attempts to connect to OMS Server and that client does not provide an X.509 certificate.

Result: OMS Server grants the connection using oms_access rule 1.

Scenario 3b

A client with a reported IP address of 10.20.40.50 attempts to connect to OMS Server and that client does not provide an X.509 certificate.

Result: OMS Server rejects the connection using oms_access rule 3.

Scenario 3c

A client with a reported IP address of 10.20.40.50 attempts to connect to OMS Server. That client presents an X.509 certificate to OMS.

In this case:

OMS Server will first evaluate oms_access rules with a certrule value of cert.
OMS Server will conditionally accept the condition based on oms_access rule 2.
OMS Server will use the information to the client certificate to locate a matching cert_map entry.
No matching cert_map entry exists, OMS Server proceeds to the next oms_cert_access entry.

Result: OMS Server rejects the connection using oms_cert_access rule 2.

Scenario 3d

A client with a reported IP address of 10.20.30.40 attempts to connect to OMS Server. That client presents an X.509 certificate to OMS.