OMS_CERT_ACCESS - UACL Entry
Description
An OMS_CERT_ACCESS UACL entry supports client authentication by managing access using properties presented by a client's X.509 certificate.
Usage
Method | Syntax | IBM i | HP NonStop | UNIX | Windows | z/OS |
UACL File Keyword | oms_cert_access certid,access |
Values
Valid values for access are:
- allow - The OMS Server can accept connection requests from the client.
- deny - The OMS Server should not accept connection requests from the client.
Default is allow.
See UACL Entries for details on certid.
OMS_ACCESS Interaction
OMS Server will only evaluate OMS_CERT_ACCESS entries for client connection requests that satisfy the following conditions:
- The client presents an X.509 certificate to OMS Server
- An OMS_ACCESS entry must exist whose host value matches the hostname or IP address reported by the client
- The access value in the matching OMS_ACCESS entry must be allow
- If the access value is deny, the connection request is rejected with no further evaluation
- The certrule value in the matching OMS_ACCESS entry must be cert (see OMS_ACCESS for background on why this interaction exists)
- If the certrule value is nocert, OMS Server will proceed to the next OMS_ACCESS entry.
When these conditions are met, OMS Server will conditionally accept the client connection. Final acceptance depends on the result of the OMS_CERT_ACCESS evaluation.
OMS_CERT_ACCESS Evaluation
OMS Server will only evaluate OMS_CERT_ACCESS rules when a client connection request satisfies the conditions listed above. When those conditions are met, OMS Server will conditionally accept the connection, pending the results of the OMS_CERT_ACCESS evaluation, described below.
- OMS Server will look for a CERT_MAP entry that matches information in the client's certificate.
- OMS Server will use that CERT_MAP entry's certid value to locate a matching OMS_CERT_ACCESS entry.
- If OMS Server does not find a matching OMS_CERT_ACCESS entry (including the case where no CERT_MAP entry matched the certificate, so there is no certid to look up), it will permit the connection. Because this default is permissive, a final catch-all entry of *,deny after the specific entries is what turns the policy into default-deny, as the examples below show.
- If a match is found, OMS Server will permit or reject the connection based on the entry's access value (i.e., allow or deny).
UAG Server Client Certificates
You must set UAG Server's SSL_CLIENT_AUTH option to send any configured certificate/private key from UAG Server to OMS Server.
Additional Certificate Authentication
Prior to UACL rule evaluation, OMS Server may also reject a connection for either of two reasons:
- If OMS Server cannot authenticate the client certificate's issuer (i.e., CA validation fails), OMS will refuse the connection.
- If the OMS Server configuration option AUTHENTICATE_PEER is set to yes and the client certificate does not contain a hostname or IP address that matches the client system's DNS Name or IP Address, OMS will refuse the connection.
- When AUTHENTICATE_PEER is no, OMS Server relies solely on the OMS_CERT_ACCESS rules to accept or reject connections based on client certificate information.
CERT_MAP Requirement
If you intend to author OMS_CERT_ACCESS rules into your configuration, you must also have one or more CERT_MAP entries defined. The Universal Agent does not support a configuration where OMS_CERT_ACCESS rules exist without CERT_MAP entries.
Examples
Scenario 1
The following example conditionally grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40 that presents an X.509 certificate. Before accepting the connection, OMS Server will look for a matching CERT_MAP entry and use its certid value to evaluate the OMS_CERT_ACCESS rules.
oms_access | 10.20.30.40,allow,cert |
Scenario 1a
Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will accept the Scenario 1 connection.
- OMS will see that the cert_map entry S2A matches the incoming client request
- OMS will apply the OMS_CERT_ACCESS rule with the S2A id, which grants access to client connection requests originating from 10.20.30.40
cert_map | id=S2A,ipaddress=10.20.30.40 |
oms_cert_access | S2A,allow |
oms_cert_access | *,deny |
Scenario 1b
Given the following CERT_MAP and OMS_CERT_ACCESS entries, OMS Server will reject the Scenario 1 connection.
- OMS will fail to find a cert_map entry that matches the incoming client certificate's information
- OMS will apply the global OMS_CERT_ACCESS rule which rejects all connection requests from clients whose certificate information does not match a cert_map entry
cert_map | id=S2A,ipaddress=10.20.40.50 |
oms_cert_access | S2A,allow |
oms_cert_access | *,deny |
Scenario 2
The following example grants access to any OMS client (e.g., UAG Server) with an IP address of 10.20.30.40, provided that the client did not present an X.509 certificate.
oms_access | 10.20.30.40,allow,nocert |
Scenario 3
For a more detailed example, consider the following UACL entries:
1 | oms_access | 10.20.30.40,allow,nocert |
2 | oms_access | all,allow,cert |
3 | oms_access | all,deny,nocert |
1 | oms_cert_access | S4,allow |
2 | oms_cert_access | *,deny |
1 | cert_map | id=S4,ipaddress=10.20.30.40 |
Scenario 3a
A client with a reported IP address of 10.20.30.40 attempts to connect to OMS Server and that client does not provide an X.509 certificate.
Result: OMS Server grants the connection using oms_access rule 1.
Scenario 3b
A client with a reported IP address of 10.20.40.50 attempts to connect to OMS Server and that client does not provide an X.509 certificate.
Result: OMS Server rejects the connection using oms_access rule 3.
Scenario 3c
A client with a reported IP address of 10.20.40.50 attempts to connect to OMS Server. That client presents an X.509 certificate to OMS.
In this case:
- OMS Server evaluates the oms_access rules in order. Rule 1 does not match the reported IP address; rule 2 (all,allow,cert) matches a client that presented a certificate.
- OMS Server conditionally accepts the connection based on oms_access rule 2.
- OMS Server uses the information in the client certificate to locate a matching cert_map entry.
- No cert_map entry matches, so there is no certid to look up; oms_cert_access rule 1 (S4) cannot match, but the wildcard rule 2 (*) does.
Result: OMS Server rejects the connection using oms_cert_access rule 2.
Scenario 3d
A client with a reported IP address of 10.20.30.40 attempts to connect to OMS Server. That client presents an X.509 certificate to OMS.
In this case:
- OMS Server evaluates the oms_access rules in order. Rule 1 matches the reported IP address but has a certrule of nocert, so OMS Server proceeds to the next entry; rule 2 (all,allow,cert) matches.
- OMS Server conditionally accepts the connection based on oms_access rule 2.
- OMS Server uses the information in the client certificate to locate a matching cert_map entry.
- The cert_map entry (id=S4,ipaddress=10.20.30.40) matches.
- OMS Server uses the cert_map entry's id value (S4) to locate a matching oms_cert_access entry; rule 1 (S4,allow) matches before the wildcard rule 2.
Result: OMS Server accepts the connection using oms_cert_access rule 1.
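The evaluation order described under OMS_ACCESS Interaction and OMS_CERT_ACCESS Evaluation, and the Scenario 3 walk-throughs above, can be checked mechanically. The following is an added example and not Universal Agent code: a small model of the documented precedence that parses UACL-style lines and evaluates a client request against them, so a policy can be reviewed before it is deployed. Everything in it is the example's own (ClientRequest, parse_uacl, evaluate, the "cert" dictionary standing in for the X.509 attributes CERT_MAP matches on); it assumes entries apply in file order with first match winning, that every oms_access entry carries all three fields, that a client matching no oms_access entry is denied, and it represents CA validation and AUTHENTICATE_PEER as flags on the request rather than real TLS checks.

```python
"""Model of the OMS Server UACL evaluation order described on this page.

Added illustration, not Universal Agent code: it implements the documented
precedence (OMS_ACCESS host/certrule, then CERT_MAP, then OMS_CERT_ACCESS by
certid) over an in-memory rule list. Assumptions: entries apply in file order,
first match wins; every oms_access entry has all three fields; a client that
matches no oms_access entry is denied; CA validation and AUTHENTICATE_PEER are
flags on the request, not real TLS checks. All names here are the example's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientRequest:
    host: str                     # hostname or IP address reported by the client
    cert: Optional[dict] = None   # certificate attributes as CERT_MAP sees them; None = no cert
    issuer_trusted: bool = True   # result of CA validation (assumed pre-check)
    cert_names: tuple = ()        # hostnames/IPs carried in the cert, for AUTHENTICATE_PEER


def parse_uacl(text):
    """Parse 'keyword field,field,...' lines into (keyword, [fields]) tuples.
    Blank lines and '#' comments are skipped; keywords are case-insensitive."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        rules.append((keyword.lower(), [f.strip() for f in value.split(",")]))
    return rules


def cert_map_id(rules, cert):
    """Return the id of the first cert_map entry whose attributes all match cert, else None."""
    for keyword, fields in rules:
        if keyword != "cert_map":
            continue
        attrs = dict(f.split("=", 1) for f in fields)
        entry_id = attrs.pop("id")
        if all(cert.get(k) == v for k, v in attrs.items()):
            return entry_id
    return None


def evaluate(rules, req, authenticate_peer=False):
    """Return (decision, reason); decision is 'allow' or 'deny'."""
    has_cert = req.cert is not None
    # Additional Certificate Authentication: rejections before any UACL rule runs.
    if has_cert:
        if not req.issuer_trusted:
            return "deny", "CA validation failed"
        if authenticate_peer and req.host not in req.cert_names:
            return "deny", "AUTHENTICATE_PEER: certificate does not name the client host"

    # OMS_ACCESS: walk entries in file order; numbering matches the page's tables.
    n = 0
    for keyword, fields in rules:
        if keyword != "oms_access":
            continue
        n += 1
        host, access, certrule = fields
        if host != "all" and host != req.host:
            continue
        if not has_cert:
            if certrule == "cert":
                continue                    # entry only governs clients that present a cert
            return access, f"oms_access rule {n}"
        if access == "deny":
            return "deny", f"oms_access rule {n}"   # deny is final, checked before certrule
        if certrule == "nocert":
            continue                        # allow,nocert does not cover a cert-presenting client
        break                               # allow,cert: conditional accept, pending OMS_CERT_ACCESS
    else:
        return "deny", "no matching oms_access entry (assumed default)"

    # OMS_CERT_ACCESS: '*' matches even when no CERT_MAP entry matched the certificate.
    certid = cert_map_id(rules, req.cert)
    m = 0
    for keyword, fields in rules:
        if keyword != "oms_cert_access":
            continue
        m += 1
        rule_id, access = fields
        if rule_id == "*" or rule_id == certid:
            return access, f"oms_cert_access rule {m}"
    return "allow", "no matching oms_cert_access entry (documented default: permit)"


# The Scenario 3 entries from this page, in UACL file syntax.
SCENARIO_3 = """
oms_access 10.20.30.40,allow,nocert
oms_access all,allow,cert
oms_access all,deny,nocert
oms_cert_access S4,allow
oms_cert_access *,deny
cert_map id=S4,ipaddress=10.20.30.40
"""


def scenario_3():
    """Evaluate the four Scenario 3 clients; the certificate attributes are constructed."""
    rules = parse_uacl(SCENARIO_3)
    return {
        "3a": evaluate(rules, ClientRequest("10.20.30.40")),
        "3b": evaluate(rules, ClientRequest("10.20.40.50")),
        "3c": evaluate(rules, ClientRequest("10.20.40.50", cert={"ipaddress": "10.20.40.50"})),
        "3d": evaluate(rules, ClientRequest("10.20.30.40", cert={"ipaddress": "10.20.30.40"})),
    }


if __name__ == "__main__":
    for name, (decision, reason) in scenario_3().items():
        print(f"Scenario {name}: {decision} ({reason})")
```

Running the module prints the four Scenario 3 outcomes (3a and 3d allowed, 3b and 3c rejected, each with the rule that decided it). The final return in evaluate is the documented permissive default when no OMS_CERT_ACCESS entry matches; removing the *,deny entry from the rule set and re-running a client with an unmapped certificate shows why the examples on this page always end with that catch-all.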