Certificate Based Authentication
Certificate based authentication has been available since version 2.0 of the product.
If you want to try certificate based authentication in your CloudBolt instance, follow these steps:
Configuring PKI in CloudBolt’s Web Interface
- Log into CloudBolt as an admin user
- From the DB browser page, find the Utilities section and click on ‘+ Add’ in the PKIUtilities row
- Enter regular expressions that evaluate to the username, first, last and email fields, based on the Subject (or DN) field in the user certificates your company uses
- Optionally, choose the groups in which the new users should have the requestor, approver, etc. roles.
- Save the form
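One way to test such expressions against sample Subject DNs before saving the form, as an added example that is not CloudBolt code and not part of the original page. The DN layout, the patterns, the helper names, and the use of the first capture group as the field value are all assumptions; the page does not say how CloudBolt applies the expressions.

```python
import re

# Assumed RDN boundaries: start of string or an unescaped comma before the
# attribute, a comma or end of string after its value.
START = r"(?:^|(?<!\\),)"
END = r"(?=,|$)"

# Hypothetical patterns for a constructed CN layout "last.first.id".
PATTERNS = {
    "username": START + r"CN=[^.,]+\.[^.,]+\.(\d+)" + END,
    "first": START + r"CN=[^.,]+\.([^.,]+)\.\d+" + END,
    "last": START + r"CN=([^.,]+)\.[^.,]+\.\d+" + END,
    "email": START + r"emailAddress=([^,@\s]+@[^,@\s]+)" + END,
}

# Unanchored pattern of the kind the anchored ones replace.
NAIVE_USERNAME = r"CN=\w+\.\w+\.(\d+)"


def extract_fields(subject_dn, patterns=PATTERNS):
    """Return all four fields, or None if any pattern fails (fail closed)."""
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, subject_dn)
        if match is None:
            return None
        fields[name] = match.group(1)
    return fields


def naive_username(subject_dn):
    """Username as an unanchored pattern would extract it, or None."""
    match = re.search(NAIVE_USERNAME, subject_dn)
    return match.group(1) if match else None


# Constructed sample DNs (not taken from any real certificate).
GOOD_DN = ("emailAddress=jane.doe@example.com,CN=doe.jane.1234567890,"
           "OU=People,O=Example Corp,C=US")
# The CN does not follow the expected layout, but the OU value contains
# CN-like text after an escaped comma.
ODD_DN = r"CN=printer-7,OU=x\,CN=doe.jane.1,O=Example Corp,C=US"

if __name__ == "__main__":
    for dn in (GOOD_DN, ODD_DN):
        print(dn)
        print("  anchored:", extract_fields(dn))
        print("  naive username:", naive_username(dn))
```

The anchored patterns return nothing for the second DN, while the unanchored one reads a username out of the OU value; expressions entered in the form should be checked against DNs of both kinds.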
Configuring PKI in CloudBolt’s Server Settings
Edit /var/opt/cloudbolt/proserv/customer_settings.py, and append the following section to the file:

    # Enable PKI section
    LOGIN_URL = "/pki/login"

Configuring Apache To Require Client Certificates For The /pki/login URL
- Use scp to copy the root CA certificate to the CB server. For this article we’ll use /var/opt/cloudbolt/proserv/ca.crt as the path for the certificate
- Edit /etc/httpd/conf/httpd.conf, and add the following section:

    # mod_ssl accepts SSLCACertificateFile only at server or virtual-host
    # level, so it is set outside the <Location> block.
    SSLCACertificateFile /var/opt/cloudbolt/proserv/ca.crt
    <Location /pki/login>
        SSLVerifyClient require
        SSLVerifyDepth 5
        SSLOptions +StdEnvVars
    </Location>

If you are using an intermediate CA cert, use the directive SSLCertificateChainFile instead of SSLCACertificateFile
- Restart httpd