Certificate Based Authentication

Certificate based authentication has been available since version 2.0 of the product.

If you want to try certificate based authentication in your CloudBolt instance, follow these steps:

Configuring PKI in CloudBolt’s Web Interface

  1. Log into CloudBolt as an admin user
  2. From the DB browser page, find the Utilities section and click on ‘+ Add’ in the PKIUtilities row
  3. Enter regular expressions that extract the username, first name, last name and email fields from the Subject (or DN) field of the user certificates your company uses
  4. Optionally, choose the groups in which new users should receive roles such as requestor and approver.
  5. Save the form
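
A way to check the expressions from step 3 against a sample Subject before saving them. This is an added example, not CloudBolt code: the slash-separated DN format, the Last.First.username CN layout, the use of re.search with one capture group, and every name below are assumptions.

```python
import re

# Constructed sample Subjects. ODD_DN has an OU value that contains "CN=".
SAMPLE_DN = ("/C=US/O=Example Corp/OU=Engineering"
             "/CN=Doe.Jane.jdoe/emailAddress=jdoe@example.com")
ODD_DN = ("/C=US/O=Example Corp/OU=CN=admin.x.root"
          "/CN=Doe.Jane.jdoe/emailAddress=jdoe@example.com")

# Hypothetical patterns, one capture group each, anchored to an attribute
# boundary: "/" or start of string before, "/" or end of string after.
PATTERNS = {
    "username": r"(?:^|/)CN=[^./]+\.[^./]+\.([^./]+)(?:/|$)",
    "first": r"(?:^|/)CN=[^./]+\.([^./]+)\.[^./]+(?:/|$)",
    "last": r"(?:^|/)CN=([^./]+)\.[^./]+\.[^./]+(?:/|$)",
    "email": r"(?:^|/)emailAddress=([^/@\s]+@[^/@\s]+)(?:/|$)",
}

# A loose pattern of the kind to avoid: it is not tied to an attribute
# boundary, so it matches "CN=" wherever that text appears in the Subject.
LOOSE_USERNAME = r"CN=\w+\.\w+\.(\w+)"


def extract_fields(subject_dn, patterns=PATTERNS):
    """Return {field: value}; raise ValueError if any pattern does not match."""
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, subject_dn)
        if match is None:
            # Refuse to build a partial identity from an unexpected Subject.
            raise ValueError(f"no {name} found in subject {subject_dn!r}")
        fields[name] = match.group(1)
    return fields


if __name__ == "__main__":
    print(extract_fields(SAMPLE_DN))
    print("anchored:", extract_fields(ODD_DN)["username"])
    print("loose:   ", re.search(LOOSE_USERNAME, ODD_DN).group(1))
```

Run it with Subjects copied from your own certificates and confirm every field comes from the attribute you intended.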

Configuring PKI in CloudBolt’s Server Settings

Edit /var/opt/cloudbolt/proserv/customer_settings.py, and append the following section to the file:

# Enable PKI section
LOGIN_URL = "/pki/login"

Configuring Apache To Require Client Certificates For The /pki/login URL

  1. scp a copy of the root CA certificate to the CB server. For this article we’ll use /var/opt/cloudbolt/proserv/ca.crt as the path for the certificate
  2. Edit /etc/httpd/conf/httpd.conf, and add the following section:
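# SSLCACertificateFile is only accepted at server or virtual-host level,
# so it is placed outside the <Location> block.
SSLCACertificateFile /var/opt/cloudbolt/proserv/ca.crt
<Location /pki/login>
    # Require a client certificate for this URL only
    SSLVerifyClient require
    SSLVerifyDepth 5
    # Export the SSL_* variables (including the client Subject) to the application
    SSLOptions +StdEnvVars
</Location>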

If you are using an intermediate CA cert, use the directive SSLCertificateChainFile instead of SSLCACertificateFile.

  3. Restart httpd