Client-side Authentication Setup
To enable client-side authentication, LiveWire must be given one or more digital certificates for the root certificate authorities that digitally sign the user certificates that LiveWire should trust. LiveWire will then accept any client certificate provided by a user that is signed by one of these root certificate authorities.
Optionally, the security of client-side authentication can be enhanced by enabling additional verification of client certificates using the Online Certificate Status Protocol (OCSP). When this protocol is enabled and a client certificate is presented to LiveWire, LiveWire will attempt to contact the certificate authority that signed the client's certificate to ensure it hasn't been revoked. To use this feature, OCSP information, in the form of a certificate extension, must be embedded into both the client's certificate and the root certificate authority's certificate. If either certificate lacks this extension, this feature cannot be used. Note that LiveWire has no control over whether or not the certificates contain an OCSP extension: The administrator must confirm its presence if they wish to use this feature.
The following steps are needed to enable client-side authentication. In this example, we use the NIST Test PIV Card PKI infrastructure, assume the administrator is using the Linux operating system, and assume the DNS name of the LiveWire appliance is `Omnipeek.` For a real PIV/CAC deployment, the DoD root certificates should be used, which can be found at https://pkaps.pki.state.gov/webcardtest/downloads.aspx.
NOTE: Your organization may use alternate or intermediate certificate authorities that require additional certificates.
To enable client-side authentication:
1. Obtain certificates for root certificate authorities.
Obtain the certificate for each certificate authority that issues certificates to clients that you wish to allow access to LiveWire. Here, we download the NIST Test PIV Card root certificate which will allow LiveWire to trust users who are using those cards.
curl -O https://csrc.nist.gov/CSRC/media/Projects/piv/documents/TestPIVCardsv2TrustAnchorRootCA.cer
2. Convert certificate(s) to PEM format.
LiveWire requires that certificates be in the text-based PEM format. If one or more certificates is in an alternate form, such as binary DER, they must be converted. In this case, the certificate downloaded is DER format and must be converted with the following command:
openssl x509 -inform der -in TestPIVCardsv2TrustAnchorRootCA.cer -out TestPIVCardsv2TrustAnchorRootCA.pem
3. Concatenate root certificates
If more than one certificate authorities' certificates are to be trusted, their certificates must be concatenated into a single file (the "certificate bundle"). In our example, only a single certificate authority is trusted so concatenation is not required but we include it here for completeness.
cat TestPIVCardsv2TrustAnchorRootCA.pem > client-ca.pem
4. Upload certificate bundle to LiveWire
LiveWire assumes the certificate bundle is located at /lib/ssl/liveaction/client-ca.pem on the LiveWire appliance. Uploading is a multi-step process that requires administrator access to LiveWire.
5. Upload the certificate bundle to the appliance
scp client-ca.pem admin@Omnipeek:~
6. Move the certificate bundle to the proper location
ssh admin@Omnipeek sudo -S mv /home/admin/client-ca.pem /lib/ssl/liveaction/
7. LiveWire will detect the new certificate bundle and automatically restart with client-side authentication enabled. If you wish to disable client-side authentication, simply remove the certificate bundle:
ssh admin@Omnipeek sudo -S rm /lib/ssl/liveaction/client-ca.pem