Launch Tectia Server Configuration GUI.

Select Start > All Programs > Tectia Server > Tectia Server Configuration.

Under GUI Mode, select Advanced to view all available options and groups.

Figure 5.2. Selecting Advanced GUI mode

Go to the Certificate Validation page and select the CA Certificates tab.

Add the trust anchors and intermediate CA certificates that are needed for the certificate validation. Root CA certificates or intermediate CA certificates can be added as trust anchors. Normally you need to add only the CA certificate that can issue certificates for the users into Tectia Server configuration. That is, you need not create the whole trust path in the configuration.

	Note
	CA certificates are by default added to the CA Certificates list as trust anchors, meaning that revocation checks are not performed on them. When adding a new intermediate CA certificate, clear the Trusted CA check box to enable revocation checks.

Figure 5.3. Adding CA certificates

Note

In case you have an LDAP server in use, you only need to add the root CA certificate into the server configuration. Tectia Server can retrieve the intermediate CA certificates that are issued by the root CA certificate automatically from the LDAP server. For example, if Company Users is added as a trust anchor and the intermediate CA certificates are stored in the LDAP, end entities certified by the root or intermediate CA certificates will be trusted.

For more information about certificate validation, see Certificate Validation .

Go to Authentication and select Default Authentication to configure selectors and parameters for the group. Note that this authentication group is available in the default configuration of Tectia Server.

Figure 5.4. Creating authentication group

On the Selectors tab, enter a name for the authentication group.

Leave the selectors list empty, all incoming users are selected into this authentication group and to the authentication method chain. This is the first authentication group that you need to create for the authentication method chain. There will be two authentication groups in the chain.

On the Parameters tab, make sure that the Allow public-key authentication option is selected.

Figure 5.5. Allowing public key authentication

Create a child authentication group which will be used to check certain fields from the end user's certificate. That is, you are configuring your selector for the certificates. Click the Add Child button and enter a name for the child authentication group.

Figure 5.6. Creating a child authentication group

On the Selectors tab of the child authentication group, click the Add Selector button. From the list, select Certificate and click OK.

Figure 5.7. Adding a selector for a certificate

In the Certificate Selector dialog box, select which field on the certificate you wish to authenticate against.

Enter the pattern in the field.

It is extremely important to create a mapping between real OS user accounts and the end users' certificates so that a single end user can only access a single specific OS user account with their personal certificate and not all OS user accounts. For example, if you use subject-name, the pattern could be:

CN=%username-without-domain%, CN=USERS, DC=DEMO, DC=SSH, DC=COM

Figure 5.8. Entering a pattern for the certificate selector

Once you have made your changes, click OK.

Figure 5.9. Completed selector

On the Parameters tab, unselect all authentication methods because the parent authentication group checks whether the public key authentication is successful.

Figure 5.10. Unselecting authentication methods

Click Apply to save your changes.