Tuesday, January 10, 2012

Client Authentication on VSX with SSL support

If you ever want to enable Client Authentication on VSX with SSL support, here are some tips.

First, carefully read SK37001 and the How-To-Install-3rd-party-SSL-Certificate.pdf document from the Check Point support site.

You will have to modify cpauthd.conf in order to enable SSL-based client authentication. Note that in a VSX environment you can do this either globally (for all Virtual Systems at once) or per VS; the per-VS approach is the recommended one. The file is located in the $FWDIR/CTX/CTX00xxx/conf/ directory, where xxx is the VS ID.

Change the file configuration as marked (underlined bold in the original) below:
---

    :clauth_port (259)
    :clauth_http_port (443)       << change the listening port
    :clauth_http_ssl (1)          << enable SSL
    :clauth_http_wap (0)
    :clauth_http_nickname (Your certificate Nickname) << put the nickname of your third-party certificate here

---
Note that you will have to prepare a third-party certificate to use. Some CAs, such as VeriSign, do not accept the default Check Point CSR; you will have to increase the key size to at least 2048. To do that, go to Global Properties / SmartDashboard Customization / Advanced Configuration and change the host_certs_key_size parameter to the required number.

Do not forget to install the certificate on the VS as described in the "How to" document.

All of the changes mentioned take effect after a reboot of your VSX boxes.
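As an added example (not part of the original post and not Check Point tooling), here is a small POSIX shell helper that applies the three per-VS cpauthd.conf changes above, keeps a rollback copy and lets you read the values back for verification. The $FWDIR/CTX/CTX00xxx/conf/ layout follows the post; the function names and the sample nickname my_vs_cert are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Check Point.
# Rewrites the three cpauthd.conf settings discussed above for one Virtual
# System, keeps a rollback copy and lets you verify the result afterwards.
# The directory layout $FWDIR/CTX/CTX00xxx/conf/ follows the post; the
# function names and the sample nickname "my_vs_cert" are assumptions.

# vs_conf_path <vs-id>: path of the per-VS cpauthd.conf (never the global one)
vs_conf_path() {
    printf '%s/CTX/CTX%05d/conf/cpauthd.conf\n' "${FWDIR:?FWDIR is not set}" "$1"
}

# clauth_value <cpauthd.conf> <key>: print the value between the parentheses
clauth_value() {
    sed -n "s/^[[:space:]]*:$2[[:space:]]*(\(.*\)).*/\1/p" "$1" | head -n 1
}

# set_clauth_ssl <cpauthd.conf> <https-port> <cert-nickname>
set_clauth_ssl() {
    conf="$1"; port="$2"; nick="$3"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    case "$port" in                          # the listening port must be numeric
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    case "$nick" in                          # these would break the sed below
        */*|*"&"*) echo "unsupported character in nickname" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Only the value in parentheses changes; indentation and other keys stay.
    sed -e "s/^\([[:space:]]*:clauth_http_port[[:space:]]*\)(.*)/\1($port)/" \
        -e "s/^\([[:space:]]*:clauth_http_ssl[[:space:]]*\)(.*)/\1(1)/" \
        -e "s/^\([[:space:]]*:clauth_http_nickname[[:space:]]*\)(.*)/\1($nick)/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Usage on a VSX member: set_clauth_ssl "$(vs_conf_path 5)" 443 my_vs_cert
# then check with:        clauth_value "$(vs_conf_path 5)" clauth_http_ssl
```

Run it against the per-VS file only; the global copy is left alone, and the timestamped .bak file gives you a rollback before the reboot.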

2 comments:

  1. Hi there!

    I think there is something wrong with your link.

    http://www.how-to-install-3rd-party-ssl-certificate.pdf/ does not look like a valid URL!
