6.1 Setup Client-cert Authentication

Information

Client-cert authentication requires that each client connecting to the server have a certificate to authenticate. This is generally regarded as stronger authentication than a password as it requires the client to have the certificate and not just know a password.

Rationale:

Certificate based authentication is more secure than password based authentication.

Solution

In the Connector element, set the clientAuth parameter to true and the certificateVerification to required

<-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->

<Connector
port='8443' minProcessors='5' maxProcessors='75'
enableLookups='true' disableUploadTimeout='true'
acceptCount='100' debug='0' scheme='https' secure='true';
clientAuth='true' sslProtocol='TLS'/>
...
<Connector ...>
<SSLHostConfig
certificateVerification='required'
/>

Default Value:

Not configured

See Also

https://workbench.cisecurity.org/benchmarks/11652

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|16.4

Plugin: Unix

Control ID: 94ad7e1db679b0b7baa36fb5f66a0825c4b9de5146510b9ca54cf1d938a43ef3