一個關于SSL,CDP和 x509的問題 - 資安

※ [本文轉錄自 Prob_Solve 看板]

作者: outdance (美國要掛了，我會失業嗎) 站內: Prob_Solve
標題: [問題] 一個關于SSL,CDP和 x509的問題
時間: Mon Jan 12 21:50:36 2009

我的頭解決不了這問題，到處在尋求答案

要是誰有點思路，小弟定當感激不盡，下面是他的問題

The current task we are doing is two factors authentication, which is used
to authenticate users against both their client certificates and their accounts
.

Now we configured a web server successfully, which requires clients certificates
when users access it. And then try to make it working with SiteMinder( the
SSO application).
We need use SiteMinder to validate both of the users certificates and user
accounts. But after we installed SiteMinder agent for the web server, the
SiteMinder can not get the clients certificates from web server side.
The information we got is that there are something in IIS preventing SiteMinder
from getting the clients certificates. SiteMinder support said we need disable
a option in IIS, named CDP checking.
CDP means CRL Distribution Point, and CRL means Certificate Revocation List
.
Actually, we disabled the CRL checking of IIS by setting CertCheckMode to
1 in IIS. But it doesn't resolve this problem.

All members in SSO team are not familiar with x509 certificate and advanced
SSL configuration for IIS.
So we want ask for helps from who are experienced in x509 certificate, SSL
configuration for IIS, especially CRL and CDP. If anybody are familiar with
SiteMinder x509 configuration, it will be perfect.

--