
Client certificate-based authentication, Enabling user authentication by x.509 certificate – Google Search Appliance Managing Search for Controlled-Access Content User Manual

Page 24


Google Search Appliance: Managing Search for Controlled-Access Content


6. Optionally, in the Trust Duration box, type the number of seconds for which the verification of user credentials will be trusted.
7. Click Save.

Adding a Credential Group Rule for NTLM

To add a credential group rule for NTLM authentication:

1. Click Serving > Universal Login Auth Mechanisms > HTTP.
2. Select a credential group from the pull-down menu.
3. Click the NTLM check box.
4. In the Mechanism Name box, type a unique name for the authentication mechanism. A mechanism name must not be the same as another mechanism name or credential group name. Mechanism names are case-sensitive and can be up to 200 characters long, and can contain only alphanumeric characters, underscores, and hyphens. A name cannot begin with a hyphen.
5. Type a sample URL for the site in the Sample URL box.
6. Optionally, change the default time for the search appliance to make a network connection by entering the number of seconds in the Timeout box.
7. Optionally, in the Trust Duration box, type the number of seconds for which the verification of user credentials will be trusted.
8. Click Save.

For more information about how to configure a credential group for HTTP-based authentication or
NTLM, click Help Center > Serving > Universal Login Auth Mechanisms > HTTP.

Client Certificate-Based Authentication

The search appliance can check a user’s SSL certificate to verify that it was issued by a trusted certificate
authority before serving secure results. This section provides a general overview of how to configure a
search appliance to require X.509 Certificate Authentication from users who submit search queries.
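
The trust decision described above can be reproduced offline with the standard `openssl` command line. This is an added example, not part of the manual or the appliance's own code; the CA and user names (`trusted-ca`, `other-ca`, `alice`, `mallory`) and all keys are constructed throwaway values.

```shell
#!/bin/sh
# Added example: every name, key and certificate here is constructed.
# A client certificate is accepted only if it chains to the trusted CA.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/empty"   # empty CA directory so the system trust store is not consulted

# make_ca NAME: self-signed root standing in for a CA the appliance trusts
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA USER: client certificate for USER, signed by CA
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" 2>/dev/null
}

# check_client TRUSTED_CA USER: prints "accept" if USER's certificate
# verifies against TRUSTED_CA alone, otherwise "reject"
check_client() {
    if openssl verify -CAfile "$WORK/$1.crt" -CApath "$WORK/empty" \
        "$WORK/$2.crt" >/dev/null 2>&1
    then echo accept
    else echo reject
    fi
}

make_ca trusted-ca
make_ca other-ca
issue_client trusted-ca alice     # issued by the CA we trust
issue_client other-ca mallory     # valid certificate, but from an untrusted issuer

echo "alice:   $(check_client trusted-ca alice)"
echo "mallory: $(check_client trusted-ca mallory)"
```

Both certificates are well-formed; only the issuer differs, which is why disabling or enabling a certificate authority changes who can authenticate.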

Configure a search appliance for client certificate-based user authentication by performing the
following tasks:

1. “Enabling User Authentication by X.509 Certificate” on page 24
2. “Configuring a Credential Group for Client Certificate-Based Authentication” on page 25

Enabling User Authentication by X.509 Certificate

To enable user authentication by X.509 certificate, the search appliance must have a digital certificate
that permits crawl and serve over HTTPS. Also, client certificate authentication cannot be used for the
head requestor, so configure policy ACLs (see “Policy Access Control Lists” on page 40) or the
SAML authorization SPI (see “The SAML Authorization Service Provider Interface” on page 47) instead. The
preloaded certificate authorities are enabled by default. You can disable them or re-enable them.

To configure the search appliance to require X.509 Certificate Authentication for search requests from
users:

1. Log in to the Admin Console.