Kerberos-based authentication – Google Search Appliance Managing Search for Controlled-Access Content User Manual
Page 25
2. Choose Administration > SSL Settings. Configure the search appliance to permit crawl and serve
   over HTTPS by installing an SSL certificate. For details, see “Configuring Crawl and Serve Over
   HTTPS” on page 11.
3. On the Administration > SSL Settings page, check the settings for “Force secure connections
   when serving?” If No is selected, you must change it to one of the following options: “Use HTTPS
   when serving secure results, but not when serving public results” or “Use HTTPS when serving both
   public and secure results.”
4. Choose Administration > Certificate Authorities. Under Add more Certificate Authorities,
   enter the .pem file that contains your root CA certificate. The search appliance will trust certificates
   issued by this root certificate.
5. Choose Administration > Certificate Authorities. Under Add Certificate Revocation List, enter
   the file that contains the current certificate revocation list (CRL). The search appliance will NOT trust
   certificates that appear in this list. The CRL prevents a user with a revoked certificate from accessing
   secure content.
6. Optionally, to disable default certificate authorities, clear the Enable default Certificate
   Authorities checkbox under Default Certificate Authorities.
7. Click Save Settings.
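
The script below is an added example, not part of the Google manual: checks an administrator could run on a workstation to confirm that the root CA .pem from step 4 and the CRL from step 5 are usable before uploading them. It assumes the openssl command-line tool and GNU date are installed; the function names check_root_ca and check_crl are hypothetical.

```shell
#!/bin/sh
# Added example (not from the manual): pre-upload checks for the root CA .pem
# (step 4) and the CRL (step 5). Assumes the openssl CLI and GNU date.
# Function names are hypothetical; nothing here contacts the appliance.

# check_root_ca FILE: PEM certificate, self-issued, CA:TRUE, not expired.
check_root_ca() {
    ca=$1
    openssl x509 -in "$ca" -noout 2>/dev/null ||
        { echo "FAIL: $ca is not a PEM certificate" >&2; return 1; }
    subject=$(openssl x509 -in "$ca" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$ca" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] ||
        { echo "FAIL: $ca is not self-issued (intermediate or leaf?)" >&2; return 1; }
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: $ca lacks basicConstraints CA:TRUE" >&2; return 1; }
    openssl x509 -in "$ca" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: $ca has expired" >&2; return 1; }
    echo "OK: $ca ($subject)"
}

# check_crl CRL CA: PEM CRL, signed by CA, nextUpdate still in the future.
check_crl() {
    crl=$1 ca=$2
    openssl crl -in "$crl" -noout 2>/dev/null ||
        { echo "FAIL: $crl is not a PEM CRL" >&2; return 1; }
    # The signature result is reported as text, so match on "verify OK"
    # rather than relying on the exit status.
    openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: $crl was not signed by $ca" >&2; return 1; }
    next=$(openssl crl -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    next_s=$(date -d "$next" +%s 2>/dev/null) ||
        { echo "FAIL: $crl has no usable nextUpdate ($next)" >&2; return 1; }
    [ "$next_s" -gt "$(date +%s)" ] ||
        { echo "FAIL: $crl is stale (nextUpdate $next)" >&2; return 1; }
    echo "OK: $crl is current until $next"
}

# Usage: sh check.sh root-ca.pem current-crl.pem
if [ "$#" -eq 2 ]; then
    check_root_ca "$1" && check_crl "$2" "$1"
fi
```

A stale or wrongly signed CRL is the case worth catching here, because step 5 relies on the list being current to keep revoked certificates away from secure content.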
Configuring a Credential Group for Client Certificate-Based Authentication
To add a credential group rule for client certificate-based authentication to a credential group:
1. Click Serving > Universal Login Auth Mechanisms > Client Certificate.
2. Select a credential group from the pull-down menu.
3. Click Enable client certificate authentication support.
4. In the Mechanism Name box, type a unique name for the authentication mechanism. A
   mechanism name must not be the same as another mechanism name or credential group name.
   Mechanism names are case-sensitive and can be up to 200 characters long, and can contain only
   alphanumeric characters, underscores, and hyphens. A name cannot begin with a hyphen.
5. Click Save.
Kerberos-Based Authentication
Kerberos is a network authentication protocol that enables client and server applications to perform
mutual authentication for the duration of a user’s login session. The search appliance can use Kerberos
authentication by issuing a HEAD request to confirm a user’s right to view controlled-access documents.
The search appliance only performs this check during secure serve for content on HTTP servers.
Kerberos supports the following encryption methods:
• rc4
• aes128-cts-hmac-sha1-96
• arcfour-hmac
• des3-cbc-sha1