Tarantella Administration Guide > Users and authentication > Can I use client certificates with web server authentication?

Can I use client certificates with web server authentication?

Yes. You can strengthen the security of web server authentication by requiring that clients have a valid SSL (X.509) certificate.

To configure Tarantella to accept users who have been authenticated using client certificates:

1. Configure Tarantella web server authentication in the normal way.
2. Test that web server authentication works.
3. Configure your web server so that to access the /tarantella/cgi-bin/secure/ web server directory you need a client certificate. How you do this depends on your web server. The Tarantella Web Server includes the Apache mod_ssl module.
4. Test that the client certificates work.
5. Log in as root on the Tarantella host and run the following command:

   tarantella config edit --tarantella-config-server-cgibin-bootscript secure/ttaauthclientcert.cgi

6. Restart the Tarantella server.
7. You should now be able to log in automatically with client SSL certificates.

Note We recommend that you use the Tarantella Security Pack to secure Tarantella-related connections. We also recommend a secure (HTTPS) web server.

Notes

• Tarantella web server authentication relies on the web server setting the REMOTE_USER cgi-bin environment variable to identify the user. However, if users are authenticated using client certificates this variable is not set and so users can't be authenticated to Tarantella. This above configuration implements a cgi wrapper script, ttaauthclientcert.cgi. This script exports the SSL_CLIENT_S_DN_CN variable to the REMOTE_USER variable and allows users to be authenticated to Tarantella.
• The SSL_CLIENT_S_DN_CN variable is specific to Apache web servers (the Tarantella Web Server is an Apache web server). If your web server sets a different variable when using client certificates, you will need to create your own wrapper script to set the environment variable.