/cfg/slb/ssl/authpol
Authentication Policy Menu
This menu is used to configure an authentication policy. When you enter the Authentication Policy menu, you are prompted to enter an authentication policy ID. The maximum number of policies is 1024.
When using SSL offloading, you can optionally define a client authentication policy that authenticates the client’s identity. You associate a client authentication policy to an SSL policy, and the SSL policy, in turn, is associated to a virtual service.
For more information on client authentication policy, see the section on offloading SSL encryption and authentication in the Alteon Command Line Interface Application Guide.
 
[Authentication Policy Policy_1 Menu]
   name - Set policy name
   validity - Certificate Validation Check Menu
   passinfo - Pass Certificate Information to Backend Servers Menu
   trustca - Set trusted CA certificate
   adverca - Set advertised client’s CA certificate
   cadepth - Set maximum depth to search the trusted CA in the CA certif chain
   caverify - Set certificate's CA verification level
   failurl - Set URL for redirection when authentication fails
   seract - Set server authentication Action on certificate error
   type - Set authentication policy type
   ena - Enable policy
   dis - Disable policy
   del - Delete Policy
   cur - Display current policy configuration
This menu is used for configuring a client authentication policy.
 
Client Authentication Policy Menu 
Command Syntax and Usage
name
 
An optional descriptive name of the policy in addition to the policy ID.
Maximum characters: 128
validity
 
Displays the Certificate Validation Check menu. To view this menu, see /cfg/slb/ssl/authpol/validity Certificate Validation Check Menu.
passinfo
 
Displays the Pass Certificate Information to Backend Servers menu. To view this menu, see /cfg/slb/ssl/authpol/passinfo Pass Certificate Information to Backend Servers Menu.
trustca
 
Specifies one or more (or a group of) Certificate Authority (CA) certificates that are trusted as issuers of regular (client/server) certificates.
When authenticating a client certificate, Alteon sends a Certificate Request message in the SSL handshake. The message includes the common names of the CA certificates defined as trusted, unless a different advertisement list is configured (see the adverca command). The client should send a client certificate that can be validated by Alteon.
When authenticating a server certificate, Alteon checks that the server certificate, or the Intermediate CA certificate that accompanies the server certificate, is signed by a CA configured as Trusted. This validation is very important when the server is external to the organization (outbound SSL traffic).
Note: Trusted CA configuration is mandatory.
Values:
*cert — You will be prompted to select a certificate of type Trusted CA from the Certificate Repository.
*group — You will be prompted to select a certificate group of type Trusted CA from the Certificate Repository.
*none
Default: cert
For more information about importing client Trusted CA certificates to Alteon, see /cfg/slb/ssl/certs/trustca Trusted CA Certificate Menu.
adverca [cert|group|none|default]
 
Specifies the list of certificate authorities that should be included in the Certificate Request message, providing greater control over the configuration information shared with unknown clients.
Values:
*cert — You will be prompted to select a trusted CA certificate from the Certificate Repository.
*group — You will be prompted to select a group of trusted CA certificates from the Certificate Repository.
*none — Sends an empty Certificate Authorities list.
*default — Sends the list of Certificate Authorities defined in the trustca command.
cadepth <1 – 9>
 
Specifies the maximum number of certificates to be traversed in a certificate chain while attempting to validate the link between the certificate and the configured trusted CA.
Default: 2
caverify
 
Specifies whether and how strictly to verify that a client certificate is trusted.
Values:
*require — Certificate verification is mandatory. SSL handshake is rejected if the client does not send a certificate, or if the trust verification for a received client certificate fails.
*optional — Certificate verification is optional. If a certificate is received from a client, its trust chain is verified. If a client does not send a certificate, the SSL handshake still continues.
*none — No certificate validation is performed, even though Alteon requests a certificate from the client.
Default: require
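The following is an added example, not Alteon code: a small Python model of how the trustca, cadepth and caverify settings described above combine to decide the outcome of one client handshake. Certificates are constructed dicts with "subject" and "issuer" names standing in for real X.509 objects, and the interpretation that cadepth counts the certificates examined while walking from the client certificate towards a trusted CA is an assumption.

```python
# Added example (not Alteon's own code): models the client authentication
# decision made from trustca, cadepth, caverify and failurl.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthPolicy:
    trustca: frozenset            # subject names of the trusted CA certificates
    cadepth: int = 2              # max certificates traversed (page default)
    caverify: str = "require"     # require | optional | none (page default)
    failurl: Optional[str] = None # redirect target when authentication fails

def chain_reaches_trusted_ca(chain, policy):
    """Walk from the client (leaf) certificate towards its issuers.
    Returns True if an issuer in the trusted set is reached within
    cadepth traversal steps. `chain` is leaf first, as sent by the client
    (constructed format; assumption)."""
    by_subject = {c["subject"]: c for c in chain}
    current = chain[0]
    for _ in range(policy.cadepth):
        if current["issuer"] in policy.trustca:
            return True
        nxt = by_subject.get(current["issuer"])
        if nxt is None or nxt is current:   # missing intermediate or self-signed
            return False
        current = nxt
    return False                             # trusted CA not found within cadepth

def authenticate(policy, chain):
    """Return (accepted, redirect_url) for one handshake."""
    if policy.caverify not in ("require", "optional", "none"):
        raise ValueError("caverify must be require, optional or none")
    if not chain:
        # no certificate presented: only 'require' rejects the handshake
        ok = policy.caverify != "require"
    elif policy.caverify == "none":
        ok = True                            # requested but never validated
    else:
        ok = chain_reaches_trusted_ca(chain, policy)
    return (True, None) if ok else (False, policy.failurl)

if __name__ == "__main__":
    # Constructed sample: leaf issued by an intermediate, intermediate by the root.
    policy = AuthPolicy(trustca=frozenset({"Corp Root CA"}),
                        failurl="https://example.test/denied")
    leaf = {"subject": "alice", "issuer": "Corp Issuing CA"}
    inter = {"subject": "Corp Issuing CA", "issuer": "Corp Root CA"}
    print(authenticate(policy, [leaf, inter]))   # accepted
    print(authenticate(policy, [leaf]))          # rejected: intermediate missing
```

With cadepth set to 1 the same two-certificate chain is rejected, which is the practical reason the default is 2.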
failurl
 
Specifies the URL to which a client should be redirected when its authentication fails.
seract
 
Displays the Authentication Policy server certificate action menu. To view this menu, see /cfg/slb/ssl/authpol/seract Authentication Policy server certificate action Menu.
type client|server
 
Specifies whether this is a policy for authentication of clients (when Alteon plays the server role through front-end SSL), or for the authentication of servers (when Alteon plays the client role through back-end SSL).
Default: client
ena
 
You must enable the authentication policy for it to take effect. For more information, see the authpol command under /cfg/slb/ssl/sslpol SSL Policy Menu.
dis
 
Disables this policy, making it non-operational.
del
 
Deletes this client authentication policy.
cur
 
Displays the current client authentication policy settings.