Configuring Certificate Security

You can use personal-certificate security with ARCHIBUS if your site's authentication server protects the application server that runs ARCHIBUS as a certificate-protected resource.

To configure workstations to use certificate security, follow these steps.

Step 1: Configure the computer where Smart Client is installed.

1.1. Install the client security certificate for the current user

  1. To start this process, you will need a personal client certificate and the password for its private key. Your system administrator should provide both.
  2. Start Internet Explorer.
  3. Import the personal certificate into Internet Explorer, using Tools > Internet Options > Content > Certificates > Import. Select the file containing the personal client certificate. You will be asked for the password for the private key. Accept all defaults, and click “Finish”.
  4. You will see a message that the import was successful.

1.2. Configure Internet Explorer: Don't prompt for client certificate selection when only one certificate exists

If there is only a single certificate suitable for a particular request, Internet Explorer can be configured to use it automatically instead of prompting the user to select one.

  1. Start Internet Explorer.
  2. In Tools > Internet Options > Security > Custom Level, enable the “Don't prompt for client certificate selection when only one certificate exists” option.
  3. In Tools > Internet Options > Security > Trusted sites, add the URL of your server to the Trusted sites zone.
  4. Close Internet Explorer.
  5. Start Internet Explorer again.
  6. Enter the URL of the Web Central server, for example: https://ubuntu/archibus/. You will see the Web Central Process Navigator. There should be no error messages.
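The following PowerShell script is an added example, not part of the ARCHIBUS documentation or product, that performs steps 1.1 and 1.2 above for the current user without the Internet Explorer dialogs: it imports the PFX into the user's personal store, enables the "Don't prompt for client certificate selection when only one certificate exists" setting (registry value 1A04, zone 2 = Trusted sites), adds the server to the Trusted sites zone for https only, and then opens the Web Central URL while presenting the certificate, which is the scripted equivalent of the final browser check. The PFX path, host name and URL are placeholders; Import-PfxCertificate requires the PKI module shipped with Windows 8 / Server 2012 and later, and a Group Policy setting for the same zone value takes precedence over the per-user registry value written here.

```powershell
# Added example (not ARCHIBUS code): automate Step 1 for the current user.
# Replace the placeholder path and host name with the values for your site.
$PfxPath    = 'C:\certs\user-client.pfx'   # placeholder: PFX supplied by the administrator
$ServerHost = 'ubuntu'                     # placeholder: host name from the Web Central URL
$ServerUrl  = "https://$ServerHost/archibus/"

# 1.1 Import the personal certificate and its private key into Cert:\CurrentUser\My.
# Read-Host keeps the private-key password out of the script file and the shell history.
$pfxPassword = Read-Host -Prompt 'Private-key password' -AsSecureString
$imported = Import-PfxCertificate -FilePath $PfxPath `
                                  -CertStoreLocation 'Cert:\CurrentUser\My' `
                                  -Password $pfxPassword |
            Where-Object HasPrivateKey | Select-Object -First 1
Write-Host "Imported: $($imported.Subject) (thumbprint $($imported.Thumbprint))"

# 1.2 (a) Zone 2 is "Trusted sites". Value 1A04 is "Don't prompt for client certificate
# selection when only one certificate exists"; 0 = Enable, 3 = Disable (per-user, HKCU).
# The Custom Level dialog applies to the zone selected in it; because the server is added
# to Trusted sites below, the setting is written for that zone.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
Set-ItemProperty -Path $zonesKey -Name '1A04' -Value 0 -Type DWord

# 1.2 (b) Add the server to the Trusted sites zone for the https scheme only, so that an
# http:// URL for the same host does not silently inherit the trusted-zone settings.
$domainKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$ServerHost"
if (-not (Test-Path $domainKey)) { New-Item -Path $domainKey -Force | Out-Null }
Set-ItemProperty -Path $domainKey -Name 'https' -Value 2 -Type DWord

# Verification, equivalent to opening the URL in Internet Explorer: present the imported
# certificate during the TLS handshake and expect an HTTP 200 with no error page.
try {
    $response = Invoke-WebRequest -Uri $ServerUrl -Certificate $imported -UseBasicParsing
    Write-Host "Server answered HTTP $($response.StatusCode); client certificate accepted."
} catch {
    Write-Warning "Certificate sign-in test failed: $($_.Exception.Message)"
}
```

Run the script in the user's own session (not elevated as a different account), because both the certificate store and the zone settings it writes are per-user; a failure in the final request usually means the server's authentication front end did not accept the certificate's issuer, which is a server-side trust question rather than a workstation one.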

Step 2: Use your personal security certificate in the Smart Client

  1. Start Smart Client.
  2. Click the “Sign In” button.
  3. On the “Sign In” form, click the “Select Server” button.
  4. On the “Select Server” form, enter the URL of the server that is configured to require a client certificate. The URL must begin with "https"; otherwise, ARCHIBUS will not enable the personal security certificate option.
  5. Check the “Use personal security certificate” option.
  6. Click the “Select” button, and select your security certificate.
  7. Click “OK”; the “Select Server” form closes.
  8. Click “OK”; the “Sign In” form closes.
  9. You will see the Process Navigator in Smart Client.

Technical details

Beginning with V20.1 of Smart Client, there is an option on the “Select Server” form: “Use personal security certificate”. The Smart Client only enables this option if the URL the user tries to connect to begins with "https". The Smart Client does so in order to prevent any queries, even the initial handshaking queries, from going out over an insecure connection.

When the user signs in, the Smart Client Web Services present that certificate to the server for client authentication. These Web Services provide all the information the Smart Client needs for features like the Smart Client Process Navigator, the Grid, and the Extensions for AutoCAD and Revit.

Some views within the Smart Client are Web forms that load within an embedded Web browser control. The Smart Client also invokes the embedded Web browser control when the user clicks the "Web Central" button on the Smart Client ribbon toolbar. If you have set Internet Explorer to automatically use a "suitable" certificate when it finds that only one exists on the local workstation (via Tools > Internet Options > Security > Custom Level > “Don't prompt for client certificate selection when only one certificate exists”), then the embedded Web browser control will automatically use that same certificate. If you do not use this setting, the embedded Web browser control prompts for the certificate the first time the user tries to access a Web resource protected by certificate security.

If there is more than one certificate on the workstation, the user may select one certificate for the Smart Client and a different one for Internet Explorer (and thereby for the embedded Web browser). In this case, in theory, they could log into ARCHIBUS as two different identities (e.g. "ABERNATHY" for the Smart Client and "CARLO" for IE and the embedded Web browser). However, this "dual identity" condition is unlikely, as the reason sites authorize certificate authorities and issue personal certificates to individual users is to identify that particular person. If a user holds different identities, it is for a deliberate reason, and they are not likely to be authorized to use two different personal certificates against the same Web resource (in this case, the proxy server in front of ARCHIBUS).
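Because the silent-selection setting only applies when exactly one suitable certificate exists, the "dual identity" condition above can be checked on the workstation before it surprises a user. The following PowerShell script is an added example, not ARCHIBUS code: it lists every certificate in the current user's personal store that Internet Explorer or the Smart Client could offer for client authentication (private key present, not expired, and either no Enhanced Key Usage extension or one that includes Client Authentication), reads back the 1A04 zone value for Trusted sites, and reports whether a prompt, a silent selection, or a possible identity mismatch is to be expected. The registry path and zone number are assumptions matching the Trusted sites zone used in Step 1.

```powershell
# Added example (not ARCHIBUS code): audit the certificates that could be used for
# client authentication and explain what the embedded browser will do with them.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'  # Trusted sites

# The Cert: provider adds EnhancedKeyUsageList (FriendlyName, ObjectId) to each certificate.
# An empty list means the certificate carries no EKU extension and is valid for any purpose.
$candidates = @(Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ( $_.EnhancedKeyUsageList.Count -eq 0 -or
      ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthOid) )
})

$candidates | Format-Table Subject, Issuer, Thumbprint, NotAfter -AutoSize

# 0 = "Don't prompt ..." enabled, 3 = disabled, $null = never set (IE default applies).
$noPrompt = (Get-ItemProperty -Path $zonesKey -Name '1A04' -ErrorAction SilentlyContinue).'1A04'

switch ($candidates.Count) {
    0 {
        Write-Warning 'No client-authentication certificate with a private key: certificate sign-in will fail.'
    }
    1 {
        if ($noPrompt -eq 0) {
            Write-Host 'One suitable certificate; IE and the embedded browser will use it without prompting.'
        } else {
            Write-Host 'One suitable certificate, but silent selection is not enabled: the embedded browser will prompt once.'
        }
    }
    default {
        Write-Warning ("{0} suitable certificates found. The silent-selection setting does not apply, " +
                       "and the Smart Client and the embedded browser can be given different identities. " +
                       "Remove certificates that are not meant for this server, or make sure the same one is chosen in both.") -f $candidates.Count
    }
}
```

The check is read-only, so it can be run on a user's workstation while troubleshooting a sign-in that works in Smart Client but not in an embedded Web Central view, or vice versa.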