Applies to Barracuda SSL VPN.
SafeNet iKey 2032 is a USB key device that is small enough to be carried as part of a bunch of keys on a chain. It uses SSL client certificate authentication to present a certificate to the appliance, making textbook use of the "something you know, something you have" security methodology by combining a secret passphrase with the certificate on the device.
The SafeNet iKey 2032 requires a special utility (CIP Utilities) to be installed on the client PC. The software handles certificate management and performs tasks such as requesting the passphrase when connecting to secure websites. When the device is inserted into the USB slot, the client software loads the certificate into the Windows Certificate Store, where it can be accessed by the client’s browser and presented to the appliance.
The following are the steps to set up the Barracuda SSL VPN to use SafeNet iKey 2032 for authentication:
- Configure SSL client certificate authentication.
- Create SSL client certificates to authenticate your users via one of the following:
  - Generating an SSL client certificate for your users using the built-in CA.
  - Importing existing SSL client certificates purchased from a CA.
SafeNet CIP Utilities
The first thing you should do is create a passphrase for each of your USB devices. This is an additional layer of security on top of the certificate itself, and it prevents an unscrupulous individual from using a found or stolen key without knowing this passphrase.
Importing SSL Certificates
Next, import the certificate generated by the appliance onto the key. You will be prompted for a *.p12 file. This refers to the format of the certificate file that is generated by the appliance. Select the relevant certificate for this user’s key and select OK.
You will then be prompted to enter the password for the certificate. This is the password that was set when the certificates were generated in the appliance. Once the correct password has been entered, the certificate is imported and you can view its details in the right-hand column.
Next, right-click on the certificate and choose Copy certificate to the system. This copies the certificate to the Windows Certificate Store. The copied certificate is useless without the corresponding private key, which always remains on the USB device.
The key is now configured. Since the appliance knows which certificate to associate with each user, you should now be able to connect using the new SSL client certificate scheme. Note that you will be prompted by the browser to select an SSL client certificate to present to the Barracuda SSL VPN server.
For the final step in the authentication process, you will be prompted by the CIP Utilities software to enter your iKey passphrase. Once this is entered successfully, the authentication process is complete.
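The following PowerShell check is an added example, not part of the original Barracuda or SafeNet documentation. It inspects a user's .p12 file before it is imported onto the key and reports whether the same certificate is already present in the Windows Certificate Store after "Copy certificate to the system". The file path parameter and the use of the current user's Personal store (Cert:\CurrentUser\My) are assumptions.

```powershell
# Added example. $P12Path and the store location are assumptions, not values from the page.
param(
    [Parameter(Mandatory)] [string] $P12Path   # hypothetical path to the user's .p12 file
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (RFC 5280)

# Password that was set when the certificate was generated on the appliance.
$password = Read-Host -AsSecureString -Prompt 'Password for the .p12 file'

# Get-PfxData parses the file without installing anything into a certificate store.
$pfx  = Get-PfxData -FilePath $P12Path -Password $password
$cert = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $cert) { throw "No end-entity certificate found in $P12Path" }

# A certificate without an EKU extension is not restricted to any purpose;
# one that carries the extension must list client authentication.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekuOids      = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
$clientAuthOk = (-not $eku) -or ($ekuOids -contains $clientAuthOid)

# After "Copy certificate to the system", the same thumbprint should appear
# in the store the browser reads from (assumed here: CurrentUser\My).
$inStore = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

$now = Get-Date
[pscustomobject]@{
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    Thumbprint   = $cert.Thumbprint
    NotBefore    = $cert.NotBefore
    NotAfter     = $cert.NotAfter
    ValidNow     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    ClientAuthOk = $clientAuthOk
    InUserStore  = [bool]$inStore
}
```

A result with ValidNow or ClientAuthOk set to False points to a certificate that should be reissued before it is placed on a key.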