KB40514 - How to configure certificate authentication with Pulse Linux


Information

 
Last Modified Date: 4/6/2017 7:05 PM
Synopsis
This article provides the steps to configure certificate authentication with Pulse for Linux.
This feature is available in Pulse for Linux starting with PCS OS 8.3R1 and Pulse 5.3R1.

 
Problem or Goal
Features:
  • Starting with the release of PCS OS 8.3R1 and Pulse Linux 5.3R1, client certificate authentication is supported with Pulse Linux.
  • Linux users can authenticate and establish a VPN session by selecting a certificate from the Pulse certificate store.
  • There is no additional licensing required to enable this feature.
  • There are no notable impacts to scale or performance with this feature.

Linux client Prerequisites:
  • The Pulse 5.3R1 installer should be saved locally to the Linux client or be available to download from a network share. (The packages can be downloaded from the PCS Admin Installers page or from https://my.pulsesecure.net.  See KB40028 - [Customer Support Tools] How to download software using the Licensing & Download Center at my.pulsesecure.net for instructions on downloading software.)
  • libgnome keyring must be installed.  (This will get installed during Step 1 of the Pulse Linux installation.)
  • Provide the Linux user with the Sign-in URL of the PCS device.
  • The client-side certificate (and private key file for .der or .pem format), along with the password for the private key, should be downloaded and saved locally to the Linux client or be available from a network share.
Certificate formats supported:
  • cert.der - Binary format
  • cert.pem - Base64-encoded ASCII format
  • cert.pfx - Binary format for storing the certificate, any intermediate certificates and private key in one encryptable file.
PCS Device Prerequisites: (Not covered in this article)
  • The certificate authorities for the client-side certificates being used for authentication should be imported to the PCS device trusted client CA store. 
  • A Sign-in URL should be configured with a realm that authenticates to a certificate server and maps the user to a role that has Pulse configured on it.
Note:  Certificate authentication will only work using the Pulse UI.  This feature remains unsupported for the CLI.
Cause
Solution


Step 1 - Install the Pulse Client and Dependencies

  1. From the Linux client, run the following command to install the Pulse client:
     sudo dpkg --install /mnt/hgfs/shared_dir/pulse-5.3R1.i386.deb
  2. Install the dependency packages by running the following script:
     /usr/local/pulse/PulseClient.sh install_dependency_packages
 

Step 2 - Verify Pulse installation

       Go to Applications and confirm that the Pulse client is installed with the following application icon:

       [Image: Pulse client application icon]

Step 3 - Install the client-side certificate to the Pulse certificate store

  1. Run the following command to see the options for installing the certificate to the Pulse certificate store:
     /usr/local/pulse/PulseClient.sh install_certificates
  2. Enter 'y' to confirm the client certificate is being installed for the local signed-in user.
  3. The client certificate installation options will be displayed on screen along with options to view and delete certificates from the Pulse Linux certificate store.

Step 4 - Directions to install a certificate in .pem or .der format

  1. To install the certificate in .pem or .der format, use the following command. (For instructions on installing the certificate in .pfx format, go to Step 5.)
     /usr/local/pulse/PulseClient.sh install_certificates -inpriv </PathtoCertPasswordFile/passwordFile.key> \
         -inpub </locationOfCertificate/cert.pem>
  2. Specify the location and file name of the private key password file with the -inpriv option.
  3. Specify the location and file name of the certificate file with the -inpub option.

     Example:
     /usr/local/pulse/PulseClient.sh install_certificates -inpriv /mnt/hgfs/shared_dir/certs/fruitCert.key \
         -inpub /mnt/hgfs/shared_dir/certs/fruitCert.pem
     (In the example above, the private key password file and the certificate file are located in the same network share directory. The files can be in different directories; just be sure to specify the proper location for each.)
  4. Enter 'y' to verify the certificate is being installed for the local user.
  5. Verify that the certificate was successfully installed with the output: Successfully added certificate to Pulse Certificate store.
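
Before running the import command in Step 4, it helps to confirm that the certificate parses, has not expired, and belongs to the private key, and that the key file is not readable by other users. The script below is an added example, not part of the original article or the Pulse client; the function name pulse_cert_preflight is hypothetical, and it assumes openssl and GNU stat are installed and that the -inpriv file is a PEM private key.

```sh
#!/bin/sh
# Added example: pre-flight checks before PulseClient.sh install_certificates.
# pulse_cert_preflight is a hypothetical helper, not a Pulse client command.
# Assumes openssl and GNU stat are available and the key is a PEM private key.

pulse_cert_preflight() {
    cert=$1
    key=$2

    # The -inpub file may be PEM (Base64 text) or DER (binary); detect which.
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null; then
        form=PEM
    else
        form=DER
    fi
    if ! openssl x509 -in "$cert" -inform "$form" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a readable X.509 certificate" >&2; return 1
    fi

    # Reject a certificate that has already expired.
    if ! openssl x509 -in "$cert" -inform "$form" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $cert has expired" >&2; return 1
    fi

    # The private key must not be accessible to group or other users.
    case $(stat -c %a "$key") in
        *00) ;;
        *) echo "FAIL: $key is group/world accessible; chmod 600 it" >&2; return 1 ;;
    esac

    # The certificate's public key must equal the one derived from the private key.
    # (openssl prompts for the passphrase if the key is encrypted.)
    cert_pub=$(openssl x509 -in "$cert" -inform "$form" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 1
    fi

    echo "OK: $cert ($form) and $key are ready to import"
}

# Usage: sh preflight.sh <cert.pem|cert.der> <private.key>
if [ "$#" -eq 2 ]; then
    pulse_cert_preflight "$1" "$2"
fi
```

If the key sits on a shared mount where chmod has no effect, copy it to a local directory owned by the user before importing.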

Step 5 - Directions to install a certificate in .pfx format

  1. To install the certificate in .pfx format, use the following command:
     /usr/local/pulse/PulseClient.sh install_certificates -inpfx /mnt/hgfs/shared_dir/10.30.113.196.pfx
  2. Enter 'y' to confirm the client certificate is being installed for the local signed-in user.
  3. Enter the import password.
  4. Verify that the certificate was successfully installed with the output: Successfully added certificate to Pulse Certificate store.

Step 6 - Add new connection to Pulse and connect

  1. Launch Pulse and click the '+' button to add a connection.
  2. Add a name for the connection.
  3. Enter the connection URL. (Obtain from PCS admin.)
  4. Click Save.  The connection will be added to the Pulse connection list.
  5. Click Connect to launch the new connection.
  6. If multiple certificates are found in the Pulse certificate store they will be displayed under the connection.  
  7. Click View to display the certificate details for each certificate.
  8. Select the certificate and click Continue.
  9. The "Connect" button will change to "Disconnect" once the connection is complete.
  10. Click the expand button for the active connection to view the status.
  11. Click File > Connections > Advanced to confirm VPN connectivity.

Created By: Karen Mayberry