Identity Broker

This template contains the mandatory parameters to configure the Identity Broker on a PDP Publisher that works with two PDP Subscribers.

See:

• Configuring an Identity Broker.

• Example of a Configured Identity Broker.

#############################################################
#  Configuration file for Identity Broker - Identity Distribution between PDPs.
#  For more information , please refer to Identity Awareness Admin Guide.
#############################################################
(
  :sharing_id (ENTER_UNIQUE_SHARING_ID_FOR_THIS_PUBLISHER_GATEWAY)
  :identity_subscribers (
    : (
      :Name (DESCRIPTIVE_NAME_OF_SUBSCRIBER_GATEWAY_1)
      :sharing_id (UNIQUE_SHARING_ID_OF_SUBSCRIBER_GATEWAY_1)
      :ipaddr (IP_ADDRESS_OF_INTERFACE_ON_SUBSCRIBER_GATEWAY_1)
      :certificate_subject ("CERTIFICATE_SUBJECT_OF_SUBSCRIBER_GATEWAY_1")
    )
    : (
      :Name (DESCRIPTIVE_NAME_OF_SUBSCRIBER_GATEWAY_2)
      :sharing_id (UNIQUE_SHARING_ID_OF_SUBSCRIBER_GATEWAY_2)
      :ipaddr (IP_ADDRESS_OF_INTERFACE_ON_SUBSCRIBER_GATEWAY_2)
      :certificate_subject ("CERTIFICATE_SUBJECT_OF_SUBSCRIBER_GATEWAY_2")
    )
  )
)

This template contains the mandatory parameters to configure the Identity Broker on a PDP Subscriber that works with two PDP Publishers.

See:

• Configuring an Identity Broker.

• Example of a Configured Identity Broker.

#############################################################
#  Configuration file for Identity Broker - Identity Distribution between PDPs.
#  For more information , please refer to Identity Awareness Admin Guide.
#############################################################
(
  :sharing_id (ENTER_UNIQUE_SHARING_ID_FOR_THIS_SUBSCRIBER_GATEWAY)
  :identity_publishers (
    : (
      :Name (DESCRIPTIVE_NAME_OF_PUBLISHER_GATEWAY_1)
      :sharing_id (UNIQUE_SHARING_ID_OF_PUBLISHER_GATEWAY_1)
      :ipaddr (IP_ADDRESS_OF_INTERFACE_ON_PUBLISHER_GATEWAY_1)
    )
    : (
      :Name (DESCRIPTIVE_NAME_OF_PUBLISHER_GATEWAY_2)
      :sharing_id (UNIQUE_SHARING_ID_OF_PUBLISHER_GATEWAY_2)
      :ipaddr (IP_ADDRESS_OF_INTERFACE_ON_PUBLISHER_GATEWAY_2)
    )
  )
)

This template contains all supported parameters to configure the Identity Broker.

See:

• Configuring an Identity Broker.

• Example of a Configured Identity Broker.

######################################################################################
#    Configuration file for Identity Broker - Identity Distribution between PDPs.    #
#    For more information, see  the Identity Awareness Administration Guide.         #
######################################################################################
(
  :sharing_id ()
  :identity_subscribers (
    : (
      :Name ()
      :sharing_id ()
      :ipaddr ()
      :certificate_subject ("")
      :crl_validation_config (fail_closed)
      :share_only_local_sessions (false)
      :filter (
        :include_users_and_machines ()
        :exclude_users_and_machines ()
        :include_networks ()
        :exclude_networks ()
        :include_identity_source ()
        :exclude_identity_source ()
        :include_domains ()
        :exclude_domains ()
        :include_roles ()
        :exclude_roles ()
        :include_distinguished_names ()
        :exclude_distinguished_names ()
        :include_owners ()
        :exclude_owners ()
        :include_immediate_publishers ()
        :exclude_immediate_publishers ()
      )
    )
  )
  :identity_publishers (
    : (
      :Name ()
      :sharing_id ()
      :ipaddr ()
      :recalculate_access_roles (false)
      :filter (
        :include_users_and_machines ()
        :exclude_users_and_machines ()
        :include_networks ()
        :exclude_networks ()
        :include_identity_source ()
        :exclude_identity_source ()
        :include_domains ()
        :exclude_domains ()
        :include_roles ()
        :exclude_roles ()
        :include_distinguished_names ()
        :exclude_distinguished_names ()
        :include_owners ()
        :exclude_owners ()
        :include_immediate_publishers ()
        :exclude_immediate_publishers ()
      )
    )
  )
  :global_outgoing_filter (
    :include_users_and_machines ()
    :exclude_users_and_machines ()
    :include_networks ()
    :exclude_networks ()
    :include_identity_source ()
    :exclude_identity_source ()
    :include_domains ()
    :exclude_domains ()
    :include_roles ()
    :exclude_roles ()
    :include_distinguished_names ()
    :exclude_distinguished_names ()
    :include_owners ()
    :exclude_owners ()
    :include_immediate_publishers ()
    :exclude_immediate_publishers ()
  )
  :global_incoming_filter (
    :include_users_and_machines ()
    :exclude_users_and_machines ()
    :include_networks ()
    :exclude_networks ()
    :include_identity_source ()
    :exclude_identity_source ()
    :include_domains ()
    :exclude_domains ()
    :include_roles ()
    :exclude_roles ()
    :include_distinguished_names ()
    :exclude_distinguished_names ()
    :include_owners ()
    :exclude_owners ()
    :include_immediate_publishers ()
    :exclude_immediate_publishers ()
  )
)

See Example of a Configured Identity Broker.

A Publisher Security Gateway shares identities with other Security Gateways that are considered Identity Subscribers.

For a Publisher Security Gateway to share identities, you must configure the Identity Subscribers in the $FWDIR/conf/identity_broker.C file on the Publisher Security Gateway.

Part 1 of 2 - PDP Publisher Configuration in SmartConsole

1. From the left navigation panel, click Gateways & Servers.

2. Double-click the Security Gateway / Cluster object.

3. Enable the Identity Awareness Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities. and complete the Identity Awareness Configuration wizard.

4. From the left tree, click Identity Awareness.

5. Select the applicable Identity Sources - the Identity Providers from which to get the identities.

   Near each Identity Source you selected, click Settings and configure the applicable settings.

6. Optional: Configure this Security Gateway / Cluster as a Subscriber of a different Identity Awareness Security Gateway / Cluster.

7. Click OK.

8. Install the Access Control Policy on this Security Gateway / Cluster object.

Part 2 of 2 - PDP Publisher Configuration in Command Line

1. Connect to the command line on this Security Gateway / each Cluster Member.

2. Log in to the Expert mode.

3. Back up the current file:

   cp -v $FWDIR/conf/identity_broker.C{,_BKP}

4. Edit the current file:

   vi $FWDIR/conf/identity_broker.C

   See Example of a Configured Identity Broker.

5. In the section ":sharing_id()", enter an alphanumeric unique identifier for this PDP Publisher.

   Enter at minimum 16 characters. You can use a UUID generator.

   You use this identifier in the $FWDIR/conf/identity_broker.C file on Subscribers in the section ":identity_publishers ()".

   For example:

   :sharing_id (b2L4Sri5K9HxJw63GjAb)

6. In the section ":identity_subscribers ()", enter the applicable data for each Subscriber Security Gateway / Cluster.

Parameter	Description
Name	Specifies a descriptive name for this Subscriber Security Gateway / Cluster. Best Practice - Use the object name of this Subscriber Security Gateway / Cluster as configured in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..
sharing_id	Specifies the unique identifier of the Subscriber Security Gateway / Cluster. Get this value from the $FWDIR/conf/identity_broker.C file on the Subscriber - from the top section ":sharing_id ()". Note - The sharing_id must be identical to all cluster members and set the IP address to one of the cluster's VIPs. From the subscriber's perspective, the Cluster Publisher is seen as a single publisher in common cluster topologies.
ipaddr	Specifies the IPv4 address of the applicable interface on the Subscriber Security Gateway / Cluster, to which this Publisher connects. Important - If this IP address changes in the Subscriber Security Gateway / Cluster object, you must update it in the $FWDIR/conf/identity_broker.C file. Note - For IPv6, use "ipaddr6".
certificate_subject	Note - You can perform this procedure only after you enable "Get Identities from Identity Broker" in the Subscriber Security Gateway object in SmartConsole. Fetch the Server Certificate from the Subscriber. On the Publisher Security Gateway / each Cluster Member, run: $FWDIR/bin/BrokerCertFetcher <IP Address of Subscriber> Make sure the CA Fingerprint and the "Subject" for the Subscriber Security Gateway are correct. Configure the "Subject" for the Subscriber Security Gateway in the "certificate_subject" field. Make sure this file exists: stat $FWDIR/nac/broker_ca_certs/<IP_Address_of_Subscriber>.pem
crl_validation_config	Optional: Specifies the mode for CRL (Certificate Revocation List) validation. The options are: fail_closed - Start to download the CRL list. If the download fails, deny the connection (default). fail_open - Start to download the CRL list. If the download fails, allow the connection. skip_crl_check - Do not use CRL to validate the Certificate.
share_only_local_sessions	Optional: Specifies to publish only local sessions to this Subscriber. Identities of local sessions are those identities that are directly learned from the locally connected identity sources. The options are: true false (default)
filter	Optional: Specifies an outgoing filter for this specific Subscriber. Follow the instructions in Configuring Identity Filters.

A Subscriber Security Gateway gets its identities from other Security Gateways. These are considered Identity Publishers.

For a Subscriber Security Gateway to get identities, you must configure the Identity Publishers in the $FWDIR/conf/identity_broker.C file on the Subscriber Security Gateway.

Part 1 of 2 - PDP Subscriber Configuration in SmartConsole

1. From the left navigation panel, click Gateways & Servers.

2. Double-click the Security Gateway / Cluster object.

3. Enable the Identity Awareness Software Blade and complete the Identity Awareness Configuration wizard.

4. From the left tree, click Identity Awareness > Identity Sharing.

5. In the right pane:

   1. Enable Get Identities from Identity Broker.

   2. Click Settings.

      The Portal Access Settings window opens.

6. Import a dedicated internal CA certificate for the Subscriber to present to the Publishers as an HTTPS Server certificate:

   1. Connect to the command line on the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

   2. Log in to the Expert mode.

   3. Run this command for the Security Gateway / Cluster object you configure:

      cpca_client create_cert -n "CN=<Name of Security Gateway / Cluster Object>.broker.portal" -f <Name of Security Gateway / Cluster Object>_broker.p12 -k IKE -w "<Password>"

   4. Transfer this P12 file from the Management Server to the SmartConsole Client computer.

   5. In the Certificate section, click Import.

   6. Select the P12 file and click Open.

7. Configure the Accessibility settings.

   By default, the Publisher Security Gateway tries to connect to the internal interface of the Subscriber Security Gateway.

   If one of the Publisher Security Gateways connects to the Subscriber Security Gateway through a different interface:

   1. In the Accessibility section, click Edit.

   2. Select the applicable option.

   3. Click OK to close the Portal Access Settings window.

8. Click OK.

9. Install the Access Control Policy on the Security Gateway / Cluster object.

Part 2 of 2 - PDP Subscriber Configuration in Command Line

1. Connect to the command line on the Subscriber Security Gateway / each Cluster Member.

2. Log in to the Expert mode.

3. Back up the current file:

   cp -v $FWDIR/conf/identity_broker.C{,_BKP}

4. Edit the current file:

   vi $FWDIR/conf/identity_broker.C

   See Example of a Configured Identity Broker.

5. In the section ":sharing_id()", enter an alphanumeric unique identifier for this PDP Subscriber.

   Enter at minimum 16 characters. You can use a UUID generator.

   You use this identifier in the $FWDIR/conf/identity_broker.C file on Publishers in the section ":identity_subscribers ()".

   For example:

   :sharing_id (b2L4Sri5K9HxJw63GjAb)

6. In the section ":identity_publishers ()", enter the applicable data for each Publisher Security Gateway / Cluster.

   Parameter	Description
   Name	Specifies a descriptive name for this Publisher Security Gateway / Cluster. Best Practice - Use the object name of this Publisher Security Gateway / Cluster as configured in SmartConsole.
   sharing_id	Specifies the unique identifier of the Publisher Security Gateway / Cluster. Get this value from the $FWDIR/conf/identity_broker.C file on the Publisher - from the top section ":sharing_id ()". Note - The sharing_id must be identical to all cluster members and set the IP address to one of the cluster's VIPs. From the subscriber's perspective, the Cluster Publisher is seen as a single publisher in common cluster topologies.
   ipaddr	Specifies the IPv4 address of the applicable interface on the Publisher Security Gateway to which this Subscriber connects. Important - If this IP address changes in the Subscriber Security Gateway / Cluster object, you must update it in the $FWDIR/conf/identity_broker.C file. Note - For IPv6, use "ipaddr6".
   filter	Optional: Specifies an incoming filter for this specific Publisher. Follow the instructions in Configuring Identity Filters.
   recalculate_access_roles	Optional: Specifies if recalculation of Access Roles is needed for each shared session from this Publisher. This way, the Subscriber can use the Access Roles from the Access Control Policy instead of the Access Roles from the Publisher. This feature is disabled by default. For more information, see sk164474.