Implementing PKI authentication

The BMC Server Automation Authentication Server can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a common access card (CAC). A BMC Server Automation client can access the appropriate certificate and private key on the smart card to authenticate the user through two middleware approaches:

  • ActivClient

    If you are using the ActivClient middleware, the RCP console requests for an ActivClient PIN to connect, as shown in the following figure:

    Note

    For BMC Server Automation to support ActivClient version 7.x, perform the following prerequisite steps:

    1. Locate the sunpkcs11.cfg file in %AppData%\BladeLogic, and open it with any text editor.
    2. In the path to the ActivClient directory, modify the Program Files directory name according to the 8.3 filename convention.
      For example, change C:\Program Files (x86)\ActivIdentity\ActivClient to C:\Progra~2\ActivIdentity\ActivClient.
      Ensure that the path does not include any space characters.
  • 90meter

    For 90meter middleware, PKI configuration file Sunpkcs11.cfg is not created by default. To create the file use the following blcred command:

    blcred config pki -provider <path to the LitPKCS11.dll from the install directory>

    You can also create the file manually in the home directory (for example, on Windows 7, the location is: C:\Users\<username>\AppData\Roaming\BladeLogic) with following contents:

    • name=CryptokiProvider
    • library=c:\Program Files\90meter\CACPIVMD\pkcs11\x86\LitPKCS11.dll
    • slotListIndex=0

    Note

    library should have the full path to the LitPKCS11.dll file and slotListIndex should be the slot id where smart card is inserted. Typically it is 0, but in some cases where more than one smart cards are inserted on the server, it could be 1 or more also.

    Separate prompt for the PIN/password is not shown. Enter the Password on the login panel of RCP console to login successfully, as shown in the following figure:

    Info

    If you are authenticating the 90meter smart card through BLCLI command, blcred cred -acquire, you are not prompted for the password and login results as unsuccessful. Not entering the password on CLI will result in an authentication failure and also an invalid PIN attempt against the card

    blcred cred -acquire -profile <name of pki auth profile> -password <password>

    Note

    Following message appears when PKI authentication profile is selected on the login panel of RCP console to ensure a password is entered when using 90meter. This does not result in failed authentication.

    Login failed: Please enter the password and try it again.

To verify that a certificate is currently valid, the Authentication Server can access an OCSP Responder. By default, OCSP verification is enabled for PKI authentication. For more information about setting up OCSP, see Setting up certificate verification using OCSP.

Note

PKI authentication does not work in BMC Server Automation 8.7 or later if OCSP verification is enabled, due to issues in JRE 1.8, which is shipped with BMC BladeLogic Server Automation. See defect QM001884045 in 8901Known and corrected issues. For instructions on disabling OCSP verification, see To enable or disable OCSP verification.

While logging into a BMC Server Automation client, the user must insert a smart card into a card reader and enter a PIN. If the information the user enters is valid and the OCSP Responder verifies the validity of the user's certificate, the Authentication Service issues the client a session credential.

BMC Server Automation does not provide a default set of trusted CA certificates for use with PKI authentication. If you are implementing PKI, you must obtain certificates from a CA.

For a procedure describing how to set up PKI authentication, see Configuring PKI authentication.

Note

In this release, PKI authentication is not supported by the BMC Server Automation Console on 64-bit Windows systems. On a Windows 64-bit system, install and use the 32-bit BMC Server Automation Console.

Was this page helpful? Yes No Submitting... Thank you

Comments