Implementing PKI authentication
The BMC Server Automation Authentication Server can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a common access card (CAC). A BMC Server Automation client accesses the appropriate certificate and private key on the smart card to authenticate the user through one of two middleware products: ActivClient or 90meter.
If you are using the ActivClient middleware, the RCP console prompts for an ActivClient PIN to connect, as shown in the following figure:
For BMC Server Automation to support ActivClient version 7.x, perform the following prerequisite steps:
- Locate the sunpkcs11.cfg file in %AppData%\BladeLogic and open it with any text editor.
- In the path to the ActivClient directory, change the Program Files directory name to its 8.3 short name. For example, change C:\Program Files (x86)\ActivIdentity\ActivClient to C:\Progra~2\ActivIdentity\ActivClient. Ensure that the path does not contain any space characters.
For the 90meter middleware, the PKI configuration file Sunpkcs11.cfg is not created by default. To create the file, use the following blcred command:
blcred config pki -provider <path to the LitPKCS11.dll from the install directory>
You can also create the file manually in the home directory (for example, on Windows 7, the location is C:\Users\<username>\AppData\Roaming\BladeLogic) with the following contents:
- library=c:\Program Files\90meter\CACPIVMD\pkcs11\x86\LitPKCS11.dll
- slotListIndex=0
Note: library must be the full path to the LitPKCS11.dll file, and slotListIndex must be the slot ID of the reader in which the smart card is inserted. Typically it is 0, but if more than one smart card is inserted on the server, it can be 1 or higher.
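The following script is an added example, not part of the BMC documentation or product. It parses a sunpkcs11.cfg of the form shown above and checks the two settings this page describes: that library points to a DLL (with no spaces in the path when the ActivClient 7.x short-name rule is enforced) and that slotListIndex is a non-negative integer. The sample file contents are constructed; the ActivClient DLL file name is a placeholder, while the 90meter path is the one given above.

```python
# Added example (not BMC's own code): parse and sanity-check a sunpkcs11.cfg.
# Sample inputs below are constructed; the ActivClient DLL name is a placeholder.
import re

def parse_sunpkcs11_cfg(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line, expected key=value: {raw!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def check_sunpkcs11_cfg(text, require_short_path=False):
    """Return a list of problems (an empty list means the file looks usable).
    require_short_path enforces the ActivClient 7.x rule from this page: the
    library path must contain no spaces, i.e. use the 8.3 form C:\\Progra~2\\..."""
    problems = []
    cfg = parse_sunpkcs11_cfg(text)
    lib = cfg.get("library")
    if not lib:
        problems.append("library is missing")
    else:
        if not lib.lower().endswith(".dll"):
            problems.append("library does not point to a .dll")
        if require_short_path and " " in lib:
            problems.append("library path contains spaces; use the 8.3 short name")
    slot = cfg.get("slotListIndex")
    if slot is not None and not re.fullmatch(r"\d+", slot):
        problems.append("slotListIndex must be a non-negative integer")
    return problems

# Constructed samples. The 90meter path is the one from the documentation above.
ACTIVCLIENT_LONG = r"""library=C:\Program Files (x86)\ActivIdentity\ActivClient\placeholder_pkcs11.dll
slotListIndex=0
"""
ACTIVCLIENT_SHORT = r"""library=C:\Progra~2\ActivIdentity\ActivClient\placeholder_pkcs11.dll
slotListIndex=0
"""
NINETY_METER = r"""library=c:\Program Files\90meter\CACPIVMD\pkcs11\x86\LitPKCS11.dll
slotListIndex=0
"""

if __name__ == "__main__":
    for name, text, short in [("ActivClient long", ACTIVCLIENT_LONG, True),
                              ("ActivClient 8.3", ACTIVCLIENT_SHORT, True),
                              ("90meter", NINETY_METER, False)]:
        print(name, check_sunpkcs11_cfg(text, require_short_path=short) or "OK")
```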
A separate prompt for the PIN/password is not shown. Enter the password on the login panel of the RCP console to log in, as shown in the following figure:
If you authenticate the 90meter smart card through the BLCLI command blcred cred -acquire, you are not prompted for the password, and the login fails. Omitting the password on the command line results in an authentication failure and also registers an invalid PIN attempt against the card. Supply the password with the -password option:
blcred cred -acquire -profile <name of pki auth profile> -password <password>
When a PKI authentication profile is selected on the login panel of the RCP console with 90meter, the following message appears to ensure that a password is entered. It does not indicate a failed authentication:
Login failed: Please enter the password and try it again.
To verify that a certificate is currently valid, the Authentication Server can access an OCSP Responder. By default, OCSP verification is enabled for PKI authentication. For more information about setting up OCSP, see Setting up certificate verification using OCSP.
PKI authentication does not work in BMC Server Automation 8.7 or later if OCSP verification is enabled, due to issues in JRE 1.8, which is shipped with BMC BladeLogic Server Automation. See defect QM001884045 in 8901 Known and corrected issues. For instructions on disabling OCSP verification, see To enable or disable OCSP verification. With OCSP verification disabled, the Authentication Server does not check whether a presented certificate has been revoked.
BMC Server Automation does not provide a default set of trusted CA certificates for use with PKI authentication. If you are implementing PKI, you must obtain certificates from a CA.
For a procedure describing how to set up PKI authentication, see Configuring PKI authentication.
In this release, PKI authentication is not supported by the BMC Server Automation Console on 64-bit Windows systems. On a Windows 64-bit system, install and use the 32-bit BMC Server Automation Console.