Configuring the portal for PKI authentication
Note
PKI authentication was introduced in BladeLogic Portal version 2.2.00.001.
When BladeLogic Portal authentication is set up to use public key infrastructure (PKI), it uses a two-way TLS handshake. A PKI implementation requires both client-side and server-side certificates.
This procedure provides instructions for creating a truststore using U.S. Department of Defense (DoD) instructions. The truststore validates client-side certificates that are sent to the portal through a browser.
For server-side certificates, you can use the existing self-signed certificate that is created when you install the portal using an HTTPS deployment, or you can use a valid certificate issued by a CA. The server-side certificate is stored in the keystore file on the Tomcat server. See Manually adding a trusted certificate for instructions on how to add a server-side certificate.
Note
- PKI is only supported for a BMC Server Automation site; it is not supported for BMC Network Automation.
- When PKI is implemented, users attempting to log in are always presented with the login dialog for PKI. They cannot log in using other forms of authentication.
To set up server-side certificates
Do one of the following:
- Install BladeLogic Portal using the HTTPS option. A standard installation creates a self-signed server-side certificate.
- Manually add a trusted certificate.
To set up validation of client-side certificates
- Create a truststore on the BladeLogic Portal web server. The truststore is used to validate user certificates presented by the browser. For a U.S. Department of Defense (DoD) environment, follow the DoD instructions, which explain how to create a truststore from a certificate using the Java keytool utility.
- Open the server.xml file for editing. The file is located at <install_location>/portal/tomcat/conf/server.xml.
- In server.xml, edit the <Connector/> element as described in the following steps:
  - Modify the clientAuth attribute so it is set to true. For example: clientAuth="true".
  - Insert a truststoreFile attribute, which provides the location of the truststore file created in the first step. The path must be an absolute path, or the file must reside in the Tomcat home directory. For example: truststoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\DoDRootTrustStore.jks".
  - Insert a truststorePass attribute, which provides the truststore password. For example: truststorePass="password".
  The updated <Connector/> element is shown below; the new and updated attributes are clientAuth, truststoreFile, and truststorePass.
  <Connector keystorePass="password"
             keystoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\blpSslCertificate.cert"
             sslProtocol="TLS"
             clientAuth="true"
             secure="true"
             scheme="https"
             maxThreads="500"
             SSLEnabled="true"
             truststoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\DoDRootTrustStore.jks"
             truststorePass="password"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="8443"
             namePrefix="dcaPortal"
             useSendfile="false"
             compression="on"
             compressionMinSize="2048"
             noCompressionUserAgents="gozilla, traviata"
             compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"></Connector>
- Restart the portal service:
- (Windows): From the Windows Control Panel on the portal server, select Administrative Tools > Services. Find and right-click the BladeLogic Portal service, and then select Restart.
- (Linux): On the portal server, enter the following command:
/etc/init.d/BladeLogic_Portal restart
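Before restarting the service, it is worth confirming that the <Connector/> edit actually enforces client-certificate authentication. The following script is an added example, not BMC's code: it parses a server.xml, finds every SSL-enabled connector, and reports whether clientAuth, truststoreFile and truststorePass are set as the steps above require (and whether truststoreFile is an absolute path). The sample server.xml embedded in it is constructed for this example using the attribute names shown on this page; the function name check_pki_connectors is this example's own.

```python
"""Check a Tomcat server.xml for the PKI (mutual TLS) connector settings.

Added example, not BMC's own code. It verifies the three attributes the
procedure above edits: clientAuth="true", truststoreFile, truststorePass.
"""
import xml.etree.ElementTree as ET

# Constructed sample: an HTTPS connector edited as described in the procedure.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="C:\\Program Files\\BMC Software\\BladeLogicPortal\\portal\\configuration\\blpSslCertificate.cert"
               keystorePass="password"
               clientAuth="true"
               truststoreFile="C:\\Program Files\\BMC Software\\BladeLogicPortal\\portal\\configuration\\DoDRootTrustStore.jks"
               truststorePass="password"/>
  </Service>
</Server>
"""

# Passwords that are documentation placeholders rather than real secrets.
PLACEHOLDER_PASSWORDS = {"password", "changeit"}


def _is_absolute(path: str) -> bool:
    """Accept Windows (C:\\...) and POSIX (/...) absolute paths, since the
    portal runs on either; os.path.isabs only knows the host's own style."""
    return path.startswith("/") or (
        len(path) > 2 and path[1] == ":" and path[2] in "\\/"
    )


def check_pki_connectors(server_xml: str) -> list:
    """Return one finding per SSL-enabled connector.

    Each finding is a dict with 'port', 'ok' (all three PKI attributes present
    and correct), 'problems' (what blocks PKI from working) and 'warnings'
    (things that work but deserve attention, e.g. a placeholder password).
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: the PKI attributes do not apply
        problems, warnings = [], []

        if conn.get("clientAuth", "false").lower() != "true":
            problems.append('clientAuth is not "true": browsers are never asked for a client certificate')

        ts_file = conn.get("truststoreFile")
        if not ts_file:
            problems.append("truststoreFile is missing: no trust anchors to validate client certificates")
        elif not _is_absolute(ts_file):
            problems.append("truststoreFile is relative: use an absolute path or place the file in the Tomcat home directory")

        ts_pass = conn.get("truststorePass")
        if not ts_pass:
            problems.append("truststorePass is missing: Tomcat cannot open the truststore")
        elif ts_pass.lower() in PLACEHOLDER_PASSWORDS:
            warnings.append("truststorePass is a documentation placeholder; set a real value")

        findings.append({
            "port": conn.get("port"),
            "ok": not problems,
            "problems": problems,
            "warnings": warnings,
        })
    return findings


if __name__ == "__main__":
    for f in check_pki_connectors(SAMPLE_SERVER_XML):
        status = "OK" if f["ok"] else "NOT READY"
        print(f"connector port {f['port']}: {status}")
        for msg in f["problems"] + f["warnings"]:
            print(f"  - {msg}")
```

To check a live installation, replace SAMPLE_SERVER_XML with the contents of <install_location>/portal/tomcat/conf/server.xml; a connector reported as NOT READY will still accept logins without a client certificate after the restart.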