Configuring the portal for PKI authentication

When BladeLogic Portal authentication is set up to use public key infrastructure (PKI), it uses a two-way TLS handshake. A PKI implementation requires both client-side and server-side certificates.

This procedure provides instructions for creating a truststore using U.S. Department of Defense (DoD) instructions. The truststore validates client-side certificates that are sent to the portal through a browser.

For server-side certificates, you can use the existing self-signed certificate that is created when you install the portal using an HTTPS deployment, or you can use a valid certificate issued by a CA. The server-side certificate is stored in the keystore file on the Tomcat server. See Manually adding a trusted certificate for instructions how how to add a server-side certificate.

To set up server-side certificates

Do one of the following:

• Install BladeLogic Portal using the HTTPS option. A standard installation creates a self-signed server-side certificate.
• Manually add a trusted certificate.

To set up validation of client-side certificates 

1. Create a truststore on the BladeLogic Portal web server. The truststore authenticates valid user certificates. This link provides instructions for creating a trust store for a U.S. Department of Defense (DoD) environment. The instructions explain how to create a truststore from a certificate using the Java keytool utility.
2. Open the server.xml file for editing. The file is located at <install_location>/portal/tomcat/conf/server.xml. 
3. In server.xml, edit the <Connector/> element as described in the following steps:
   1. Modify the clientAuth attribute so it is set to true. For example: clientAuth="true".
   2. Insert a truststoreFile attribute, which provides the location of the truststore file created in the first step. The path must be an absolute path, or the file must reside in the Tomcat home directory. For example: truststoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\DoDRootTrustStore.jks".

   3. Insert a truststorePass attribute, which provides the trust store password. For example: truststorePass="password".

   The updated <Connector/> element is shown below, with the new and updated attributes highlighted.
   
   <Connector keystorePass="password" keystoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\blpSslCertificate.cert" sslProtocol="TLS" clientAuth="true" secure="true" scheme="https" maxThreads="500" SSLEnabled="true" truststoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\DoDRootTrustStore.jks" truststorePass="password"protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" namePrefix="dcaPortal" useSendfile="false" compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"></Connector>

4. Restart the portal service:
   
   • (Windows): From the Windows Control Panel on the portal server, select Administrative Tools > Services. Find and right-click the BladeLogic Portal service, and then select Restart. 
   • (Linux): On the portal server, enter the following command: /etc/init.d/BladeLogic_Portal restart