Configuring the portal for PKI authentication

Note

PKI authentication was introduced in BladeLogic Portal version 2.2.00.001.

When BladeLogic Portal authentication is set up to use public key infrastructure (PKI), it uses a two-way TLS handshake. A PKI implementation requires both client-side and server-side certificates.

This procedure provides instructions for creating a truststore using U.S. Department of Defense (DoD) instructions. The truststore validates client-side certificates that are sent to the portal through a browser.

For server-side certificates, you can use the existing self-signed certificate that is created when you install the portal using an HTTPS deployment, or you can use a valid certificate issued by a CA. The server-side certificate is stored in the keystore file on the Tomcat server. See Manually adding a trusted certificate for instructions on how to add a server-side certificate.

Note

  • PKI is only supported for a BMC Server Automation site; it is not supported for BMC Network Automation.
  • When PKI is implemented, users attempting to log in are always presented with the login dialog for PKI. They cannot log in using other forms of authentication.

To set up server-side certificates

Do one of the following:

To set up validation of client-side certificates 

  1. Create a truststore on the BladeLogic Portal web server. The truststore authenticates valid user certificates. This link provides instructions for creating a truststore for a U.S. Department of Defense (DoD) environment. The instructions explain how to create a truststore from a certificate using the Java keytool utility.
  2. Open the server.xml file for editing. The file is located at <install_location>/portal/tomcat/conf/server.xml. 
  3. In server.xml, edit the <Connector/> element as described in the following steps:
    1. Modify the clientAuth attribute so it is set to true. For example: clientAuth="true".
    2. Insert a truststoreFile attribute, which provides the location of the truststore file created in the first step. The path must be an absolute path, or the file must reside in the Tomcat home directory. For example: truststoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\DoDRootTrustStore.jks".
    3. Insert a truststorePass attribute, which provides the truststore password. For example: truststorePass="password".

    The updated <Connector/> element is shown below; the new and updated attributes are clientAuth, truststoreFile, and truststorePass. Each attribute must be separated from the next by whitespace, otherwise Tomcat fails to parse server.xml.

    <Connector keystorePass="password"
               keystoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\blpSslCertificate.cert"
               sslProtocol="TLS"
               clientAuth="true"
               secure="true"
               scheme="https"
               maxThreads="500"
               SSLEnabled="true"
               truststoreFile="C:\Program Files\BMC Software\BladeLogicPortal\portal\configuration\DoDRootTrustStore.jks"
               truststorePass="password"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="8443"
               namePrefix="dcaPortal"
               useSendfile="false"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript"></Connector>

  4. Restart the portal service:
    • (Windows): From the Windows Control Panel on the portal server, select Administrative Tools > Services. Find and right-click the BladeLogic Portal service, and then select Restart.
    • (Linux): On the portal server, enter the following command: /etc/init.d/BladeLogic_Portal restart
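The following script is an added example, not BMC's code, that covers steps 1 and 3 of the procedure above: it builds the keytool command that imports a CA certificate into a JKS truststore, and it checks a server.xml <Connector/> for the clientAuth, truststoreFile, and truststorePass settings before the portal service is restarted. The sample server.xml, the Linux install path /opt/bmc/BladeLogicPortal, and the alias and file names are constructed assumptions; the malformed sample reproduces the missing-space case so the check reports it rather than silently passing.

```python
#!/usr/bin/env python3
"""Check a Tomcat server.xml <Connector> for the PKI (two-way TLS) settings
described in the procedure above.

Added example, not BMC's code. The sample server.xml, the Linux install
path /opt/bmc/BladeLogicPortal and the alias/file names are constructed.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample: a Linux install with the three PKI attributes in place.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="/opt/bmc/BladeLogicPortal/portal/configuration/blpSslCertificate.cert"
               keystorePass="password"
               clientAuth="true"
               truststoreFile="/opt/bmc/BladeLogicPortal/portal/configuration/DoDRootTrustStore.jks"
               truststorePass="password"/>
  </Service>
</Server>
"""

# Constructed: the element with the whitespace before an attribute lost.
# Tomcat will not start on this, so the check must flag it.
MALFORMED_CONNECTOR = '<Connector SSLEnabled="true" truststorePass="password"clientAuth="true"/>'


def keytool_import_cmd(cert_file, truststore, alias, storepass):
    """Build the keytool command for step 1: import one CA certificate into a
    JKS truststore (run it with subprocess.run(cmd, check=True)); repeat per
    certificate in the chain. -storepass is visible in the process list while
    keytool runs, so run this on the portal host rather than over a shared box."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", cert_file,
            "-keystore", truststore, "-storetype", "JKS",
            "-storepass", storepass]


def check_connector(xml_text, tomcat_home="/opt/bmc/BladeLogicPortal/portal/tomcat"):
    """Return a list of findings for the HTTPS connector(s) in server.xml.
    An empty list means steps 3.1 to 3.3 are reflected in the file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["server.xml is not well-formed XML: %s" % exc]

    https = [c for c in root.iter("Connector")
             if c.get("SSLEnabled", "").lower() == "true"]
    if not https:
        return ['no <Connector> with SSLEnabled="true" found']

    findings = []
    for conn in https:
        port = conn.get("port", "?")
        # Step 3.1: client certificates must be required, not optional.
        if conn.get("clientAuth", "").lower() != "true":
            findings.append('port %s: clientAuth must be "true" (got %r)'
                            % (port, conn.get("clientAuth")))
        # Step 3.2: the truststore path must be absolute or relative to Tomcat home.
        ts = conn.get("truststoreFile")
        if ts is None:
            findings.append("port %s: truststoreFile is missing" % port)
        elif not os.path.isabs(ts) and not os.path.isfile(os.path.join(tomcat_home, ts)):
            findings.append("port %s: truststoreFile %r is relative and not found under %s"
                            % (port, ts, tomcat_home))
        # Step 3.3: Tomcat needs the truststore password to open the JKS file.
        if not conn.get("truststorePass"):
            findings.append("port %s: truststorePass is missing" % port)
    return findings


if __name__ == "__main__":
    print(" ".join(keytool_import_cmd("DoDRoot.cer", "DoDRootTrustStore.jks",
                                      "dodroot", "changeit")))
    for name, text in (("sample", SAMPLE_SERVER_XML), ("malformed", MALFORMED_CONNECTOR)):
        print(name, check_connector(text) or "OK")
```

Run it against the real file with check_connector(open(path).read()) after editing server.xml and before restarting the service; an empty result means the connector demands a client certificate and can locate and open the truststore, which is the state the restart in step 4 should pick up.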