Unsupported content

 

This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Using PKI authentication to log on to the reports portal

This topic explains how to configure BMC Decision Support for Server Automation so it can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a Common Access Card (CAC). When you insert the smart card and provide the certificate, authentication occurs and the user is logged on to the BMC Decision Support for Server Automation portal.

Note

After you insert your smart card, you do not need to specify any other credentials to access the product.

To configure BMC Decision Support for Server Automation for using PKI to log on to the reports portal

  1. Configure the Apache web server to use the HTTPS protocol.
  2. Follow the instructions in Using PKI authentication to only protect the web server.
  3. Navigate to the BDSSAInstallationDirectory/webserver/conf/extra folder.
  4. Open the httpd-ssl.conf file and change the section:

    Warning

    Before modifying the httpd-ssl.conf file, BMC recommends that you make a backup copy.

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/u01/bmc/BladeLogic/reports/webserver/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    
    

    To look like:

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars +ExportCertData
        SSLUserName SSL_CLIENT_S_DN_CN
        RequestHeader add X-Forwarded-User %{REMOTE_USER}e
    </FilesMatch>
    <Directory "/usr/local/bmc/reports/webserver/cgi-bin">
        SSLOptions +StdEnvVars +ExportCertData
        SSLUserName SSL_CLIENT_S_DN_CN
        RequestHeader add X-Forwarded-User %{REMOTE_USER}e
    </Directory>
    
  5. Follow the instructions in Setting up a trust store for PKI authentication in the BMC Server Automation documentation to generate the JKS file, and then copy the file to the BDSSAInstallationDirectory/br folder.

    Note

    If you are configuring PKI authentication for use in a U.S. Department of Defense (DoD) environment, use the instructions on Using the DoD InstallRoot tool to create a trust store to create the trust store.

  6. On the reports server, start the Application Server Administration console (the blasadmin utility) as follows:

    • (Windows) Navigate to the BDSSAInstallationDirectory\bin directory and enter the following command: blasadmin.

    • (UNIX) Navigate to the BDSSAInstallationDirectory/br directory and enter the following command: blasadmin.
  7. Run the following commands:

    set Pki TruststorePass password
    set Pki TruststorePath MyStore.jks
    set Pki TruststoreType JKS
    set Pki UseCommon true
    
  8. (Optional) Set the default authentication type to PKI, as follows:

    1. Open the BDSSAInstallationDirectory/shared/ConfigurationManagement/generic-configuation.properties file with a text editor.

    2. Set the defaultAuthType attribute to 6.  

      Note

      If the user presents a valid PKI token, this step bypasses the log on page and lets the user log on to the reports portal directly. If you do not complete this step, the user is presented with the log on page and must click OK (without providing a user name or password) to log on to the portal. This step is recommended if only PKI login is desired. Do not perform this step if a mix of authentication types is desired.



  9. Restart the blreports service.
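
A check for step 4, as an added example that is not part of the BMC documentation: the function parses httpd-ssl.conf text and reports, for each `<FilesMatch>` or `<Directory>` section that sets SSLOptions, which of the three directives from the "To look like" snippet are missing. The function name and sample strings are assumptions for illustration; the samples are constructed from the snippets in step 4.

```python
import re

# Directives that the "To look like" snippet in step 4 adds to each section.
REQUIRED = {
    "SSLOptions +ExportCertData": re.compile(r'^SSLOptions\b.*\+ExportCertData\b', re.I),
    "SSLUserName SSL_CLIENT_S_DN_CN": re.compile(r'^SSLUserName\s+SSL_CLIENT_S_DN_CN\s*$', re.I),
    "RequestHeader X-Forwarded-User": re.compile(
        r'^RequestHeader\s+\w+\s+X-Forwarded-User\s+"?%\{REMOTE_USER\}e"?\s*$', re.I),
}
OPEN = re.compile(r'^<(FilesMatch|Directory)\s+(.+?)>\s*$', re.I)
CLOSE = re.compile(r'^</(FilesMatch|Directory)>\s*$', re.I)

def missing_pki_directives(conf_text):
    """Return {section header: [missing directive names]} for every
    <FilesMatch>/<Directory> section that sets SSLOptions.
    Assumes these sections are not nested, as in the page's snippet."""
    findings, header, body = {}, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if header is None:
            if OPEN.match(line):
                header, body = line, []
        elif CLOSE.match(line):
            if any(d.lower().startswith("ssloptions") for d in body):
                findings[header] = [name for name, rx in REQUIRED.items()
                                    if not any(rx.match(d) for d in body)]
            header = None
        else:
            body.append(line)
    return findings

# Constructed sample: the unmodified section from step 4.
BEFORE = r'''
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/u01/bmc/BladeLogic/reports/webserver/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
'''
# Constructed sample: the same sections with the step 4 directives applied.
PKI = ("SSLOptions +StdEnvVars +ExportCertData\n    SSLUserName SSL_CLIENT_S_DN_CN\n"
       "    RequestHeader add X-Forwarded-User %{REMOTE_USER}e")
AFTER = BEFORE.replace("SSLOptions +StdEnvVars", PKI)

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, missing_pki_directives(text))
```

Run it against the contents of the edited file before restarting the service; an empty list for every section means the edit matches the documented snippet.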
