Unsupported content This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

Using PKI authentication to log on to the reports portal

This topic explains the how to configure BMC Decision Support for Server Automation so it can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a Common Access Card (CAC). When you insert the smart card and provide the certificate, authentication occurs and the user is logged on to the BMC Decision Support for Server Automation portal.

Note

After you insert your smart card, you do not need to specify any other credentials to access the product.

To configure BMC Decision Support for Server Automation for using PKI to log on to the reports portal

  1. Configure the Apache web server to use the HTTPS protocol.
  2. Follow the instructions in Using-PKI-authentication-to-only-protect-the-web-server
  3. Navigate to the BDSSAInstallationDirectory/webserver/conf/extra folder.

  4. Open the httpd-ssl.conf file and change the section:

    Warning

    Before modifying the httpd-ssl.conf file, BMC recommends that you make a backup copy.

     

     

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/u01/bmc/BladeLogic/reports/webserver/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    To look like:

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars +ExportCertData
    SSLUserName SSL_CLIENT_S_DN_CN
    RequestHeader add X-Forwarded-User %{REMOTE_USER}e
    </FilesMatch>
    <Directory "/usr/local/bmc/reports/webserver/cgi-bin">
    SSLOptions +StdEnvVars +ExportCertData
    SSLUserName SSL_CLIENT_S_DN_CN
    RequestHeader add X-Forwarded-User %{REMOTE_USER}e
    </Directory>

  5. Follow the instructions on Setting up a trust store for PKI authentication in the BMC Server Automation documentation and generate the JKS file and copy it to the BDSSAInstallationDirectory/br folder.

    Note

    If you are configuring PKI authentication for use in a U.S. Department of Defense (DoD) environment, use the instructions on Using the DoD InstallRoot tool to create a trust store to create the trust store.

  6. On the reports server, start the Application Server Administration console (the blasadmin utility) as follows:
    • (Windows) Navigate to the BDSSAInstallationDirectory\bin directory and enter the following command: blasadmin.
    • (UNIX) Navigate to the BDSSAInstallationDirectory/br directory and enter the following command: blasadmin.

  7. Run the following commands:

    set Pki TruststorePass password
    set Pki TruststorePath MyStore.jks
    set Pki TruststoreType JKS
    set Pki UseCommon true
  8. (Optional) Set the default authentication type to PKI, as follows:
    1. Open the BDSSAInstallationDirectory/shared/ConfigurationManagement/generic-configuation.properties file with a text editor.

    2. Set the defaultAuthType attribute to 6.  

      Note

      If the user presents a valid PKI token, this step bypasses the log on page and enables user logs on to reports portal directly. If you do not complete this step, the user will be presented with the log on page and the user must click OK (without providing a user name or password) to log on to the portal. If only PKI login is desired then this step is recommended. If a mix of authentication types is desired then this step should not be followed.


  9. Restart the blreports service.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*