Using PKI authentication to log on to the reports portal
This topic explains how to configure BMC Decision Support for Server Automation so that it can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a Common Access Card (CAC). When a user inserts the smart card and provides the certificate, authentication occurs and the user is logged on to the BMC Decision Support for Server Automation portal.
To configure BMC Decision Support for Server Automation for using PKI to log on to the reports portal
- Configure the Apache web server to use the HTTPS protocol.
- Follow the instructions in Using PKI authentication to only protect the web server.
- Navigate to the BDSSAInstallationDirectory/webserver/conf/extra folder.
Open the httpd-ssl.conf file and change the section:
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/u01/bmc/BladeLogic/reports/webserver/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
To look like:
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars +ExportCertData
SSLUserName SSL_CLIENT_S_DN_CN
RequestHeader add X-Forwarded-User %{REMOTE_USER}e
</FilesMatch>
<Directory "/usr/local/bmc/reports/webserver/cgi-bin">
SSLOptions +StdEnvVars +ExportCertData
SSLUserName SSL_CLIENT_S_DN_CN
RequestHeader add X-Forwarded-User %{REMOTE_USER}e
</Directory>
Follow the instructions in Setting up a trust store for PKI authentication in the BMC Server Automation documentation, generate the JKS file, and copy it to the BDSSAInstallationDirectory/br folder.
- On the reports server, start the Application Server Administration console (the blasadmin utility) as follows:
- (Windows) Navigate to the BDSSAInstallationDirectory\bin directory and enter the following command: blasadmin.
- (UNIX) Navigate to the BDSSAInstallationDirectory/br directory and enter the following command: blasadmin.
Run the following commands:
set Pki TruststorePass password
set Pki TruststorePath MyStore.jks
set Pki TruststoreType JKS
set Pki UseCommon true
- (Optional) Set the default authentication type to PKI, as follows:
- Open the BDSSAInstallationDirectory/shared/ConfigurationManagement/generic-configuation.properties file with a text editor.
Set the defaultAuthType attribute to 6.
- Restart the blreports service.
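An added example, not part of the BMC documentation: a Python check that parses httpd-ssl.conf text and reports which FilesMatch or Directory sections still lack the settings introduced in the httpd-ssl.conf step above. The function names and the sample configuration are constructed for illustration.

```python
import re

OPEN = re.compile(r"<(FilesMatch|Directory)\s+(.+?)>\s*$", re.I)
CLOSE = re.compile(r"</(FilesMatch|Directory)>\s*$", re.I)

def parse_sections(text):
    """Return [(header, [(directive, args), ...])] for FilesMatch/Directory blocks."""
    sections, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            current = (f"{opened.group(1)} {opened.group(2)}", [])
        elif CLOSE.match(line) and current:
            sections.append(current)
            current = None
        elif current:
            name, _, args = line.partition(" ")
            current[1].append((name.lower(), args.strip()))  # directive names are case-insensitive
    return sections

def missing(directives):
    """Name the settings from the edited httpd-ssl.conf that this block lacks."""
    opts = {o.lower() for n, a in directives if n == "ssloptions" for o in a.split()}
    gaps = [f"SSLOptions {o}" for o in ("+StdEnvVars", "+ExportCertData") if o.lower() not in opts]
    if not any(n == "sslusername" and a == "SSL_CLIENT_S_DN_CN" for n, a in directives):
        gaps.append("SSLUserName SSL_CLIENT_S_DN_CN")
    if not any(n == "requestheader" and "x-forwarded-user" in a.lower()
               and "%{REMOTE_USER}e" in a for n, a in directives):
        gaps.append("RequestHeader X-Forwarded-User %{REMOTE_USER}e")
    return gaps

def audit(text):
    """Map each incomplete section header to the settings it is missing."""
    return {h: g for h, d in parse_sections(text) if (g := missing(d))}

# Constructed sample: first block edited as described, second still in its original state.
SAMPLE = r'''
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars +ExportCertData
SSLUserName SSL_CLIENT_S_DN_CN
RequestHeader add X-Forwarded-User %{REMOTE_USER}e
</FilesMatch>
<Directory "/usr/local/bmc/reports/webserver/cgi-bin">
SSLOptions +StdEnvVars
</Directory>'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means every section carries all three settings; run it against the real file by passing the file's contents to audit().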