$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
 
 

Unsupported content

 

This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

BMC Decision Support for Server Automation 8.6 ... Installing Configuring after installation Administering security Implementing authentication PKI authentication

Using PKI authentication to only protect the web server

This topic explains how to configure 

    MultiExcerpt named 'Product_Name' was not found
The multiexcerpt named 'Product_Name' was not found. Please check the page name and MultiExcerpt name used in the MultiExcerpt Include macro. so it can use Common Access Card (CAC), a type of smart card, to require user to present a valid certificate to access the BMC Decision Support for Server Automation portal login page.  The user can then use another authentication mechanism to login to the application.

To configure BMC Decision Support for Server Automation for using PKI to only protect the web server

  1. Ensure that 

      MultiExcerpt named 'Product_Name' was not found
    The multiexcerpt named 'Product_Name' was not found. Please check the page name and MultiExcerpt name used in the MultiExcerpt Include macro.is configured to use the HTTPS protocol. 

    Using HTTPS ensures that you have the Apache environment variables SSLCertificateFile and SSLCertificateKeyFile defined so they identify the correct files.

  2. Make sure you have the following files available with you:

    • Certification Authority (CA) certificate chain in PEM format
      Make sure to obtain the entire CA chain 

    • Certificate Revocation List (CRL) (optional if you want to enforce certificate revocations)
      Make sure you obtain CRL from your CA. 

  3. If the certificates in the CA chain are not in PEM format, convert them by using the following command (assuming DER input):

    openssl x509 -inform der -in myCA.cert -out myCA.pem -subject -issuer

    If you have more than one CA certificate, combine them into a single file. For example, you might create a CA file called C:/webserver/conf/cac_ca_chain.pem that contains multiple certificates. The following file is a sample combined file:

    subject=/C=US/O=Company/OU=Org/CN=Root CA 1
issuer=/C=US/O=Company/OU=Org/CN=Root CA 1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
subject=/C=US/O=Company/OU=Org/CN=Intermediate CA 1
issuer=/C=US/O=Company/OU=Org/CN=Intermediate CA 1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
subject=/C=US/O=Company/OU=Org/CN=Signing CA 1
issuer=/C=US/O=Company/OU=Org/CN=Signing CA 1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----

  4. If the CRL is not in a PEM format, use the following command to convert the CRL. If you are using multiple CRLs, repeat the process for each list.

    openssl crl -in <certficateRevocationList> -inform DER  -out <encodedCRL> -outform pem

      

  5. Edit the Apache configuration file at BDSSAInstallationDirectory/webserver/conf/extra/httpd-ssl.conf by doing the following steps:

    1. For the SSLCACertificateFile entry, enter the following text:

      SSLCACertificateFile "<certificatesFile>"


      <certificatesFile> is the CA certificates file you obtained in step 2. For example, you might enter:

      SSLCACertificateFile "C:/webserver/conf/cac_ca_chain.pem"


      After you create this entry, make sure any other entries for SSLCACertificateFile are commented out.

    2. Locate the SSLCARevocationFile entry and enter the following text:

      SSLCARevocationFile "<CRLFile>"


      <CRLFile> is the certificate revocation list you converted to PEM in step 4. For example, you might enter:

      SSLCARevocationFile "C:/webserver/conf/crl.pem"


      When you make this entry, make sure any other entries for SSLCARevocationFile are commented out.

    3. Enable client authentication by adding the following entries to the configuration file:

      SSLVerifyClient require
SSLVerifyDepth 10
  6. Restart the Apache Web Server.
Was this page helpful? Yes No Submitting... Thank you
Last modified by Sulekha Gulati on Oct 15, 2014
contributor-updated report_administration configuation cac_authentication common_access_card

Comments

Using PKI authentication to log on to the reports portal
Adding a Popup Logon Banner
© Copyright 2020 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2020 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.