Unsupported content


This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Using PKI authentication to only protect the web server

This topic explains how to configure BMC Decision Support for Server Automation so that it uses a Common Access Card (CAC), a type of smart card, to require users to present a valid certificate before they can access the BMC Decision Support for Server Automation portal login page. The user can then use another authentication mechanism to log in to the application.

To configure BMC Decision Support for Server Automation for using PKI to only protect the web server

  1. Ensure that BMC Decision Support for Server Automation is configured to use the HTTPS protocol.

    Using HTTPS ensures that the Apache directives SSLCertificateFile and SSLCertificateKeyFile are defined and identify the correct files.

  2. Make sure you have the following files available:
    • Certification Authority (CA) certificate chain in PEM format
      Make sure to obtain the entire CA chain.

    • Certificate Revocation List (CRL) (optional; needed only if you want to enforce certificate revocations)
      Make sure you obtain the CRL from your CA.

  3. If the certificates in the CA chain are not in PEM format, convert them by using the following command (assuming DER input):

    openssl x509 -inform der -in myCA.cert -out myCA.pem -subject -issuer

    If you have more than one CA certificate, combine them into a single file. For example, you might create a CA file called C:/webserver/conf/cac_ca_chain.pem that contains multiple certificates. The following file is a sample combined file:

    subject=/C=US/O=Company/OU=Org/CN=Root CA 1
    issuer=/C=US/O=Company/OU=Org/CN=Root CA 1
    -----BEGIN CERTIFICATE-----
    <Base64-encoded certificate data>
    -----END CERTIFICATE-----
    subject=/C=US/O=Company/OU=Org/CN=Intermediate CA 1
    issuer=/C=US/O=Company/OU=Org/CN=Intermediate CA 1
    -----BEGIN CERTIFICATE-----
    <Base64-encoded certificate data>
    -----END CERTIFICATE-----
    subject=/C=US/O=Company/OU=Org/CN=Signing CA 1
    issuer=/C=US/O=Company/OU=Org/CN=Signing CA 1
    -----BEGIN CERTIFICATE-----
    <Base64-encoded certificate data>
    -----END CERTIFICATE-----

  4. If the CRL is not in PEM format, use the following command to convert the CRL. If you are using multiple CRLs, repeat the process for each list.

    openssl crl -in <certificateRevocationList> -inform DER -out <encodedCRL> -outform pem


  5. Edit the Apache configuration file at BDSSAInstallationDirectory/webserver/conf/extra/httpd-ssl.conf by performing the following steps:

    1. For the SSLCACertificateFile entry, enter the following text:

      SSLCACertificateFile "<certificatesFile>"

      <certificatesFile> is the CA certificates file you obtained in step 2. For example, you might enter:

      SSLCACertificateFile "C:/webserver/conf/cac_ca_chain.pem"

      After you create this entry, make sure any other entries for SSLCACertificateFile are commented out.

    2. Locate the SSLCARevocationFile entry and enter the following text:

      SSLCARevocationFile "<CRLFile>"

      <CRLFile> is the certificate revocation list you converted to PEM in step 4. For example, you might enter:

      SSLCARevocationFile "C:/webserver/conf/crl.pem"

      When you make this entry, make sure any other entries for SSLCARevocationFile are commented out.

    3. Enable client authentication by adding the following entries to the configuration file:

      SSLVerifyClient require
      SSLVerifyDepth 10
  6. Restart the Apache Web Server.
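
Before restarting, the edited file can be checked against the conditions in step 5. The following Python sketch is an added example, not part of the BMC documentation: it reports multiple active SSLCACertificateFile or SSLCARevocationFile entries and an SSLVerifyClient value other than require. The function names and the sample configuration are constructed for illustration, and the optional apache24 check assumes Apache 2.4, where a CRL file is consulted only when SSLCARevocationCheck is set to chain or leaf; confirm the Apache version bundled with your installation before relying on it.

```python
# Added example: lint the mod_ssl directives that step 5 sets in httpd-ssl.conf.
# Assumption: one flat SSL virtual host; nested container overrides are not modelled.
WATCHED = ("sslcacertificatefile", "sslcarevocationfile",
           "sslverifyclient", "sslcarevocationcheck")

# Constructed sample configuration, not taken from a real installation.
SAMPLE = '''\
# httpd-ssl.conf excerpt (constructed sample)
SSLCACertificateFile "C:/webserver/conf/ca-bundle.crt"
SSLCACertificateFile "C:/webserver/conf/cac_ca_chain.pem"
#SSLCARevocationFile "C:/webserver/conf/old_crl.pem"
SSLCARevocationFile "C:/webserver/conf/crl.pem"
SSLVerifyClient optional
SSLVerifyDepth 10
'''

def active_directives(conf_text):
    """Map each watched directive to its uncommented (line_no, value) entries."""
    found = {name: [] for name in WATCHED}
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()  # Apache directive names are case-insensitive
        if name in found:
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            found[name].append((line_no, value))
    return found

def audit(conf_text, apache24=False):
    """Return findings as strings; an empty list means every check passed."""
    d = active_directives(conf_text)
    findings = []
    for name in ("sslcacertificatefile", "sslcarevocationfile", "sslverifyclient"):
        if len(d[name]) > 1:  # the procedure says to comment out all other entries
            lines = ", ".join(str(n) for n, _ in d[name])
            findings.append(f"{name}: {len(d[name])} active entries (lines {lines})")
    if not d["sslcacertificatefile"]:
        findings.append("sslcacertificatefile: no active entry")
    modes = {v.lower() for _, v in d["sslverifyclient"]}
    if modes != {"require"}:  # 'optional' or a missing entry lets clients in without a certificate
        found = ", ".join(sorted(modes)) or "nothing"
        findings.append(f"sslverifyclient: must be 'require', found {found}")
    # Apache 2.4 only: the CRL file is ignored unless SSLCARevocationCheck is chain or leaf.
    checks = {v.lower().split()[0] for _, v in d["sslcarevocationcheck"] if v}
    if apache24 and d["sslcarevocationfile"] and not checks & {"chain", "leaf"}:
        findings.append("sslcarevocationcheck: CRL file set but checking is not enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To check a real installation, pass the contents of httpd-ssl.conf to audit() in place of SAMPLE.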