PKI authentication
PKI authentication with smart cards is used for authentication between the Authentication Server and TrueSight Server Automation - Data Warehouse. Smart cards store the digital certificates that you obtain from the certification authority.
To enable PKI authentication for TrueSight Smart Reporting for Server Automation, complete the following tasks:
Set up CA-signed certificates for TSSADW
Do the following:
- Follow the instructions in Implementing private certificates in TrueSight Server Automation - Data Warehouse.
Create the PKI TrustStore
- Obtain the CA certificates for both the CA that signs your user tokens and the CA that signed the TSSR-P certificate in the previous step. These may be different certificate authorities. There should be one certificate file for each CA in the chain. For example, if there are root, intermediate, and signing CAs in the chain, then you should have three files, each with a single certificate in it.
- Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
- Create a new keystore in the <TSSA-DW_installation_directory>/br directory and import the CA certificates used to sign the user tokens, as well as the CA certificates used to sign the TSSR-P certificate, starting with the root certificate in each chain. Run this command:
<TSSA-DW_installation_directory>/jre/bin/keytool -import -keystore <pki keystore> -storepass <pki keystore password> -file <ca_cert file> -alias <alias for cert>
Example:
(Windows)
"C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -import -keystore "C:\Program Files\BMC Software\TSSA-DW\br\PkiTrustStore.jks" -storepass password -file ca_root_cert.pem -alias caroot
(Linux)
/opt/bmc/TSSA-DW/jre/bin/keytool -import -keystore /opt/bmc/TSSA-DW/br/PkiTrustStore.jks -storepass password -file ca_root_cert.pem -alias caroot
Repeat the command for each certificate in the CA chain, using a different alias for each one. In addition to the root certificate, there may be multiple intermediate and signing certificates to import.
- If the TSSR-P certificate was signed by a different CA chain, repeat the above steps with those CA certificates.
- (Linux) Ensure that the blauth user has permission to the new keystore file:
chown blauth:blauth <TSSADW_installation_directory>/br/PkiTrustStore.jks
Configure the TSSADW Authentication Server for PKI authentication
Do the following:
- Configure the auth service with the blasadmin command line utility. On the TrueSight Server Automation - Data Warehouse server, start the Administration console of the Authentication Server:
(Windows) At the command prompt, change to the <TSSADW_installation_directory>\bin directory and run the following command:
blasadmin
(UNIX) At the command prompt, change to the <TSSADW_installation_directory>/br directory and run the following command:
blasadmin
- Run the following commands:
set PkiAuth IsEnabled true
set PkiAuth TruststorePathname <pki keystore filename>
set PkiAuth TruststoreType JKS
set PkiAuth TruststorePassword <pki keystore password>
set PkiAuth UseCommon true
syncfile
- Exit the blasadmin utility.
Configure Tomcat for PKI authentication
Do the following:
- Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
- Navigate to the following directory: <TSSADW_installation_directory>\tomcat\conf
- Get the blenc hash of the PKI keystore password by running the following command:
<TSSA-DWInstallationDirectory>\bin\blenc.exe <pki keystore password>
Example:
(Windows)
"C:\Program Files\BMC Software\TSSA-DW\bin\blenc.exe" password
(Linux)
/opt/bmc/TSSA-DW/bin/blenc password
Note the encrypted password that follows BLencrypt: in the output.
- In a text editor, open the server.xml file.
- Modify the following parameters in the SSL connector block:
- truststoreFile="<TSSADW_installation_directory>/br/PkiTrustStore.jks"
- trustStorePass="<pki keystore password in blenc format>"
- clientAuth="true"
For example:
(Windows)
<Connector port="9443"
SSLEnabled="true"
sslEnabledProtocols="TLSv1.2"
protocol="com.bmc.bbds.security.Http11NioProtocol"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
keystoreFile="C:\PROGRA~1\BMCSOF~1\TSSA-DW\tomcat\conf\bdsSslCertificate.cert"
keystorePass="<password>"
truststoreFile="C:\PROGRA~1\BMCSOF~1\TSSA-DW\br\PkiTrustStore.jks"
trustStorePass="<The password used for the truststore in the blenc format>"
clientAuth="true"
sslProtocol="TLS"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
(Linux)
<Connector port="9443"
SSLEnabled="true"
sslEnabledProtocols="TLSv1.2"
protocol="com.bmc.bbds.security.Http11NioProtocol"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
keystoreFile="/opt/bmc/TSSA-DW/tomcat/conf/bdsSslCertificate.cert"
keystorePass="<password>"
truststoreFile="/opt/bmc/TSSA-DW/br/PkiTrustStore.jks"
trustStorePass="<The password used for the truststore in the blenc format>"
clientAuth="true"
sslProtocol="TLS"
ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
- Save the server.xml file.
- Restart the following services:
- TrueSight Server Automation - Data Warehouse
- Authentication Server
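As an added check (example code, not part of the BMC documentation or product), the following Python script parses a server.xml, locates the connector on port 9443 and verifies the settings the procedure above requires: clientAuth, the PKI truststore and its password, and the enabled protocols. It goes one step beyond the page by also flagging cipher suites built on weak primitives such as 3DES; the embedded server.xml is a constructed sample modelled on the Linux example, with placeholder strings standing in for the real keystore and blenc values.

```python
import os
import xml.etree.ElementTree as ET

# Cipher-suite name fragments for primitives that should not be offered.
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "_DES_")

# Constructed sample modelled on the Linux example above, with the
# <...> placeholders replaced by syntactically valid attribute values.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="9443" SSLEnabled="true" sslEnabledProtocols="TLSv1.2"
  protocol="com.bmc.bbds.security.Http11NioProtocol" scheme="https" secure="true"
  keystoreFile="/opt/bmc/TSSA-DW/tomcat/conf/bdsSslCertificate.cert"
  keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER"
  truststoreFile="/opt/bmc/TSSA-DW/br/PkiTrustStore.jks"
  trustStorePass="BLENC_VALUE_PLACEHOLDER" clientAuth="true" sslProtocol="TLS"
  ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""


def check_pki_connector(server_xml, port="9443", check_files=False):
    """Return a list of findings; an empty list means the connector is set
    up the way the PKI procedure requires (plus the extra cipher check)."""
    findings = []
    connectors = ET.fromstring(server_xml).findall(".//Connector")
    conn = next((c for c in connectors if c.get("port") == port), None)
    if conn is None:
        return ["no Connector on port %s" % port]
    if conn.get("SSLEnabled") != "true" or conn.get("secure") != "true":
        findings.append("connector is not an SSL connector (SSLEnabled/secure)")
    if conn.get("clientAuth") != "true":
        findings.append('clientAuth must be "true" or the smart-card certificate is never requested')
    truststore = conn.get("truststoreFile") or ""
    if not truststore.endswith(".jks"):
        findings.append("truststoreFile must name the PKI JKS truststore")
    elif check_files and not os.path.isfile(truststore):
        findings.append("truststoreFile does not exist: " + truststore)
    if not conn.get("trustStorePass"):
        findings.append("trustStorePass is missing (set the blenc-encrypted value)")
    protocols = {p.strip() for p in (conn.get("sslEnabledProtocols") or "").split(",")} - {""}
    legacy = sorted(protocols - {"TLSv1.2", "TLSv1.3"})
    if legacy:
        findings.append("legacy TLS/SSL protocols enabled: " + ",".join(legacy))
    # Extra check beyond the page: name any suite built on a weak primitive.
    for cipher in (conn.get("ciphers") or "").split(","):
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite configured: " + cipher.strip())
    return findings


if __name__ == "__main__":
    for finding in check_pki_connector(SAMPLE_SERVER_XML) or ["connector OK"]:
        print(finding)
```

Run it against the real file with `check_pki_connector(open("server.xml").read(), check_files=True)` so that the truststore path is also verified on disk.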