Important

   

This space contains documentation for TrueSight Smart Reporting for Server Automation 20.02.01. For earlier releases, see TrueSight Smart Reporting for Server Automation 19.2.

PKI authentication

This topic was edited by a BMC Contributor and has not been approved.

PKI authentication with smart cards is used for authentication between the Authentication Server and TrueSight Server Automation - Data Warehouse. Smart cards store the digital certificates that you obtain from the certification authority. 

To enable PKI authentication for TrueSight Smart Reporting for Server Automation, complete the following tasks:

  1. Set up CA-signed certificates for TSSADW.
  2. Create the PKI TrustStore.
  3. Configure the Authentication Server for PKI authentication.
  4. Configure Tomcat for PKI authentication.

Set up CA-signed certificates for TSSADW

Do the following:

  1. Follow the instructions here: Implementing private certificates in TrueSight Server Automation - Data Warehouse

Create the PKI TrustStore

  1. Obtain the CA certificates for both the CA that signs your user tokens and the CA that signed the TSSR-P certificate in the previous step. These may be different certificate authorities. There should be one certificate file for each CA in the chain. For example, if there are root, intermediate, and signing CAs in the chain, then you should have three files, each with a single certificate in it.
  2. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
  3. Create a new keystore in the <TSSA-DW_installation_directory>/br directory and import the CA certs used to sign the user tokens, as well as the CA certs used to sign the TSSR-P certificate, starting with the root cert in each chain.

    1. Run this command:

      <TSSA-DW_installation_directory>/jre/bin/keytool -import -keystore <pki keystore> -storepass <pki keystore password> -file <ca_cert file> -alias <alias for cert>

      Example (Windows):

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -import -keystore "C:\Program Files\BMC Software\TSSA-DW\br\PkiTrustStore.jks" -storepass password -file ca_root_cert.pem -alias caroot

      Example (Linux):

      /opt/bmc/TSSA-DW/jre/bin/keytool -import -keystore /opt/bmc/TSSA-DW/br/PkiTrustStore.jks -storepass password -file ca_root_cert.pem -alias caroot
    2. Repeat the above command for each cert in the CA chain, using a different alias for each one.  In addition to the root certificate, there may be multiple intermediate and signing certificates to import.

    3. If the TSSR-P certificate was signed by a different CA chain, repeat the above steps with those CA certificates.
    4. (Linux) Ensure that the blauth user has permission to access the new keystore file:

      • chown blauth:blauth <TSSADW_installation_directory>/br/PkiTrustStore.jks
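The repeated import from step 3, as an added example that is not part of BMC's documentation: it splits a CA bundle into one certificate per file and prints a keytool command with its own alias for each file. The function names, the `userca` alias prefix and the sample bundle are assumptions, and the bundle is assumed to list the root certificate first; `-storepass` is left out so that keytool prompts for the password instead of exposing it in the shell history and process list.

```sh
# Added example: split a PEM bundle into one certificate per file and print
# one keytool import command per file, each with its own alias.
# KEYTOOL and TRUSTSTORE default to the Linux paths used on this page.
KEYTOOL="${KEYTOOL:-/opt/bmc/TSSA-DW/jre/bin/keytool}"
TRUSTSTORE="${TRUSTSTORE:-/opt/bmc/TSSA-DW/br/PkiTrustStore.jks}"

# split_bundle BUNDLE OUTDIR PREFIX
# Writes OUTDIR/PREFIX1.pem, PREFIX2.pem, ... and prints how many were written.
# Text outside the BEGIN/END markers (comments, subject lines) is dropped.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" -v pfx="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pfx n ".pem"; on = 1 }
        on                            { print > out }
        /-----END CERTIFICATE-----/   { if (on) close(out); on = 0 }
        END                           { print n + 0 }
    ' "$1"
}

# import_commands OUTDIR PREFIX COUNT
# Prints the commands only; nothing is run. Without -storepass, keytool
# prompts for the keystore password.
import_commands() {
    i=1
    while [ "$i" -le "$3" ]; do
        printf '"%s" -import -keystore "%s" -file "%s/%s%s.pem" -alias %s%s\n' \
            "$KEYTOOL" "$TRUSTSTORE" "$1" "$2" "$i" "$2" "$i"
        i=$((i + 1))
    done
}

# Constructed sample: three placeholder blocks, not real certificates.
sample_bundle() {
    for name in root intermediate signing; do
        printf '%s\n' "# $name CA (constructed)" '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'
    done
}

work=$(mktemp -d)
sample_bundle > "$work/chain.pem"
count=$(split_bundle "$work/chain.pem" "$work/certs" userca)
import_commands "$work/certs" userca "$count"
rm -rf "$work"
```

Run the printed commands in order, then repeat with a second prefix for the CA chain that signed the TSSR-P certificate if it differs.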

Configure the TSSADW Authentication Server for PKI authentication

Do the following:

  1. Configure the auth service with the blasadmin command line utility:

    On the TrueSight Server Automation - Data Warehouse server, start the Administration console of Authentication Server:

    • (Windows) At the command prompt, change to the <TSSADW_installation_directory>\bin directory and run the following command:

      blasadmin
    • (UNIX) At the command prompt, change to the <TSSADW_installation_directory>/br directory and run the following command:
      blasadmin

  2. Run the following commands:

    set PkiAuth IsEnabled true
    set PkiAuth TruststorePathname <pki keystore filename>
    set PkiAuth TruststoreType JKS
    set PkiAuth TruststorePassword <pki keystore password>
    set PkiAuth UseCommon true
    syncfile
  3. Exit the blasadmin utility.

Configuring Tomcat for PKI authentication

Do the following:

  1. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.

  2. Navigate to the following directory: <TSSADW_installation_directory>\tomcat\conf
  3. Do the following:
    1. Get the blenc hash for the PKI keystore password by running the following command:

      <TSSA-DWInstallationDirectory>\bin\blenc.exe <pki keystore password>

      Example (Windows):

      "C:\Program Files\BMC Software\TSSA-DW\bin\blenc.exe" password

      Example (Linux):

      /opt/bmc/TSSA-DW/bin/blenc password
    2. Note the encrypted password after BLencrypt: in the output.

    3. In a text editor, open the server.xml file.

    4. Modify the following parameters in the SSL connector block:

      • truststoreFile="<TSSADW_installation_directory>/br/PkiTrustStore.jks"
      • trustStorePass="<pki keystore password in blenc>"
      • clientAuth="true"
        For example:
        (Windows)

        <Connector port="9443"
            SSLEnabled="true"
            sslEnabledProtocols="TLSv1.2"
            protocol="com.bmc.bbds.security.Http11NioProtocol"
            maxHttpHeaderSize="8192"
            maxThreads="150"
            minSpareThreads="25"
            enableLookups="false"
            disableUploadTimeout="true"
            acceptCount="100"
            scheme="https"
            secure="true"
            keystoreFile="C:\PROGRA~1\BMCSOF~1\TSSA-DW\tomcat\conf\bdsSslCertificate.cert"
            keystorePass="<password>"
            truststoreFile="C:\PROGRA~1\BMCSOF~1\TSSA-DW\br\PkiTrustStore.jks"
            trustStorePass="<The password used for the truststore in the blenc format>"
            clientAuth="true"
            sslProtocol="TLS"
            ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

        (Linux)

        <Connector port="9443"
            SSLEnabled="true"
            sslEnabledProtocols="TLSv1.2"
            protocol="com.bmc.bbds.security.Http11NioProtocol"
            maxHttpHeaderSize="8192"
            maxThreads="150"
            minSpareThreads="25"
            enableLookups="false"
            disableUploadTimeout="true"
            acceptCount="100"
            scheme="https"
            secure="true"
            keystoreFile="/opt/bmc/TSSA-DW/tomcat/conf/bdsSslCertificate.cert"
            keystorePass="<password>"
            truststoreFile="/opt/bmc/TSSA-DW/br/PkiTrustStore.jks"
            trustStorePass="<The password used for the truststore in the blenc format>"
            clientAuth="true"
            sslProtocol="TLS"
            ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

    5. Save the server.xml file.

  4. Restart the following services:
    • TrueSight Server Automation - Data Warehouse
    • Authentication Server
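
A check for the server.xml edits in step 3, as an added example that is not part of BMC's documentation: it reads the connector that has SSLEnabled="true" and reports whether truststoreFile, trustStorePass and clientAuth are set as described. The function names and the sample connector are assumptions; it also warns when the cipher list names a 3DES suite, as the example connectors above do.

```sh
# Added example: check the SSL connector in server.xml for the PKI settings
# described above. Assumes XML comments begin and end on lines of their own.
# ssl_connector [FILE]: print the first <Connector> with SSLEnabled="true".
ssl_connector() {
    awk '/<!--/       { c = 1 }
         c            { if (/-->/) c = 0; next }
         /<Connector/ { buf = ""; on = 1 }
         on           { buf = buf $0 "\n" }
         on && />/    { if (buf ~ /SSLEnabled="true"/) { printf "%s", buf; exit }
                        on = 0 }' "$@"
}
# attr NAME: read a connector on stdin and print the value of NAME="...".
attr() {
    sed -n -E "s/(^|.*[[:space:]])$1=\"([^\"]*)\".*/\2/p" | head -n 1
}
# check_pki_connector [FILE]: one line per finding; returns 1 on any FAIL.
check_pki_connector() {
    conn=$(ssl_connector "$@"); rc=0
    [ -n "$conn" ] || { echo 'FAIL no connector with SSLEnabled="true"'; return 1; }
    for name in truststoreFile trustStorePass; do
        if [ -n "$(printf '%s\n' "$conn" | attr "$name")" ]; then
            echo "OK   $name is set"
        else
            echo "FAIL $name is missing or empty"; rc=1
        fi
    done
    if [ "$(printf '%s\n' "$conn" | attr clientAuth)" = "true" ]; then
        echo "OK   clientAuth is true"
    else
        echo "FAIL clientAuth is not true: no client certificate is required"; rc=1
    fi
    case "$(printf '%s\n' "$conn" | attr ciphers)" in
        *3DES*) echo "WARN ciphers lists a 3DES suite (64-bit block cipher)" ;;
    esac
    return "$rc"
}
# Constructed sample, not a real server.xml: clientAuth was left at "false".
sample_server_xml() {
    cat <<'EOF'
<Connector port="9080" protocol="HTTP/1.1"/>
<!-- <Connector port="8443" SSLEnabled="true" clientAuth="true"/> -->
<Connector port="9443" SSLEnabled="true"
  truststoreFile="/opt/bmc/TSSA-DW/br/PkiTrustStore.jks"
  trustStorePass="CONSTRUCTED-BLENC-VALUE" clientAuth="false"
  ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
EOF
}

sample_server_xml | check_pki_connector || echo "connector needs changes"
```

To check a real installation, pass the path of server.xml in the tomcat/conf directory as the argument to check_pki_connector before restarting the services.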