This documentation supports the 19.02 version of Remedy Single Sign-On.

Certificate-based authentication process

Remedy Single Sign-On (Remedy SSO) supports certificate-based authentication. To use the certificate-based authentication, you must ensure that:

  • Client has a valid Public Key Certificate
  • SSL support is configured for the server
  • Client authentication is configured on the server

The following image shows the tasks that you need to perform to configure the certificate-based authentication in Remedy SSO.

[Image: CertificateBasedAuthentication]

Configuring the Tomcat server to ask clients for certificates

If you are using a load balancer and SSL termination is done on the load balancer, there is no need to configure the Tomcat server. If you are not using a load balancer, you must configure the Tomcat server that hosts the Remedy SSO application to ask clients for certificates. You must also configure the Tomcat server truststore with trusted CA certificates.

  1. Stop the Apache Tomcat server that is being used for Remedy SSO.
  2. Open the <TomcatInstallationDirectory>/conf/server.xml file and modify the <Connector> tag.
  3. Set the clientAuth attribute to want as specified in the following code block.
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="conf/cert/server-keystore.jks"
           keystorePass="changeit"
           truststoreFile="conf/cert/server-truststore.jks"
           truststorePass="changeit" />

Important

Do not set the clientAuth attribute to true. With clientAuth="true", every client must present a certificate that the server trusts, which might break certain communication between Remedy SSO and an agent.
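As an added check that is not part of the BMC documentation, the following Python script audits the SSL-enabled <Connector> elements of a server.xml against the two points above: clientAuth must be want (not true, not absent) and a truststoreFile must be configured. It goes beyond the page by also reading the Tomcat 8.5+ <SSLHostConfig certificateVerification="..."> form; the sample server.xml is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: port 18443 is configured as this page
# recommends, 8443 uses the mandatory setting the Important note warns
# against, 9443 has no truststore, and 8080 is plain HTTP.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
        clientAuth="want" sslProtocol="TLS"
        keystoreFile="conf/cert/server-keystore.jks" keystorePass="changeit"
        truststoreFile="conf/cert/server-truststore.jks" truststorePass="changeit"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
        clientAuth="true" keystoreFile="conf/cert/server-keystore.jks"
        truststoreFile="conf/cert/server-truststore.jks"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
        clientAuth="want" keystoreFile="conf/cert/server-keystore.jks"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Tomcat 8.5+ expresses client authentication on <SSLHostConfig> with
# certificateVerification; map it onto the legacy clientAuth values.
_VERIFICATION_TO_CLIENT_AUTH = {
    "required": "true", "optional": "want", "optionalNoCA": "want", "none": "false",
}


def audit_connectors(xml_text):
    """Return {port: [problem, ...]} for every SSL-enabled Connector."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: nothing to check
        host_cfg = conn.find("SSLHostConfig")
        if host_cfg is not None:
            verification = host_cfg.get("certificateVerification", "none")
            client_auth = _VERIFICATION_TO_CLIENT_AUTH.get(verification, "false")
            truststore = host_cfg.get("truststoreFile")
        else:
            client_auth = conn.get("clientAuth", "false")
            truststore = conn.get("truststoreFile")
        problems = []
        if client_auth == "true":
            problems.append("clientAuth is mandatory (true); set it to want")
        elif client_auth != "want":
            problems.append("clientAuth is not want; clients will not be asked for certificates")
        if not truststore:
            problems.append("no truststoreFile; trusted CA certificates are not configured")
        findings[conn.get("port")] = problems
    return findings


if __name__ == "__main__":
    for port, problems in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not problems else "; ".join(problems))
```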

Configuring the certificate-based authentication

Before you begin

  • Ensure that you have performed the Remedy SSO server configuration. For more information on server configuration, see Configuring the Remedy SSO server.
  • Configure a realm for the authentication. For more information on realm configuration, see Configuring Realms.
  • Obtain the following information:
    • The name of the digital certificate field from which the user ID is read from the client certificate.
    • Custom responder URI if you want to enable OCSP validation.
    • Custom CRL DP URI if you want to enable CRL validation.

To configure certificate-based authentication

  1. (Optional) Click Enable Chaining Mode and perform the following steps to enable authentication chaining. For more information about the authentications that you can chain with cert-based authentication, see Authentication chaining.
    a. Click Add Authentication.
    b. Select the required authentication type and enter the authentication details.
    c. Repeat Step a through Step b to add more authentications for the realm.

Importing CA certificates to a truststore

You can import CA certificates on the following two truststores as required:

  • Truststore of the Tomcat server or the load balancer: Used for certificate-based authentication. It enables the Tomcat server or the load balancer to send the list of trusted issuers to the client, so that the client returns only a certificate issued by a trusted CA.
  • Truststore used by Remedy SSO for certificate validation: Used if you want Remedy SSO to perform an extra validation on the client certificate, such as an OCSP or CRL check. Certificate validation including the OCSP or CRL check might already be supported on the Tomcat server or the load balancer. If all the necessary validations are already enabled on the Tomcat server or the load balancer, you can skip the validation at the Remedy SSO level.

    Note

    If the customer has intermediate certificates, they must also be imported into the truststore.

Related topics

Transforming User ID to match Login ID

Troubleshooting authentication issues
