Configuring a realm for certificate-based authentication

After you have configured SSL for the Tomcat server on which Remedy Single Sign-On is hosted, you need to configure a realm for certificate-based authentication in the Remedy SSO console.  

Before you begin

Add a realm and configure its general settings. For more information on realm configuration, see Configuring Realms.

To configure certificate-based authentication

1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication .

2. In the Authentication Type field, click CERT.

3. Enter the following certificate-based authentication details.

   
   

   Field	Description
   User ID	This field is used to get the user ID from the client certificate. If you select Custom Attribute, you must save the information and edit the realm again to provide the name or OID of the attribute. The maximum length for the User ID field is 80 characters. If the User ID value exceeds 80 characters after transformation, it causes a redirection loop when the user tries to access the integrated Remedy applications and the browser shows the 'Page cannot be displayed' message.
   User ID Attribute	You must complete this field only if you selected Custom Attribute value for User ID. Enter attribute name or OID value.
   Forwarded Certificate	Select this option if the following conditions are met: The client certificate chain is passed through HTTP headers. The load balancer or reverse proxy is used in front of Tomcat servers, and SSL termination is done on the load balancer or the reverse proxy. When you select this option, you must enter the HTTP header names in the HTTP Header Name field.
   HTTP Header Name	The HTTP header names construct the certificate chain. Enter comma separated header names following the same order as client certificate chain from the end-entity certificate to the root CA certificate: Forward client certificate example # this option is mandatory to force apache to forward the client cert data to tomcat SSLOptions +ExportCertData RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s" RequestHeader set X-Client-Cert-Chain-0 "%{SSL_CLIENT_Chain_0}s" RequestHeader set X-Client-Cert-Chain-1 "%{SSL_CLIENT_Chain_1}s"

4. (Optional) To transform the user ID obtained from the client, select a value in the User ID Transformation field. See Transforming User ID to match Login ID.
5. (Optional) Select the Enable AR authentication for bypass check box to enable bypass URL to authenticate against AR. 
   For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR authentication for bypassing other authentication methods.
6. (Optional) Click Enable Chaining Mode and perform steps to enable authentication chaining. For more information about the authentications that you can chain with cert-based authentication, see Enabling authentication chaining mode.

7. Click Save.

Where to go from here 

Validating a certificate