Configuring the Tomcat server for certificate-based authentication
To configure certificate-based authentication for your realm, the first task you need to complete is to configure the Tomcat server that hosts the Remedy SSO server to do the following:
- Request a certificate from connecting clients during the TLS handshake
- Trust the CAs that issue those client certificates, by adding the CA certificates to the truststore
In high availability mode, if you are using a load balancer and SSL termination is done on the load balancer, the load balancer (not Tomcat) is the endpoint that requests the client certificate and holds the truststore, so there is no need to configure Tomcat.
Before you begin
Configure SSL for the Tomcat instance installed on the Remedy SSO server. For information about how to do this, refer to the Apache Tomcat online documentation.
To configure the Tomcat server to ask clients for certificates
- Stop the Apache Tomcat server that is being used for Remedy SSO.
- Open the <TomcatInstallationDirectory>/conf/server.xml file and set the clientAuth attribute of the HTTPS Connector to want, as in the following example:
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
    scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
    keystoreFile="conf/cert/server-keystore.jks" keystorePass="changeit"
    truststoreFile="conf/cert/server-truststore.jks" truststorePass="changeit" />
With clientAuth="want", Tomcat asks every client for a certificate but still accepts the connection when none is presented; Remedy SSO then authenticates the clients that did present one. Replace the changeit placeholder passwords with the real keystore and truststore passwords before starting the server. On Tomcat 8.5 and later, where the SSL settings live on the SSLHostConfig element, the equivalent setting is certificateVerification="optional".
Do not set the clientAuth attribute to true. That makes a trusted client certificate mandatory on every connection to the connector, which can break communication between the Remedy SSO server and a Remedy SSO agent that does not present one.
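Both settings above (request a client certificate without requiring one, and point the connector at the truststore that holds the issuing CA) fail silently when they are wrong: Tomcat starts, but either no client is ever asked for a certificate or every agent connection is rejected. The following script is an added example, not part of the Remedy SSO documentation or product, that audits a server.xml for exactly these points. The three server.xml fragments are constructed for the example; the first is the connector shown above with the clientAuth="true" mistake, the second is the corrected form, and the third is the Tomcat 8.5+ SSLHostConfig form, where certificateVerification="optional" corresponds to clientAuth="want". The finding codes are this example's own naming, not Tomcat or Remedy SSO terms.

```python
"""Audit a Tomcat server.xml for the client-certificate settings that
certificate-based authentication needs: every SSLEnabled connector should
request a client certificate without requiring one and should name the
truststore that holds the issuing CA chain. Standard library only."""
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "changeit"  # JDK/Tomcat placeholder; never keep it in production

# Password attributes on the legacy Connector form (keystorePass, truststorePass)
# and on the Tomcat 8.5+ SSLHostConfig/Certificate form.
PASSWORD_ATTRS = ("keystorePass", "truststorePass",
                  "truststorePassword", "certificateKeystorePassword")

# Constructed sample 1: the page's connector, but with clientAuth="true",
# which forces every client (including Remedy SSO agents) to present a certificate.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
  scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
  keystoreFile="conf/cert/server-keystore.jks" keystorePass="changeit"
  truststoreFile="conf/cert/server-truststore.jks" truststorePass="changeit" />
</Service></Server>"""

# Constructed sample 2: the corrected connector (clientAuth="want", real passwords).
FIXED_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
  scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
  keystoreFile="conf/cert/server-keystore.jks" keystorePass="k3ystore-secret"
  truststoreFile="conf/cert/server-truststore.jks" truststorePass="trust-secret" />
</Service></Server>"""

# Constructed sample 3: Tomcat 8.5+ form; certificateVerification="optional" is the
# equivalent of clientAuth="want", but the truststore password was left at the default.
NEW_STYLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="18443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig certificateVerification="optional"
      truststoreFile="conf/cert/server-truststore.jks" truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/cert/server-keystore.jks"
      certificateKeystorePassword="k3ystore-secret" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""


def _password_findings(elements):
    """Flag the first element that still carries the placeholder password."""
    for el in elements:
        if any(el.get(attr) == DEFAULT_PASSWORD for attr in PASSWORD_ATTRS):
            return ["default-password"]
    return []


def audit_connector(conn):
    """Return a list of finding codes for one SSLEnabled Connector element."""
    findings = []
    host_cfg = conn.find("SSLHostConfig")
    if host_cfg is not None:
        # Tomcat 8.5+: certificateVerification on SSLHostConfig replaces clientAuth.
        mode = host_cfg.get("certificateVerification", "none")
        if mode == "required":
            findings.append("client-cert-required")       # same problem as clientAuth="true"
        elif mode == "none":
            findings.append("client-cert-not-requested")
        elif mode == "optionalNoCA":
            findings.append("client-cert-not-verified")   # requested but not checked against the truststore
        elif mode != "optional":
            findings.append("unknown-verification-mode")
        if host_cfg.get("truststoreFile") is None:
            findings.append("no-truststore")              # Tomcat would fall back to the JVM cacerts
        findings += _password_findings([host_cfg] + host_cfg.findall("Certificate"))
    else:
        # Legacy form: clientAuth on the Connector, values true / want / false.
        mode = conn.get("clientAuth", "false").lower()
        if mode == "true":
            findings.append("client-cert-required")
        elif mode == "false":
            findings.append("client-cert-not-requested")
        elif mode != "want":
            findings.append("unknown-verification-mode")
        if conn.get("truststoreFile") is None:
            findings.append("no-truststore")
        findings += _password_findings([conn])
    return findings


def audit_server_xml(xml_text):
    """Map each SSLEnabled connector's port to its finding codes (empty list = clean)."""
    root = ET.fromstring(xml_text)
    return {conn.get("port", "?"): audit_connector(conn)
            for conn in root.iter("Connector")
            if conn.get("SSLEnabled", "false").lower() == "true"}


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML),
                           ("tomcat-8.5+", NEW_STYLE_SERVER_XML)):
        print(name, audit_server_xml(xml_text))
```

Run it against the real <TomcatInstallationDirectory>/conf/server.xml by reading the file into audit_server_xml; a connector that reports client-cert-required is the one that will break agent communication, and no-truststore means Tomcat is trusting the JVM's default cacerts rather than the CA you intended.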
Importing CA certificates to a truststore
You can import CA certificates to the following truststores as required:
- Truststore of the Tomcat server (or the load balancer)—Used for certificate-based authentication. During the TLS handshake the Tomcat server (or the load balancer) sends the client the list of CAs it trusts, taken from this truststore, so that the client offers only a certificate issued by one of those CAs.
- Truststore used by Remedy SSO for certificate validation—Used if you want Remedy SSO to perform additional validation of the client certificate, such as an OCSP or CRL check. Certificate validation including OCSP or CRL checks may also be supported on the Tomcat server (or the load balancer). If all the necessary validations are already enabled on the Tomcat server (or the load balancer), you can skip the validation on the Remedy SSO server.
If the client certificates are issued by an intermediate CA, import the intermediate CA certificates into the truststore as well, so that the truststore holds the complete chain up to the root CA.