This documentation supports the 19.11 version of BMC Remedy Single Sign-On, which is available only to BMC Helix subscribers (SaaS).


Configuring the Tomcat server for certificate-based authentication

To configure certificate-based authentication for your realm, the first task you need to complete is to configure the Tomcat server that hosts the Remedy SSO server to do the following:

  • Ask clients for CA certificates
  • Add CA certificates to the truststore

In a high availability deployment where a load balancer performs SSL termination, the load balancer (not Tomcat) asks clients for certificates, so Tomcat does not need this configuration.


Before you begin

Configure SSL for Tomcat installed on the Remedy SSO server. For information about how to do this, refer to the Configure SSL online documentation.

To configure the Tomcat server to ask clients for certificates

  1. Stop the Apache Tomcat server that is being used for Remedy SSO.
  2. Open the <TomcatInstallationDirectory>/conf/server.xml file and modify the <Connector> tag.

  3. Set the clientAuth attribute to want, as shown in the following example:

<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS"
    keystoreFile="conf/cert/server-keystore.jks"
    keystorePass="changeit"
    truststoreFile="conf/cert/server-truststore.jks"
    truststorePass="changeit" />

Important

Do not set the clientAuth attribute to true. That value makes it mandatory for every client to present a trusted certificate to the server, which might break communication between the Remedy SSO server and a Remedy SSO agent.
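The following audit script is an added example, not part of the BMC documentation or product. It parses a constructed server.xml (the first connector mirrors the snippet above; the other two are invented to show the failure cases) and reports, for every SSL-enabled Connector, whether clientAuth is "want", whether it is the "true" value the note warns against, whether a truststoreFile is configured at all, and whether the keystore still uses the JDK's default password. The audit_file helper and its path are assumptions for use against a real conf/server.xml.

```python
"""Audit the SSL connectors in a Tomcat server.xml for the clientAuth setting
discussed above.

Added example (not BMC's code). The server.xml below is constructed: the first
connector mirrors the page's snippet, the second and third are invented to show
the cases the audit flags.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- as on the page: asks for a client certificate but does not require one -->
    <Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="want" sslProtocol="TLS"
        keystoreFile="conf/cert/server-keystore.jks"
        keystorePass="changeit"
        truststoreFile="conf/cert/server-truststore.jks"
        truststorePass="changeit" />
    <!-- constructed: the setting the page warns against, and no truststore -->
    <Connector port="18444" protocol="HTTP/1.1" SSLEnabled="true"
        scheme="https" secure="true" clientAuth="true"
        keystoreFile="conf/cert/server-keystore.jks" keystorePass="changeit" />
    <!-- constructed: plain HTTP, so client certificates do not apply -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  </Service>
</Server>
"""

JDK_DEFAULT_PASSWORD = "changeit"  # the JDK's well-known default keystore password


def audit_connectors(server_xml: str) -> List[Dict]:
    """Return one finding per SSL-enabled <Connector>.

    Only connector-level attributes (the form used on the page) are inspected;
    a nested <SSLHostConfig> element is not parsed here.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: TLS client auth does not apply
        client_auth = conn.get("clientAuth", "false").lower()
        issues = []
        if client_auth == "true":
            issues.append("clientAuth=true: a trusted client certificate becomes "
                          "mandatory, which can break Remedy SSO server/agent traffic")
        elif client_auth != "want":
            issues.append("clientAuth is not 'want': clients are never asked "
                          "for a certificate")
        if not conn.get("truststoreFile"):
            issues.append("no truststoreFile: the server has no CA list to present "
                          "to clients, so certificate-based login cannot work")
        uses_default_pw = JDK_DEFAULT_PASSWORD in (conn.get("keystorePass"),
                                                   conn.get("truststorePass"))
        findings.append({
            "port": conn.get("port"),
            "clientAuth": client_auth,
            "issues": issues,
            "default_password": uses_default_pw,
        })
    return findings


def audit_file(path: str) -> List[Dict]:
    """Convenience wrapper for a real <TomcatInstallationDirectory>/conf/server.xml
    (path is an assumption; adjust to your installation)."""
    with open(path, encoding="utf-8") as fh:
        return audit_connectors(fh.read())


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "CHECK"
        print(f"port {f['port']}: clientAuth={f['clientAuth']} [{status}]")
        for issue in f["issues"]:
            print("  -", issue)
        if f["default_password"]:
            print("  - keystore/truststore still uses the JDK default password")
```

Run it against the sample and the 18443 connector passes while 18444 is flagged twice; both report the default "changeit" password, which the snippet uses only as a placeholder and which should be replaced in a real deployment.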

Importing CA certificates to a truststore

You can import CA certificates to the following truststores as required:

  • Truststore of the Tomcat server (or the load balancer)—Used for certificate-based authentication. It lets the Tomcat server (or the load balancer) send the appropriate CA information to the client, so that the client returns only a certificate issued by a trusted CA.
  • Truststore used by Remedy SSO for certificate validation—Used if you want Remedy SSO to perform additional validation of the client certificate, such as an OCSP or CRL check. Certificate validation, including OCSP or CRL checks, might already be supported on the Tomcat server (or the load balancer). If all the necessary validations are already enabled there, you can skip the validation on the Remedy SSO server.

    Note

    If a client has intermediate certificates, they must be imported into the truststore as well.
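The following script is an added example (not BMC tooling) of the import described in this section and its note: it splits a PEM bundle that holds a client CA root plus its intermediates into individual certificates and imports each one under its own alias with the JDK keytool command, then lists the truststore so you can confirm the whole chain is present. The same procedure applies to either truststore named above. The bundle contents, the alias prefix and the truststore path are constructed assumptions; keytool must be on PATH for the import functions (the parsing and argument-building functions run without it).

```python
"""Import a client CA chain (root plus intermediates) into a JKS truststore.

Added example, not BMC's code. It drives the JDK keytool CLI; the PEM bundle,
alias prefix and truststore path below are assumptions for illustration.
"""
import re
import subprocess
import tempfile
from typing import List

# One PEM certificate block, including its BEGIN/END armour.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed bundle: two placeholder blocks standing in for a root CA and one
# intermediate. The base64 bodies are dummies, not real certificates.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBROOTDUMMY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBINTERMEDIATEDUMMY
-----END CERTIFICATE-----
"""


def split_pem_bundle(bundle: str) -> List[str]:
    """Return every certificate block in a PEM bundle, in file order.

    keytool -importcert takes a single certificate per -file, so a chain
    must be split before import; forgetting the intermediates is exactly
    the omission the page's note warns about.
    """
    return PEM_CERT_RE.findall(bundle)


def chain_aliases(bundle: str, alias_prefix: str = "client-ca") -> List[str]:
    """Alias assigned to each certificate in the bundle (index-based)."""
    return [f"{alias_prefix}-{i}" for i in range(len(split_pem_bundle(bundle)))]


def keytool_import_args(alias: str, cert_file: str,
                        truststore: str, password: str) -> List[str]:
    """argv for importing one CA certificate as a trusted entry.

    -noprompt skips the interactive "Trust this certificate?" question, so
    only run this on a bundle you have already verified out of band.
    """
    return ["keytool", "-importcert", "-trustcacerts", "-noprompt",
            "-alias", alias, "-file", cert_file,
            "-keystore", truststore, "-storepass", password]


def import_chain(bundle: str, truststore: str, password: str,
                 alias_prefix: str = "client-ca") -> List[str]:
    """Write each certificate to a temp file and import it; returns the aliases."""
    certs = split_pem_bundle(bundle)
    if not certs:
        raise ValueError("bundle contains no PEM certificate blocks")
    imported = []
    for alias, pem in zip(chain_aliases(bundle, alias_prefix), certs):
        with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as tmp:
            tmp.write(pem + "\n")
        subprocess.run(keytool_import_args(alias, tmp.name, truststore, password),
                       check=True)
        imported.append(alias)
    return imported


def list_truststore(truststore: str, password: str) -> str:
    """keytool -list output, used to confirm every alias of the chain is present."""
    result = subprocess.run(
        ["keytool", "-list", "-keystore", truststore, "-storepass", password],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Assumed paths: the truststore named in the page's Connector example.
    store, pw = "conf/cert/server-truststore.jks", "changeit"
    with open("client-ca-chain.pem", encoding="utf-8") as fh:  # assumed input file
        aliases = import_chain(fh.read(), store, pw)
    listing = list_truststore(store, pw)
    for alias in aliases:
        print(alias, "present" if alias in listing else "MISSING")
```

Each certificate gets an index-based alias so a re-run with a longer bundle does not silently overwrite an existing entry; after the import, compare the keytool -list output against the aliases you expected so a dropped intermediate is caught before clients start failing the handshake.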

Where to go from here

Configuring a realm for certificate-based authentication
