2018-03-08_23-45-50_Certificate-based authentication process
Remedy Single Sign-On (Remedy SSO) supports certificate-based authentication starting from release 9.1.01. To use certificate-based authentication, you must ensure that:
- Client has a valid Public Key Certificate
- SSL support is configured for the server
- Client authentication is configured on the server
The following image shows the tasks that you need to perform to configure the certificate-based authentication in Remedy SSO.
Configuring the Tomcat server to ask clients for certificates
If you are using a load balancer and SSL termination is done on the load balancer, there is no need to configure the Tomcat server. If you are not using a load balancer, you must configure the Tomcat server that hosts the Remedy SSO application to ask clients for certificates. You must also configure the Tomcat server truststore with trusted CA certificates.
- Stop the Apache Tomcat server that is being used for Remedy SSO.
- Open the <TomcatInstallationDirectory>/conf/server.xml file and modify the <Connector> tag.
- Set the clientAuth attribute to want as specified in the following code block.
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="want" sslProtocol="TLS" keystoreFile="conf/cert/server-keystore.jks" keystorePass="changeit" truststoreFile="conf/cert/server-truststore.jks" truststorePass="changeit" />
Do not set the clientAuth attribute to true, because it then becomes mandatory for the client to provide a trusted certificate to the server, which might break certain communication between Remedy SSO and an agent.
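As an added example that is not part of the BMC documentation, the following Python check audits the SSL-enabled <Connector> elements of a server.xml for the settings described above (clientAuth must be want, not true; a truststore must be configured) and flags the default keystore password. The sample server.xml is constructed here and uses the attribute style shown in the page, not the nested SSLHostConfig style of newer Tomcat releases.

```python
"""Audit a Tomcat server.xml for the client-certificate settings used by Remedy SSO."""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal server.xml containing the connector from the page.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="18443" />
    <Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="want" sslProtocol="TLS"
               keystoreFile="conf/cert/server-keystore.jks" keystorePass="changeit"
               truststoreFile="conf/cert/server-truststore.jks" truststorePass="changeit" />
  </Service>
</Server>
"""


def audit_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every SSL-enabled <Connector>.

    An empty findings list means the connector matches the guidance:
    clientAuth="want", a truststoreFile is set, and no default passwords.
    """
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors cannot request a client certificate
        port = conn.get("port", "?")
        findings = []
        client_auth = conn.get("clientAuth", "false").lower()
        if client_auth == "true":
            findings.append("clientAuth=true makes a client certificate mandatory; use want")
        elif client_auth != "want":
            findings.append(f"clientAuth={client_auth!r}: server never asks for a client certificate")
        if not conn.get("truststoreFile"):
            findings.append("no truststoreFile: trusted CA certificates are not configured")
        for attr in ("keystorePass", "truststorePass"):
            if conn.get(attr) == "changeit":
                findings.append(f"{attr} is the default 'changeit'")
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["OK"])
```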
Before you begin
- The required digital certificate field name to get the user ID from the client certificate.
- Custom responder URI if you want to enable OCSP validation.
- Custom CRL DP URI if you want to enable CRL validation.
- (Optional) Click Enable Chaining Mode and perform the following steps to enable authentication chaining. For more information about the authentications that you can chain with cert-based authentication, see 2018-03-08_23-43-50_Authentication chaining.
- Click Add Authentication.
- Select the required authentication type and enter the authentication details.
- Repeat Step a through Step b to add more authentications for the realm.
Certificate-based authentication parameters
Importing CA certificates to a truststore
You can import CA certificates on the following two truststores as required:
- Truststore of the Tomcat server or the load balancer: Used for certificate-based authentication; it enables the Tomcat server or the load balancer to send appropriate information to the client so that the client returns only a trusted certificate.
- Truststore used by Remedy SSO for certificate validation: Used if you want Remedy SSO to perform extra validation on the client certificate, such as an OCSP or CRL check. Certificate validation including an OCSP or CRL check might be supported on the Tomcat server or the load balancer. If all the necessary validations are already enabled on the Tomcat server or the load balancer, you can skip the validation at the Remedy SSO level.
If the customer has intermediate certificates, they must be imported into the truststore as well.