Troubleshooting CAC authentication

If authentication fails, there are several log directories and several debug methods that you can use to resolve issues. If you discover that a certificate is not in the truststore, import the certificate into the keystore.

• With the default logging level, check for errors in the normal BMC Atrium Single Sign-On log files in the logs directory: <installationDirectory>\AtriumSSO\tomcat\logs
• Check the Authentication file in the logs directory after setting the logging level to Message: <installationDirectory>\AtriumSSO\tomcat\logs
• Check the Authentication directory: BMC Atrium SSO \WEB-INF\config\Atrium SSO\logs\Authentication
• Change the clientAuth setting in the Tomcat server.xml configuration file to True.
• Turn on network debug logging.
• Check the BMC Atrium Single Sign-On truststore to verify that the certificate has been imported or that the Issuer (in other words, the Signer) certificate has been imported.

The following troubleshooting topics are addressed here:

• Example of a default logging level error
• Example of a debug log error when a certificate is not available
• Changing the clientAuth setting
• Turning on network debug logging
• Example of a client not responding with a certificate
• Example of a client sending a certificate
• Example of a list of certificates sent to the client
• Example of URL certificate authentication not enabled
• Example of OCSP certificate failure
• Clock skew too great for CAC authentication