Troubleshooting CAC authentication
If authentication fails, there are several log directories and several debug methods that you can use to resolve issues. If you discover that a certificate is not in the truststore, import the certificate into the keystore.
- With the default logging level, check for errors in the normal BMC Atrium Single Sign-On log files in the logs directory: <installationDirectory>\AtriumSSO\tomcat\logs
- Check the Authentication file in the logs directory after setting the logging level to Message: <installationDirectory>\AtriumSSO\tomcat\logs
- Check the Authentication directory: BMC Atrium SSO \WEB-INF\config\Atrium SSO\logs\Authentication
- Change the clientAuth setting in the Tomcat server.xml configuration file to True.
- Turn on network debug logging.
- Check the BMC Atrium Single Sign-On truststore to verify that the certificate has been imported or that the Issuer (in other words, the Signer) certificate has been imported.
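One way to carry out the truststore check in the last item, as an added example that is not BMC's own code: it reads the text printed by the JDK `keytool -list -v -keystore <truststore>` command and reports which trusted entries have an Owner equal to the Issuer of the failing client certificate. The listing, aliases, DNs, and function names are constructed for illustration; supply the truststore path and password for your own installation.

```python
import re

# Constructed sample of `keytool -list -v` output; aliases and DNs are made up.
SAMPLE_LISTING = """\
Your keystore contains 3 entries

Alias name: example-root
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
*******************************************

Alias name: example-issuing-ca-1
Entry type: trustedCertEntry

Owner: CN=Example Issuing CA 1, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
*******************************************

Alias name: sso-server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sso.example.test, O=Example, C=US
Issuer: CN=Example Issuing CA 1, O=Example, C=US
"""

FIELDS = {"Alias name": "alias", "Entry type": "type",
          "Owner": "owner", "Issuer": "issuer"}

def normalize_dn(dn):
    """Ignore case and spacing around separators so equal DNs compare equal."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).casefold()

def parse_entries(listing):
    """One dict per keystore entry, keeping the first Owner/Issuer of each."""
    entries = []
    for line in listing.splitlines():
        label, sep, value = line.partition(": ")
        if not sep or label not in FIELDS:
            continue
        if label == "Alias name":
            entries.append({})      # every entry starts with its alias line
        if entries:
            entries[-1].setdefault(FIELDS[label], value.strip())
    return entries

def trusted_aliases_for_issuer(listing, issuer_dn):
    """Aliases of trustedCertEntry items whose Owner is the client cert's Issuer."""
    wanted = normalize_dn(issuer_dn)
    return [e["alias"] for e in parse_entries(listing)
            if e.get("type") == "trustedCertEntry"
            and normalize_dn(e.get("owner", "")) == wanted]
```

An empty result means no trusted entry carries that Issuer name. A DN match is only a first pass, so confirm a hit by comparing the certificate fingerprints that `keytool` prints for the entry.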
The following troubleshooting topics are addressed here:
- Example of a default logging level error
- Example of a debug log error when a certificate is not available
- Changing the clientAuth setting
- Turning on network debug logging
- Example of a client not responding with a certificate
- Example of a client sending a certificate
- Example of a list of certificates sent to the client
- Example of URL certificate authentication not enabled
- Example of OCSP certificate failure
- Clock skew too great for CAC authentication