Setting up Certificate-based authentication in Remedy SSO

Remedy Single Sign-On (Remedy SSO) supports certificate-based authentication. To use the certificate-based authentication, you must ensure that:

  • Client has a valid Public Key Certificate
  • SSL support is configured for the server
  • Client authentication is configured on the server

The following topics help you to perform the above tasks in Remedy SSO and create an authorization profile in the TrueSight console:


Related topics

Configuring tenants in Remedy SSO

To enable multi-tenancy in Presentation Server

Managing authorization profiles

Role-based access Open link

Before you begin

  • You must have installed and configured the Remedy SSO to work with the Presentation Server and its component products. For details, see  Planning to deploy Remedy SSO Open link  and  Installing Remedy Single Sign-On. Open link
  • You must have created an equivalent local user(and its associated local usergroup) for every Certificate-based authentication user that needs to log into the Presentation Server. This is required because the Remedy SSO server cannot obtain usergroup information from the Certificate identify provider for the successfully logged in Certificate-based authentication user. Therefore, you need to create an equivalent local user with the exact name as the Certificate-based authentication user and associate that local user with the desired local usergroup. For details on creating local users and usergroups in Remedy SSO using the import utility, perform the  Migrating internal user data from Atrium SSO to Remedy SSO Open link  procedure.
  • You must have added a non-default tenant (realm) in addition to the default * tenant (realm). Configuring tenants for the Presentation Server in Remedy SSO.
  • You must have configured a multi-tenant environment by enabling the msp parameter. For enabling multi-tenancy, see To enable multi-tenancy in Presentation Server.

    Note

    Certificate-based authentication cannot be configured using the * (default realm) tenant.

  • Configure a realm for the authentication. For more information on realm configuration, see Configuring Realms.

  • Configuring the Tomcat server for certificates. Open link

  • Obtain the following information:
    • The required digital certificate filed name to get the user ID from the client certificate.
    • Custom responder URI if you want to enable OCSP validation.
    • Custom CRL DP URI if you want to enable CRL validation.

Configuring the certificate-based authentication in Remedy SSO for the TrueSight Presentation Server

Perform the following tasks to configure the certificate based authentication to work with TrueSight Presentation Server:

To configure the certificate-based authentication in Remedy SSO for the TrueSight Presentation Server

  1. Specify the Certificate-based authentication details. For more information on parameters, see Certificate-based authentication parameters.

    Important

    When you configure the Certificate-based authentication parameters for the Presentation Server, you must set the User ID Transformation field as required based on the User ID you selected. For example, if your User ID Format value is Email, you must set the User ID Transformation to RemoveEmailDomain.

  2. Click Save.
  3. Click Add Authentication.
  4. In the Authentication Type field, click LOCAL.
  5. Enter the LOCAL details. For more information on parameters, see LOCAL authentication parameters.
  6. Create users and user groups for the LOCAL authentication. 
    The users in LOCAL should be exactly same as the users in CERT identity provider.
    Alternatively, the users can also be created using import script under the migration utility.
  7. Associate users to the user groups.
  8. Click Save.

Important

 Add the LOCAL authentication entry below the Certificate-based authentication entry, and do not promote or move the LOCAL entry above the Certificate-based authentication entry.

Notes

Certificate-based authentication parameters

FieldDescription
User ID

Field that is used to get the user ID from the client certificate. If you select Custom Attribute, you must save the information and edit the realm again to provide the name or OID of the attribute.

The maximum length for the User ID field is 80 characters. If the User ID field exceeds 80 characters after transformation, it causes a redirection loop when the user tries to access the integrated Remedy applications and the browser shows the 'Page cannot be displayed' message.

Forwarded Certificate

The HTTP header names to construct the certificate chain. Select this option if the client certificate chain is passed through HTTP headers and when the load balancer or reverse proxy is used in front of Tomcat servers and SSL termination is done on the load balancer or the reverse proxy.

If you select this option, you must enter the HTTP header names in the HTTP Header Name field. Header Names is a comma separated header names following the same order as client certificate chain from the end-entity certificate to the root CA certificate.

Forward client certificate example
# this option is mandatory to force apache to forward the client cert data to tomcat
  SSLOptions +ExportCertData
 
  RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
  RequestHeader set X-Client-Cert-Chain-0 "%{SSL_CLIENT_Chain_0}s"
  RequestHeader set X-Client-Cert-Chain-1 "%{SSL_CLIENT_Chain_1}s"
Enable Validation

Enables certificate validation. If you select this option, you can select from the following validation options:

  • Trusted Certificates
  • OSCP
  • CRL
  • OCSP/CRL Check On End-Entity Only

Client certificate chain is validated against the configured truststore when this option is selected.

Trusted Certificates

Specifies whether the system uses default or custom certificates.

If you select the Custom option, you must provide the truststore file and the truststore password. Ensure that you have already placed the truststore file on the server. For more information about importing CA certificates to truststore, see Importing CA certificates to a truststore  .

Truststore FileName or path of the truststore file. This field is available only when you select the Custom option in the Trusted Certificates field.
Truststore PasswordPassword for the truststore file. This field is available only when you select the Custom option in the Trusted Certificates field.
Enable OCSP

Enables OCSP check. If you select this option, you must enter the custom OCSP responder URI in the OCSP Responder URL field.

If you do not provide any OCSP responder URI, the system uses the OCSP responder URL that is specified in the certificate.

Enable CRLEnable CRL check. If you select this option, you must enter the custom CRL DP URI in the CRL DP URL field. You can provide a HTTP URI.
OCSP/CRL Check On End-Entity OnlyEnables the OCSP and CRL validation to be carried out only for end-entity certificate.

To create or edit an authorization profile with certificate-based authentication users in the Presentation Server

  1. Log in to the TrueSight console as a Super Admin.
  2. Navigate to Administration>Authorization Profiles.
  3. Create a new authorization profile or edit an existing authorization profile to associate the user groups.
  4. Select a tenant other than the * (asterisk) tenant that you configured in Remedy Single Sign-On for Certificate-based authentication users and select Edit under User Groups

    Note

    Do not select the * (asterisk) tenant for the Certificate-based authentication users.


  5. Click Add and select the Certificate-based authentication user group from the list of user groups.
  6. Select the required roles from the list roles.
  7. (Optional) Select the required objects from the list of object.
  8. Select OK and then Save.
  9. Select Yes to confirm changes to the authorization profile.
  10. Log out of the TrueSight console.
  11. Log in to the TrueSight console as a Certificate-based authentication user.
    A two-step authentication screen is displayed.

  12. Type the Certificate-based authentication realm Application Domain name and click Submit.
    The Certificate-based authentication login screen is displayed.

  13. Type the Certificate-based authentication login credentials and click Login.
    The TrueSight console is displayed.


Related topics

User ID transformation Open link

Troubleshooting authentication issues Open link

Was this page helpful? Yes No Submitting... Thank you

Comments