Unsupported content This version of the documentation is no longer supported. However, the documentation is available for your convenience. You will not be able to leave comments.

CAC authentication


This topic describes Common Access Card (CAC) authentication and the steps required to configure BMC BladeLogic Decision Support for Server Automation so it can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as CAC.

When CAC authentication is set up, if you attempt to launch BMC BladeLogic Decision Support for Server Automation, you are prompted to choose a certificate that should be used for CAC authentication. After making that selection, you must insert a smart card and specify a PIN to access the logon screen for BMC BladeLogic Decision Support for Server Automation.

To configure BMC BladeLogic Decision Support for Server Automation for CAC authentication

  1. Make sure BMC BladeLogic Decision Support for Server Automation is configured to use the HTTPS protocol.
    Using HTTPS ensures that the Apache directives SSLCertificateFile and SSLCertificateKeyFile are defined and identify the correct files.
  2. Make sure you have the following files available:
    • CA certificates in PEM format
      If you have more than one CA certificate, combine them into a single file. Make sure there are no blank lines between each certificate. For example, you might create a CA file called C:/webserver/conf/cac_ca_chain.pem.
    • Certificate Revocation List (CRL)
      Make sure you download the certificate revocation list from your CA.
  3. Convert the CRL to PEM encoding using the following command. If you are using multiple CRLs, repeat the process for each list.

    openssl crl -in <certificateRevocationList> -inform DER -out <encodedCRL> -outform pem

    For example, you might use this command to create a CRL in PEM format at the following location: C:/webserver/conf/crl.pem

  4. Edit the Apache configuration file at BDSSAInstallationDirectory/webserver/conf/extra/httpd-ssl.conf by doing the following:
    1. For the SSLCACertificateFile entry, enter the following:

      SSLCACertificateFile "<certificatesFile>"

      In this entry, <certificatesFile> is the CA certificates file you obtained in step 2. For example, you might enter:

      SSLCACertificateFile "C:/webserver/conf/cac_ca_chain.pem"

      After you create this entry, make sure any other entries for SSLCACertificateFile are commented out.

    2. Locate the SSLCARevocationFile entry and enter the following:

      SSLCARevocationFile "<CRLFile>"

      In this entry, <CRLFile> is the certificate revocation list you converted to PEM in step 3. For example, you might enter:

      SSLCARevocationFile "C:/webserver/conf/crl.pem"

      When you make this entry, make sure any other entries for SSLCARevocationFile are commented out.

    3. Enable client authentication by adding the following entries to the configuration file:

      SSLVerifyClient require
      SSLVerifyDepth 10
  5. Restart Apache.
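
A check to run before the restart, covering steps 2 and 4: it confirms that each directive has exactly one uncommented entry, that client authentication is set as in step 4.3, and that the combined CA file contains no blank lines. This is an added example, not part of the BMC documentation; the function names, the sample configuration and the path old_ca.pem are constructed for illustration.

```python
# Added example: checks httpd-ssl.conf text against steps 2 and 4 of the procedure.
# Directive -> required value (None = any path); Apache directive names are case-insensitive.
EXPECTED = {"sslcacertificatefile": None, "sslcarevocationfile": None,
            "sslverifyclient": "require", "sslverifydepth": "10"}

def active_directives(conf_text):
    """Map lower-cased directive name -> values, skipping commented-out lines."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        found.setdefault(parts[0].lower(), []).append(value)
    return found

def check_conf(conf_text):
    """Return findings; an empty list means the file matches step 4."""
    found, findings = active_directives(conf_text), []
    for name, want in EXPECTED.items():
        values = found.get(name, [])
        if not values:
            findings.append(f"{name}: no active entry")
        elif len(values) > 1:
            findings.append(f"{name}: {len(values)} active entries")
        elif want is not None and values[0].lower() != want:
            findings.append(f"{name}: '{values[0]}' instead of '{want}'")
    return findings

def check_ca_bundle(pem_text):
    """Step 2: the combined CA file must not contain blank lines."""
    lines = pem_text.strip().splitlines()
    begins = sum(ln.strip() == "-----BEGIN CERTIFICATE-----" for ln in lines)
    ends = sum(ln.strip() == "-----END CERTIFICATE-----" for ln in lines)
    findings = []
    if begins == 0 or begins != ends:
        findings.append(f"{begins} BEGIN / {ends} END markers")
    if any(not ln.strip() for ln in lines):
        findings.append("blank line inside bundle")
    return findings

# Constructed sample: a stale CA entry is still active and client auth is optional.
SAMPLE_CONF = '''SSLCACertificateFile "C:/webserver/conf/old_ca.pem"
SSLCACertificateFile "C:/webserver/conf/cac_ca_chain.pem"
SSLCARevocationFile "C:/webserver/conf/crl.pem"
SSLVerifyClient optional
SSLVerifyDepth 10'''

if __name__ == "__main__":
    print("\n".join(check_conf(SAMPLE_CONF)) or "OK")
```

Pass the contents of httpd-ssl.conf to check_conf and the contents of the combined CA file to check_ca_bundle; any finding points to a step to revisit before restarting Apache.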

 
