Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

PKI authentication


This topic explains how to configure BMC BladeLogic Decision Support for Server Automation so it can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a common access card (CAC).

When you insert the smart card and launch the product, a dialog box prompts you to choose the authentication method. After you select PKI, the product launches.

Note

Once you insert your smart card, you do not need to specify any other credentials to access the product.

To configure BMC BladeLogic Decision Support for Server Automation for using PKI

  1. Configure the Web Server to use the HTTPS protocol and CAC-authentication.
  2. Navigate to the BDSSAInstallationDirectory/webserver/conf/extra folder.
  3. Open the httpd-ssl.conf file and uncomment the following directives if they are still commented out:

    SSLVerifyClient require
    SSLVerifyDepth 10

    Warning

    Before modifying the httpd-ssl.conf file, BMC recommends that you make a backup copy.

  4. Add the following directives to the httpd-ssl.conf file:

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars +ExportCertData
    SSLUserName SSL_CLIENT_S_DN_CN
    RequestHeader add X-Forwarded-User %{REMOTE_USER}e
    </FilesMatch>
    <Directory "/usr/local/bmc/reports/webserver/cgi-bin">
    SSLOptions +StdEnvVars +ExportCertData
    SSLUserName SSL_CLIENT_S_DN_CN
    RequestHeader add X-Forwarded-User %{REMOTE_USER}e
    </Directory>
  5. Generate the dod-root-certs.pem file and copy it to the BDSSAInstallationDirectory/webserver/conf folder.
  6. Modify the Certificate Authority section in the httpd-ssl.conf file to include the path for the dod-root-certs.pem file.
  7. Generate the dod-root.jks file and copy it to the BDSSAInstallationDirectory/br folder. 
  8. On the reports server, navigate to the BDSSAInstallationDirectory/bin directory and start the Application Server Administration console (the blasadmin utility) by typing the following command: blasadmin.
  9. Run the following commands:

    set Pki IsEnabled true
    set Pki TruststorePass password
    set Pki TruststorePath DoDRoot.jks
    set Pki TruststoreType JKS
    set Pki UseCommon true
  10. Restart the Apache Web Server.
  11. Restart the Authentication and Cognos services.

    Warning

    To default to the PKI authentication mechanism so that you are not prompted to choose the authentication mechanism, change the value of the defaultAuthType attribute to 7 in the BDSSAInstallationDirectory/portal/configuration/config_BLNSProvider.properties file before restarting the Cognos services. The change in value effectively disables all other authentication mechanisms.
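A check you can run against httpd-ssl.conf before restarting Apache in step 10, to confirm that the edits from steps 3, 4 and 6 are actually in effect (a directive left behind a `#` is silently ignored). This is an added example, not BMC code; the function name `audit_ssl_conf`, the sample configuration, and the use of mod_ssl's `SSLCACertificateFile` directive for the Certificate Authority section are assumptions.

```python
import re

CA_BUNDLE = "dod-root-certs.pem"  # bundle file name from step 5

# Constructed sample: step 3 left commented out, SSLUserName missing from <Directory>.
SAMPLE = r'''
<VirtualHost _default_:443>
SSLCACertificateFile "BDSSAInstallationDirectory/webserver/conf/dod-root-certs.pem"
#SSLVerifyClient require
SSLVerifyDepth 10
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLUserName SSL_CLIENT_S_DN_CN
RequestHeader add X-Forwarded-User %{REMOTE_USER}e
</FilesMatch>
<Directory "/usr/local/bmc/reports/webserver/cgi-bin">
RequestHeader add X-Forwarded-User %{REMOTE_USER}e
</Directory>
</VirtualHost>
'''

def audit_ssl_conf(text):
    """Return findings for an httpd-ssl.conf body; an empty list means every check passed."""
    top, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are not in effect
        if re.match(r"<(FilesMatch|Directory)\b", line, re.I):
            current = (line, [])
        elif re.match(r"</(FilesMatch|Directory)>", line, re.I):
            if current:
                blocks.append(current)
            current = None
        elif not line.startswith("<"):  # other containers (VirtualHost) are transparent
            parts = line.split(None, 1) + [""]
            name, args = parts[0].lower(), parts[1]
            if current:
                current[1].append((name, args))
            else:
                top[name] = args
    findings = []
    if top.get("sslverifyclient", "").lower() != "require":
        findings.append("SSLVerifyClient require is not active")
    if not top.get("sslverifydepth", "").isdigit():
        findings.append("SSLVerifyDepth is not active")
    if not top.get("sslcacertificatefile", "").strip('"').endswith(CA_BUNDLE):
        findings.append("CA section does not reference " + CA_BUNDLE)
    forwarding = [b for b in blocks
                  if any(n == "requestheader" and "x-forwarded-user" in a.lower() for n, a in b[1])]
    if not forwarding:
        findings.append("no block sets X-Forwarded-User")
    for header, directives in forwarding:
        if ("sslusername", "SSL_CLIENT_S_DN_CN") not in directives:
            findings.append(header + ": SSLUserName SSL_CLIENT_S_DN_CN missing")
    return findings
```

To audit a real file, pass its contents, for example `audit_ssl_conf(open(path).read())`, and restart Apache only when the returned list is empty.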


BMC Decision Support for Server Automation 8.3