This version of the documentation is no longer supported.

Configuring PKI authentication


This topic provides instructions for configuring the Authentication Server so it can perform PKI-based authentication.

To configure PKI authentication

  1. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  2. To enable PKI authentication, enter the following:
    set PkiAuth IsEnabled true
    By default, PKI authentication is not turned on. When IsEnabled is set to false, all PKI-based logon attempts are rejected.
  3. To register users by the common name portion of the subject name within a user's certificate, enter the following:
    set PkiAuth useCommonName true
    By default, cross-registration by common name is not turned on; users must be cross-registered according to their full distinguished name (DN).
    If you choose to cross-register users by their common name, you cannot also cross-register users by their distinguished name. You must choose between the common name or the distinguished name approach.
  4. Set up a trust store for PKI authentication.
  5. Configure certificate verification using an OCSP Responder. In most situations, OCSP verification is enabled for PKI authentication and no additional configuration is necessary.
  6. Cross-register users in both the user registry maintained for smart card holders and the RBAC user database.

    More on cross-registering users

    Users must be registered in both the registry maintained for smart card holders and the BMC Server Automation RBAC-based user database. Cross-registration allows users to be authorized for RBAC roles.
    By default, users are registered by their full distinguished name. Optionally, users can be registered by just the common name portion of the subject name within their certificate.
    Only users authorized to use BMC Server Automation should be entered into the BMC Server Automation database. Use RBAC to add users to the database. For information about adding users to RBAC, see Creating-users.
    BMC Server Automation documentation assumes you know how to add users to the registry of smart card holders.

  7. Set up authentication profiles using PKI authentication on the BMC Server Automation client.
    See Authentication-profiles and Managing-authorizations.
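
The choice in step 3 determines which string identifies a user during cross-registration, and a common name, unlike a full DN, can be shared by several certificates. The following added example (not BMC code; the sample subjects, function names and case-insensitive comparison are assumptions) derives both candidate keys from certificate subjects and reports common names shared by more than one distinct DN, a check to run over the smart card registry before setting useCommonName to true.

```python
import re
from collections import defaultdict

# Constructed sample subjects in RFC 4514 string form (not from a real registry).
SAMPLE_SUBJECTS = [
    "CN=Pat Lee,OU=Operations,O=Example Corp,C=US",
    "CN=Pat Lee,OU=Contractors,O=Example Corp,C=US",
    "cn=pat lee, ou=Operations, o=Example Corp, c=US",  # same DN as the first
    "CN=Lee\\, Robin,OU=Operations,O=Example Corp,C=US",  # escaped comma in CN
]

def split_unescaped(text, sep):
    """Split on sep, leaving backslash-escaped characters attached to their part."""
    parts, buf, i = [], [], 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i:i + step])
        i += step
    parts.append("".join(buf))
    return parts

def parse_dn(dn):
    """Return (attribute, value) pairs. Hex-pair escapes are not decoded."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs
            attr, _, value = ava.partition("=")
            pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs

def registration_keys(dn):
    """Return (cn_key, dn_key). Case-insensitive comparison is an assumption."""
    pairs = [(a, v.casefold()) for a, v in parse_dn(dn)]
    cn_key = next((v for a, v in pairs if a == "CN"), None)
    return cn_key, tuple(pairs)

def find_cn_collisions(subjects):
    """Map each CN shared by more than one distinct DN to the set of those DNs."""
    by_cn = defaultdict(set)
    for dn in subjects:
        cn_key, dn_key = registration_keys(dn)
        if cn_key is not None:  # subjects without a CN cannot be keyed by CN
            by_cn[cn_key].add(dn_key)
    return {cn: dns for cn, dns in by_cn.items() if len(dns) > 1}
```

Any common name returned by `find_cn_collisions` belongs to holders who are distinguishable only by their full DN, so those users need the default DN-based registration.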

 
