Skip to Content

Implementing PKI authentication

The BMC Server Automation Authentication Server can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a common access card (CAC). A BMC Server Automation client can access the appropriate certificate and private key on the smart card to authenticate the user through two middleware approaches:

  • ActiveClient
    If you are using the ActiveClient middleware, the RCP console requests for an ActiveClient PIN to connect, as shown in the following figure:

    activeclient.png

  • 90meter
    For 90meter middleware, PKI configuration file Sunpkcs11.cfg is not created by default. To create the file use the following blcred command:

    blcred config pki -provider <path to the LitPKCS11.dll from the install directory>

    You can also create the file manually in the home directory (for example, on Windows 7, the location is: C:\Users\<username>\AppData\Roaming\BladeLogic) with following contents:

    • name=CryptokiProvider
    • library=c:\Program Files\90meter\CACPIVMD\pkcs11\x86\LitPKCS11.dll
    • slotListIndex=0

     

    Warning

    Note

    library should have the full path to the LitPKCS11.dll file and slotListIndex should be the slot id where smart card is inserted. Typically it is 0, but in some cases where more than one smart cards are inserted on the server, it could be 1 or more also.

    Separate prompt for the PIN/password is not shown. Enter the Password on the login panel of RCP console to login successfully, as shown in the following figure:

    90meter.png

    Information
    Info

    If you are authenticating the 90meter smart card through BLCLI command, blcred cred -acquire, you are not prompted for the password and login results as unsuccessful. Not entering the password on CLI will result in an authentication failure and also an invalid PIN attempt against the card

    blcred cred -acquire -profile <name of pki auth profile> -password <password>
    Warning

    Note

    Following message appears when PKI authentication profile is selected on the login panel of RCP console to ensure a password is entered when using 90meter. This does not result in failed authentication.

    Login failed: Please enter the password and try it again.

To verify that a certificate is currently valid, the Authentication Server can access an OCSP Responder. By default, OCSP verification is enabled for PKI authentication. For more information about setting up OCSP, see Setting-up-certificate-verification-using-OCSP.

Warning

Note

PKI authentication does not work in BMC Server Automation 8.7 if OCSP verification is enabled, due to issues in JRE 1.8, which is shipped with BMC BladeLogic Server Automation 8.7. See defect QM001884045 in Known-and-corrected-issues.

While logging into a BMC Server Automation client, the user must insert a smart card into a card reader and enter a PIN. If the information the user enters is valid and the OCSP Responder verifies the validity of the user's certificate, the Authentication Service issues the client a session credential.

BMC Server Automation does not provide a default set of trusted CA certificates for use with PKI authentication. If you are implementing PKI, you must obtain certificates from a CA.

For a procedure describing how to set up PKI authentication, see Configuring-PKI-authentication.

Warning

Note

In this release, PKI authentication is not supported by the BMC Server Automation Console on 64-bit Windows systems. On a Windows 64-bit system, install and use the 32-bit BMC Server Automation Console.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

Server Automation Documentation