Implementing PKI authentication

The TrueSight Server Automation Authentication Server can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a common access card (CAC). A TrueSight Server Automation client can access the appropriate certificate and private key on the smart card to authenticate the user through two middleware approaches:

  • ActivClient
    If you are using the ActivClient middleware, the TrueSight Server Automation console requests for an ActivClient PIN to connect.

    Note

    For TrueSight Server Automation to support ActivClient version 7.x, perform the following prerequisite steps:

    1. Locate the sunpkcs11.cfg file in %AppData%\BladeLogic, and open it with any text editor.
    2. In the path to the ActivClient directory, modify the Program Files directory name according to the 8.3 filename convention.
      For example, change C:\Program Files (x86)\ActivIdentity\ActivClient to C:\Progra~2\ActivIdentity\ActivClient.
      Ensure that the path does not include any space characters.

  • 90meter
    For 90meter middleware, PKI configuration file Sunpkcs11.cfg is not created by default. To create the file use the following blcred command:

    blcred config pki -provider <path to the LitPKCS11.dll from the install directory>

    You can also create the file manually in the home directory (for example, on Windows 7, the location is: C:\Users\<username>\AppData\Roaming\BladeLogic) with following contents:

    • name=CryptokiProvider
    • library=c:\Program Files\90meter\CACPIVMD\pkcs11\x86\LitPKCS11.dll
    • slotListIndex=0

    Note

    library should have the full path to the LitPKCS11.dll file and slotListIndex should be the slot id where smart card is inserted. Typically it is 0, but in some cases where more than one smart cards are inserted on the server, it could be 1 or more also.

    Separate prompt for the PIN/password is not shown. Enter the Password on the login panel of TrueSight Server Automation console.

    Info

    If you are authenticating the 90meter smart card through BLCLI command, blcred cred -acquire, you are not prompted for the password and login results as unsuccessful. Not entering the password on CLI will result in an authentication failure and also an invalid PIN attempt against the card

    blcred cred -acquire -profile <name of pki auth profile> -password <password>

    Note

    Following message appears when PKI authentication profile is selected on the login panel of RCP console to ensure a password is entered when using 90meter. This does not result in failed authentication.

    Login failed: Please enter the password and try it again.

To verify that a certificate is currently valid, the Authentication Server can access an OCSP Responder. By default, OCSP verification is enabled for PKI authentication. For more information about setting up OCSP, see Setting-up-certificate-verification-using-OCSP. While logging into a TrueSight Server Automation client, the user must insert a smart card into a card reader and enter a PIN. If the information the user enters is valid and the OCSP Responder verifies the validity of the user's certificate, the Authentication Service issues the client a session credential.

TrueSight Server Automation does not provide a default set of trusted CA certificates for use with PKI authentication. If you are implementing PKI, you must obtain certificates from a CA.

For a procedure describing how to set up PKI authentication, see Configuring-PKI-authentication.

Note

In this release, PKI authentication is not supported by the TrueSight Server Automation console on 64-bit Windows systems. On a Windows 64-bit system, install and use the 32-bit TrueSight Server Automation console.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*