Configuring PKI authentication

This topic provides instructions for configuring the Authentication Server so it can perform PKI-based authentication.

To configure PKI authentication

  1. On the Authentication Server, start the Application Server Administration console (that is, the blasadmin utility).
  2. To enable PKI authentication, enter the following:
    set PkiAuth IsEnabled true
    By default, PKI authentication is not turned on. When set to false, all PKI-based logon attempts are rejected.
  3. To register users by the common name portion of the subject name within a user's certificate, enter the following:
    set PkiAuth useCommonName true
    By default, cross-registration by common name is not turned on; users must be cross-registered according their full distinguished name (DN).
    If you choose to cross-register users by their common name, you cannot also cross-register users by their distinguished name. You must choose between the common name or the distinguished name approach.

  4. Set up a trust store for PKI authentication.

    Note

    If you are configuring PKI authentication for use in a U.S. Department of Defense (DoD) environment, use the instructions on Using-the-DoD-InstallRoot-tool-to-create-a-trust-store to create the trust store.

  5. Configure certificate verification using an OCSP Responder. In most situations, OCSP verification is enabled for PKI authentication and no additional configuration is necessary.

  6. Cross-register users in both the user registry maintained for smart card holders and the RBAC user database.

    More on cross-registering users

    Users must be registered in both the registry maintained for smart card holders and the TrueSight Server Automation RBAC-based user database. Cross-registration allows users to be authorized for RBAC roles.
    By default, users are registered by their full distinguished name. Optionally, users can be registered by just the common name portion of the subject name within their certificate.
    Only users authorized to use TrueSight Server Automation should be entered into the TrueSight Server Automation database. Use RBAC to add users to the database. For information about adding users to RBAC, see Creating-users.
    TrueSight Server Automation documentation assumes you know how to add users to the registry of smart card holders.

  7. Set up authentication profiles using PKI authentication on the TrueSight Server Automation client.
    See System-capabilities-related-to-security and Managing-authorizations.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*