PKI authentication


PKI authentication with smart cards lets users authenticate to the TrueSight Server Automation - Data Warehouse Authentication Server with the digital certificates stored on their smart cards. The certificates are issued by your certification authority (CA), and the server verifies them against a truststore that holds the CA chain.

To enable PKI authentication for TrueSight Smart Reporting for Server Automation, complete the following tasks:

  1. Set up CA-signed certificates for TrueSight Server Automation - Data Warehouse.
  2. Create the PKI TrustStore.
  3. Configure the Authentication Server for PKI authentication.
  4. Configure Tomcat for PKI authentication.

Set up CA-signed certificates for TrueSight Server Automation - Data Warehouse

Follow the instructions given in this topic: Implementing-private-certificates-in-TrueSight-Server-Automation-Data-Warehouse.

Create the PKI TrustStore

  1. Obtain the CA certificates that signed the user certificates on the smart cards (the user tokens) and the CA certificates that signed the TrueSight Smart Reporting - Platform certificate. Obtain the entire chain for each: root, intermediate, and server certificates.
  2. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
  3. Create a new keystore in the <TSSA-DW_installation_directory>/br directory and import into it the CA certificates that signed the user certificates and the CA certificates that signed the TrueSight Smart Reporting - Platform certificate. Import each chain starting with its root certificate, giving every certificate its own alias.
    1. Run this command:
      Example:

      <TSSA-DW_installation_directory>/jre/bin/keytool -import -keystore <pki keystore> -storepass <pki keystore password> -file <ca_cert file> -alias <alias for cert>

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -import -keystore "C:\Program Files\BMC Software\TSSA-DW\br\PkiTrustStore.jks" -storepass password -file ca_root_cert.pem -alias caroot

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -import -keystore /opt/bmc/TSSA-DW/br/PkiTrustStore.jks -storepass password -file ca_root_cert.pem -alias caroot
    2. Repeat the previous command for each certificate in the CA chain by using a different alias for each one.
    3. If the TrueSight Smart Reporting - Platform certificate was signed by a different CA chain, repeat step 1 with each certificate of that chain, again starting with its root certificate and using aliases that are not already in the keystore.
    4. (Linux) Ensure the blauth user has permission to access the new keystore file:
      chown blauth:blauth <TSSADW_installation_directory>/br/PkiTrustStore.jks
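The import steps above can be scripted so that every certificate in a chain gets its own alias and the result is verified before the truststore is handed to the Authentication Server. The following shell script is an added example written for this page, not a BMC-supplied tool. It assumes a PEM bundle ordered root first, then intermediates (the import order required above), the TSSA-DW JRE's keytool at /opt/bmc/TSSA-DW/jre/bin/keytool (override with the KEYTOOL environment variable), and a hypothetical alias prefix; the sample bundle in the comments is constructed. Run it once per CA chain with a different prefix, for example once for the smart-card CA chain and once for the TrueSight Smart Reporting - Platform CA chain.

```shell
#!/bin/sh
# build_pki_truststore.sh - added example, not part of the BMC product.
# Usage (hypothetical values):
#   sh build_pki_truststore.sh chain.pem /opt/bmc/TSSA-DW/br/PkiTrustStore.jks 'password' smartcard-ca blauth:blauth
# chain.pem must list the root certificate first, then each intermediate.
set -eu

# Assumed keytool location (the TSSA-DW JRE on Linux); override via KEYTOOL.
KEYTOOL="${KEYTOOL:-/opt/bmc/TSSA-DW/jre/bin/keytool}"

# Split a PEM bundle into <outdir>/cert-01.pem, cert-02.pem, ... in file order
# (so root stays first) and print how many certificates were written.
# Text outside BEGIN/END blocks is dropped.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# Import each split certificate as a trusted entry under alias <prefix>-1,
# <prefix>-2, ... keytool refuses a duplicate alias, which aborts the script.
# -storetype JKS is explicit because newer JREs default to PKCS12, while
# blasadmin is configured with TruststoreType JKS.
import_chain() {
    certdir=$1; store=$2; storepass=$3; prefix=$4
    i=0
    for cert in "$certdir"/cert-*.pem; do
        i=$((i + 1))
        "$KEYTOOL" -importcert -noprompt -storetype JKS \
            -keystore "$store" -storepass "$storepass" \
            -file "$cert" -alias "$prefix-$i"
    done
    echo "$i"
}

# Print the number of trustedCertEntry rows keytool lists (0 if the store
# does not exist yet).
count_trusted_entries() {
    store=$1; storepass=$2
    "$KEYTOOL" -list -storetype JKS -keystore "$store" -storepass "$storepass" 2>/dev/null \
        | grep -c trustedCertEntry || true
}

main() {
    bundle=$1; store=$2; storepass=$3
    prefix=${4:-ca}
    owner=${5:-}                      # e.g. blauth:blauth on Linux (optional)
    workdir=$(mktemp -d)
    expected=$(split_pem_bundle "$bundle" "$workdir")
    [ "$expected" -gt 0 ] || { echo "no certificates found in $bundle" >&2; exit 1; }
    before=$(count_trusted_entries "$store" "$storepass")
    import_chain "$workdir" "$store" "$storepass" "$prefix" >/dev/null
    after=$(count_trusted_entries "$store" "$storepass")
    rm -rf "$workdir"
    added=$((after - before))
    [ "$added" -eq "$expected" ] || { echo "expected $expected new entries, found $added" >&2; exit 1; }
    [ -z "$owner" ] || chown "$owner" "$store"
    echo "imported $added certificate(s) into $store (total trusted entries: $after)"
}

# Only run when invoked with arguments, so the functions can be sourced.
[ $# -lt 3 ] || main "$@"
```

The before/after entry count is what catches the common mistake of a bundle that contains the server certificate as well: it is imported too, the count still matches, and you should remove it with keytool -delete, because only CA certificates belong in PkiTrustStore.jks.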

Configure the TrueSight Server Automation - Data Warehouse Authentication Server for PKI authentication

Do the following:

  1. Start the blasadmin command line utility (the Administration console of the Authentication Server) on the TrueSight Server Automation - Data Warehouse server:

    • (Windows) At the command prompt, change to the <TSSADW_installation_directory>\bin directory and run the following command:

      blasadmin
    • (UNIX) At the command prompt, change to the <TSSADW_installation_directory>/br directory and run the following command:

      blasadmin
  2. Run the following commands:

    set PkiAuth IsEnabled true
    set PkiAuth TruststorePathname <path to the PKI keystore, for example <TSSADW_installation_directory>/br/PkiTrustStore.jks>
    set PkiAuth TruststoreType JKS
    set PkiAuth TruststorePassword <pki keystore password>
    set PkiAuth UseCommon true
    syncfile
  3. Exit the blasadmin utility.

Configure Tomcat for PKI authentication

Do the following:

  1. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
  2. Navigate to the following directory: <TSSADW_installation_directory>\tomcat\conf
  3. Do the following:
    1. Encrypt the PKI keystore password with the blenc utility by running the following command:

      Example:

      <TSSADW_installation_directory>\bin\blenc.exe <pki keystore password>

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\bin\blenc.exe" password

      (Linux)

      /opt/bmc/TSSA-DW/bin/blenc password
    2. Note the encrypted value that follows BLencrypt: in the output; it is used as the truststore password in server.xml.
    3. In a text editor, open the server.xml file.
    4. In the SSL connector block (the <Connector> element for port 9443), set the following attributes:
      • truststoreFile="<TSSADW_installation_directory>/br/PkiTrustStore.jks"
      • trustStorePass="<pki keystore password in blenc format>"
      • clientAuth="true"
        With clientAuth="true" the connector requires a client certificate on every TLS handshake: a client that presents no certificate, or one that does not chain to a CA in PkiTrustStore.jks, is rejected at the TLS layer before any application authentication runs, so every client of port 9443 must hold a certificate issued by one of the imported CAs. This procedure does not change the ciphers attribute; note that SSL_RSA_WITH_3DES_EDE_CBC_SHA in the examples is a 3DES suite and neither listed suite provides forward secrecy, so restrict the list to ECDHE AES-GCM suites if your clients support them.
        For example:

        (Windows)

        <Connector port="9443"
        SSLEnabled="true"
        sslEnabledProtocols="TLSv1.2"
        protocol="com.bmc.bbds.security.Http11NioProtocol"
        maxHttpHeaderSize="8192"
        maxThreads="150"
        minSpareThreads="25"
        enableLookups="false"
        disableUploadTimeout="true"
        acceptCount="100"
        scheme="https"
        secure="true"
        keystoreFile="C:\PROGRA~1\BMCSOF~1\TSSA-DW\tomcat\conf\bdsSslCertificate.cert"
        keystorePass="<password>"
        truststoreFile="C:\PROGRA~1\BMCSOF~1\TSSA-DW\br\PkiTrustStore.jks"
        trustStorePass="<truststore password in blenc format>"
        clientAuth="true"
        sslProtocol="TLS"
        ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

        (Linux)

        <Connector port="9443"
        SSLEnabled="true"
        sslEnabledProtocols="TLSv1.2"
        protocol="com.bmc.bbds.security.Http11NioProtocol"
        maxHttpHeaderSize="8192"
        maxThreads="150"
        minSpareThreads="25"
        enableLookups="false"
        disableUploadTimeout="true"
        acceptCount="100"
        scheme="https"
        secure="true"
        keystoreFile="/opt/bmc/TSSA-DW/tomcat/conf/bdsSslCertificate.cert"
        keystorePass="<password>"
        truststoreFile="/opt/bmc/TSSA-DW/br/PkiTrustStore.jks"
        trustStorePass="<truststore password in blenc format>"
        clientAuth="true"
        sslProtocol="TLS"
        ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
    5. Save the server.xml file.
  4. Restart the following services:
    • TrueSight Server Automation - Data Warehouse
    • Authentication Server
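After the restart, confirm that the connector really enforces client certificates rather than only accepting them. The following shell script is an added example for this page, not part of the product: it assumes openssl on the PATH, the TSSA-DW host name and port 9443, and the subject string of the CA you expect the server to trust (the values in the usage comment are hypothetical, and the s_client output it parses in the comments is constructed). It connects over TLS 1.2 without offering a certificate, uses -prexit so that s_client prints the handshake summary even though the server rejects the certificate-less connection, and checks that the server's CertificateRequest lists your CA.

```shell
#!/bin/sh
# check_client_auth.sh - added example, not part of the BMC product.
# Usage (hypothetical values):
#   sh check_client_auth.sh tssa-dw.example.com 9443 'CN = Example Issuing CA'
set -eu

# Read `openssl s_client` output on stdin and print the subject lines the
# server listed under "Acceptable client certificate CA names". Returns 1
# and prints nothing when the server sent no CertificateRequest (s_client
# then prints "No client certificate CA names sent" instead).
acceptable_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        /^(Client Certificate Types|Requested Signature Algorithms|Server Temp Key|---)/ { inlist = 0 }
        inlist && NF { print; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Probe host:port over TLS 1.2 without a client certificate. With
# clientAuth="true" the handshake fails, so -prexit is needed to make
# s_client print the CA names it received before the failure.
check_connector() {
    host=$1; port=$2; expected_ca=$3
    names=$(openssl s_client -connect "$host:$port" -servername "$host" \
                -tls1_2 -prexit </dev/null 2>/dev/null | acceptable_ca_names) \
        || { echo "server did not request a client certificate; clientAuth=\"true\" is not in effect on $host:$port" >&2; return 1; }
    printf '%s\n' "$names" | grep -F -- "$expected_ca" >/dev/null \
        || { echo "CA '$expected_ca' is not among the advertised CA names:" >&2
             printf '%s\n' "$names" >&2; return 1; }
    echo "$host:$port requests client certificates and trusts '$expected_ca'"
}

# Only run when invoked with arguments, so the functions can be sourced.
[ $# -lt 3 ] || check_connector "$@"
```

A passing check proves only that the TLS layer demands a certificate from one of the imported CAs; a full test still needs a smart-card login through the Authentication Server, which also exercises the blasadmin PkiAuth settings.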

 
