PKI authentication

PKI authentication with smart cards is used for authentication between the Authentication Server and TrueSight Server Automation - Data Warehouse. Smart cards store the digital certificates that you obtain from the certification authority. 

To enable PKI authentication for TrueSight Smart Reporting for Server Automation, complete the following tasks:

  1. Set up CA-signed certificates for TrueSight Server Automation - Data Warehouse.
  2. Create the PKI TrustStore.
  3. Configure the Authentication Server for PKI authentication.
  4. Configure Tomcat for PKI authentication.

Set up CA-signed certificates for TrueSight Server Automation - Data Warehouse

Follow the instructions given in this topic: Implementing-private-certificates-in-TrueSight-Server-Automation-Data-Warehouse.

Create the PKI TrustStore

  1. Obtain the CA certificates that signed your user tokens and the CA certificates that signed the certificate. We recommend obtaining the entire certificate chain that includes the root, intermediate, and server certificates.
  2. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
  3. Create a new keystore in the <TSSA-DW_installation_directory>/br directory and import the CA certificates that are used to sign the user tokens and the certificates that are used to sign the certificate, starting with the root certificate in each chain.

    1. Run this command:
      Example:

      <TSSA-DW_installation_directory>/jre/bin/keytool -import -keystore <pki keystore> -storepass <pki keystore password> -file <ca_cert file> -alias <alias for cert>

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\jre\bin\keytool.exe" -import -keystore "C:\Program Files\BMC Software\TSSA-DW\br\PkiTrustStore.jks" -storepass password -file ca_root_cert.pem -alias caroot

      (Linux)

      /opt/bmc/TSSA-DW/jre/bin/keytool -import -keystore /opt/bmc/TSSA-DW/br/PkiTrustStore.jks" -storepass password -file ca_root_cert.pem -alias caroot
    2. Repeat the previous command for each certificate in the CA chain by using a different alias for each one.
    3. If the certificate was signed by a different CA chain, repeat step a with those CA certificates.
    4. (Linux) Ensure the blauth user has permission to access the new keystore file:
      chown blauth:blauth <TSSADW_installation_directory>/br/PkiTrustStore.jks

Configure the TrueSight Server Automation - Data Warehouse Authentication Server for PKI authentication

Do the following:

  1. Configure the auth service with the blasadmin command line utility:

    On the TrueSight Server Automation - Data Warehouse server, start the Administration console of Authentication Server:

    • (Windows) At the command prompt, change to the <TSSADW_installation_directory>\bin directory and run the following command:

      blasadmin
    • (UNIX) At the command prompt, change to the <TSSADW_installation_directory>/br directory and run the following command:
      blasadmin

  2. Run the following commands:

    set PkiAuth IsEnabled true
    set PkiAuth TruststorePathname <pki keystore filename>
    set PkiAuth TruststoreType JKS
    set PkiAuth TruststorePassword <pki keystore password>
    set PkiAuth UseCommon true
    syncfile
  3. Exit the blasadmin utility.

Configuring Tomcat for PKI authentication

Do the following:

  1. Log in to the system where TrueSight Server Automation - Data Warehouse is installed.
  2. Navigate to the following directory: <TSSADW_installation_directory>\tomcat\conf
  3. Do the following:

    1. Get the blenc for the Pki keystore by running the following command:

      Example:

      <TSSA-DWInstallationDirectory>\bin\blenc.exe <pki keystore password>

      (Windows)

      "C:\Program Files\BMC Software\TSSA-DW\bin\blenc.exe" password

      (Linux)

      /opt/bmc/TSSA-DW/bin/blenc password
    2. Note the encrypted password after BLencrypt: in the output.
    3. In a text editor, open the server.xml file.
    4. Modify the following parameters in the SSL connector block:
      • truststoreFile="<TSSADW_installation_directory>/br/PkiTrustStore.jks"
      • trustStorePass="<pki keystore password in blenc>"

      • clientAuth="true"
        For example:
        (Windows)

        <Connector port="9443"
        SSLEnabled="true"
        sslEnabledProtocols="TLSv1.2"
        protocol="com.bmc.bbds.security.Http11NioProtocol"
        maxHttpHeaderSize="8192"
        maxThreads="150"
        minSpareThreads="25"
        enableLookups="false"
        disableUploadTimeout="true"
        acceptCount="100"
        scheme="https"
        secure="true"
        keystoreFile="C:\PROGRA~1\BMCSOF~1\TSSA-DW\tomcat\conf\bdsSslCertificate.cert"
        keystorePass=<password>

        truststoreFile="C:\PROGRA~1\BMCSOF~1\TSSA-DW\br\PkiTrustStore.jks"

        trustStorePass=<The password used for the truststore in the blenc format>

        clientAuth="true"

        sslProtocol="TLS"
        ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>

        (Linux)

        <Connector port="9443"
        SSLEnabled="true"
        sslEnabledProtocols="TLSv1.2"
        protocol="com.bmc.bbds.security.Http11NioProtocol"
        maxHttpHeaderSize="8192"
        maxThreads="150"
        minSpareThreads="25"
        enableLookups="false"
        disableUploadTimeout="true"
        acceptCount="100"
        scheme="https"
        secure="true"
        keystoreFile="/opt/bmc/TSSA-DW/tomcat/conf/bdsSslCertificate.cert"
        keystorePass=<password>

        truststoreFile="/opt/bmc/TSSA-DW/br/PkiTrustStore.jks"

        trustStorePass=<The password used for the truststore in the blenc format>

        clientAuth="true"

        sslProtocol="TLS"
        ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
    5. Save the server.xml file.
  4. Restart the following services:
    • TrueSight Server Automation - Data Warehouse
    • Authentication Server

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*