Out of support: This documentation supports the 8.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Importing DoD CA certificates
The DoD CA certificates appropriate for your CAC cards must be imported into the BMC Atrium Single Sign-On server's truststore before using CAC for authentication. Importing the certificates allows the server to send the appropriate query to the client to return the correct certificate. Refer to the documentation from the supplier of your CAC cards for the location where the current root certificates can be acquired.

The server's truststore (named cacerts.p12) is located in the <installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/conf directory. The following instructions use the Oracle keytool utility to import the certificate, but another tool could also be used.

To import certificates

  1. Add the bin directory to the PATH environment variable.

    When BMC Atrium Single Sign-On is installed with its own Tomcat server, a JDK is installed with the server. When using this JDK, the DoD certificate can be imported into the server's truststore by using the keytool command (keytool.exe on Windows), located within the JDK's bin directory. This bin directory needs to be added to the PATH environment variable if it is not already a part of that variable.
  2. To add the location, run the following command:

    (UNIX) export PATH=<installationLocation>/BMC Software/BMC Atrium SSO/jdk/bin:$PATH
    (Microsoft Windows) set PATH=<installationLocation>\BMC Software\BMC Atrium SSO\jdk\bin;%PATH%
  3. Copy the DoD CA certificate file into the following directory, where the truststore resides:
    <installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/conf
  4. Use the keytool utility to import the certificate into the truststore using the following parameters:

    keytool -importcert -keystore cacerts.p12 -file DOD_CA19.cer -alias DOD_CA19 -storetype PKCS12 -providername JsafeJCE

    Note

    In this example, the certificate file name, DOD_CA19.cer, may not be appropriate for your use.

  5. Enter the password (Default: changeit).
  6. Accept the certificate at the prompt.
  7. If SSL is used to communicate with an external LDAP server, import that server's certificate into the truststore.
    • Use the keytool utility to import the LDAP server's certificate into the BMC Atrium Single Sign-On truststore.
    • If the LDAP server requires a client certificate, export the BMC Atrium Single Sign-On certificate and import it into the LDAP server's truststore before enabling CAC Chain.
    • If CA-signed certificates are used for LDAPS, import the CA-signed certificate and any intermediate signing certificates into the truststores instead.
  8. Restart the Tomcat server.
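The procedure above, collected into one POSIX shell script as an added example (this is not BMC's own tooling and is not on the original page). It assumes the hypothetical environment variable ATRIUM_SSO_HOME points at the "BMC Atrium SSO" install directory, takes the certificate file and the CA's published SHA-256 fingerprint as arguments, and refuses to import a certificate whose fingerprint does not match: a root added to cacerts.p12 is trusted for every CAC logon afterwards, so the file's origin is worth checking before step 4 rather than after. The keytool flags are the ones from the command above; the fingerprint check, alias derivation and post-import listing are additions.

```shell
#!/bin/sh
# Added example, not from the BMC page. Assumed inputs (hypothetical):
#   ATRIUM_SSO_HOME - the "BMC Atrium SSO" install directory
#   $1              - DoD CA certificate file (for example DOD_CA19.cer)
#   $2              - SHA-256 fingerprint published by the CA supplier

# Steps 1 and 2: prepend the bundled JDK's bin directory to PATH, once.
add_jdk_to_path() {
    jdk_bin="$1/jdk/bin"
    case ":$PATH:" in
        *":$jdk_bin:"*) ;;                          # already on PATH
        *) PATH="$jdk_bin:$PATH"; export PATH ;;
    esac
    printf '%s\n' "$PATH"
}

# Derive the keytool alias from the file name, as the page does
# (DOD_CA19.cer -> DOD_CA19).
alias_from_file() {
    base=${1##*/}
    printf '%s\n' "${base%.*}"
}

# Normalise a fingerprint so "aa:bb:cc" and "AABBCC" compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr '[:lower:]' '[:upper:]'
}

# True when the expected fingerprint is non-empty and matches the actual one.
fp_equal() {
    [ -n "$1" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Read the SHA-256 fingerprint keytool prints for a certificate file.
# Requires keytool on PATH; very old keytool builds print only SHA1/MD5,
# in which case this returns an empty string and the check fails closed.
cert_fingerprint() {
    keytool -printcert -file "$1" \
        | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Step 4: the import command from the page. keytool asks for the truststore
# password (step 5, default changeit) and for confirmation (step 6).
import_ca_cert() {
    cert="$1"; alias="$2"; store="$3"
    keytool -importcert -keystore "$store" -storetype PKCS12 \
        -providername JsafeJCE -file "$cert" -alias "$alias"
}

main() {
    cert="$1"; expected_fp="$2"
    home="${ATRIUM_SSO_HOME:?set ATRIUM_SSO_HOME to the BMC Atrium SSO directory}"
    conf="$home/tomcat/conf"
    name=${cert##*/}

    add_jdk_to_path "$home" >/dev/null
    cp "$cert" "$conf/$name"                                      # step 3

    if ! fp_equal "$expected_fp" "$(cert_fingerprint "$conf/$name")"; then
        echo "fingerprint of $name does not match the expected value; not importing" >&2
        return 1
    fi

    alias=$(alias_from_file "$name")
    (cd "$conf" && import_ca_cert "$name" "$alias" cacerts.p12) || return 1

    # Confirm the alias is now in the truststore (non-zero exit if missing).
    (cd "$conf" && keytool -list -keystore cacerts.p12 -storetype PKCS12 -alias "$alias")
}

if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as `ATRIUM_SSO_HOME='/opt/bmc/BMC Software/BMC Atrium SSO' sh import_dod_ca.sh DOD_CA19.cer <published-sha256>` (placeholder values), then restart Tomcat as in step 8. The LDAP certificates of step 7 go through the same import_ca_cert function with their own file and alias.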

Where to go from here
