Modifying the Tomcat server
Before selecting the CAC Chain to use for authentication, the Tomcat server hosting the BMC Atrium Single Sign-On application must be configured to ask clients for certificates and the Tomcat server's truststore must be set up with the root certificates for the CAC cards and the OCSP server.
To modify the Tomcat server for CAC Chain authentication
- Stop the BMC Atrium Single Sign-On Tomcat server.
- Edit the following file:
<installationDirectory>/BMC Software/BMC Atrium SSO/tomcat/conf/server.xml
- Search the file to find the Connector definition used to configure the server's HTTP and HTTPS communications. The tag is similar to the following:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat\conf\keystore"
keystorePass="internal4bmc"
truststoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat\conf\cacerts.p12"
truststorePass="changeit" />
- Change the clientAuth attribute from "false" to "want":
clientAuth="want"
The clientAuth attribute enables Tomcat to ask for client certificates. After the change, the Connector tag is similar to the following:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS"
keystoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat\conf\keystore.p12"
keystorePass="internal4bmc"
truststoreFile="C:\Program Files\BMC Software\BMC Atrium SSO\tomcat\conf\cacerts.p12"
truststorePass="changeit" />
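As an added check (example code, not part of the BMC documentation), the following script parses a Tomcat server.xml and reports, for each SSL-enabled Connector, whether clientAuth is set so that Tomcat will request a client certificate and whether a truststoreFile is configured. The embedded server.xml is a constructed sample mirroring the Connector shown above.

```python
# Added example: verify the clientAuth / truststore settings of the HTTPS
# Connector in a Tomcat server.xml. Not BMC's code; the sample XML is constructed.
import xml.etree.ElementTree as ET

# Constructed sample server.xml, mirroring the "before" Connector shown above.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="C:\\Program Files\\BMC Software\\BMC Atrium SSO\\tomcat\\conf\\keystore"
               keystorePass="internal4bmc"
               truststoreFile="C:\\Program Files\\BMC Software\\BMC Atrium SSO\\tomcat\\conf\\cacerts.p12"
               truststorePass="changeit" />
  </Service>
</Server>
"""


def check_client_auth(server_xml: str) -> dict:
    """Return {port: finding} for every SSLEnabled="true" Connector.

    Tomcat's clientAuth attribute takes three values:
      "true"  - the client must present a certificate or the TLS handshake fails
      "want"  - Tomcat asks for a certificate but still accepts clients without one
      "false" - Tomcat never asks, so certificate (CAC) authentication cannot work
    """
    root = ET.fromstring(server_xml)
    findings = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: client certificates do not apply
        port = conn.get("port")
        mode = conn.get("clientAuth", "false").lower()
        truststore = conn.get("truststoreFile")
        if mode == "false":
            findings[port] = "clientAuth=false: Tomcat will not request a client certificate"
        elif not truststore:
            # Without truststoreFile Tomcat falls back to the JVM default truststore,
            # so the CAC and OCSP root certificates would have to be imported there.
            findings[port] = "clientAuth=%s but no truststoreFile: JVM default truststore is used" % mode
        else:
            findings[port] = "ok: clientAuth=%s, truststore=%s" % (mode, truststore)
    return findings


if __name__ == "__main__":
    for port, finding in check_client_auth(SAMPLE_SERVER_XML).items():
        print("port %s: %s" % (port, finding))
```

Run it against the real server.xml after the edit to confirm the 8443 Connector reports "ok: clientAuth=want".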