Out of support: This documentation supports the 8.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Validating CAC certificates

CAC certificates can be validated by configuring BMC Atrium Single Sign-On to use either an OCSP responder certificate or a Certificate Revocation List (CRL). BMC does not recommend the CRL approach because of the performance load caused by the ever-increasing length of CRLs. These lists can grow very large, which burdens both the network and the server when the data is retrieved.

To configure BMC Atrium Single Sign-On to use OCSP responder

  1. Ensure that the users' root certificates have been imported into the cacerts.p12 file.
  2. Ensure that the OCSP responder certificate has been imported.
  3. Navigate to Configuration > Servers and Sites.
  4. Click the server link.
  5. Click the Security tab.
  6. Click the Online Certificate Status Protocol Check link.
  7. Verify that the alias for this certificate is DoDocspCertificate; otherwise, update the nickname specified in the server configuration to the correct value.
     The alias (nickname) is the name under which the OCSP responder certificate is stored in the truststore.
  8. Verify that the Responder URL field is correct for the installation site. If not, update the URL.

     Note

     If a responder URL is not specified, the value within the certificate is used.

To configure BMC Atrium Single Sign-On to use CRL

Instead of relying upon OCSP (the recommended approach for validating CAC certificates), BMC Atrium Single Sign-On can be configured to use a Certificate Revocation List (CRL) to validate certificates.

Note

BMC does not recommend the CRL approach because of the performance load caused by the ever-increasing length of CRLs.

  1. Navigate to Access Control > BmcRealm link > Authentication.
  2. Click Module Instances.
  3. Click CAC.
  4. In the OCSP Validation field, deselect Enabled (if selected).
  5. In the Issuer DN Attribute Used to Search LDAP for CRLs field, enter the DN.
  6. In the HTTP Parameters for CRL Update field, enter the parameters.
  7. In the Match CA Certificate to CRL field, click Enabled.
  8. Click Save.

Contact the administrator of the CA that signed the certificates for the following parameters and values:

  • Issuer DN Attribute Used to Search LDAP for CRLs value. This value is used to access the server where the CRL is stored.
  • HTTP Parameters for CRL Update parameters. These parameters are used to contact the servlet for the CRL.
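As an added example (not BMC's code and not part of this page), the following POSIX shell functions pull the OCSP responder URI and the CRL distribution point out of a certificate and check that a responder certificate is present under an alias in the truststore, so the Responder URL and alias configured in the OCSP procedure above, and the CRL server used by the CRL procedure, can be compared against what the CAC certificate itself carries. It assumes openssl 1.1.1 or later and, for the truststore check only, the JDK keytool; the sample certificate and its URLs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not BMC code. Assumes openssl 1.1.1+ (for -addext/-ext) and,
# for truststore_has_alias only, the JDK keytool.

# Print the OCSP responder URI from the certificate's Authority Information
# Access extension. This is the value BMC Atrium SSO falls back to when the
# Responder URL field is left empty.
ocsp_uri_from_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Print the URI(s) from the certificate's CRL Distribution Points extension,
# i.e. where the CRL approach fetches the list from.
crl_uris_from_cert() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/^[[:space:]]*URI://p'
}

# Exit 0 if the Responder URL configured on the server equals the URI the
# certificate itself advertises, 1 otherwise.
responder_url_matches() {
    [ "$(ocsp_uri_from_cert "$1")" = "$2" ]
}

# Exit 0 if the PKCS12 truststore (e.g. cacerts.p12) holds an entry under the
# given alias, such as DoDocspCertificate for the responder certificate.
truststore_has_alias() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$3" \
        -alias "$2" >/dev/null 2>&1
}

# Constructed sample: a self-signed certificate carrying both extensions,
# standing in for a real CAC certificate. Hostnames are placeholders.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample.cac.user" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid" \
        -addext "crlDistributionPoints=URI:http://crl.example.invalid/ca.crl" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh check_cac_revocation.sh user.pem http://ocsp.responder.url
if [ $# -ge 2 ]; then
    echo "OCSP URI in cert: $(ocsp_uri_from_cert "$1")"
    echo "CRL URIs in cert: $(crl_uris_from_cert "$1")"
    responder_url_matches "$1" "$2" && echo "Responder URL matches" \
        || echo "Responder URL differs from the certificate's"
fi
```

Run it against a real CAC certificate exported in PEM form and the Responder URL from the Security tab; a mismatch or an empty OCSP URI is the first thing to check when OCSP validation fails after configuration.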
