This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

CAC (certificate) Editor

The fields of the editor are listed below, each followed by its description. Where a field groups several parameters, the parameters are indented beneath it.

Name

    Name for this Certificate and CAC authentication configuration.

Use OCSP

    Select Use OCSP to validate certificates against an OCSP responder. BMC recommends OCSP for revocation checking.

    Note: The clock skew between the BMC Atrium Single Sign-On server and the OCSP server must not be greater than 15 minutes; otherwise certificate authentication fails. Keep both servers synchronized to the same time source. See Clock-skew-too-great-for-CAC-authentication.

Certificate Field for User Profile

    Select the certificate field whose value identifies the user profile. The options are Subject CN (the Common Name attribute of the Subject DN), Subject DN (the full Distinguished Name), Subject UID (the UID attribute of the Subject DN), Email, None, and Other.

Forwarded Certificates

    When the server runs behind a load balancer or reverse proxy, the SSL/TLS connection terminates at that fronting server, so the BMC Atrium Single Sign-On server cannot verify through its own connection that the client owns the private key of the certificate. Because of this restriction, the server accepts a forwarded certificate only from fronting servers that you list as trusted hosts; forwarded certificates from any other host are not trusted.

    Forwarded Certificate List

        The list of trusted host names that you add through the Trusted Host Name field. To remove a host, select its name and click Remove.

    Trusted Host Name

        Enter the name of a host from which a forwarded certificate can be trusted.

    Certificate HTTP Header Name

        Enter the name of the HTTP header in which the fronting server passes the forwarded certificate.
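The following Go program is an added example, not code from BMC Atrium Single Sign-On, showing what the Forwarded Certificates settings and the Certificate Field for User Profile option amount to on the receiving side: the forwarded-certificate header is honored only when the TCP peer is a listed trusted host, the certificate is re-verified against the trusted certificates, and the Subject CN or Subject UID is extracted as the profile value. The struct and function names, the header name X-SSL-Client-Cert, the peer addresses, the URL-encoded PEM form of the header (what nginx's $ssl_client_escaped_cert produces) and the throwaway root CA and user certificate are all this example's own assumptions; the product's real header encoding and internal names are not documented on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/url"
	"time"
)

// CACConfig mirrors the editor fields on this page; the Go names are this example's own.
type CACConfig struct {
	TrustedHosts map[string]bool // Forwarded Certificate List, keyed by the peer address the server sees
	HeaderName   string          // Certificate HTTP Header Name
	ProfileField string          // Certificate Field for User Profile
	Roots        *x509.CertPool  // Trusted Certificates
}

var oidUID = asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1} // the LDAP "uid" attribute

// Authenticate validates a proxy-forwarded certificate and returns the user-profile value.
func (c *CACConfig) Authenticate(r *http.Request) (string, error) {
	// Key possession was proven in the proxy's TLS handshake, not here: believe the header
	// only from a listed peer, because any other client could simply set it.
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !c.TrustedHosts[peer] {
		return "", fmt.Errorf("peer %q is not a trusted forwarding host", r.RemoteAddr)
	}
	raw, _ := url.PathUnescape(r.Header.Get(c.HeaderName)) // proxies URL-encode the PEM; a bad escape yields ""
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("header %s carries no PEM certificate", c.HeaderName)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	// Re-verify the chain against Trusted Certificates: the proxy's own check cannot be audited here.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: c.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return profileValue(cert, c.ProfileField)
}

// profileValue implements two of the "Certificate Field for User Profile" choices.
func profileValue(cert *x509.Certificate, field string) (string, error) {
	switch field {
	case "Subject CN":
		return cert.Subject.CommonName, nil
	case "Subject UID": // uid is not a named field of pkix.Name, so scan the parsed RDN attributes
		for _, atv := range cert.Subject.Names {
			if atv.Type.Equal(oidUID) {
				return fmt.Sprint(atv.Value), nil
			}
		}
	}
	return "", fmt.Errorf("certificate has no %s", field)
}

// NewDemo builds a throwaway root CA and user certificate (constructed data, not a real CAC identity) and a proxy-style request from peer forwarding it.
func NewDemo(peer, field string) (*CACConfig, *http.Request) {
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER) // the parsed copy carries the generated SubjectKeyId
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: "DOE.JANE.1234567890", ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidUID, Value: "1234567890"}}},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, root, &userKey.PublicKey, rootKey)
	cfg := &CACConfig{TrustedHosts: map[string]bool{"10.0.0.5": true}, HeaderName: "X-SSL-Client-Cert",
		ProfileField: field, Roots: x509.NewCertPool()}
	cfg.Roots.AddCert(root)
	req, _ := http.NewRequest("GET", "/sso/login", nil)
	req.RemoteAddr = peer + ":51234"
	pemText := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: userDER})
	req.Header.Set(cfg.HeaderName, url.PathEscape(string(pemText))) // as nginx's $ssl_client_escaped_cert does
	return cfg, req
}

func main() { // the real proxy first, then an impostor at an unlisted address
	for _, peer := range []string{"10.0.0.5", "198.51.100.7"} {
		cfg, req := NewDemo(peer, "Subject CN")
		fmt.Println(peer, "->", fmt.Sprint(cfg.Authenticate(req)))
	}
}
```

Run stand-alone, the listed peer 10.0.0.5 yields the CN while 198.51.100.7 is rejected before the header is even parsed. The example matches on the peer address, whereas the editor takes host names; whatever form the product uses, the trust decision has to rest on something the sending host cannot forge, so a second HTTP header claiming "I am the proxy" would not do.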

Certificate Revocation Lists (CRL)

    Use CRL

        Select Use CRL to check certificates against a Certificate Revocation List (CRL).

        Note: BMC does not recommend the CRL approach because of the performance cost of retrieving and processing CRLs, which only grow longer over time.

    LDAP Server Where Certificates are Stored

        Enter the host and port of the LDAP server where the certificates are stored, as the host name followed by a colon and the port number (for example, ldap.example.com:389).

    LDAP Start Search DN

        Enter the DN of the node at which the search of the LDAP server starts. The account used to connect to the LDAP server must have sufficient privileges to perform the search.

    LDAP Server Password
    Confirm LDAP Server Password

        Enter and confirm the password used to connect to the LDAP server.

    Check CA with CRL

        Select this option to also check the CA certificate that signed the user certificate against the CRL when verifying the user certificate.

    Use SSL/TLS

        Select this option to connect to the LDAP server over SSL/TLS. The LDAP server certificate must be imported into the BMC Atrium Single Sign-On truststore; otherwise the SSL/TLS connection to the LDAP server cannot be established.

Trusted Certificates

    Browse to the trusted certificate file on your desktop and upload it; the certificate then appears in the trusted certificates list. To remove a certificate, select it in the list and click Remove.
