Configuring certificate-based authentication
Configuring a realm for certificate-based authentication
After you have configured SSL for the Tomcat server on which BMC Helix Single Sign-On is hosted, you need to configure a realm for certificate-based authentication in the BMC Helix SSO console.
To configure certificate-based authentication
- Add a realm and configure its general settings. For more information on realm configuration, see Configuring Realms.
- In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
- In the Authentication Type field, click CERT.
- Enter the following certificate-based authentication details.
The fields are described below.

User ID: This field is used to get the user ID from the client certificate. If you select Custom Attribute, you must save the information and edit the realm again to provide the name or OID of the attribute.
The maximum length for the User ID field is 80 characters. If the User ID value exceeds 80 characters after transformation, it causes a redirection loop when the user tries to access the integrated Remedy applications, and the browser shows the 'Page cannot be displayed' message.

User ID Attribute: You must complete this field only if you selected the Custom Attribute value for User ID. Enter the attribute name or OID value.

Forwarded Certificate: Select this option if the following conditions are met:
- The client certificate chain is passed through HTTP headers.
- A load balancer or reverse proxy is used in front of the Tomcat servers, and SSL termination is done on the load balancer or reverse proxy.
When you select this option, you must enter the HTTP header names in the HTTP Header Name field.

HTTP Header Name: The named HTTP headers are used to reconstruct the certificate chain. Enter comma-separated header names in the same order as the client certificate chain, from the end-entity certificate to the root CA certificate.

Forward client certificate example (Apache httpd in front of Tomcat):

    # requires client certificate verification (SSLVerifyClient) on this virtual host;
    # ExportCertData is mandatory to make the SSL_CLIENT_CERT* variables available
    SSLOptions +ExportCertData
    # set (never merely pass through) these headers so a client cannot supply its own
    RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
    RequestHeader set X-Client-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
    RequestHeader set X-Client-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s"

- (Optional) To transform the user ID obtained from the client certificate, select a value in the User ID Transformation field. See Transforming-User-ID-to-match-Login-ID.
- (Optional) Select the Enable AR authentication for bypass check box to enable the bypass URL to authenticate against AR. For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling-AR-authentication-for-bypassing-other-authentication-methods.
- (Optional) Click Enable Chaining Mode and perform the steps to enable authentication chaining. For more information about the authentications that you can chain with cert-based authentication, see Enabling-authentication-chaining-mode.
- Click Save.
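The User ID and HTTP Header Name fields describe two things the SSO server has to do with a forwarded certificate: reassemble the chain from the named headers in the configured order, then pick one subject attribute (a named field such as CN, or a custom attribute given by OID) as the user ID and enforce the 80-character limit. The Python script below is an added illustration of that logic, not code from BMC Helix SSO. It uses only the standard library: the sample subject name (CN, emailAddress and the uid attribute standing in for a "Custom Attribute" OID), the header names and the placeholder PEM strings are all constructed for the example, and a real deployment would parse the forwarded PEM with an X.509 library and validate the chain before trusting any subject attribute.

```python
# Added example, not code from BMC Helix SSO: models how a CERT realm reads a
# forwarded client certificate. Standard library only; the sample subject is
# built with a small DER encoder so the script runs offline.

# Subject attribute OIDs a realm can select as the User ID source.
OID_CN = "2.5.4.3"
OID_EMAIL = "1.2.840.113549.1.9.1"
OID_UID = "0.9.2342.19200300.100.1.1"  # stands in for a "Custom Attribute" OID
NAMED_ATTRIBUTES = {"CN": OID_CN, "emailAddress": OID_EMAIL}
MAX_USER_ID_LENGTH = 80  # limit stated on the page; longer IDs cause a redirect loop

def _tlv(tag, content):
    if len(content) >= 0x80:
        raise ValueError("short-form DER lengths suffice for this example")
    return bytes([tag, len(content)]) + content

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def encode_subject(attributes):
    """DER X.501 Name: SEQUENCE of SET of SEQUENCE { OID, UTF8String }."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x0C, value.encode())))
        for oid, value in attributes
    )
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    """Return (tag, content, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]  # valid for first arcs 0, 1 and 2.x with x < 40
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_subject(der):
    """Decode a DER Name into an ordered list of (oid, value) pairs."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    attributes, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)  # one SET per RDN
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)  # SEQUENCE { OID, value }
            otag, oid_raw, after = _read_tlv(atv, 0)
            vtag, value, _ = _read_tlv(atv, after)
            if otag != 0x06 or vtag not in (0x0C, 0x13, 0x16):  # UTF8/Printable/IA5String
                raise ValueError("unsupported AttributeTypeAndValue encoding")
            attributes.append((_decode_oid(oid_raw), value.decode()))
    return attributes

def user_id_from_subject(der, selector):
    """Pick the User ID as the realm does: a named field (CN, emailAddress) or a custom OID."""
    wanted = NAMED_ATTRIBUTES.get(selector, selector)
    for oid, value in parse_subject(der):
        if oid == wanted:
            if len(value) > MAX_USER_ID_LENGTH:
                raise ValueError("user ID longer than %d characters" % MAX_USER_ID_LENGTH)
            return value
    raise LookupError("subject has no attribute " + wanted)

def chain_from_headers(headers, header_names):
    """Reassemble the forwarded chain in the order of the comma-separated header list."""
    lookup = {k.lower(): v for k, v in headers.items()}
    chain = []
    for name in (n.strip() for n in header_names.split(",")):
        pem = lookup.get(name.lower(), "").strip()
        if not pem.startswith("-----BEGIN CERTIFICATE-----"):
            raise ValueError("header %s does not carry a PEM certificate" % name)
        chain.append(pem)
    return chain

# Constructed sample data (not real certificates).
SAMPLE_SUBJECT = encode_subject([(OID_CN, "jdoe"), (OID_EMAIL, "jdoe@example.com"), (OID_UID, "jdoe01")])
SAMPLE_HEADERS = {
    "X-Client-Cert": "-----BEGIN CERTIFICATE-----\n<end-entity>\n-----END CERTIFICATE-----",
    "X-Client-Cert-Chain-0": "-----BEGIN CERTIFICATE-----\n<issuing CA>\n-----END CERTIFICATE-----",
    "X-Client-Cert-Chain-1": "-----BEGIN CERTIFICATE-----\n<root CA>\n-----END CERTIFICATE-----",
}
```

Calling `user_id_from_subject(SAMPLE_SUBJECT, "CN")` returns `jdoe`, while passing `OID_UID` as the selector returns `jdoe01`, which is the "Custom Attribute" path where the realm is told the OID rather than a field name. `chain_from_headers(SAMPLE_HEADERS, "X-Client-Cert, X-Client-Cert-Chain-0, X-Client-Cert-Chain-1")` returns the three PEM blocks in end-entity-to-root order, and a missing header raises instead of silently shortening the chain; a subject whose selected attribute is longer than 80 characters is rejected up front rather than being allowed to produce the redirect loop the page describes.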
Validating a certificate
When you have configured certificate-based authentication for a realm on your BMC Helix Single Sign-On server, you can validate the certificate.
To validate a certificate on the BMC Helix SSO server
- In the left navigation panel of the Edit Realm page, select Authentication.
- Select the Enable Validation check box to validate the client certificate chain against the truststore.
- In the Trusted Certificates field, specify the set of trusted certificates to validate the chain against:
- Default
- Custom—If you use this option, you must additionally complete the following fields:
- Truststore File—Name or path of the truststore file.
- Truststore Password—Password for the truststore file.
- (Optional) To enable the OCSP check, select the Enable OCSP check box, and then enter the custom OCSP responder URI in the OCSP Responder URL field.
- (Optional) To enable the CRL check, select the Enable CRL check box, and then enter the custom CRL distribution point URI in the CRL DP URL field. You can provide an HTTP URI.
- (Optional) To enable OCSP and CRL validation to be carried out only for an end-entity certificate, select the OCSP/CRL Check On End-Entity Only check box.
- Click Save.