Configuring certificate-based authentication


Certificate-based authentication actively enhances user security, enables passwordless user access, and ensures user non-repudiation through the use of digital signatures.

Important

Use this certificate configuration only for on-premises deployments.

The following image shows the tasks to configure certificate-based authentication in BMC Helix Single Sign-On:

[Image: Configuring certificate-based authentication]

Before you begin

Make sure you perform the following steps:

  • Verify that you have a valid Certificate Authority (CA) certificate to sign user keys.
  • Use OpenSSL to generate a certificate for a specific user if no authenticator is available (for example, bmcopsenduser). For more information about this option, see Creating certificates using the OpenSSL tool in the BMC TrueSight Infrastructure Management documentation.
  • Make sure you have obtained the public key certificate before proceeding.

To update the BMC Helix SSO keystore

  1. To add the complete CA chain certificates that signed the user certificates to the cot.jks file, run the following command. Repeat it with a different -alias for each certificate in the chain:

    keytool -importcert -alias bmcopsenduser -file bmcopsenduser.crt -keystore cot.jks -storepass changeit
  2. Update the secret so that the BMC Helix SSO pod can pick up the updated client certificate in cot.jks.

  3. Export the values of the current rsso-custom-keystore secret to the cot.jks file.

To configure a load balancer

To use F5 as the load balancer, perform these steps:

  1. Enable Client Certificate Request in the F5 SSL profile.
  2. Update the F5 iRule to insert the client certificate into a custom header, for example:

    HTTP::header insert "X-ENV-SSL-CLIENT-CERTIFICATE" [b64encode [SSL::cert 0]]

To use Ingress as the load balancer, perform these steps:

  1. Enable mTLS in the Ingress Controller.
  2. Pass the client certificate to BMC Helix SSO.

For other load balancers, contact your network administrator and complete the required steps.

To configure certificate-based authentication

  1. Log in to the BMC Helix SSO Admin Console.
  2. Navigate to the Realm tab, and click Add Realm or Edit Realm.
  3. In the Authentication section, set Authentication Type to CERT.
  4. Enter the following certificate-based authentication details:

    Field: User ID
    Description: This field is used to get the user ID from the client certificate.

    If you select Custom Attribute, you must save the information and edit the realm again to provide the attribute's name or Object Identifier (OID).

    The maximum length for the User ID field is 80 characters. If the User ID value exceeds 80 characters after transformation, it causes a redirection loop when the user tries to access the integrated BMC Helix applications, and the browser shows the 'Page cannot be displayed' message.

    Example: Subject CN

    Field: User ID Attribute
    Description: Complete this field only if you selected a Custom Attribute value for User ID. Enter the attribute name or OID value.

    Field: Forwarded Certificate
    Description: Select this option if the following conditions are met:

    • The client certificate is passed through HTTP headers.
    • A load balancer or reverse proxy is used in front of the Ingress, and SSL termination is performed on the load balancer or reverse proxy.

    When you select this option, you must enter the HTTP header name in the HTTP Header Name field.

    Example: Enabled

    Field: HTTP Header Name
    Description: The HTTP header names that construct the certificate chain. Enter comma-separated header names in the same order as the client certificate chain, from the end-entity certificate to the root CA certificate.

    Example: X-ENV-SSL-CLIENT-CERTIFICATE

  5. Import the custom CA certificate into the truststore on the BMC Helix SSO server.
  6. Validate the certificate against the BMC Helix SSO truststore:
    1. Select the Enable Validation check box to validate the client certificate chain against the truststore.
    2. In the Trusted Certificates field, specify the certificate type that you would like to validate:
      • Default
      • Custom: If you use this option, you must additionally complete the following fields:
        • Truststore File: Name or path of the truststore file.
        • Truststore Password: Password for the truststore file.
  7. Click Add.
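How the Forwarded Certificate and HTTP Header Name settings fit together on the receiving side, as an added Go example (not BMC's code): makeChain is a constructed, throwaway CA and user certificate standing in for the real CA chain in the truststore, and userIDFromHeaders does what the SSO server has to do on each request: rebuild the chain from the configured headers in end-entity-to-root order, validate it against the truststore, and take the User ID from Subject CN while enforcing the 80-character limit. Header names and the "Test CA" name are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"strings"
	"time"
)

func makeChain() (caDER, leafDER []byte, err error) { // constructed test PKI, not a real CA
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	}
	ca := tmpl(1, "Test CA", true) // also serves as the leaf's parent: issuer name plus signing key
	if caDER, err = x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey); err == nil {
		leafDER, err = x509.CreateCertificate(rand.Reader, tmpl(2, "bmcopsenduser", false), ca, leafPub, caKey)
	}
	return
}

// userIDFromHeaders rebuilds the client chain from the comma-separated HTTP Header Name list
// (end-entity first), validates it against the truststore roots, and returns Subject CN as the User ID.
func userIDFromHeaders(headers map[string]string, headerNames string, roots *x509.CertPool) (string, error) {
	inter, chain := x509.NewCertPool(), []*x509.Certificate{}
	for _, name := range strings.Split(headerNames, ",") {
		der, err := base64.StdEncoding.DecodeString(headers[strings.TrimSpace(name)])
		cert, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil { // header missing, not base64, or not a DER certificate
			return "", errors.New("bad forwarded certificate header: " + name)
		}
		inter.AddCert(cert) // candidate issuers; the end-entity cert is never its own issuer
		chain = append(chain, cert)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := chain[0].Verify(opts); err != nil {
		return "", err // untrusted issuer, expired, or not a client-auth certificate: no login
	}
	if len(chain[0].Subject.CommonName) > 80 { // longer IDs cause the redirection loop noted above
		return "", errors.New("user ID exceeds 80 characters")
	}
	return chain[0].Subject.CommonName, nil // Subject CN is the User ID, as in the example above
}
```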

Additional settings for certificate configuration

Apart from the mandatory validation, you can optionally enable the following certificate checks:

  1. To enable the Online Certificate Status Protocol (OCSP) check, select the Enable OCSP checkbox, and then enter the custom OCSP responder URI in the OCSP Responder URL field. Note that if you do not provide any OCSP responder URI, the system uses the OCSP responder URL that is specified in the certificate.
  2. To enable the Certificate Revocation List (CRL) check, select the Enable CRL checkbox, and then enter the custom Certificate Revocation List Distribution Point (CRL DP) URI in the CRL DP URL field. You can provide an HTTP URI.
  3. To enable OCSP and CRL validation to be carried out only for an end-entity certificate, select the OCSP/CRL Check On End-Entity Only check box.
  4. Update the BMC Helix SSO settings to configure the realm as required:
    1. In the UserID Transformation field, specify the required transformation type. This setting is ignored if you enter a Custom Expression.
      For more information about this option, see Transforming User ID to match Login ID.
    2. In the Custom Expression field, specify your value in the following format: "userId + {value}".
      For more information about this option, see Transforming User ID to match Login ID.
    3. In the Allow From Domain(s) field, specify the trusted domain URLs.
      For more information about this option, see Configuring BMC Helix SSO to open applications in iframes.

 


BMC Helix Single Sign-On 25.4