This documentation supports the 22.3 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). To view an earlier version, select the version from the Product version menu.

Configuring the Tomcat server for certificate-based authentication


To configure certificate-based authentication for your realm, the first task is to configure the Tomcat server that hosts the BMC Helix SSO server to do the following:

  • Ask clients for a certificate during the TLS handshake
  • Trust the CAs that issue the client certificates, by adding the CA certificates to the truststore

In high availability mode, if you are using a load balancer and SSL is terminated on the load balancer, you do not need to configure Tomcat. The client certificate is presented to the load balancer, so request the certificate and trust the CA certificates there instead.


Before you begin

Configure SSL for the Tomcat instance installed on the BMC Helix SSO server. For information about how to do this, refer to the Configure SSL online documentation.

To configure the Tomcat server to ask clients for certificates

  1. Stop the Apache Tomcat server that is being used for BMC Helix SSO.
  2. Open the <TomcatInstallationDirectory>/conf/server.xml file and locate the SSL-enabled <Connector> tag.
  3. Set the clientAuth attribute to want, as in the following example:

     <Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                clientAuth="want" sslProtocol="TLS"
                keystoreFile="conf/cert/server-keystore.jks"
                keystorePass="changeit"
                truststoreFile="conf/cert/server-truststore.jks"
                truststorePass="changeit" />

Important

Do not set the clientAuth attribute to true. With clientAuth="true", Tomcat rejects every TLS connection that does not present a certificate signed by a CA in its truststore, which might break communication between the BMC Helix SSO server and a BMC Helix SSO agent. With clientAuth="want", Tomcat requests a certificate but still accepts connections without one, so only the browser session that presents a trusted certificate is authenticated by it.
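The following shell script is added here as an example; it is not part of the BMC documentation or product. It audits a server.xml for the clientAuth value of the SSL connector (reporting the forbidden true and the absent-attribute default, which Tomcat treats as false), and it defines a function that uses openssl s_client to confirm from the client side that Tomcat now requests a certificate and which CA names it advertises. The sample connectors are constructed from the snippet above; the port, file paths and passwords are assumptions.

```shell
#!/bin/sh
# Added example (not BMC's code): audit the SSL <Connector> in a Tomcat server.xml
# for its clientAuth setting and show how to confirm, from outside, that Tomcat
# asks clients for a certificate. Port 18443 and the file layout are assumptions.

# client_auth_setting <server.xml>
# Prints the clientAuth value of the first SSLEnabled connector ("false" when the
# attribute is absent, which is Tomcat's default). Exit status:
#   0 = "want"  (certificate requested, connections without one still accepted)
#   1 = "false" (no certificate request: certificate-based login cannot work)
#   2 = "true"  (certificate mandatory: breaks SSO server/agent traffic)
#   3 = no SSLEnabled connector found
client_auth_setting() {
    # join lines so a <Connector ...> tag spread over several lines matches once
    connector=$(tr '\n' ' ' < "$1" \
        | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*>' | head -n 1)
    [ -n "$connector" ] || { printf 'none\n'; return 3; }
    value=$(printf '%s\n' "$connector" \
        | sed -n 's/.*clientAuth="\([^"]*\)".*/\1/p')
    value=${value:-false}
    printf '%s\n' "$value"
    case "$value" in
        want)  return 0 ;;
        false) return 1 ;;
        true)  return 2 ;;
        *)     return 1 ;;   # unknown value: treat as not configured
    esac
}

# show_ca_request <host:port>
# Prints the CA names Tomcat sends in its TLS CertificateRequest. Tomcat builds
# that list from the connector's truststoreFile, so "No client certificate CA
# names sent" means either clientAuth is still false or the truststore is empty.
# Needs a running server, so it is not called by the self-check below.
show_ca_request() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | sed -n '/client certificate CA names/,/^---$/p'
}

# Constructed sample connectors (not real deployments): the documented "want"
# form, the forbidden "true" form, and one without any clientAuth attribute.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/want.xml" <<'EOF'
<Server><Service>
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS"
    keystoreFile="conf/cert/server-keystore.jks" keystorePass="changeit"
    truststoreFile="conf/cert/server-truststore.jks" truststorePass="changeit" />
</Service></Server>
EOF
sed 's/clientAuth="want"/clientAuth="true"/' "$SAMPLES/want.xml" > "$SAMPLES/true.xml"
sed 's/clientAuth="want" //' "$SAMPLES/want.xml" > "$SAMPLES/absent.xml"

for name in want true absent; do
    setting=$(client_auth_setting "$SAMPLES/$name.xml") || true
    printf '%s.xml: clientAuth=%s\n' "$name" "$setting"
done
```

Run client_auth_setting against <TomcatInstallationDirectory>/conf/server.xml before starting Tomcat again, and show_ca_request localhost:18443 once it is up: the CA list it prints is what the browser uses to decide which client certificate to offer. The check covers only the clientAuth attribute form used on this page; Tomcat 8.5 and later also accept the same setting as certificateVerification="optional" on a nested <SSLHostConfig> element, which this script does not parse.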

Importing CA certificates to a truststore

You can import CA certificates into the following truststores, as required:

  • Truststore of the Tomcat server (or the load balancer)—Used for certificate-based authentication. Tomcat (or the load balancer) derives the list of acceptable CAs that it sends to the client from this truststore, so the client offers only a certificate issued by one of those CAs, and a certificate that does not chain to one of them is rejected.
  • Truststore used by BMC Helix SSO for certificate validation—Used if you want BMC Helix SSO to perform additional validation of the client certificate, such as an OCSP or CRL check. Certificate validation, including OCSP or CRL checks, might also be supported on the Tomcat server (or the load balancer). If all the necessary validations are already enabled on the Tomcat server (or the load balancer), you can skip validation on the BMC Helix SSO server.

    Important

    If the client certificates are issued through intermediate CAs, the intermediate CA certificates must be imported into the truststore as well; otherwise the chain from the client certificate to the root cannot be built and the certificate is rejected.
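The following script is added here as an example and is not BMC's own tooling. It shows the commands for getting a CA and its intermediates into the Tomcat truststore. keytool -importcert reads one trusted certificate per file, so the script first splits a PEM bundle (root plus intermediates) into one file per certificate and then imports each file under its own alias. The bundle used for the self-check is a constructed placeholder, not real certificate data; the store path, password and alias prefix are assumptions.

```shell
#!/bin/sh
# Added example (not BMC's code): split a PEM bundle into single certificates and
# import all of them, intermediates included, into the Tomcat truststore.

# split_pem_bundle <bundle.pem> <outdir>
# Writes cert-1.pem, cert-2.pem, ... in bundle order, dropping anything outside
# the BEGIN/END markers (for example the "Bag Attributes" that openssl pkcs12
# emits), and prints how many certificates it wrote.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# import_ca_chain <truststore.jks> <storepass> <alias-prefix> <certdir>
# Imports every cert-N.pem from <certdir> as a trusted certificate entry; keytool
# creates the truststore if it does not exist yet. -noprompt suppresses the
# "Trust this certificate?" question. Tomcat reads the truststore at startup, so
# restart it afterwards. Requires the JDK keytool; not run by the self-check.
import_ca_chain() {
    store=$1; pass=$2; prefix=$3; dir=$4
    for pem in "$dir"/cert-*.pem; do
        n=${pem##*/cert-}; n=${n%.pem}
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$store" -storepass "$pass" \
            -alias "$prefix-$n" -file "$pem"
    done
    # list what the truststore now contains: these subjects become the
    # acceptable CA names that Tomcat advertises to clients
    keytool -list -v -keystore "$store" -storepass "$pass" \
        | grep -E 'Alias name|Owner:'
}

# Constructed placeholder bundle (base64 of a marker string, not real certificates),
# laid out the way "openssl pkcs12 -nokeys" prints a chain.
WORK=$(mktemp -d)
cat > "$WORK/chain.pem" <<'EOF'
Bag Attributes
    friendlyName: Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUk9PVCBDQSBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: Example Issuing CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgSU5URVJNRURJQVRFIENBIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
EOF

COUNT=$(split_pem_bundle "$WORK/chain.pem" "$WORK")
printf 'split %s certificates into %s\n' "$COUNT" "$WORK"
# With real certificates the next step would be, for example (assumed paths):
#   import_ca_chain conf/cert/server-truststore.jks changeit client-ca "$WORK"
```

Import the same files into the truststore that BMC Helix SSO uses for its own certificate validation if you enable the OCSP or CRL checks described above; that store is separate from the Tomcat one and is not filled by this script.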

Where to go from here

Configuring-a-realm-for-certificate-based-authentication

 
