Configuring the Tomcat server for certificate-based authentication
Before you begin
Configure SSL for the Tomcat instance installed on the BMC Helix SSO server. For information about how to do this, refer to the Configure SSL online documentation.
To configure the Tomcat server to ask clients for certificates
- Stop the Apache Tomcat server that is being used for BMC Helix SSO.
- Open the <TomcatInstallationDirectory>/conf/server.xml file and modify the <Connector> tag.
- Set the clientAuth attribute to want, as in the following example. With want, Tomcat requests a client certificate during the TLS handshake but still completes the handshake if the client presents none (clientAuth="true" would reject such clients). Replace the example keystore and truststore passwords (changeit) with your own:
<Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS"
keystoreFile="conf/cert/server-keystore.jks"
keystorePass="changeit"
truststoreFile="conf/cert/server-truststore.jks"
truststorePass="changeit" />
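The following script is an added example, not part of the BMC documentation or product: it applies the change described above to a server.xml programmatically and audits the result, so that the clientAuth value, the presence of a truststoreFile, and the use of the default password can be checked before Tomcat is restarted. It also handles the nested SSLHostConfig form that newer Tomcat releases use (certificateVerification="optional" is the equivalent of clientAuth="want" there); the page itself only shows the flat Connector form. The sample server.xml, the port numbers and the function names are constructed for the example.

```python
"""Set and audit client-certificate authentication on Tomcat HTTPS connectors.

Added example. Assumes a Tomcat server.xml with at least one Connector that
has SSLEnabled="true", either with JSSE attributes directly on the Connector
(as on the page) or with a nested <SSLHostConfig> element (Tomcat 8.5+).
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the connector shown on the page but starting
# with clientAuth="false" so the effect of the change is visible.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector, must be left alone -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="18443" />
    <Connector port="18443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/cert/server-keystore.jks"
               keystorePass="changeit"
               truststoreFile="conf/cert/server-truststore.jks"
               truststorePass="changeit" />
  </Service>
</Server>
"""

# clientAuth (flat Connector) <-> certificateVerification (SSLHostConfig)
TO_HOSTCONFIG = {"want": "optional", "true": "required", "false": "none"}
FROM_HOSTCONFIG = {v: k for k, v in TO_HOSTCONFIG.items()}


def parse(server_xml: str) -> ET.Element:
    # insert_comments=True keeps the commented-out connectors that a stock
    # server.xml contains, so rewriting the file does not silently drop them.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(server_xml, parser=parser)


def ssl_connectors(root: ET.Element) -> list:
    """Only connectors with SSLEnabled="true" take client-certificate settings."""
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def set_client_auth(server_xml: str, mode: str = "want") -> str:
    """Return server.xml with every HTTPS connector set to the given clientAuth mode."""
    if mode not in TO_HOSTCONFIG:
        raise ValueError(f"clientAuth must be one of {sorted(TO_HOSTCONFIG)}, got {mode!r}")
    root = parse(server_xml)
    connectors = ssl_connectors(root)
    if not connectors:
        raise ValueError("no Connector with SSLEnabled=\"true\" found")
    for conn in connectors:
        host_cfgs = conn.findall("SSLHostConfig")
        if host_cfgs:
            for cfg in host_cfgs:
                cfg.set("certificateVerification", TO_HOSTCONFIG[mode])
        else:
            conn.set("clientAuth", mode)
    return ET.tostring(root, encoding="unicode")


def audit_connectors(server_xml: str) -> dict:
    """Per HTTPS connector port: effective clientAuth, truststore present, default password used."""
    report = {}
    for conn in ssl_connectors(parse(server_xml)):
        cfg = conn.find("SSLHostConfig")
        if cfg is not None:
            mode = FROM_HOSTCONFIG.get(cfg.get("certificateVerification", "none"), "false")
            truststore, password = cfg.get("truststoreFile"), cfg.get("truststorePassword")
        else:
            mode = conn.get("clientAuth", "false")
            truststore, password = conn.get("truststoreFile"), conn.get("truststorePass")
        report[conn.get("port")] = {
            "clientAuth": mode,
            # Without a truststore Tomcat cannot tell the client which CAs it accepts.
            "has_truststore": truststore is not None,
            "default_truststore_password": password == "changeit",
        }
    return report


if __name__ == "__main__":
    updated = set_client_auth(SAMPLE_SERVER_XML, "want")
    for port, findings in audit_connectors(updated).items():
        print(port, findings)
```

Run it against a copy of conf/server.xml rather than the live file, review the diff, and restart Tomcat afterwards; a connector that reports has_truststore False will request a client certificate without naming any accepted CA, and default_truststore_password True means the example password from the page is still in place.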
Importing CA certificates to a truststore
You can import CA certificates to the following truststores as required:
- Truststore of the Tomcat server (or the load balancer)—Used for certificate-based authentication. During the TLS handshake the Tomcat server (or the load balancer) sends the client the list of certificate authorities it trusts, so that the client returns only a certificate issued by one of those CAs.
- Truststore used by BMC Helix SSO for certificate validation—Used if you want BMC Helix SSO to perform additional validation of the client certificate, such as an OCSP or CRL check. Certificate validation, including OCSP or CRL checks, may already be performed by the Tomcat server (or the load balancer). If all the necessary validations are already enabled there, you can skip the validation on the BMC Helix SSO server.
Where to go from here