Configuring a realm for certificate-based authentication
Before you begin
Add a realm and configure its general settings. For more information on realm configuration, see Configuring Realms.
To configure certificate-based authentication
- In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
- In the Authentication Type field, click CERT.
Enter the following certificate-based authentication details.

User ID
    Selects how the user ID is taken from the client certificate.
    If you select Custom Attribute, you must save the realm and edit it again to provide the name or OID of the attribute.
    The maximum length of the User ID field is 80 characters. If the User ID value exceeds 80 characters after transformation, it causes a redirection loop when the user tries to access the integrated Remedy applications, and the browser shows the 'Page cannot be displayed' message.

User ID Attribute
    Complete this field only if you selected the Custom Attribute value for User ID. Enter the attribute name or OID value.

Forwarded Certificate
    Select this option if both of the following conditions are met:
    - The client certificate chain is passed through HTTP headers.
    - A load balancer or reverse proxy is used in front of the Tomcat servers, and SSL termination is done on the load balancer or the reverse proxy.
    When you select this option, you must enter the HTTP header names in the HTTP Header Name field.

HTTP Header Name
    The named HTTP headers together carry the certificate chain.
    Enter comma-separated header names in the same order as the client certificate chain, from the end-entity certificate to the root CA certificate.

    Forward client certificate example (Apache httpd in front of Tomcat):

        # ExportCertData is mandatory: it makes mod_ssl expose the client certificate
        # data that the RequestHeader lines below forward to Tomcat
        SSLOptions +ExportCertData
        RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
        RequestHeader set X-Client-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
        RequestHeader set X-Client-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s"

- (Optional) To transform the user ID obtained from the client certificate, select a value in the User ID Transformation field. See Transforming-User-ID-to-match-Login-ID.
- (Optional) Select the Enable AR authentication for bypass check box to let the bypass URL authenticate against AR.
For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling-AR-authentication-for-bypassing-other-authentication-methods.
- (Optional) Click Enable Chaining Mode and perform the steps to enable authentication chaining. For more information about the authentication methods that you can chain with cert-based authentication, see Enabling-authentication-chaining-mode.
- Click Save.
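As an added example (not BMC's code), the following Python shows what the Forwarded Certificate and HTTP Header Name settings above imply for the receiving side: the chain is rebuilt from the headers listed in HTTP Header Name (assumed here to be X-Client-Cert,X-Client-Cert-Chain-0,X-Client-Cert-Chain-1, matching the Apache snippet), the headers are honoured only when the request comes from the SSL-terminating proxy, and the User ID is read from the end-entity certificate's subject by attribute OID with the 80-character limit enforced. The header names, the trusted proxy address and the sample certificate are assumptions constructed for this example.

```python
import base64
import re
# Added example (not BMC's code): rebuild the chain the load balancer forwarded in the
# configured headers and read the User ID attribute (by dotted OID) from the end-entity cert.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def forwarded_chain(headers, header_names, remote_addr, trusted_proxies):
    # Honour forwarded-cert headers only when the peer is the proxy that terminated SSL;
    # any other client could simply send them itself. Returns DER certs, end-entity first.
    if remote_addr not in trusted_proxies:
        raise PermissionError("forwarded certificate headers from untrusted peer")
    chain = []
    for name in (n.strip() for n in header_names.split(",")):
        m = PEM_RE.search(headers.get(name, ""))   # proxies may fold PEM newlines to spaces
        if not m:                                  # chain may be shorter than the list
            break
        chain.append(base64.b64decode(re.sub(r"\s+", "", m.group(1))))
    return chain

def _children(value):                              # elements of a DER SEQUENCE / SET
    pos = 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                          # long form: next n bytes hold the length
            n, pos = length & 0x7F, pos + (length & 0x7F)
            length = int.from_bytes(value[pos - n:pos], "big")
        yield tag, value[pos:pos + length]
        pos += length

def _oid(raw):                                     # DER OID bytes -> dotted string
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def user_id_from_cert(der_cert, oid="2.5.4.3", max_len=80):  # 2.5.4.3 is CN
    # Certificate -> tbsCertificate -> fields: [0]version?, serial, sigAlg, issuer, validity, subject
    fields = list(_children(next(_children(next(_children(der_cert))[1]))[1]))
    subject = fields[5 if fields[0][0] == 0xA0 else 4][1]
    for _, rdn in _children(subject):
        for _, atv in _children(rdn):
            (_, typ), (_, val) = _children(atv)
            if _oid(typ) == oid:
                uid = val.decode("utf-8")
                if len(uid) > max_len:             # realm limit: longer IDs break the login redirect
                    raise ValueError("User ID longer than 80 characters")
                return uid
    return None
```

Only the subject is parsed here; verifying the client certificate and its chain is the job of the proxy that terminates SSL before it sets these headers.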