Unsupported content: This version of the product is in limited support. However, the documentation is available for your convenience.

Configuring a realm for certificate-based authentication


After you have configured SSL for the Tomcat server on which Remedy Single Sign-On is hosted, you need to configure a realm for certificate-based authentication in the Remedy SSO console.  

Before you begin

Add a realm and configure its general settings. For more information on realm configuration, see Configuring Realms.

To configure certificate-based authentication

  1. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  2. In the Authentication Type field, click CERT.
  3. Enter the following certificate-based authentication details.


    Field

    Description

    User ID

    This field is used to get the user ID from the client certificate.

    If you select Custom Attribute, you must save the information and edit the realm again to provide the name or OID of the attribute.

    The maximum length for the User ID field is 80 characters. If the User ID value exceeds 80 characters after transformation, it causes a redirection loop when the user tries to access the integrated Remedy applications and the browser shows the 'Page cannot be displayed' message.

    User ID Attribute

    Complete this field only if you selected the Custom Attribute value for User ID. Enter the attribute name or OID value.

    Forwarded Certificate

    Select this option if the following conditions are met:

    • The client certificate chain is passed through HTTP headers.
    • A load balancer or reverse proxy is used in front of the Tomcat servers, and SSL termination is done on the load balancer or reverse proxy.

    When you select this option, you must enter the HTTP header names in the HTTP Header Name field.

    HTTP Header Name

    The HTTP headers named in this field are used to construct the certificate chain.

    Enter comma-separated header names in the same order as the client certificate chain, from the end-entity certificate to the root CA certificate.

    Forward client certificate example
      # This option is mandatory to force Apache to forward the client certificate data to Tomcat
      SSLOptions +ExportCertData

      RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
      RequestHeader set X-Client-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
      RequestHeader set X-Client-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s"

  4. (Optional) To transform the user ID obtained from the client, select a value in the User ID Transformation field. See Transforming User ID to match Login ID.
  5. (Optional) Select the Enable AR authentication for bypass check box to allow the bypass URL to authenticate against AR.
    For more information about enabling BMC Remedy AR System authentication for bypass, see Enabling AR authentication for bypassing other authentication methods.
  6. (Optional) Click Enable Chaining Mode and perform the steps to enable authentication chaining. For more information about the authentications that you can chain with cert-based authentication, see Enabling authentication chaining mode.
  7. Click Save.
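With Forwarded Certificate selected, authentication depends on the proxy directives and the realm's HTTP Header Name field agreeing on header names and order. The following check is an added example, not code from this page or from the product; the function name check_forwarding, the sample field value, and the rule that chain headers are listed in ascending index order (as in the Apache example above) are assumptions.

```python
import re

# Constructed sample: proxy directives in the style of the page's example,
# using mod_ssl's SSL_CLIENT_CERT_CHAIN_n variable names.
SAMPLE_CONF = """
SSLOptions +ExportCertData
RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
RequestHeader set X-Client-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
RequestHeader set X-Client-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s"
"""
# Constructed value for the realm's HTTP Header Name field.
SAMPLE_FIELD = "X-Client-Cert, X-Client-Cert-Chain-0, X-Client-Cert-Chain-1"

SET_HEADER = re.compile(r'^\s*RequestHeader\s+set\s+(\S+)\s+"%\{(\w+)\}s"', re.I | re.M)
EXPORT_OPT = re.compile(r'^\s*SSLOptions\b.*\+ExportCertData\b', re.I | re.M)
CHAIN_VAR = re.compile(r'SSL_CLIENT_CERT_CHAIN_(\d+)')


def check_forwarding(conf, header_name_field):
    """Compare proxy directives with the realm field; return a list of problems."""
    problems = []
    if not EXPORT_OPT.search(conf):
        problems.append("SSLOptions +ExportCertData is missing")
    # HTTP header names are case-insensitive; map each to the variable it carries.
    forwarded = {h.lower(): v.upper() for h, v in SET_HEADER.findall(conf)}
    names = [n.strip() for n in header_name_field.split(",") if n.strip()]
    if not names:
        problems.append("HTTP Header Name field is empty")
    for pos, name in enumerate(names):
        var = forwarded.get(name.lower())
        if var is None:
            problems.append(f"{name}: no RequestHeader set directive for this header")
        elif pos == 0:
            # The first listed header must hold the end-entity certificate.
            if var != "SSL_CLIENT_CERT":
                problems.append(f"{name}: expected SSL_CLIENT_CERT, found {var}")
        else:
            # Assumption: chain headers are listed in ascending index order,
            # as in the page's example (Chain-0 directly after the client cert).
            m = CHAIN_VAR.fullmatch(var)
            if m is None:
                problems.append(f"{name}: {var} is not SSL_CLIENT_CERT_CHAIN_n")
            elif int(m.group(1)) != pos - 1:
                problems.append(f"{name}: listed at position {pos}, carries {var}")
    return problems


if __name__ == "__main__":
    for line in check_forwarding(SAMPLE_CONF, SAMPLE_FIELD) or ["configuration and field agree"]:
        print(line)
```

An empty result means every header listed in the realm is filled by the proxy in end-entity-to-root order; each reported line names the header that needs attention.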

Where to go from here

Validating a certificate