Setting up Certificate-based authentication in Remedy SSO


Remedy Single Sign-On (Remedy SSO) supports certificate-based authentication. To use certificate-based authentication, you must ensure that:

  • The client has a valid public key certificate
  • SSL support is configured for the server
  • Client authentication is configured on the server

The following topics help you perform these tasks in Remedy SSO and create an authorization profile in the TrueSight console:


Before you begin

  • You must have installed and configured Remedy SSO to work with the Presentation Server and its component products. For details, see Planning to deploy Remedy SSO and Installing Remedy Single Sign-On.

  • You must have created an equivalent local user (and its associated local user group) for every certificate-based authentication user that needs to log in to the Presentation Server. This is required because the Remedy SSO server cannot obtain user group information from the certificate identity provider for a successfully logged-in certificate-based authentication user. Therefore, you need to create an equivalent local user with exactly the same name as the certificate-based authentication user and associate that local user with the desired local user group. For details on creating local users and user groups in Remedy SSO using the import utility, perform the Migrating internal user data from Atrium SSO to Remedy SSO procedure.

  • You must have added a non-default tenant (realm) in addition to the default * tenant (realm). See Configuring tenants for the Presentation Server in Remedy SSO.
  • You must have configured a multi-tenant environment by enabling the msp parameter. For enabling multi-tenancy, see To enable multi-tenancy in Presentation Server.

    Note

    Certificate-based authentication cannot be configured using the * (default realm) tenant.

  • Configure a realm for the authentication. For more information on realm configuration, see Configuring Realms.
  • Obtain the following information:
    • The name of the certificate field from which the user ID is taken from the client certificate.
    • Custom responder URI if you want to enable OCSP validation.
    • Custom CRL DP URI if you want to enable CRL validation.

Configuring the certificate-based authentication in Remedy SSO for the TrueSight Presentation Server

Perform the following tasks to configure certificate-based authentication to work with the TrueSight Presentation Server:

To configure the certificate-based authentication in Remedy SSO for the TrueSight Presentation Server

  1. Log in to the Remedy SSO Admin console.
  2. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  3. In the Authentication Type field, click CERT.
  4. Specify the Certificate-based authentication details. For more information on parameters, see Certificate-based authentication parameters.

    Important

    When you configure the Certificate-based authentication parameters for the Presentation Server, you must set the User ID Transformation field according to the User ID Format you selected. For example, if your User ID Format value is Email, you must set the User ID Transformation to RemoveEmailDomain.

  5. Click Save.
  6. In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
  7. In the Authentication Type field, click CERT and click Enable Chaining Mode.
  8. Click Add Authentication.
  9. In the Authentication Type field, click LOCAL.
  10. Enter the LOCAL details. For more information on parameters, see LOCAL authentication parameters.
  11. Create users and user groups for the LOCAL authentication.
    The users in LOCAL must be exactly the same as the users in the CERT identity provider.
    Alternatively, the users can also be created using the import script under the migration utility.
  12. Associate users to the user groups.
  13. Click Save.
    Important

    Add the LOCAL authentication entry below the Certificate-based authentication entry, and do not promote or move the LOCAL entry above the Certificate-based authentication entry.

Notes

Certificate-based authentication parameters

Field

Description

User ID

Field that is used to get the user ID from the client certificate. If you select Custom Attribute, you must save the information and edit the realm again to provide the name or OID of the attribute.

The maximum length for the User ID field is 80 characters. If the User ID field exceeds 80 characters after transformation, it causes a redirection loop when the user tries to access the integrated Remedy applications and the browser shows the 'Page cannot be displayed' message.

Forwarded Certificate

The HTTP header names to construct the certificate chain. Select this option if the client certificate chain is passed through HTTP headers and when the load balancer or reverse proxy is used in front of Tomcat servers and SSL termination is done on the load balancer or the reverse proxy.

If you select this option, you must enter the HTTP header names in the HTTP Header Name field. The value is a comma-separated list of header names, in the same order as the client certificate chain, from the end-entity certificate to the root CA certificate.

Forward client certificate example (Apache httpd in front of Tomcat)

  # This option is mandatory: it makes mod_ssl export the client certificate
  # (SSL_CLIENT_CERT) and its chain (SSL_CLIENT_CERT_CHAIN_n) as variables.
  SSLOptions +ExportCertData

  # "set" overwrites any header of the same name sent by the client, so only
  # the certificate the proxy verified reaches Tomcat.
  RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"
  RequestHeader set X-Client-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
  RequestHeader set X-Client-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s"

  The matching HTTP Header Name value in Remedy SSO is X-Client-Cert,X-Client-Cert-Chain-0,X-Client-Cert-Chain-1.

Enable Validation

Enables certificate validation. If you select this option, you can select from the following validation options:

  • Trusted Certificates
  • OCSP
  • CRL
  • OCSP/CRL Check On End-Entity Only

When this option is selected, the client certificate chain is validated against the configured truststore.

Trusted Certificates

Specifies whether the system uses default or custom certificates.

If you select the Custom option, you must provide the truststore file and the truststore password. Ensure that you have already placed the truststore file on the server. For more information about importing CA certificates to a truststore, see Importing CA certificates to a truststore.

Truststore File

Name or path of the truststore file. This field is available only when you select the Custom option in the Trusted Certificates field.

Truststore Password

Password for the truststore file. This field is available only when you select the Custom option in the Trusted Certificates field.

Enable OCSP

Enables OCSP check. If you select this option, you must enter the custom OCSP responder URI in the OCSP Responder URL field.

If you do not provide any OCSP responder URI, the system uses the OCSP responder URL that is specified in the certificate.

Enable CRL

Enables CRL check. If you select this option, you must enter the custom CRL DP URI in the CRL DP URL field. You can provide an HTTP URI.

OCSP/CRL Check On End-Entity Only

Restricts OCSP and CRL validation to the end-entity certificate only; the issuing CA certificates in the chain are not checked for revocation.
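The parameters above describe three steps that the Remedy SSO server carries out when a client certificate arrives through a reverse proxy: rebuild the chain from the configured headers in end-entity-to-root order (Forwarded Certificate), validate the end-entity certificate against the truststore (Trusted Certificates), and derive the user ID, applying the User ID Transformation and the 80-character limit. The following Go program is an added example that models that flow; it is not Remedy SSO's own code. It assumes the header names from the Apache snippet above, assumes the proxy folds the PEM's newlines into spaces (so the decoder tolerates either form), and builds a throwaway root CA and client certificate inline purely as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// HeaderNames mirrors the HTTP Header Name setting: end-entity first, then the
// chain up to the root (assumed names, matching the Apache snippet on the page).
var HeaderNames = []string{"X-Client-Cert", "X-Client-Cert-Chain-0"}

// MaxUserIDLen is the 80-character limit stated for the User ID field.
const MaxUserIDLen = 80

// decodeForwardedPEM parses one PEM certificate from a header value, whether
// the proxy kept the newlines or folded them into spaces (assumption).
func decodeForwardedPEM(v string) (*x509.Certificate, error) {
	const begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
	s := strings.TrimSpace(v)
	if !strings.HasPrefix(s, begin) || !strings.HasSuffix(s, end) {
		return nil, errors.New("header value is not a PEM certificate")
	}
	body := strings.Join(strings.Fields(s[len(begin):len(s)-len(end)]), "")
	der, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ChainFromHeaders rebuilds the client chain from the configured headers, in order.
func ChainFromHeaders(h http.Header, names []string) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for _, n := range names {
		v := h.Get(n)
		if v == "" {
			break // a shorter chain simply stops early
		}
		c, err := decodeForwardedPEM(v)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", n, err)
		}
		chain = append(chain, c)
	}
	if len(chain) == 0 {
		return nil, errors.New("no forwarded client certificate")
	}
	return chain, nil
}

// UserID applies User ID Format = Email, optionally RemoveEmailDomain, and then
// the 80-character limit that would otherwise cause the redirection loop.
func UserID(leaf *x509.Certificate, removeDomain bool) (string, error) {
	if len(leaf.EmailAddresses) == 0 {
		return "", errors.New("certificate has no email SAN")
	}
	id := leaf.EmailAddresses[0]
	if i := strings.IndexByte(id, '@'); removeDomain && i >= 0 {
		id = id[:i]
	}
	if len(id) > MaxUserIDLen {
		return "", fmt.Errorf("user ID is %d characters; limit is %d", len(id), MaxUserIDLen)
	}
	return id, nil
}

// Authenticate runs the whole flow: rebuild chain, validate the end-entity
// certificate against the truststore (roots), derive the user ID.
func Authenticate(h http.Header, roots *x509.CertPool, now time.Time, removeDomain bool) (string, error) {
	chain, err := ChainFromHeaders(h, HeaderNames)
	if err != nil {
		return "", err
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c) // forwarded issuers help build the path; trust comes from roots only
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := chain[0].Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	return UserID(chain[0], removeDomain)
}

func pemOf(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// DemoRequest builds a constructed, throwaway root CA plus a client certificate
// for the given email, returns the headers as a proxy would forward them (newlines
// folded to spaces) and a truststore holding only that root.
func DemoRequest(email string) (http.Header, *x509.CertPool, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: email},
		EmailAddresses: []string{email}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	h := http.Header{}
	h.Set("X-Client-Cert", strings.ReplaceAll(pemOf(leafDER), "\n", " "))
	h.Set("X-Client-Cert-Chain-0", strings.ReplaceAll(pemOf(caDER), "\n", " "))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return h, roots, nil
}

func main() {
	h, roots, err := DemoRequest("alice@example.test")
	if err != nil {
		panic(err)
	}
	id, err := Authenticate(h, roots, time.Now(), true)
	fmt.Println(id, err) // alice <nil>
}
```

Two points the example makes concrete: trust is anchored only in the truststore passed as roots, so a chain forwarded with a different root fails validation even though the headers are well formed; and the length check is applied after RemoveEmailDomain, which is why an Email user ID that is too long before transformation can still be accepted once the domain is stripped.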

To create or edit an authorization profile with certificate-based authentication users in the Presentation Server

  1. Log in to the TrueSight console as a Super Admin.
  2. Navigate to Administration > Authorization Profiles.
  3. Create a new authorization profile or edit an existing authorization profile to associate the user groups.
  4. Select a tenant other than the * (asterisk) tenant, that is, the tenant you configured in Remedy Single Sign-On for certificate-based authentication users, and select Edit under User Groups.

    Note

    Do not select the * (asterisk) tenant for the Certificate-based authentication users.


  5. Click Add and select the Certificate-based authentication user group from the list of user groups.
  6. Select the required roles from the list of roles.
  7. (Optional) Select the required objects from the list of objects.
  8. Select OK and then Save.
  9. Select Yes to confirm changes to the authorization profile.
  10. Log out of the TrueSight console.
  11. Log in to the TrueSight console as a Certificate-based authentication user.
    A two-step authentication screen is displayed.
  12. Type the Certificate-based authentication realm Application Domain name and click Submit.
    The Certificate-based authentication login screen is displayed.
  13. Type the Certificate-based authentication login credentials and click Login.
    The TrueSight console is displayed.