Example: Configuring NNMi to Require a Smart Card Logon

The following example illustrates how to configure NNMi to use PKI user authentication to require a smart card logon.

Note: This example uses the Mixed user authentication strategy.

This example makes the following assumptions:

  • The organization is using smart cards for logging on to NNMi.
  • The smart card contains a certificate with an email address in the Subject Alternative Name field.
  • The organization uses CRLs to check revocation for all certificates.

To complete the example configuration, follow these steps:

  1. In the NNMi console, create a user called myusername@example.com with guest privileges.

    1. From the User Accounts view, create the myusername@example.com user.

      Tip: On the User Account form, be sure to select the Directory Service Account check box and leave the Password field blank. For more information, see the NNMi help.

    2. From the User Account Mappings view, create a new user account mapping to assign the myusername@example.com user to the NNMi Guest Users user group.
  2. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  3. Search for the following text block:

    <realm name="console">
      <mode>FORM</mode>
    </realm>
  4. To enable X.509 certificate authentication, edit the text to read as follows:

    <realm name="console">
      <mode>X509</mode>
    </realm>
  5. Search for the following text block:

    <principalMapping>
  6. In the <principalMapping> block, include the following line to extract the first match of type rfc822Name from the Subject Alternative Name field of the certificate:

    <subjectAlternativeName type="rfc822Name" />
  7. Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:

    <enabled>
  8. To enable CRL checking, change the line to read as follows:

    <enabled>true</enabled>
  9. Within the <crl> section of the file, locate the text block containing the following text:

    <mode>
  10. To require and enforce CRLs, change the line to read as follows:

    <mode>REQUIRE</mode>
  11. Locate the text block containing the following:

    <certificateConstraints>
  12. To require client authentication, edit the following section:

    <!-- client authentication -->
    <extKeyUsage>1.3.6.1.5.5.7.3.2</extKeyUsage>
  13. To require users to log on using a Microsoft smart card, add the following lines:

    <!-- Microsoft smart card logon -->
    <extKeyUsage>1.3.6.1.4.1.311.20.2.2</extKeyUsage>
  14. Save your changes to the nms-auth-config.xml file.
  15. Change to the directory on the NNMi management server that contains the nnm-trust.p12 files:

    Windows: %NnmDataDir%\shared\nnm\certificates

    Linux: $NnmDataDir/shared/nnm/certificates

  16. Import your trusted CA certificate into the nnm-trust.p12 file. Suppose the example_ca.cer file contains the certificate you must use. Run the following command to import the CA certificate into the NNMi nnm-trust.p12 file:

    Windows: %NnmInstallDir%\bin\nnmkeytool.ovpl -import -alias myca -storetype PKCS12 -keystore nnm-trust.p12 -file example_ca.cer

    Linux: $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias myca -storetype PKCS12 -keystore nnm-trust.p12 -file example_ca.cer

  17. Ensure that the user account’s name matches the user name contained in the certificate (myusername).
  18. Restart the NNMi services:

    • Run the ovstop command on the NNMi management server.
    • Run the ovstart command on the NNMi management server.

NNMi is now configured to require a smart card logon.

The following text is similar to how the nms-auth-config.xml file might appear after making the configuration changes described in this example:

<methods>
  <X509>
    <principalMapping>
      <subjectAlternativeName type="rfc822Name" />
    </principalMapping>
    <certificateConstraints>
      <extKeyUsage>1.3.6.1.5.5.7.3.2</extKeyUsage>
      <extKeyUsage>1.3.6.1.4.1.311.20.2.2</extKeyUsage>
      <trustedIssuer>CN=MyIssuer, OU=MyOrgUnit, O=MyOrg, ST=CO, C=US</trustedIssuer>
    </certificateConstraints>
    <revocation>
      <ordering>CRL OCSP</ordering>
      <mode>CHECK_ALL</mode>
    </revocation>
    <crl>
      <enabled>true</enabled>
      <mode>REQUIRE</mode>
      <!-- refresh CRLs every 12 hours -->
      <refreshPeriod>12h</refreshPeriod>
      <!-- remove CRLs that have not been used for 36 hours -->
      <maxIdleTime>36h</maxIdleTime>
    </crl>
    <ocsp>
      <enabled>false</enabled>
      <mode>ENFORCE</mode>
      <nonce>false</nonce>
    </ocsp>
  </X509>
</methods>
<realms>
  <realm name="console">
    <mode>X509</mode>
  </realm>
</realms>
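As an added post-change check (not part of the NNMi documentation or product), the following standard-library Python script re-reads nms-auth-config.xml and reports which of the settings edited in steps 4 through 13 are still missing, so a reviewer can confirm that the console realm really enforces X509 with CRL checking before the services are restarted. It assumes the file has a single root element (called nms-auth-config here; the fragment above does not show the real root name) and uses constructed before/after samples in place of a real file.

```python
"""Verify that nms-auth-config.xml carries the smart card logon settings from this example."""
import xml.etree.ElementTree as ET

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"              # id-kp-clientAuth
MS_SMARTCARD_LOGON_EKU = "1.3.6.1.4.1.311.20.2.2"  # Microsoft smart card logon

# Constructed sample mirroring the "after" fragment above; the <nms-auth-config>
# root is an assumption so the fragment parses as one document.
SAMPLE_AFTER = """<nms-auth-config>
<methods><X509>
  <principalMapping><subjectAlternativeName type="rfc822Name" /></principalMapping>
  <certificateConstraints>
    <extKeyUsage>1.3.6.1.5.5.7.3.2</extKeyUsage>
    <extKeyUsage>1.3.6.1.4.1.311.20.2.2</extKeyUsage>
  </certificateConstraints>
  <crl><enabled>true</enabled><mode>REQUIRE</mode></crl>
</X509></methods>
<realms><realm name="console"><mode>X509</mode></realm></realms>
</nms-auth-config>"""

# Constructed "before" sample: FORM logon, no SAN mapping, CRL checking off.
# The shipped default CRL mode is not shown on this page; ENFORCE is a stand-in.
SAMPLE_BEFORE = """<nms-auth-config>
<methods><X509>
  <principalMapping/>
  <certificateConstraints><extKeyUsage>1.3.6.1.5.5.7.3.2</extKeyUsage></certificateConstraints>
  <crl><enabled>false</enabled><mode>ENFORCE</mode></crl>
</X509></methods>
<realms><realm name="console"><mode>FORM</mode></realm></realms>
</nms-auth-config>"""


def check_smartcard_config(xml_text):
    """Return a list of findings; an empty list means every setting from the example is present."""
    root = ET.fromstring(xml_text)
    findings = []

    def text_at(path):
        node = root.find(path)
        return (node.text or "").strip() if node is not None else None

    if text_at("./realms/realm[@name='console']/mode") != "X509":
        findings.append("console realm mode is not X509 (step 4)")
    x509 = root.find("./methods/X509")
    if x509 is None:
        findings.append("no <X509> method block found")
        return findings
    if x509.find("./principalMapping/subjectAlternativeName[@type='rfc822Name']") is None:
        findings.append("principalMapping has no subjectAlternativeName type=rfc822Name (step 6)")
    ekus = {(e.text or "").strip() for e in x509.findall("./certificateConstraints/extKeyUsage")}
    for oid, purpose in ((CLIENT_AUTH_EKU, "client authentication (step 12)"),
                         (MS_SMARTCARD_LOGON_EKU, "Microsoft smart card logon (step 13)")):
        if oid not in ekus:
            findings.append(f"certificateConstraints lacks extKeyUsage {oid}: {purpose}")
    if text_at("./methods/X509/crl/enabled") != "true":
        findings.append("CRL checking is not enabled (step 8)")
    if text_at("./methods/X509/crl/mode") != "REQUIRE":
        findings.append("CRL mode is not REQUIRE (step 10)")
    return findings
```

Run it against the real file with `check_smartcard_config(open(path).read())`; any non-empty result lists the step whose edit did not take.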