Administer > Hardening > Use TLS in OMi > Configure Client Certificate or Smart Card Authentication

Configure Client Certificate or Smart Card Authentication

Client certificate authentication configures OMi to require a client certificate when users log into OMi or when web services or data collectors connect to OMi. Depending on the deployment, you can configure OMi to authenticate the client on the OMi web server or, if available, the load balancer.

To configure client certificate authentication for OMi, complete the following steps in the OMi configuration wizard. Before enabling client certificate authentication, OMi must already be configured and a user with Super-Admin permissions must be created in OMi.

Configuring smart card authentication is similar to configuring client certificate authentication. For smart card authentication, you must additionally select the option Enforce use of smart card certificates in the configuration wizard.

Learn more

ClosedSmart Card Authentication

Smart cards are physical devices used to identify users in secure systems. These cards can be used to store certificates both verifying the user's identity and allowing access to secure environments.

OMi can be configured to use these certificates in place of the standard model of each user manually entering a user name and password. You define a method of extracting the user name from the certificate stored on each card.

When using smart cards with OMi, users can only log in using the smart card. The option of logging in by manually typing in your log-in user name and password is locked for all users unless smart card configuration is disabled.

ClosedSmart Card Authentication Support Matrix

Supported Data Collectors

  • OpsCx

  • Data Flow Probe

  • SiteScope

Supported Integrations

  • Application Performance Management (APM)

  • Operations Orchestration

  • Service Manager

  • UCMDB

Tasks

ClosedHow to configure client certificate or smart card authentication

  1. Make sure OMi is already configured and running.

  2. Create an OMi super-admin user and optionally other OMi users:

    1. Log into OMi and navigate to user management:

      Administration > Users > Users, Groups, and Roles

      Alternatively, click Users, Groups, and Roles.

    2. Create a new user and click Super-Admin to assign all permissions to the user.

      Create additional users as required.

    3. Take note of each user's log-in name (case sensitive). The user log-in value must be embedded in an attribute in the client certificate. When you run the configuration wizard you choose the attribute.

  3. Obtain certificates from your Certificate Authority (CA):

    1. Obtain the root CA certificate and any intermediate CA certificates of the CA.

    2. Obtain client authentication certificates from your CA for each OMi user. Make sure the certificates include the user's log-in credentials in one of the certificate attributes. When you run the configuration wizard you choose the attribute that contains the log-in credentials.

      Note We recommend using the strongest currently available cryptographic algorithms when obtaining client certificates, as well as the largest key size (not less than 2048-bit RSA keys). To see the latest NIST approved cryptographic algorithms and key lengths, go to http://csrc.nist.gov/publications/PubsFIPS.html.

    3. Verify that the client authentication certificate is correct.

      1. Double-click the client authentication certificate that is installed on your machine. The Certificate dialog box opens.

      2. Click the Details tab.

      3. Click Enhanced Key Usage.

      4. Verify that the Client Authentication object identifier (OID) is 1.3.6.1.5.5.7.3.2.

  4. If your OMi front-end server is a load balancer or reverse proxy, perform the following steps:

    1. Follow the standard procedures for requiring a client authentication certificate specified on your reverse proxy. For details, see the third party documentation of your reverse proxy.

    2. Pass the client authentication certificate details in a header to the OMi gateway server.

      This procedure describes the general settings that are required, but you may need to see the web server documentation for the details. For details, see How to manually configure reverse proxy for smart cards.

  5. Stop OMi.

  6. Start the OMi configuration wizard:

    <OMi_HOME>/bin/config-server-wizard.[bat|sh]

  7. Proceed through the wizard. In the Client Certificate Authentication page, select the authentication option:

    • Authentication on OMi web server.

      1. Select the certificate of the CA that issued the client certificate. The certificate file must be PEM-encoded.

        If you have more than one CA certificate issuer for the client authentication certificates (for example, there is an intermediate CA) follow the instructions below:

        • Apache. Create a chain certificate of the certificates in .PEM format.

      2. Choose how OMi checks whether the client certificate has been revoked:

        None. OMi does not check the revocation status.

        OCSP URL from certificate. OMi sends an OCSP request to the URL provided in the client certificate and evaluates the OCSP response to determine the revocation status of the certificate.

        Local CRL file (PEM-encoded). OMi checks the revocation status in a CRL file local to the gateway server. Make sure the CRL file on the gateway server is the latest one available from your CA.

        Tip The following example converts a revocation list from CRL to PEM format:

        <OMi_HOME>/WebServer/bin>openssl crl -inform DER -outform PEM -in <path to .crl> -out <path to .pem to be created>

      3. Specify the certificate data that is used for authentication:

        Attribute used to identify users. If Subject has an attribute called E, Email, emailaddress, email address, e-mail address, e-mailaddress, rfc822 name, or rfc822name, select SubjectDN in the Attribute used to identify users field, and enter the value of the attribute in the Relevant part of the attribute field.

        Relevant element of attribute field (for example, CN). If the Subject does not contain one of the attributes listed above, select Subject Alternative Name in the Attribute used to identify users field, and enter the attribute name (not its value) in the Relevant part of the attribute field. The attribute name may be one of the following: Principal Name, Principalname, other name, principalname, principal name, or Microsoft principal name.

        Tip When defining the Relevant part of the attribute field, the attribute must be the user's unique identifier. You can find the certificate attributes in the certificate details. In Internet Explorer, these can be viewed from Tools > Internet Options > Content > Certificates > Personal > Details > Subject or Subject Alternative Name.

      4. Optional. Click Enforce use of smart card certificates to configure OMi to always require a smart card when a user logs on.

      5. Click Next to continue.

    • Authentication on load balancer.

      1. Specify the certificate data that is used for authentication:

        Attribute used to identify users. If Subject has an attribute called E, Email, emailaddress, email address, e-mail address, e-mailaddress, rfc822 name, or rfc822name, select SubjectDN in the Attribute used to identify users field, and enter the value of the attribute in the Relevant part of the attribute field.

        Relevant element of attribute field (for example, CN). If the Subject does not contain one of the attributes listed above, select Subject Alternative Name in the Attribute used to identify users field, and enter the attribute name (not its value) in the Relevant part of the attribute field. The attribute name may be one of the following: Principal Name, Principalname, other name, principalname, principal name, or Microsoft principal name.

        Tip When defining the Relevant part of the attribute field, the attribute must be the user's unique identifier. You can find the certificate attributes in the certificate details. In Internet Explorer, these can be viewed from Tools > Internet Options > Content > Certificates > Personal > Details > Subject or Subject Alternative Name.

      2. Optional. Click Enforce use of smart card certificates to configure OMi to always require a smart card when a user logs on.

      3. Click Next to continue.

  8. Complete the remaining wizard pages and enable OMi again.

  9. Enable smart card authentication on the data collector or component servers. For details, see the following help centers:

    • OpsCx. See the OpsCx Help.

    • SiteScope. See the SiteScope Help.

  10. Distribute the client certificates to the OMi users and data collectors.

ClosedHow to manually configure reverse proxy for smart cards

This procedure describes the general settings that are required, but you may need to refer to the web server documentation for the details. It must be performed before you restart your OMi gateway servers to enable smart card authentication.

For the Apache web server:

  1. Prerequisite. Apache is already configured to require a client certificate.

  2. In httpd.conf, enable the mod_headers.so

  3. In httpd-ssl.conf, add the following line before </VirtualHost>:

    requestHeader set CLIENT_CERT_HEADER "%{SSL_CLIENT_CERT}s"

ClosedHow to configure OMi to provide client certificate authentication

In some cases, the OMi server itself acts as a client with respect to other servers and must provide a client authentication certificate. If this is the case, it must be performed only once.

For example, this is required when a data collector such as SiteScope requires a client authentication certificate (for example, when smart cards authentication is required by the data collector).

  1. Obtain software client authentication certificate from your CA issued to a user with appropriate permissions for this integration. You can use one of the certificates you obtained in the beginning of the How to configure client certificate or smart card authentication.

  2. If the certificate is not already in Java keystore (JKS) format, convert it to JKS.

    For example, if your certificate is in PFX format, you can convert it to JKS format as seen in the following example: 

    keytool.exe -importkeystore -srckeystore c:\certificate.pfx -destkeystore c:\certificate.jks -srcstoretype PKCS12

  3. Open <OMi_HOME>/application-server/bin/standalone.conf[.bat|.sh] on all OMi gateway and data processing servers and make the following changes on each server:

    1. Locate the following line in the file:

      set "JAVA_OPTS=%JAVA_OPTS% ‑Dtopaz.home=%PRODUCT_HOME_PATH%"

    2. Insert the following lines right after the line:

      set SECURITY_OPTS=‑Djavax.net.ssl.keyStore=<path to certificate.jks> ‑Djavax.net.ssl.keyStorePassword=<keystore password> ‑Djavax.net.ssl.keyStoreType=JKS

      set JAVA_OPTS=%JAVA_OPTS% %SECURITY_OPTS%

Troubleshooting

ClosedNotes and limitations

  • User names are case sensitive.

  • When creating an admin user as directed in the smart card authentication wizard, make sure you enter a secure password even though no password is required for authentication with smart cards. If smart card authentication is disabled, the user will still exist on the system and if an insecure password is defined it could pose a security risk.

  • The following integration is not supported:

    • UCMDB - OMi Downtime Integration

ClosedTimeout failure during configuration

Problem: When configuring smart card authentication, OMi fails during setup with a timeout failure.

Solution: Increase the value of the process.launcher.time.out parameter. The default is 60 seconds.

  1. In a text editor, open <OMi_HOME>/conf/settings/security.xml.

  2. Locate the parameter process.launcher.time.out.

    <setting
name="process.launcher.time.out"
sectionResource="security.login"
nameResource="process.launcher.time.out.name"
descResource="process.launcher.time.out.desc"
refreshRate="Reboot"
displayInUI="false"
settingType="global">
<value type="number">60</value>
</setting>
  3. In the line <value type="number">60</value>, increase the value.
ClosedEmergency disable of smart card authentication

Note This procedure should only be used if you cannot access OMi normally.

If you cannot log in to OMi using any smart card and want to disable smart card authentication, run the opr-tls-config command-line interface with the ‑disable option. See alsoopr-tls-config Command-Line Interfaceopr-tls-config Command-Line Interface.

ClosedUsing command-line tools when client certificate enforcement is used
ClosedUse a dedicated client certificate for the CLIs

  1. Request a client certificate for a service account (if smart card is not required). The certificate is associated with an email address, for example cli@example.com.

  2. Create a new user for cli@example.com in OMi. The user must have either administrative rights or the Node Editor permission.

  3. Create a java keystore from the certificate:

    <OMi_Home>\JRE\bin\keytool -importkeystore -srckeystore cli-user.p12 -srcstoretype pkcs12 -destkeystore cert.jks

    Note The keystore password must be the same as the password to import the certificate.

  4. You can now run CLI tools using the -jks option, for example:

    opr-agt -jks C:\<OMi_Home>\keystore -jp <java-keystore-password> -status -all

ClosedRemove the client certificate enforcements for data collectors and CLIs

This step will configure OMi to only require a certificate for the login page, but not for other URLs. After enabling smart card authentication, OMi requires CAC authentication for all requests, including data collector API/REST calls. If you don't need client certificate authentication between data collectors and OMi (TLS only), do the following:

  1. Configure the Apache web server

    1. In the <OMi_HOME>/WebServer/conf/extra/cac-impl-login.tpl.conf file, remove the part |@@WS_URLS@@ from the following section:

      SSLCACertificateFile "${TOPAZ_HOME}/WebServer/conf/client_ca_root.pem"
      #SSLOCSPEnable on
      #SSLCARevocationCheck chain
      #SSLCARevocationFile @@CRL_REV_FILE@@
      <LocationMatch ".*/topaz/login.jsp|@@WS_URLS@@">
      SSLVerifyClient require
      SSLVerifyDepth 10
      SSLOptions +ExportCertData
      </LocationMatch>

    2. Save the modified file.

  2. Change the LW-SSO settings to exclude the web services.

    1. Execute the following command:

      Linux: <OMi_HOME>/opr/support/opr-jmxClient.sh -r -s localhost:4447 -b "Topaz:service=LW-SSO Configuration" -m invokeGetInternalLwConf

      Windows: <OMi_HOME>\opr\support\opr-jmxClient.bat -r -s localhost:4447 -b "Topaz:service=LW-SSO Configuration" -m invokeGetInternalLwConf

    2. Check if the output contains .*/opr.*/rest.* in the REST URLs section, for example:

      Rest URLs

      ===================

      Rest URL = .*/opr.*/rest.*

    3. If the output does not contain those lines, add the URL by running the following command:

      Linux: <OMi_HOME>/opr/support/opr-jmxClient.sh -r -s localhost:4447 -b "Topaz:service=LW-SSO Configuration" -m addRestUrl -a .*/opr.*/rest.*

      Windows: <OMi_HOME>\opr\support\opr-jmxClient.bat -r -s localhost:4447 -b "Topaz:service=LW-SSO Configuration" -m addRestUrl -a .*/opr.*/rest.*

  3. Restart OMi.

  4. If you can't log in to OMi after the restart, check if the client certificate handler is set correctly:

    1. Open the JMX console on the gateway server by navigating to https://localhost:29000/ in a web browser.
    2. Go to Topaz:service=LW-SSO Configuration.
    3. Look for ClientCertificateInboundHandlerEnabled. When a public key infrastructure (PKI) is enabled, this setting must be true. If it is false, change it to true and click set.
    4. Restart OMi again.

Send Help Center feedback