Parameter: acceptsharedcert

Startup parameters change the behavior of the Service Manager server. You can always set a startup parameter from the server's operating system command prompt.

Parameter

acceptsharedcert

Description

This parameter defines how the Service Manager server handles signed SSL certificates from incoming client requests in a Trusted Sign-On configuration.

Caution This functionality works only for the Service Manager Windows and web clients; it does not work for web service client connections, such as Service Request Catalog (SRC), Mobility, and other third-party web service integrations.

When this parameter is set to 0 (default), the Service Manager server validates the signed SSL client certificates by using standard best practices. The validation procedure is described in Secure Sockets Layer (SSL) encryption and server certificates.

Note We recommend that you run the Service Manager server with the default value set for this parameter (acceptsharedcert:0), as it is the most secure mode of operation. Before you modify the default behavior, consider the following alternative workarounds:

  • Do not use the Service Manager Windows client. Instead, use only the Service Manager web tier, as it does not incur the additional maintenance overhead or complexity that is associated with managing numerous signed client SSL certificates.

  • If you must use the Service Manager Windows client in your environment, consider limiting the distribution of this client to a small number of users. This minimizes the additional overhead costs associated with managing numerous Service Manager Windows clients and their unique signed client SSL certificates.

  • Use as many Service Manager Windows clients as are needed, but disable Trusted Sign-On functionality for these users. This eliminates the requirement to generate unique signed client SSL certificates.

When the parameter is enabled (acceptsharedcert:1), the Service Manager server allows Trusted Sign-On connections by using a so-called "shared certificate." The Service Manager server validates the shared certificate using only the following checks:

  • Whether the certificate is issued by a trusted certificate authority
  • Whether the Common Name attribute of the certificate is in the Service Manager Server's trusted clients keystore

This parameter is provided primarily for use in customer environments where the following conditions are true:

  • There is a requirement to allow access to Service Manager through Trusted Sign-On for a large number of Service Manager Windows clients.
  • Creating and maintaining the required signed SSL client certificates adds too much maintenance overhead and complexity to IT operations.

By using acceptsharedcert:1, only one client SSL certificate (the "shared certificate") needs to be created and maintained. This significantly minimizes the maintenance overhead costs and complexity that are associated with managing signed SSL client certificates. However, bear in mind the following considerations:

  • You must still copy and distribute the shared certificate to individual Service Manager Windows clients before you can successfully use Trusted Sign-On access.
  • Using acceptsharedcert:1 reduces the maintenance overhead and complexity of your IT operations at the cost of reduced security in Service Manager, because the server performs only the two simple "shared certificate" validation checks listed above. Running the Service Manager server with the recommended default value for the acceptsharedcert parameter is the most secure way to enable Trusted Sign-On, because the server then performs additional validation checks against the client SSL certificate. It is also possible, though unlikely, that a malicious user who obtains the "shared certificate" could gain unauthorized access to Service Manager if that user can also defeat the NTLM-based implementation of Trusted Sign-On on the Service Manager Windows client.

Valid if set from

Server's operating system command prompt

Initialization file (sm.ini)

Requires restart of the Service Manager server?

Yes

Default value

0

Possible values

0 (Disabled)

1 (Enabled)

Example usage

Command line: sm -httpPort:13080 -acceptsharedcert:1

Initialization file: acceptsharedcert:1
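The following audit helper is an added example, not code from Service Manager or its documentation. It resolves the effective acceptsharedcert value from the two sources the page names (a command line in the "-name:value" form and an sm.ini in the "name:value" form) and flags shared-certificate mode. It assumes sm.ini holds one "name:value" per line with "#" comments, and that a command-line value takes precedence over sm.ini; neither assumption is stated on this page.

```python
# Added audit helper, not part of Service Manager: resolve the effective
# acceptsharedcert value from a server command line and/or sm.ini and rate it.
# Assumptions (not stated on the page): sm.ini holds one "name:value" per line,
# blank lines and "#" comments are ignored, and a command-line "-name:value"
# takes precedence over sm.ini.
PARAM = "acceptsharedcert"
DEFAULT = "0"  # page: 0 (Disabled) is the default and most secure mode


def parse_ini(text):
    """Parse sm.ini-style 'name:value' lines into a dict (later lines win)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            params[name.strip().lower()] = value.strip()
    return params


def parse_cmdline(args):
    """Parse '-name:value' arguments, e.g. ['-httpPort:13080', '-acceptsharedcert:1']."""
    params = {}
    for arg in args:
        if arg.startswith("-") and ":" in arg:
            name, _, value = arg[1:].partition(":")
            params[name.lower()] = value.strip()
    return params


def audit_shared_cert(ini_text="", cmdline=()):
    """Return (source, value, severity, message) for the effective setting."""
    for source, params in (("command line", parse_cmdline(cmdline)),
                           ("sm.ini", parse_ini(ini_text))):
        if PARAM in params:
            value = params[PARAM]
            break
    else:
        source, value = "default", DEFAULT
    if value == "1":
        return (source, value, "warning",
                "Trusted Sign-On accepts one shared client certificate; the server only "
                "checks the issuing CA and that the Common Name is in the trusted clients "
                "keystore, so individual Windows clients cannot be told apart by certificate.")
    return (source, value, "info",
            "Per-client certificate validation (default, most secure mode).")
```

Run it against the page's own command-line example, `sm -httpPort:13080 -acceptsharedcert:1`, and it reports a warning sourced from the command line; with neither source setting the parameter it reports the default of 0.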

Related topics

Trusted sign-on
Enter a parameter in the sm.ini file
SSL parameters
Requirements for trusted sign-on
Parameter: ssl_reqClientAuth