
Requirements for CAC sign-on

This configuration is intended for customers who run a Service Manager server in a secured environment and want users to log on to the server with a Common Access Card (CAC), without entering a user name and password.

Parameters required in sm.ini

Service Manager 9.32 or later supports CAC sign-on with two-way SSL enabled and the ssl_reqClientAuth parameter set to either "1" or "2".

The following table lists the server parameters required for CAC sign-on.

With ssl_reqClientAuth:1

cacsignon:1
ssl:1
sslConnector:1
ssl_reqClientAuth:1
keystoreFile:<servercert.keystore>
keystorePass:<keystoreFile password>
truststoreFile:cacerts
truststorePass:<truststoreFile password>

Note When using ssl_reqClientAuth:1, the ssl_trustedClientsJKS and ssl_trustedClientsPwd parameters are not required.

With ssl_reqClientAuth:2

cacsignon:1
ssl:1
sslConnector:1
ssl_reqClientAuth:2
keystoreFile:<servercert.keystore>
keystorePass:<keystoreFile password>
truststoreFile:cacerts
truststorePass:<truststoreFile password>
ssl_trustedClientsJKS:<trustedclients.jks>
ssl_trustedClientsPwd:<ssl_trustedClientsJKS password>

Note Once cacsignon is enabled (set to 1), the server implicitly sets three parameters to 1, as shown in the following table. An explicit value in sm.ini does not change the effective value, with the single exception of ssl_reqClientAuth:2.

Parameter          Value  Notes
ssl                1      Any other value explicitly specified in sm.ini is ignored.
sslConnector       1      Any other value explicitly specified in sm.ini is ignored.
ssl_reqClientAuth  1      Any other value explicitly specified in sm.ini is ignored, except ssl_reqClientAuth:2, which is honored.

Parameters required in web.xml

The following parameters are required in the web tier configuration file (web.xml):

  • isCustomAuthenticationUsed=false

    Set the value to false so that Service Manager sends the current user name in the HTTP header.

  • CACLogin=true

    Set the value to true to enable the CAC logon mode in the web tier.
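The requirements above (the sm.ini entries for each ssl_reqClientAuth mode, the implicit overrides that cacsignon:1 triggers, and the two web.xml settings) can be checked mechanically before the server is restarted. The following Python script is an added example and is not part of Service Manager or its documentation. It assumes that sm.ini holds one name:value pair per line with # starting a comment, and that the web tier stores its settings as <context-param> elements in web.xml; both sample files are constructed for the example, and the keystore names and passwords in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample sm.ini (not from a real deployment): ssl and
# sslConnector were left at 0, and ssl_reqClientAuth:2 was requested
# without the trusted-clients keystore that mode 2 needs.
SAMPLE_SM_INI = """\
# Service Manager server parameters (constructed sample)
httpPort:13080
cacsignon:1
ssl:0
sslConnector:0
ssl_reqClientAuth:2
keystoreFile:servercert.keystore
keystorePass:changeit
truststoreFile:cacerts
truststorePass:changeit
"""

# Constructed sample web.xml; storing the settings as <context-param>
# elements is an assumption about the web tier's configuration file.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>isCustomAuthenticationUsed</param-name>
    <param-value>false</param-value>
  </context-param>
  <context-param>
    <param-name>CACLogin</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>
"""

BASE_REQUIRED = ("keystoreFile", "keystorePass", "truststoreFile", "truststorePass")
TRUSTED_CLIENT_REQUIRED = ("ssl_trustedClientsJKS", "ssl_trustedClientsPwd")


def parse_sm_ini(text):
    """Parse sm.ini as one 'name:value' per line; '#' starts a comment (assumption)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            params[name.strip()] = value.strip()
    return params


def effective_params(params):
    """Apply the implicit overrides performed once cacsignon:1 is set: ssl and
    sslConnector become 1 whatever sm.ini says, and ssl_reqClientAuth becomes 1
    unless it is explicitly 2."""
    eff = dict(params)
    if eff.get("cacsignon") == "1":
        eff["ssl"] = "1"
        eff["sslConnector"] = "1"
        if eff.get("ssl_reqClientAuth") != "2":
            eff["ssl_reqClientAuth"] = "1"
    return eff


def check_sm_ini(text):
    """Return (errors, warnings). Errors block CAC sign-on; warnings flag explicit
    values that the server will silently ignore."""
    params = parse_sm_ini(text)
    errors, warnings = [], []
    if params.get("cacsignon") != "1":
        errors.append("cacsignon:1 is required")
        return errors, warnings
    eff = effective_params(params)
    for name in ("ssl", "sslConnector", "ssl_reqClientAuth"):
        if name in params and params[name] != eff[name]:
            warnings.append(f"{name}:{params[name]} is ignored; effective value is {eff[name]}")
    mode = eff["ssl_reqClientAuth"]
    required = BASE_REQUIRED + (TRUSTED_CLIENT_REQUIRED if mode == "2" else ())
    for name in required:
        if not params.get(name):
            errors.append(f"{name} is required with ssl_reqClientAuth:{mode}")
    return errors, warnings


def context_params(xml_text):
    """Collect <context-param> name/value pairs, ignoring the XML namespace."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rpartition("}")[2] != "context-param":
            continue
        pair = {c.tag.rpartition("}")[2]: (c.text or "").strip() for c in el}
        if "param-name" in pair:
            found[pair["param-name"]] = pair.get("param-value", "")
    return found


def check_web_xml(xml_text):
    """Return the web tier settings that do not match the CAC requirements."""
    expected = {"isCustomAuthenticationUsed": "false", "CACLogin": "true"}
    actual = context_params(xml_text)
    return [f"{k} must be {v}, found {actual.get(k, '<missing>')}"
            for k, v in expected.items() if actual.get(k, "").lower() != v]


if __name__ == "__main__":
    errs, warns = check_sm_ini(SAMPLE_SM_INI)
    print("sm.ini errors:", errs)
    print("sm.ini warnings:", warns)
    print("web.xml problems:", check_web_xml(SAMPLE_WEB_XML))
```

Run against the constructed sample, the script reports the two missing trusted-client parameters as errors and the explicit ssl:0 and sslConnector:0 as ignored, which is exactly the situation the implicit-override table describes. Appending ssl_trustedClientsJKS and ssl_trustedClientsPwd, or switching to ssl_reqClientAuth:1, clears the errors.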

Other requirements

  • Configure your web application server to enable CAC authentication. You do so by updating the web tier's application-context.xml file. For details, see Example: enabling CAC sign-on.
  • When CAC logon is enabled in the server, ssl_reqClientAuth is 1 or 2 in the sm.ini file, so you must create a unique client SSL certificate for each Service Manager client that accesses Service Manager with CAC. For example, 20 Service Manager Windows clients need 20 unique client SSL certificates, and 4 Service Manager Web Tier servers need 4 more. You must also configure SSL in the web tier configuration file (web.xml) and in the Windows client Preferences setting. For details, see Example: Enabling required SSL encryption and trusted clients.

    Tip If maintaining these unique client SSL certificates incurs unsustainable IT operation costs, consider the acceptsharedcert:1 parameter, which lets all clients use a shared certificate. Note that a shared certificate no longer identifies an individual client to the server, so it weakens the per-client trust that unique certificates provide. For more information, see Parameter: acceptsharedcert.

  • CAC sign-on requires a two-way SSL connection between the user's browser and the web server (or the web application server, if no web server is deployed). Set up two-way SSL on whichever of these terminates the browser connection.
  • Each CAC user must have an operator record created in Service Manager.

Related topics

Example: Generating a client certificate with OpenSSL
Example: Generating a server certificate with OpenSSL
Add a client certificate to the web tier
Add a client certificate to the Windows client
Update the cacerts keystore file
Requirements for required SSL encryption and trusted clients
Parameter: acceptsharedcert