Configure CAC Support on UCMDB by Reverse Proxy

This section describes how to configure Common Access Card (CAC) support on UCMDB using a reverse proxy.

  1. Open the JMX console by launching the Web browser and entering the Server address, as follows: https://localhost:8443/jmx-console.

    You may have to log in with a user name and password.

  2. Under UCMDB, click UCMDB:service=Ports Management Services to open the Operations page.

    • (optional) Click ComponentsConfigurations. Do the following:

      • Set HTTPSetPort to 8080 and click Invoke.
      • Click Back to MBean.
    • Click mapComponentToConnectors. Do the following:

      • In the mapComponentToConnectors service, set componentName to ucmdb-ui.

      • Set only isHTTP to true, and click Invoke.

      • Click Back to MBean.
      • In the mapComponentToConnectors service, set componentName to root.

      • Set only isHTTP to true, and click Invoke.
  3. Under UCMDB, click UCMDB:service=Security Services to open the Operations page.

    • Set loginWithCAC to true, and click Invoke.
    • Click Back to MBean.
    • Set withReverseProxy to true, and click Invoke.

      This setting tells the UCMDB server to read the UCMDB_SSL_CLIENT_CERT header and extract from it the user name to be used in UCMDB and the certificate to be used for authentication.

    • Click Back to MBean.
    • (optional) Set onlyCACCerts to true, and click Invoke.

      Set this operation to true to accept only certificates that come from a physical CAC device.

    • (optional) Click usernameField to specify the field from the certificate that will be used by UCMDB to extract a username, and click Invoke.

      Note: If you do not specify a field, the default of PRINCIPAL_NAME_FROM_SAN_FIELD is used.

  4. Restart the UCMDB Server.

(Optional) Configure LocationMatch in Apache Reverse Proxy httpd-ssl.conf for CAC Setup

When Apache is the reverse proxy in front of a UCMDB server with CAC enabled, you might sometimes encounter cascading PIN request popups.

To skip the appler.jsp PIN prompt, you may add the following LocationMatch setting to the httpd-ssl.conf file:

<LocationMatch "^/ucmdb-ui/login_page.jsp">
SSLVerifyClient require
SSLVerifyDepth 10
</LocationMatch>
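
The proxy-side counterpart of the withReverseProxy setting in step 3, shown as an added example that is not part of the original documentation. It assumes Apache 2.4 with mod_ssl, mod_headers, mod_proxy and mod_proxy_http loaded, and that the proxy is expected to pass the verified certificate in PEM form in the UCMDB_SSL_CLIENT_CERT header; the host name ucmdb.internal.example and all file paths are placeholders, and port 8080 is the HTTP port from step 2.

```apache
# Added example: assumed reverse-proxy virtual host for the CAC setup.
# Host name and file paths below are placeholders, not vendor values.
<VirtualHost _default_:443>
    SSLEngine on

    # The proxy's own server certificate and key (placeholder paths).
    SSLCertificateFile    "/path/to/proxy-server.crt"
    SSLCertificateKeyFile "/path/to/proxy-server.key"

    # CA bundle that issued the CAC client certificates (placeholder path).
    # Only certificates chaining to these CAs pass SSLVerifyClient.
    SSLCACertificateFile  "/path/to/cac-issuing-cas.pem"

    # Request the client certificate at the login page, as in the
    # LocationMatch block above.
    <LocationMatch "^/ucmdb-ui/login_page.jsp">
        SSLVerifyClient require
        SSLVerifyDepth 10
    </LocationMatch>

    # With withReverseProxy=true, UCMDB takes the user identity from this
    # header. Drop any value supplied by the browser, then set the header
    # from the certificate that mod_ssl verified on this connection.
    # Assumption: UCMDB accepts the PEM text mod_ssl exposes as
    # SSL_CLIENT_CERT.
    RequestHeader unset UCMDB_SSL_CLIENT_CERT
    RequestHeader set   UCMDB_SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"

    # Forward to the UCMDB HTTP connector configured in step 2.
    # Because UCMDB trusts the header above, port 8080 should accept
    # connections from this proxy only (host firewall or network ACL).
    ProxyPass        / http://ucmdb.internal.example:8080/
    ProxyPassReverse / http://ucmdb.internal.example:8080/
</VirtualHost>
```

Run apachectl configtest after editing httpd-ssl.conf to catch syntax errors before restarting the proxy.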