Use > JMX Reference > Hardening Methods > How to Configure CAC (Smart Card / PKI Authentication) Support for the Embedded CMS UI

How to Configure CAC (Smart Card / PKI Authentication) Support for the Embedded CMS UI

This section describes how to configure Smart Card Authentication or PKI Authentication (CAC) support for the embedded CMS UI.

Note  

  • CAC support is only available when using Internet Explorer 10 or later.
  • In order to automatically log in to UI the user from the certificate needs to have the Access to UI (General Action) permission.

  1. Configure UCMDB to use LW-SSO authentication.

    For details on LW-SSO authentication, see Enabling Login to Universal CMDB with LW-SSO.

  2. Import the root CA and any intermediate certificates into the UCMDB Server Truststore as follows:

    1. On the UCMDB machine, copy the certificate files to the following directory on UCMDB:

      C:\UCMDB\UCMDBServer\conf\security

      Note If your certificate is in Microsoft p7b format, you may need to convert it to PEM format.

    2. For each certificate, run the following command:

      C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -import -v -keystore
      C:\UCMDB\UCMDBServer\conf\security\server.truststore -file <certificate> - alias <certificate alias>
    3. Enter the UCMDB Server Truststore password.

    4. When asked, Trust this certificate?, press y and then Enter.

    5. Make sure the output Certificate was added to the keystore.

  3. Open the JMX console by launching the Web browser and entering the Server address, as follows: https://<UCMDB Server Host Name or IP>:8443/jmx-console.

    You may have to log in with a user name and password.

  4. Under UCMDB, click UCMDB:service=Ports Management Services to open the Operations page.

  5. Click mapComponentToConnectors. In the mapComponentToConnectors service, do the following: 

    • Map ucmdb-ui

      • Set componentName to ucmdb-ui.
      • Set only isHTTPSWithClientAuth to true, and click Invoke.

      • Click Back to MBean.
    • Map ucmdb-browser

      • Set componentName to ucmdb-browser
      • Set only isHTTPSWithClientAuth to true, and click Invoke.
      • Click Back to MBean
    • Map root

      • Set componentName to root.
      • Set isHTTPSWithClientAuth and isHTTP to true, and click Invoke.

  6. Under UCMDB, click UCMDB:service=Security Services to open the Operations page. In the loginWithCAC service, set loginWithCAC to true, and click Invoke.

    You should now be able to log into UCMDB with https://<UCMDB Server Host Name or IP>.<domainname>:8444.

  7. Assign roles or rights for each CMS UI user in the UCMDB Server, as they will be created without roles or rights.

  8. Restart the UCMDB Server.