
Configure CAC (Smart Card / PKI Authentication) Support on UCMDB

This section describes how to configure Smart Card Authentication or PKI Authentication (CAC) support on UCMDB.

Note  

  • CAC support is only available when using Internet Explorer 10 or later.
  • Common Access Card (CAC) is not supported in a multi-customer or State environment.

  1. Import the root CA and any intermediate certificates into the UCMDB Server Truststore as follows:

    1. On the UCMDB machine, copy the certificate files to the following directory on UCMDB:

      C:\UCMDB\UCMDBServer\conf\security

      Note If your certificate is in Microsoft p7b format, you may need to convert it to PEM format.

    2. For each certificate, run the following command:

      C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -import -v -keystore C:\UCMDB\UCMDBServer\conf\security\server.truststore -file <certificate> -alias <certificate alias>

    3. Enter the UCMDB Server Truststore password.

    4. When prompted with Trust this certificate?, type y and press Enter.

    5. Make sure the output contains the message Certificate was added to the keystore.

  2. Open the JMX console by launching the Web browser and entering the Server address, as follows: https://<UCMDB Server Host Name or IP>:8443/jmx-console.

    You may have to log in with a user name and password.

  3. Under UCMDB, click UCMDB:service=Ports Management Services to open the Operations page.

    • (optional) Click ComponentsConfigurations. Do the following:

      • Set HTTPSClientAuthSetPort to 8444 and click Invoke.
      • Click Back to MBean.
    • Click mapComponentToConnectors. Do the following:

      • In the mapComponentToConnectors service, set componentName to ucmdb-ui.

      • Set only isHTTPSWithClientAuth to true, and click Invoke.

      • Click Back to MBean.
      • In the mapComponentToConnectors service, set componentName to root.

      • Set only isHTTPSWithClientAuth to true, and click Invoke.

  4. Under UCMDB, click UCMDB:service=Security Services to open the Operations page. In the loginWithCAC service, do the following:

    • Set loginWithCAC to true, and click Invoke.

      Note: If the user used for the CAC login does not have permission to access the UCMDB UI, automatic login does not occur and a white page is displayed.
    • Click Back to MBean.
    • (optional) Click usernameField to specify the field from the certificate that will be used by UCMDB to extract a username, and click Invoke.

      Note If you do not specify a field, the default of PRINCIPAL_NAME_FROM_SAN_FIELD is used.

    • Click Back to MBean.
    • Click pathToCRL to set a path to an offline Certificate Revocation List (CRL) to be used if the online list (from the certificate) is not available, and click Invoke.

      Note When you work with a local CRL and there is a working Internet connection to the UCMDB server, the local CRL is used. The validation of any certificate (even if it is not revoked) fails in the following situations:

      • if the CRL path is set but the CRL file itself is missing
      • if the CRL is expired
      • if the CRL has an incorrect signature

      If you do not set the path to an offline CRL and the UCMDB server cannot access the online CRL, all certificates that contain a CRL or OCSP URL are rejected (since the URL cannot be accessed, the revocation check fails). To give the UCMDB server access to the Internet, uncomment the following lines in the wrapper.conf file and provide a valid proxy and port:

      #wrapper.java.additional.40=-Dhttp.proxyHost=<PROXY_ADDR>
      #wrapper.java.additional.41=-Dhttp.proxyPort=<PORT>
      #wrapper.java.additional.42=-Dhttps.proxyHost=<PROXY_ADDR>
      #wrapper.java.additional.43=-Dhttps.proxyPort=<PORT>

    • Click Back to MBean.
    • (optional) Set onlyCACCerts to true, and click Invoke.

      Set this operation to true to accept only certificates that come from a physical CAC device.

    You should now be able to log into UCMDB with https://<UCMDB Server Host Name or IP>.<domainname>:8444.

  5. Configure UCMDB to use LW-SSO authentication and restart the UCMDB Server.

For details on LW-SSO authentication, see Enabling Login to Universal CMDB with LW-SSO.
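The following Java utility is an added example; it is not part of this documentation and not UCMDB product code. It shows the two checks a practitioner usually wants before enabling CAC login: that every root and intermediate certificate actually landed in server.truststore (step 1), and that an offline CRL named in pathToCRL would pass the three conditions the note above lists (file present, not past its nextUpdate, signature verifiable with a CA in the truststore). It uses only the JRE's standard X.509 classes, which also accept a p7b bundle directly, so the certificate files need no manual conversion. The class name, the command-line arguments, the alias scheme (file name plus index), the .bak backup copy and the assumption that the UCMDB Server is stopped while the truststore is rewritten are all the example's own choices; compile it with any JDK and run it with the JRE under C:\UCMDB\UCMDBServer\bin\jre.

```java
import java.io.Console;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Added example (assumed names and paths): imports CA certificates into
// UCMDB's server.truststore and pre-checks an offline CRL against it.
public class CacTrustStoreCheck {

    // server.truststore is a JKS keystore; load it with the truststore password.
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Import every X.509 certificate found in one file. CertificateFactory parses
    // PEM, DER and PKCS#7 (.p7b) input, so a p7b bundle works without conversion.
    // Alias scheme (assumption): <file name without extension>-<index>, lower case.
    static int importCertificates(KeyStore ks, Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        String stem = certFile.getFileName().toString().replaceAll("\\.[^.]*$", "");
        int n = 0;
        try (InputStream in = Files.newInputStream(certFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                String alias = (stem + "-" + n).toLowerCase();
                ks.setCertificateEntry(alias, x);
                System.out.println("imported " + x.getSubjectX500Principal() + " as alias " + alias);
                n++;
            }
        }
        return n;
    }

    // The three conditions under which UCMDB rejects every certificate when a
    // local CRL is configured: file missing, CRL expired, signature incorrect.
    static String checkOfflineCrl(Path crlPath, KeyStore ks) throws Exception {
        if (!Files.isRegularFile(crlPath)) {
            return "FAIL: CRL path is set but the file is missing: " + crlPath;
        }
        X509CRL crl;
        try (InputStream in = Files.newInputStream(crlPath)) {
            crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
        Date next = crl.getNextUpdate();
        if (next != null && next.before(new Date())) {
            return "FAIL: CRL expired, nextUpdate was " + next;
        }
        // The CRL must be signed by a CA whose certificate is in the truststore.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate ca = ks.getCertificate(alias);
            if (ca == null) continue;
            try {
                crl.verify(ca.getPublicKey());
                return "OK: CRL from " + crl.getIssuerX500Principal() + " verified with alias " + alias;
            } catch (GeneralSecurityException e) {
                // not signed by this CA, try the next entry
            }
        }
        return "FAIL: CRL signature does not verify with any CA in the truststore";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java CacTrustStoreCheck <server.truststore> <certDir> <crl file>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from an interactive console");
        char[] pw = console.readPassword("Truststore password: ");
        Path trustStore = Paths.get(args[0]);
        KeyStore ks = loadTrustStore(trustStore, pw);

        // Keep a backup before rewriting the truststore (assumed practice, not a UCMDB step).
        Files.copy(trustStore, Paths.get(args[0] + ".bak"), StandardCopyOption.REPLACE_EXISTING);
        int total = 0;
        try (DirectoryStream<Path> dir = Files.newDirectoryStream(Paths.get(args[1]), "*.{cer,crt,pem,p7b}")) {
            for (Path f : dir) total += importCertificates(ks, f);
        }
        try (OutputStream out = Files.newOutputStream(trustStore)) {
            ks.store(out, pw);
        }
        System.out.println(total + " certificate(s) written to " + trustStore);
        System.out.println(checkOfflineCrl(Paths.get(args[2]), ks));
    }
}
```

Run it as `java CacTrustStoreCheck C:\UCMDB\UCMDBServer\conf\security\server.truststore <certDir> <crl file>` with the server stopped; a FAIL line from the CRL check means a user presenting a valid, unrevoked card would still be rejected once pathToCRL points at that file, so fix the CRL (or remove the path) before enabling loginWithCAC.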