Configure CAC (Smart Card / PKI Authentication) Support on UCMDB

Configure CAC Support on UCMDB Server

This section describes how to configure Smart Card Authentication or PKI Authentication (CAC) support on UCMDB server.

1. Import the root CA and any intermediate certificates into the UCMDB Server Truststore as follows:

   1. On the UCMDB machine, copy the certificate files to the following directory on UCMDB:

      C:\UCMDB\UCMDBServer\conf\security

      Note: If your certificate is in Microsoft p7b format, you may need to convert it to PEM format.

   2. For each certificate, run the following command:

      C:\UCMDB\UCMDBServer\bin\jre\bin\keytool.exe -import -v -keystore
      C:\UCMDB\UCMDBServer\conf\security\server.truststore -file 
      <certificate> -alias <certificate alias>

      Note: (FIPS mode only) If UCMDB server is running in FIPS mode, make sure you import each certificate into server-fips.truststore by following the steps below:

      1. Stop UCMDB Server.
      2. Copy <UCMDB_Server_Install_Dir>\lib\bcfips\bc-fips-1.0.1.jar into the <UCMDB_Server_Install_Dir>\bin\jre\lib\ext folder.

      3. Open <UCMDB_Server_Install_Dir>\bin\jre\lib\security\java.security using a text editor and add the following lines to the provider list:

         security.provider.11=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

      4. Run the following command:

         <UCMDB_Server_Install_Dir>\bin\jre\bin\keytool.exe -import -v -keystore <UCMDB_Server_Install_Dir>\conf\security\server-fips.truststore" -storetype BCFKS -providername BCFIPS -storepass <password of server-fips.truststore> –file <certificate> -alias < certificate alias >

      5. Revert the changes you made from step ii to step iii.
      6. Restart UCMDB Server.
      7. For UCMDB Cluster, perform the above steps on all UCMDB writer and reader servers.

   3. (Non-FIPS mode only) Enter the UCMDB Server Truststore password.

   4. When asked, Trust this certificate?, press y and then Enter.

   5. Make sure the output Certificate was added to the keystore.

2. Open the JMX console by launching the Web browser and entering the Server address, as follows: https://<UCMDB Server Host Name or IP>:8443/jmx-console.

   You may have to log in with a user name and password.

3. Under UCMDB, click UCMDB:service=Ports Management Services to open the Operations page.

   • (optional) Click ComponentsConfigurations. Do the following:

     • Set HTTPSClientAuthSetPort to 8444 and click Invoke.
     • Click Back to MBean.

   • Click mapComponentToConnectors. Do the following:

     • In the mapComponentToConnectors service, set componentName to ucmdb-ui.

     • Set only isHTTPSWithClientAuth to true, and click Invoke.

     • Click Back to MBean.

     • In the mapComponentToConnectors service, set componentName to root.

     • Set only isHTTPSWithClientAuth to true, and click Invoke.

4. Under UCMDB, click UCMDB:service=Security Services to open the Operations page. In the loginWithCAC service, do the following:

   • Set loginWithCAC to true, and click Invoke.

     Note: If a user who is used in CAC login does not have permissions to access the UCMDB UI, then automatic login and display of a white page will not occur.
   • Click Back to MBean.

   • (optional) Click usernameField to specify the field from the certificate that will be used by UCMDB to extract a username, and click Invoke.

     Note: If you do not specify a field, the default of PRINCIPAL_NAME_FROM_SAN_FIELD is used.

   • Click Back to MBean.

   • Click pathToCRL to set a path to an offline Certificate Revocation List (CRL) to be used if the online list (from the certificate) is not available, and click Invoke.

     Note: When you work with a local CRL and there is a working Internet connection to the UCMDB server, the local CRL is used. The validation of any certificate (even if it is not revoked) fails in the following situations:

     • if the CRL path is set but the CRL file itself is missing
     • if the CRL is expired
     • if the CRL has an incorrect signature

     If you do not set the path to an offline CRL and the UCMDB server cannot access the online CRL, all certificates that contain a CRL or OCSP URL are rejected (since the URL cannot be accessed, the revocation check fails). To give the UCMDB server access to the Internet, uncomment the following lines in the wrapper.conf file and provide a valid proxy and port:

     #wrapper.java.additional.40=-Dhttp.proxyHost=<PROXY_ADDR>
     #wrapper.java.additional.41=-Dhttp.proxyPort=<PORT>
     #wrapper.java.additional.42=-Dhttps.proxyHost=<PROXY_ADDR>
     #wrapper.java.additional.43=-Dhttps.proxyPort=<PORT>

   • Click Back to MBean.

   • (optional) Set onlyCACCerts to true, and click Invoke.

     Set this operation to true to accept only certificates that come from a physical CAC device.

5. (FIPS mode only) Export the CAC certificate along with its private key.

   When UCMDB server is on FIPS mode, enabling CAC in UCMDB will enable two-way authentication between UCMDB UI and UCMDB Server. For the two-way authentication work properly, you need to export the CAC certificate along with its private key and import them into the keystore of client JRE (assume the keystore file is jssecacerts).

   To export the CAC certificate along with the private key, do the following:

   1. Open Microsoft Certificates (run certmgr.msc as Administrator from command prompt).

   2. Locate your CAC certificate. (We use User1-CP.01.01 in this example.)

      

   3. Right-click the certificate and select All Tasks > Export.... The Certificate Export Wizard opens.
   4. Click Next.
   5. On the Export Private Key wizard page, select Yes, export the private key, and click Next.

   6. On the Export File Format page, select Personal Information Exchange - PKCS # 12 (.PFX), and click Next.

      

   7. On the Password page, provide the password, and click Next.
   8. On the File to Export page, click Browse to locate the file for export.
   9. Click Next.

6. (FIPS mode only) Import the certificates (for example, user1.pfx) into keystore of client JRE.

   1. Make sure bc-fips-1.0.1.jar exists in folder <JRE_install_dir>\lib\ext.
   2. Make sure org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider exists in java.security of client JRE.

   3. Run the following command to import CAC certificate (by default, the password of cacerts/jssecacerts is changeit), and we assume jssecacerts is the file name of keystore in client JRE:

      <Client_JRE_dir>\bin\keytool.exe -importkeystore -v -deststorepass <keystore_password> -destkeystore "<path_of_jssecacerts>\jssecacerts" -deststoretype BCFKS -destprovidername BCFIPS -srckeystore "<path_of_user1.pfx>\user1.pfx" -srcstoretype PKCS12 -srcstorepass <key_password_of_user1.pfx>

   4. Change the password of private key of CAC certificate (user1.pfx in this example) to the password of jssecacerts:

      <Client_JRE_dir>\bin\keytool -keypasswd -alias <alias_of_CAC_cert> -keypass <password_of_CAC_cert> -new <password_of_ jssecacerts > -keystore "<path_of_ jssecacerts>\jssecacerts" -storetype BCFKS -providername BCFIPS -storepass <password_of_ jssecacerts>

7. Configure UCMDB to use LW-SSO authentication and restart the UCMDB Server.

   For details about LW-SSO authentication, see .

8. You should now be able to log into UCMDB with https://<UCMDB Server Host Name or IP>.<domainname>:8444.

Configure CAC Support on Standalone CMS UI

1. Copy the server-fips.keystore and server-fips.truststore files from the <UCMDBServer>\conf\security folder to the machine where CMS UI is installed. (C:\)

2. Modify the server.xml file.

   1. Open the <CMS_UI_Home>\conf\server.xml file using a text editor.
   2. In the lines where connector port is 8443, replace 8443 with 8553.
   3. For the maxThreads parameter, change its value to 200.
   4. For the clientAuth parameter, change its value to true.

   5. Update the following lines:

      keystoreFile="${catalina.home}/conf/server-fips.keystore"
                     keystorePass="${keystorepassword}" sendReasonPhrase="true" keystoreType="BCFKS" keystoreProvider="BCFIPS"
         truststoreFile="${catalina.home}/conf/server-fips.truststore"
                    truststorePass="${keystorepassword}" truststoreType="BCFKS" truststoreProvider="BCFIPS"
                     clientAuth="true" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2"
         crlFile="<ucmdb_browser>\conf\crl.pem""
      

   6. Save the file.

3. Modify the configuration.

   1. Go to the browser\conf folder, open the ucmdb_browser_config.xml file using a text editor.
   2. Add the UCMDB server domain name or UCMDB server IP, and save the file.
   3. Open the ucmdb-browser-fips-lwsso*.xml file using a text editor.
   4. Add the domain name.
   5. Restart the CMS UI service.

4. Import the certificate, and access CMS UI using the following address in a private IE window:

   https://<CMS_UI_hostname_or_IP_address>:8553/ucmdb-browser/

Send Help Center feedback

We welcome your comments!

To open the configured email client on this computer, open an email window.

Otherwise, copy the information below to a web mail client, and send this email to cms-doc@microfocus.com.

---

Help Topic ID:

Product:  

Topic Title:

Feedback:

---

 

Legal Notices and Support Information

Legal Notices

Warranty

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend

Confidential computer software. Except as specifically indicated otherwise, a valid license from Micro Focus is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Disclaimer

Certain versions of software and/or documents (“Material”) accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.

Copyright Notice

© 2011 - 2018 Micro Focus or one of its affiliates

Trademark Notices

MICRO FOCUS and the Micro Focus logo, among others, are trademarks or registered trademarks of Micro Focus (IP) Limited or its subsidiaries in the United Kingdom, United States and other countries. All other marks are the property of their respective owners.

Adobe™ is a trademark of Adobe Systems Incorporated.

Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation.

UNIX® is a registered trademark of The Open Group.

Documentation Updates

To check for recent updates or to verify that you are using the most recent edition of a document, go to: https://softwaresupport.softwaregrp.com.

This site requires that you register for a Micro Focus Passport and to sign in. To register for a Micro Focus Passport ID, click Register for Micro Focus Passport on the Micro Focus Support website at https://softwaresupport.softwaregrp.com.

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your Micro Focus sales representative for details.

Support

Visit the Micro Focus Support site at: https://softwaresupport.softwaregrp.com.

This website provides contact information and details about the products, services, and support that Micro Focus offers.

Micro Focus online support provides customer self-solve capabilities. It provides a fast and efficient way to access interactive technical support tools needed to manage your business. As a valued support customer, you can benefit by using the support website to:

• Search for knowledge documents of interest
• Submit and track support cases and enhancement requests
• Download software patches
• Manage support contracts
• Look up Micro Focus support contacts
• Review information about available services
• Enter into discussions with other software customers
• Research and register for software training

Most of the support areas require that you register as a Micro Focus Passport user and to sign in. Many also require a support contract. To register for a Micro Focus Passport ID, click Register for Micro Focus Passport on the Micro Focus Support website at https://softwaresupport.softwaregrp.com.

To find more information about access levels, go to: https://softwaresupport.softwaregrp.com/web/softwaresupport/access-levels.

Integration Catalog accesses the Micro Focus Integration Catalog website. This site enables you to explore Micro Focus Product Solutions to meet your business needs, includes a full list of Integrations between Micro Focus Products, as well as a listing of ITIL Processes. The URL for this website is https://softwaresupport.softwaregrp.com/km/KM01702731.

Flare Bug FixThis snippet must be hidden somewhere in your Flare project in order to enable the use of HP Metric fonts in output-to-Help of any format (WebHelp, HTML5, or Frameless Help). This snippet is inserted at the bottom of _HP_Import-SharedFiles\Content\Resources\MasterPages\_HP_Legal_Notices.htm to ensure that our custom Metric fonts are included with the Help files, but never available for our customers to use. Everything in this Snippet is configured to be hidden from view for our customers. You can ignore this file.FontFileBlackurl('../../Stylesheets/_HP_Metric/Black/MetricHPE-Web-Black.eot')url('../../Stylesheets/_HP_Metric/Black/MetricHPE-Web-Black.woff')url('../../Stylesheets/_HP_Metric/Black/MetricHPE-Web-BlackItalic.eot')url('../../Stylesheets/_HP_Metric/Black/MetricHPE-Web-BlackItalic.woff')Boldurl('../../Stylesheets/_HP_Metric/Bold/MetricHPE-Web-Bold.eot')url('../../Stylesheets/_HP_Metric/Bold/MetricHPE-Web-Bold.woff')url('../../Stylesheets/_HP_Metric/Bold/MetricHPE-Web-BoldItalic.eot')url('../../Stylesheets/_HP_Metric/Bold/MetricHPE-Web-BoldItalic.woff')url('../../Stylesheets/_HP_Metric/Bold/MetricHPE-Web-Semibold.eot')url('../../Stylesheets/_HP_Metric/Bold/MetricHPE-Web-Semibold.woff')url('../../Stylesheets/_HP_Metric/Bold/MetricHPE-Web-SemiboldItalic.eot')url('../../Stylesheets/_HP_Metric/Bold/MetricHPE-Web-SemiboldItalic.woff')Lighturl('../../Stylesheets/_HP_Metric/Light/MetricHPE-Web-Light.eot')url('../../Stylesheets/_HP_Metric/Light/MetricHPE-Web-Light.woff')url('../../Stylesheets/_HP_Metric/Light/MetricHPE-Web-LightItalic.eot')url('../../Stylesheets/_HP_Metric/Light/MetricHPE-Web-LightItalic.woff')Regularurl('../../Stylesheets/_HP_Metric/Regular/MetricHPE-Web-Regular.eot')url('../../Stylesheets/_HP_Metric/Regular/MetricHPE-Web-Regular.woff')url('../../Stylesheets/_HP_Metric/Regular/MetricHPE-Web-RegularItalic.eot')url('../../Stylesheets/_HP_Metric/Regular/MetricHPE-Web-RegularItalic.woff')Thinurl('../../Stylesheets/_HP_Metric/Thin/MetricHPE-Web-Thin.eot')url('../../Stylesheets/_HP_Metric/Thin/MetricHPE-Web-Thin.woff')url('../../Stylesheets/_HP_Metric/Thin/MetricHPE-Web-ThinItalic.eot')url('../../Stylesheets/_HP_Metric/Thin/MetricHPE-Web-ThinItalic.woff')Mediumurl('../../Stylesheets/_HP_Metric/Medium/MetricHPE-Web-Medium.eot')url('../../Stylesheets/_HP_Metric/Medium/MetricHPE-Web-Medium.woff')url('../../Stylesheets/_HP_Metric/Medium/MetricHPE-Web-MediumItalic.eot')url('../../Stylesheets/_HP_Metric/Medium/MetricHPE-Web-MediumItalic.woff')iomoonurl('../../Stylesheets/_HP_Icons/_HP_icons.eot')url('../../Stylesheets/_HP_Icons/_HP_icons.ttf')url('../../Stylesheets/_HP_Icons/_HP_icons.woff')Required link to each HPE Metric font file to enable font-family: 'HPMetricLocal')