Administer > Configure CAC Support

Configure CAC Support

This section describes how to configure Common Access Card (CAC) support on the UCMDB Browser.

  1. Make sure that you have access to the keystore, truststore, and crl files. If necessary, you can create them using the following examples:

    • Import the server certificate into the keystore:

      $ keytool -importkeystore -deststorepass changeit ‑destkeypass changeit ‑destkeystore keystore.jks ‑srckeystore ../../certtest/localhost.p12 ‑srcstoretype PKCS12 ‑alias sercer

      Enter source keystore password:   
    • Import the certificate authority (CA) certificate into the truststore:

      $ keytool ‑import ‑keystore cacerts.jks ‑storepass changeit ‑alias my_ca ‑file ../../certtest/ca.crt

      Owner: EMAILADDRESS=ca@naive.sk, CN=CA Admin, OU=CA, O=Naive, L=Bratislava, ST=Bratislava, C=SK
      ...too long... 
      Trust this certificate? [no]:  yes
      Certificate was added to keystore

    Important After upgrading to UCMDB 10.32 or later,

    • the deststorepass is the password set at UCMDB server upgrade.
    • the destkeystore is the password set at UCMDB server upgrade.
    • the storepass is the password set at UCMDB server upgrade.
  2. Load the client certificate into your Web browser.
  3. Open the server.xml file, located in <UCMDB_Browser_installation_directory>\webapps\release\conf. Add the following lines, if they do not exist:

    • <Connector protocol="HTTP/1.1" port="8553" maxThreads="200"

      This line specifies the port number. You can use any value, as long as it does not conflict with an existing port. The default value is 8443.

    • SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"

      This line configures SSL for the Tomcat server.

    • truststoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.5.15\certificates\server.truststore" truststorePass="hppass"

      This line provides the path to the truststore file and the password of the truststore file.

    • keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.5.15\certificates\server.keystore" keystorePass="hppass"

      This line provides the path to the keystore file and the password of the keystore file.

    • crlFile="C:\Program Files\Apache Software Foundation\Tomcat 8.5.15\certificates\server.crl"

      This line provides the path to the certificate revocation list file.

    • clientAuth="true" />

      This line specifies that login is permitted only when the client has a valid client certificate.

      Important After upgrading to UCMDB 10.32 or later,

      • the truststorePass is the password set at UCMDB server upgrade.
      • the keystorePass is the password set at UCMDB server upgrade.
  4. Disable access to other connectors ( to ensure that no user can connect to the Tomcat server with unsecured HTTP access) by commenting out or deleting other connector tags that are referenced in the file.

  5. Save the server.xml file and restart the Tomcat server.

Note If your Web browser cannot connect to the Tomcat server after following this procedure, delete the following line from the server.xml file:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Save the server.xml file and restart the Tomcat server again.