Configuring hosts for Smart Card and certificate login

You must make modifications to the OnCommand Insight host configuration to support Smart Card (CAC) and certificate logins.

Before you begin

Steps

  1. Use the regedit utility to modify registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java:
    1. Change the JVM_Option DclientAuth=false to DclientAuth=true.
  2. Back up the keystore file: C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore
  3. Open a command prompt specifying Run as administrator
  4. Delete the self-generated certificate: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -delete -alias "ssl certificate" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore"
  5. Generate a new certificate: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -genkey -alias "alias_name" -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 365 -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -dname "CN=commonName,OU=orgUnit,O=orgName,L=localityName,S=stateName,C=countryName"
  6. Generate a certificate signing request: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -certreq -sigalg SHA1withRSA -alias "alias_name" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file "C:\temp\server.csr"
  7. After the CSR is returned, import the certificate and then export the certificate in Base-64 format and place it in "C:\temp" named servername.cer.
  8. Extract the certificate from the keystore: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -v -importkeystore -srckeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srcalias "alias_name" -destkeystore "C:\temp\file.p12" -deststoretype PKCS12
  9. Extract a private key from the p12 file: openssl pkcs12 -in "C:\temp\file.p12" -out "C:\temp\servername.private.pem"
  10. Merge the certificate with private key: openssl pkcs12 -export -in "<folder>\<certificate>.cer" -inkey "C:\temp\servername.private.pem" -out "C:\temp\servername.new.p12" -name "servername.abc.123.yyy.zzz"
  11. Import the merged certificate into the keystore (the source alias is the -name value given in step 10; the destination alias is the entry created in step 5, which keytool overwrites): "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importkeystore -destkeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srckeystore "C:\temp\servername.new.p12" -srcstoretype PKCS12 -srcalias "servername.abc.123.yyy.zzz" -destalias "alias_name"
  12. Import the root certificate into the truststore: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.truststore" -file "C:\<root_certificate>.cer" -trustcacerts -alias "alias_name"
  13. Import the intermediate email certificate: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.truststore" -file "C:\<email_certificate>.cer" -trustcacerts -alias "alias_name"
    Repeat this step for all intermediate email certificates, giving each one its own alias; keytool refuses to import a certificate under an alias that already exists in the truststore.
  14. Import the intermediate certificate: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.truststore" -file "C:\<intermediate_certificate>.cer" -trustcacerts -alias "alias_name"
    Repeat this step for all intermediate certificates, again with a distinct alias for each.
  15. Specify the domain in LDAP to match this example.
  16. On the OnCommand Insight server, the wildfly/standalone/configuration/standalone-full.xml file needs to be modified by updating verify-client to "REQUESTED" in /subsystem=undertow/server=default-server/https-listener=default-https to enable CAC. Run the appropriate command:
    OS        Script
    Windows   <install dir>\SANscreen\wildfly\bin\enableCACforRemoteEJB.bat
    Linux     /opt/netapp/oci/wildfly/bin/enableCACforRemoteEJB.sh
    After executing the script, wait until the reload of the wildfly server is complete before proceeding to the next step.
  17. Restart the server.
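The whole procedure above as one PowerShell script, added here as an example; it is not NetApp's own tooling. It uses the paths the page gives. The alias, the distinguished name, the CA reply file names, the Procrun "Options" registry value name and the "SANscreen Server" service name are assumptions to replace with your own. It departs from the steps in three places a practitioner needs to get right: it signs with SHA256withRSA instead of the SHA1withRSA the steps use (SHA-1 signatures are deprecated), every CA certificate gets its own truststore alias, and the PKCS#12 re-import names both -srcalias and -destalias so the CA-issued certificate replaces the self-signed entry instead of sitting beside it.

```powershell
# Added example, not NetApp's script. Run New-OciCsr first, submit the CSR to the CA,
# copy the reply files into $Work, then run Install-OciCertChain, Test-OciKeystore, Enable-Cac.
$ErrorActionPreference = 'Stop'

$Keytool    = 'C:\Program Files\SANscreen\java64\bin\keytool.exe'
$ConfigDir  = 'C:\Program Files\SANscreen\wildfly\standalone\configuration'
$Keystore   = Join-Path $ConfigDir 'server.keystore'
$Truststore = Join-Path $ConfigDir 'server.truststore'
$Work       = 'C:\temp'
$Alias      = 'oci-server'                                                    # assumption
$Dname      = 'CN=oci.example.com,OU=IT,O=Example Corp,L=City,ST=State,C=US'  # assumption
$RegKey     = 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java'

function Invoke-Tool {
    # Native tools do not throw on failure in PowerShell; check the exit code ourselves.
    # keytool and openssl prompt for store passwords interactively, so none are passed here.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs[0]) failed (exit $LASTEXITCODE)" }
}

function Enable-ClientAuth {
    # Step 1: flip -DclientAuth=false to true. Procrun stores the JVM options as a
    # REG_MULTI_SZ value named "Options" under Parameters\Java (assumption).
    $opts = (Get-ItemProperty -Path $RegKey -Name Options).Options
    $opts = $opts | ForEach-Object { if ($_ -eq '-DclientAuth=false') { '-DclientAuth=true' } else { $_ } }
    Set-ItemProperty -Path $RegKey -Name Options -Value ([string[]]$opts) -Type MultiString
}

function New-OciCsr {
    # Steps 2-6: back up the keystore, drop the self-signed entry, create a key pair, emit a CSR.
    Copy-Item $Keystore "$Keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Invoke-Tool $Keytool @('-delete', '-alias', 'ssl certificate', '-keystore', $Keystore)
    Invoke-Tool $Keytool @('-genkeypair', '-alias', $Alias, '-keyalg', 'RSA', '-keysize', '2048',
                           '-sigalg', 'SHA256withRSA', '-validity', '365',
                           '-keystore', $Keystore, '-dname', $Dname)
    Invoke-Tool $Keytool @('-certreq', '-alias', $Alias, '-sigalg', 'SHA256withRSA',
                           '-keystore', $Keystore, '-file', "$Work\server.csr")
    Write-Host "Submit $Work\server.csr to the CA, then run Install-OciCertChain."
}

function Install-OciCertChain {
    # Steps 7-14. Expected in $Work (assumed names): servername.cer (Base-64 server cert),
    # root_certificate.cer, email_certificate.cer, intermediate_certificate.cer.
    $P12 = "$Work\file.p12"; $KeyPem = "$Work\servername.private.pem"; $NewP12 = "$Work\servername.new.p12"
    # Steps 8-11: round-trip through PKCS#12 so the issued certificate sits on the existing key.
    Invoke-Tool $Keytool @('-importkeystore', '-srckeystore', $Keystore, '-srcalias', $Alias,
                           '-destkeystore', $P12, '-deststoretype', 'PKCS12')
    try {
        # -nocerts: key only; -nodes: written unencrypted, so it is removed in finally.
        Invoke-Tool 'openssl' @('pkcs12', '-in', $P12, '-out', $KeyPem, '-nocerts', '-nodes')
        Invoke-Tool 'openssl' @('pkcs12', '-export', '-in', "$Work\servername.cer", '-inkey', $KeyPem,
                                '-out', $NewP12, '-name', $Alias)
        # -destalias targets the entry from step 5; -noprompt lets keytool overwrite it.
        Invoke-Tool $Keytool @('-importkeystore', '-srckeystore', $NewP12, '-srcstoretype', 'PKCS12',
                               '-srcalias', $Alias, '-destkeystore', $Keystore, '-destalias', $Alias, '-noprompt')
    } finally {
        Remove-Item $KeyPem, $P12, $NewP12 -ErrorAction SilentlyContinue
    }
    # Steps 12-14: -importcert is the keytool command for a .cer file; one alias per certificate,
    # because a second import into an existing alias is refused.
    $chain = [ordered]@{
        'root-ca'           = "$Work\root_certificate.cer"
        'email-ca-1'        = "$Work\email_certificate.cer"
        'intermediate-ca-1' = "$Work\intermediate_certificate.cer"
    }
    foreach ($entry in $chain.GetEnumerator()) {
        Invoke-Tool $Keytool @('-importcert', '-keystore', $Truststore, '-file', $entry.Value,
                               '-trustcacerts', '-alias', $entry.Key, '-noprompt')
    }
}

function Test-OciKeystore {
    # Check: the server entry holds a private key and its certificate is no longer self-signed.
    $listing = & $Keytool -list -v -keystore $Keystore -alias $Alias | Out-String
    $owner   = [regex]::Match($listing, 'Owner: (.+)').Groups[1].Value.Trim()
    $issuer  = [regex]::Match($listing, 'Issuer: (.+)').Groups[1].Value.Trim()
    $ok = ($listing -match 'Entry type: PrivateKeyEntry') -and $owner -and ($owner -ne $issuer)
    if (-not $ok) { throw "$Alias in $Keystore is missing or still self-signed" }
    return $true
}

function Enable-Cac {
    # Steps 16-17: NetApp's script sets verify-client=REQUESTED and reloads WildFly;
    # wait for that reload before restarting. Service name is an assumption from the registry path.
    & 'C:\Program Files\SANscreen\wildfly\bin\enableCACforRemoteEJB.bat'
    Read-Host 'Press Enter once the WildFly reload has finished'
    Restart-Service -Name 'SANscreen Server'
}
```

If the CA hands back a chain file, add `-certfile` with that file to the `openssl pkcs12 -export` call so the keystore entry carries the full chain rather than the leaf alone; Test-OciKeystore still passes either way, since it only checks that the leaf's issuer differs from its owner.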