Configuring Data Warehouse for Smart Card and certificate login

You must modify the OnCommand Insight Data Warehouse configuration to support Smart Card (CAC) and certificate logins.

Before you begin

Steps

  1. Use regedit to modify registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java
    1. Change the JVM_Option -DclientAuth=false to -DclientAuth=true.
    On Linux, modify the clientAuth parameter in /opt/netapp/oci/scripts/wildfly.server instead.
  2. Add certificate authorities (CAs) to the Data Warehouse trust store:
    1. In a command window, go to ..\SANscreen\wildfly\standalone\configuration.
    2. Use the keytool utility to list the trusted CAs:
      "C:\Program Files\SANscreen\java64\bin\keytool.exe" -list -keystore server.truststore -storepass changeit
      The first word in each line indicates the CA alias.
    3. If necessary, supply a CA certificate file, usually a .pem file. To add the customer's CAs to the Data Warehouse trusted CAs, go to ..\SANscreen\wildfly\standalone\configuration and use the keytool import command:
      "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore server.truststore -alias my_alias -file "path/to/my.pem" -v -trustcacerts
      my_alias is usually an alias that easily identifies the CA in the keytool -list output.
  3. On the OnCommand Insight server, enable CAC by updating verify-client to "REQUESTED" in /subsystem=undertow/server=default-server/https-listener=default-https of the wildfly/standalone/configuration/standalone-full.xml file. To make this change, log in to the Insight server and run the appropriate command:
    OS        Script
    Windows   <install dir>\SANscreen\wildfly\bin\enableCACforRemoteEJB.bat
    Linux     /opt/netapp/oci/wildfly/bin/enableCACforRemoteEJB.sh
    After executing the script, wait until the reload of the wildfly server is complete before proceeding to the next step.
  4. Restart the OnCommand Insight server.
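
A post-change check for steps 2 and 3, as an added example that is not part of the original procedure or of OnCommand Insight: it reads the verify-client value of default-https from standalone-full.xml and confirms that the expected CA aliases appear in keytool -list output. The sample XML (including its namespace versions), the sample keytool output, and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the undertow section of standalone-full.xml (namespace versions assumed).
SAMPLE_XML = """<server xmlns="urn:jboss:domain:10.0"><profile>
  <subsystem xmlns="urn:jboss:domain:undertow:10.0">
    <server name="default-server">
      <https-listener name="default-https" socket-binding="https" verify-client="REQUESTED"/>
    </server>
  </subsystem>
</profile></server>"""

# Constructed sample of `keytool -list` output; the fingerprint is a placeholder.
SAMPLE_KEYTOOL = """Keystore type: JKS

my_alias, Jan 5, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
"""

def _local(tag):  # strip the '{namespace}' prefix ElementTree puts on tag names
    return tag.rsplit("}", 1)[-1]

def verify_client_setting(xml_text, server="default-server", listener="default-https"):
    """Return verify-client for the named https-listener, or None if it is absent."""
    for sub in ET.fromstring(xml_text).iter():
        if _local(sub.tag) != "subsystem" or ":undertow:" not in sub.tag:
            continue
        for srv in (s for s in sub if _local(s.tag) == "server" and s.get("name") == server):
            for lst in srv:
                if _local(lst.tag) == "https-listener" and lst.get("name") == listener:
                    return lst.get("verify-client", "NOT_REQUESTED")  # WildFly default when unset
    return None

def trusted_ca_aliases(keytool_output):
    """Aliases of trustedCertEntry lines: the first comma-separated field of each."""
    rows = ([f.strip() for f in line.split(",")] for line in keytool_output.splitlines())
    return [r[0] for r in rows if "trustedCertEntry" in r]

def check(xml_text, keytool_output, expected_aliases):
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    setting = verify_client_setting(xml_text)
    if setting != "REQUESTED":
        problems.append(f"verify-client is {setting}, expected REQUESTED")
    have = {a.lower() for a in trusted_ca_aliases(keytool_output)}  # assumes a JKS store (lowercased aliases)
    problems += [f"CA alias not in trust store: {a}" for a in expected_aliases if a.lower() not in have]
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_XML, SAMPLE_KEYTOOL, ["my_alias"]) or "OK")
```

To run it against a real installation, pass the contents of standalone-full.xml and the captured output of the keytool -list command from step 2 in place of the constructed samples.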