Configuring hosts for Smart Card and certificate login

You must make modifications to the OnCommand Insight host configuration to support Smart Card (CAC) and certificate logins.

Before you begin

Procedure

  1. Use the regedit utility to modify registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java:
    1. Change the JVM_Option DclientAuth=false to DclientAuth=true.
  2. Back up the keystore file: C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore
  3. Open a command prompt specifying Run as administrator
  4. Delete the self-generated certificate: C:\Program Files\SANscreen\java64\bin\keytool.exe -delete -alias "ssl certificate" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore"
  5. Generate a new certificate: C:\Program Files\SANscreen\java64\bin\keytool.exe -genkey -alias "alias_name" -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 365 -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -dname "CN=commonName,OU=orgUnit,O=orgName,L=localityName,S=stateName,C=countryName"
  6. Generate a certificate signing request (CSR): C:\Program Files\SANscreen\java64\bin\keytool.exe -certreq -sigalg SHA1withRSA -alias "alias_name" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file "C:\temp\server.csr"
  7. When the signed certificate for the CSR from step 6 is returned, import the certificate, then export it in Base-64 format and save it in "C:\temp" as servername.cer.
  8. Export the key pair for the alias from the keystore into a PKCS12 file: C:\Program Files\SANscreen\java64\bin\keytool.exe -v -importkeystore -srckeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srcalias "alias_name" -destkeystore "C:\temp\file.p12" -deststoretype PKCS12
  9. Extract a private key from the p12 file: openssl pkcs12 -in "C:\temp\file.p12" -out "C:\temp\servername.private.pem"
  10. Merge the Base-64 certificate that you exported in step 7 with the private key: openssl pkcs12 -export -in "<folder>\<certificate>.cer" -inkey "C:\temp\servername.private.pem" -out "C:\temp\servername.new.p12" -name "servername.abc.123.yyy.zzz"
  11. Import the merged certificate into the keystore (keytool's -importcert cannot read a PKCS12 source, so -importkeystore is used; the source alias is the -name given in step 10): C:\Program Files\SANscreen\java64\bin\keytool.exe -importkeystore -srckeystore "C:\temp\servername.new.p12" -srcstoretype PKCS12 -srcalias "servername.abc.123.yyy.zzz" -destkeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -destalias "alias_name"
  12. Import the root certificate: C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file "C:\<root_certificate>.cer" -trustcacerts -alias "alias_name"
  13. Import the root certificate into the server.trustore: C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -file "C:\<email_certificate>.cer" -trustcacerts -alias "alias_name"
  14. Import the intermediate certificate: C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -file "C:\<intermediate_certificate>.cer" -trustcacerts -alias "alias_name"
    Repeat this step for all intermediate certificates.
  15. Specify the domain in LDAP to match this example.
  16. On the OnCommand Insight server, enable CAC by setting verify-client to "REQUESTED" on /subsystem=undertow/server=default-server/https-listener=default-https in the wildfly/standalone/configuration/standalone-full.xml file. Run the script for your operating system:
    OS       Script
    Windows  <install dir>\SANscreen\wildfly\bin\enableCACforRemoteEJB.bat
    Linux    /opt/netapp/oci/wildfly/bin/enableCACforRemoteEJB.sh
    After executing the script, wait until the reload of the wildfly server is complete before proceeding to the next step.
  17. Restart the server.
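A post-configuration check, added here and not part of the NetApp documentation, that confirms on a Windows host what the steps above should have produced: the JVM option, a CA-signed chain under the server alias, root and intermediate entries in server.trustore, and verify-client="REQUESTED" on the listener. It assumes the default install paths used in the procedure, that the alias placeholder is alias_name, and that Procrun stores the JVM options in the registry value named Options.

```powershell
# Added check script; not part of the NetApp OnCommand Insight documentation.
param(
    [string]$Alias   = 'alias_name',   # alias chosen in step 5 (assumed placeholder)
    [string]$Keytool = 'C:\Program Files\SANscreen\java64\bin\keytool.exe',
    [string]$ConfDir = 'C:\Program Files\SANscreen\wildfly\standalone\configuration'
)
$regPath  = 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java'
$failures = @()

# Step 1: Procrun keeps its JVM options in the REG_MULTI_SZ value "Options"
# (assumption about the value name; the procedure only names the option itself).
$opts = @((Get-ItemProperty -Path $regPath -ErrorAction Stop).Options)
if (-not ($opts -match 'DclientAuth=true')) { $failures += 'JVM option DclientAuth is not set to true' }

# Read the store password once; the same password is assumed for keystore and truststore.
$secure = Read-Host -Prompt 'Keystore password' -AsSecureString
$ptr    = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($secure)
$pass   = [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
[Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr)

# Steps 5-11: the server alias must be a key entry whose chain is longer than 1,
# i.e. the CA-signed certificate has replaced the self-signed one.
$ks = & $Keytool -list -v -keystore (Join-Path $ConfDir 'server.keystore') -storepass $pass -alias $Alias 2>&1 | Out-String
if ($ks -match 'Certificate chain length:\s*(\d+)') {
    if ([int]$Matches[1] -lt 2) { $failures += "alias '$Alias' still holds only a self-signed certificate" }
} else {
    $failures += "could not read alias '$Alias' from server.keystore: $($ks.Trim())"
}

# Steps 13-14: the truststore needs the root plus every intermediate as trustedCertEntry.
$ts = & $Keytool -list -keystore (Join-Path $ConfDir 'server.trustore') -storepass $pass 2>&1 | Out-String
$trusted = [regex]::Matches($ts, 'trustedCertEntry').Count
if ($trusted -lt 2) { $failures += "server.trustore holds $trusted trusted entries; expected root plus intermediate(s)" }

# Step 16: the default-https listener must carry verify-client="REQUESTED".
[xml]$cfg = Get-Content (Join-Path $ConfDir 'standalone-full.xml') -Raw
$listener = $cfg.SelectNodes("//*[local-name()='https-listener' and @name='default-https']") | Select-Object -First 1
if (-not $listener -or $listener.GetAttribute('verify-client') -ne 'REQUESTED') {
    $failures += 'https-listener default-https is not set to verify-client="REQUESTED"'
}

if ($failures) { $failures | ForEach-Object { Write-Warning "FAIL: $_" }; exit 1 }
Write-Host 'All CAC/certificate login settings verified; restart the server (step 17) if not already done.'
```

Run it from an elevated PowerShell prompt after step 16; a wrong store password shows up as the keystore read failure rather than as a missing chain.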