Configuring the host for smart card and certificate login

You must change the OnCommand Insight host configuration to support smart card (CAC) and certificate login.

Before you begin

Steps

  1. Using the regedit utility, edit the registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java:
    Change the JVM option -DclientAuth=false to -DclientAuth=true. This makes the HTTPS listener request a client certificate during the TLS handshake.
  2. Back up the keystore file: C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore
  3. Open a command prompt with Run as administrator. The paths below contain spaces, so they must be quoted in every command.
  4. Delete the self-generated certificate: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -delete -alias "ssl certificate" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore"
  5. Generate a new key pair: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -genkey -alias "alias_name" -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 365 -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -dname "CN=commonName,OU=orgUnit,O=orgName,L=localityName,S=stateName,C=countryName"
    Use SHA256withRSA instead of SHA1withRSA unless the CA specifically requires SHA-1; most CAs now reject SHA-1 signed requests. Browsers match the host name against the Subject Alternative Name rather than the CN, so add -ext SAN=dns:<hostname> here and in step 6 if the CA does not add it for you.
  6. Generate the certificate signing request: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -certreq -sigalg SHA1withRSA -alias "alias_name" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file "C:\temp\server.csr"
  7. When the CA returns the signed certificate, import it, then export it in Base-64 encoded format and save it as C:\temp\servername.cer.
  8. Export the key pair from the keystore into a PKCS#12 file: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -v -importkeystore -srckeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srcalias "alias_name" -destkeystore "C:\temp\file.p12" -deststoretype PKCS12
  9. Extract the private key from the p12 file: openssl pkcs12 -in "C:\temp\file.p12" -out "C:\temp\servername.private.pem"
    openssl prompts for the p12 import password and for a pass phrase that protects the PEM output (the output also carries the certificate; -inkey in step 10 still reads the key from it). Because these files contain the server's private key, delete file.p12, servername.private.pem and servername.new.p12 from C:\temp once step 11 has succeeded.
  10. Combine the certificate with the private key: openssl pkcs12 -export -in "<folder>\<certificate>.cer" -inkey "C:\temp\servername.private.pem" -out "C:\temp\servername.new.p12" -name "servername.abc.123.yyy.zzz"
  11. Import the combined certificate into the keystore: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importkeystore -destkeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srckeystore "C:\temp\servername.new.p12" -srcstoretype PKCS12 -srcalias "servername.abc.123.yyy.zzz" -destalias "alias_name"
    -srcalias must match the -name given in step 10. Answer yes when keytool asks whether to overwrite the existing alias_name entry; the self-signed entry from step 5 is replaced by the CA-signed one.
  12. Import the root certificate: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.truststore" -file "C:\<root_certificate>.cer" -trustcacerts -alias "root_alias"
  13. Import the intermediate email certificate: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.truststore" -file "C:\<email_certificate>.cer" -trustcacerts -alias "email_alias"
    Repeat this step for every intermediate email certificate.
  14. Import the intermediate certificate: "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.truststore" -file "C:\<intermediate_certificate>.cer" -trustcacerts -alias "intermediate_alias"
    Repeat this step for every intermediate certificate.
    Give each certificate its own alias: keytool refuses to import a certificate under an alias that already exists in the truststore. Check the result with "C:\Program Files\SANscreen\java64\bin\keytool.exe" -list -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.truststore". During the TLS handshake the server lists the issuers in this truststore as the acceptable CAs, so a smart card whose issuing chain is not completely present here is never offered by the browser.
  15. In the LDAP configuration, specify the domain that matches this example.
  16. Restart the server.
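The whole host-side procedure as one script, written in PowerShell because that is where the steps are typed. This is an added example, not code from the OnCommand Insight documentation or from NetApp. It goes beyond the list in two ways: it signs with SHA256withRSA and adds a SAN, and it replaces the p12/openssl round trip of steps 8 to 11 with keytool's own certificate-reply import, which attaches the CA-signed certificate to the private key already in server.keystore. Everything not on the page is an assumption and is marked as such in the code: that the JVM options live in the REG_MULTI_SZ value Options under the registry key from step 1, that the Windows service is named SANscreen Server, the DN, the CA file names under C:\temp, that the server certificate chains to the same root as the smart cards, and that keystore, key and truststore share one password.

```powershell
<#
  Added example (not from the OnCommand Insight documentation or NetApp).
  Assumptions, none of them stated on the page: JVM options are the REG_MULTI_SZ value "Options"
  under the step-1 registry key; the service is named "SANscreen Server"; the CA reply and CA
  certificates are saved under C:\temp with the names below; the server certificate chains to the
  same root as the smart cards; keystore, key and truststore share one password.
  Run from an elevated PowerShell:
    .\Set-OciClientAuth.ps1 -Phase Csr      # steps 1-6, then submit C:\temp\server.csr to the CA
    .\Set-OciClientAuth.ps1 -Phase Import   # steps 7-14 plus verification
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Csr', 'Import')][string]$Phase,
    [string]$Alias = 'alias_name',
    [string]$Dname = 'CN=oci.example.com,OU=orgUnit,O=orgName,L=localityName,S=stateName,C=US'  # assumed DN
)
$ErrorActionPreference = 'Stop'

$Keytool    = 'C:\Program Files\SANscreen\java64\bin\keytool.exe'
$ConfigDir  = 'C:\Program Files\SANscreen\wildfly\standalone\configuration'
$Keystore   = Join-Path $ConfigDir 'server.keystore'
$Truststore = Join-Path $ConfigDir 'server.truststore'
$RegKey     = 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java'
$Work       = 'C:\temp'
$Reply      = Join-Path $Work 'servername.cer'                       # Base-64 CA reply from step 7
$CaChain    = [ordered]@{ 'root-ca' = "$Work\root.cer"; 'email-ca' = "$Work\email_ca.cer";
                          'intermediate-ca' = "$Work\intermediate.cer" }  # assumed file names

# keytool reads the password from the environment (-storepass:env), so it never appears on a
# command line where any local user could read it from the process list.
$env:OCI_STOREPASS = Read-Host -Prompt 'Keystore/truststore password'
$Pass = @('-storepass:env', 'OCI_STOREPASS')

function Invoke-Keytool([string[]]$KtArgs) {
    # Runs keytool, returns its stdout, and fails on a non-zero exit code.
    $out = & $Keytool @KtArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KtArgs[0]) failed (exit $LASTEXITCODE)" }
    return $out
}

function Enable-ClientAuth {
    # Step 1: flip -DclientAuth=false to -DclientAuth=true in the Procrun JVM options.
    $opts = @((Get-ItemProperty -Path $RegKey -Name Options).Options)
    $new  = @($opts | ForEach-Object { if ($_ -eq '-DclientAuth=false') { '-DclientAuth=true' } else { $_ } })
    if ($new -notcontains '-DclientAuth=true') { $new += '-DclientAuth=true' }   # option absent: add it
    Set-ItemProperty -Path $RegKey -Name Options -Value $new -Type MultiString
}

function New-ServerCsr {
    # Steps 2-6: back up the keystore, replace the self-signed entry, write the CSR.
    Copy-Item $Keystore "$Keystore.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Invoke-Keytool (@('-delete', '-alias', 'ssl certificate', '-keystore', $Keystore) + $Pass)
    # SHA256withRSA rather than the page's SHA1withRSA: CAs reject SHA-1 signed requests.
    # The SAN is what browsers match the host name against, so it is kept in sync with the CN.
    $fqdn = ($Dname -split ',')[0] -replace '^CN='
    Invoke-Keytool (@('-genkeypair', '-alias', $Alias, '-keyalg', 'RSA', '-keysize', '2048',
                      '-sigalg', 'SHA256withRSA', '-validity', '365', '-dname', $Dname,
                      '-ext', "SAN=dns:$fqdn", '-keystore', $Keystore, '-keypass:env', 'OCI_STOREPASS') + $Pass)
    Invoke-Keytool (@('-certreq', '-alias', $Alias, '-sigalg', 'SHA256withRSA', '-ext', "SAN=dns:$fqdn",
                      '-keystore', $Keystore, '-file', "$Work\server.csr") + $Pass)
    Write-Host "CSR written to $Work\server.csr. Submit it to the CA and save the Base-64 reply as $Reply."
}

function Import-SignedChain {
    # Steps 12-14: one alias per CA certificate. The CAs also go into the keystore so that keytool
    # can chain the reply to a trusted root. -noprompt skips the "Trust this certificate?" question,
    # so verify the CA fingerprints out of band before running this.
    foreach ($store in $Truststore, $Keystore) {
        foreach ($ca in $CaChain.GetEnumerator()) {
            Invoke-Keytool (@('-importcert', '-noprompt', '-trustcacerts', '-alias', $ca.Key,
                              '-file', $ca.Value, '-keystore', $store) + $Pass)
        }
    }
    # Steps 7-11 collapsed: importing the reply under the key pair's alias attaches the signed
    # certificate to the existing private key, replacing the self-signed chain.
    Invoke-Keytool (@('-importcert', '-trustcacerts', '-alias', $Alias, '-file', $Reply,
                      '-keystore', $Keystore, '-keypass:env', 'OCI_STOREPASS') + $Pass)
}

function Test-OciStores {
    # Verifies the state the login flow depends on before the restart makes it live.
    $opts = @((Get-ItemProperty -Path $RegKey -Name Options).Options)
    if ($opts -notcontains '-DclientAuth=true') { throw 'JVM option -DclientAuth=true is not set' }
    $ks = (Invoke-Keytool (@('-list', '-v', '-alias', $Alias, '-keystore', $Keystore) + $Pass)) -join "`n"
    if ($ks -notmatch 'PrivateKeyEntry' -or $ks -notmatch 'Certificate chain length: [2-9]') {
        throw "$Alias is not a private key entry with a CA-signed chain"
    }
    $ts = (Invoke-Keytool (@('-list', '-keystore', $Truststore) + $Pass)) -join "`n"
    foreach ($name in $CaChain.Keys) {
        # These issuers are what the server advertises as acceptable CAs in its CertificateRequest.
        if ($ts -notmatch "(?m)^$name,") { throw "truststore is missing $name" }
    }
    Write-Host "Verified. Restart the service to apply: Restart-Service 'SANscreen Server'"
}

try {
    switch ($Phase) {
        'Csr'    { Enable-ClientAuth; New-ServerCsr }
        'Import' { Import-SignedChain; Test-OciStores }
    }
} finally {
    Remove-Item Env:\OCI_STOREPASS -ErrorAction SilentlyContinue
}
```

Run the Csr phase first, submit C:\temp\server.csr to the CA, place the reply and the CA chain files under C:\temp, then run the Import phase. The script stops at the first failing keytool command, so a rejected reply (for example one whose issuer is not among the imported CAs) leaves the backup from step 2 in place to restore. Delete the Csr-phase backup once the new chain is verified, since it still holds a private key.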