Configuring Data Warehouse for Smart Card and certificate login
You must modify the OnCommand Insight Data Warehouse configuration to support Smart Card (CAC) and certificate logins.
Before you begin
- LDAP must be enabled on the system.
- The LDAP "User principal account name" attribute must match the LDAP field that contains a user's government ID number. The common name (CN) stored on government-issued CACs is normally in the format first.last.ID. For some LDAP fields, such as sAMAccountName, this format is too long; for these fields, OnCommand Insight extracts only the ID number from the CN.

Note: If you have changed the server.keystore and/or server.trustore passwords using securityadmin, restart the sanscreen service before importing the LDAP certificate.

Note: For the most up to date CAC and Certificate instructions, see the following Knowledgebase articles (Support login required):
Steps
- Use regedit to modify registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java:
  - Change the JVM_Option -DclientAuth=false to -DclientAuth=true.
  For Linux, modify the clientAuth parameter in /opt/netapp/oci/scripts/wildfly.server instead.
- Add certificate authorities (CAs) to the Data Warehouse trustore:
  - In a command window, go to ..\SANscreen\wildfly\standalone\configuration.
  - Use the keytool utility to list the trusted CAs:
    C:\Program Files\SANscreen\java64\bin\keytool.exe -list -keystore server.trustore -storepass <password>
    See the SecurityAdmin documentation for more information about setting or changing the password for server_trustore. The first word in each line indicates the CA alias.
  - If necessary, supply a CA certificate file, usually a .pem file. To include the customer's CAs in the Data Warehouse trusted CAs, go to ..\SANscreen\wildfly\standalone\configuration and use the keytool import command:
    C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore server.trustore -alias my_alias -file 'path/to/my.pem' -v -trustcacerts
    my_alias is usually an alias that would easily identify the CA in the keytool -list operation.
- On the OnCommand Insight server, the wildfly/standalone/configuration/standalone-full.xml file must be modified by updating verify-client to "REQUESTED" in /subsystem=undertow/server=default-server/https-listener=default-https to enable CAC. Log in to the Insight server and run the appropriate command:
  OS       Script
  Windows  <install dir>\SANscreen\wildfly\bin\enableCACforRemoteEJB.bat
  Linux    /opt/netapp/oci/wildfly/bin/enableCACforRemoteEJB.sh
  After executing the script, wait until the reload of the wildfly server is complete before proceeding to the next step.
- Restart the OnCommand Insight server.
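As an added illustration that is not part of the OnCommand Insight documentation, the following Python shows two checks a practitioner would make around the steps above: parsing the keytool -list output from the trustore step to confirm the chosen alias is not already in use before running -importcert (keytool will not overwrite an existing alias), and the first.last.ID extraction that Insight applies to CAC common names for short fields such as sAMAccountName. The keytool output and CN values are constructed samples, and the function names are my own.

```python
import re

# Constructed sample of `keytool -list -keystore server.trustore` output;
# not captured from a real Insight system.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

dod_root_ca_3, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
agency_issuing_ca, Feb 9, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""

# Entry lines look like "alias, date, trustedCertEntry,"; the first word is the alias.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), .*, (?P<kind>trustedCertEntry|PrivateKeyEntry),\s*$")


def trusted_aliases(keytool_output):
    """Return {alias: entry_type} for every entry line in keytool -list output."""
    aliases = {}
    for line in keytool_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            aliases[m.group("alias")] = m.group("kind")
    return aliases


def can_import(keytool_output, new_alias):
    """(ok, reason): False when new_alias already exists, since keytool -importcert
    refuses to overwrite an existing alias and the operator must pick another name."""
    existing = trusted_aliases(keytool_output)
    if new_alias in existing:
        return False, f"alias '{new_alias}' already present as {existing[new_alias]}"
    return True, f"ok to import as '{new_alias}'"


def id_from_cac_cn(cn):
    """Extract the government ID number from a CAC CN of the form first.last.ID.
    Tolerates extra name components (first.middle.last.ID); the ID must be the
    last dot-separated part and numeric."""
    parts = cn.split(".")
    if len(parts) < 3 or not parts[-1].isdigit():
        raise ValueError(f"CN {cn!r} is not in first.last.ID form")
    return parts[-1]
```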