Configuring Data Warehouse for Smart Card and certificate login
You must modify the OnCommand Insight Data Warehouse configuration to support Smart Card (CAC) and certificate logins.
Before you begin
- LDAP must be enabled on the system.
- The LDAP User principal account name attribute must match the LDAP field that contains a user's government ID number. The common name (CN) stored on government-issued CACs is normally in the format first.last.ID. For some LDAP fields, such as sAMAccountName, this format is too long; for those fields, OnCommand Insight extracts only the ID number from the CN.

For the most up-to-date CAC and certificate instructions, see the following Knowledgebase articles (Support login required):
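The CN-to-ID mapping described above, as an added example that is not OnCommand Insight's own code: it parses a certificate subject DN, pulls the trailing ID number out of a first.last.ID style CN, decides whether the whole CN or only the ID is compared against the chosen LDAP attribute, and builds an escaped LDAP search filter from it. The subject DN and ID number are constructed for the example; the rule that only sAMAccountName is too short to hold the full CN (Active Directory caps it at 20 characters) and that longer attributes are compared against the whole CN is an assumption made here, not something the page states.

```python
import re
from typing import Dict, Optional

# Constructed subject DN in the shape the page describes (CN = first.last.ID).
# The person and the ID number are made up for this example.
SAMPLE_SUBJECT = "CN=JANE.A.DOE.1234567890,OU=CONTRACTOR,OU=PKI,O=U.S. Government,C=US"

# Assumption for this example: attributes that cannot hold a full first.last.ID
# value and therefore get only the ID number. sAMAccountName is limited to
# 20 characters in Active Directory; every other attribute gets the whole CN.
ID_ONLY_ATTRIBUTES = {"samaccountname"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split an RFC 4514-style DN into a type -> value map, honouring
    backslash-escaped commas. For repeated types (several OU=) the first,
    most specific, value is kept; only CN matters for the CAC lookup."""
    result: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.partition("=")
        result.setdefault(attr_type.strip().upper(), value.replace("\\,", ","))
    return result


def cac_id_from_cn(cn: str) -> Optional[str]:
    """Trailing numeric ID of a first.last.ID (or first.middle.last.ID) CN.
    Returns None when the CN is not in that shape, so a caller never matches
    a certificate whose CN is just a plain name against the ID field."""
    parts = cn.split(".")
    if len(parts) < 3 or not parts[-1].isdigit():
        return None
    return parts[-1]


def ldap_match_value(cn: str, attribute: str) -> Optional[str]:
    """Value compared against the chosen LDAP attribute: only the ID number for
    attributes too short to hold the CN (what the page says OnCommand Insight
    does for sAMAccountName), the whole CN otherwise (assumption)."""
    id_number = cac_id_from_cn(cn)
    if id_number is None:
        return None
    if attribute.lower() in ID_ONLY_ATTRIBUTES:
        return id_number
    return cn


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a CN taken from a certificate cannot change the
    structure of the search filter (LDAP filter injection)."""
    value = value.replace("\\", "\\5c")
    for ch, code in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(ch, code)
    return value


def build_ldap_filter(subject_dn: str, attribute: str) -> Optional[str]:
    """LDAP search filter that looks the certificate holder up by the configured
    attribute, or None if the subject carries no usable CAC-style CN."""
    cn = parse_dn(subject_dn).get("CN")
    if cn is None:
        return None
    match = ldap_match_value(cn, attribute)
    if match is None:
        return None
    return f"({attribute}={escape_filter_value(match)})"


if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(attr, "->", build_ldap_filter(SAMPLE_SUBJECT, attr))
```

Run it to see the two filters side by side; the sAMAccountName one carries only the ID number, which is why the LDAP field named in the User principal account name attribute must be the one that actually stores that number.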
Steps
1. Use regedit to modify registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java: change the JVM_Option -DclientAuth=false to -DclientAuth=true.
   For Linux, modify the clientAuth parameter in /opt/netapp/oci/scripts/wildfly.server.
2. Add certificate authorities (CAs) to the Data Warehouse truststore:
   a. In a command window, go to ..\SANscreen\wildfly\standalone\configuration.
   b. Use the keytool utility to list the trusted CAs:
      C:\Program Files\SANscreen\java64\bin\keytool.exe -list -keystore server.trustore -storepass changeit
      The first word in each line is the CA alias.
   c. If necessary, supply a CA certificate file, usually a .pem file. To add a customer's CAs to the Data Warehouse trusted CAs, go to ..\SANscreen\wildfly\standalone\configuration and use the keytool import command:
      C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore server.trustore -alias my_alias -file 'path/to/my.pem' -v -trustcacerts
      my_alias is usually an alias that easily identifies the CA in the keytool -list output. keytool prompts for the keystore password and, if it cannot chain the certificate to a CA already in the store, asks whether to trust it; compare the fingerprint it prints with the one published by the CA operator before answering yes.
3. On the OnCommand Insight server, the wildfly/standalone/configuration/standalone-full.xml file must be modified by setting verify-client to "REQUESTED" on /subsystem=undertow/server=default-server/https-listener=default-https to enable CAC. Log in to the Insight server and run the appropriate command:
   OS       Script
   Windows  <install dir>\SANscreen\wildfly\bin\enableCACforRemoteEJB.bat
   Linux    /opt/netapp/oci/wildfly/bin/enableCACforRemoteEJB.sh
   After running the script, wait until the reload of the wildfly server is complete before proceeding to the next step.
4. Restart the OnCommand Insight server.
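A post-change check for steps 1 and 3, as an added example that is not NetApp's code: it reads a standalone-full.xml and reports the verify-client mode of the default-https listener under the Undertow default-server, and confirms that -DclientAuth=true is the effective JVM option. The XML fragment and the wildfly.server excerpt are constructed for the example; the page does not show the real Linux line, so a JAVA_OPTS assignment carrying -DclientAuth=... is assumed. The truststore contents from step 2 are left to keytool -list.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed fragment in the shape of standalone-full.xml after the
# enableCACforRemoteEJB script has run. Only the elements the check needs are
# present; namespace versions and the other attributes are illustrative.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.2">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:3.1">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <https-listener name="default-https" socket-binding="https"
                        security-realm="ApplicationRealm" verify-client="REQUESTED"/>
      </server>
    </subsystem>
  </profile>
</server>
"""

# Constructed excerpt in the shape of a Linux wildfly.server script (assumed
# layout: JAVA_OPTS assignments, mirroring the Windows JVM_Option value).
SAMPLE_WILDFLY_SERVER = """#!/bin/sh
JAVA_OPTS="-Xms1g -Xmx4g"
JAVA_OPTS="$JAVA_OPTS -DclientAuth=true -Djava.net.preferIPv4Stack=true"
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def verify_client_mode(xml_text: str, server_name: str = "default-server",
                       listener_name: str = "default-https") -> Optional[str]:
    """verify-client attribute of the named https-listener under the named
    Undertow server; None if that listener is not defined. The namespace is
    matched loosely ('undertow' in the URI) because the subsystem version,
    and with it the URI, differs between WildFly releases."""
    root = ET.fromstring(xml_text)
    for subsystem in root.iter():
        if _local(subsystem.tag) != "subsystem" or "undertow" not in subsystem.tag:
            continue
        for server in subsystem.iter():
            if _local(server.tag) != "server" or server.get("name") != server_name:
                continue
            for listener in server:
                if _local(listener.tag) == "https-listener" and listener.get("name") == listener_name:
                    # A missing attribute leaves the listener at Undertow's default,
                    # which does not ask the client for a certificate.
                    return listener.get("verify-client")
    return None


def jvm_options_from_script(script_text: str) -> List[str]:
    """Collect -D options from every JAVA_OPTS=... assignment, in file order."""
    options: List[str] = []
    for line in script_text.splitlines():
        line = line.strip()
        if not line.startswith("JAVA_OPTS="):
            continue
        value = line[len("JAVA_OPTS="):].strip().strip("\"'")
        options.extend(tok for tok in value.split() if tok.startswith("-D"))
    return options


def client_auth_enabled(jvm_options: List[str]) -> bool:
    """True only when the last -DclientAuth= option is exactly 'true'; when a
    system property is repeated on a JVM command line the last one wins."""
    value = None
    for opt in jvm_options:
        if opt.startswith("-DclientAuth="):
            value = opt.split("=", 1)[1]
    return value == "true"


def cac_findings(xml_text: str, script_text: str) -> List[str]:
    """Empty list when both settings are as the procedure requires, otherwise
    one message per problem found."""
    findings: List[str] = []
    mode = verify_client_mode(xml_text)
    if mode is None:
        findings.append("https-listener default-https not found under default-server")
    elif mode != "REQUESTED":
        findings.append(f"verify-client is {mode!r}, expected 'REQUESTED'")
    if not client_auth_enabled(jvm_options_from_script(script_text)):
        findings.append("-DclientAuth=true is not the effective JVM option")
    return findings


if __name__ == "__main__":
    problems = cac_findings(SAMPLE_STANDALONE_XML, SAMPLE_WILDFLY_SERVER)
    print("OK" if not problems else "\n".join(problems))
```

Point cac_findings at the real files on a Linux server (read standalone-full.xml and /opt/netapp/oci/scripts/wildfly.server) after the wildfly reload has finished; an empty result means the two settings the procedure changes are in place, it says nothing about whether the imported CA chain matches the cards in use.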