Skip to main content
OnCommand Insight

Configuring Data Warehouse for Smart Card and certificate login

Contributors netapp-alavoie
PDFs

You must modify the OnCommand Insight Data Warehouse configuration to support Smart Card (CAC) and certificate logins.

Before you begin

  • LDAP must be enabled on the system.

  • The LDAP User principal account name attribute must match the LDAP field that contains a user's government ID number.

    The common name (CN) stored on government-issued CACs is normally in the following format: first.last.ID. For some LDAP fields, such as sAMAccountName, this format is too long. For these fields, OnCommand Insight extracts only the ID number from the CNs.

Note If you have changed server.keystore and/or server.trustore passwords using securityadmin, restart the sanscreen service before importing the LDAP certificate.
Note

For the most up to date CAC and Certificate instructions, see the following Knowledgebase articles (Support login required):

Steps

  1. Use regedit to modify registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java

    1. Change the JVM_Option -DclientAuth=false to -DclientAuth=true.

    For Linux, modify the clientAuth parameter in /opt/netapp/oci/scripts/wildfly.server

  2. Add certificate authorities (CAs) to the Data Warehouse trustore:

    1. In a command window, go to ..\SANscreen\wildfly\standalone\configuration.

    2. Use the keytool utility to list the trusted CAs: C:\Program Files\SANscreen\java64\bin\keytool.exe -list -keystore server.trustore -storepass <password>
      See the SecurityAdmin documentation for more information about setting or changing the password for server_trustore.

      The first word in each line indicates the CA alias.

    3. If necessary, supply a CA certificate file, usually a .pem file. To include customer's CAs with Data Warehouse trusted CAs go to ..\SANscreen\wildfly\standalone\configuration and use the keytool import command: C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore server.trustore -alias my_alias -file 'path/to/my.pem' -v -trustcacerts

      my_alias is usually an alias that would easily identify the CA in thekeytool -list operation.

  3. On the OnCommand Insight server, the wildfly/standalone/configuration/standalone-full.xml file needs to be modified by updating verify-client to "REQUESTED" in /subsystem=undertow/server=default-server/https-listener=default-httpsto enable CAC. Log in to the Insight server and run the appropriate command:

    OS

    Script

    Windows

    <install dir>\SANscreen\wildfly\bin\enableCACforRemoteEJB.bat

    Linux

    /opt/netapp/oci/wildfly/bin/enableCACforRemoteEJB.sh

    After executing the script, wait until the reload of the wildfly server is complete before proceeding to the next step.

  4. Restart the OnCommand Insight server.