Skip to main content
OnCommand Insight

Configuring hosts for Smart Card and certificate login

Contributors netapp-alavoie
PDFs

You must make modifications to the OnCommand Insight host configuration to support Smart Card (CAC) and certificate logins.

Before you begin

  • LDAP must be enabled on the system.

  • The LDAP User principal account name attribute must match the LDAP field that contains a user's ID.

Note If you have changed server.keystore and/or server.trustore passwords using securityadmin, restart the sanscreen service before importing the LDAP certificate.
Note

For the most up to date CAC and Certificate instructions, see the following Knowledgebase articles (Support login required):

Steps

  1. Use the regedit utility to modify registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java:

    1. Change the JVM_Option DclientAuth=false to DclientAuth=true.

  2. Back up the keystore file: C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore

  3. Open a command prompt specifying Run as administrator

  4. Delete the self-generated certificate: C:\Program Files\SANscreen\java64\bin\keytool.exe -delete -alias "ssl certificate" -keystore C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore

  5. Generate a new certificate: C:\Program Files\SANscreen\java64\bin\keytool.exe -genkey -alias "alias_name" -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 365 -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -dname "CN=commonName,OU=orgUnit,O=orgName,L=localityNameI,S=stateName,C=countryName"

  6. Generate a certificate signing request (CSR): C:\Program Files\SANscreen\java64\bin\keytool.exe -certreq -sigalg SHA1withRSA -alias "alias_name" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file C:\temp\server.csr"

  7. After the CSR is returned in step 6, import the certificate, then export the certificate in Base-64 format and place it in "C:\temp" named servername.cer.

  8. Extract the certificate from the keystore:C:\Program Files\SANscreen\java64\bin\keytool.exe -v -importkeystore -srckeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srcalias "alias_name" -destkeystore "C:\temp\file.p12" -deststoretype PKCS12

  9. Extract a private key from the p12 file: openssl pkcs12 -in "C:\temp\file.p12" -out "C:\temp\servername.private.pem"

  10. Merge the Base-64 certificate that you exported in step 7 with the private key: openssl pkcs12 -export -in "<folder>\<certificate>.cer" -inkey "C:\temp\servername.private.pem" -out "C:\temp\servername.new.p12" -name "servername.abc.123.yyy.zzz"

  11. Import the merged certificate into the keystore: C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -destkeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srckeystore "C:\temp\servername.new.p12" -srcstoretype PKCS12 -alias "alias_name"

  12. Import the root certificate: C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file "C:\<root_certificate>.cer" -trustcacerts -alias "alias_name"

  13. Import the root certificate into the server.trustore: C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -file "C:\<email_certificate>.cer" -trustcacerts -alias "alias_name"

  14. Import the intermediate certificate: C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -file "C:\<intermediate_certificate>.cer" -trustcacerts -alias "alias_name"

    Repeat this step for all intermediate certificates.

  15. Specify the domain in LDAP to match this example.

  1. Restart the server.