Configuring hosts for Smart Card and certificate login
You must make modifications to the OnCommand Insight host configuration to support Smart Card (CAC) and certificate logins.
Before you begin
- LDAP must be enabled on the system.
- The LDAP User principal account name attribute must match the LDAP field that contains a user's ID.
For the most up to date CAC and Certificate instructions, see the following Knowledgebase articles (Support login required):
Steps
1. Use the regedit utility to modify registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java:
   - Change the JVM_Option DclientAuth=false to DclientAuth=true.
2. Back up the keystore file:
   C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore
3. Open a command prompt, specifying Run as administrator.
4. Delete the self-generated certificate:
   "C:\Program Files\SANscreen\java64\bin\keytool.exe" -delete -alias "ssl certificate" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore"
5. Generate a new certificate:
   "C:\Program Files\SANscreen\java64\bin\keytool.exe" -genkey -alias "alias_name" -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 365 -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -dname "CN=commonName,OU=orgUnit,O=orgName,L=localityName,S=stateName,C=countryName"
6. Generate a certificate signing request (CSR):
   "C:\Program Files\SANscreen\java64\bin\keytool.exe" -certreq -sigalg SHA1withRSA -alias "alias_name" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file "C:\temp\server.csr"
7. After the CA returns the signed certificate for the CSR from step 6, import the certificate, then export it in Base-64 format and place it in "C:\temp" named servername.cer.
8. Extract the certificate from the keystore:
   "C:\Program Files\SANscreen\java64\bin\keytool.exe" -v -importkeystore -srckeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srcalias "alias_name" -destkeystore "C:\temp\file.p12" -deststoretype PKCS12
9. Extract the private key from the p12 file:
   openssl pkcs12 -in "C:\temp\file.p12" -out "C:\temp\servername.private.pem"
10. Merge the Base-64 certificate that you exported in step 7 with the private key:
   openssl pkcs12 -export -in "<folder>\<certificate>.cer" -inkey "C:\temp\servername.private.pem" -out "C:\temp\servername.new.p12" -name "servername.abc.123.yyy.zzz"
11. Import the merged certificate into the keystore (a PKCS12 file is imported with -importkeystore, not -importcert; the source alias is the -name given in step 10):
   "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importkeystore -destkeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srckeystore "C:\temp\servername.new.p12" -srcstoretype PKCS12 -srcalias "servername.abc.123.yyy.zzz" -destalias "alias_name"
12. Import the root certificate (use an alias that is not already taken by the key entry from step 5):
   "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file "C:\<root_certificate>.cer" -trustcacerts -alias "root_ca_alias"
13. Import the root certificate into the server.trustore:
   "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -file "C:\<email_certificate>.cer" -trustcacerts -alias "root_ca_alias"
14. Import the intermediate certificate:
   "C:\Program Files\SANscreen\java64\bin\keytool.exe" -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -file "C:\<intermediate_certificate>.cer" -trustcacerts -alias "intermediate_alias"
   Repeat this step for every intermediate certificate, giving each one its own alias.
15. Specify the domain in LDAP to match this example.
16. Restart the server.
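The procedure above as one PowerShell script, added here as an example that is not part of NetApp's documentation or the OnCommand Insight product. It keeps every path quoted, gives each trusted entry its own alias, and checks the result before restarting. Assumptions, marked in the code as well: Procrun keeps the JVM options in the REG_MULTI_SZ value named Options under the registry key from step 1; the CA returns the signed certificate as C:\temp\servername.cer with the chain as C:\temp\root.cer and C:\temp\intermediate*.cer; the Windows service is named "SANscreen Server". It also departs from the page in two stated places: it signs with SHA256withRSA instead of SHA1withRSA, and it installs the CA reply with keytool's certificate-reply import under the key entry's own alias instead of the PKCS#12/openssl round-trip of steps 8 to 11, which is the standard way to install a CA-signed certificate on a key created with -genkeypair.

```powershell
# Added example, not part of NetApp's documentation: the CAC/certificate login
# procedure as one script with quoted paths, unique aliases, and post-checks.
# Run from an elevated PowerShell on the OnCommand Insight server.
#   -Phase prepare : steps 1 to 6 (registry, backup, new key pair, CSR)
#   -Phase install : steps 7 to 14 and 16, once the CA has returned the certificate
param(
    [Parameter(Mandatory)][ValidateSet('prepare', 'install')][string] $Phase,
    [string] $Alias = 'alias_name',   # placeholder alias for the server key entry, as on the page
    [string] $DName = 'CN=commonName,OU=orgUnit,O=orgName,L=localityName,S=stateName,C=countryName',
    [string] $Work  = 'C:\temp'
)
$ErrorActionPreference = 'Stop'

$Base     = 'C:\Program Files\SANscreen'
$Keytool  = Join-Path $Base 'java64\bin\keytool.exe'
$Config   = Join-Path $Base 'wildfly\standalone\configuration'
$Keystore = Join-Path $Config 'server.keystore'
$Trustore = Join-Path $Config 'server.trustore'
$RegKey   = 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java'

# Ask for the store password once instead of on every keytool call; it is never written to disk.
$StorePass = [System.Net.NetworkCredential]::new('', (Read-Host -AsSecureString 'Keystore password')).Password

function Invoke-Keytool {
    # Run keytool with the store password appended and stop the script on a non-zero exit code.
    param([string[]] $KtArgs)
    $out = & $Keytool @KtArgs -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KtArgs[0]) failed (exit $LASTEXITCODE)" }
    $out
}

if ($Phase -eq 'prepare') {
    # Step 1. Assumption: Procrun keeps the JVM options in the REG_MULTI_SZ value 'Options'.
    $opts = @((Get-ItemProperty -Path $RegKey -Name Options).Options)
    if ($opts -notcontains '-DclientAuth=false' -and $opts -notcontains '-DclientAuth=true') {
        throw "no -DclientAuth option found in $RegKey\Options; inspect the key with regedit"
    }
    $opts = $opts -replace '^-DclientAuth=false$', '-DclientAuth=true'
    Set-ItemProperty -Path $RegKey -Name Options -Value $opts -Type MultiString

    # Step 2: timestamped backup so a failed import can be rolled back.
    Copy-Item -Path $Keystore -Destination "$Keystore.$(Get-Date -Format yyyyMMddHHmmss).bak"

    # Steps 4 to 6. SHA256withRSA is used where the page uses SHA1withRSA.
    Invoke-Keytool @('-delete', '-alias', 'ssl certificate', '-keystore', $Keystore) | Out-Null
    Invoke-Keytool @('-genkeypair', '-alias', $Alias, '-keyalg', 'RSA', '-keysize', '2048',
                     '-sigalg', 'SHA256withRSA', '-validity', '365', '-keystore', $Keystore,
                     '-dname', $DName, '-keypass', $StorePass) | Out-Null
    $csr = Join-Path $Work 'server.csr'
    Invoke-Keytool @('-certreq', '-alias', $Alias, '-sigalg', 'SHA256withRSA',
                     '-keystore', $Keystore, '-file', $csr) | Out-Null
    Write-Host "CSR written to $csr. Have it signed, place servername.cer, root.cer and intermediate*.cer in $Work, then run -Phase install."
}
else {
    # Steps 12 to 14: trust the CA chain in both stores. The file names are assumptions.
    $caFiles = @(Get-Item (Join-Path $Work 'root.cer')) + @(Get-ChildItem -Path $Work -Filter 'intermediate*.cer')
    foreach ($store in @($Keystore, $Trustore)) {
        foreach ($ca in $caFiles) {
            # Each trusted entry needs its own alias; reusing the key entry's alias is rejected.
            Invoke-Keytool @('-importcert', '-noprompt', '-keystore', $store,
                             '-file', $ca.FullName, '-alias', "ca-$($ca.BaseName)") | Out-Null
        }
    }
    # Steps 7 to 11 replaced: importing the CA reply under the key entry's own alias installs
    # the signed certificate on the existing private key, so no PKCS#12 round-trip is needed.
    Invoke-Keytool @('-importcert', '-trustcacerts', '-keystore', $Keystore,
                     '-alias', $Alias, '-file', (Join-Path $Work 'servername.cer')) | Out-Null

    # Checks: full chain on the key entry, CA entries in the truststore, JVM option set.
    $listing = (Invoke-Keytool @('-list', '-v', '-keystore', $Keystore, '-alias', $Alias)) -join "`n"
    $chainOk = ($listing -match 'Certificate chain length: (\d+)') -and ([int]$Matches[1] -ge 2)
    if (-not $chainOk) { throw "key entry '$Alias' still has no CA-issued chain" }
    $trusted = (Invoke-Keytool @('-list', '-keystore', $Trustore)) -join "`n"
    if ([regex]::Matches($trusted, 'trustedCertEntry').Count -lt $caFiles.Count) {
        throw 'server.trustore is missing CA entries'
    }
    if ((Get-ItemProperty -Path $RegKey -Name Options).Options -notcontains '-DclientAuth=true') {
        throw "-DclientAuth=true is not set in $RegKey\Options"
    }
    # Step 16. Assumption: the Windows service is named 'SANscreen Server'.
    Restart-Service -Name 'SANscreen Server'
}
```

The two-phase split exists because the CA round-trip in step 7 is a manual wait; running `-Phase install` before the signed certificate, root and intermediates are in C:\temp fails at the first missing file rather than leaving the keystore half-converted. The chain-length check is the one that matters for CAC login: a key entry whose chain length is still 1 means the CA reply was not applied and the server is still presenting the self-signed certificate.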