为主机配置智能卡和证书登录
单独 PDF 文档的收集
Creating your file...
您必须修改OnCommand Insight 主机配置、以支持智能卡(CAC)和证书登录。
开始之前
-
必须在系统上启用LDAP。
-
LDAP
User principal account name
属性必须与包含用户ID的LDAP字段匹配。
步骤
-
使用
regedit
用于修改注册表值的实用程序HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun2.0\SANscreen Server\Parameters\Java
:-
更改JVM_Option
DclientAuth=false
toDclientAuth=true.
-
-
备份密钥库文件:
C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore
-
打开指定的命令提示符
Run as administrator
-
删除自生成的证书:
C:\Program Files\SANscreen\java64\bin\keytool.exe -delete -alias "ssl certificate" -keystore C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore
-
生成新证书:
C:\Program Files\SANscreen\java64\bin\keytool.exe -genkey -alias "alias_name" -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -validity 365 -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -dname "CN=commonName,OU=orgUnit,O=orgName,L=localityNameI,S=stateName,C=countryName"
-
生成证书签名请求(CSR):
C:\Program Files\SANscreen\java64\bin\keytool.exe -certreq -sigalg SHA1withRSA -alias "alias_name" -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file C:\temp\server.csr"
-
在步骤6中返回CSR后、导入证书、然后以Base-64格式导出证书并将其放入
"C:\temp" named servername.cer
。 -
从密钥库提取证书:
C:\Program Files\SANscreen\java64\bin\keytool.exe -v -importkeystore -srckeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srcalias "alias_name" -destkeystore "C:\temp\file.p12" -deststoretype PKCS12
-
从p12文件提取私钥:
openssl pkcs12 -in "C:\temp\file.p12" -out "C:\temp\servername.private.pem"
-
将步骤7中导出的Base-64证书与私钥合并:
openssl pkcs12 -export -in "<folder>\<certificate>.cer" -inkey "C:\temp\servername.private.pem" -out "C:\temp\servername.new.p12" -name "servername.abc.123.yyy.zzz"
-
将合并的证书导入到密钥库中:
C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -destkeystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -srckeystore "C:\temp\servername.new.p12" -srcstoretype PKCS12 -alias "alias_name"
-
导入根证书:
C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.keystore" -file "C:\<root_certificate>.cer" -trustcacerts -alias "alias_name"
-
将根证书导入到server.trustore:
C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -file "C:\<email_certificate>.cer" -trustcacerts -alias "alias_name"
-
导入中间证书:
C:\Program Files\SANscreen\java64\bin\keytool.exe -importcert -keystore "C:\Program Files\SANscreen\wildfly\standalone\configuration\server.trustore" -file "C:\<intermediate_certificate>.cer" -trustcacerts -alias "alias_name"
对所有中间证书重复此步骤。
-
在LDAP中指定与此示例匹配的域。
-
重新启动服务器。