BSM Connector supports user authentication using smart cards. If smart card authentication is configured, you cannot log in without a valid smart card.
Smart cards are physical devices used to identify users in secure systems. These cards can be used to store certificates both verifying the user's identity and allowing access to secure environments.
BSM Connector can be configured to use these certificates in place of the standard model of each user manually entering a user name and password. When using smart cards with BSM Connector, users can only log in using the smart card.
To configure smart card authentication in BSM Connector, complete the following tasks:
Import the certificate of your certificate authority to a truststore. You can use an existing one, or create a new one.
Go to the folder C:\Program Files\HP\HP BTO Software\nonOV\jre\b\bin (Windows) or /opt/OV/nonOV/jre/b/bin (Linux) and run the following command:
keytool -import -trustcacerts -alias <your alias> -keystore <path to the truststore file> -file <root CA certificate file>
For example, on Linux, to add the certificate "hpca2ssG2_ns.cer" to the truststore "newTrustStore.jks", run:
./keytool -import -trustcacerts -alias TSTORE1 -keystore /tmp/newTrustStore.jks -file /tmp/hpca2ssG2_ns.cer
You are prompted to define a truststore password (or enter the existing one) and to confirm that the certificate should be added to the truststore.
Configure the BSM Connector OVTomcat server to require a client certificate for mutual authentication and to use the truststore to which you imported the certificate.
The file server.xml used by OV Tomcat is recreated on each ovc start, with XPL values replacing the values from templates, so edits made directly to server.xml are lost. Therefore run the Operations Agent tool ovconfchg to change the settings in the XPL configuration:
Run ovconfchg -edit to open the default system editor (Notepad on Windows, vi on Linux) and load the current XPL configuration.
The Tomcat-related XPL settings are in the XPL namespace NONOV.TomcatB. Configure the Tomcat server to request a client certificate by locating the following section:
<Connector port="30000" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0"
scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS"
KeystoreFile="../groups/serverKeystore"
KeystoreType="JKS"
KeystorePass="changeit"/>
Change clientAuth to "true", and add the following attributes:
truststoreFile="<path to the truststore file>"
truststorePass="<password>"
truststoreType="JKS"
/>
Alternatively, change the settings directly, using the -set option:
ovconfchg -ns <namespace> -set <parameter> <value>
For example:
ovconfchg -ns NONOV.TomcatB -set clientAuth "true" -set truststoreFile "<path to the truststore file>" -set truststorePass "<password>" -set truststoreType "JKS"
Start OVTomcat:
ovc -start ovtomcatB
Add users to BSM Connector using the BSM Connector user command line tool:
In the Subject Alternative Name (SAN) field of the user's certificate, look for the value of the User Principal Name (UPN) in Other Name (OID: 1.3.6.1.4.1.311.20.2.3). This value is the user name that BSM Connector matches against the presented client certificate.
Use the user command-line tool to add a user to BSM Connector:
user -add <value of UPN> <password>
Note: The user tool requires a password for each user. However, the password is not used when logging into OMi connector using a smart card. Users must enter their smart card PIN instead.
For more information on the user command-line tool, see Local User Configuration Tool.
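The UPN lookup in the step above is often awkward because common tools print the Microsoft UPN otherName only as "othername:<unsupported>". The following is an added example, not BSM Connector code or its user tool: it walks the DER of a SAN extension value directly and returns the UPN, so the value can be checked before it is passed to user -add. It assumes you already have the raw SAN extension bytes (the contents of extnValue) from whatever X.509 library or tool you use; the sample SAN at the end is constructed for the example.

```python
# Added example, not BSM Connector code: extract the UPN from a certificate's
# SAN by walking the DER directly. Input is the raw SAN extension value
# (the bytes inside extnValue), not the whole certificate.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # the Other Name OID given on the page


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Dotted-string form of a DER OID body (first byte packs two arcs)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def upn_from_san(san_value):
    """Return the UPN string from DER GeneralNames, or None if absent."""
    seq_tag, names, _ = _read_tlv(san_value, 0)
    if seq_tag != 0x30:
        raise ValueError("SAN extension value is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, body, pos = _read_tlv(names, pos)
        if tag != 0xA0:                   # skip anything but [0] otherName
            continue
        oid_tag, oid, after = _read_tlv(body, 0)
        if oid_tag != 0x06 or _decode_oid(oid) != UPN_OID:
            continue
        _, wrapped, _ = _read_tlv(body, after)    # [0] EXPLICIT value
        str_tag, upn, _ = _read_tlv(wrapped, 0)   # UTF8String inside it
        if str_tag == 0x0C:
            return upn.decode("utf-8")
    return None


def _tlv(tag, body):                      # short-form length, enough for samples
    return bytes([tag, len(body)]) + body


# Constructed sample SAN (not from a real card): an rfc822Name, then the UPN.
SAMPLE_SAN = _tlv(0x30, _tlv(0x81, b"jdoe@example.com")
                  + _tlv(0xA0, bytes.fromhex("060a2b060104018237140203")
                               + _tlv(0xA0, _tlv(0x0C, b"jdoe@example.com"))))
```

Calling upn_from_san(SAMPLE_SAN) yields the string to use as the first argument of user -add; a certificate whose SAN has no UPN otherName yields None, which tells you that user cannot be mapped this way.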
To disable smart card authentication again, configure OVTomcat not to require a client certificate. The file server.xml used by OV Tomcat is recreated on each ovc start, with XPL values replacing the values from templates, so edits made directly to server.xml are lost. Therefore run the Operations Agent tool ovconfchg to change the settings in the XPL configuration:
Run ovconfchg -edit to open the default system editor (Notepad on Windows, vi on Linux) and load the current XPL configuration.
The Tomcat-related XPL settings are in the XPL namespace NONOV.TomcatB. Configure the Tomcat server to no longer request a client certificate by locating the following section:
<Connector port="30000" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0"
scheme="https" secure="true" clientAuth="true"
sslProtocol="TLS"
KeystoreFile="../groups/serverKeystore"
KeystoreType="JKS"
KeystorePass="changeit" truststoreFile="../templates.certificates/truststore.jks"
truststorePass="<password>"
truststoreType="JKS" />
Change clientAuth to "false".
Alternatively, change the settings directly, using the -set option:
ovconfchg -ns <namespace> -set <parameter> <value>
For example:
ovconfchg -ns NONOV.TomcatB -set clientAuth "false"
Restart ovc:
ovc -restart ovtomcatB