BSM 9.2x - PKI PIN requests every time user switches between pages

  • KM00974443
  • 05-Jun-2014
  • 14-Jul-2014

Summary

After configuring BSM/OMi with the SmartCard Authentication Guide, the user might be continuously prompted to enter the PKI (Public Key Infrastructure) PIN when switching between pages in the GUI console.

Question

After configuring BSM/OMi 9.2x with the SmartCard Authentication Guide, the user might be continuously prompted to enter the PKI PIN when switching between pages in the GUI console.


Answer

This behavior might be observed when the customer's SmartCard software does not allow caching of the PIN for the whole user session. The solution below requires no changes to code or web applications; it works by constraining the list of URLs that are client-certificate authenticated. This is done in the configuration file of the Apache Reverse Proxy / LoadBalancer (or of the Apache web server directly, if there is no Apache LoadBalancer in front of it terminating the user's incoming SSL connection).

The required change has to be applied in the httpd-ssl.conf file.
In this file, the following section can be found:

SSLVerifyClient require
SSLVerifyDepth  10
SSLCACertificateFile /opt/HP/BSM/WebServer/conf/ssl/client_ca_root.pem
SSLOptions +ExportCertData

This section needs to be wrapped with a URL constraint so that only this particular URL performs the SmartCard authentication (and thus triggers the PIN prompt), while the rest of the application session uses server-authenticated HTTPS once a valid application session has been established.

<LocationMatch ".*/topaz/login.jsp">
SSLVerifyClient require
SSLVerifyDepth  10
SSLCACertificateFile /opt/HP/BSM/WebServer/conf/ssl/client_ca_root.pem
SSLOptions +ExportCertData
</LocationMatch>

After the change in the configuration file, the Apache Web server has to be restarted to ensure that the configuration is activated.
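To verify the change before restarting, the following added check (not part of the HP article) scans an httpd-ssl.conf and reports whether each "SSLVerifyClient require" sits at virtual-host scope, where it triggers the client-certificate handshake and PIN prompt on every request, or inside a Location/LocationMatch block, where it is limited to that URL. The two configuration files it creates are constructed samples; the function name and the temporary paths are assumptions of this example.

```shell
# Added example (not from the HP KB article): report where "SSLVerifyClient require"
# is scoped in an httpd-ssl.conf. At vhost scope it forces the client-cert handshake
# (and the SmartCard PIN prompt) on every request; inside <Location>/<LocationMatch>
# it is limited to that URL. The config files below are constructed samples.

# Prints each SSLVerifyClient directive tagged "global:" or "scoped:"; returns 0 when
# every "require" sits inside a Location/LocationMatch container, else 1.
check_client_cert_scope() {
    awk '
        BEGIN { depth = 0; bad = 0 }
        {
            line = $0
            sub(/#.*/, "", line)          # drop comments
            sub(/^[ \t]+/, "", line)      # drop leading whitespace
            l = tolower(line)             # Apache directives are case-insensitive
            if (l ~ /^<(location|locationmatch)[ \t>]/) { depth++; next }
            if (l ~ /^<\/(location|locationmatch)>/) { if (depth > 0) depth--; next }
            if (l ~ /^sslverifyclient[ \t]+require/) {
                if (depth > 0) print "scoped: " line
                else { print "global: " line; bad = 1 }
            }
        }
        END { exit bad }
    ' "$1"
}

WORK=$(mktemp -d)
# Constructed "before": directive at vhost scope, so the PIN is requested on every page.
cat > "$WORK/before.conf" <<'EOF'
SSLVerifyClient require
SSLVerifyDepth  10
SSLCACertificateFile /opt/HP/BSM/WebServer/conf/ssl/client_ca_root.pem
EOF
# Constructed "after": the same directives wrapped as the article describes.
cat > "$WORK/after.conf" <<'EOF'
<LocationMatch ".*/topaz/login.jsp">
    SSLVerifyClient require
    SSLVerifyDepth  10
    SSLCACertificateFile /opt/HP/BSM/WebServer/conf/ssl/client_ca_root.pem
</LocationMatch>
EOF

for f in before after; do
    if check_client_cert_scope "$WORK/$f.conf"; then
        echo "$f.conf: client-cert auth limited to the login URL"
    else
        echo "$f.conf: client-cert auth applies to every request"
    fi
done
```

Run it against the real httpd-ssl.conf path instead of the constructed files; a "global:" line means the wrapping was not applied (or a second copy of the directive remains outside the block).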

Please note that with this change, client certificate enforcement for all of the data collectors is no longer required, i.e. many of the data collector sections of the SmartCard Authentication Guide are no longer needed; you can focus entirely on the user-related configuration that is documented in the guide.