Summary
After configuring BSM with the SmartCard Authentication Guide, the user might be continuously prompted to enter the PKI PIN when switching between pages in the GUI console
Question
After configuring BSM with the SmartCard Authentication Guide, the user might be continuously prompted to enter the PKI PIN when switching between pages in the GUI console
Answer
This behavior might be observed when a customer is using SmartCard software which does not allow caching of the PIN for the whole user session. In these cases, the solution described below does not require changes in code or web applications, but can be achieved by constraining the URL list that is client-cert authenticated; this is done in the configuration file of the Apache Reverse Proxy / LoadBalancer (or the Apache Web Server, if you don't have the Apache LoadBalancer in front to terminate the user's incoming SSL connection).
The required change has to be applied in the httpd-ssl.conf file:
In this file, you will find this section:
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /opt/HP/BSM/WebServer/conf/ssl/client_ca_root.pem
SSLOptions +ExportCertData
This section needs to be wrapped with a URL constraint to have this particular URL do the Smartcard authentication (and thus the PIN prompt), while the rest of the application session will be server-authenticated https after a valid application session is established.
<LocationMatch ".*/topaz/login.jsp">
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /opt/HP/BSM/WebServer/conf/ssl/client_ca_root.pem
SSLOptions +ExportCertData
</LocationMatch>
After the change in the configuration file, the Apache Web server needs to be restarted to ensure that the configuration is activated.
Please note that with this change, client certificate enforcement for all of the data collectors is no longer required, i.e. many of the data collector sections of the SmartCard Authentication Guide are no longer needed, as you can focus entirely on the setup of the user-related configuration that is documented in the guide.
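To verify the change before restarting Apache, the following script (added here as an example; it is not part of the original article or of the BSM product) parses a httpd-ssl.conf fragment and reports the scope of every SSLVerifyClient directive. A "require" that sits at the top level of the file or directly inside a VirtualHost applies to every URL and will cause the repeated PIN prompts described above; a "require" inside a LocationMatch applies only to the matching URL. The configuration samples in the script are constructed from the snippets in this article.

```python
import re

# Constructed sample: the unscoped form found in httpd-ssl.conf before the change
UNSCOPED_CONF = """\
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /opt/HP/BSM/WebServer/conf/ssl/client_ca_root.pem
SSLOptions +ExportCertData
"""

# Constructed sample: the same directives wrapped in the LocationMatch from this article
SCOPED_CONF = """\
<LocationMatch ".*/topaz/login.jsp">
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /opt/HP/BSM/WebServer/conf/ssl/client_ca_root.pem
SSLOptions +ExportCertData
</LocationMatch>
"""

# Constructed sample: a requirement placed directly in a VirtualHost is still global for that host
VHOST_CONF = """\
<VirtualHost _default_:443>
    # hypothetical vhost, constructed for this example
    SSLVerifyClient require
</VirtualHost>
"""

OPEN_RE = re.compile(r'^<(\w+)\s*(.*?)>$')   # e.g. <LocationMatch ".*/topaz/login.jsp">
CLOSE_RE = re.compile(r'^</(\w+)>$')         # e.g. </LocationMatch>


def find_client_cert_scopes(conf_text):
    """Return a list of (value, container) for every SSLVerifyClient directive.

    container is None for a top-level directive, otherwise a (section_name, argument)
    tuple naming the innermost enclosing <Section ...> block.
    """
    stack = []     # open sections, innermost last
    results = []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = CLOSE_RE.match(line)
        if m:
            if not stack or stack[-1][0].lower() != m.group(1).lower():
                raise ValueError("unbalanced closing section: " + line)
            stack.pop()
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip('"')))
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == 'sslverifyclient':
            value = parts[1].strip().lower() if len(parts) > 1 else ''
            results.append((value, stack[-1] if stack else None))
    if stack:
        raise ValueError("unclosed section: <%s>" % stack[-1][0])
    return results


def requires_cert_everywhere(conf_text):
    """True when a 'SSLVerifyClient require' applies to the whole server or a whole
    VirtualHost, i.e. every request (not just the login URL) triggers client-cert
    authentication and therefore a SmartCard PIN prompt."""
    for value, container in find_client_cert_scopes(conf_text):
        if value == 'require' and (container is None or container[0].lower() == 'virtualhost'):
            return True
    return False


if __name__ == '__main__':
    for name, conf in (('unscoped', UNSCOPED_CONF), ('scoped', SCOPED_CONF), ('vhost', VHOST_CONF)):
        print(name, '-> PIN prompt on every page:', requires_cert_everywhere(conf))
```

Run it against the real file with `requires_cert_everywhere(open('/path/to/httpd-ssl.conf').read())`; the expected result after the change is `False`, with the only "require" reported inside the LocationMatch section. Note that mod_ssl implements a per-location client certificate requirement with a TLS renegotiation (post-handshake authentication under TLS 1.3), which is what limits the certificate request, and thus the PIN prompt, to the first visit of the matching URL.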