Implementing PKI authentication


The TrueSight Server Automation Authentication Server can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a common access card (CAC). A TrueSight Server Automation client can access the appropriate certificate and private key on the smart card to authenticate the user through two middleware approaches:

  • ActivClient
    For ActivClient middleware, if the PKI configuration file, sunpkcs11.cfg, does not exist, use the following blcred command to create it:

    blcred config pki -provider <path to the 64-bit acpkcs211.dll from the install directory>

    Starting from version 21.3, the provider argument is mandatory.

    Important

    Starting from version 21.3, TrueSight Server Automation no longer supports 32-bit DLLs. Therefore, after you upgrade the TrueSight Server Automation console to 21.3 or later, run this command again or update the sunpkcs11.cfg file manually so that the library key in the file is set to the path of the 64-bit acpkcs211.dll.

    You can also create the file manually in the home directory (for example, on Windows 7, the location is C:\Users\<username>\AppData\Roaming\BladeLogic) with the following contents:

    • name=CryptokiProvider
    • library=c:\Progra~1\ActivIdentity\ActivClient\acpkcs211.dll
      Provide the full path to the acpkcs211.dll file.
    • slotListIndex=0
      slotListIndex is the ID of the slot in which the smart card is inserted. Typically it is 0, but where more than one smart card is inserted on the server, it can be 1 or higher.

    If you are using the ActivClient middleware, the TrueSight Server Automation console prompts for an ActivClient PIN to connect.

    Note

    For TrueSight Server Automation to support ActivClient version 7.x, perform the following prerequisite steps:

    1. Locate the sunpkcs11.cfg file in %AppData%\BladeLogic, and open it with any text editor.
    2. In the path to the ActivClient directory, modify the Program Files directory name according to the 8.3 filename convention.
      For example, change C:\Program Files\ActivIdentity\ActivClient to C:\Progra~1\ActivIdentity\ActivClient.
      Ensure that the path does not include any spaces.
  • 90meter
    If the PKI configuration file, sunpkcs11.cfg, does not exist, use the following blcred command to create it:

    blcred config pki -provider <path to the 64-bit LitPKCS11.dll from the install directory>

    Starting from version 21.3, the provider argument is mandatory.

    Important

    Starting from version 21.3, TrueSight Server Automation no longer supports 32-bit DLLs. Therefore, after you upgrade the TrueSight Server Automation console to 21.3 or later, run this command again or update the sunpkcs11.cfg file manually so that the library key in the file is set to the path of the 64-bit LitPKCS11.dll.

    You can also create the file manually in the home directory (for example, on Windows 7, the location is C:\Users\<username>\AppData\Roaming\BladeLogic) with the following contents:

    • name=CryptokiProvider
    • library=c:\Program Files\90meter\CACPIVMD\pkcs11\x86\LitPKCS11.dll
      Provide the full path to the LitPKCS11.dll file.
    • slotListIndex=0
      slotListIndex is the ID of the slot in which the smart card is inserted. Typically it is 0, but where more than one smart card is inserted on the server, it can be 1 or higher.

    A separate prompt for the PIN/password is not shown. Enter the password on the login panel of the TrueSight Server Automation console.

    Info

    If you authenticate the 90meter smart card through the BLCLI command blcred cred -acquire, you are not prompted for the password and the login fails. Not entering the password on the CLI results in an authentication failure and also counts as an invalid PIN attempt against the card. Pass the password explicitly:

    blcred cred -acquire -profile <name of pki auth profile> -password <password>

    Note

    The following message appears when a PKI authentication profile is selected on the login panel of the RCP console, to ensure that a password is entered when using 90meter. It does not indicate a failed authentication.

    Login failed: Please enter the password and try it again.
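Both middleware variants above end with the same three-key sunpkcs11.cfg, and both Important notes say the same thing: after a 21.3 upgrade, the library key must point at a 64-bit DLL. The following Python script is an added example, not part of this page or of TrueSight Server Automation. It parses a sunpkcs11.cfg, checks that the three keys are present, rejects a library path containing spaces (the 8.3 requirement from the ActivClient note), and reads the PE COFF header of the DLL to confirm that it is an AMD64 image rather than an i386 one. The config text, the PE header bytes, and the function and constant names are all constructed for the example.

```python
"""Sanity-check a sunpkcs11.cfg file for the problems this page describes.

Constructed example, not BMC tooling: parses the key=value file that
`blcred config pki` writes and then verifies that
  * name, library and slotListIndex are present,
  * the library path contains no spaces (8.3 form such as Progra~1),
  * slotListIndex is a non-negative integer,
  * the DLL on disk is a 64-bit PE image (21.3+ no longer loads 32-bit DLLs).
"""
import struct

# Machine values from the PE COFF file header (standard PE constants).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

REQUIRED_KEYS = ("name", "library", "slotListIndex")


def parse_sunpkcs11_cfg(text):
    """Parse the key=value lines of a sunpkcs11.cfg file into a dict.

    Blank lines and '#' comments are ignored; only the first '=' splits key
    from value so a Windows path containing '=' is not truncated.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (no '='): {raw!r}")
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def pe_machine(data):
    """Return the COFF Machine field of a PE image given its leading bytes.

    Layout: 'MZ' DOS header, e_lfanew (uint32) at offset 0x3C, then the
    'PE\\0\\0' signature followed by the COFF header whose first field is the
    2-byte Machine type.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def _read_head(path, size=4096):
    """Read the first `size` bytes of a file (enough for the PE headers)."""
    with open(path, "rb") as fh:
        return fh.read(size)


def check_config(config, read_dll=_read_head):
    """Return a list of problems found in a parsed sunpkcs11.cfg dict.

    read_dll(path) -> bytes is injectable so the check can run where the
    real middleware DLL is not installed.
    """
    problems = [f"missing key: {key}" for key in REQUIRED_KEYS if key not in config]
    if problems:
        return problems

    library = config["library"]
    if " " in library:
        problems.append("library path contains spaces; use the 8.3 form (e.g. Progra~1)")
    if not config["slotListIndex"].isdigit():
        problems.append("slotListIndex must be a non-negative integer")

    try:
        machine = pe_machine(read_dll(library))
        if machine == IMAGE_FILE_MACHINE_I386:
            problems.append("library is a 32-bit DLL; 21.3+ requires the 64-bit DLL")
        elif machine != IMAGE_FILE_MACHINE_AMD64:
            problems.append(f"library has unexpected machine type 0x{machine:04x}")
    except (OSError, ValueError) as exc:
        problems.append(f"cannot validate library: {exc}")
    return problems


def fake_pe(machine):
    """Build the minimal leading bytes of a PE image (constructed test data)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18


# Constructed config in the form shown on this page for ActivClient.
SAMPLE_CFG = """\
name=CryptokiProvider
library=c:\\Progra~1\\ActivIdentity\\ActivClient\\acpkcs211.dll
slotListIndex=0
"""

if __name__ == "__main__":
    cfg = parse_sunpkcs11_cfg(SAMPLE_CFG)
    # Simulate the two DLL images instead of reading the real middleware.
    for label, image in (("64-bit", fake_pe(IMAGE_FILE_MACHINE_AMD64)),
                         ("32-bit", fake_pe(IMAGE_FILE_MACHINE_I386))):
        print(label, check_config(cfg, read_dll=lambda _p, img=image: img))
```

Run it without arguments to see the two simulated cases; against a real console host, call `check_config(parse_sunpkcs11_cfg(open(path).read()))` with the file from %AppData%\BladeLogic and the default reader, which inspects the DLL the library key points to.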

To verify that a certificate is currently valid, the Authentication Server can access an OCSP Responder. By default, OCSP verification is enabled for PKI authentication. For more information about setting up OCSP, see Setting-up-certificate-verification-using-OCSP. While logging into a TrueSight Server Automation client, the user must insert a smart card into a card reader and enter a PIN. If the information the user enters is valid and the OCSP Responder verifies the validity of the user's certificate, the Authentication Service issues the client a session credential.

TrueSight Server Automation does not provide a default set of trusted CA certificates for use with PKI authentication. If you are implementing PKI, you must obtain certificates from a CA.

For a procedure describing how to set up PKI authentication, see Configuring-PKI-authentication.
