Configure PKI Certificate authentication

This topic explains how to configure Deployment Automation to use PKI Certificate authentication.

Configure the server to support PKI certificates

Before you can use PKI certificates for authentication, configure the server to expect certificate-based authentication upon requested access.

To configure the server to support use of PKI certificates for authentication:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\<Tomcat-version>\webapps\da\conf

  2. Open the server.xml file.
  3. Create a new Connector entry by adding the following code into the file:

    Copy code
    <Connector port="8643" SSLEnabled="true"
      scheme="https" secure="true" sslProtocol="TLS" 
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
      maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100"
      keystoreFile="conf/sample-ssl.jks" 
      keystorePass="microfocus" keyAlias="tomcat"
      truststoreFile="conf/sample-ssl.jks" truststorePass="serena" 
      clientAuth="true"  />

    In this example, the port is 8643. Make sure you don't use the same port that is used in an existing Connector entry, and ensure the clientAuth value is set to true.

This tells Common Tomcat that the server can be accessed only if a user provides a certificate in the request.

If you don't have a valid certificate in your browser and attempt to log in to Deployment Automation, the certificate-based authentication will fail.

Back to top

Import CA certificates

You must import your CA certificates as trusted certificates into the Java KeyStore file before using any user certificate signed by those CA certificates.

To add CA certificates:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\<Tomcat-version>\webapps\da\conf

  2. Using an appropriate editor such as the Oracle Java keytool utility, unlock and edit the jks file that you specified in the connector keystoreFile parameter, for example:

    sample-ssl.jks

  3. Import the CA certificate as a trusted certificate.

After importing a CA certificate, you can select it in your web browser when you enter the secure URL pointing to Deployment Automation, for example:

https://<MyServer>:8643/da

Back to top

Set up internal revocation verification

Before you can use the Internal revocation source type to verify PKI certificate revocation, you must change the server.xml settings to support it.

For details about the options for verifying revocation, see Add a PKI Certificate authentication realm.

To configure the server for internal revocation verification:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\<Tomcat-version>\webapps\da\conf

  2. Open the server.xml file.
  3. Find the Connector entry that you added or modified earlier, as described in Configure the server to support PKI certificates.

    Add the attribute crlFile=”../list.crl”, where list.crl is a file that contains your certificate revocation list:

    Copy code
    <Connector port="8643" SSLEnabled="true"
      scheme="https" secure="true" sslProtocol="TLS" 
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
      maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100"
      keystoreFile="conf/sample-ssl.jks"
      keystorePass="microfocus" keyAlias="tomcat"
      truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
      clientAuth="true" crlFile=”../list.crl”/>

You can now use the revocation source type to verify against the specified certificate revocation list.

Back to top

Configure polling for certificate revocation lists

To handle large Certificate Revocation Lists (CRLs), you can run a CRL poller service as part of the server startup. The poller service downloads the updated CRL for all enabled PKI Certificate authentication realms once a day.

Downloaded lists are stored in the Deployment Automation's profile directory, for example:

C:\Users\<username>\.microfocus\da\var\cache\pki

The CRL poller service downloads CRLs only under these conditions:

  • A PKI Certificate authentication realm is configured to use External or Both revocation verification source types. For details, see Add a PKI Certificate authentication realm.
  • The CRL Distribution Point property is configured for the PKI Certificate authentication realm.
  • The CRL poller flag is set to true in the server configuration file.

To configure the poller service:

  1. Navigate to the Common Tomcat WEB-INF\classes directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\<Tomcat-version>\webapps\da\WEB-INF\classes

  2. Open the web application's da_config.xml file.
  3. Add or edit the pkiConfig entries:

    crlPollerEnabled To run the poller service, set this option to true. If set to false, the polling is disabled.
    crlPollerStartHour

    Set to an integer value from 0 through 23 in 24-hour time format.

    If the value is not set, the default is 0, which means the polling service runs at midnight.

    Example: In this example, the poller is enabled and set to run at midnight.

    <pkiConfig>
        <crlPollerEnabled>true</crlPollerEnabled>
        <crlPollerStartHour>0</crlPollerStartHour>
    </pkiConfig> 

Back to top

Configure PKI Certification for agents

For additional security, you can configure agents to authenticate through PKI certificates.

Note: No corresponding users are created in Deployment Automation when agents authenticate through PKI certificates. For details on user authentication through PKI certificates, see Create and manage users.

To configure an agent to authenticate using PKI certificates:

  1. Navigate to the agent's conf directory, for example:

    C:\Program Files (x86)\Micro Focus\<Deployment Automation Agent>\conf

  2. Using an appropriate editor such as the Oracle Java keytool utility, remove the default key from the agent's agent.keystore file.
  3. Add the client certificate issued by your CA for this agent to the agent.keystore file.
  4. In the agent's conf directory, update the installed.properties file to have the correct passwords for the agent.keystore file (locked/agent.keystore.pwd) and for the key ( locked/agent.keystore.key.pwd).

    You can enter passwords unencrypted, and they will be encrypted the next time the agent starts.

Back to top

See also: