Configure PKI Certificate authentication

This topic guides you through configuring Deployment Automation to use PKI Certificate authentication.

Configure the server to support PKI certificates

Before you can use PKI certificates for authentication, configure the server to require a certificate whenever access is requested.

To configure the server to support use of PKI Certificates for authentication:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\8.5\webapps\da\conf
  2. Edit the following file: server.xml.
  3. Add a new Connector entry to the file by copying and pasting the following entry.

    In this example the port is 8643. Do not reuse a port number that an existing Connector entry already uses, and make sure the clientAuth value is set to true, as in the following example.

    <Connector port="8643" SSLEnabled="true"
      scheme="https" secure="true" sslProtocol="TLS"
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
      maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100"
      keystoreFile="conf/sample-ssl.jks"
      keystorePass="microfocus" keyAlias="tomcat"
      truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
      clientAuth="true" />

This tells Common Tomcat that the server can be accessed only if a user provides a certificate in the request.

If you don't have a valid certificate in your browser and try logging into Deployment Automation, you will receive the following message:

Certificate-based authentication failed

Import CA certificates

CA certificates from your certification authorities must be imported into the Java KeyStore file as trusted certificates before any user certificate signed by that CA can be used.

To add CA certificates:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\8.5\webapps\da\conf

  2. Using an appropriate tool such as the Oracle Java keytool utility, open the JKS file that you specified in the Connector's keystoreFile attribute, for example:

    sample-ssl.jks

  3. Import the CA certificate as a trusted certificate.

After importing a CA certificate, you will be able to select it in your web browser when you enter the secure URL pointing to Deployment Automation, for example:

https://<MyServer>:8643/da

Configure internal revocation verification

Before you can use the Internal PKI certificate revocation verification option, you must configure the server to support this.

If you use the External PKI certificate revocation, you do not need to configure this. See Create PKI Certificate authentication realms.

To configure the server for internal revocation verification:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\8.5\webapps\da\conf

  2. Edit the following file: server.xml.
  3. Edit the Connector entry that you added or modified in Configure the server to support PKI certificates. Add the attribute crlFile="../list.crl", where list.crl is a file that contains your certificate revocation list, as shown in the following example.

    <Connector port="8643" SSLEnabled="true"
      scheme="https" secure="true" sslProtocol="TLS"
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
      maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100"
      keystoreFile="conf/sample-ssl.jks"
      keystorePass="microfocus" keyAlias="tomcat"
      truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
      clientAuth="true" crlFile="../list.crl" />

You can now use the Revocation Source Type of Internal to verify against the specified certificate revocation list.

Configure polling for certificate revocation lists

To handle large Certificate Revocation Lists (CRL), you can run a CRL poller service as part of the server startup. This service downloads the updated CRL for all enabled PKI Certificate authentication realms once a day.

Downloaded lists are stored in the Deployment Automation profile directory, for example:

C:\Users\<username>\.microfocus\da\var\cache\pki

The CRL poller service downloads CRLs only under these conditions:

  • A PKI Certificate authentication realm is configured to use External or Both revocation verification source types.
  • The CRL Distribution Point property is configured for the PKI Certificate authentication realm.
  • The CRL poller flag is set to true in the server configuration file.

If you use the Internal PKI certificate revocation, you do not need to configure polling. See Create PKI Certificate authentication realms.

To configure the poller service:

  1. Navigate to the Common Tomcat WEB-INF\classes directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\8.5\webapps\da\WEB-INF\classes

  2. Edit the following file: da_config.xml.
  3. Add or edit the pkiConfig entries:

    crlPollerEnabled: If set to true, the poller service runs. If set to false, it doesn't.

    crlPollerStartHour: Set to an integer value from 0 through 23 in 24-hour time format. If this is not set, the default value is 0.

    In the following example, the poller is enabled and the start hour is 0, so it runs at midnight.

    <pkiConfig>
        <crlPollerEnabled>true</crlPollerEnabled>
        <crlPollerStartHour>0</crlPollerStartHour>
    </pkiConfig>
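
As a pre-flight check for the Connector, crlFile and pkiConfig settings described above, the following Python script is an added example (not part of Deployment Automation or of this documentation) that parses server.xml and da_config.xml and reports settings that would make certificate authentication ineffective. The two XML samples are constructed from the entries shown on this page; the port number and the assumption that the same file is checked in place are the author's, and to run it against a real installation read the files from the conf and WEB-INF\classes directories and pass their contents in.

```python
import xml.etree.ElementTree as ET
# Constructed sample: this page's HTTPS Connector (crlFile set) plus a plain HTTP one.
SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8643" SSLEnabled="true" scheme="https" secure="true"
    sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
    keystoreFile="conf/sample-ssl.jks" keystorePass="microfocus" keyAlias="tomcat"
    truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
    clientAuth="true" crlFile="../list.crl"/>
</Service></Server>"""
# Constructed sample pkiConfig with an out-of-range start hour.
DA_CONFIG_XML = """<config><pkiConfig><crlPollerEnabled>true</crlPollerEnabled>
<crlPollerStartHour>25</crlPollerStartHour></pkiConfig></config>"""
SAMPLE_PASSWORDS = {"microfocus", "serena"}  # values shipped in the documented example

def check_connector(server_xml, port):
    """Return findings for the Connector on `port` that would weaken certificate auth."""
    matches = [c for c in ET.fromstring(server_xml).iter("Connector")
               if c.get("port") == str(port)]
    if not matches:
        return ["no Connector on port %s" % port]
    findings = []
    if len(matches) > 1:
        findings.append("port %s is used by more than one Connector" % port)
    c = matches[0]
    if c.get("clientAuth") != "true":
        findings.append("clientAuth is not true: a client certificate is not required")
    legacy = {"TLSv1", "TLSv1.1"} & set(c.get("sslEnabledProtocols", "").split(","))
    if legacy:
        findings.append("legacy protocols enabled: " + ",".join(sorted(legacy)))
    for attr in ("keystorePass", "truststorePass"):
        if c.get(attr) in SAMPLE_PASSWORDS:
            findings.append("%s still uses the sample value" % attr)
    if not c.get("crlFile"):
        findings.append("crlFile not set: the Internal revocation source type cannot be used")
    return findings

def check_pki_config(da_config_xml):
    """Return findings for the CRL poller settings in da_config.xml."""
    pki = ET.fromstring(da_config_xml).find(".//pkiConfig")
    if pki is None:
        return ["no pkiConfig section: the CRL poller stays disabled"]
    findings = []
    if pki.findtext("crlPollerEnabled", "false").strip().lower() != "true":
        findings.append("crlPollerEnabled is not true: CRLs will not be downloaded")
    hour = pki.findtext("crlPollerStartHour")  # absent means the default of 0 (midnight)
    if hour is not None and not (hour.strip().isdigit() and 0 <= int(hour) <= 23):
        findings.append("crlPollerStartHour %r is outside 0..23" % hour)
    return findings
```

On the page's own sample the script flags the legacy TLS protocols and the two sample store passwords; an empty result means the settings match what the steps above require.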

Configure PKI Certification for agents

For additional security, you can configure agents to authenticate through PKI certificates.

Note: No corresponding users are created in Deployment Automation when agents authenticate through PKI certificates. For information on user authentication through PKI certificates, see Create and manage users.

To configure an agent to authenticate using PKI certificates:

  1. Navigate to the agent's conf directory, for example:

    C:\Program Files (x86)\Micro Focus\<Deployment Automation Agent>\conf

  2. Using an appropriate editor such as the Oracle Java keytool utility, remove the default key from the agent's agent.keystore file.
  3. Add the client certificate issued by your CA for this agent to the agent.keystore file.
  4. Update the installed.properties file in the agent's conf directory to have the correct passwords for the agent.keystore file and for the key itself (locked/agent.keystore.pwd and locked/agent.keystore.key.pwd respectively). Passwords can be entered unencrypted, and will be encrypted the next time the agent starts.