Configure PKI Certificate authentication

You can configure Deployment Automation to use PKI Certificate authentication.

Configure PKI certificate support

Before you can use PKI certificates for authentication, configure the server to expect certificate-based authentication upon requested access.

To configure the server to support use of PKI certificates for authentication:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\<tomcat-version>\webapps\da\conf

  2. Open the server.xml file.
  3. Create a new Connector entry by adding the following code into the file:

    <Connector port="8643" SSLEnabled="true"
      scheme="https" secure="true" sslProtocol="TLS"
      sslEnabledProtocols="TLSv1.3,TLSv1.2"
      maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100"
      keystoreFile="conf/sample-ssl.jks"
      keystorePass="serena" keyAlias="tomcat"
      truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
      clientAuth="true" />

    In this example, the port is 8643. Do not reuse a port that an existing Connector entry already uses. Ensure that clientAuth is set to true.

This tells Common Tomcat that the server can be accessed only if the client presents a certificate during the TLS handshake.

If you don't have a valid certificate in your browser and attempt to log in to Deployment Automation, the certificate-based authentication fails.

Import CA certificates

You must import your CA certificates as trusted certificates into the Java KeyStore file before using any user certificate signed by those CA certificates.

To add CA certificates:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\<tomcat-version>\webapps\da\conf

  2. Using an appropriate tool such as the Oracle Java keytool utility, unlock and edit the JKS file that you specified in the Connector keystoreFile parameter, for example:

    sample-ssl.jks

  3. Import the CA certificate as a trusted certificate.

After importing a CA certificate, you can select a user certificate signed by that CA in your web browser when you enter the secure URL pointing to Deployment Automation, for example:

https://<MyServer>:8643/da

Set up internal revocation verification

Before you can use the Internal revocation source type to verify PKI certificate revocation, change the server.xml settings to support it.

For details about the options for verifying revocation, see Add a PKI Certificate authentication realm.

To configure the server for internal revocation verification:

  1. Navigate to the Common Tomcat conf directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\<tomcat-version>\webapps\da\conf

  2. Open the server.xml file.
  3. Find the Connector entry that you added or modified earlier, as described in Configure PKI certificate support.

    Add the attribute crlFile="../list.crl", where list.crl is a file that contains your certificate revocation list:

    <Connector port="8643" SSLEnabled="true"
      scheme="https" secure="true" sslProtocol="TLS"
      sslEnabledProtocols="TLSv1.3,TLSv1.2"
      maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100"
      keystoreFile="conf/sample-ssl.jks"
      keystorePass="serena" keyAlias="tomcat"
      truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
      clientAuth="true" crlFile="../list.crl" />

You can now use the Internal revocation source type to verify certificates against the specified certificate revocation list.
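As an added check (example code written for this page, not part of Deployment Automation or its documentation), the following Python script audits a server.xml for the points called out in Configure PKI certificate support and in this section: no port shared between Connector entries, clientAuth set to true, only current TLS versions enabled, and a crlFile present for internal revocation verification. The server.xml fragment is constructed for the example and is an assumption, not a file shipped with the product.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for this example (an assumption, not a file
# shipped with the product): one plain HTTP Connector plus the PKI Connector
# from the procedure above, with crlFile set for internal revocation checks.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8643" SSLEnabled="true" scheme="https" secure="true"
      sslProtocol="TLS" sslEnabledProtocols="TLSv1.3,TLSv1.2"
      keystoreFile="conf/sample-ssl.jks" keystorePass="serena" keyAlias="tomcat"
      truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
      clientAuth="true" crlFile="../list.crl"/>
  </Service>
</Server>"""

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # never enable these

def audit_pki_connectors(server_xml, require_crl=True):
    """Return a list of findings; an empty list means the PKI Connector is sound.

    Checks: no port shared between Connector entries, clientAuth exactly "true"
    (Tomcat also accepts "want", which admits clients presenting no certificate),
    no obsolete TLS versions enabled, and a crlFile when revocation is required.
    """
    root = ET.fromstring(server_xml)
    by_port = {}
    for conn in root.iter("Connector"):
        by_port.setdefault(conn.get("port"), []).append(conn)
    findings, ssl_seen = [], False
    for port, conns in by_port.items():
        if len(conns) > 1:
            findings.append(f"port {port} is used by {len(conns)} Connector entries")
        for conn in conns:
            if conn.get("SSLEnabled", "false").lower() != "true":
                continue  # plain HTTP Connector, not subject to the PKI checks
            ssl_seen = True
            client_auth = conn.get("clientAuth", "false")
            if client_auth != "true":
                findings.append(f"port {port}: clientAuth is {client_auth!r}, expected 'true'")
            enabled = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")}
            obsolete = sorted(enabled & OBSOLETE_PROTOCOLS)
            if obsolete:
                findings.append(f"port {port}: obsolete protocols enabled: {', '.join(obsolete)}")
            if require_crl and not conn.get("crlFile"):
                findings.append(f"port {port}: no crlFile, internal revocation verification unavailable")
    if not ssl_seen:
        findings.append("no SSLEnabled Connector found")
    return findings
```

Run it against the real server.xml by reading the file into a string; pass require_crl=False when only External revocation verification is in use.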

Configure polling for certificate revocation lists

To handle large Certificate Revocation Lists (CRLs), you can run a CRL poller service as part of the server startup. The poller service downloads the updated CRL for all enabled PKI Certificate authentication realms once a day.

Downloaded lists are stored in the Deployment Automation profile directory:

<da_profile_directory>\var\cache\pki

The CRL poller service downloads CRLs only under these conditions:

  • A PKI Certificate authentication realm is configured to use External or Both revocation verification source types. For details, see Add a PKI Certificate authentication realm.
  • The CRL Distribution Point property is configured for the PKI Certificate authentication realm.
  • The CRL poller flag is set to true in the server configuration file.

To configure the poller service:

  1. Navigate to the Common Tomcat WEB-INF\classes directory, for example:

    C:\Program Files\Micro Focus\common\tomcat\9.0\webapps\da\WEB-INF\classes

  2. Open the web application's da_config.xml file.
  3. Add or edit the pkiConfig entries:

    crlPollerEnabled
        To run the poller service, set this option to true. If set to false, polling is disabled.

    crlPollerStartHour
        Set to an integer value from 0 through 23 in 24-hour time format.
        If the value is not set, the default is 0, which means the polling service runs at midnight.

    Example: In this example, the poller is enabled and set to run at midnight.

    <pkiConfig>
        <crlPollerEnabled>true</crlPollerEnabled>
        <crlPollerStartHour>0</crlPollerStartHour>
    </pkiConfig>
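The following Python example (added here; not product code) reads the pkiConfig entries with the defaults stated above, rejects an out-of-range start hour, and applies the three conditions under which the poller downloads a realm's CRL. The da_config.xml fragment is constructed for the example and models only the pkiConfig element; the realm settings are passed in as plain values, an assumption about how they would be fed to such a check.

```python
import xml.etree.ElementTree as ET

# Constructed da_config.xml fragment (an assumption, not the shipped file);
# only the pkiConfig element from the procedure above is modelled.
SAMPLE_DA_CONFIG = """<config>
  <pkiConfig>
    <crlPollerEnabled>true</crlPollerEnabled>
    <crlPollerStartHour>0</crlPollerStartHour>
  </pkiConfig>
</config>"""


def read_pki_config(da_config_xml):
    """Return (poller_enabled, start_hour) using the documented defaults.

    A missing crlPollerStartHour defaults to 0 (midnight); a value outside
    0..23 is rejected rather than silently scheduling nothing.
    """
    root = ET.fromstring(da_config_xml)
    pki = root.find("pkiConfig")
    if pki is None:
        return False, 0  # no pkiConfig element: polling is off
    enabled = (pki.findtext("crlPollerEnabled") or "false").strip().lower() == "true"
    hour = int((pki.findtext("crlPollerStartHour") or "0").strip())
    if not 0 <= hour <= 23:
        raise ValueError(f"crlPollerStartHour must be 0..23, got {hour}")
    return enabled, hour


def realm_will_be_polled(poller_enabled, revocation_source, crl_distribution_point):
    """Apply the three conditions for a realm's CRL to be downloaded.

    revocation_source is the realm's setting ("Internal", "External" or "Both");
    crl_distribution_point is the realm's CRL Distribution Point property.
    """
    return (poller_enabled
            and revocation_source in ("External", "Both")
            and bool(crl_distribution_point and crl_distribution_point.strip()))
```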

Configure PKI certification for agents

For additional security, you can configure agents to authenticate through PKI certificates.

Note: No corresponding users are created in Deployment Automation when agents authenticate through PKI certificates. For details on user authentication through PKI certificates, see Create and manage users.

To configure an agent to authenticate using PKI certificates:

  1. Navigate to the <agent_install_directory>\conf directory:

    <agent_install_directory>\conf

  2. Using an appropriate editor such as the Oracle Java keytool utility, remove the default key from the agent's agent.keystore file.
  3. Add the client certificate issued by your CA for this agent to the agent.keystore file.
  4. In the <agent_install_directory>\conf\agent directory, update the installed.properties file to have the correct passwords for the agent.keystore file (locked/agent.keystore.pwd) and for the key (locked/agent.keystore.key.pwd).

    If you enter passwords unencrypted, they are encrypted the next time the agent starts.
