Configure Smart Card authentication installation procedure

Configure the Control Room to authenticate users using the Smart Card option.

Prerequisites

To perform the task, you must have a Control Room administrator account with the required rights and permissions.

Follow these steps to configure your Cloud Control Room to use Smart Card (X.509 client certificate) authentication.

Procedure

  1. Configure the secondary hostname to point to the Control Room load balancer.
    This step defines the secondary hostname used for authentication requests when the Control Room is configured for Smart Card authentication. The secondary hostname is configured within the Control Room load balancer automatically, but both the primary and secondary hostnames must resolve in the DNS system used by the Control Room environment. Add DNS entries for both hostnames; this is done outside the Control Room.
  2. Specify the Java KeyStore that holds the trusted CA certificates.
    Configure the location the Control Room checks for the Certificate Authority (CA) certificates used to validate user certificates at login.
    Note: The certificates in this location are the certificates of the CAs that issue the user certificates (the issuing chain), not the server certificate of the Control Room itself. A user certificate is accepted only if it chains to a CA in this truststore.
    Option: Periodically scan the following location
    Action: Define the path to the keystore file containing the CA certificates and set the scan frequency. Use this setting if you update the CA truststore periodically (for example, when issuing CAs are rotated).
    Option: Upload the KeyStore manually
    Action: Load a keystore file containing the CA certificates. Use this setting if your CAs are known and static. Indicate whether the keystore is password protected and, if it is, supply and confirm the password.

  3. Select the revocation checking method.
    Revocation checking configures the Control Room to reject authentication requests for certificates that the issuing CA has revoked (for example, a lost or compromised smart card).
    Option: Online Certificate Status Protocol (OCSP)
    Action: Use this setting if your CA operates an OCSP responder.
    Option: Certificate Revocation List
    Action: Use this setting if you maintain a CRL of revoked certificates.
    Option: No Revocation Checking
    Action: With this setting the Control Room performs no revocation check; a revoked certificate that still chains to a trusted CA will be accepted.
    Note: This is not recommended for production deployments, where revocation checking is typically required.
  4. Use the other method if selected method fails
    With this setting the Control Room falls back to the non-selected revocation method (CRL if OCSP is selected, or OCSP if CRL is selected) when the configured method fails, for example because the OCSP responder is unreachable or the CRL cannot be retrieved.
  5. Allow user to authenticate even if revocation status cannot be determined
    With this setting users can still authenticate when the revocation check (or both checks, if fallback is enabled) returns no answer. This is a fail-open choice: a certificate that has in fact been revoked is accepted whenever the revocation source is unavailable. A definite "revoked" answer is still rejected. Leave this disabled where availability of the OCSP responder or CRL can be relied on.
  6. Configure user name mapping.
    User name mapping specifies which attribute of the user certificate is used as the Control Room user name. The user must already exist in the Control Room before logging in, and the configured user name must match the value derived from the certificate exactly.
    1. Obtain user name from
      Certificate subject
      Use this setting if the Control Room user name is the same as the string in the Subject field of the user certificate (or can be extracted from it with the regular expression below).
      Universal Principal Name
      Use this setting if the Control Room user name is the same as the string in the User Principal Name (UPN) of the user certificate, typically carried in its Subject Alternative Name.
    2. Use Regular Expression
      Enter a regular expression that extracts the Control Room user name from the selected certificate field. This is not necessary if the Control Room user name is identical to the data in the selected field. Anchor the pattern so that each certificate yields exactly one user name and no two users' certificates can map to the same account.
  7. Configure first name mapping.
    First name mapping specifies which attribute of the user certificate is used for the Control Room first name. The first name must be configured in the Control Room prior to the user logging in and must match the first name derived from the certificate.
    1. Obtain first name from
      Certificate subject
      Use this setting if the Control Room first name is the same as the string in the Subject field for the user certificate.
      Universal Principal Name
      Use this setting if the Control Room first name is the same as the string in the Universal Principal Name field for the user certificate.
    2. Use Regular Expression
      Enter Regular Expression that will filter the Control Room user first name from the selected field of the user certificate. This may not be necessary if the Control Room user first name is the same as the data within the selected certificate field.
  8. Configure last name mapping.
    Last name mapping specifies which attribute of the user certificate is used for the Control Room last name. The last name must be configured in the Control Room prior to the user logging in and must match the last name derived from the certificate.
    1. Obtain last name from
      Certificate subject
      Use this setting if the Control Room last name is the same as the string in the Subject field for the user certificate.
      Universal Principal Name
      Use this setting if the Control Room last name is the same as the string in the Universal Principal Name field for the user certificate.
    2. Use Regular Expression
      Enter Regular Expression that will filter the Control Room user last name from the selected field of the user certificate. This may not be necessary if the Control Room user last name is the same as the data within the selected certificate field.
  9. Configure email address mapping.
    Email address mapping specifies which attribute of the user certificate is used for the Control Room email address. The email address must be configured in the Control Room prior to the user logging in and must match the email address derived from the certificate.
    1. Obtain email address from
      Certificate subject
      Use this setting if the Control Room email address is the same as the string in the Subject field for the user certificate.
      Universal Principal Name
      Use this setting if the Control Room email address is the same as the string in the Universal Principal Name field for the user certificate.
    2. Use Regular Expression
      Enter Regular Expression that will filter the Control Room user email address from the selected field of the user certificate. This may not be necessary if the Control Room user email address is the same as the data within the selected certificate field.
  10. Click Next.
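The settings in steps 3 through 9 interact in ways the option list above does not make visible: whether fallback and the fail-open switch together can admit a revoked certificate, and what a mapping regular expression actually yields for a given certificate. The following Python model is an added example, not code from the Control Room product or its documentation. The Subject DN, UPN and regular expressions are constructed assumptions for illustration; the Status values and the decision order are a model of the described behaviour, not the product's implementation.

```python
import re
from enum import Enum

# Constructed sample values a smart-card certificate might carry.
# Not taken from any real deployment.
SAMPLE_SUBJECT = "CN=Jane Doe,OU=Users,O=Example Corp,C=US"
SAMPLE_UPN = "jdoe@example.com"


class Status(Enum):
    """Outcome of one revocation lookup (OCSP or CRL)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder unreachable, CRL stale or missing


def revocation_decision(primary, secondary, use_other_if_fails, allow_if_undetermined):
    """Model of steps 3-5: may the login proceed?

    primary   : Status from the selected method (OCSP or CRL).
    secondary : Status from the other method, consulted only when
                use_other_if_fails is set and the primary gave no answer.
    allow_if_undetermined : the fail-open switch from step 5.
    """
    status = primary
    if status is Status.UNKNOWN and use_other_if_fails:
        status = secondary
    if status is Status.REVOKED:
        return False              # a definite "revoked" is never overridden
    if status is Status.GOOD:
        return True
    return allow_if_undetermined  # no answer from any method: fail-open or fail-closed


# Model of steps 6-9: (source field, optional regex) per Control Room attribute.
# The regexes are assumptions written for the sample DN layout above; the
# first capture group is the extracted value.
MAPPINGS = {
    "user_name":  ("upn",     r"^([^@]+)@"),             # jdoe from jdoe@example.com
    "first_name": ("subject", r"(?:^|,)CN=(\S+) "),      # first token of the CN
    "last_name":  ("subject", r"(?:^|,)CN=\S+ ([^,]+)"), # remainder of the CN
    "email":      ("upn",     None),                     # whole UPN, no regex
}


def extract(value, regex):
    """Apply an optional regex to a certificate field.

    Returns the first capture group (or the whole match when the pattern has
    no group), or None when the regex does not match; a None user name means
    no Control Room account can match and the login is rejected.
    """
    if regex is None:
        return value
    m = re.search(regex, value)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


def derive_account(subject, upn, mappings=MAPPINGS):
    """Produce the Control Room attributes a certificate would map to."""
    sources = {"subject": subject, "upn": upn}
    return {attr: extract(sources[src], rx) for attr, (src, rx) in mappings.items()}


if __name__ == "__main__":
    print(derive_account(SAMPLE_SUBJECT, SAMPLE_UPN))
    # OCSP and CRL both unreachable, fallback on, fail-open off: rejected.
    print(revocation_decision(Status.UNKNOWN, Status.UNKNOWN, True, False))
    # Same outage with fail-open on: accepted, even if the card was revoked.
    print(revocation_decision(Status.UNKNOWN, Status.UNKNOWN, False, True))
```

Before enabling Smart Card login for all users, run the production regular expressions against the Subject and UPN of a few real issued certificates in this way and confirm that each produces exactly the existing Control Room user name; an unanchored pattern that matches a longer string than intended will either fail to match any account or match the wrong one.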