42 Replies. Latest reply on Apr 13, 2012 3:07 PM by Mike Roper

    Atrium SSO and CAC Integration with ARS




      Has any community member successfully configured Atrium SSO to use CAC authentication? I'm looking for an overview on how it works from the mid-tier and how it passes data to the SSO server then asks for the cert, validates it and passes the authenticated user back to the mid-tier. I need to understand things like what username is passed back to ARS to determine who they are. Any insight to fill in the gaps in my knowledge would be appreciated.


      Using ARS 7.6.04 P2

      Mid-tier w/tomcatv6




        • 1. Atrium SSO and CAC Integration with ARS
          Shrihari Salem

          Hi Mike,


          The documentation for configuring Atrium SSO to use CAC can be found here (section 'Using CAC for authentication'). The document briefly describes how to configure SSO with CAC and how to set up users.

          I hope this helps. Kindly let us know if you have any further queries.




          • 2. Atrium SSO and CAC Integration with ARS

            Thanks Shrihari but I've read that document multiple times. The Atrium SSO installation itself actually went well. I'm running into issues configuring CAC authentication. My issue is with certificates and actividentity I believe. I've also read the integration guide and after some hurdles, I was able to get the agent deployer to stop crashing tomcat on the mid-tier.


            So, my original question still stands. Has anyone successfully deployed CAC authentication with Atrium SSO?

            • 3. Atrium SSO and CAC Integration with ARS



              Very happy to provide free professional services and deliver a working, supported, quality solution in an hour over a webex. With BMC customers lining up to implement SSO Plugin, I'm currently tied up until the end of the week but if the need is particularly urgent, I can find someone to assist.





              SSO Plugin for BMC, HP and more.


              • 4. Atrium SSO and CAC Integration with ARS


                Thanks for the offer. I actually created a proof of concept last year with your plugin. There's no doubt that it works and that it is easy to setup. The issue is that it is now my job to hold BMC's feet to the fire and make this work or for them to admit that it will not work as advertised. Support is slow to respond but i'm in it for the long haul and possible bitter end.




                • 5. Re: Atrium SSO and CAC Integration with ARS



                  I tried to make AtriumSSO work too. I feel your pain. I'm looking forward to your feedback and I'm sure you can make it work! And when you do, the customer will want a 24/7/365 support contract with you on standby, because no-one else knows how it works



                  • 6. Atrium SSO and CAC Integration with ARS

                    Hi Mike,


                    As you report that your issue is with "certificates and actividentity" (I'm guessing you mean the ActivClient software from ActivIdentity), have you attempted to get in touch with the software vendors for further assistance?


                    I can't say that I have actually configured Atrium SSO to use CAC authentication, but if you can tell us more about what problem you are experiencing, we may be able to offer some input.  This is an overview of the steps:


                    1. Configure Tomcat to use clientAuth="want" and restart Tomcat.

                    2. Import the DoD CA certificates appropriate for your CAC cards.

                    3. Use OCSP responder to validate certificates

                    4. Configure BMC Atrium SSO to allow valid CAC card access

                    5. Configure BMC Atrium SSO for CAC Chain user authentication


                    Please let us know which step you have reached and what error you received, and we can try to make some progress.


                    Thanks & Regards,


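To pin down steps 1 and 2 of this list before touching Atrium SSO, here is an added Python check (not BMC's code) that reads Tomcat's server.xml, reports whether the TLS connector has clientAuth="want" and which truststore file and type it really trusts, and builds the matching keytool import. The server.xml below is a constructed sample, and the -providername JsafeJCE option is the one the Atrium SSO guide quoted later in this thread uses; whether that provider exists in your JVM is an assumption.

```python
"""Check which truststore Tomcat's HTTPS connector really uses, so that the DoD
CA certificates get imported into that file and not a lookalike in conf/.
Added example; SAMPLE_SERVER_XML is constructed, not taken from an install."""
import os
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="want"
               keystoreFile="conf/keystore.p12" keystoreType="PKCS12"
               truststoreFile="conf/cacerts.p12" truststoreType="PKCS12"/>
  </Service>
</Server>"""

def ssl_connectors(server_xml_text):
    """Return the <Connector> elements that terminate TLS."""
    root = ET.fromstring(server_xml_text)
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]

def check_connector(connector, imported_into):
    """Findings for one TLS connector, given the keystore path the CA certs
    were actually imported into (relative to CATALINA_HOME, as in server.xml)."""
    findings = []
    client_auth = connector.get("clientAuth", "false")
    if client_auth not in ("want", "true"):
        findings.append(f'clientAuth="{client_auth}": browser is never asked for a client certificate')
    ts_file = connector.get("truststoreFile")
    if ts_file is None:
        # Tomcat falls back to the JVM default truststore when none is configured.
        findings.append("no truststoreFile: JVM default cacerts is used, not anything in conf/")
    elif os.path.normpath(ts_file) != os.path.normpath(imported_into):
        findings.append(f"certs were imported into {imported_into} but the connector trusts {ts_file}")
    return findings

def keytool_import_args(connector, cert_file, alias):
    """keytool arguments matching the connector's truststore settings; the
    JsafeJCE provider name is the one from the Atrium SSO guide (assumption)."""
    ts_type = connector.get("truststoreType", "JKS").upper()
    args = ["keytool", "-importcert", "-keystore", connector.get("truststoreFile", "cacerts"),
            "-file", cert_file, "-alias", alias, "-storetype", ts_type]
    if ts_type == "PKCS12":
        args += ["-providername", "JsafeJCE"]
    return args
```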
                    • 7. Atrium SSO and CAC Integration with ARS

                      Jim, Thanks for the response. I appreciate it. I followed the documentation to the letter.


                      I completed steps 1-5 paying special attention to step 2 and 3.


                      I configured tomcat to "want" the certs and bounced the service.


                      I imported the root certs and the intermediate certs as well as the ocsp cert. However, in the debug log it still tells me that the cert passed in the URL is not enabled for this client. So the documentation says that this means that the CAC certificate was not passed from the client.


                      From the doc:

                      Ensure that the certificates, or the correct certificates, were imported into the

                      cacerts file.


                      I made my cac certs available to windows through ActiveClient


                      I configured SSO to allow any valid CAC user.


                      In Atrium SSO, the CAC module is preconfigured according to BMC but I did verify the settings anyway.

                      I set the organization authentication method to CAC Chain.


                      When I start the browser and hit the mid-tier, the "choose certificate" dialog appears but is empty and grayed-out. I'm obviously missing something but i've run out of things to try.


                      Assuming I get the SSO end working by validating the cert, how does it match up the user presenting the card with an account in ARS?


                      Thanks for any help that you can provide


                      • 8. Atrium SSO and CAC Integration with ARS

                        mikeroper wrote:


                        Assuming I get the SSO end working by validating the cert, how does it match up the user presenting the card with an account in ARS?

                        Have you performed any configuration on the Remedy AR System side?  BMC Remedy Action Request System 7.6.04 Integration Guide has instructions.


                        For the remainder, I'll need to dig around some more to see what I can find out. 


                        Thanks & Regards,


                        • 9. Atrium SSO and CAC Integration with ARS


                          I followed the mid-tier integration instructions for SSO on page 163 of the integrations guide as the SSO implementation is after the fact. The cmd line for the deployer in the documentation is incorrect as well. The --container-type tomcat should be tomcatv6. It seems to be functioning at this point as the web agent is installed and it does redirect to the SSO server for authentication. I created a corresponding account in the people form based on LAST.FIRST.EDIPI# as the login name. I assume that's what it passes... I even synchronized the password between the people record and the internal "Subject" record in SSO thinking it might help. I also configured the Atrium SSO tab in the server administration console.

                          Am I missing something here? The C plugin or Java plugin server configuration? I'm not integrated with any LDAP.


                          So, it goes like this:

                          I open the browser (firefox)

                          Go to the mid-tier address

                          The ActiveClient asks me for the pin.

                          I enter the pin

                          SSO thinks about it for a moment

                          displays the SSO login page to me (the blue one, not the admin console)

                          I try the account that I created based on the card and I get login failed.


                          Other questions that came to mind...

                          Is the CAC validation on the SSO side simply a check to the OCSP to verify the certs are not revoked?


                          Also, once validated, does it just communicate back to the web agent to put me into the system as the user that it associates me with from the people record?


                          Any password exchange that goes on like previous ARS login intercept technologies?


                          Thanks for your efforts


                          • 10. Re: Atrium SSO and CAC Integration with ARS

                            Hi Mike,


                            After providing the PIN number to ActivClient, you mentioned that no certificates were available in the dialog. This condition usually means that the CAC signing certificates for the card are not in the truststore. Assuming you have the default installation (e.g. not an external Tomcat), you can verify the truststore that is in use by looking at the server.xml file in the /jdk/bin) and add the parameter “-providername JsafeJCE” when importing the certificates.


                            No, the certificate check isn’t just verified against an OCSP. You must have the private key with the certificate to prove ownership. The OCSP check is to make sure the certificate is still valid and hasn’t been revoked.


                            The identity of the user is pulled from the owner attribute of the certificate. The attribute is configured in the CAC module. In the CAC examples I’ve seen, the username has been something like “John.Doe.12345”.


                            Once you are validated, the browser is sent back to mid-tier where it accesses the login information from the SSO server. This name is then used by mid-tier to look up permissions in the people record.
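As an added illustration of the identity hand-off Adam describes (not BMC's code): parse a certificate subject DN, pull out the CN that a CAC-style owner attribute carries, and compare it with a People-form login. The DN strings are constructed, and the LAST.FIRST[.MIDDLE].EDIPI layout with a 10-digit EDIPI is the common DoD CN convention, assumed here rather than stated in the thread.

```python
"""Derive the login name a CAC identity certificate carries from its subject
DN, and compare it with the People-form login. Added example; the DN strings
used in tests are constructed and the CN layout is an assumed DoD convention."""
import re

# RFC 4514 string DN -> list of (attribute, value); handles backslash escapes,
# quoted values and '+' multi-valued RDNs. Hex escapes such as \2C are not decoded.
def parse_dn(dn):
    pairs, buf, quoted, i = [], [], False, 0

    def flush():
        attr, _, value = "".join(buf).partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
        buf.clear()

    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped literal, e.g. "\,"
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in ",+" and not quoted:
            flush()
        else:
            buf.append(ch)
        i += 1
    if buf:
        flush()
    return pairs

# LAST.FIRST[.MIDDLE].EDIPI, EDIPI being 10 digits (assumed DoD convention).
CAC_CN = re.compile(r"^(?P<last>[^.]+)\.(?P<first>[^.]+)"
                    r"(?:\.(?P<middle>[^.]+))?\.(?P<edipi>\d{10})$")

def cac_identity(dn):
    """Return (cn, parts): cn is the CN as the SSO server would hand it on,
    parts the split name fields, or None when the CN is not CAC-shaped."""
    cn = next((v for a, v in parse_dn(dn) if a == "CN"), None)
    if cn is None:
        return None, None
    m = CAC_CN.match(cn)
    return cn, (m.groupdict() if m else None)

def login_matches(cn, people_login):
    """'match', 'case-mismatch' (same letters, different case) or 'no-match'."""
    if cn == people_login:
        return "match"
    return "case-mismatch" if cn.lower() == people_login.lower() else "no-match"
```

Run cac_identity on the subject DN of the certificate the browser offers, then login_matches against the People-form login, to see whether the two names really agree before chasing the SSO side further.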






                            • 11. Atrium SSO and CAC Integration with ARS

                              Adam and Jim,


                              I have made some progress with the certificates. The browser can now see the certificate. Here's what happened...


                              Page 74 of the SSO guide shows:


                              4 Use the keytool utility to import the certificate into the truststore using the following parameters:

                              keytool -importcert -keystore cacerts -file DOD_CA19.car -alias DOD_CA19 -storetype PKCS12 -providername JsafeJCE


                              I re-read page 37 on Ch. 3 and noticed some differences that were mainly with the keystore file.

                              I had a cacerts and a cacerts.p12 file in the conf directory. I put the certs into the .p12 keystore and now the browser asks me to select one of the certs on my card.


                              The whole thing isn't working quite yet. I'm still not getting passed back into the mid-tier as the account associated with my uid. I'm going to continue working on this today.


                              Thanks for all your help so far.


                              • 12. Re: Atrium SSO and CAC Integration with ARS

                                Hi Mike,


                                Good to know progress is being made - keep us posted!


                                I've logged documentation update requests for both the deployer.jar issue on P.163/164 of the BMC Remedy Action Request System 7.6.04 Integration Guide and the keytool issue on P.74 of the BMC Atrium Single Sign-On 7.6.04 Administration Guide.


                                Thanks & Regards,


                                • 13. Re: Atrium SSO and CAC Integration with ARS

                                  You'll find an updated 7.6.04 SSO Admin guide on the wiki. For 7.6.04, the error was caught in a few places, but not all. See https://docs.bmc.com/docs/display/ac7604/Product+guides if you don't have the updated version.

                                  • 14. Atrium SSO and CAC Integration with ARS

                                    Thanks Jim,


                                    I'm having ocsp issues but I'm working through those with an internal group here.


                                    For the sake of testing I have turned off ocsp validation temporarily in hopes that I would be magically transported into the mid-tier. No such luck unfortunately. I've had a ticket open with support for about a week now trying to get this thing off the ground. Franny Frontline will get back to me soon I'm sure
