On Linux, to enable users to log on to the Command Center using a Common Access Card (CAC) or a client certificate, you must add a Certificate Authority (CA) root certificate to the Tomcat server.
Before You Begin
Obtain a certificate file (.cer or .crt) or a keystore file that contains the client certificate.
Procedure
- From the command prompt, go to the Base folder.
  If you want to run commands from a different location, instead of using ./, you must provide the absolute path of the cvCertTool.sh script.
- Enable login using a certificate file or a keystore file.
  - To use a certificate file, run the following command:
    ./cvCertTool.sh -trustcert-filename "<certificate-full-path>" configure-client-verification
  - To use a keystore file, run the following command:
    ./cvCertTool.sh -truststore-filename "<truststore-full-path>" -truststore-password "<password>" -truststore-type "<type>" configure-client-verification
    For example, if the truststore file is located at /some/folder/mytruststorefile.pfx and has the password tiger, use the following command:
    ./cvCertTool.sh -truststore-filename "/some/folder/mytruststorefile.pfx" -truststore-password "tiger" -truststore-type "PKCS12" configure-client-verification
  - To add the keystore that contains the revocation list, run the following command:
    ./cvCertTool.sh -trustcert-filename "<certificate-full-path>" -certificateRevocationList-filename "<revocation-list-full-path>" configure-client-verification
- Restart the Tomcat server.
Results
A new certificateVerification="optional" element appears in the corresponding server.xml file on the Web Console or Command Center computer.
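After the restart, you can confirm the result from the shell. The script below is an added example, not part of the Commvault documentation or tooling; it assumes server.xml carries the setting on Tomcat's SSLHostConfig element, the sample files are constructed for illustration, and the optional CA check assumes openssl is installed and a PEM or DER .cer/.crt file.

```shell
# Added example (not Commvault's code): verify the outcome of the procedure.
# Assumptions: server.xml uses Tomcat's SSLHostConfig element, and the sample
# files below are constructed for illustration only.

# Print the value of the certificateVerification attribute in a server.xml,
# or "none" when the attribute is absent (client verification not configured).
cert_verification_mode() {
    mode=$(grep -o 'certificateVerification="[^"]*"' "$1" | head -n 1 \
           | sed 's/.*="\([^"]*\)"/\1/')
    if [ -z "$mode" ]; then echo "none"; else echo "$mode"; fi
}

# Succeed (exit 0) only when client certificate verification is switched on.
# "optional" (what the procedure produces) still allows password logins;
# "required" would reject every client that presents no certificate.
client_verification_enabled() {
    case "$(cert_verification_mode "$1")" in
        optional|required) return 0 ;;
        *) return 1 ;;
    esac
}

# Check that the file handed to -trustcert-filename is really a CA certificate
# (basicConstraints CA:TRUE), accepting PEM or DER input. Needs openssl.
is_ca_certificate() {
    { openssl x509 -in "$1" -noout -text 2>/dev/null \
      || openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null; } \
      | grep -q 'CA:TRUE'
}

# Constructed sample: server.xml after the tool ran and Tomcat was restarted.
ENABLED_XML=$(mktemp)
cat > "$ENABLED_XML" <<'EOF'
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig certificateVerification="optional" truststoreFile="/some/folder/mytruststorefile.pfx">
    <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
  </SSLHostConfig>
</Connector>
EOF

# Constructed sample: server.xml before the tool ran (no client verification).
DISABLED_XML=$(mktemp)
cat > "$DISABLED_XML" <<'EOF'
<Connector port="443" SSLEnabled="true">
  <SSLHostConfig><Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/></SSLHostConfig>
</Connector>
EOF

echo "enabled sample:  $(cert_verification_mode "$ENABLED_XML")"   # optional
echo "disabled sample: $(cert_verification_mode "$DISABLED_XML")"  # none
```

Point cert_verification_mode at the real server.xml to confirm the restart picked up the change, and run is_ca_certificate on the trust anchor before you pass it to the tool.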
What to Do Next
If necessary, you can disable client verification by running the following command:
./cvCertTool.sh -remove true configure-client-verification