On Linux, to enable users to log on to the Command Center using a Common Access Card (CAC) or a client certificate, you must add a Certificate Authority (CA) root certificate to the Tomcat server.
Before You Begin
Obtain a certificate file (.cer or .crt) or a keystore file that contains the client certificate.
Procedure
- From the command prompt, go to the Base folder.
  If you want to run commands from a different location, instead of using ./, you must provide the absolute path of the cvCertTool.sh script.
- Enable login using a certificate file or a keystore file.
  - To use a certificate file, run the following command:
    ./cvCertTool.sh -trustcert-filename "certificate-full-path" configure-client-verification
  - To use a keystore file, run the following command:
    ./cvCertTool.sh -truststore-filename "truststore-full-path" -truststore-password "password" -truststore-type "type" configure-client-verification
    For example, if the truststore file is located at /some/folder/mytruststorefile.pfx and has a password of tiger, use the following command:
    ./cvCertTool.sh -truststore-filename "/some/folder/mytruststorefile.pfx" -truststore-password "tiger" -truststore-type "PKCS12" configure-client-verification
- To add the keystore that contains the revocation list, run the following command:
  ./cvCertTool.sh -trustcert-filename "certificate-full-path" -certificateRevocationList-filename "revocation-list-full-path" configure-client-verification
- Restart the Tomcat server.
Results
A new certificateVerification="optional" element appears in the corresponding server.xml file in the Command Center computer.
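A pre-flight and post-restart check for this procedure, as an added example that is not part of the original documentation or the product's tooling: it uses openssl to confirm that the file passed to -trustcert-filename is a CA certificate that is not about to expire, and grep to confirm that the certificateVerification="optional" setting is present in server.xml. The function names, the 30-day threshold and the paths passed in are assumptions.

```shell
#!/bin/sh
# Added example: checks around the cvCertTool.sh procedure.
# Function names and the 30-day default are assumptions; all paths
# are supplied by the caller.

# Print the certificate as PEM whether the .cer/.crt file is PEM or DER.
cert_to_pem() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# Return 0 only if the file is a parseable CA certificate that stays
# valid for at least $2 more days (default 30).
check_ca_cert() {
    cert=$1; days=${2:-30}
    pem=$(cert_to_pem "$cert") ||
        { echo "not an X.509 certificate: $cert" >&2; return 1; }
    # A trust anchor used for client verification should assert CA:TRUE.
    printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE' ||
        { echo "basicConstraints CA:TRUE missing: $cert" >&2; return 2; }
    # -checkend exits non-zero if the certificate expires within N seconds.
    printf '%s\n' "$pem" |
        openssl x509 -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "expired or expiring within $days days: $cert" >&2; return 3; }
    # Show the subject and SHA-256 fingerprint for comparison with the
    # values published by the issuing CA.
    printf '%s\n' "$pem" | openssl x509 -noout -subject -fingerprint -sha256
}

# Return 0 if server.xml carries the setting the procedure is expected
# to add.
check_server_xml() {
    grep -q 'certificateVerification="optional"' "$1"
}

# When run as a script: first argument is the certificate file,
# optional second argument is the minimum remaining validity in days.
if [ "$#" -ge 1 ]; then
    check_ca_cert "$1" "${2:-30}"
fi
```

Run check_ca_cert on the certificate before passing it to cvCertTool.sh, and check_server_xml on the Command Center server.xml after the Tomcat restart.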
What to Do Next
If necessary, you can disable client verification by running the following command:
cvcerttool.cmd -remove true configure-client-verification