Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-11 Thread Wixson Carolyn L PSNS
Patrick,

I have not done all the research I really need to do for a better approach
yet, this is what I have so far. It seems to do the trick for the most part
of what I need - Mid Tier only.

This will work if all your users are authenticated. 

You need to allow Guest Users.

Get the KM-00010678 RemoteUser.jsp from the Remedy Support Site. Follow
the directions for permissions, etc. Name it something like:
RequesterLogin.jsp.

You will have a link on your Intranet to the RequesterLogin.jsp file that
will automatically log in the user based on their authenticated windows
login. (Note that anyone that has a password in the User table, will need to
use the normal login screen.)

You create functionality that verifies the windows login again. (This will
prevent mistyped or invalid logins of people that accidentally get to the
normal login screen or know how to access via URL.) 

Create another jsp, name it something like GetLogin.jsp. Here is an example:

function rtn_RemoteUser() {
  <%
  // Account the web server authenticated for this request; null when the
  // request was not authenticated.
  String ruser = request.getRemoteUser();
  String realname = "";
  if (ruser != null) {
    /** Remove [Domain.com\] from ruser so that we are left with
        only the NT domain account name **/
    realname = ruser.substring(ruser.indexOf("\\") + 1);
    // Drop characters that would break out of the JavaScript string below.
    realname = realname.replaceAll("[\"'\\\\<>\\r\\n]", "");
  }
  %>
  return("<%=realname%>");
}

In the form that Requesters access upon login, place the following in the
heading:


Then create an active link that will do a Run Process to set a field:
javascript:window.F(60005).DoSet(rtn_RemoteUser()); (I got this part
from a post to the list with the Subject of "passing ip config information"
- I just love this list!)

You will need to create other Active Links as necessary to allow Admin
testing, etc. Verify the basic rules of login, etc. If these are not met or
if $USER$ does not equal the value your Active Link returns, limit the use
to view only of specific items, or bounce them out, etc.

Hope this helps!

Carolyn

-Original Message-
From: patrick zandi [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 11, 2006 8:11
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smar t card


So, how is your approach to this .. Carolyn ?
you can send me offlist..
[EMAIL PROTECTED]

On 10/11/06, Wixson Carolyn L PSNS <[EMAIL PROTECTED]> wrote:
> This sounds very interesting.
>
> I am glad that there are so many people interested in finding a good fix
> for the PKI / Smartcard authentication. One thing that I would like to
> stay away from is having all the "Requesters" need to have a record in
> the user table.
> (We have around 7000 people that just need Requester access.)
>
> Carolyn
>
>
> -Original Message-
> From: Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 10, 2006 10:07
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a
> smar t card
>
>
> The redirect is handled by the 401 Errors.  If you are not in the group
> hence 401 on the website.  Once redirected you must have CAC and a
> reason to register.  Registration info and harvested data is used to
> create the AD account.  What I am looking for is a more direct approach
> within ARS itself.
>
> Thanks,
> Dave
>
>
> -Original Message-
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of patrick zandi
> Sent: Tuesday, October 10, 2006 10:34
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a
> smar t card
>
> This is interesting.. sounds a little like the AF Portal..
> The problem with AF Portal is the Embedded password into the scripting..
> This is a little on the "2 taco's shy of a combination plate" aspect..
> But it sounds like you are not doing that..
> interesting.. is this in JSP ? the redirector and then into remedy..
>
> would like to see that if possible..
>
> MSgt Patrick Zandi, USAF
>
> On 10/10/06, Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
> <[EMAIL PROTECTED]> wrote:
> > Hello Carolyn,
> >
> > What we have done at our activity is to tie the CAC PKI SmartCard to
> > the Active Directory and assign AD users to a Remedy Group.  That
> > group has permissions to the Virtual Website that hosts the Remedy
> > MidTier.  Much like your "Trust" comment below.  Additionally, we
> > redirect any user that attempts to access Remedy MidTier to a
> > registration page that collects their CAC data to create an AD
> > account.  Once their request is approved their AD account is added to
> > the Remedy group.  It is not where we want 
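
A server-side form of the check described in Carolyn's message above (reduce the container's user name to the account name, compare it with the ARS login, and quote it safely when it is written into script), as an added example that is not code from the thread or from KM-00010678. The class and method names are hypothetical and the sample values are constructed; accepting user@domain names and folding case go beyond the DOMAIN\user case in the post and are assumptions.

```java
import java.util.Locale;

// Added example; class and method names are hypothetical, sample values are constructed.
public final class RemoteUserCheck {

    // Characters Windows does not allow in an account name.
    private static final String ILLEGAL = "\"/\\[]:;|=,+*?<>";

    private RemoteUserCheck() {}

    /**
     * Reduce the value of request.getRemoteUser() to the bare account name.
     * Handles a domain-qualified name (domain, backslash, account), an
     * account@domain name and a plain account name. Returns null for an
     * unauthenticated request (null input) or for a name that is empty or
     * contains control or illegal characters.
     */
    public static String accountName(String remoteUser) {
        if (remoteUser == null) {
            return null;
        }
        String name = remoteUser.trim();
        int slash = name.lastIndexOf('\\');
        if (slash >= 0) {
            name = name.substring(slash + 1);   // drop the domain prefix
        }
        int at = name.indexOf('@');
        if (at >= 0) {
            name = name.substring(0, at);       // drop the domain suffix
        }
        if (name.isEmpty()) {
            return null;
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c < 0x20 || ILLEGAL.indexOf(c) >= 0) {
                return null;
            }
        }
        // Assumption: login names are compared without regard to case.
        return name.toLowerCase(Locale.ROOT);
    }

    /** True only when both names are present and reduce to the same account. */
    public static boolean sameUser(String remoteUser, String arsUser) {
        String fromContainer = accountName(remoteUser);
        String fromSession = accountName(arsUser);
        return fromContainer != null && fromContainer.equals(fromSession);
    }

    /**
     * Quote a value as a JavaScript string literal for generated script.
     * Anything other than ASCII letters, digits, space, '.', '_' and '-'
     * is written as a four-digit hexadecimal escape.
     */
    public static String jsLiteral(String value) {
        StringBuilder out = new StringBuilder("\"");
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9')
                    || c == '.' || c == '_' || c == '-' || c == ' ';
            if (plain) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.append('"').toString();
    }

    public static void main(String[] args) {
        // Constructed pairs: container user name, ARS login name of the session.
        String[][] samples = {
            {"CORP\\jdoe", "jdoe"},
            {"jdoe@corp.example", "JDoe"},
            {"CORP\\jdoe", "asmith"},
            {null, "jdoe"},
            {"CORP\\", "jdoe"},
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " vs " + s[1] + " -> " + sameUser(s[0], s[1]));
        }
        System.out.println(jsLiteral("o'brien\"</script>"));
    }
}
```

A field filled by DoSet(rtn_RemoteUser()) is set by script running in the browser, so its value is under the user's control; a comparison such as sameUser, made where the request is authenticated, is the one to enforce on.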

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-11 Thread patrick zandi

So, how is your approach to this .. Carolyn ?
you can send me offlist..
[EMAIL PROTECTED]

On 10/11/06, Wixson Carolyn L PSNS <[EMAIL PROTECTED]> wrote:

This sounds very interesting.

I am glad that there are so many people interested in finding a good fix for
the PKI / Smartcard authentication. One thing that I would like to stay away
from is having all the "Requesters" need to have a record in the user table.
(We have around 7000 people that just need Requester access.)

Carolyn


-Original Message-
From: Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 10:07
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smar t card


The redirect is handled by the 401 Errors.  If you are not in the group
hence 401 on the website.  Once redirected you must have CAC and a
reason to register.  Registration info and harvested data is used to
create the AD account.  What I am looking for is a more direct approach
within ARS itself.

Thanks,
Dave


-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of patrick zandi
Sent: Tuesday, October 10, 2006 10:34
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smar t card

This is interesting.. sounds a little like the AF Portal..
The problem with AF Portal is the Embedded password into the scripting..
This is a little on the "2 taco's shy of a combination plate" aspect..
But it sounds like you are not doing that..
interesting.. is this in JSP ? the redirector and then into remedy..

would like to see that if possible..

MSgt Patrick Zandi, USAF

On 10/10/06, Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
<[EMAIL PROTECTED]> wrote:
> Hello Carolyn,
>
> What we have done at our activity is to tie the CAC PKI SmartCard to
> the Active Directory and assign AD users to a Remedy Group.  That
> group has permissions to the Virtual Website that hosts the Remedy
> MidTier.  Much like your "Trust" comment below.  Additionally, we
> redirect any user that attempts to access Remedy MidTier to a
> registration page that collects their CAC data to create an AD
> account.  Once their request is approved their AD account is added to
> the Remedy group.  It is not where we want to be but we have our
> Remedy MidTier and Production servers on separate AD Domains.
>
> Thank You for your feedback,
> Dave Davis
>
>
> -Original Message-
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of Wixson Carolyn L PSNS
> Sent: Friday, October 06, 2006 10:07
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a
> smar t card
>
> Hi!
>
> Here is what we plan on doing so far, only on the mid-tier (6.3):
>
> All of our users are authenticated, so we provide a link for
> Requesters to a JSP page that gets the user name and logs them in with
> it.
>
> Once they are in, an Active link runs a process that calls another JSP
> page to get the Windows user name again and compares it to the $USER$.
> (This is to ensure that someone does not work-around the auto-login
> page.) Both of these JSP pages are based from KM-00010678 "How can
> I use my NT domain name to log me directly into the Mid-Tier without
> having to be directed to login.jsp?"
>
> There are other Active links that run to ensure that the login meets
> other criteria as well.
>
> This will work if everyone is authenticated, but as you said, it does
> not check the certificate.
>
> On the windows client, it is pretty much available to just Customer
> Support and they login. If a user does access the windows client,
> there are some Active Links that limit the use, etc.
>
> I am looking at other solutions, but I believe that the above will
> work for now. We have not moved this to production yet. We have never
> used the Mid-Tier before, but now that we are going to allow
> requesters to submit their own tickets, it seems a good way to go.
>
> I hope this helps.
>
> Carolyn Wixson
>
>
>
> -Original Message-
> From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 7:46
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a
> smart card
>
>
> Nothing, yet.  Based on research, seems that it can't be done - you
> can set up a "trust" (which our security people get indignant at
> calling it
> that) - meaning, if you want to "trust" that just because someone got
> on to a machine with a smart card, you could grab the user name get
> them into the system that way.  Bu

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-11 Thread Wixson Carolyn L PSNS
This sounds very interesting.

I am glad that there are so many people interested in finding a good fix for
the PKI / Smartcard authentication. One thing that I would like to stay away
from is having all the "Requesters" need to have a record in the user table.
(We have around 7000 people that just need Requester access.)

Carolyn 


-Original Message-
From: Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 10:07
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smar t card


The redirect is handled by the 401 Errors.  If you are not in the group
hence 401 on the website.  Once redirected you must have CAC and a
reason to register.  Registration info and harvested data is used to
create the AD account.  What I am looking for is a more direct approach
within ARS itself.

Thanks,
Dave
 

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of patrick zandi
Sent: Tuesday, October 10, 2006 10:34
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smar t card

This is interesting.. sounds a little like the AF Portal..
The problem with AF Portal is the Embedded password into the scripting..
This is a little on the "2 taco's shy of a combination plate" aspect..
But it sounds like you are not doing that..
interesting.. is this in JSP ? the redirector and then into remedy..

would like to see that if possible..

MSgt Patrick Zandi, USAF

On 10/10/06, Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
<[EMAIL PROTECTED]> wrote:
> Hello Carolyn,
>
> What we have done at our activity is to tie the CAC PKI SmartCard to 
> the Active Directory and assign AD users to a Remedy Group.  That 
> group has permissions to the Virtual Website that hosts the Remedy 
> MidTier.  Much like your "Trust" comment below.  Additionally, we 
> redirect any user that attempts to access Remedy MidTier to a 
> registration page that collects their CAC data to create an AD 
> account.  Once their request is approved their AD account is added to 
> the Remedy group.  It is not where we want to be but we have our 
> Remedy MidTier and Production servers on separate AD Domains.
>
> Thank You for your feedback,
> Dave Davis
>
>
> -Original Message-
> From: Action Request System discussion list(ARSList) 
> [mailto:[EMAIL PROTECTED] On Behalf Of Wixson Carolyn L PSNS
> Sent: Friday, October 06, 2006 10:07
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smar t card
>
> Hi!
>
> Here is what we plan on doing so far, only on the mid-tier (6.3):
>
> All of our users are authenticated, so we provide a link for
> Requesters to a JSP page that gets the user name and logs them in with
> it.
>
> Once they are in, an Active link runs a process that calls another JSP
> page to get the Windows user name again and compares it to the $USER$.
> (This is to ensure that someone does not work-around the auto-login
> page.) Both of these JSP pages are based from KM-00010678 "How can
> I use my NT domain name to log me directly into the Mid-Tier without
> having to be directed to login.jsp?"
>
> There are other Active links that run to ensure that the login meets 
> other criteria as well.
>
> This will work if everyone is authenticated, but as you said, it does 
> not check the certificate.
>
> On the windows client, it is pretty much available to just Customer 
> Support and they login. If a user does access the windows client, 
> there are some Active Links that limit the use, etc.
>
> I am looking at other solutions, but I believe that the above will 
> work for now. We have not moved this to production yet. We have never 
> used the Mid-Tier before, but now that we are going to allow 
> requesters to submit their own tickets, it seems a good way to go.
>
> I hope this helps.
>
> Carolyn Wixson
>
>
>
> -Original Message-
> From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 7:46
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smart card
>
>
> Nothing, yet.  Based on research, seems that it can't be done - you 
> can set up a "trust" (which our security people get indignant at 
> calling it
> that) - meaning, if you want to "trust" that just because someone got 
> on to a machine with a smart card, you could grab the user name get 
> them into the system that way.  But you can't have the AR Server and 
> the client communicate with certificates.
>
> However, on the mid-tier, we can use 

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-10 Thread Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
The redirect is handled by the 401 Errors.  If you are not in the group
hence 401 on the website.  Once redirected you must have CAC and a
reason to register.  Registration info and harvested data is used to
create the AD account.  What I am looking for is a more direct approach
within ARS itself.

Thanks,
Dave
 

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of patrick zandi
Sent: Tuesday, October 10, 2006 10:34
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smar t card

This is interesting.. sounds a little like the AF Portal..
The problem with AF Portal is the Embedded password into the scripting..
This is a little on the "2 taco's shy of a combination plate" aspect..
But it sounds like you are not doing that..
interesting.. is this in JSP ? the redirector and then into remedy..

would like to see that if possible..

MSgt Patrick Zandi, USAF

On 10/10/06, Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
<[EMAIL PROTECTED]> wrote:
> Hello Carolyn,
>
> What we have done at our activity is to tie the CAC PKI SmartCard to 
> the Active Directory and assign AD users to a Remedy Group.  That 
> group has permissions to the Virtual Website that hosts the Remedy 
> MidTier.  Much like your "Trust" comment below.  Additionally, we 
> redirect any user that attempts to access Remedy MidTier to a 
> registration page that collects their CAC data to create an AD 
> account.  Once their request is approved their AD account is added to 
> the Remedy group.  It is not where we want to be but we have our 
> Remedy MidTier and Production servers on separate AD Domains.
>
> Thank You for your feedback,
> Dave Davis
>
>
> -Original Message-
> From: Action Request System discussion list(ARSList) 
> [mailto:[EMAIL PROTECTED] On Behalf Of Wixson Carolyn L PSNS
> Sent: Friday, October 06, 2006 10:07
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smar t card
>
> Hi!
>
> Here is what we plan on doing so far, only on the mid-tier (6.3):
>
> All of our users are authenticated, so we provide a link for
> Requesters to a JSP page that gets the user name and logs them in with
> it.
>
> Once they are in, an Active link runs a process that calls another JSP
> page to get the Windows user name again and compares it to the $USER$.
> (This is to ensure that someone does not work-around the auto-login
> page.) Both of these JSP pages are based from KM-00010678 "How can
> I use my NT domain name to log me directly into the Mid-Tier without
> having to be directed to login.jsp?"
>
> There are other Active links that run to ensure that the login meets 
> other criteria as well.
>
> This will work if everyone is authenticated, but as you said, it does 
> not check the certificate.
>
> On the windows client, it is pretty much available to just Customer 
> Support and they login. If a user does access the windows client, 
> there are some Active Links that limit the use, etc.
>
> I am looking at other solutions, but I believe that the above will 
> work for now. We have not moved this to production yet. We have never 
> used the Mid-Tier before, but now that we are going to allow 
> requesters to submit their own tickets, it seems a good way to go.
>
> I hope this helps.
>
> Carolyn Wixson
>
>
>
> -Original Message-
> From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 05, 2006 7:46
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smart card
>
>
> Nothing, yet.  Based on research, seems that it can't be done - you 
> can set up a "trust" (which our security people get indignant at 
> calling it
> that) - meaning, if you want to "trust" that just because someone got 
> on to a machine with a smart card, you could grab the user name get 
> them into the system that way.  But you can't have the AR Server and 
> the client communicate with certificates.
>
> However, on the mid-tier, we can use certificates, as we'll do all of 
> the authentication work using SiteMinder...
>
> -Original Message-
> From: Action Request System discussion list(ARSList) 
> [mailto:[EMAIL PROTECTED] On Behalf Of Davis, David CTR 
> NAVSURFWARCENDIV Crane, Code 0552
> Sent: Thursday, October 05, 2006 1:24 PM
> To: arslist@ARSLIST.ORG
> Subject: Re: Authenticate an ARS user using a certificate stored on a 
> smart card
>
> Rebecca
>
> Have you been able to integrate ARS authentication with the PKI
> SmartCard yet?  If so, what tools did you use.
>
> Th

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-10 Thread patrick zandi

This is interesting.. sounds a little like the AF Portal..
The problem with AF Portal is the Embedded password into the scripting..
This is a little on the "2 taco's shy of a combination plate" aspect..
But it sounds like you are not doing that..
interesting.. is this in JSP ? the redirector and then into remedy..

would like to see that if possible..

MSgt Patrick Zandi, USAF

On 10/10/06, Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
<[EMAIL PROTECTED]> wrote:

Hello Carolyn,

What we have done at our activity is to tie the CAC PKI SmartCard to the
Active Directory and assign AD users to a Remedy Group.  That group has
permissions to the Virtual Website that hosts the Remedy MidTier.  Much
like your "Trust" comment below.  Additionally, we redirect any user
that attempts to access Remedy MidTier to a registration page that
collects their CAC data to create an AD account.  Once their request is
approved their AD account is added to the Remedy group.  It is not where
we want to be but we have our Remedy MidTier and Production servers on
separate AD Domains.

Thank You for your feedback,
Dave Davis


-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Wixson Carolyn L PSNS
Sent: Friday, October 06, 2006 10:07
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smar t card

Hi!

Here is what we plan on doing so far, only on the mid-tier (6.3):

All of our users are authenticated, so we provide a link for Requesters
to a JSP page that gets the user name and logs them in with it.

Once they are in, an Active link runs a process that calls another JSP
page to get the Windows user name again and compares it to the $USER$.
(This is to ensure that someone does not work-around the auto-login
page.) Both of these JSP pages are based from KM-00010678 "How can I
use my NT domain name to log me directly into the Mid-Tier without
having to be directed to login.jsp?"

There are other Active links that run to ensure that the login meets
other criteria as well.

This will work if everyone is authenticated, but as you said, it does
not check the certificate.

On the windows client, it is pretty much available to just Customer
Support and they login. If a user does access the windows client, there
are some Active Links that limit the use, etc.

I am looking at other solutions, but I believe that the above will work
for now. We have not moved this to production yet. We have never used
the Mid-Tier before, but now that we are going to allow requesters to
submit their own tickets, it seems a good way to go.

I hope this helps.

Carolyn Wixson



-Original Message-
From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 7:46
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card


Nothing, yet.  Based on research, seems that it can't be done - you can
set up a "trust" (which our security people get indignant at calling it
that) - meaning, if you want to "trust" that just because someone got on
to a machine with a smart card, you could grab the user name get them
into the system that way.  But you can't have the AR Server and the
client communicate with certificates.

However, on the mid-tier, we can use certificates, as we'll do all of
the authentication work using SiteMinder...

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Davis, David CTR
NAVSURFWARCENDIV Crane, Code 0552
Sent: Thursday, October 05, 2006 1:24 PM
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card

Rebecca

Have you been able to integrate ARS authentication with the PKI
SmartCard yet?  If so, what tools did you use.

Thanks,
Dave Davis
Software Systems Engineer - SAIC


-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Rebecca Hammond
Sent: Wednesday, September 13, 2006 13:39
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card

Am I the only one who isn't totally confused by the white paper?  I'm
just not clear on how I'm supposed to write an Authenticator of my own,
that handles PKI or SmartCard technology.

Is it just because with SSO, it pulls the information from your OS?

Does anyone have any samples of what these Authenticators might look
like?

Thanks in advance!

-Rebecca Hammond

On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David <[EMAIL PROTECTED]>
wrote:

>Daniel,
>
>  You may want to take a look at the "Integrating BMC Remedy Action
>Request System with Single Sign-On (SSO)" white paper that was updated
>for AR System 7.00.00.  It also applies to other client-side login
>intercept t

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-10 Thread Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
Hello Carolyn,

What we have done at our activity is to tie the CAC PKI SmartCard to the
Active Directory and assign AD users to a Remedy Group.  That group has
permissions to the Virtual Website that hosts the Remedy MidTier.  Much
like your "Trust" comment below.  Additionally, we redirect any user
that attempts to access Remedy MidTier to a registration page that
collects their CAC data to create an AD account.  Once their request is
approved their AD account is added to the Remedy group.  It is not where
we want to be but we have our Remedy MidTier and Production servers on
separate AD Domains.

Thank You for your feedback,
Dave Davis


-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Wixson Carolyn L PSNS
Sent: Friday, October 06, 2006 10:07
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smar t card

Hi!

Here is what we plan on doing so far, only on the mid-tier (6.3):

All of our users are authenticated, so we provide a link for Requesters
to a JSP page that gets the user name and logs them in with it.

Once they are in, an Active link runs a process that calls another JSP
page to get the Windows user name again and compares it to the $USER$.
(This is to ensure that someone does not work-around the auto-login
page.) Both of these JSP pages are based from KM-00010678 "How can I
use my NT domain name to log me directly into the Mid-Tier without
having to be directed to login.jsp?" 

There are other Active links that run to ensure that the login meets
other criteria as well.

This will work if everyone is authenticated, but as you said, it does
not check the certificate. 

On the windows client, it is pretty much available to just Customer
Support and they login. If a user does access the windows client, there
are some Active Links that limit the use, etc.

I am looking at other solutions, but I believe that the above will work
for now. We have not moved this to production yet. We have never used
the Mid-Tier before, but now that we are going to allow requesters to
submit their own tickets, it seems a good way to go.

I hope this helps.

Carolyn Wixson



-Original Message-
From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 7:46
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card


Nothing, yet.  Based on research, seems that it can't be done - you can
set up a "trust" (which our security people get indignant at calling it
that) - meaning, if you want to "trust" that just because someone got on
to a machine with a smart card, you could grab the user name get them
into the system that way.  But you can't have the AR Server and the
client communicate with certificates.

However, on the mid-tier, we can use certificates, as we'll do all of
the authentication work using SiteMinder...

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Davis, David CTR
NAVSURFWARCENDIV Crane, Code 0552
Sent: Thursday, October 05, 2006 1:24 PM
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card

Rebecca

Have you been able to integrate ARS authentication with the PKI
SmartCard yet?  If so, what tools did you use.

Thanks,
Dave Davis
Software Systems Engineer - SAIC
 

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Rebecca Hammond
Sent: Wednesday, September 13, 2006 13:39
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card

Am I the only one who isn't totally confused by the white paper?  I'm
just not clear on how I'm supposed to write an Authenticator of my own,
that handles PKI or SmartCard technology.

Is it just because with SSO, it pulls the information from your OS?

Does anyone have any samples of what these Authenticators might look
like?

Thanks in advance!

-Rebecca Hammond

On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David <[EMAIL PROTECTED]>
wrote:

>Daniel,
>
>  You may want to take a look at the "Integrating BMC Remedy Action 
>Request System with Single Sign-On (SSO)" white paper that was updated 
>for AR System 7.00.00.  It also applies to other client-side login 
>intercept technologies like smart cards or PKI.
>
>It is available on http://supportweb.remedy.com in the Documents 
>section.
>
>David J. Easter
>Sr. Product Manager - BMC Software
>
>-Original Message-
>From: Action Request System discussion list(ARSList) 
>[mailto:[EMAIL PROTECTED] On Behalf Of CONDREA, Daniel
>Sent: Thursday, August 10, 2006 10:53 PM
>To: arslist@ARSLIST.ORG
>Subject: Authenticate an ARS user using a certificate stored on a sma

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-06 Thread Julie Rockwood

Hi James,
This is for ARS 6.3 on Windows
To use the AREA plugin:
Turn on Cross Reference Blank Password from the admin tool
add the following lines to ar.cfg

External-Authentication-RPC-Socket: 390695
Plugin: areasamp.dll

Now the hard part.  You have to take the areasamp.c program that is
supplied with the api and modify the function AREAVerifyLoginCallback to
call a module that you develop (using sockets, I believe) or you get from
your infrastructure people.  Your module will take the user id and
passcode from the login screen (which ARS makes conveniently available to
the function) and return whether it is a Good User or a Bad User.
After you compile it, you copy the areasamp.dll to your AR System folder
where it will be run.

Caveats:  This is not SSO.  BMC was working on an areasso.c to use
instead of areasamp.c.  I don't know how far they got with this.
Also, if the user doesn't enter his passcode correctly the first time into
the mid-tier, ARS will try to call AREAVerifyLoginCallback repeatedly for
each attempt by the user.  Because it is a single use password, this
will not work.  BMC assures me that this is by design, of course.  I've
added a note to my error.jsp that says "If you are trying to login, please
close then restart your browser and try again."  Oddly enough, I've had no
complaints about this.

Julie
At 10:03 AM 10/6/2006, you wrote:
Julie:
Inquiring minds would like to know HOW you did this.

James McKenzie
L-3 GSI

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Julie Rockwood
Sent: Friday, October 06, 2006 8:37 AM
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card

Hi Rebecca,
Maybe you have something more advanced than we have, but we've customized
areasamp.c to take the user supplied login id and passcode and call a
module to authenticate it.  It works great for both the WUT and mid-tier.

Let me know if you have any questions.
Julie
At 08:45 PM 10/5/2006, Rebecca Hammond wrote: 
>Nothing, yet.  Based on research, seems that it
can't be done - you can 
>set up a "trust" (which our security people
get indignant at calling it 
>that) - meaning, if you want to "trust" that
just because someone got 
>on to a machine with a smart card, you could grab the
user name get 
>them into the system that way.  But you can't have
the AR Server and 
>the client communicate with certificates. 
> 
>However, on the mid-tier, we can use certificates, as
we'll do all of 
>the authentication work using SiteMinder... 
> 
>-Original Message- 
>From: Action Request System discussion list(ARSList)

>[
mailto:arslist@ARSLIST.ORG] On Behalf Of Davis, David CTR

>NAVSURFWARCENDIV Crane, Code 0552 
>Sent: Thursday, October 05, 2006 1:24 PM 
>To: arslist@ARSLIST.ORG 
>Subject: Re: Authenticate an ARS user using a
certificate stored on a 
>smart card 
> 
>Rebecca
>
>Have you been able to integrate ARS authentication with the PKI
>SmartCard yet?  If so, what tools did you use?
>
>Thanks,
>Dave Davis
>Software Systems Engineer - SAIC
>
>
>-Original Message-
>From: Action Request System discussion list(ARSList)
>[mailto:arslist@ARSLIST.ORG] On Behalf Of Rebecca Hammond
>Sent: Wednesday, September 13, 2006 13:39
>To: arslist@ARSLIST.ORG
>Subject: Re: Authenticate an ARS user using a certificate stored on a
>smart card
> 
>Am I the only one who isn't totally confused by the white paper?  I'm
>just not clear on how I'm supposed to write an Authenticator of my own,
>that handles PKI or SmartCard technology.
>
>Is it just because with SSO, it pulls the information from your OS?
>
>Does anyone have any samples of what these Authenticators might look
>like?
>
>Thanks in advance!
>
>-Rebecca Hammond
>
>On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David
><[EMAIL PROTECTED]>
>wrote:
> 
> >Daniel,
> >
> >  You may want to take a look at the "Integrating BMC Remedy Action
> >Request System with Single Sign-On (SSO)" white paper that was
> >updated for AR System 7.00.00.  It also applies to other client-side
> >login intercept technologies like smart cards or PKI.
> >
> >It is available on http://supportweb.remedy.com in the Documents
> >section.
> >
> >David J. Easter
> >Sr. Product Manager - BMC Software
> >
> >-Original Message-
> >From: Action Request System discussion list(ARSList)
> >[mailto:arslist@ARSLIST.ORG] On Behalf Of CONDREA, Daniel
> >Sent: Thursday, August 10, 2006 10:53 PM
> >To: arslist@ARSLIST.ORG
> >Subject: Authenticate an ARS user using a certificate stored on a
> >smart card
> >
> >Hi All,
> >
> >Can anybody suggest a way to authenticate an ARS user using a
> >certificate stored on a smart card?
> >
> >The end user can not authenticate with a username and a password.
> >He/she can only authenticate using the certificate stored in the
> >smartcard

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-06 Thread McKenzie, James J C-E LCMC HQISEC/L3
Julie:


Inquiring minds would like to know HOW you did this.


James McKenzie
L-3 GSI
 


-Original Message-
From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Julie Rockwood
Sent: Friday, October 06, 2006 8:37 AM
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a smart card


Hi Rebecca,
Maybe you have something more advanced than we have, but we've customized areasamp.c to take the user supplied login id and passcode and call a module to authenticate it.  It works great for both the WUT and mid-tier.

Let me know if you have any questions.
Julie


At 08:45 PM 10/5/2006, Rebecca Hammond wrote:
>Nothing, yet.  Based on research, seems that it can't be done - you can 
>set up a "trust" (which our security people get indignant at calling it 
>that) - meaning, if you want to "trust" that just because someone got 
>on to a machine with a smart card, you could grab the user name get 
>them into the system that way.  But you can't have the AR Server and 
>the client communicate with certificates.
>
>However, on the mid-tier, we can use certificates, as we'll do all of 
>the authentication work using SiteMinder...
>
>-Original Message-
>From: Action Request System discussion list(ARSList) 
>[mailto:arslist@ARSLIST.ORG] On Behalf Of Davis, David CTR 
>NAVSURFWARCENDIV Crane, Code 0552
>Sent: Thursday, October 05, 2006 1:24 PM
>To: arslist@ARSLIST.ORG
>Subject: Re: Authenticate an ARS user using a certificate stored on a 
>smart card
>
>Rebecca
>
>Have you been able to integrate ARS authentication with the PKI 
>SmartCard yet?  If so, what tools did you use?
>
>Thanks,
>Dave Davis
>Software Systems Engineer - SAIC
>
>
>-Original Message-
>From: Action Request System discussion list(ARSList) 
>[mailto:arslist@ARSLIST.ORG] On Behalf Of Rebecca Hammond
>Sent: Wednesday, September 13, 2006 13:39
>To: arslist@ARSLIST.ORG
>Subject: Re: Authenticate an ARS user using a certificate stored on a 
>smart card
>
>Am I the only one who isn't totally confused by the white paper?  I'm 
>just not clear on how I'm supposed to write an Authenticator of my own, 
>that handles PKI or SmartCard technology.
>
>Is it just because with SSO, it pulls the information from your OS?
>
>Does anyone have any samples of what these Authenticators might look 
>like?
>
>Thanks in advance!
>
>-Rebecca Hammond
>
>On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David 
><[EMAIL PROTECTED]>
>wrote:
>
> >Daniel,
> >
> >  You may want to take a look at the "Integrating BMC Remedy Action 
> >Request System with Single Sign-On (SSO)" white paper that was 
> >updated for AR System 7.00.00.  It also applies to other client-side 
> >login intercept technologies like smart cards or PKI.
> >
> >It is available on http://supportweb.remedy.com in the Documents 
> >section.
> >
> >David J. Easter
> >Sr. Product Manager - BMC Software
> >
> >-Original Message-
> >From: Action Request System discussion list(ARSList) 
> >[mailto:arslist@ARSLIST.ORG] On Behalf Of CONDREA, Daniel
> >Sent: Thursday, August 10, 2006 10:53 PM
> >To: arslist@ARSLIST.ORG
> >Subject: Authenticate an ARS user using a certificate stored on a
> >smart card
> >
> >Hi All,
> >
> >Can anybody suggest a way to authenticate an ARS user using a
> >certificate stored on a smart card?
> >
> >The end user can not authenticate with a username and a password.
> >He/she can only authenticate using the certificate stored in the
> >smartcard.
> >
> >Best regards,
> >Daniel Condrea
> >
> >--
> >
> >*DISCLAIMER*
> >
> >The information contained in this communication is confidential and
> >may be legally privileged. It is intended solely for the use of the
> >individual or entity to whom it is addressed and others authorized to
> >receive it. If you are not the intended recipient you are hereby
> >notified that any disclosure, copying, distribution or taking action
> >in reliance of the contents of this information is strictly prohibited
> >and may be unlawful. Orange Romania S.A. is neither liable for the
> >proper, complete transmission of the information contained in this
> >communication nor any delay in its receipt.
> >
> >*END OF DISCLAIMER*
> >
> >UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-10-06 Thread Wixson Carolyn L PSNS
Hi!

Here is what we plan on doing so far, only on the mid-tier (6.3):

All of our users are authenticated, so we provide a link for Requesters to a
JSP page that gets the user name and logs them in with it.

Once they are in, an Active link runs a process that calls another JSP page
to get the Windows user name again and compares it to the $USER$. (This is
to ensure that someone does not work-around the auto-login page.) Both of
these JSP pages are based from KM-00010678 "How can I use my NT domain
name to log me directly into the Mid-Tier without having to be directed to
login.jsp?" 

There are other Active links that run to ensure that the login meets other
criteria as well.

This will work if everyone is authenticated, but as you said, it does not
check the certificate. 

On the windows client, it is pretty much available to just Customer Support
and they login. If a user does access the windows client, there are some
Active Links that limit the use, etc.

I am looking at other solutions, but I believe that the above will work for
now. We have not moved this to production yet. We have never used the
Mid-Tier before, but now that we are going to allow requesters to submit
their own tickets, it seems a good way to go.

I hope this helps.

Carolyn Wixson
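
The re-check described above (Windows login compared with $USER$), written as a stand-alone Java helper that a JSP could call and that fails closed when the login is missing or malformed. This is an added example, not part of the original post or of KM-00010678; the class name, the trusted-domain list and the sample logins are assumptions.

```java
import java.util.Locale;
import java.util.Set;

public final class RemoteUserCheck {
    // Assumption: the Windows domains whose logins are trusted (constructed values).
    private static final Set<String> TRUSTED_DOMAINS = Set.of("EXAMPLE", "EXAMPLE.COM");

    /** Bare account name, or null when the value is missing, malformed or untrusted. */
    static String accountName(String remoteUser) {
        if (remoteUser == null || remoteUser.isBlank()) {
            return null; // request.getRemoteUser() is null when the request was not authenticated
        }
        String value = remoteUser.trim();
        int slash = value.lastIndexOf('\\');
        int at = value.lastIndexOf('@');
        String domain, account;
        if (slash >= 0) {            // DOMAIN\account
            domain = value.substring(0, slash);
            account = value.substring(slash + 1);
        } else if (at >= 0) {        // account@domain
            account = value.substring(0, at);
            domain = value.substring(at + 1);
        } else {
            return null;             // no domain part, so nothing says who vouched for the name
        }
        if (!TRUSTED_DOMAINS.contains(domain.toUpperCase(Locale.ROOT))) {
            return null;
        }
        // Conservative character set, because the name is later written into a page.
        return account.matches("[A-Za-z0-9._-]{1,64}") ? account : null;
    }

    /** True only when both values are present and name the same account. */
    static boolean sameUser(String remoteUser, String arUser) {
        String account = accountName(remoteUser);
        // Assumption: login names are compared without regard to case.
        return account != null && arUser != null && account.equalsIgnoreCase(arUser.trim());
    }

    public static void main(String[] args) {
        // Constructed sample values: remote user first, AR System $USER$ second.
        String[][] samples = {
            {"EXAMPLE\\jdoe", "jdoe"}, {"OTHER\\jdoe", "jdoe"},
            {null, "jdoe"}, {"EXAMPLE\\jdoe", "asmith"}};
        for (String[] s : samples) {
            System.out.println(s[0] + " vs " + s[1] + " -> " + sameUser(s[0], s[1]));
        }
    }
}
```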



-Original Message-
From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 7:46
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card


Nothing, yet.  Based on research, seems that it can't be done - you can set
up a "trust" (which our security people get indignant at calling it that) -
meaning, if you want to "trust" that just because someone got on to a
machine with a smart card, you could grab the user name get them into the
system that way.  But you can't have the AR Server and the client
communicate with certificates.

However, on the mid-tier, we can use certificates, as we'll do all of the
authentication work using SiteMinder...

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Davis, David CTR NAVSURFWARCENDIV
Crane, Code 0552
Sent: Thursday, October 05, 2006 1:24 PM
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a smart
card

Rebecca

Have you been able to integrate ARS authentication with the PKI
SmartCard yet?  If so, what tools did you use?

Thanks,
Dave Davis
Software Systems Engineer - SAIC
 

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Rebecca Hammond
Sent: Wednesday, September 13, 2006 13:39
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card

Am I the only one who isn't totally confused by the white paper?  I'm
just not clear on how I'm supposed to write an Authenticator of my own,
that handles PKI or SmartCard technology.

Is it just because with SSO, it pulls the information from your OS?

Does anyone have any samples of what these Authenticators might look
like?

Thanks in advance!

-Rebecca Hammond

On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David <[EMAIL PROTECTED]>
wrote:

>Daniel,
>
>  You may want to take a look at the "Integrating BMC Remedy Action 
>Request System with Single Sign-On (SSO)" white paper that was updated 
>for AR System 7.00.00.  It also applies to other client-side login 
>intercept technologies like smart cards or PKI.
>
>It is available on http://supportweb.remedy.com in the Documents 
>section.
>
>David J. Easter
>Sr. Product Manager - BMC Software
>
>-Original Message-
>From: Action Request System discussion list(ARSList) 
>[mailto:[EMAIL PROTECTED] On Behalf Of CONDREA, Daniel
>Sent: Thursday, August 10, 2006 10:53 PM
>To: arslist@ARSLIST.ORG
>Subject: Authenticate an ARS user using a certificate stored on a smart
>card
>
>Hi All,
>
>Can anybody suggest a way to authenticate an ARS user using a 
>certificate stored on a smart card?
>
>The end user can not authenticate with a username and a password. 
>He/she can only authenticate using the certificate stored in the
>smartcard.
>
>Best regards,
>Daniel Condrea
>

Re: Authenticate an ARS user using a certificate stored on a smart card

2006-09-13 Thread Wixson Carolyn L PSNS
We are in the same boat. We need to Authenticate with Common Access Cards
(CAC). (The CAC has PKI installed on it.)

We are upgrading from 5.1.2 to 6.3 and then we will try to figure the
authentication issue out.

I got a bit confused when I read through the SSO information. I am hoping
that it will make more sense when we actually try to implement it. 

My fear is that SSO just authenticates to the Windows login, not the CAC,
PKI, or smart card as in your situation.


Carolyn Wixson


-Original Message-
From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 13, 2006 11:39
To: arslist@ARSLIST.ORG
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card


Am I the only one who isn't totally confused by the white paper?  I'm just 
not clear on how I'm supposed to write an Authenticator of my own, that 
handles PKI or SmartCard technology.

Is it just because with SSO, it pulls the information from your OS?

Does anyone have any samples of what these Authenticators might look like?

Thanks in advance!

-Rebecca Hammond

On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David <[EMAIL PROTECTED]> 
wrote:

>Daniel,
>
>  You may want to take a look at the "Integrating BMC Remedy Action
>Request System with Single Sign-On (SSO)" white paper that was updated
>for AR System 7.00.00.  It also applies to other client-side login
>intercept technologies like smart cards or PKI.
>
>It is available on http://supportweb.remedy.com in the Documents
>section.
>
>David J. Easter
>Sr. Product Manager - BMC Software
>
>-Original Message-
>From: Action Request System discussion list(ARSList)
>[mailto:[EMAIL PROTECTED] On Behalf Of CONDREA, Daniel
>Sent: Thursday, August 10, 2006 10:53 PM
>To: arslist@ARSLIST.ORG
>Subject: Authenticate an ARS user using a certificate stored on a smart
>card
>
>Hi All,
>
>Can anybody suggest a way to authenticate an ARS user using a
>certificate stored on a smart card?
>
>The end user can not authenticate with a username and a password. He/she
>can only authenticate using the certificate stored in the smartcard.
>
>Best regards,
>Daniel Condrea
>