How to setup DoD PKI authentication via Common Access Card (CAC) in the Web Reports

Article ID: 438
Category: Web Reports
Applies to: v3.0 or later
Updated: 2023-03-02

Step 1: Prepare the Certificate

Open a command prompt as an administrator and navigate to the following folder (depends on where you installed EventSentry):
cd "\Program Files\EventSentry\WebReports\jre\bin"


Step 2: Use a Certificate Authority Keystore

Run the following command to generate a keystore:
keytool.exe -genkey -alias eventsentry -keyalg RSA -keystore eventsentry.jks
In this example the password is "changeit". Use the FQDN of the machine for the "First and last name" value.

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  server.domain.local

Create the certificate request:

keytool.exe -certreq -keyalg RSA -alias eventsentry -file certreq.req -keystore eventsentry.jks

Follow the instructions from your CA on submitting the certificate request. You will use the certreq.req file created in the last step. In this example, the CA provided a ZIP file containing a chain of certificates.

If your CA recommends specific instructions, follow those instead of the ones here. In our case, these were the steps we had to take to import the certificates.

keytool.exe -importcert -alias AddTrustExternalCARoot -file c:\certs\AddTrustExternalCARoot.crt -keystore eventsentry.jks
keytool.exe -importcert -alias ComodoUTNSGCCA -file c:\certs\ComodoUTNSGCCA.crt -keystore eventsentry.jks
keytool.exe -importcert -alias EssentialSSLCA_2 -file c:\certs\EssentialSSLCA_2.crt -keystore eventsentry.jks
keytool.exe -importcert -alias UTNAddTrustSGCCA -file c:\certs\UTNAddTrustSGCCA.crt -keystore eventsentry.jks

Once the chain is complete, import the new server-specific certificate provided by the CA:
keytool.exe -importcert -alias eventsentry -file c:\certs\<servername_domain_local>.crt -keystore eventsentry.jks


Step 3: Configure the Web Reports to Use Your Keystore

Move the keystore to the conf folder:
move eventsentry.jks "C:\Program Files\EventSentry\WebReports\conf"

Configure an SSL connector by editing the server.xml file, by default located in:
C:\Program Files\EventSentry\WebReports\web\conf\server.xml

Look for the first instance of "<Connector.../>" and insert the following below that section, making sure the "keystorePass" and "keystoreFile" lines match your particular instance:

    <!-- SSL "Connector" -->
    <Connector port="8443" relaxedQueryChars="[]" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" disableUploadTimeout="true" enableLookups="false"
               sslProtocol="TLS" scheme="https" secure="true"
               SSLEnabled="true" keystorePass="changeit"
               keyAlias="eventsentry"
               keystoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks"
               SSLVerifyClient="require"
               truststoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks"
               truststorePass="changeit"
               clientAuth="true"
               />

clientAuth
Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection.
Set to want if you want the SSL stack to request a client certificate, but not fail if one isn't presented.
A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

SSLVerifyClient
This requires a valid certificate chain from the client before accepting a connection.

truststoreFile
This is the keystore where the CA and signed certificates are stored; it can be the same file as your keystoreFile.


If you would also like to disable HTTP, look for this connector:

<Connector port="8080" relaxedQueryChars="[]" protocol="HTTP/1.1"
              connectionTimeout="20000"
              redirectPort="8443" />

Either delete it or comment it out (enclose it in <!-- and -->).
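As an added check for Step 3 (example code written for this article, not part of EventSentry or Tomcat), the following Python script audits a server.xml for the two settings that actually enforce CAC authentication: every SSL connector must have clientAuth="true" (a value of "want" lets a browser without a CAC connect), and no plain HTTP connector may remain. It also flags the well-known default keystore password "changeit" used in the example above. The sample XML embedded in the script is constructed for the demonstration and deliberately contains both mistakes; the harden() function applies the same fixes the steps above describe so the result can be re-audited.

```python
"""Audit a Tomcat server.xml for the client-certificate (CAC) settings from Step 3.

Example code added for this article; the sample XML below is constructed and
is not copied from a real installation.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the default HTTP connector is still present alongside
# the HTTPS connector, and clientAuth was left at "want" by mistake.
SAMPLE_SERVER_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" relaxedQueryChars="[]" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- SSL "Connector" -->
    <Connector port="8443" relaxedQueryChars="[]"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" disableUploadTimeout="true" enableLookups="false"
               sslProtocol="TLS" scheme="https" secure="true"
               SSLEnabled="true" keystorePass="changeit"
               keyAlias="eventsentry"
               keystoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks"
               SSLVerifyClient="require"
               truststoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks"
               truststorePass="changeit"
               clientAuth="want" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def _is_ssl(connector):
    """True when the connector element carries SSLEnabled="true"."""
    return connector.get("SSLEnabled", "false").lower() == "true"


def audit_connectors(xml_text):
    """Return a list of findings; an empty list means the file matches the intended setup.

    Connectors that were commented out are dropped by the XML parser, so commenting
    out the 8080 connector (as the article suggests) clears that finding too.
    """
    root = ET.fromstring(xml_text)
    findings = []
    connectors = list(root.iter("Connector"))
    ssl_connectors = [c for c in connectors if _is_ssl(c)]

    if not ssl_connectors:
        findings.append('no connector has SSLEnabled="true"')

    for c in ssl_connectors:
        port = c.get("port", "?")
        client_auth = c.get("clientAuth", "false").lower()
        # "want" only requests a certificate and "false" never asks for one;
        # only "true" refuses connections without a valid client chain.
        if client_auth != "true":
            findings.append(f'port {port}: clientAuth is "{client_auth}", must be "true"')
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f"port {port}: scheme/secure not set to https/true")
        for attr in ("keystoreFile", "truststoreFile", "keyAlias"):
            if not c.get(attr):
                findings.append(f"port {port}: {attr} is missing")
        for attr in ("keystorePass", "truststorePass"):
            if c.get(attr) == "changeit":
                findings.append(f'port {port}: {attr} is the well-known default "changeit"')

    for c in connectors:
        if not _is_ssl(c):
            findings.append(f"port {c.get('port', '?')}: plain HTTP connector still active; delete or comment it out")
    return findings


def harden(xml_text):
    """Apply the fixes from Step 3: require a client certificate on every SSL
    connector and remove every plain-HTTP connector. Returns the new XML text."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag != "Connector":
                continue
            if _is_ssl(child):
                child.set("clientAuth", "true")
                child.set("SSLVerifyClient", "require")
            else:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # To check a real file instead: audit_connectors(open(path, encoding="utf-8").read())
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
    print("after harden():", audit_connectors(harden(SAMPLE_SERVER_XML)))
```

Run it against a copy of your own server.xml before restarting the service; the password findings remain as a reminder to replace "changeit" on a production keystore, while the clientAuth and HTTP-connector findings should be empty once Step 3 is complete.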


Step 4: Restart EventSentry Web Reports service

After restarting the "EventSentry Web Reports" service, navigate to https://server.domain.local:8443 to test and access the web reports through SSL.