Configure Client Certificate or Smart Card Authentication
Client certificate authentication configures OMi to require a client certificate when users log in to OMi and when web services or data collectors connect to OMi. Depending on the deployment, you can configure OMi to authenticate the client on the OMi web server or, if one is in front of OMi, on the load balancer.
To configure client certificate authentication for OMi, complete the following steps in the OMi configuration wizard. Before you enable client certificate authentication, OMi must already be configured and a user with Super-Admin permissions must exist in OMi.
Configuring smart card authentication is similar to configuring client certificate authentication, except that you must additionally select the option Enforce use of smart card certificates in the configuration wizard.
Learn more
Smart cards are physical devices used to identify users in secure systems. These cards can be used to store certificates both verifying the user's identity and allowing access to secure environments.
OMi can be configured to use these certificates in place of the standard model in which each user manually enters a user name and password. You define how the user name is extracted from the certificate stored on each card.
When smart cards are enforced in OMi, users can only log in with the smart card. Logging in by manually typing a user name and password is locked for all users until smart card configuration is disabled.
Supported Data Collectors
- OpsCx
- Data Flow Probe
- SiteScope
Supported Integrations
- Application Performance Management (APM)
- Operations Orchestration
- Service Manager
- UCMDB
Tasks
- Make sure OMi is already configured and running.
- Create an OMi super-admin user and optionally other OMi users:
- Log into OMi and navigate to user management: Administration > Users > Users, Groups, and Roles. Alternatively, click Users, Groups, and Roles.
- Create a new user and click Super-Admin to assign all permissions to the user. Create additional users as required.
- Take note of each user's log-in name (case sensitive). The log-in name must be embedded in an attribute of the user's client certificate; you choose that attribute when you run the configuration wizard.
- Obtain certificates from your Certificate Authority (CA):
- Obtain the root CA certificate and any intermediate CA certificates of the CA.
- Obtain client authentication certificates from your CA for each OMi user. Make sure each certificate carries the user's log-in name in one of its attributes (the Subject emailAddress or a Subject Alternative Name entry); you choose the attribute when you run the configuration wizard. Note: Use the strongest currently available cryptographic algorithms and the largest practical key size (not less than 2048-bit RSA keys). For the latest NIST-approved algorithms and key lengths, see http://csrc.nist.gov/publications/PubsFIPS.html.
- Verify that the client authentication certificate is correct.
- Double-click the client authentication certificate installed on your Windows machine. The Certificate dialog box opens.
- Click the Details tab.
- Click Enhanced Key Usage.
- Verify that Client Authentication with object identifier (OID) 1.3.6.1.5.5.7.3.2 is listed. A certificate whose Enhanced Key Usage does not include this OID is not accepted for TLS client authentication.
- If your OMi front-end server is a load balancer or reverse proxy, perform the following steps:
- Follow the standard procedures for requiring a client authentication certificate specified on your reverse proxy. For details, see the third party documentation of your reverse proxy.
- Pass the client authentication certificate details in a header to the OMi gateway server. This procedure describes the general settings that are required; see your web server documentation for the details, and How to manually configure reverse proxy for smart cards below.
- Stop OMi.
- Start the OMi configuration wizard:
<OMi_HOME>/bin/config-server-wizard.[bat|sh]
- Proceed through the wizard. In the Client Certificate Authentication page, select the authentication option:
- Authentication on OMi web server.
- Select the certificate of the CA that issued the client certificates. The certificate file must be PEM-encoded. If more than one CA is involved in issuing the client authentication certificates (for example, there is an intermediate CA), create a chain file as for Apache: concatenate the PEM-encoded certificates of the intermediate CA(s) and the root CA into one .pem file and select that file.
- Choose how OMi checks whether the client certificate has been revoked:
- None. OMi does not check the revocation status; a certificate that the CA has revoked is still accepted until it expires.
- OCSP URL from certificate. OMi sends an OCSP request to the URL provided in the client certificate and evaluates the OCSP response to determine the revocation status of the certificate.
- Local CRL file (PEM-encoded). OMi checks the revocation status in a CRL file local to the gateway server. Make sure the CRL file on the gateway server is the latest one available from your CA; a stale CRL does not list recently revoked certificates.
Tip The following example converts a revocation list from DER (.crl) to PEM format:
<OMi_HOME>/WebServer/bin>openssl crl -inform DER -outform PEM -in <path to .crl> -out <path to .pem to be created>
- Specify the certificate data that is used for authentication:
- Attribute used to identify users. If the Subject has an attribute called E, Email, emailaddress, email address, e-mail address, e-mailaddress, rfc822 name, or rfc822name, select SubjectDN in the Attribute used to identify users field and enter that attribute (for example, E) in the Relevant part of the attribute field. If the Subject does not contain one of the attributes listed above, select Subject Alternative Name in the Attribute used to identify users field and enter the attribute name (not its value) in the Relevant part of the attribute field. The attribute name may be one of the following: Principal Name, Principalname, other name, principalname, principal name, or Microsoft principal name.
- Relevant part of the attribute (for example, CN). The attribute you enter here must be the user's unique identifier, because its value is matched against the OMi log-in name. You can find the certificate attributes in the certificate details; in Internet Explorer, these can be viewed from Tools > Internet Options > Content > Certificates > Personal > Details > Subject or Subject Alternative Name.
- Optional. Click Enforce use of smart card certificates to configure OMi to always require a smart card when a user logs on.
- Click Next to continue.
- Authentication on load balancer.
- Specify the certificate data that is used for authentication (Attribute used to identify users and Relevant part of the attribute) exactly as described for Authentication on OMi web server above.
- Optional. Click Enforce use of smart card certificates to configure OMi to always require a smart card when a user logs on.
- Click Next to continue.
- Complete the remaining wizard pages and enable OMi again.
- Enable smart card authentication on the data collector or component servers. For details, see the following help centers:
- OpsCx. See the OpsCx Help.
- SiteScope. See the SiteScope Help.
- Distribute the client certificates to the OMi users and data collectors.
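The certificate checks in the task list above (the Enhanced Key Usage check, the CA chain the wizard is pointed at, and the choice of the attribute that carries the log-in name) can be scripted on the machine that holds the PEM files. The following is an added example, not part of the OMi documentation or product: it uses only the openssl command-line tool, and the throwaway demo CA, the file names and the login name alice@example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OMi's own tooling): pre-flight checks on a client
# certificate before it is given to the OMi configuration wizard. Reproduces the
# page's manual checks with openssl: the Client Authentication EKU
# (OID 1.3.6.1.5.5.7.3.2, printed by openssl as "TLS Web Client Authentication"),
# an RSA key of at least 2048 bits, a valid chain to the CA file the wizard will
# be given, and a login name in the Subject emailAddress or the SAN.
# Requires the openssl command-line tool (1.1.1 or later).

# Print the public key size in bits of the PEM certificate $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 if $1 carries the Client Authentication extended key usage.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Exit 0 if $1 validates as a TLS client certificate against the CA chain $2
# (PEM file with the root and any intermediate CA certificates concatenated,
# the same format the wizard and Apache expect).
cert_chains_to_ca() {
    openssl verify -purpose sslclient -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the login name OMi would extract: the Subject emailAddress (wizard
# choice SubjectDN) if present, otherwise an email or UPN entry of the
# Subject Alternative Name (wizard choice Subject Alternative Name).
cert_login_name() {
    name=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *emailAddress=//p' | head -n 1)
    if [ -z "$name" ]; then
        name=$(openssl x509 -in "$1" -noout -text \
            | sed -n -E 's/.*(email|UPN)::?([^, ]*).*/\2/p' | head -n 1)
    fi
    printf '%s\n' "$name"
}

# Run every check on certificate $1 against CA chain $2. Prints one line per
# failed check and exits non-zero if any check failed.
check_client_cert() {
    rc=0
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
        || { echo "FAIL: key size ${bits:-unknown} bits is below 2048"; rc=1; }
    cert_has_client_auth "$1" \
        || { echo "FAIL: no Client Authentication EKU (1.3.6.1.5.5.7.3.2)"; rc=1; }
    cert_chains_to_ca "$1" "$2" \
        || { echo "FAIL: does not chain to the CA file $2"; rc=1; }
    [ -n "$(cert_login_name "$1")" ] \
        || { echo "FAIL: no emailAddress or SAN email/UPN to map to an OMi login name"; rc=1; }
    return $rc
}

# Constructed throwaway PKI (an assumption for offline demonstration, not a
# real OMi CA): writes ca.pem, good.pem (client certificate for the login name
# alice@example.com) and bad.pem (a server certificate) into directory $1.
make_demo_certs() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\nsubjectAltName=email:alice@example.com,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@example.com\n' > "$d/good.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=alice/emailAddress=alice@example.com" \
        -keyout "$d/good.key" -out "$d/good.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/good.ext" -out "$d/good.pem" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' > "$d/bad.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=omi.example.com" \
        -keyout "$d/bad.key" -out "$d/bad.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$d/bad.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/bad.ext" -out "$d/bad.pem" 2>/dev/null
}

# Usage: sh check-client-cert.sh <client.pem> <ca-chain.pem>
if [ "$#" -eq 2 ]; then
    check_client_cert "$1" "$2" && echo "OK: $1 is usable for OMi client certificate authentication"
fi
```

Run it against each user certificate and the PEM chain file you will hand to the wizard; a certificate that fails the chain check here will also fail at the web server, and an empty login name means the wizard's Relevant part of the attribute field has nothing to match against the OMi user.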
How to manually configure reverse proxy for smart cards
This procedure describes the general settings that are required on the reverse proxy; refer to the web server documentation for the details. Perform it before you restart the OMi gateway servers to enable smart card authentication.
For the Apache web server:
- Prerequisite. Apache is already configured to require a client certificate (SSLVerifyClient require) and to export the certificate data (SSLOptions +ExportCertData); without the latter, the SSL_CLIENT_CERT variable used below is empty.
- In httpd.conf, enable mod_headers.so (uncomment its LoadModule line).
- In httpd-ssl.conf, add the following line before </VirtualHost>:
RequestHeader set CLIENT_CERT_HEADER "%{SSL_CLIENT_CERT}s"
Because RequestHeader set replaces any CLIENT_CERT_HEADER value a client sends, the gateway server receives only the certificate that the proxy verified. Make sure the gateway server is reachable only through the proxy; any client that can connect to the gateway directly could supply its own value for this header.
In some cases, the OMi server itself acts as a client towards other servers and must present a client authentication certificate. If this is the case, perform the following steps once.
For example, this is required when a data collector such as SiteScope requires a client authentication certificate (for example, when smart card authentication is enforced on the data collector).
- Obtain a software client authentication certificate from your CA, issued to a user with the appropriate permissions for this integration. You can use one of the certificates you obtained at the beginning of How to configure client certificate or smart card authentication.
- If the certificate is not already in Java keystore (JKS) format, convert it to JKS. For example, if your certificate is in PFX (PKCS#12) format:
keytool.exe -importkeystore -srckeystore c:\certificate.pfx -destkeystore c:\certificate.jks -srcstoretype PKCS12
- Open <OMi_HOME>/application-server/bin/standalone.conf[.bat|.sh] on all OMi gateway and data processing servers and make the following changes on each server:
- Locate the following line in the file (Windows syntax shown):
set "JAVA_OPTS=%JAVA_OPTS% -Dtopaz.home=%PRODUCT_HOME_PATH%"
- Insert the following lines right after it:
set SECURITY_OPTS=-Djavax.net.ssl.keyStore=<path to certificate.jks> -Djavax.net.ssl.keyStorePassword=<keystore password> -Djavax.net.ssl.keyStoreType=JKS
set JAVA_OPTS=%JAVA_OPTS% %SECURITY_OPTS%
The keystore password is stored in clear text in standalone.conf, and the keystore is presented by default for every outbound TLS connection from the JVM that asks for a client certificate, so restrict read access to both files to the OMi service account.
Troubleshooting
- User names are case sensitive.
- When creating an admin user as directed in the smart card authentication wizard, make sure you set a strong password even though no password is needed to authenticate with a smart card. If smart card authentication is later disabled, the user still exists on the system, and a weak password would then allow password log-in.
- The following integration is not supported:
- UCMDB - OMi Downtime Integration
Problem: When configuring smart card authentication, OMi fails during setup with a timeout failure.
Solution: Increase the value of the process.launcher.time.out parameter. The default is 60 seconds.
- In a text editor, open <OMi_HOME>/conf/settings/security.xml.
- Locate the parameter process.launcher.time.out.
- In the line <value type='number'>60</value>, increase the value.
Note This procedure should only be used if you cannot access OMi normally.
If you cannot log in to OMi using any smart card and want to disable smart card authentication, run the opr-tls-config command-line interface with the -disable option. See also opr-tls-config Command-Line Interface.
To run the OMi command-line tools while client certificate authentication is enabled:
- Request a client certificate for a service account (if a smart card is not required). The certificate is associated with an email address, for example [email protected].
- Create a new user for [email protected] in OMi. The user must have either administrative rights or the Node Editor permission.
- Create a Java keystore from the certificate:
<OMi_Home>\JRE\bin\keytool -importkeystore -srckeystore cli-user.p12 -srcstoretype pkcs12 -destkeystore cert.jks
Note The keystore password must be the same as the password used to import the certificate.
- You can now run the CLI tools with the -jks option, for example:
opr-agt -jks C:\<OMi_Home>\keystore -jp <java-keystore-password> -status -all
The password given with -jp is visible in the process list and in the shell history, so run such commands only on the OMi server and from an account that is restricted to administrators.
This step configures OMi to require a client certificate only for the login page and not for other URLs. After smart card authentication is enabled, OMi requires CAC authentication for all requests, including data collector API/REST calls. If you do not need client certificate authentication between data collectors and OMi (TLS only), do the following:
- Configure the Apache web server:
- In the <OMi_HOME>/WebServer/conf/extra/cac-impl-login.tpl.conf file, locate the following section:
SSLCACertificateFile "${TOPAZ_HOME}/WebServer/conf/client_ca_root.pem"
#SSLOCSPEnable on
#SSLCARevocationCheck chain
#SSLCARevocationFile @@CRL_REV_FILE@@
<LocationMatch ".*/topaz/login.jsp|@@WS_URLS@@">
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +ExportCertData
</LocationMatch>
- Remove the part |@@WS_URLS@@ from the LocationMatch pattern so that it reads <LocationMatch ".*/topaz/login.jsp">; SSLVerifyClient require then applies to the login page only.
- Save the modified file.
- Change the LW-SSO settings to exclude the web services:
- Execute the following command:
Linux: <OMi_HOME>/opr/support/opr-jmxClient.sh -r -s localhost:4447 -b "Topaz:service=LW-SSO Configuration" -m invokeGetInternalLwConf
Windows: <OMi_HOME>\opr\support\opr-jmxClient.bat -r -s localhost:4447 -b "Topaz:service=LW-SSO Configuration" -m invokeGetInternalLwConf
- Check whether the output contains .*/opr.*/rest.* in the Rest URLs section, for example:
Rest URLs
Rest URL = .*/opr.*/rest.*
- If the output does not contain that line, add the URL by running the following command:
Linux: <OMi_HOME>/opr/support/opr-jmxClient.sh -r -s localhost:4447 -b "Topaz:service=LW-SSO Configuration" -m addRestUrl -a .*/opr.*/rest.*
Windows: <OMi_HOME>\opr\support\opr-jmxClient.bat -r -s localhost:4447 -b "Topaz:service=LW-SSO Configuration" -m addRestUrl -a .*/opr.*/rest.*
- Restart OMi.
- If you cannot log in to OMi after the restart, check that the client certificate handler is enabled:
- Open the JMX console on the gateway server by navigating to https://localhost:29000/ in a web browser.
- Go to Topaz:service=LW-SSO Configuration.
- Look for ClientCertificateInboundHandlerEnabled. When a public key infrastructure (PKI) is enabled, this setting must be true. If it is false, change it to true and click set.
- Restart OMi again.