Configuring the Server to Support PKI Certificates

Before you can use PKI certificates for authentication, you must configure the server to expect certificate-based authentication when access is requested.

To configure the server to support use of PKI Certificates for authentication:

  1. Navigate to the Tomcat conf directory. For example: ..\Common\Tomcat 8.0\conf
  2. Edit the following file: server.xml
  3. Copy and paste the following Connector entry into the file to create a new Connector entry. In this example, the port is 8643. Make sure the port number is not already used by an existing Connector entry, and make sure the clientAuth value is set to true, as shown.
    <!-- HTTPS connector that requires a client certificate (clientAuth="true") -->
    <Connector port="8643" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100"
               keystoreFile="conf/sample-ssl.jks"
               keystorePass="serena" keyAlias="tomcat"
               truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
               clientAuth="true" />

This tells Tomcat that the server can be accessed only if the user provides a certificate in the request. If you try logging into Deployment Automation and don't have a valid certificate in your browser, you will receive the following message:

Certificate-based authentication failed
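
One way to check the edit from step 3 before restarting Tomcat, as an added example that is not part of the product documentation: it parses the text of server.xml and reports a reused port or a missing clientAuth="true" on the PKI connector. The function name audit_pki_connector and the embedded server.xml are assumptions made for the example, and the deprecated-protocol check goes beyond what this page requires.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal server.xml holding one existing connector and
# the PKI connector from step 3 (trimmed to the attributes the check reads).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8643" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
               keystoreFile="conf/sample-ssl.jks" keystorePass="serena"
               truststoreFile="conf/sample-ssl.jks" truststorePass="serena"
               clientAuth="true" />
  </Service>
</Server>"""

DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568, RFC 8996


def audit_pki_connector(server_xml, pki_port):
    """Return a list of findings for the Connector(s) listening on pki_port."""
    port = str(pki_port)
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    matches = [c for c in connectors if c.get("port") == port]
    if not matches:
        return [f"no Connector found on port {port}"]
    findings = []
    # Step 3: the new port must not repeat the port of an existing Connector.
    if len(matches) > 1:
        findings.append(f"port {port} is used by {len(matches)} Connector entries")
    for conn in matches:
        if conn.get("SSLEnabled", "false").lower() != "true":
            findings.append("SSLEnabled is not true")
        # Step 3: clientAuth must be "true" so a client certificate is required.
        if conn.get("clientAuth", "false").lower() != "true":
            findings.append("clientAuth is not true; client certificates are not required")
        enabled = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",")}
        weak = sorted(enabled & DEPRECATED_PROTOCOLS)
        if weak:
            findings.append("deprecated protocols enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for finding in audit_pki_connector(SAMPLE_SERVER_XML, 8643):
        print("FINDING:", finding)
```

To audit a real installation, pass the contents of conf/server.xml and the port chosen for the new Connector.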