Configuring i2 Analyze

To enable a user to log in using a client certificate, you must modify some of the configuration files for i2 Analyze.

About this task

Add a rewrite rule that enables client authentication on the IBM HTTP Server to the i2 Analyze configuration. Then, update the web.xml file for the application to enable client certificate authentication.

If you follow this procedure for a deployment that provides high availability, you must complete each step on every Liberty server in your environment before you move to the next step.

Procedure

  1. Using a text editor, open the configuration\environment\proxy\http-custom-rewrite-rules.txt file. Add the following line between the !Start_After_Rules! and !End_After_Rules! lines to enable client certificate authentication:
    SSLClientAuth Optional
  2. In an XML editor, open the toolkit\configuration\environment\topology.xml file.
    1. Add a child <key-store> element to the <key-stores> element.
      For your truststore, specify the type as trust-store and file as the full path to your truststore.
      For example, add the attribute as highlighted in the following code:
      <application http-server-host="true" name="opal-server"
        host-name="hostname" secure-connection="true">
      ...
          <key-stores>
              <key-store type="key-store"
                file="C:/i2/i2analyze/i2-liberty-keystore.jks"/>
              <key-store type="trust-store" 
                file="C:/i2/i2analyze/i2-liberty-truststore.jks"/>
          </key-stores>
      ...
      </application>
    2. Specify the truststore password in the credentials file. In a text editor, open the toolkit\configuration\environment\credentials.properties file and enter a password for the truststore that you specified in the topology.xml file.
      ssl.truststore.password=password
  3. Use an XML editor to modify the toolkit\configuration\fragments\opal-services\WEB-INF\web.xml file.
    Comment out the following lines so that form based authentication is not used:
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/login.html?failed</form-error-page>
        </form-login-config>
    </login-config>
    In the login configuration section, add the following lines to define the client certificate authentication method:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>WebRealm</realm-name>
    </login-config>
  4. In a command prompt, navigate to the toolkit\scripts directory.
  5. Stop Liberty:
    setup -t stopLiberty
  6. Update the i2 Analyze application:
    setup -t deployLiberty
  7. Start Liberty:
    setup -t startLiberty
  8. Using an XML editor, open the wlp\usr\servers\opal-server\server.xml file.
    1. Modify the <ssl> element with the id defaultSSLConfig to include clientAuthenticationSupported="true".
      For example:
      <ssl clientAuthenticationSupported="true"
        id="defaultSSLConfig"
        keyStoreRef="defaultKeyStore"
        trustStoreRef="defaultTrustStore"/>
    2. Modify the <httpDispatcher> element to include trustedSensitiveHeaderOrigin="*".
      For more information about the values that you can provide for the trustedSensitiveHeaderOrigin attribute, see HTTP Dispatcher (httpDispatcher).
      For example:
      <httpDispatcher enableWelcomePage="false"
        trustedSensitiveHeaderOrigin="*"/>

Results

The i2 Analyze application is configured to allow client certificate authentication.