Configuring i2 Analyze
To enable a user to log in using a client certificate, you must modify some of the configuration files for i2 Analyze.
About this task
Add a rewrite rule to the i2 Analyze configuration that enables client authentication on the IBM HTTP Server. Then, update the web.xml file for the application to enable client certificate authentication.
If you follow this procedure for a deployment that provides high availability, you must complete each step on every Liberty server in your environment before you move to the next step.
Procedure
Using a text editor, open the configuration\environment\proxy\http-custom-rewrite-rules.txt file. Add the following line between the !Start_After_Rules! and !End_After_Rules! lines to enable client certificate authentication:
SSLClientAuth Optional
In an XML editor, open the toolkit\configuration\environment\topology.xml file.
Add a child <key-store> element to the <key-stores> element.
For your truststore, specify the type as trust-store and file as the full path to your truststore.
For example, add the attributes as shown in the following code:
<application http-server-host="true" name="<opal-server>" host-name="<hostname>" secure-connection="true">
    ...
    <key-stores>
        <key-store type="key-store" file="C:/i2/i2analyze/i2-liberty-keystore.jks"/>
        <key-store type="trust-store" file="C:/i2/i2analyze/i2-liberty-truststore.jks"/>
    </key-stores>
    ...
</application>
Specify the truststore password in the credentials file. In a text editor, open the toolkit\configuration\environment\credentials.properties file and enter a password for the truststore that you specified in the topology.xml file.
ssl.truststore.password=<password>
Use an XML editor to modify the toolkit\configuration\fragments\opal-services\WEB-INF\web.xml file.
Comment out the following lines so that form-based authentication is not used:
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Form-Based Authentication Area</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login.html?failed</form-error-page>
    </form-login-config>
</login-config>
In the login configuration section, add the following lines to define the client certificate authentication method:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>WebRealm</realm-name>
</login-config>
In a command prompt, navigate to the toolkit\scripts directory.
Stop Liberty:
setup -t stopLiberty
Update the i2 Analyze application:
setup -t deployLiberty
Start Liberty:
setup -t startLiberty
Using an XML editor, open the wlp\usr\servers\<opal-server>\server.xml file.
Modify the <ssl> element with the id defaultSSLConfig to include clientAuthenticationSupported="true".
For example:
<ssl clientAuthenticationSupported="true" id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>
Modify the <httpDispatcher> element to include trustedSensitiveHeaderOrigin="*".
For more information about the values that you can provide for the trustedSensitiveHeaderOrigin attribute, see HTTP Dispatcher (httpDispatcher).
For example:
<httpDispatcher enableWelcomePage="false" trustedSensitiveHeaderOrigin="*"/>
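The following script is an added example, not part of IBM's toolkit: it checks the four edits made in this procedure (the rewrite rule, the trust-store entry in topology.xml, the login-config in web.xml, and the ssl and httpDispatcher elements in server.xml) and reports anything that would leave FORM login active or client authentication disabled. The embedded strings are constructed samples standing in for the real files after editing.

```python
# Added example (not IBM's tooling): check the four edits the procedure above makes.
# The constructed strings below stand in for the real files after editing.
import xml.etree.ElementTree as ET

REWRITE_RULES = "!Start_After_Rules!\nSSLClientAuth Optional\n!End_After_Rules!\n"
TOPOLOGY_XML = """<application name="opal-server" secure-connection="true"><key-stores>
  <key-store type="key-store" file="C:/i2/i2analyze/i2-liberty-keystore.jks"/>
  <key-store type="trust-store" file="C:/i2/i2analyze/i2-liberty-truststore.jks"/>
</key-stores></application>"""
WEB_XML = """<web-app>
  <!-- <login-config><auth-method>FORM</auth-method></login-config> -->
  <login-config><auth-method>CLIENT-CERT</auth-method><realm-name>WebRealm</realm-name></login-config>
</web-app>"""
SERVER_XML = """<server>
  <ssl clientAuthenticationSupported="true" id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore"/>
  <httpDispatcher enableWelcomePage="false" trustedSensitiveHeaderOrigin="*"/>
</server>"""


def check_config(rewrite_rules, topology_xml, web_xml, server_xml):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    # 1. IBM HTTP Server must ask the browser for a client certificate.
    after = rewrite_rules.split("!Start_After_Rules!")[-1].split("!End_After_Rules!")[0]
    if "SSLClientAuth" not in after:
        problems.append("rewrite rules: SSLClientAuth missing between the After_Rules markers")
    # 2. topology.xml needs a trust-store so Liberty can validate the presented certificate.
    stores = ET.fromstring(topology_xml).findall("./key-stores/key-store")
    if not any(s.get("type") == "trust-store" and s.get("file") for s in stores):
        problems.append('topology.xml: no <key-store type="trust-store" file=...> entry')
    # 3. web.xml: the parser drops XML comments, so a commented-out FORM block is
    #    ignored; the one remaining <auth-method> must be CLIENT-CERT.
    methods = [m.text.strip() for m in ET.fromstring(web_xml).iter("auth-method")]
    if methods != ["CLIENT-CERT"]:
        problems.append(f"web.xml: expected a single CLIENT-CERT auth-method, found {methods}")
    # 4. server.xml: defaultSSLConfig must accept client certificates, and the
    #    dispatcher needs a trustedSensitiveHeaderOrigin for the proxied headers.
    server = ET.fromstring(server_xml)
    ssl = server.find("./ssl[@id='defaultSSLConfig']")
    if ssl is None or ssl.get("clientAuthenticationSupported") != "true":
        problems.append('server.xml: defaultSSLConfig lacks clientAuthenticationSupported="true"')
    disp = server.find("./httpDispatcher")
    if disp is None or not disp.get("trustedSensitiveHeaderOrigin"):
        problems.append("server.xml: httpDispatcher has no trustedSensitiveHeaderOrigin")
    return problems


if __name__ == "__main__":
    print(check_config(REWRITE_RULES, TOPOLOGY_XML, WEB_XML, SERVER_XML) or "all checks passed")
```

Point the four arguments at the real files (read with open().read()) to run it against a deployment; a non-empty list names the step that still needs attention.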
Results
The i2 Analyze application is configured to allow client certificate authentication.