This is interesting.. sounds a little like the AF Portal.. The problem with AF Portal is the Embedded password into the scripting.. This is a little on the "2 tacos shy of a combination plate" aspect.. But it sounds like you are not doing that.. interesting.. is this in JSP ? the redirector and then into remedy..
would like to see that if possible..

MSgt Patrick Zandi, USAF

On 10/10/06, Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552 <[EMAIL PROTECTED]> wrote:
Hello Carolyn,

What we have done at our activity is to tie the CAC PKI SmartCard to the Active Directory and assign AD users to a Remedy Group. That group has permissions to the Virtual Website that hosts the Remedy MidTier. Much like your "Trust" comment below. Additionally, we redirect any user that attempts to access Remedy MidTier to a registration page that collects their CAC data to create an AD account. Once their request is approved, their AD account is added to the Remedy group. It is not where we want to be but we have our Remedy MidTier and Production servers on separate AD Domains.

Thank You for your feedback,
Dave Davis

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Wixson Carolyn L PSNS
Sent: Friday, October 06, 2006 10:07
To: [email protected]
Subject: Re: Authenticate an ARS user using a certificate stored on a smart card

Hi!

Here is what we plan on doing so far, only on the mid-tier (6.3):

All of our users are authenticated, so we provide a link for Requesters to a JSP page that gets the user name and logs them in with it. Once they are in, an Active link runs a process that calls another JSP page to get the Windows user name again and compares it to the $USER$. (This is to ensure that someone does not work around the auto-login page.) Both of these JSP pages are based on KM-000000010678 "How can I use my NT domain name to log me directly into the Mid-Tier without having to be directed to login.jsp?" There are other Active links that run to ensure that the login meets other criteria as well. This will work if everyone is authenticated, but as you said, it does not check the certificate.

On the Windows client, it is pretty much available to just Customer Support and they login. If a user does access the Windows client, there are some Active Links that limit the use, etc.

I am looking at other solutions, but I believe that the above will work for now.
We have not moved this to production yet. We have never used the Mid-Tier before, but now that we are going to allow requesters to submit their own tickets, it seems a good way to go.

I hope this helps.
Carolyn Wixson

-----Original Message-----
From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 7:46
To: [email protected]
Subject: Re: Authenticate an ARS user using a certificate stored on a smart card

Nothing, yet. Based on research, seems that it can't be done - you can set up a "trust" (which our security people get indignant at calling it that) - meaning, if you want to "trust" that just because someone got on to a machine with a smart card, you could grab the user name and get them into the system that way. But you can't have the AR Server and the client communicate with certificates. However, on the mid-tier, we can use certificates, as we'll do all of the authentication work using SiteMinder...

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
Sent: Thursday, October 05, 2006 1:24 PM
To: [email protected]
Subject: Re: Authenticate an ARS user using a certificate stored on a smart card

Rebecca,

Have you been able to integrate ARS authentication with the PKI SmartCard yet? If so, what tools did you use?

Thanks,
Dave Davis
Software Systems Engineer - SAIC

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Rebecca Hammond
Sent: Wednesday, September 13, 2006 13:39
To: [email protected]
Subject: Re: Authenticate an ARS user using a certificate stored on a smart card

Am I the only one who isn't totally confused by the white paper? I'm just not clear on how I'm supposed to write an Authenticator of my own, that handles PKI or SmartCard technology. Is it just because with SSO, it pulls the information from your OS?
Does anyone have any samples of what these Authenticators might look like?

Thanks in advance!
-Rebecca Hammond

On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David <[EMAIL PROTECTED]> wrote:
>Daniel,
>
> You may want to take a look at the "Integrating BMC Remedy Action
>Request System with Single Sign-On (SSO)" white paper that was updated
>for AR System 7.00.00. It also applies to other client-side login
>intercept technologies like smart cards or PKI.
>
>It is available on http://supportweb.remedy.com in the Documents
>section.
>
>David J. Easter
>Sr. Product Manager - BMC Software
>
>-----Original Message-----
>From: Action Request System discussion list(ARSList)
>[mailto:[EMAIL PROTECTED] On Behalf Of CONDREA, Daniel
>Sent: Thursday, August 10, 2006 10:53 PM
>To: [email protected]
>Subject: Authenticate an ARS user using a certificate stored on a smart
>card
>
>Hi All,
>
>Can anybody suggest a way to authenticate an ARS user using a
>certificate stored on a smart card?
>
>The end user can not authenticate with a username and a password.
>He/she can only authenticate using the certificate stored in the smartcard.
>
>Best regards,
>Daniel Condrea
--
Patrick Zandi
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org

