How to setup DoD PKI authentication via Common Access Card (CAC) in the Web Reports

Article ID: 438
Category: Web Reports
Applies to: v3.0 or later
Updated: 2020-09-23

Step 1: Prepare the Certificate

Open a command prompt as an administrator and navigate to the following folder (depends on where you installed EventSentry):
cd "\Program Files\EventSentry\WebReports\jre\bin"


Step 2: Use a Certificate Authority Keystore

Run the following command to generate a keystore:
keytool.exe -genkey -alias eventsentry -keyalg RSA -keystore eventsentry.jks
In this example the password is "changeit". Use the FQDN of the machine for the "First and last name" value.

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  server.domain.local

Create the certificate request:

keytool.exe -certreq -keyalg RSA -alias eventsentry -file certreq.req -keystore eventsentry.jks

Follow the instructions from your CA on submitting the certificate request. You will use the certreq.req file created in the last step. In this example, the CA gave a ZIP file containing a chain of certificates. If they have instructions, follow those instead of the ones here. In our case, these were the steps we had to take to import the certificates.

keytool.exe -importcert -alias AddTrustExternalCARoot -file c:\certs\AddTrustExternalCARoot.crt -keystore eventsentry.jks
keytool.exe -importcert -alias ComodoUTNSGCCA -file c:\certs\ComodoUTNSGCCA.crt -keystore eventsentry.jks
keytool.exe -importcert -alias EssentialSSLCA_2 -file c:\certs\EssentialSSLCA_2.crt -keystore eventsentry.jks
keytool.exe -importcert -alias UTNAddTrustSGCCA -file c:\certs\UTNAddTrustSGCCA.crt -keystore eventsentry.jks

Then after the chain is complete, import the server specific certificate:
keytool.exe -importcert -alias eventsentry -file c:\certs\server_domain_local.crt -keystore eventsentry.jks


Step 3: Configure the Web Reports to Use Your Keystore

Move the keystore to the conf folder:
move eventsentry.jks "C:\Program Files\EventSentry\WebReports\conf"

Configure a SSL connector by editing the server.xml file, by default located in:
C:\Program Files\EventSentry\WebReports\web\conf\server.xml

Look for the first instance of "<Connector.../>" and insert the following below that section making sure the "keystorePass" and "keystoreFile" lines match your particular instance:

    <!-- SSL "Connector" -->
    <Connector port="8443" relaxedQueryChars="[]" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" disableUploadTimeout="true" enableLookups="false"
               sslProtocol="TLS" scheme="https" secure="true"
               SSLEnabled="true" keystorePass="changeit"
               keyAlias="eventsentry"
               keystoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks"

               SSLVerifyClient="require"
               truststoreFile="C:\Program Files\EventSentry\WebReports\conf\eventsentry.jks"
               truststorePass="changeit" 

               clientAuth="true"
               />

clientAuth
Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection.
Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented.
A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

SSLVerifyClient
This will require a valid certificate chain from the client before accepting a connection.

truststoreFile
This is the keystore where the CA and signed certifications exist and can be the same as our keystoreFile.


If you would also like to disable HTTP, look for this connector:

<Connector port="8080" relaxedQueryChars="[]" protocol="HTTP/1.1"
              connectionTimeout"20000"
              redirectPort="8443" />

Either delete it or comment it out (enclose it in <!-- and -->)


Step 4: Restart EventSentry Web Reports service

After restarting the "EventSentry Web Reports" service, navigate to https://server.domain.local:8443 to test & access the web reports through SSL.