How to disable Common Access Card Authentication (CAC) in Spectrum.


Article ID: 41361


Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

The following are the steps to disable CAC in Spectrum.

Environment

Release: Any version of Spectrum integrated with CAC
Component:

Resolution

The following steps can be used to revert the OneClick setup back to the initial non-CAC configuration: 

1. Stop the OneClick Server. This can be done by any of the following approaches: 

    a. Executing “$SPECROOT/tomcat/bin/stopTomcat.sh”
    b. Executing “net stop SpectrumTomcat” on Windows 
    c. Killing the process

2. Edit the file $SPECROOT/tomcat/conf/server.xml and change clientAuth to false in the HTTPS connector, so that the connector reads:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->    
    <Connector
           port="8443"
           enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
           acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
           keystoreFile="custom/keystore/cacerts"
           keystorePass="changeit">

     </Connector>


3. Edit the file $SPECROOT/tomcat/conf/context.xml and change the following line from: 

    <Valve className="com.aprisma.tomcat.authenticator.CACAuth" changeSessionIdOnAuthentication="false" /> 

    -TO-

   <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" /> 

4. Restore the original file in Spectrum/tomcat/webapps/spectrum/WEB-INF/web.xml by executing the script:
          $SPECROOT/Install-Tools/createwebxml.sh 


5. Restore the file, cac-system-config.xml, by executing: 

     cp $SPECROOT/tomcat/webapps/spectrum/WEB-INF/cac/config/cac-system-config.xml $SPECROOT/custom/cac/config/cac-system-config.xml 


6. Restart the web server and check the log for any errors to ensure all steps have been done correctly. 



Note: These steps have been tested only on a Windows OneClick Server. Instructions and procedures may vary on other operating systems.
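
A read-only check for steps 2 and 3, added here as an example and not part of the original article or the vendor's tooling: it parses server.xml and context.xml and reports an HTTPS connector that still requests client certificates, or a CACAuth valve left in place. The function names and the sample XML are constructed for illustration.

```python
"""Read-only check that OneClick's Tomcat config is in the non-CAC state."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

CAC_VALVE = "com.aprisma.tomcat.authenticator.CACAuth"
BASIC_VALVE = "org.apache.catalina.authenticator.BasicAuthenticator"


def check_server_xml(text):
    """Step 2: every https Connector must have clientAuth false."""
    problems = []
    connectors = [c for c in ET.fromstring(text).iter("Connector")
                  if c.get("scheme") == "https"]
    if not connectors:
        problems.append("no https Connector found")
    for c in connectors:
        # Tomcat treats a missing clientAuth as false; "true" and "want"
        # both still ask the browser for a client certificate.
        auth = c.get("clientAuth", "false").lower()
        if auth != "false":
            problems.append(f"port {c.get('port')}: clientAuth={auth!r}, expected 'false'")
    return problems


def check_context_xml(text):
    """Step 3: the CACAuth valve must be replaced by BasicAuthenticator."""
    classes = [v.get("className", "") for v in ET.fromstring(text).iter("Valve")]
    problems = []
    if CAC_VALVE in classes:
        problems.append("CACAuth valve still present")
    if BASIC_VALVE not in classes:
        problems.append("BasicAuthenticator valve missing")
    return problems


# Constructed samples (not from a real server): both files left in the CAC state.
SAMPLE_SERVER = ('<Server><Service><Connector port="8443" scheme="https" '
                 'SSLEnabled="true" clientAuth="true"/></Service></Server>')
SAMPLE_CONTEXT = f'<Context><Valve className="{CAC_VALVE}"/></Context>'

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py server.xml context.xml
        server, context = (Path(p).read_bytes() for p in sys.argv[1:])
    else:
        server, context = SAMPLE_SERVER, SAMPLE_CONTEXT
    findings = check_server_xml(server) + check_context_xml(context)
    print("\n".join(findings) or "configuration matches the non-CAC state")
    sys.exit(1 if findings else 0)
```

Run it with the paths to $SPECROOT/tomcat/conf/server.xml and $SPECROOT/tomcat/conf/context.xml before restarting in step 6; a non-zero exit status means one of the two edits was missed.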