-
1. Re: Common Access Card (CAC) authentication
jfclere Jul 9, 2012 2:31 AM (in response to satish.kinikiri)
You don't explain what is not working :-( CAC should work out of the box: it is a browser feature.
-
2. Re: Common Access Card (CAC) authentication
satish.kinikiri Jul 9, 2012 2:37 AM (in response to jfclere)
CAC is working. Our requirement is that we need to show users a banner before logging in.
Before the user is prompted for the CAC PIN, we need to show a message informing the user.
-
3. Re: Common Access Card (CAC) authentication
jfclere Jul 10, 2012 3:08 AM (in response to satish.kinikiri)
I still don't see how you want to achieve that. What do you have: a standard webapp with servlet + JSP? Or are you trying a browser application?
-
4. Re: Common Access Card (CAC) authentication
satish.kinikiri Jul 18, 2012 1:12 AM (in response to jfclere)
We have a standard JBoss-based application.
For this application we are trying to support card (CAC) based authentication.
I am able to get CAC authentication working.
But the requirement is to show users of the application a security warning message before the browser prompts for the active key password.
Basically, the user types the application URL in a browser and hits enter, then the browser prompts the user for the active key password.
But before this prompt we want to show a warning message dialog informing the user that he/she is trying to access a secure application.
-
5. Re: Common Access Card (CAC) authentication
jfclere Jul 18, 2012 2:55 AM (in response to satish.kinikiri)
I don't think that is possible except using the servlet 3.0 programmatic login.
-
6. Re: Common Access Card (CAC) authentication
satish.kinikiri Jul 18, 2012 5:27 AM (in response to jfclere)
Thanks for your reply, Clere.
One more query I have:
My application, after being authenticated against the CAC card, is not timing out.
I tried setting the timeout parameter
<session-config>
<session-timeout>15</session-timeout>
</session-config>
in Myproject/src/jboss/appiq/deploy/jbossweb-tomcat50.sar/conf/web.xml
Once we log in using active key authentication by keying in the password,
the browser is not prompting for the active key password, even after closing the browser.
Is the active key password cached at the browser level or the card reader software level?
How do we make the browser (or my application) prompt for the password whenever a user is trying to access the application after keying the application URL in the browser?
Or at least, how do we make the session timeout work, so that, say, after 15 min of inactivity of the application, the browser prompts for the active key password?
Any idea?
Thanks once again for your reply to my earlier query.
-
7. Re: Common Access Card (CAC) authentication
jfclere Jul 23, 2012 4:50 AM (in response to satish.kinikiri)
That is the way for the jbossweb 4.0.x version. Are you sure you want to use such an old version?
-
8. Re: Common Access Card (CAC) authentication
satish.kinikiri Jul 23, 2012 11:43 PM (in response to jfclere)
Our product is based on JBoss 4.0.1 only. (The JBoss 6 version of our product is still under development.)
We need to support card-based authentication on JBoss 4.0.1 and, in the near future, even in JBoss 6.
The active key password is being prompted by JBoss or card reading software or operating system.
By removing the password from one of the above caches I think we can achieve this, but I am not sure about it.
-
9. Re: Common Access Card (CAC) authentication
sjayakumar Jan 28, 2013 9:16 AM (in response to satish.kinikiri)
Hi Satish,
I have a similar requirement to implement. Could you please let me know how you performed unit testing? I do not have a smart card (CAC) with me to test. Is there a way to simulate and test?
Also, I'm yet to make changes with respect to the requirement; however, your experience in implementing this requirement will be helpful to me.
Kindly share the details.
Thanks,
Senthil
-
10. Re: Common Access Card (CAC) authentication
satish.kinikiri Jan 28, 2013 10:19 PM (in response to satish.kinikiri)
My employer issues an active key (smart card) to log in to our company applications, which is of the X509 standard. I used the same for unit testing.
-
11. Re: Common Access Card (CAC) authentication
patelr8 Feb 9, 2013 12:57 PM (in response to satish.kinikiri)
Satish,
Hope things are fine at your end. I am new to the JBoss community and its configuration.
I came across one of your questions about JBoss and CAC; reading it, I felt you are the right person to help me configure JBoss to use CAC.
Background – We are using JBoss EAP 5.1.2 as Web Server on Windows Server 2008 to run a SAS application on it. I need to configure JBoss to use CAC authentication. The Windows server on which JBoss is installed (our mid-tier server) does recognize Windows AD users and CAC. I am not familiar with what steps I need to take and in which order.
Help – Can you PLEASE help me with the list of all steps, in order, to be performed to configure JBoss with CAC? Such as, do I need to perform any task on Active Directory Domain Control, what are those steps, etc.
Can you please help, this is urgent - I have to successfully complete and test this configuration by 2/13/2013. I would really appreciate your help.
Thanks in advance for your time and support.
-
12. Re: Common Access Card (CAC) authentication
jfclere Feb 11, 2013 4:07 AM (in response to patelr8)
The first step is to set clientAuth="true" in the connector and have the CAS CA in the truststore.
Then you have to use something like https://community.jboss.org/wiki/LdapExtLoginModule
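
Added example, not part of the thread and not any poster's actual configuration: the connector step described in post 12, written for the Tomcat 6-based JBoss Web connector shipped with EAP 5 (an assumption). All paths, file names, passwords and the port are placeholders.

```xml
<!--
  Added example. HTTPS connector in JBoss Web's server.xml.
  Paths, passwords and the port below are placeholders.

  keystoreFile   : the server's own private key and certificate
                   (what the browser validates).
  truststoreFile : holds only the CA certificate(s) that issue the card
                   certificates. Any client certificate that chains to a
                   CA in this store passes the TLS handshake, so do not
                   reuse a general-purpose CA bundle here.
  clientAuth     : "true"  = handshake fails without a valid client cert
                   "want"  = cert is requested, but clients without one
                             still connect
                   "false" = no cert requested unless a CLIENT-CERT
                             security constraint asks for it
-->
<Connector protocol="HTTP/1.1" SSLEnabled="true"
           port="8443" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
           keystorePass="CHANGE_ME_KEYSTORE"
           truststoreFile="${jboss.server.home.dir}/conf/card-ca.truststore"
           truststorePass="CHANGE_ME_TRUSTSTORE"
           clientAuth="true" />
```

The handshake only establishes that the presented certificate chains to a trusted CA; deciding which application user and roles that certificate maps to is the job of the login module mentioned in the same post.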
-
13. Re: Common Access Card (CAC) authentication
satish.kinikiri Feb 11, 2013 9:50 AM (in response to satish.kinikiri)
The Connector tag of server.xml has to be modified similar to what I did (copied in my earlier post).
With this, when you access your JBoss through a browser, it prompts for the PIN of the certificate of your connected device.
And appropriately change your login module.
I didn't get your context of relating AD and CAC for authentication.
CAC is just an authentication module like AD. You can have both CAC and AD authentication in place or only CAC auth. It's up to your requirement.
-
14. Re: Common Access Card (CAC) authentication
patelr8 Feb 11, 2013 11:46 AM (in response to jfclere)
Thanks Jean-Frederic, I will try and post my results or questions -