17 Replies. Latest reply on Feb 12, 2013 2:47 AM by satish.kinikiri

    Common Access Card (CAC) authentication

    satish.kinikiri

      Hi

      I am trying to authenticate our application using CAC.

      Whenever a user of the application tries to access the card, the browser prompts for the user PIN, and after giving the user's CAC PIN the user is allowed to access the application.

      The CAC certificate is configured as shown below in server.xml:

       

      <Connector protocol="HTTP/1.1" SSLEnabled="true"
                 port="443" address="${jboss.bind.address}"
                 scheme="https" secure="true" clientAuth="want"
                 keystoreFile="${jboss.server.home.dir}/License/AppIQKeyStore.ks"
                 keystorePass="password"
                 truststoreFile="${jboss.server.home.dir}/License/server.truststore"
                 truststorePass="servercert"
                 ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
                 sslProtocol="TLS" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"/>

       

      We have a requirement to show a banner page to the users whenever the application is being accessed.

      (Basically we want to show an information page to a user whenever he/she types the URL in the browser and hits enter.)

      Please let me know how to achieve this.

      Note: I have tried

      adding a "className" attribute

       

      <Connector className="com.appiq.security.server.CACConnector" protocol="HTTP/1.1".........

       

      and CACConnector extending CoyoteConnector as shown below...

       

      public class CACConnector extends CoyoteConnector {

       

      But I am not able to figure out which method to override.

       

      Please help.

        • 1. Re: Common Access Card (CAC) authentication
          jfclere

          You don't explain what is not working :-( CAC should work out of the box: it is a browser feature.

          • 2. Re: Common Access Card (CAC) authentication
            satish.kinikiri

            CAC is working. Our requirement is that we need to show users a banner before logging in.

            Before the user is prompted for the CAC PIN, we need to show a message informing the user.

            • 3. Re: Common Access Card (CAC) authentication
              jfclere

              I still don't see how you want to achieve that. What do you have, a standard webapp with servlet + JSP? Or are you trying a browser application?

              • 4. Re: Common Access Card (CAC) authentication
                satish.kinikiri

                We have a standard JBoss-based application.

                For this application we are trying to support card (CAC) based authentication.

                I am able to get CAC authentication working.

                But the requirement is to show users of the application a security warning message before the browser prompts for the active key password.

                Basically the user types the application URL in a browser and hits enter, then the browser prompts the user for the active key password.

                But before this prompt we want to show a warning message dialog informing the user that he/she is trying to access a secure application.

                • 5. Re: Common Access Card (CAC) authentication
                  jfclere

                  I don't think that is possible except by using the Servlet 3.0 programmatic login.

                  • 6. Re: Common Access Card (CAC) authentication
                    satish.kinikiri

                    Thanks for your reply Clere

                    One more query I have:

                    My application, after being authenticated against the CAC card, is not timing out.

                    I tried setting the timeout parameter

                    <session-config>
                        <session-timeout>15</session-timeout>
                    </session-config>

                    in Myproject/src/jboss/appiq/deploy/jbossweb-tomcat50.sar/conf/web.xml

                    Once we log in using active key authentication by keying in the password,
                    the browser is not prompting for the active key password even after closing the browser.

                    Is the active key password cached at browser level or at card reader software level?

                    How do I make the browser (or my application) prompt for the password whenever the user is trying to access the application after keying the application URL in the browser?

                    Or at least, how do I make the session timeout work, so that after, say, 15 min of inactivity in the application, the browser prompts for the active key password?

                    Any idea?

                    Thanks once again for your reply to my earlier query.
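An added example, not code from this thread or from JBoss: a servlet Filter for the JBoss Web/Tomcat webapp discussed above that enforces the 15-minute inactivity limit itself and refuses requests that arrived with no client certificate. It assumes the Servlet 2.x API, a filter mapping to /* in web.xml, and a hypothetical /timeout.jsp banner page; the PIN prompt belongs to the browser and the card middleware, so a server-side timeout can only re-establish the application session, not force the PIN to be re-entered.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: map this filter to /* in web.xml. It does not replace the
// container's TLS client-auth; it adds an application-level check and timeout.
public class CacSessionFilter implements Filter {
    private static final int IDLE_SECONDS = 15 * 60;   // same 15 min as <session-timeout>
    private static final String LAST_SEEN = "cac.lastSeen";
    // Standard servlet attribute under which the container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) throws ServletException {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;

        // With clientAuth="want" the browser may send no certificate at all;
        // refuse instead of falling through to an unauthenticated page.
        X509Certificate[] certs = (X509Certificate[]) r.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            certs[0].checkValidity();   // card certificate expired or not yet valid
        } catch (CertificateException e) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }

        // Enforce the idle limit ourselves: the cached card PIN is outside the
        // server's control, but the application session is not.
        HttpSession s = r.getSession(true);
        s.setMaxInactiveInterval(IDLE_SECONDS);
        Long last = (Long) s.getAttribute(LAST_SEEN);
        long now = System.currentTimeMillis();
        if (last != null && now - last.longValue() > IDLE_SECONDS * 1000L) {
            s.invalidate();
            w.sendRedirect(r.getContextPath() + "/timeout.jsp");   // hypothetical banner page
            return;
        }
        s.setAttribute(LAST_SEEN, Long.valueOf(now));
        chain.doFilter(req, res);
    }
}
```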

                    • 7. Re: Common Access Card (CAC) authentication
                      jfclere

                      That is the way for the JBoss Web 4.0.x version; are you sure you want to use such an old version?

                      • 8. Re: Common Access Card (CAC) authentication
                        satish.kinikiri

                        Our product is based on JBoss 4.0.1 only. (The JBoss 6 version of our product is still under development.)

                        We need to support card-based authentication on JBoss 4.0.1, and in the near future even in JBoss 6.

                        Is the active key password being prompted by JBoss, by the card reading software, or by the operating system?

                        By removing the password from one of the above caches I think we can achieve this, but I am not sure about this.

                        • 9. Re: Common Access Card (CAC) authentication
                          sjayakumar

                          Hi Satish,

                          I have a similar requirement to implement; could you please let me know how you performed unit testing? I do not have a smart card (CAC) with me to test. Is there a way to simulate and test?

                          Also I'm yet to make changes with respect to the requirement; however, your experience in implementing this requirement will be helpful to me.

                           

                          Kindly share the details.

                           

                          Thanks,

                          Senthil

                          • 10. Re: Common Access Card (CAC) authentication
                            satish.kinikiri

                            My employer issues an active key (smart card) to log in to our company applications, which is of the X.509 standard. I used the same for unit testing.

                            • 11. Re: Common Access Card (CAC) authentication
                              patelr8

                              Satish,

                              Hope things are fine at your end. I am new to the JBoss community and its configuration.

                              I came across one of your questions about JBoss and CAC; reading it I felt you are the right person to help me configure JBoss to use CAC.

                              Background – We are using JBoss EAP 5.1.2 as the web server on Windows Server 2008 to run a SAS application on it. I need to configure JBoss to use CAC authentication. The Windows server on which JBoss is installed (our mid-tier server) does recognize Windows AD users and CAC. I am not familiar with what steps I need to take and in which order.

                              Help – Can you PLEASE help me with the list of all steps, in the order to be performed, to configure JBoss with CAC? Such as, do I need to perform any task on the Active Directory Domain Controller, what are those steps, etc.

                              Can you please help? This is urgent - I have to successfully complete and test this configuration by 2/13/2013. I would really appreciate your help.

                               

                              Thanks in advance for your time and support.

                              • 12. Re: Common Access Card (CAC) authentication
                                jfclere

                                The first step is to set clientAuth="true" in the connector and have the CAC CA in the truststore.

                                Then you have to use something like https://community.jboss.org/wiki/LdapExtLoginModule

                                • 13. Re: Common Access Card (CAC) authentication
                                  satish.kinikiri

                                  The Connector tag of server.xml has to be modified similar to what I did (copied in my earlier post).

                                  This means that when you access your JBoss through the browser, it prompts for the PIN of the certificate of your connected device.

                                  And appropriately change your login module.

                                  I didn't get your context of relating AD and CAC for authentication.

                                  CAC is just an authentication module like AD. You can have both CAC and AD authentication in place, or only CAC auth. It's up to your requirement.

                                  • 14. Re: Common Access Card (CAC) authentication
                                    patelr8

                                    Thanks Jean-Frederic, I will try and post my results or questions -
