
GlobalSCAPE Knowledge Base

What is Common Access Card authentication?

Karla Marsh
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, version 6.4.3 and later

QUESTION

What is Common Access Card authentication?

ANSWER

A CAC is approximately the size of a credit card and has a magnetic stripe on the back. It is the standard identification for active duty uniformed service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel, and it can be used to grant physical access to buildings as well as access to computer networks and systems. Common Access Card (CAC) authentication is available in EFT Enterprise with the Advanced Authentication module, on LDAP Sites with SSL (HTTPS or FTPS) enabled.

When CAC is enabled on EFT Enterprise, clients are required to present a certificate when connecting. Once the user's certificate is validated, EFT Enterprise takes the User Principal Name (UPN) from the Subject Alternative Name (SAN) field of the signature certificate, searches for the user in LDAP, and allows or denies access based on the information found. The certificate presented via the web browser must carry an Electronic Data Interchange Personal Identifier (EDI/PI). If the EDI/PI is not found or otherwise cannot be validated, the connection is denied. If the EDI/PI is found, EFT Enterprise maps it to the corresponding fields in LDAP using the appropriate LDAP query string. If the user is found in LDAP, a certificate is assigned to that user, and that certificate exactly matches the one provided by the client, the user is allowed access.

The user certificate must contain the Subject Alternative Name entry "Other Name: Principal Name=" so that the UPN (User Principal Name) can be authenticated against LDAP (as shown below). Currently, all other SAN entries are ignored by EFT Enterprise. Certificates that carry only an "RFC822 Name=" entry are not sufficient; EFT Enterprise needs the Principal Name value.

The certificate lookup process looks like this:

  1. EFT Enterprise looks for the UPN entry in the SAN field of the certificate (i.e., the Other Name entry identified by its OID).

  2. EFT Enterprise performs an LDAP lookup using the LDAP Auth Manager settings, searching the user login attribute for the value found in the UPN entry of the SAN.

  3. This lookup returns 0 or more "userCertificate" properties of the matched object, if found.

  4. For each returned userCertificate, EFT Enterprise performs a cryptographically strong comparison of the LDAP-provided certificate with the one supplied by the CAC.

CAC and WTC

When CAC is enabled and an HTTPS connection is made, the Logout and Change Password buttons on the Java-enabled Web Transfer Client (WTC) are hidden. To log out, you must close the browser and remove your CAC. WTC sessions time out immediately when the browser is closed. If a user navigates away from the WTC instead of closing the browser and then returns to the WTC page, the previous session has expired and a new session ID is generated. This prevents WTC licenses from being locked when no one is using them.

  • The Account Management page is neither available nor necessary when CAC is enabled; there is no concept of logging out or changing passwords when using CAC.

  • CAC is only available on EFT Enterprise with an LDAP-authenticated Site.

  • CAC is incompatible with RADIUS, RSA, PCI DSS, ODBC, NT authentication, AD authentication, and Globalscape authentication. PCI DSS Compliance reports do not report on CAC-enabled Sites.

When CAC is enabled on a Site:

  • The WTC uses the JSE HTTP client instead of the Apache client; the JSE HTTP client provides NTLM v2 proxy authentication support.

  • Any attempt to access any of the account management pages causes a "page not found" error.

  • When HTTP and HTTPS are both enabled, the Redirect HTTP to HTTPS check box is selected and disabled, forcing redirection of HTTP traffic to HTTPS.

  • When FTPS is enabled, the username and password provided are ignored; the authentication is provided by the certificate.

  • The EnableCAC method can be used to enable CAC via the COM API.

  • The following major events are logged:

    • Could not find proper SAN field in certificate

    • The value received from the SAN field

    • If user had no certificates in LDAP

    • If certificates were present but no certificate matched

    • More than one user was retrieved when LDAP was queried (authentication is only attempted against the first one)
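
The four lookup steps described earlier and the major events listed just above can be modelled end to end. The following is an added example written for this article, not Globalscape's code: it reads a constructed SubjectAltName extension with a minimal DER parser, pulls the UPN from the Other Name entry identified by the Microsoft UPN OID, stands in for the LDAP search with an in-memory list of entries, and compares each returned userCertificate with the presented certificate in constant time. The login attribute name `userPrincipalName`, the sample UPNs and the certificate byte strings are assumptions constructed for the example, not values from EFT or from a real CAC.

```python
"""Model of the CAC certificate lookup described in the article (added example,
not Globalscape code). Assumed, not from the article: LDAP is an in-memory list
of entries, the login attribute is 'userPrincipalName', and certificates are
compared by their DER bytes. Standard library only, so it runs offline."""
import hashlib
import hmac

# Microsoft UPN OtherName OID (id-ms-san-upn): the OID that step 1 of the article refers to.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"
UPN_OID_DER = bytes.fromhex("2b06010401823714" "0203")   # its DER content octets
LOGIN_ATTR = "userPrincipalName"                         # assumed LDAP login attribute


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode OID content octets to dotted form (first byte packs arcs 1 and 2, rest base-128)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _der(tag, body):
    assert len(body) < 128                  # short-form length suffices for these samples
    return bytes([tag, len(body)]) + body


def build_san(upn=None, email=None):
    """Construct a SubjectAltName value (sample data, not taken from a real CAC)."""
    names = b""
    if upn:    # [0] otherName { type-id OID, value [0] EXPLICIT UTF8String }
        names += _der(0xA0, _der(0x06, UPN_OID_DER) + _der(0xA0, _der(0x0C, upn.encode())))
    if email:  # [1] rfc822Name: common on certificates, ignored by the lookup
        names += _der(0x81, email.encode())
    return _der(0x30, names)                # SEQUENCE OF GeneralName


def upn_from_san(san_der):
    """Step 1: return the UPN carried by the SAN's OtherName entry, or None if absent."""
    seq_tag, names, _ = _tlv(san_der, 0)
    pos = 0
    while seq_tag == 0x30 and pos < len(names):
        tag, body, pos = _tlv(names, pos)
        if tag != 0xA0:                     # not otherName (rfc822Name, dNSName, ...): skipped
            continue
        oid_tag, oid_body, after = _tlv(body, 0)
        if oid_tag == 0x06 and _decode_oid(oid_body) == UPN_OID:
            _, explicit, _ = _tlv(body, after)       # value [0] EXPLICIT ...
            _, utf8, _ = _tlv(explicit, 0)           # ... wrapping a UTF8String
            return utf8.decode("utf-8")
    return None


def authenticate(san_der, client_cert_der, directory, events):
    """Steps 1-4; True only when an LDAP userCertificate exactly matches the client's.
    'events' collects the article's major log events as they occur."""
    upn = upn_from_san(san_der)
    if upn is None:
        events.append("Could not find proper SAN field in certificate")
        return False
    events.append(f"SAN value received: {upn}")
    matched = [e for e in directory if e.get(LOGIN_ATTR) == upn]     # step 2
    if not matched:
        events.append(f"No LDAP object matched {upn}")
        return False
    if len(matched) > 1:
        events.append("More than one user was retrieved; authenticating against the first only")
    ldap_certs = matched[0].get("userCertificate", [])                # step 3: 0 or more values
    if not ldap_certs:
        events.append("User had no certificates in LDAP")
        return False
    presented = hashlib.sha256(client_cert_der).digest()             # step 4: hash both sides and
    for cert in ldap_certs:                                          # compare in constant time so
        if hmac.compare_digest(hashlib.sha256(cert).digest(), presented):  # no timing leaks
            return True
    events.append("Certificates were present but no certificate matched")
    return False


# Constructed sample data: opaque bytes stand in for DER-encoded certificates.
CERT_A = b"constructed-DER-of-cert-A"
CERT_B = b"constructed-DER-of-cert-B"
DIRECTORY = [
    {LOGIN_ATTR: "1234567890@mil", "userCertificate": [CERT_B, CERT_A]},
    {LOGIN_ATTR: "0987654321@mil", "userCertificate": []},
]
```

A certificate whose SAN carries only an rfc822Name is rejected at step 1, exactly as the article states for "RFC822 Name=" certificates. The example starts after certificate validation; in a real deployment the SAN comes from the TLS client certificate only once its chain and revocation status have been checked.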

Refer to Defining Connections (Sites) (or your version of EFT Enterprise) for details of creating an LDAP-authenticated Site that uses CAC.

Details
Last Modified: 5 Years Ago
Last Modified By: kmarsh
Type: HOWTO