CAC required login - X.509, SSL?, third party, OCSP?


Has anyone put together a thorough "This is how to implement using a CAC to authenticate to your Web Application"?

I can't find it. I read that you need third-party software like SPNEGO or other things. I know I need to implement using CACs like this on JBoss 7.2 EAP.

When I look up X.509 on Red Hat, I see references to SSL. Would the steps to implement using a CAC to authenticate to my web application look something like this:

  1. Install JBoss 7.2 EAP (I need to use this version)
  2. Install SPNEGO
  3. Configure JBoss for SSL
  4. Perform additional JBoss configurations for X.509

Is there anything in JBoss or a third party that checks the Online Certificate Status Protocol (OCSP) to make sure CACs that have been disabled aren't getting access?

Is there a good book on this somewhere?

Anyone that could provide some solid insight would be greatly appreciated.

Responses

I am digging through the JBoss documentation and I found this:

"2.5. Configure Authentication with Certificates - IMPORTANT - Before you can set up certificate-based authentication, you must have two-way SSL configured. More details on configuring two-way SSL can be found in the Enable Two-way SSL/TLS for Applications Using the Elytron Subsystem section (https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/how_to_configure_server_security/#elytron_two-way_ssl_apps) of the How to Configure Server Security guide."

X.509 is a certificate, so this is the right direction.

OK, I found this in the JBoss EAP documentation: "Section 1.4.2.2. Enable Two-way SSL/TLS for Applications Using the Elytron Subsystem. 1. Obtain or generate your client keystores. 2. Export the client certificate."

My question on this is (maybe this will be answered further down in the documentation, but...): I have an application open to the public, but I want to require a user logging in to it to have a CAC card. I have no access to the clients. Do I create the client keystore on the web app server and deliver the keystore to the client?

I found this nice summary: https://www.youtube.com/watch?v=PhoVNqnzQ1E. But in the video, at around 3:28, the gentleman stated, "The last thing to do is to register the client." Does this mean that, after setting up CAC authentication on a website, the only way to access the site is to use certain computers that have been configured?

Yes, the client computer requires both hardware and software configuration in order to access the website.

Here is an example of a preconfigured client OS which is available to the general public: https://www.spi.dod.mil/lipose.htm. See the FAQ for details.
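To make the four-step outline in the question, the "two-way SSL first" requirement quoted from the docs, and the revocation question concrete, here is an added jboss-cli script for JBoss EAP 7.2. It is not code from this thread or from Red Hat's documentation; it follows the Elytron resource model those docs describe. It assumes the server's TLS key pair is in server.keystore, that you have imported the DoD root and intermediate CA certificates into cac-truststore.jks (the names, the "changeit" passwords, the dod-crl.pem file and the "cac-domain" security-domain name are all illustrative assumptions), and that the deployment's jboss-web.xml references that security domain. Note that on a CAC-enabled client the user certificate and private key live on the card and reach the browser through the middleware the LPS FAQ refers to, so the server never generates or distributes client keystores; it only needs the issuing CA chain in its trust store. SPNEGO is not involved in this flow: it is the Kerberos-over-HTTP mechanism, whereas CAC login is the CLIENT_CERT mechanism over two-way TLS.

```jboss-cli
# Added example (not from the thread or the Red Hat docs): jboss-cli script that enables
# two-way TLS on the HTTPS listener and wires CLIENT_CERT authentication through Elytron
# on JBoss EAP 7.2. Run with: $JBOSS_HOME/bin/jboss-cli.sh --connect --file=cac-auth.cli
# Assumed file names, passwords and resource names are illustrative; adjust to your install.

batch

# 1. Server identity: the HTTPS key pair the browser sees (assumed: server.keystore).
/subsystem=elytron/key-store=serverKS:add(path=server.keystore, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=changeit})
/subsystem=elytron/key-manager=serverKM:add(key-store=serverKS, credential-reference={clear-text=changeit})

# 2. Trust store: DoD root and intermediate CA certificates, not per-user client keystores.
#    Populate it before running this script, e.g.:
#    keytool -importcert -alias dod-root-ca-3 -file DoDRoot3.cer -keystore cac-truststore.jks
/subsystem=elytron/key-store=cacTS:add(path=cac-truststore.jks, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=changeit})

# 3. Trust manager with CRL-based revocation checking. certificate-revocation-list is the
#    revocation attribute in the 7.2 trust-manager model; a native ocsp attribute appeared in a
#    later release as far as I know, so confirm with :read-resource-description on your server.
#    dod-crl.pem is an assumed file name for a CRL you download and refresh yourself.
/subsystem=elytron/trust-manager=cacTM:add(key-store=cacTS, certificate-revocation-list={path=dod-crl.pem, relative-to=jboss.server.config.dir})

# 4. Server SSL context: need-client-auth=true requires (not merely requests) a client cert,
#    so a browser without a CAC is rejected at the TLS handshake.
/subsystem=elytron/server-ssl-context=cacSSC:add(key-manager=serverKM, trust-manager=cacTM, need-client-auth=true, protocols=["TLSv1.2"])

# 5. Point the HTTPS listener at it. The stock listener references the legacy
#    ApplicationRealm security-realm, which must be undefined before ssl-context can be set.
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=cacSSC)

# 6. Map the presented certificate to an identity: the principal decoder takes the subject
#    DN's CN (OID 2.5.4.3) as the user name, and key-store-realm looks that name up as an
#    alias in the trust store (see the usage note below for why that limits scale).
/subsystem=elytron/key-store-realm=cacRealm:add(key-store=cacTS)
/subsystem=elytron/x500-attribute-principal-decoder=cnDecoder:add(oid="2.5.4.3", maximum-segments=1)
/subsystem=elytron/security-domain=cacDomain:add(realms=[{realm=cacRealm}], default-realm=cacRealm, principal-decoder=cnDecoder, permission-mapper=default-permission-mapper)

# 7. CLIENT_CERT HTTP mechanism and the application-security-domain the deployment binds to
#    via <security-domain>cac-domain</security-domain> in its jboss-web.xml.
/subsystem=elytron/http-authentication-factory=cacHttpAuth:add(http-server-mechanism-factory=global, security-domain=cacDomain, mechanism-configurations=[{mechanism-name=CLIENT_CERT}])
/subsystem=undertow/application-security-domain=cac-domain:add(http-authentication-factory=cacHttpAuth)

run-batch
reload
```

Two caveats a practitioner should check before relying on this. First, key-store-realm authenticates a user only if an entry matching the decoded principal exists in the key store, which is workable for a handful of certificates but not for an arbitrary CAC population; for that you keep the trust manager (which validates the chain and revocation status) and swap the realm for one that resolves the CN or EDIPI against a directory, such as an ldap-realm, or an application-level lookup. Second, revocation is the part most often left silently off: after configuring either the CRL above or OCSP (via the ocsp attribute on releases that have it, or the JVM-wide com.sun.net.ssl.checkRevocation system property together with the ocsp.enable security property, whose effect on an Elytron-built trust manager you should verify rather than assume), test with a certificate you know is revoked and confirm the handshake fails, and monitor the CRL's next-update time so a stale file does not quietly admit disabled cards.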