ACS with CAC/Smart Card Authentication

I have configured ACS 5.1 to authenticate a wireless user via EAP-TLS using the predefined Certificate Authentication Profile within ACS, but I don't understand how it is successfully authenticating users. Is it simply trusting any user that presents a certificate signed by the root certificate I imported into the ACS certificate authority?
Thanks.


Similar Messages

  • How to CAC (Smart Card) enable the server within JDev

    I need to know how to CAC (Smart Card) enable the server within JDev, or if it is even possible.

    Kamran,
    you are definitely thinking in the right direction.
    1) Would I need to export or enter all the existing users of the system presently available through an internal database to the SSO Repository, or is there a different way of getting the users into the OID when they first run the URL of our Oracle Forms app?
    You have a choice: pre-load (probably using LDIF) or create what I call a self-registration process. Pre-load will require the arduous task of gathering the CAC user CNs in advance. This is technically easy but logistically a nightmare.
    I created a self-registration JSP which is invoked by a failure to lookup a user in OID. Registration involves requiring a user to enter valid database credentials, testing the credentials (by making a connection) and binding the database userid/password to the CAC identity.
    2) How would I get the CAC Certificate CN from the Browser or CAC Card so I can make the comparison to the OID CN?
    When you configure the SSO for certificate authentication, the HTTP_Server will pass the SSL variables (which include the CAC certificate which was authenticated in the SSL handshake) to the sso/web application deployed in the OC4J_SECURITY container. You can install your own plug-in that the SSO will invoke where you can retrieve the authenticated certificate and get any of the information therein from Java.
    I recommend you get very acquainted with the SSO Admin Guide (esp. Cert authentication chapter), as well as, the Forms Deployment Guide (esp. SSO chapter).
    There is too much to fit here. Things would be a lot easier if Forms Server supported enterprise users for authentication to database. Forms apps are relegated to the whole business of RADs and such which gives you X.509 certificate (and thus CAC) authentication but is rather convoluted IMHO (password in the clear in the RAD, orclResourceViewer permission for Forms Server, userid/password login in the background) but that is a different discussion.
    Good Luck.
    regards,
    tt

  • Smart card authentication for IOS device

    I am just wondering if anyone was able to successfully implement smart card authentication for vty and console sessions. If anyone did, can you please point me to the documentation and the implementation guide? Thanks

    Actually, with the RSA key pair setup in IOS 15+, you can use a smart card to authenticate to Cisco switches. I'm still working out all the details but you would need SecureCRT or PuTTY-CAC. SecureCRT allows you to export the public key from a PKI cert and then import that into the switch/router. The disadvantage is you can only use the first cert in the list. PuTTY-CAC allows you to select which PKI cert you want to use but I haven't verified you can export the public key from a cert. If you contact me, I'll email you the info needed to use SecureCRT.
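The export step in the reply above does not need the card's private key at all: the public key is in the certificate, and any tool that can read the certificate can produce what IOS wants. The script below is an added example, not the reply author's procedure or anything from SecureCRT: it pulls the SubjectPublicKeyInfo out of a certificate with openssl, converts it to OpenSSH form with ssh-keygen, and emits the `ip ssh pubkey-chain` stanza with the base64 body folded so that no line exceeds the 254-character limit IOS documents for `key-string` input. Assumptions: openssl and ssh-keygen on PATH; the self-signed certificate is constructed as a stand-in for the one on the card; the key_md5 function assumes (this is not confirmed by the thread) that the MD5 fingerprint ssh-keygen reports is the value IOS later shows as `key-hash ssh-rsa` in the running configuration.

```shell
# Added example (not from the thread): public key from a certificate,
# formatted for IOS "ip ssh pubkey-chain". Assumes openssl and ssh-keygen.
WORK="$(mktemp -d)"
cd "$WORK" || exit 1

# Constructed stand-in for the certificate on the card: a self-signed RSA cert.
# Only the certificate (the public half) is used from here on.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=DOE.JOHN.1234567890" -keyout card.key -out card.pem 2>/dev/null

# pubkey_openssh <cert.pem>: the certificate's SubjectPublicKeyInfo, converted
# to the one-line OpenSSH form ("ssh-rsa AAAA...")
pubkey_openssh() {
  openssl x509 -in "$1" -noout -pubkey > "$1.spki"
  ssh-keygen -i -m PKCS8 -f "$1.spki"
}

# ios_key_string <cert.pem>: the base64 body only, folded at 72 columns,
# comfortably under the 254-character line limit for key-string input
ios_key_string() {
  pubkey_openssh "$1" | awk '{ print $2 }' | fold -w 72
}

# ios_config <cert.pem> <username>: the complete stanza to paste into
# configuration mode on the switch or router
ios_config() {
  printf 'ip ssh pubkey-chain\n username %s\n  key-string\n' "$2"
  ios_key_string "$1" | sed 's/^/   /'
  printf '  exit\n exit\nexit\n'
}

# key_md5 <cert.pem>: MD5 fingerprint of the key as ssh-keygen reports it,
# colons removed. Assumption (not confirmed on the page): this is what IOS
# displays as "key-hash ssh-rsa" once the key-string is accepted, so it can
# be compared against "show running-config" to confirm the right key landed.
key_md5() {
  pubkey_openssh "$1" > "$1.ssh"
  ssh-keygen -l -E md5 -f "$1.ssh" | awk '{ print $2 }' | sed 's/^MD5://; s/://g'
}

ios_config card.pem jdoe
echo "expected key-hash: $(key_md5 card.pem)"
```

The username under `pubkey-chain` must match the account the session will log in as; the key is what replaces the password, so the same account should not also keep a weaker password-based path open unless that is intended.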

  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anyway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OS X would also be good)? I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or a user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • Safari can use my CAC (Smart) Card to login to government websites but Firefox cannot.

    Safari and even Google Chrome can access my CAC card and log in to government websites, however Firefox just doesn't seem to even try. OS X Lion, Apple MacBook Pro, Firefox 5.0.1.

    Try:
    * [/questions/808161] Trying to use a CAC smart card reader with Mac version of Firefox
    * https://militarycac.com/firefox.htm

  • Smart card authentication

    I need to figure out how to allow users to authenticate to webi with a smart card. I'm using BOE XIr2 with Tomcat on Linux, and I have documentation for using Tomcat with smart cards, but I don't see anything in Business Objects documentation or the forums about smart cards, or linking a particular user's certificate from the card to a defined user account with a set of Business Objects permissions. Any suggestions?
    /me goes back to reading the Enterprise Deployment and Configuration guide
    -- Josh

    A smart card is typically integrated with AD. You should be able to set up AD auth or Vintela SSO. I've released a new doc; you can search for Vintela enterprises in the SMP portal. Also the XI 3.x admin guides show how to configure Kerberos.
    Regards,
    Tim

  • Compression with Java/Smart Cards

    I am a Software Development Student. I am currently researching the area of data ZIP compression in conjunction with Java/Smart cards. Just wondering if anyone has come across a similar project and if so where?
    Thanks.

    We can't deal with real compression; as you know, the JCVM is composed of the converter and the JCRE.
    The compression is related to the converter.jar.
    There are many ways to produce compressed code compared to the original, not optimised code.
    Real compression is not really possible on such a platform; the processor is not fast enough. In my mind, the only compression possible is RLE. Not very brilliant if it is not used for images...
    (sorry for my English writing...)

  • How to sign  PDF with a smart card or USB token in C# through IAC ?

    Hi,
    My goal is to apply a certification signature (MDP) to a PDF document with a smart card (Belgian identity card) from a C# application.
    I start Acrobat through IAC.
    The JavaScript object apparently can only sign with a PKCS12 file (.pfx)...
    To sign a PDF with a smart card I need to develop a plug-in, if I am right?
    The samples in the SDK are to get a certificate from the Windows certificate store or to write a third-party handler.
    I already get the certificate context (an HCRYPTPROV object from the Windows certificate store).
    How can I create a signature field but mostly sign it? With DigSig I guess, but I'm lost in the API... Do
    I have to use DigSigSignDoc?
    Syntax: void DigSigSignDoc(PDDoc pdDoc, CosObj sigField, ASAtom filterKey)
    The filterKey value for the Windows certificate store is "Adobe.PPKMS" but how can I choose my certificate?
    I also have to build a signature reference dictionary, I guess?
    What do I have to do and in which order? I can't find any documentation on this.
    Is there a simpler way?
    Thank you,
    Goffin
    Fabian

    Hi,
    - download the JDK sample "sdkAddSignature.js"
    - change the Sign method like this:
    Sign = app.trustedFunction(
        function (sigField, DigSigHandlerName) {
            try {
                app.beginPriv();
                // the DigSig handler is "Adobe.PPKLite"
                var myEngine = security.getHandler(DigSigHandlerName);
                var ids = myEngine.digitalIDs;
                // choose an ID which is installed in the Microsoft store
                // (index 3 here; uncomment the loop to list the available certificates)
                var oCert = ids.certs[3];
                // for (var i = 0; i < ids.certs.length; i++)
                //     console.println("certificate n°" + i + " " + ids.certs[i]);
                var oParams = { cPassword: "0000", oEndUserSignCert: oCert };
                if (myEngine.login({ cPassword: "0000", oParams: oParams, bUI: false }))
                    console.println("OK");
                else
                    console.println("Error");
                console.println("sigfield: " + sigField);
                // sign the field with the logged-in engine and the sample's signature info
                sigField.signatureSign({
                    oSig: myEngine,
                    oInfo: {
                        password: "0000",
                        reason: ACROSDK.sigReason,
                        location: ACROSDK.sigLocation,
                        contactInfo: ACROSDK.sigContactInfo
                    }
                });
                app.endPriv();
            } catch (e) {
                console.println("An error occurred: " + e);
            }
        }
    );
    - perform some tests using the JavaScript debugger
    - and finally use IAC to execute the script

  • 41N3004 compatibility with v2 smart cards

    Hello,
    Can someone let me know if 41N3004 is compatible with V2 smart cards? Not sure if V2 smart cards are ISO 7816 compliant.
    Thanks, Anand

    I don't know off the top of my head however this article may answer:
    About the SD and SDXC card slot - Apple Support

  • Support for smart-card authentication in PowerBuilder based application

    Hi, I have an application on PB11.5 with an Oracle DB back-end (11.2g). My DoD customer wants the application to use their DoD CAC Card (Smart Card) to authenticate against the Enterprise - Windows Active Directory domain, currently the application uses user-id\password for user authentication.  Is this something newer versions of PB can support and implement? Thank you.

    You have a couple of choices:
    1.  Depending on how old their workstations are, or if they have ActivClient installed, you could call the CAPICOM ActiveX using OLE commands
    2.  A solution that doesn't require that ActiveX is to use the Smart Card SDK built into newer versions of Windows.  It does require a lot lower-level coding though, as you have to issue specific APDU commands to the card and know how to handle the responses.
    I posted a sample of the latter to the NNTP groups back in 2011.  I suppose I should get around to creating a blog entry explaining how to use it.

  • Government CAC (Smart Cards) interface to Oracle 10g Forms and Reports

    I am working on Oracle Forms and Oracle Reports (10g) web applications for an Air Force customer. They want to use smart cards (CAC) to log onto their PCs and do not want to have to enter a login and password to enter my Oracle web application.
    Has anyone, or does anyone know of, a government customer that has an Oracle Forms and Reports application that does not require a login and password, but uses the CAC card information to connect? If so can you please provide the name of the organization and contact information. Thanks [email protected]

    Hi,
    I have been researching a CAC card solution for a DOD customer.
    We plan (hope) to authenticate users against their Active Directory accounts using Oracle Internet Directory and Single Sign-on Server. Active directory reads the CAC card, and Oracle verifies they are authenticated in Active Directory.
    Oracle Windows Native Authentication (WNA) may be what you're looking for.
    Here's an OBE on enabling WNA:
    http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
    Chapter 43 of the Oracle Internet Directory (9.0.4) guide discusses integration with Windows Active Directory:
    http://download-east.oracle.com/docs/cd/B10464_05/manage.904/b12118/odip_act.htm#127412
    If you haven't already done it, search these forums for "CAC". You'll find other posts from people who have implemented CAC authentication in their Oracle products.
    Good luck!
    Jim

  • Programming multiple smart cards with multiple smart card readers in a PC causes a PCSCException in a smart card that is in progress

    Hi,
    I develop Java code using the smartcardio API to program a smart card. My GUI allows adding at most 5 smart card readers that will wait for card present, then do authentication and program the smart card with an application, then wait for card removal. This is a separate thread running in a loop for each smart card reader added as a programmer.
    The problem occurs when a certain smart card is in progress and I insert another smart card into another smart card reader. Both smart card readers halt and throw sun.security.smartcardio.PCSCException: Unknown error 0x8010002f.
    I also observed that every time there is an attempt to insert/remove a smart card in the smart card reader that is connected to the USB port, the programming in progress is interrupted and throws the PCSCException.
    These are some exceptions I got during my testing:
    sun.security.smartcardio.PCSCException: Unknown error 0x8010002f
      at sun.security.smartcardio.PCSC.SCardTransmit(Native Method)
      at sun.security.smartcardio.ChannelImpl.doTransmit(ChannelImpl.java:171)
    java.lang.Exception: Loader Record Failed: 6E | 0 //Sometimes I got this return code SW1 0x6E SW2 0x00, which means an APDU with an invalid 'CLA' byte was received. I had checked the command before it was sent and it was correct.
    Help me understand this issue. I think CardTerminal.isCardPresent(), CardTerminal.waitForCardPresent(0), and CardTerminal.waitForCardAbsent(0) cause CardChannel.transmit(apduCommand) to be interrupted, or the smart card insertion/removal causes CardChannel.transmit(apduCommand) to be interrupted.
    Regards,
    Knivez

    Hi,
    When you work with one smart card reader only, you usually address slot -1, which means "the first found".
    But to deal with multiple readers you have to use slots, of course, since one reader will be slot 0, the next reader will be slot 1 and so on...
    So a credential object will be identified on a system by a pair
    <slot,alias>
    After that, the way to address slots (I mean the syntax) depends on the classes you are using...
    Bye

  • Configuring Weblogic Server for X.509 Smart Card Authentication

    I am running Oracle WebLogic 11g (10.3.6) and attempting to configure two-way SSL (client certificate requested and enforced). The client certificate is on a smart card.
    I have enabled "basic" SSL in the WebLogic server, and used keytool to import the relevant root CA certificates into the DemoTruststore.jks file. I have set the two-way client cert behavior to Client Certs Requested and Enforced for the server.
    Unfortunately, attempting to access my application causes the following:
    <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    <NO_CERTIFICATE alert was received from 127.0.0.1 - 127.0.0.1. Verify the SSL configuration has a proper SSL certificate chain and private key specified.>
    <Certificate chain received from 127.0.0.1 - 127.0.0.1 was incomplete.>
    The ActivClient dialog never appears to select a certificate from the smart card, and a PIN is never requested. Therefore, I think I misconfigured something.
    Help would be greatly appreciated.
    Jason

    Hello Mukunthan Damodharan,
    This means that the SSL server certificate does not have its fully qualified name in the subject alternative name extension of the X.509 certificate.
    You can create a valid one or disable that check in the Secure Login Client.
    How does the configuration get to the clients?
    With the Policy Download you can disable that check via the Secure Login Server administration console in the corresponding authentication profile.
    If manually, you can change the following registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\SAP\SecureLogin\profiles\<profile name>]
    "sslHostAlternativeNameCheck"=dword:00000000
    The value 0 disables that check on the client.
    best regards
    Alexander Gimbel

  • Get serial number of ACS 38 CCID smart card reader to identify it.

    I'm working with a native card, and for security I want to get a special feature of the smart card reader (serial number or anything) to distinguish it from other readers. I am using an ACS 38 CCID reader.
    What I did to find this:
    1. In Winscard.h there is a function named SCardGetAttribute(); when I use it to get the serial number, it shows an error like Error 0x00000032: the request is not supported, while it gives the serial number when I use another reader, SCM Microsystems Inc.
    2. When I go to the registry,
    HKLM\SYSTEM\CurrentControlSet\Services\A38CCID\Enum, I found there a
    string usb\vid_072f&pid_90cc\5&3873a573&0&2 (Device Instance Id), but for a number of readers it's similar, so here I fail again.
    Is there any way to get this or do I need to consult the manufacturer?
    I already use javax.smartcardio.*; is there any function to get the details of the connected reader?

    I'd bet my last Euro it's the second FRU you mentioned, 04W1637, because all FRUs, and all Lenovo MTMs and order numbers that I have ever seen consist of 7 digits or letters, this was so in the IBM days and has been the case ever since.

  • UAG smart card authentication plus kcdauthentication true

    Hi
    I have already set up smart card certificate authentication to the UAG portal. I'm using the certificate's Subject Alternative Name field and RFC822 Name to read the UPN information. It says 'RFC822
    Name=[email protected]'. I'm comparing that information to the AD account's mail attribute. Authentication works OK.
    In Active Directory, sAMAccountName is created from the UPN's first part: firstname.lastname. So far I have been able to use kcdauthentication and create a valid Kerberos ticket which is acceptable for delegation.
    The customer changed their sAMAccountName to a different form. KCD does not work anymore. I've tried to use the reg key:
    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\KCDUseUPN,1. It does not work.
    I have no idea how to change the inc files to not use sAMAccountName but instead use the UPN. The UPN matches mail.
    Any ideas?
    Thanks in advance :)
    br -teemu

    The article below might not give you a direct answer.
    But you may get an excellent idea of how to play around with INC files for your scenario.
    http://social.technet.microsoft.com/wiki/contents/articles/17031.how-to-get-client-certificate-authentication-working-on-a-uag-2010-portal.aspx
    Please let us know, how it goes. :)
