CAC Configuration Page
Use the CAC Configuration page to configure OneClick to use Common Access Cards (CAC) for authentication.
- Choose CAC Option: Specifies whether to enable or disable the CAC authentication solution.
  - Disable CAC: Disables CAC authentication.
  - Enable CAC: Enables CAC authentication.
The Trusted Keystore section contains the following fields:
- Trusted Keystore password: Specifies the password to use for accessing the Trusted Keystore. Default: changeit.
- Re-enter Trusted Keystore password: Confirms the password for accessing the Trusted Keystore.
The Revocation System section specifies how you want CA Spectrum to determine whether a CAC has been revoked. Select one of the following options:
- Enable OCSP AIA: Instructs CA Spectrum to retrieve the OCSP server parameters from the Authority Information Access (AIA) extension of the certificate on the Common Access Card.
- Enable OCSP Server: Specifies that you must provide a URL for accessing the OCSP server and a certificate for that server.
- Enable CRL Directory: Specifies that you must provide the path to a directory that contains CRL files.
- Enable CRL URL: Specifies a space-separated list of full URLs to the CRL files that the web server provides.
- Enable CRL Distribution Point: Specifies that CA Spectrum retrieves the web location of the CRL files from the certificate itself (its CRL Distribution Points extension).
The OCSP AIA Connectivity section appears when you select Enable OCSP AIA in the Revocation System section. This section contains the following option:
- Test OCSP AIA: Verifies that OCSP AIA is working properly.
The OCSP Server Connectivity section appears when you select Enable OCSP Server in the Revocation System section. This section contains the following options:
- OCSP Server URL: Specifies the complete URL for accessing the OCSP Responder. The complete URL is required because many OCSP Responders are servlets running on a larger OCSP server.
- OCSP Server Certificate Alias: Specifies the certificate for the specified OCSP server.
- Test OCSP Server: Tests the connection to the OCSP server using the credentials that you entered.
The Certificate Revocation Lists section appears when you select Enable CRL Directory or Enable CRL URL in the Revocation System section. It contains the following settings, depending on the CRL option that you selected:
- CRL Directory: Specifies the full path to the directory that contains the CRL files for verifying user certificates.
- CRL URL: Specifies a space-separated list of full URLs to the CRL files that the web server provides.
- Test CRL Availability: Attempts to load the CRLs in the specified directory.
The LDAP Username Lookup section contains the following settings:
- Enable LDAP: Enables LDAP.
- LDAP Server Hostname: Specifies the host name of an LDAP server that contains the users that correspond to user certificates.
- LDAP Server Port: Specifies the port number for accessing the LDAP server.
- Enable SSL: Enables a secure connection to the LDAP server using SSL. Load the LDAP server certificate if you enable SSL.
- LDAP Base DN: Specifies the LDAP base distinguished name.
- LDAP User DN: Specifies the distinguished name (DN) of the user that is used to query the LDAP server.
- LDAP User Password: Specifies the password of the user that is used to query the LDAP server.
- Re-enter LDAP User Password: Confirms the LDAP user password.
- Certificate's EDIPI Field: Specifies the source for user ID information. Select one of the following options, which describe the format in which the EDIPI is stored in the CAC certificate.
- EDIPI Extraction Rule: Specifies the rule to use to extract the EDIPI from the CAC certificate field.
  Type: Java regular expression
  Example: The default value for this field is "CN=\w*\.\w*\.(\d+),". This rule matches a string that resembles the following example: CN=aaaa.bbbbbb.1233454,xxxxxxxxxxxxxxxxx
  A regex capturing group must be defined in the regular expression. CA Spectrum uses the first defined group in the expression to extract the unique user ID information. The default rule is read as follows:
  - Literal "CN="
  - Any word (possibly empty): \w*
  - Literal "."
  - Any word (possibly empty): \w*
  - Literal "."
  - Integer number (non-empty, captured as the EDIPI): \d+
  - Literal ","
  - Anything can follow.
- LDAP EDIPI Attribute Name: Specifies the name of the LDAP field that stores the EDIPI (or other unique identifier) information.
- LDAP Username Attribute Name: Specifies the name of the LDAP field that stores the CA Spectrum user name information.
- LDAP Referral Setting: Specifies how OneClick handles LDAP referrals.
  - follow (Default): Instructs OneClick to automatically follow any referrals.
  - throw: Instructs OneClick to throw an exception for each referral. The request is likely to fail with an "Unprocessed Continuation Reference(s)" error.
  - ignore: Instructs OneClick to ignore referrals. The request is likely to fail with an "Unprocessed Continuation Reference(s)" error.
- Test LDAP Server: Attempts to connect to the LDAP server using the credentials that you supplied.
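As an added example that is not part of this page or of the CA Spectrum product, the following Python applies the default EDIPI Extraction Rule to constructed certificate subject strings, enforces the capturing-group requirement, shows why only the first group matters, and escapes the extracted value before it is used in a lookup against the LDAP EDIPI attribute. Python is used because the default rule contains only syntax that Java regular expressions share; the adapted four-part rule, the attribute name and all subject strings are assumptions.

```python
import re

# Default rule from the CAC Configuration page; it uses only regex syntax that
# Java and Python share, so the behaviour shown here matches the Java engine.
DEFAULT_EDIPI_RULE = r"CN=\w*\.\w*\.(\d+),"


def compile_rule(rule: str) -> re.Pattern:
    """Compile an extraction rule and enforce the page's requirement that
    the expression defines at least one capturing group."""
    pattern = re.compile(rule, re.ASCII)  # Java's \w is ASCII-only by default
    if pattern.groups == 0:
        raise ValueError("EDIPI extraction rule must define a capturing group")
    return pattern


def extract_edipi(subject: str, rule: str = DEFAULT_EDIPI_RULE):
    """Return the first capturing group of the first match in the certificate
    subject string, or None when the rule does not match at all."""
    match = compile_rule(rule).search(subject)
    return match.group(1) if match else None


def ldap_filter(attribute: str, edipi: str) -> str:
    """Build the equality filter used to look the user up by EDIPI, escaping
    the value as RFC 4515 requires so it cannot alter the filter structure."""
    escapes = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    safe = "".join(escapes.get(ch, ch) for ch in edipi)
    return f"({attribute}={safe})"


# Constructed subject strings in the layout the page's example shows
# (CN=aaaa.bbbbbb.1233454,...); none is real certificate data.
SUBJECT_DEFAULT = "CN=aaaa.bbbbbb.1233454,OU=constructed,O=example"
SUBJECT_FOUR_PARTS = "CN=aaaa.bb.cccc.1233454,OU=constructed,O=example"

# Hypothetical adapted rule for a CN with any number of dotted name parts; the
# non-capturing group keeps the EDIPI as the first (and only) captured group.
FOUR_PART_RULE = r"CN=(?:\w*\.)+(\d+),"

if __name__ == "__main__":
    print(extract_edipi(SUBJECT_DEFAULT))                     # 1233454
    print(extract_edipi(SUBJECT_FOUR_PARTS))                  # None: default rule does not match
    print(extract_edipi(SUBJECT_FOUR_PARTS, FOUR_PART_RULE))  # 1233454
    print(ldap_filter("edipi", "1233454"))                    # (edipi=1233454)
```

A rule whose first group is not the EDIPI, such as "CN=(\w*)\.\w*\.(\d+),", silently yields the name component instead, which is why the page insists on the first group.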
Modify LDAP Referral Setting
The LDAP Referral Setting specifies how OneClick handles LDAP referrals. When an LDAP server cannot locate a requested object, the server returns a referral to the client. The referral directs the request to another server to locate the object. By default, OneClick automatically follows referrals to obtain the requested information.
You can instead configure OneClick to ignore referrals or to throw an exception for each referral. The LDAP Referral Setting is hidden by default on the CAC Configuration page. To modify its value, first change the configuration file so that the field is displayed.
Follow these steps:
- Open <$SPECROOT>/tomcat/webapps/spectrum/WEB-INF/cac/cac-config.jsp in a text editor.
- Uncomment the LDAP Referral Setting display code. The code is wrapped in a single HTML comment that starts with <!-- BEGIN HIDDEN REFERRAL SETTING SECTION and ends with END HIDDEN REFERRAL SETTING SECTION -->:
  - Add "-->" after <!-- BEGIN HIDDEN REFERRAL SETTING SECTION, so that the opening marker becomes a complete comment on its own.
  - Add "<!--" before END HIDDEN REFERRAL SETTING SECTION -->, so that the closing marker becomes a complete comment on its own.
- Save and close the file.
- Refresh the CAC Configuration page. The LDAP Referral Setting field appears.
- Select a value from the LDAP Referral Setting drop-down list, and click Save. The new LDAP Referral Setting takes effect.