CAC Configuration Page

Use the CAC Configuration page to configure OneClick to use Common Access Cards (CAC) for authentication.
  • Choose CAC Option
    Specifies whether to enable or disable the CAC authentication solution.
    • Disable CAC
      Disables CAC authentication.
    • Enable CAC
      Enables CAC authentication.
The Trusted Keystore section contains the following fields:
  • Trusted Keystore password
    Specifies the password to use for accessing the Trusted Keystore: changeit.
  • Re-enter Trusted Keystore password
    Confirms the password for accessing the Trusted Keystore.
The Revocation System section specifies how you want CA Spectrum to determine whether a CAC has been revoked. Select one of the following options:
  • Enable OCSP AIA
    Instructs CA Spectrum to retrieve the parameters of the OCSP server from the “AIA extension” of the certificate on the Common Access Card.
  • Enable OCSP Server
    Specifies that the user must provide a URL to access OCSP server and a certificate for this server.
  • Enable CRL Directory
    Specifies that a path to the directory that contains CRL files is required.
  • Enable CRL URL
    Specifies a list, separated by spaces, of full URLs to the CRL files that the web server provides.
  • Enable CRL Distribution Point
    Specifies that CA Spectrum retrieves the information about the web location of the CRL files from the certificate itself.
The OCSP AIA Connectivity section appears when you select Enable OCSP AIA in the Revocation System section. This section contains the following option:
  • Test OCSP AIA
    Verifies that OCSP AIA is working properly.
The OCSP Server Connectivity section appears when you select Enable OCSP Server in the Revocation System section. This section contains the following options:
  • OCSP Server URL
    Specifies the complete URL for accessing the OCSP Responder. The complete URL is used because many OCSP Responders are servlets running on a larger OCSP server.
  • OCSP Server Certificate Alias
    Specifies the certificate for the specified OCSP server.
  • Test OCSP Server
    Tests the connection to the OCSP server based on the credentials that you entered.
The Certificate Revocation Lists section appears when you select Enable CRL Directory or Enable CRL URL in the Revocation System section. It contains the following settings, depending on the CRL option that you selected:
  • CRL Directory
    Specifies the full path to the directory that contains the CRL files for verifying user certificates.
  • CRL URL
    Specifies a list of full URLs, separated by spaces, to the CRL files that the web server provides.
  • Test CRL Availability
    Attempts to load the CRLs in the specified directory.
The LDAP Username Lookup section contains the following settings:
  • Enable LDAP
    Enables LDAP.
  • LDAP Server Hostname
    Specifies the host name of an LDAP server that contains users that correspond to user certificates.
  • LDAP Server Port
    Specifies the port number for accessing the LDAP server.
  • Enable SSL
    Enables a secure connection to the LDAP server using SSL.
    Load the LDAP server certificate if you enable SSL.
  • LDAP Base DN
    Specifies the LDAP base distinguished name.
  • LDAP User DN
    Specifies the distinguished name (DN) of the user that is used to query the LDAP server.
  • LDAP User Password
    Specifies the password of the user that is used to query the LDAP server.
  • Re-enter LDAP User Password
    Confirms the LDAP user password.
  • Certificate's EDIPI Field
    Specifies the source for user ID information. Select one of the following options, which describe the format in which EDIPI is stored in the CAC certificate:
    • Subject
    • SubjectUniqueId
    • AltName.otherName
    • AltName.rfc882Name
  • EDIPI Extraction Rule
    Specifies the rule to use to extract EDIPI from the CAC certificate field.
    Type: Java regular expression
    Example: the default value for this field is as follows:
    "CN=\w*\.\w*\.(\d+),";
    This string defines a rule that matches a string that resembles the following example:
    CN=aaaa.bbbbbb.1233454,xxxxxxxxxxxxxxxxx
    • Literal “CN=”
    • Any word (possibly empty) \w*
    • Literal “.”
    • Any word (possibly empty) \w*
    • Literal “.”
    • Integer number (non-empty) \d+
    • Literal “,”
    • Anything can follow.
    A regex capturing group must be defined in the regular expression. CA Spectrum uses the first defined group in the expression to extract unique user ID information. More information about capturing groups is available on the Internet.
  • LDAP EDIPI Attribute Name
    Specifies the name of the LDAP field that is used to store EDIPI (or other unique identifier) information.
  • LDAP Username Attribute Name
    Specifies the name of the LDAP field that is used to store CA Spectrum user name information.
  • LDAP Referral Setting
    Specifies how OneClick handles LDAP referrals.
    • follow
      (Default) Instructs OneClick to automatically follow any referrals.
    • throw
      Instructs OneClick to throw an exception for each referral. The request is likely to fail with an "Unprocessed Continuation Reference(s)" error.
    • ignore
      Instructs OneClick to ignore referrals. The request is likely to fail with an "Unprocessed Continuation Reference(s)" error.
    LDAP Referral Setting is hidden by default on the CAC Configuration page. To display this field and change its value, see Modify LDAP Referral Setting.
  • Test LDAP Server
    Attempts to connect to the LDAP server using the credentials that you supplied.
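The following is an added example (not code from CA Spectrum or this page) showing how the EDIPI Extraction Rule above behaves when applied to a certificate subject field, and how the captured value would then feed the LDAP EDIPI attribute lookup. It uses Python's re module with the ASCII flag so that \w and \d behave as they do in java.util.regex; the sample subject strings, the alternate rule and the ldap_edipi_filter helper are constructed for illustration and are not part of the product.

```python
import re
from typing import Optional

# Default EDIPI Extraction Rule from the CAC Configuration page.
DEFAULT_RULE = r"CN=\w*\.\w*\.(\d+),"

def compile_rule(rule: str) -> re.Pattern:
    """Compile an extraction rule, enforcing the page's requirement that it
    defines a capturing group. re.ASCII makes \\w and \\d ASCII-only, matching
    the java.util.regex defaults that OneClick applies."""
    pattern = re.compile(rule, re.ASCII)
    if pattern.groups < 1:
        raise ValueError("extraction rule must define a capturing group")
    return pattern

def extract_edipi(subject: str, rule: str = DEFAULT_RULE) -> Optional[str]:
    """Return the first capturing group of the rule applied to the certificate
    field, or None when the rule does not match. A None result must fail the
    login; never fall back to a partial identifier."""
    # search() rather than fullmatch(): "anything can follow" the literal ','.
    match = compile_rule(rule).search(subject)
    return match.group(1) if match else None

def ldap_edipi_filter(attribute: str, edipi: str) -> str:
    """Build the LDAP filter for the EDIPI attribute lookup, escaping the
    value per RFC 4515. The default rule only captures digits, but a custom
    rule could capture characters that would otherwise alter the filter."""
    escaped = "".join(
        c if c not in "*()\\\x00" else f"\\{ord(c):02x}" for c in edipi
    )
    return f"({attribute}={escaped})"

# Constructed sample subject fields (not real certificate data).
SAMPLE_SUBJECT = "CN=aaaa.bbbbbb.1233454,OU=EXAMPLE,O=EXAMPLE,C=US"
# Same shape but with one extra name component between the dots.
SAMPLE_EXTRA_COMPONENT = "CN=aaaa.bbbbbb.c.1233454,OU=EXAMPLE,C=US"
# Assumed alternate rule that accepts any number of dot-separated words.
MULTI_COMPONENT_RULE = r"CN=(?:\w*\.)+(\d+),"

if __name__ == "__main__":
    edipi = extract_edipi(SAMPLE_SUBJECT)
    print(edipi, ldap_edipi_filter("employeeNumber", edipi))
    print(extract_edipi(SAMPLE_EXTRA_COMPONENT))                       # None
    print(extract_edipi(SAMPLE_EXTRA_COMPONENT, MULTI_COMPONENT_RULE))
```

Test a changed rule against the certificates you actually issue before saving it, because a rule that silently stops matching locks every CAC user out of OneClick.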
Modify LDAP Referral Setting
The LDAP Referral Setting specifies how OneClick handles LDAP referrals. When an LDAP server cannot locate a requested object, the server returns a referral to the client. The referral directs the request to another server to locate the object. By default, OneClick automatically follows referrals to obtain the requested information.
You can also specify to ignore referrals or to throw an exception for each referral. The LDAP Referral Setting is hidden by default on the CAC Configuration page. To modify its value, change the configuration file to display the field.
Follow these steps:
  1. Open <$SPECROOT>/tomcat/webapps/spectrum/WEB-INF/cac/cac-config.jsp in a text editor.
  2. Uncomment the LDAP Referral Setting display code:
    1. Add "-->" after <!-- BEGIN HIDDEN REFERRAL SETTING SECTION
    2. Add "<!--" before END HIDDEN REFERRAL SETTING SECTION -->
  3. Save and close the file.
  4. Refresh the CAC Configuration page.
    The LDAP Referral Setting field appears.
  5. Select a value from the LDAP Referral Setting drop-down list, and click Save.
    The new LDAP Referral Setting takes effect.