Common Access Card introduction

The Common Access Card (CAC) is the United States Department of Defense (DoD) smart card for multi-factor authentication. CACs are issued as standard identification for active-duty military personnel, reserve personnel, civilian employees, non-DoD government employees, state employees of the National Guard and eligible contractor personnel. In addition to its use as an ID card, a CAC is required for access to government buildings and computer networks.

If you have not configured CACs for Service Manager, you must do so before you can enable CAC for Service Request Catalog. To do this, refer to the following sections of the Service Manager Help Center:

  • Common Access Card (CAC) sign-on
  • Requirements for CAC sign-on

You may also want to review the following example in the Service Manager Help Center:

  • Example: Enabling CAC sign-on

If you have already configured CACs for Service Manager, you can skip ahead to the following section.

Enable SRC for Common Access Cards

To enable Common Access Cards for Service Request Catalog, follow these steps:

  1. Enable CAC in Service Manager. To do this, use the cacsignon parameter from a Service Manager command line, or specify it in the sm.ini file.

    Command line: sm -httpPort:13080 -cacsignon:1
    Initialization file: cacsignon:1

    For more information on this parameter, see Parameter: cacsignon.

  2. Complete the following tasks from the "Example: enabling CAC sign-on" section of the Service Manager Help Center.

    Task 1: Enable required SSL encryption and trusted clients.
    Task 2: Enable CAC sign-on in the SM server.
    Task 5: Connect your web application server to the web server.
    Task 6: Configure your web application server to use SSL.
    Task 7: Configure the web server to use SSL.
    Task 8: Create operator records for CAC users.
    Task 9: Configure web browsers to enable web client users to use CAC.
    Task 10: Test your CAC sign-on setup.

    Note  

    • When you perform "Task 1: Enable required SSL encryption and trusted clients", you are referred to "Example: Enabling required SSL encryption and trusted clients" section of the Service Manager Help Center. You need to copy the keystore files generated at step 9 of this procedure to the WEB-INF folder in your Service Request Catalog deployment or, if needed, to a folder that you plan to specify in the applicationContext.properties file.
    • Tasks 3 and 4, which are missing from the preceding list, refer to the configuration of the Service Manager Web tier and Windows client, and are not a consideration for Service Request Catalog.
    • If you choose to use CAC, make sure that you have configured Service Request Catalog to use SSL and either TSO or LW-SSO (as appropriate for your environment) as described in the Service Manager upgrade documentation.

The following tables summarize how your property files should be configured after you have enabled CAC.

applicationContext.properties

  Configure these properties:

    sm.protocol=
    sm.hostname=
    sm.port=13443
    src.trustStore=
    src.trustStorePassword=
    src.keyStore=
    src.keyStorePassword=

  Comments: Enables two-way SSL between Service Request Catalog and Service Manager.

    Note  The keystore and truststore files are generated when you complete "Task 1: Enable required SSL encryption and trusted clients." See the previous note for where to copy them.

  Example:

    sm.protocol=https
    sm.hostname=[FQDN]
    sm.port=13443
    src.trustStore=C:\\client\\cacerts
    src.trustStorePassword=changeit
    src.keyStore=C:\\client\\src.keystore
    src.keyStorePassword=clientkeystore

    (The doubled backslashes are the .properties escape for a Windows path; the file is read as C:\client\cacerts.)

  Configure these properties:

    src.security.mode=cac
    src.security.cac=true

  Comments: Enables CAC.

  Configure these properties:

    src.security.secureLogin=true
    src.security.sslPort=8443

  Comments: Enables the SSL connection between Service Request Catalog and the end user's browser.

 

cacConfiguration.properties

  certificateFieldExtractDN=Subject.CN

    Names the certificate field that holds the login name, in the form <Part>.<Attribute>. If the login name is carried in the certificate Subject, use for example:

      Subject.CN

    which extracts the Common Name attribute of the Subject DN. The extracted value must match an operator record (Task 8, Create operator records for CAC users).

  validationStrategy=1

    With this strategy, the client certificate is verified in the following sequence:

      1. Check the revocation status by using the local CRL.
      2. Check the revocation status by using an online CRL.
      3. Check the revocation status by using OCSP.
      4. Check whether the certificate has expired.
      5. Check whether the certificate type is smart card.

  RootCertPath=

    Specifies the file path of the issuing CA certificate. This property is mandatory.

    Example:

      RootCertPath=C:/client/CAC/hp_ca_for_cac.cer

  CRLRefreshScheduler=

    Specifies the CRL refresh interval in minutes, if CRL checking is enabled.

    Example:

      CRLRefreshScheduler=1440

  CRLDownloadURL=

    The URL from which the CRL is downloaded. If it is not specified, the CRL Distribution Point of each certificate being validated is used instead, which slows performance dramatically.

    Example:

      CRLDownloadURL=http://onsitecrl.example.com/LatestCRL.crl

  CRLStoreLocation=

    Specifies the file path where the CRL is stored.

  OCSPResponderURL=

    The URL of the OCSP responder. By default, the responder location is taken from the Authority Information Access extension of the certificate being validated (defined in RFC 3280, since superseded by RFC 5280). Set this property when that extension is absent from the certificate or needs to be overridden.

    Example:

      OCSPResponderURL=http://ocsp.example.net:80
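A half-finished CAC configuration (for example src.security.mode=cac with src.security.cac still false, or a cacConfiguration.properties without RootCertPath) is easy to produce when the settings are spread over two files. The following is an added example, not code from Service Request Catalog or the Service Manager Help Center: it parses both files in Java .properties syntax and checks the combinations the two tables above describe. The hostnames, paths and file contents are constructed; the warning about the JDK default truststore password "changeit" is the example's own check, not something the tables require.

```python
"""Lint the CAC settings of a Service Request Catalog deployment.
Added example, not code from SRC or the Service Manager Help Center: it reads
Java .properties text (the format of both files in the tables above) and
checks the combinations those tables describe. Sample content is constructed."""
import re


def _unescape(s):
    """Resolve .properties escapes: doubled backslash, \\t \\n \\r \\f, \\uXXXX."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\" or i + 1 == len(s):
            out.append(s[i])
            i += 1
        elif s[i + 1] == "u" and re.fullmatch(r"[0-9A-Fa-f]{4}", s[i + 2:i + 6]):
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        else:
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(s[i + 1], s[i + 1]))
            i += 2
    return "".join(out)


def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, backslash continuation lines."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:  # the trailing "" flushes an open continuation
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2:  # odd trailing '\': line continues
            pending += line[:-1]
            continue
        logical, pending = pending + line, ""
        # key ends at the first unescaped '=', ':' or whitespace (Java rules)
        m = re.match(r"((?:\\.|[^=:\s])*)[ \t]*[=:]?[ \t]*(.*)", logical)
        props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props


def lint_cac_config(app, cac):
    """Return [(severity, message)] for one applicationContext/cacConfiguration pair."""
    f = []
    if app.get("sm.protocol") != "https":
        f.append(("ERROR", "sm.protocol must be https (two-way SSL to Service Manager)"))
    for k in ("src.trustStore", "src.trustStorePassword", "src.keyStore", "src.keyStorePassword"):
        if not app.get(k):
            f.append(("ERROR", f"{k} is missing; two-way SSL needs both stores"))
    if app.get("src.trustStorePassword") == "changeit":
        f.append(("WARN", "src.trustStorePassword is the JDK default 'changeit'"))
    mode, flag = app.get("src.security.mode"), app.get("src.security.cac")
    if (mode == "cac") != (flag == "true"):
        f.append(("ERROR", f"src.security.mode={mode!r} and src.security.cac={flag!r} disagree"))
    if app.get("src.security.secureLogin") != "true":
        f.append(("ERROR", "src.security.secureLogin must be true (TLS from browser to SRC)"))
    elif not app.get("src.security.sslPort", "").isdigit():
        f.append(("ERROR", "src.security.sslPort must be the SRC HTTPS port, e.g. 8443"))
    if not cac.get("RootCertPath"):
        f.append(("ERROR", "RootCertPath (issuing CA certificate) is mandatory"))
    sel = cac.get("certificateFieldExtractDN", "")
    if not re.fullmatch(r"[A-Za-z]+\.[A-Za-z0-9]+", sel):
        f.append(("ERROR", f"certificateFieldExtractDN={sel!r} is not <Part>.<Attribute>, e.g. Subject.CN"))
    if not cac.get("validationStrategy", "").isdigit():
        f.append(("ERROR", "validationStrategy must be set (documented value: 1)"))
    if not cac.get("CRLDownloadURL"):
        f.append(("WARN", "CRLDownloadURL unset: each certificate's CRL Distribution Point is fetched (slow)"))
    return f


# Constructed samples; hostnames, paths and passwords are placeholders.
APP_WEAK = r"""
sm.protocol=http
src.trustStore=C:\\client\\cacerts
src.trustStorePassword=changeit
src.security.mode=cac
src.security.cac=false
src.security.secureLogin=false
"""
CAC_WEAK = "certificateFieldExtractDN=CN\nvalidationStrategy=1\n"
APP_GOOD = r"""
sm.protocol=https
sm.hostname=sm.example.internal
sm.port=13443
src.trustStore=C:\\client\\cacerts
src.trustStorePassword=changeit
src.keyStore=C:\\client\\src.keystore
src.keyStorePassword=clientkeystore
src.security.mode=cac
src.security.cac=true
src.security.secureLogin=true
src.security.sslPort=8443
"""
CAC_GOOD = r"""
certificateFieldExtractDN=Subject.CN
validationStrategy=1
RootCertPath=C:/client/CAC/hp_ca_for_cac.cer
CRLRefreshScheduler=1440
CRLDownloadURL=http://onsitecrl.example.com/LatestCRL.crl
"""
```

Run lint_cac_config(parse_properties(open(...).read()), ...) against the two real files before restarting the web application server; the weak sample above yields seven errors and two warnings, while the configuration matching the tables yields only the "changeit" warning.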
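Because certificateFieldExtractDN=Subject.CN means the login name that is matched against an operator record comes out of a distinguished name, how that DN is parsed is security relevant: splitting on "," and searching for "CN=" would let an attribute value containing an escaped comma or a literal "CN=" pose as the Common Name. The following added example (not code from Service Request Catalog or the Help Center) parses an RFC 4514 string DN and applies a Subject.CN-style selector, rejecting a Subject with zero or several CN values. The sample DN is constructed in the CN=LAST.FIRST.MIDDLE.EDIPI shape used on DoD CACs; supporting only the Subject part of the selector is an assumption of this example.

```python
"""Extract the login name from a certificate Subject DN as a
certificateFieldExtractDN=Subject.CN setting implies.

Added example, not code from SRC or the Service Manager Help Center. DN syntax
follows RFC 4514; the sample DN is constructed. Only the Subject part of the
selector is supported here (an assumption of this example)."""
import re

# Constructed: CN=LAST.FIRST.MIDDLE.EDIPI shape, every value made up.
SAMPLE_SUBJECT = "CN=DOE.JOHN.Q.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US"


def parse_dn(dn):
    """Parse an RFC 4514 string DN into an ordered list of (TYPE, value) pairs.

    Escapes (backslash before , + " = etc., and \\XX UTF-8 hex pairs), quoted
    values and '+'-joined multi-valued RDNs are honoured, so a ',' or 'CN='
    inside a value cannot be mistaken for a separate attribute.
    """
    rdns, attr, buf, quoted, i = [], None, [], False, 0

    def flush():
        nonlocal attr, buf
        if attr is None:
            raise ValueError("attribute value without a type in DN")
        while buf and buf[0] == (" ", False):   # unescaped padding is not significant
            buf.pop(0)
        while buf and buf[-1] == (" ", False):
            buf.pop()
        rdns.append((attr.strip().upper(), "".join(ch for ch, _ in buf)))
        attr, buf = None, []

    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            raw = bytearray()                   # a run of \XX pairs is UTF-8 bytes
            while dn[i:i + 1] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                raw += bytes.fromhex(dn[i + 1:i + 3])
                i += 3
            if raw:
                buf.append((raw.decode("utf-8"), True))
            else:                               # \, \+ \" \\ ...: literal next char
                buf.append((dn[i + 1], True))
                i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "=" and attr is None and not quoted:
            attr, buf = "".join(ch for ch, _ in buf), []
        elif c in ",;+" and not quoted:
            flush()
        else:
            buf.append((c, False))
        i += 1
    flush()
    return rdns


def extract_login(selector, subject_dn):
    """Apply a <Part>.<Attribute> selector such as 'Subject.CN' to a Subject DN.

    Exactly one matching attribute is required: a Subject with no CN, or with
    several, is rejected rather than guessed at.
    """
    part, _, attr = selector.partition(".")
    if part.lower() != "subject" or not attr:
        raise ValueError(f"unsupported selector {selector!r}; expected Subject.<Attribute>")
    values = [v for t, v in parse_dn(subject_dn) if t == attr.upper()]
    if len(values) != 1:
        raise ValueError(f"expected exactly one {attr} in Subject, found {len(values)}")
    return values[0]


if __name__ == "__main__":
    print(extract_login("Subject.CN", SAMPLE_SUBJECT))
```

The escaped-comma case is the one to keep in mind: in OU=helpdesk\,CN=admin,CN=DOE.JOHN.Q.1234567890,C=US the first "CN=admin" is part of the OU value, and the parser above returns the genuine CN.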