David-746
I'm not too familiar with CAC (Common Access Cards) but I learned that they basically store certificates. Is there a way to just bypass the CAS login screen when a user has their CAC in the computer? Basically the computer would automatically read the certificate and, when it should be redirected to the CAS page, the user would automatically get the ticket. Is that possible?

Thanks,
David

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Marvin Addison
> I'm not too familiar with CAC (Common Access Cards) but I learned that they basically store certificates. Is there a way to just bypass the CAS login screen when a user has their CAC in the computer?

I believe the X509CredentialsAuthenticationHandler, http://www.ja-sig.org/wiki/display/CASUM/X.509+Certificates, should meet your needs. We use this to non-interactively authenticate users when an eToken Pro USB device containing a client cert is inserted into the computer.

M
David-746
Got it. I'll take a look at that ASAP. Thanks again!

BTW, how do you get the browser to automatically read the certificate straight from the card?

-David
Marvin Addison
> BTW, how do you get the browser to automatically read the certificate straight from the card?

I have no idea. In the case of the eToken Pro, there's a proprietary PKCS12 provider library that communicates directly with the token. Then anything that can talk to PKCS12 modules, e.g. pcscd on Linux, can communicate with the token. You need both the middleware and the eToken libs for the browser to read the certificate from the token.

From my experience the middleware is good, and the proprietary stuff stinks. I hope you have better luck. Please report back to the list on your experience if you get it working. It'd be nice to have some feedback on ease of use/integration of other hardware security devices.

M
David-746
Using ActivClient, it imports the user certificates from the CAC into whatever browser you're using. For example, in Firefox 3.5 (Tools > Options > Advanced > Encryption > View Certificates) you can view the certain certificates. That is also the case when I use IE7. Although, whenever I pull the card out, the certificates go away.

I'm still trying to figure out how I can use those certificates and automatically authenticate them using CAS, so CAS can just pass the ticket as soon as it sees that the certificate is there.

-David
Marvin Addison
> I'm still trying to figure out how I can use those certificates and automatically authenticate them using CAS so CAS can just pass the ticket as soon as they see that there is the certificate there.

You can certainly do this. http://www.ja-sig.org/wiki/display/CASUM/X.509+Certificates has excellent instructions.

M
David-746
Thanks a bunch. I've been reading that for a while now and believe I have things set up. I'm testing this on the CASified Tomcat HelloWorldExample. When I click the example, the ActivClient card reader prompts for a password, but I'm not sure what it is. How can I have it so that if there is no CAC inserted, it redirects to the regular CAS login page? Below is my added code and the error I get when I start Tomcat...

<!-- in cas-servlet.xml -->
<bean id="x509Check"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction" >
    <property name="centralAuthenticationService" ref="centralAuthenticationService"/>

<!-- in deployerConfigContext.xml... each block of code is placed where it is supposed to be -->
<bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToIdentifierPrincipalResolver">
    <property name="identifier" value="$CN" />
</bean>

<bean class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
    <property name="trustedIssuerDnPattern" value="CN=DOD JITC EMAIL CA-11" />
    <!--
    <property name="maxPathLength" value="3" />
    <property name="checkKeyUsage" value="true" />
    <property name="requireKeyUsage" value="true" />
    -->
</bean>

<!-- server.xml configuration -->
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS" SSLEnabled="true"
    keystoreFile="C:/Documents and Settings/username/.keystore"
    keystorePass="changeit"
    truststoreFile="C:/Program Files/Java/jdk1.6.0_10/jre/lib/security/cacerts" />

<!-- in login-webflow.xml -->
<action-state id="startAuthenticate">
    <action bean="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="viewLoginForm" />
</action-state>

<!-- tomcat error -->

<!-- stdout log -->
2009-07-14 16:06:34,578 ERROR [org.springframework.web.servlet.DispatcherServlet] - <Context initialization failed>
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 135 in XML document from ServletContext resource [/WEB-INF/cas-servlet.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'bean'. One of '{"http://www.springframework.org/schema/beans":meta, "http://www.springframework.org/schema/beans":constructor-arg, "http://www.springframework.org/schema/beans":property, "http://www.springframework.org/schema/beans":lookup-method, "http://www.springframework.org/schema/beans":replaced-method, WC[##other:"http://www.springframework.org/schema/beans"]}' is expected.
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:404)
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:342)
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:310)
	at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
	at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:178)
	at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:149)
	at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:124)
	at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:92)
	at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:123)
	at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:422)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
	at org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:402)
	at org.springframework.web.servlet.FrameworkServlet.initWebApplicationContext(FrameworkServlet.java:316)
	at org.springframework.web.servlet.FrameworkServlet.initServletBean(FrameworkServlet.java:282)
	at org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:126)
	at javax.servlet.GenericServlet.init(GenericServlet.java:212)
	at org.jasig.cas.web.init.SafeDispatcherServlet.init(SafeDispatcherServlet.java:64)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1161)
	at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:981)
	at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4045)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4351)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
	at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:825)
	at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:714)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
	at org.apache.catalina.core.StandardService.start(StandardService.java:516)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'bean'. One of '{"http://www.springframework.org/schema/beans":meta, "http://www.springframework.org/schema/beans":constructor-arg, "http://www.springframework.org/schema/beans":property, "http://www.springframework.org/schema/beans":lookup-method, "http://www.springframework.org/schema/beans":replaced-method, WC[##other:"http://www.springframework.org/schema/beans"]}' is expected.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.emptyElement(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
	at org.springframework.beans.factory.xml.DefaultDocumentLoader.loadDocument(DefaultDocumentLoader.java:75)
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
	... 42 more

Line 135 of cas-servlet.xml is

<bean id="openIdProviderController" class="org.jasig.cas.web.OpenIdProviderController"
---> p:loginUrl="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}" />

<!-- localhost log -->
SEVERE: SafeDispatcherServlet: The Spring DispatcherServlet we wrap threw on init. But for our having caught this error, the servlet would not have initialized.
org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 135 in XML document from ServletContext resource [/WEB-INF/cas-servlet.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'bean'. One of '{"http://www.springframework.org/schema/beans":meta, "http://www.springframework.org/schema/beans":constructor-arg, "http://www.springframework.org/schema/beans":property, "http://www.springframework.org/schema/beans":lookup-method, "http://www.springframework.org/schema/beans":replaced-method, WC[##other:"http://www.springframework.org/schema/beans"]}' is expected.
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:404)
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:342)
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:310)
	at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
	at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:178)
	at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:149)
	at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:124)
	at org.springframework.web.context.support.XmlWebApplicationContext.loadBeanDefinitions(XmlWebApplicationContext.java:92)
	at org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:123)
	at org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:422)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
	at org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:402)
	at org.springframework.web.servlet.FrameworkServlet.initWebApplicationContext(FrameworkServlet.java:316)
	at org.springframework.web.servlet.FrameworkServlet.initServletBean(FrameworkServlet.java:282)
	at org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:126)
	at javax.servlet.GenericServlet.init(GenericServlet.java:212)
	at org.jasig.cas.web.init.SafeDispatcherServlet.init(SafeDispatcherServlet.java:64)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1161)
	at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:981)
	at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4045)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4351)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
	at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:825)
	at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:714)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1138)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
	at org.apache.catalina.core.StandardService.start(StandardService.java:516)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'bean'. One of '{"http://www.springframework.org/schema/beans":meta, "http://www.springframework.org/schema/beans":constructor-arg, "http://www.springframework.org/schema/beans":property, "http://www.springframework.org/schema/beans":lookup-method, "http://www.springframework.org/schema/beans":replaced-method, WC[##other:"http://www.springframework.org/schema/beans"]}' is expected.
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(Unknown Source)
	at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.error(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator$XSIErrorReporter.reportError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.reportSchemaError(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.handleStartElement(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator.emptyElement(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(Unknown Source)
	at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
	at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
	at org.springframework.beans.factory.xml.DefaultDocumentLoader.loadDocument(DefaultDocumentLoader.java:75)
	at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
	... 42 more
David-746
In reply to this post by Marvin Addison
Update:

I solved the problem. I had to add another </bean> at the end of the added x509Check. Now it just prompts for the ActivClient password, and if I click cancel enough times it'll finally redirect me to the CAS login page.

Can it be the deployerConfigContext.xml? Or can it be something else? I believe I'm having trouble with the whole "<property name="identifier" value="$CN" />" and which class to use... it is explained in http://www.ja-sig.org/wiki/display/CASUM/X.509+Certificates but I'm still a bit confused.

There's the keystore ./keystore in my home directory (c:\documents and settings\username\) and a trust store in both jdk1.6.0_10\jre\lib\security\cacerts AND jre6\lib\security\cacerts. I can use keyman to open up the keystores and truststores to see what is inside them, and I sort of get the picture of what is in them. The Certificate Authority is in the trust store, and self-signed certificates are in my ./keystore.

Now, aside from all that, there are the CAC card certificates which I have to deal with. Can anyone help dumb it down a little so I can try to see this a different way? Maybe analogies might help? Thank you again in advance.

-David
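The questions above (how CAS should fall back to the login form when no card is inserted, what the trust store does versus the .keystore, and what the $CN identifier resolves to) come down to four checks that a non-interactive X.509 handler performs on the certificate the browser pulled off the card. The class below is an added illustration of those checks written against the plain JDK APIs; it is not code from CAS, ActivClient or anyone on this list. Its name (ClientCertCheck), constructor parameters and main() are assumptions, and its reading of the page's handler properties (trustedIssuerDnPattern as a regex over the issuer DN, maxPathLength as the PKIX path limit, requireKeyUsage as "digitalSignature must be asserted") is mine, not a statement of how CAS implements them.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Added illustration (not CAS code): the checks behind a non-interactive X.509 login. */
public final class ClientCertCheck {

    private final KeyStore trustStore;             // CA certificates, e.g. jre/lib/security/cacerts
    private final Pattern trustedIssuerDn;         // regex over the issuer DN (assumed reading of trustedIssuerDnPattern)
    private final int maxPathLength;               // PKIX path limit (assumed reading of maxPathLength)
    private final boolean requireDigitalSignature; // assumed reading of requireKeyUsage

    public ClientCertCheck(KeyStore trustStore, String issuerRegex, int maxPathLength,
                           boolean requireDigitalSignature) {
        this.trustStore = trustStore;
        this.trustedIssuerDn = Pattern.compile(issuerRegex);
        this.maxPathLength = maxPathLength;
        this.requireDigitalSignature = requireDigitalSignature;
    }

    /**
     * Returns the principal id (the subject CN, i.e. what "$CN" stands for) when the
     * chain is acceptable, or null when the caller should fall through to the normal
     * login form. Tomcat with clientAuth="want" leaves the request attribute
     * "javax.servlet.request.X509Certificate" unset when the client presented no
     * certificate (no card in the reader), which is exactly the null case here.
     */
    public String authenticate(X509Certificate[] chain) throws Exception {
        if (chain == null || chain.length == 0) {
            return null;                           // no certificate: "error" transition -> viewLoginForm
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity();                      // throws if expired or not yet valid

        // 1. Issuer DN must match the configured pattern. The match is against the
        //    full RFC 2253 DN, so a value like "CN=DOD JITC EMAIL CA-11" needs a
        //    trailing ".*" to match an issuer that carries further RDNs (OU=, O=, C=).
        String issuer = leaf.getIssuerX500Principal().getName(X500Principal.RFC2253);
        if (!trustedIssuerDn.matcher(issuer).matches()) {
            return null;
        }

        // 2. Key usage: a certificate used for TLS client authentication should
        //    assert digitalSignature (KeyUsage bit 0).
        boolean[] keyUsage = leaf.getKeyUsage();
        if (requireDigitalSignature && (keyUsage == null || !keyUsage[0])) {
            return null;
        }

        // 3. PKIX path validation: the chain must end at a CA in the trust store.
        //    The server's own .keystore (password "changeit" in the config above) plays
        //    no part here; it only holds the certificate Tomcat presents to browsers.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> certs = new ArrayList<Certificate>();
        for (X509Certificate c : chain) {
            certs.add(c);
        }
        CertPath path = cf.generateCertPath(certs);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setMaxPathLength(maxPathLength);
        params.setRevocationEnabled(false);        // CRL/OCSP checking is a separate setting; turn it on for real deployments
        CertPathValidator.getInstance("PKIX").validate(path, params); // throws CertPathValidatorException on failure

        // 4. Principal resolution: use the subject CN as the CAS principal id.
        return commonName(leaf.getSubjectX500Principal());
    }

    static String commonName(X500Principal subject) throws Exception {
        for (Rdn rdn : new LdapName(subject.getName(X500Principal.RFC2253)).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** Usage: java ClientCertCheck <truststore> <truststore-password> <chain.pem> '<issuer regex>' */
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        try (InputStream in = new FileInputStream(args[2])) {   // PEM file: leaf first, then intermediates
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        ClientCertCheck check = new ClientCertCheck(ts, args[3], 3, true);
        String principal = check.authenticate(chain.toArray(new X509Certificate[0]));
        System.out.println(principal == null ? "rejected: fall back to login form" : "principal: " + principal);
    }
}
```

In a servlet the chain argument comes from request.getAttribute("javax.servlet.request.X509Certificate"), which is the standard attribute Tomcat populates after a client-authenticated TLS handshake. With clientAuth="want" that attribute is simply absent when no card was inserted, so the null branch is the one to wire to the "error" transition that leads to viewLoginForm; switching the connector to clientAuth="true" would instead fail the handshake outright, and the user would never reach the login page. The card's own PIN prompt is a separate matter: it is the browser's PKCS#11 module asking for permission to use the private key, and nothing in the CAS configuration can suppress it.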
Shi Yusen
First, you should know the CAC is a keystore, so it has a keystore password.

Second, you should enter the CAC password when your browser prompts for password input. When setting up SSL, your browser will try to read the keystores on your client until it finds a matching one or fails.

More details of your knowledge background and the target scenarios will help the others to know where you are. For example:
Does your OS also use this card to log in?
Does your web system trust the public key obtained from SSL?

Regards,

Shi Yusen/Beijing Langhua Ltd.

On Tue, 2009-07-14 at 16:46 -0700, David Allender wrote:
> Update:
>
> I solved the problem. I had to add another </bean> at the end of the added x509check. Now it just prompts for the activeclient password and if i click cancel enough times, it'll finally redirect me to the cas login page.
David-746
The OS doesn't use the card to log in, nor does the web system trust any public key for SSL.
David-746
In reply to this post by Shi Yusen
I have it set up now so it checks to see if there is a card inserted in the reader. The thing is, instead of being transferred directly to the page I had CASified, it prompts "Please enter the master password for the ActivIdentity ActivClient 0." Unfortunately, there is no "master password". I had just gotten off the phone with ActivClient, and technical support says that it has nothing to do with the card and that it is Firefox's issue. Is anyone getting this error too?

-David