(Included in Advanced Security Module) Common Access Card (CAC) Authentication is available in EFT Enterprise for LDAP Sites with SSL (HTTPS or FTPS) enabled.
CAC and Certificates
When CAC is enabled on an EFT Enterprise LDAP Site, clients are required to provide a certificate when connecting. Once the user’s certificate is validated, EFT uses the Principal Name (UPN) or RFC822 Name taken from the Subject Alternative Name (SAN) field of the Signature Certificate to search for the user in LDAP and allow or deny access based on the information found. The certificate provisioned via the web browser must have an Electronic Data Interchange Personal Identifier (EDI/PI). If the EDI/PI is not found or otherwise cannot be validated, the connection is denied. If the EDI/PI is found, EFT maps the corresponding fields in LDAP using the appropriate LDAP query string. If the user is found in LDAP, if a certificate is assigned to that user, and if the certificate exactly matches the one provided by the client, the user is allowed access.
The certificate lookup process looks like this:
EFT looks for UPN or RFC822 Name entry in SAN field of certificate (i.e., the OID)
EFT performs an LDAP lookup using the LDAP Auth Manager specifications, searching against the user login attribute for the value found in the entry of SAN.
This lookup returns 0 or more "userCertificate" properties of the matched object, if found.
For each returned userCertificate, EFT does a cryptographically strong comparison of the LDAP-provided certificate and the one supplied by the CAC.
CAC and WTC
When CAC is enabled on a Site:
The WTC uses the JSE instead of the Apache client. The JSE HTTP client provides NTLM v2 proxy authentication support.
Any attempt to access any of the account management pages causes a "page not found" error.
When HTTP and HTTPS are both enabled, the Redirect HTTP to HTTPS check box is selected and disabled, forcing redirection of HTTP traffic to HTTPS.
When FTPS is enabled, the username and password provided are ignored; the authentication is provided by the certificate.
The method EnableCAC() can be used to enable CAC via the COM API.
The following major events are logged:
Could not find proper SAN field in certificate
The value received from the SAN field
If user had no certificates in LDAP
If certificates were present but no certificate matched
More than one user was retrieved when LDAP was queried (authentication is only attempted against the first one)
Refer to Defining Connections (Sites) for details of creating an LDAP-authenticated Site that uses CAC.