Common Access Card (CAC) Authentication

(Included in Advanced Security Module) Common Access Card (CAC) Authentication is available in EFT Enterprise for LDAP Sites with SSL (HTTPS or FTPS) enabled.

CAC and Certificates

When CAC is enabled on an EFT Enterprise LDAP Site, clients are required to provide a certificate when connecting. Once the user’s certificate is validated, EFT uses the Principal Name (UPN) or RFC822 Name taken from the Subject Alternative Name (SAN) field of the Signature Certificate to search for the user in LDAP and allow or deny access based on the information found. The certificate provisioned via the web browser must have an Electronic Data Interchange Personal Identifier (EDI/PI). If the EDI/PI is not found or otherwise cannot be validated, the connection is denied. If the EDI/PI is found, EFT maps the corresponding fields in LDAP using the appropriate LDAP query string. If the user is found in LDAP, if a certificate is assigned to that user, and if the certificate exactly matches the one provided by the client, the user is allowed access.

The certificate lookup process looks like this:

  1. EFT looks for UPN or RFC822 Name entry in SAN field of certificate (i.e., the OID)

  2. EFT performs an LDAP lookup using the LDAP Auth Manager specifications, searching against the user login attribute for the value found in the entry of SAN.

  3. This lookup returns 0 or more "userCertificate" properties of the matched object, if found.

  4. For each returned userCertificate, EFT does a cryptographically strong comparison of the LDAP-provided certificate and the one supplied by the CAC.


When CAC is enabled on a Site:

Refer to Defining Connections (Sites) for details of creating an LDAP-authenticated Site that uses CAC.

Related Topics