Apache authentication via DOD PKI CAC

Mr Gaylen Wong · May 7, 2009 · Viewed 8.5k times

How does one implement Apache (within Linux) authentication using Department of Defense CAC cards? I've heard it can be done but have not come across any details. Currently we use Windows Active Directory for Apache authentication, but only using logins/passwords. Soon the requirement will be to use CAC cards only. Any hints would be appreciated.

Answer

Cuga · May 7, 2009

Configure Apache Tomcat for 2-way SSL (version 6.0.18)

  1. Open server.xml in a text editor; located in your tomcat directory at <TOMCAT_HOME>\conf\server.xml
  2. Look for this text block and uncomment it:
<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               maxSpareThreads="75"
               enableLookups="false"
               disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

  3. Modify this text block as follows:

  <!-- clientAuth="true" makes Tomcat demand a client certificate on every
       handshake; the trust store must hold the CA certificates that issued
       those client certificates. The attribute is truststorePass (lowercase
       "s"); Tomcat ignores unknown names and falls back to keystorePass. -->
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="true" sslProtocol="TLS"
                 keystoreFile="<CERTIFICATES_DIR>\localhost.jks"
                 keystorePass="password"
                 truststoreFile="<CERTIFICATES_DIR>\localhost.jks"
                 truststorePass="password"/>
  4. Start Tomcat and navigate to https://localhost:8443/ using your preferred browser.
  5. The browser will prompt you for your client certificate (Note: if you are not prompted for your certificate, you can try importing it in IE using Tools > Internet Options > Certificates > Import). Choose the correct client certificate.
  6. If you see a website, Tomcat is installed and is running correctly. If you see page not found or some other error, Tomcat was installed or configured incorrectly.
  7. Set up Tomcat for client-side SSL support. You must also provide Tomcat with the runtime locations of the trust store and password. You can enable this either via the command line or, if you run Tomcat within your IDE: -Djavax.net.ssl.trustStore=C:{somedir}\localhost.jks -Djavax.net.ssl.trustStorePassword=password

Install the Public/Private key certificates to your browser

  1. Your browser must be set up both to recognize your certificates as coming from a trusted Certificate Authority and to know how to identify you using a private key.

Firefox Instructions:

  1. In Firefox's menu, navigate to Tools > Options
  2. Click on the Advanced > Encryption tab > View Certificates button
  3. Click the Authorities tab
  4. Click the Import button
  5. Locate and select the CA certificates you want your browser to recognize as legitimate CAs, then click Open
  6. Click all the purposes for which you want to trust content signed with this certificate. The options are websites, email, and software developers.
  7. Click Ok

Firefox will now trust content signed with the certs you just installed.

IE Instructions:

  1. Navigate to Tools > Internet Options
  2. Choose the Content tab
  3. Click the button labeled Certificates
  4. Click the tab labeled Trusted Root Certification Authorities
  5. Click Import
  6. A wizard launches. Click Next, then select the certificate file you wish to trust as a CA
  7. Select a certificate store. Click finish
  8. You will see a popup to confirm the install. Click Yes

Internet Explorer will now trust content signed with certs issued by the CA you have just installed.

With PKI encryption, your browser needs to know how to identify you to the server using a private key. To do this, you must install your certificates manually. The suffix of the certs imported in this example is .p12.

Firefox Instructions:

  1. In Firefox's menu, navigate to Tools > Options
  2. Click on the Advanced > Encryption tab > View Certificates button
  3. Click the tab labeled "Your Certificates"
  4. Click Import
  5. Navigate to and select the certificate you wish to choose to identify yourself. Click Open
  6. Enter the password which is used in conjunction with this certificate and click Ok

Your certificate is now installed and can be used to identify you to servers using PKI encryption. The above steps may be repeated to install additional certificates if you wish to identify yourself using different identities at different times.

IE Instructions:

  1. Navigate to Tools > Internet Options
  2. Choose the Content tab
  3. Click the button labeled Certificates
  4. Select the Personal tab
  5. Click Import
  6. A wizard launches. Click Next, then select the PKI file you wish to use in identifying yourself. Click Next
  7. Type the password for the cert and any options desired
  8. Choose where to store the cert and then click Next > Finish

Your personal certificate is now installed and you can use it to identify yourself to websites using PKI encryption.
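The question asks about Apache httpd on Linux, while the answer above covers Tomcat. As an added example, not part of the question or of Cuga's answer, the following is the equivalent mod_ssl configuration for httpd 2.2: the server demands a client certificate on every connection, accepts only certificates that chain to the CA bundle, rejects revoked cards via CRLs, and hands the certificate subject to the application as REMOTE_USER. The hostname, all file paths, the contents of the CA bundle and CRL directory, and the O/OU values checked by SSLRequire are assumptions for illustration; verify them against the certificates actually issued to your users.

```apache
# Added example, not from the original page: httpd 2.2 virtual host that
# authenticates users by client certificate instead of a login/password.
# Assumed paths (adjust to your system):
#   /etc/pki/tls/certs/dod-ca-bundle.pem  PEM concatenation of the DoD root and
#                                          intermediate CA certificates
#   /etc/pki/tls/crl/                      DoD CRLs, PEM, hashed (c_rehash) so
#                                          mod_ssl can find them by issuer
Listen 443
<VirtualHost *:443>
    ServerName www.example.mil

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!MD5

    # The server's own certificate and private key.
    SSLCertificateFile    /etc/pki/tls/certs/www.example.mil.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.mil.key

    # CAs whose client certificates are accepted. The browser is only asked
    # for certificates issued by one of these, so a card holder sees their
    # CAC certificates in the prompt and nothing else.
    SSLCACertificateFile /etc/pki/tls/certs/dod-ca-bundle.pem

    # Lost or stolen cards are revoked; check the CRLs on every handshake.
    SSLCARevocationPath /etc/pki/tls/crl/

    # Fail the TLS handshake if no valid client certificate is presented.
    # Depth 3 allows root -> intermediate -> end-entity with one spare level.
    SSLVerifyClient require
    SSLVerifyDepth  3

    # Export SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_CN, SSL_CLIENT_CERT, etc. to
    # CGI/PHP/mod_proxy back ends so the application can map the card to an
    # account (the CN of a CAC certificate carries the holder's name and
    # a numeric ID; treat that format as an assumption and check a real cert).
    SSLOptions +StdEnvVars +ExportCertData

    # Populate REMOTE_USER from the certificate subject CN so application
    # code written for Basic/AD authentication keeps working unchanged.
    SSLUserName SSL_CLIENT_S_DN_CN

    <Location />
        # Belt and braces: besides chaining to a trusted CA, the subject
        # must carry the issuer's organization and unit. Assumed values;
        # confirm them with: openssl x509 -in user.cer -noout -subject
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "U.S. Government" and \
                   %{SSL_CLIENT_S_DN_OU} eq "DoD"
    </Location>
</VirtualHost>
```

Run `apachectl configtest` after editing, and confirm that a browser without a CAC inserted is refused at the handshake rather than being shown an unauthenticated page; if the prompt never appears, the usual cause is that the issuing CA is missing from SSLCACertificateFile, not the browser.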