DoD PKI CAC authentication in Tomcat (embedded in JBoss)
I need to support DoD-issued CAC-based authentication in my web application deployed in JBoss. Could someone give me pointers on where to start, the steps involved, etc.?

Also, which JCE provider should I go with (OpenSSO, BouncyCastle, etc.)? I tried to google for a list of (active/current) providers but couldn't really find it. Is there a list of JCE providers that are most popular (by virtue of their underlying security algorithms)? Thanks.

Phira answered 10/7, 2010 at 14:41 Comment(1)
For anyone else who comes looking here, I have been looking into a similar situation, and from my research, it seems that this answer is very helpful in understanding CAC authentication. Peekaboo
I haven't worked with CAC cards, but PKI integration is typically handled by PKCS#11 middleware installed on the client CPU. On the server, you may need to intercept the request at the Apache module level to enable PKI/SSO; here's a slideshow with more info on how they did it for forge.mil: http://www.slideshare.net/rbulling/enabling-web-apps-for-dod-security-via-pkicac-enablement-forgemil-case-study

If you need to do other web-based interactions with the card (non-PKCS#11 functions, like talking to one of the other apps installed on the card from your web app, or installing an applet on the card), you'll need some kind of browser plug-in to send raw APDUs or higher-level commands via PCSC. My company makes a plug-in for this purpose; it's available at https://cardboss.cometway.com.

Finally, I like BouncyCastle... I doubt you will find any lists of JCE providers sorted by popularity.

Polynomial answered 29/9, 2010 at 23:5 Comment(0)
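The answer above describes the shape of the server side (the container terminates TLS and asks the card for a certificate; the application then consumes the result). The filter below is an added example showing what that consumption looks like in a Tomcat/JBoss web application; it is not code from the question, the answer, or any project named on the page. It assumes the connector has been configured with clientAuth="true" and a truststore holding the DoD root and intermediate CA certificates, and the init-parameter names (truststoreFile, truststorePassword), the request attribute cac.subjectDN and the truststore path are all hypothetical. The attribute javax.servlet.request.X509Certificate is the standard Servlet-spec name under which the container exposes the client's chain.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Enforces CAC (client-certificate) authentication for a web application.
 * The TLS handshake, including the request for the client certificate, is done
 * by the Tomcat connector; this filter rejects requests that arrived without a
 * certificate and re-validates the presented chain against the DoD trust anchors
 * with revocation checking, which the connector alone does not do.
 * Assumed (not from the original post): init-param names and the cac.subjectDN attribute.
 */
public class CacAuthFilter implements Filter {

    // Servlet-spec attribute under which the container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Extended Key Usage OID id-kp-clientAuth (RFC 5280).
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    private PKIXParameters pkixParams;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-params; the truststore holds only CA certificates, no private keys.
        String storePath = config.getInitParameter("truststoreFile");
        char[] storePass = config.getInitParameter("truststorePassword").toCharArray();
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
            trust.load(in, storePass);
            pkixParams = new PKIXParameters(trust);
            // Revocation is checked; set the ocsp.enable security property to "true" for OCSP,
            // otherwise a CRL CertStore must be added to the parameters or validation fails closed.
            pkixParams.setRevocationEnabled(true);
        } catch (Exception e) {
            throw new ServletException("cannot load CAC truststore", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // Either no card was presented or the connector lacks clientAuth="true".
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            validate(certs);
        } catch (CertPathValidatorException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not trusted");
            return;
        } catch (Exception e) {
            throw new ServletException("certificate validation error", e);
        }
        // Hand the authenticated subject DN to the application (attribute name is an assumption).
        request.setAttribute("cac.subjectDN", certs[0].getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    /** EKU check on the leaf plus PKIX path validation against the configured anchors. */
    void validate(X509Certificate[] certs) throws Exception {
        X509Certificate leaf = certs[0];
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku == null || !eku.contains(EKU_CLIENT_AUTH)) {
            throw new CertPathValidatorException("leaf certificate lacks clientAuth EKU");
        }
        // The PKIX validator expects the path to end below the anchor, so drop a self-signed root.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(certs));
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, pkixParams);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to the protected URL patterns in web.xml. Everything here uses the JDK's built-in PKIX provider; a third-party JCE provider such as BouncyCastle is not needed for chain validation and only becomes relevant if the application itself has to parse card data or use algorithms the platform provider lacks.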
