- 27 Aug 2023
- 2 Minutes to read
Setting Up CAC (Common Access Card)
- Updated on 27 Aug 2023
- 2 Minutes to read
When a CAC, Common Access Card, is used, you can set the portal to allow access without the client CAC user entering a user name and password.
To configure the portal servers for CAC authentication:
- Log in to the CTERA Portal primary database server as root, using SSH.
- Copy the root certificate file associated with the CAC certificate and any intermediate certificates in the chain to the /root/ path of the primary database server.
- Create the truststore.
In the primary database server and enter the following commands:
. $bindir/portal-common.sh ; export _JAVA_OPTIONS
Move to the
/usr/local/ctera/apache-tomcat/webapps/directory and run the following keytool commands for the CAC certificate file and any intermediate certificates in the chain. For example, for a CAC certificate file named RootCA1.cer and an intermediate certificate named IntermediateCA1.cer, run the following two commands, changing the jdk1.8.0_201 value to the JDK on the server (use the command
ls -d /usr/local/ctera/jdk*/binto find the current JDK bin directory):
/usr/local/ctera/jdk1.8.0_201/bin/keytool -import -keystore truststore -file /root/RootCA1.cer -alias rootca1 -trustcacerts -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg) /usr/local/ctera/jdk1.8.0_201/bin/keytool -import -keystore truststore -file /root/IntermediateCA1.cer -alias intermediateca1 -trustcacerts -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)Note
The alias name of each certificate in the keytool command must be unique.
You can display the certificates in the truststore with the following command:
keytool -list -v -keystore truststore -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
Convert the truststore format to BCFKS format by running the following command, changing the jdk value to the JDK on the server:
keytool -importkeystore -srckeystore /usr/local/ctera/apache-tomcat/webapps/truststore -srcstoretype JKS -destkeystore /usr/local/ctera/apache-tomcat/webapps/truststore.bcfks -deststoretype BCFKS -srcprovidername "SUN" -providerclass com.safelogic.cryptocomply.jcajce.provider.CryptoComplyFipsProvider -providerpath /usr/local/ctera/jdk1.8.0_201/jre/lib/ext/SafeLogic_CTERA.jar -srcstorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg) -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
You can display the entries in the new BCFKS keystore with the following command:
keytool -list -v -keystore truststore.bcfks -storetype BCFKS -deststorepass $(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
The password is the SERVER_KEY, which is extracted automatically from
/etc/ctera/portal.cfgand used in the following part of the above command
$(grep -o -P "(?<=SERVER_KEY=).*" /etc/ctera/portal.cfg)
Copy the truststore.bcfks file to the same path of the Replication DB server and all the portal servers, such as the application and preview servers. For example, using SCP, run the following command:
scp truststore.bcfks root@portal_ip_address:/usr/local/ctera/apache-tomcat/webapps
- Enable FIPS by running the following in the command line:
set /settings/javaSecurityProviderMode FIPS
- Restart the portal servers.
To configure CAC single sign-on in the portal user interface:
- In the global administration view, select Settings in the navigation pane.
The Control Panel page is displayed.
- Select SSO under USERS in the Control Panel page.
The Single Sign On window is displayed.
- Select Smart Card / Client certificates from the drop-down box.
The Single Sign On window is redisplayed for CAC authentication.
- If an OCSP server is being used for certificate revocation, make sure OCSP Revocation Checking is checked.
When checked, the answer from the OCSP server is used when attempting to log on.
- Click SAVE.
The portal servers are restarted.
Users log on to their systems using CAC.