Advanced Topics - Service Integration - CAC Integration

Overview

When enabled for external authentication, MOVEit DMZ can integrate into a Common Access Card (CAC) environment to allow users to access MOVEit DMZ without having to provide a username and password. The hardware certificate provided by the user's CAC Smart Card can be used to both identify and authenticate the user. This page details how to configure MOVEit DMZ to function properly in a CAC environment.

CAC Environments

CAC environments, particularly those used by the U.S. Department of Defense (DOD), typically use Smart Cards containing hardware-based SSL client certificates as identification and authentication mechanisms. User information is stored in a directory, typically Microsoft Active Directory. When a user inserts their Smart Card into a reader at a workstation and enters the proper PIN code, the hardware certificate is used to identify which user is logging on and authenticate them.

MOVEit DMZ can use the same hardware client certificate to determine the identity of the user who is trying to access the site, and match the certificate against the copy contained in the user's Active Directory account to verify the user's identity.

Configuring MOVEit DMZ for CAC Support

Integrating MOVEit DMZ with a CAC environment involves several steps. First, the CAC CA certificate must be trusted as a valid signing certificate both on the MOVEit DMZ server and in MOVEit DMZ itself. Next, a DMZ external authentication source must be configured for the directory, so that user information and authentication are controlled by that directory. Then the Allow Username from Client Certificate option must be enabled on the org-level HTTP policy settings page; this allows MOVEit DMZ to identify an incoming user based solely on their provided client certificate. Finally, the external authentication source must be configured to read a value from the provided client certificate and match it against a value in the user directory, which is how DMZ locates the user's information in the directory.

Ensure CA Certificate is Trusted

The CA certificate that user client certificates are signed with must be trusted by the Windows server that MOVEit DMZ is running on, by "chaining up" to a certificate in the Microsoft Trusted Root Certificate Store. Users will not be allowed to access the MOVEit DMZ application unless the CA certificate that signed their client certificate is trusted.

The CA certificate must also be marked as a trusted CA in the MOVEit DMZ application itself. If the CA certificate is not trusted by MOVEit DMZ, users will not be allowed to sign on with their client certificates. See the System Configuration - SSL and SSH - SSL - Client Certs - Trusted CAs documentation page for more information about trusting a CA certificate in MOVEit DMZ.

Configuring External Authentication Source

Initial configuration of the external authentication source will be similar to setting up any other LDAP source. CAC integration requires an LDAP Lookup+Authentication source because many different user properties are queried from the LDAP server. See the Security Policies - External Authentication - LDAP Lookup doc page for more information about configuring such a source.

In addition to the normal parameters, CAC integration requires the proper configuration of the Client Cert Field value. This is the name of the field in the LDAP directory which contains the client certificate data for the user. For Active Directory servers, this value is called "userCertificate". Without this value, MOVEit DMZ will be unable to match the user's client certificate against their certificate in the directory, and will thus be unable to authenticate the user.

Configuring Username from Client Certificate Option

The Allow Username from Client Certificate option can be found on the Settings - Security Policies - Interface - HTTP page in the MOVEit DMZ web interface. This option allows DMZ to identify the user from their client certificate. See the Security Policies - Interface doc page for more information about this setting.

Normally, DMZ will be able to determine the user's identity by looking in its locally cached certificate store. If this is unsuccessful, such as if the user is new to the system, or their client certificate has recently been changed, DMZ will go out to the directory server configured in the external authentication source to look for a matching user record. This is where the following settings take effect.

Configuring User Matching via Client Certificate

When MOVEit DMZ needs to determine the user's identity from the directory server, the Client Certificate Value and Matching LDAP Field settings allow it to more easily search for the user's directory entry based on information in the provided client certificate. These options become available in the external authentication source once the org-level Allow Username from Client Certificate option is enabled. See the Security Policies - External Authentication - LDAP Lookup doc page for more information about these settings.

For CAC environments, typically the Principal Name value in the certificate's Subject Alternative Name (SAN) extension is used as the identifier when matching the certificate to a user entry in the directory server. For Active Directory servers, this value is matched to the "userPrincipalName" field.

User Interaction

Once CAC integration is configured, users will be able to access MOVEit DMZ without providing a username or password, as long as their hardware client certificate is available. First-time access to the DMZ site will still result in the signon page being displayed. However, with the Allow Username from Client Certificate option enabled, a link will be provided prompting the user to click if they have a client certificate and would like to automatically sign on. If this process is successful, a long-term cookie will be set on the user's browser which will instruct DMZ to automatically forward the user to the client certificate identification process in the future. From that point on, they should not need to see the signon page again, unless their cookie gets removed or they access the site from a different computer.

NOTE: MOVEit DMZ can be configured to require passwords with client certificates when authenticating users. If this option is enabled at the organization level, or on a user-by-user basis, users may not be able to access the DMZ site without providing a username and password. Users who require passwords with client certificates will be returned to the signon page if they attempt an automatic signon with a message indicating that further credentials are required.

CAC Authentication Process

MOVEit DMZ CAC authentication assumes that either:

  1. The necessary user records are automatically replicated between LDAP servers on "DoD Network #1" and "DoD Network #2". (MOVEit products play no part in this replication.)
  2. "DoD Network #1" and "DoD Network #2" are really the same network.

How browser-based CAC authentication works with MOVEit DMZ:

  1. DoD user presents their CAC on a computer with a CAC reader and enters a PIN or other credentials.
  2. If CAC authentication succeeds, the computer looks up necessary account information from its domain controller (e.g., Microsoft Active Directory server) and allows the DoD user to access the computer system.
  3. When the DoD user opens a web browser session from this computer, the DoD CA-signed SSL client certificate stored on the CAC will be used to authenticate to any web servers that require client certificate authentication. This certificate (and its private key) will also be used to encrypt SSL communications in these cases.
  4. When the DoD user opens a web browser session from this computer to a MOVEit DMZ system, the related SSL connection will terminate in Microsoft IIS server. Microsoft IIS will only permit this SSL connection if the public part of the DoD CA certificate that signed the CAC client cert is installed in the "Trusted CA" section of the Microsoft Certificate Store on the MOVEit DMZ server.
  5. If IIS permits the SSL connection, the MOVEit DMZ software will display a sign on page, offer a link for CAC authentication or automatically authenticate the DoD user.
  6. If CAC authentication is chosen or used (i.e., no separate username is provided on the MOVEit DMZ sign on page), MOVEit DMZ will look up a valid user on its back end LDAP server using attributes of the CAC client certificate. If a matching user record is found and the public SSL client certificate stored in the LDAP record matches the CAC client certificate, the DoD user will be allowed on to the MOVEit DMZ system.
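The following is an added example, not MOVEit DMZ code, that walks through steps 4 to 6 above and the settings from the configuration sections (Client Certificate Value = the SAN Principal Name, Matching LDAP Field = userPrincipalName, Client Cert Field = userCertificate) in working Python. It uses the `cryptography` package and builds everything itself: a CA standing in for the DoD CA, card certificates carrying the Principal Name in the Subject Alternative Name under Microsoft's UPN OID 1.3.6.1.4.1.311.20.2.3, and a dictionary standing in for Active Directory. All names, UPNs, certificates and the function names (`make_ca`, `make_card_cert`, `upn_from_cert`, `authenticate_by_cac`, `run_demo`) are constructed for the demonstration and are not MOVEit identifiers. It goes slightly beyond the text by also covering a reissued card whose new certificate is not yet in the directory and a user subject to the require-password policy, both of which end at the signon page.

```python
# Added example (not MOVEit code): CAC certificate-to-user matching as described on
# this page, with the CA, card certificates and directory built in-process.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

# Microsoft's Principal Name OID, carried as a SAN otherName on CAC certificates.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def _issue(subject, issuer, public_key, sign_key, extension, critical):
    now = datetime.now(timezone.utc)  # one-day validity is plenty for a demo
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1))
            .not_valid_after(now + timedelta(days=1))
            .add_extension(extension, critical=critical)
            .sign(sign_key, hashes.SHA256()))


def make_ca(name):
    """Self-signed CA standing in for the DoD CA that signs card certificates."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    bc = x509.BasicConstraints(ca=True, path_length=None)
    return key, _issue(subj, subj, key.public_key(), key, bc, True)


def make_card_cert(ca_key, ca_cert, cn, upn):
    """Leaf certificate carrying the Principal Name in its SAN, as on a CAC."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    raw = upn.encode("utf-8")  # otherName value is a DER UTF8String (tag 0x0C)
    san = x509.SubjectAlternativeName(
        [x509.OtherName(UPN_OID, b"\x0c" + bytes([len(raw)]) + raw)])
    return _issue(subj, ca_cert.subject, key.public_key(), ca_key, san, False)


def upn_from_cert(cert):
    """Client Certificate Value: the SAN Principal Name, or None if absent."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            return other.value[2:2 + other.value[1]].decode("utf-8")
    return None


def authenticate_by_cac(cert, trusted_cas, directory):
    """Return (upn, reason); upn is None whenever the user must see the signon page."""
    # IIS step: the card certificate must chain to a CA trusted on the server.
    issuer = next((ca for ca in trusted_cas if ca.subject == cert.issuer), None)
    if issuer is None:
        return None, "issuing CA not trusted"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return None, "certificate signature invalid"
    # Allow Username from Client Certificate: identify the user from the SAN value.
    upn = upn_from_cert(cert)
    if upn is None:
        return None, "no Principal Name in SAN"
    # Matching LDAP Field: find the entry whose userPrincipalName equals the UPN.
    entry = directory.get(upn)
    if entry is None:
        return None, "no directory entry for " + upn
    # Client Cert Field: the presented DER must equal the stored userCertificate.
    if cert.public_bytes(Encoding.DER) != entry["userCertificate"]:
        return None, "presented certificate does not match userCertificate"
    # The require-password policy still returns the user to the signon page.
    if entry.get("requirePassword"):
        return None, "further credentials required"
    return upn, "ok"


def run_demo():
    """Constructed scenario; every name, UPN and certificate here is made up."""
    ca_key, ca_cert = make_ca("Constructed DoD-style CA")
    rogue_key, rogue_ca = make_ca("Constructed untrusted CA")
    jane = make_card_cert(ca_key, ca_cert, "DOE.JANE.1234567890", "1234567890@mil")
    jane_new = make_card_cert(ca_key, ca_cert, "DOE.JANE.1234567890", "1234567890@mil")
    bob = make_card_cert(ca_key, ca_cert, "ROE.BOB.0987654321", "0987654321@mil")
    forged = make_card_cert(rogue_key, rogue_ca, "DOE.JANE.1234567890", "1234567890@mil")
    directory = {  # stands in for Active Directory; userCertificate holds DER bytes
        "1234567890@mil": {"userCertificate": jane.public_bytes(Encoding.DER)},
        "0987654321@mil": {"userCertificate": bob.public_bytes(Encoding.DER), "requirePassword": True},
    }
    trusted = [ca_cert]
    return {
        "jane": authenticate_by_cac(jane, trusted, directory),
        "reissued_card": authenticate_by_cac(jane_new, trusted, directory),
        "bob": authenticate_by_cac(bob, trusted, directory),
        "forged": authenticate_by_cac(forged, trusted, directory),
    }
```

Running `run_demo()` yields one successful signon (jane) and three cases that fall back to the signon page: a card from an untrusted CA is rejected before any directory lookup, a reissued card fails the byte-for-byte comparison against userCertificate until the directory entry is updated (which, as the page notes, is the directory's replication job and not MOVEit's), and a user with the require-password policy is asked for further credentials even though the certificate matched.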

Figure: CACLDAPOverview.png (overview diagram of the CAC and LDAP authentication flow)