Oracle® Access Manager Integration Guide 10g (10.1.4.2) Part Number E10356-01
Smart cards enable you to support two types of credentials, as follows:
Something the user knows: This is the user's secret personal identification number (PIN), similar in concept to a personal bank code PIN.
Something the user has: This is a cryptographically-based identification and proof-of-possession token.
This can be a token that is generated by a smart card device that you insert into a card reader that is attached to a computer.
You can configure a certificate-based authentication scheme in the Access System that processes an X.509 certificate presented from a smart card. This scheme can be used when a user accesses a resource and the Web server challenges the browser for an X.509 certificate.
This chapter discusses how to implement certificate-based authentication for smart card systems. If you are already familiar with certificate-based authentication in Oracle Access Manager, smart card integration is an instance of this type of authentication scheme.
This chapter discusses the following topics:
Note:
This chapter provides an example of configuring smart card integration using a Windows-based system. However, smart card integration can be done on any system that supports certificate-based authentication. See the chapter on configuring authentication in the Oracle Access Manager Access System Administration Guide for details.
Various regulations require strong authentication for people who want to access physical resources, for example buildings, as well as logical assets, for example Web applications that are protected by Oracle Access Manager. These regulations include the Homeland Security Presidential Directive (HSPD-12) and Signatures and Authentication for Everyone (SAFE). Special hardware tokens are often used to satisfy these regulations, including smart cards. Smart cards are also referred to as smart badges or common access cards (CACs).
Oracle Access Manager supports smart cards. When a user authenticates to a smart card application, the smart card engine produces a certificate-based authentication token. You can configure a certificate-based authentication scheme in the Access System that uses information from the smart card certificate. Certificate-based authentication works with any smart card or similar device that presents an X.509 certificate.
For example, in the case of ActivCard, smart card authentication is triggered when you do either of the following:
Insert an ActivCard that contains a public key certificate previously issued by a Certification Authority (CA) into a reader attached to your computer.
Request access to a resource protected by the Oracle Access Manager Client Certificate authentication scheme before inserting your ActivCard into the reader.
The first method displays a window prompting you for your PIN, rather than requesting a username, password, and domain. The second method displays a window prompting you to insert the ActivCard and provide your PIN.
Note:
When you initialize a smart card, you are asked to supply a PIN. If the PIN is incorrectly entered a specific number of times, the card locks. To restore a locked certificate, either use the unlock code provided during smart card initialization or re-initialize the card.
Within Oracle Access Manager, the Access System provides policy-based authentication, authorization, auditing, and Web single sign-on. For an overview of all Oracle Access Manager components, see the Oracle Access Manager Introduction.
If you are familiar with basic components of the Access System within Oracle Access Manager, integration with certificate-based strong authentication systems can be thought of as a particular case of ordinary client certificate authentication. To configure Oracle Access Manager to parse the information in a certificate presented by a strong authentication hardware token, you would do the following:
Create a policy domain to protect various resources that are accessed by users who have a strong authentication token.
Configure a client-certificate authentication scheme.
In the policy domain, include a rule that makes use of the client-certificate authentication scheme.
For more information about policy domains, authentication schemes, and rules, see the Oracle Access Manager Access System Administration Guide.
During Access System installation, a Master Administrator can request automatic configuration of a default Client Certificate authentication scheme. You can configure and modify this scheme after installation.
A user must supply a digital certificate when he or she attempts to access a resource that is protected by a policy domain that contains a client certificate authentication scheme. Oracle Access Manager supports client certificate authentication using public key encryption cryptography and X.509 certificates.
You determine how to obtain a certificate. There are no Oracle Access Manager requirements for this.
When you configure client certificate authentication, you must consider the following:
Challenge Method, Challenge Parameter, and SSL Configuration for Smart Cards
Plug-Ins for Certificate-Based Authentication that You Use for Smart Cards
Oracle Access Manager Access System Administration Guide for details on protecting resources using policy domains.
Each authentication scheme requires a challenge method to obtain user credentials for authentication. Only one challenge method is allowed per authentication scheme. The following is required for smart card authentication:
The X509Cert Challenge Method and X509 Challenge Parameter, which support public key encryption cryptography and X.509 certificates.
An SSL connection.
The X509Cert challenge method uses the Secure Sockets Layer version 3 (SSLv3) certificate authentication protocol built into browsers and Web servers. Authenticating users with a client certificate requires the client to establish an SSL connection with a Web server that has been configured to process client certificates.
Note:
Smart card authentication has no Challenge Redirect requirement.
Two plug-ins supplied with Oracle Access Manager are required when you configure the Client Certificate authentication scheme for a smart card. The order of execution in the Client Certificate authentication scheme for smart card logon is as follows.
Authentication Scheme | Plug-Ins and Order of Execution |
---|---|
Client Certificate | 1. cert_decode 2. credential_mapping |
Each plug-in defines how information is looked up in the directory server. A number of parameters are available depending upon the plug-in. For more information, see "cert_decode Plug-In" and "credential_mapping Plug-In".
If your certificate is stored in the browser, you can view the certificate details. For more information, including the OIDs of the attributes that are supported by the Access Server with the corresponding suffix used to retrieve the attribute, see the Oracle Access Manager Access System Administration Guide.
The cert_decode plug-in can be used with the X509Cert challenge method. It must be included in the Client Certificate authentication scheme for smart card authentication.
The cert_decode plug-in has no parameters and does not use a data source. This should be the first plug-in in the Client Certificate authentication scheme for smart card authentication.
cert_decode decodes the certificate and extracts the components of the certificate subject's and issuer's Distinguished Name. For each component, the plug-in inserts a credential with a certSubject or certIssuer prefix. For example, if your certificates have the subject name givenName=somename, the plug-in adds the credential certSubject.givenName=somename to the credential list.
If decoding is successful, the elements of the certificate's subject and issuer DN are added to the list of credentials. If not, authentication fails.
The credential_mapping plug-in can be used with the X509Cert challenge method. It must be included in the Client Certificate authentication scheme for smart card authentication.
The credential_mapping plug-in should be second in the Client Certificate authentication scheme for smart card authentication. This plug-in maps the user-provided information to a valid Distinguished Name (DN) in the directory using the following parameters:
obMappingBase="ou=company,dc=yourdc,dc=yourdc,dc=com"
obMappingFilter="(&(objectclass=user)(mail=%certSubject.E%))"
You can configure the attribute to which the user ID is mapped to find the DN by changing the obMappingFilter parameter as shown in the previous paragraph, where:
dc=: the Active Directory Domain Controller
mail=%certSubject.E%: maps the email in the Active Directory to the email in the certificate
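The following is an added example, not Oracle's plug-in code, that models what the two plug-ins described above do: cert_decode splits the certificate subject and issuer DNs into certSubject.* and certIssuer.* credentials, and credential_mapping substitutes a %credential% token such as %certSubject.E% into obMappingFilter before the directory search. The DN strings, the split_dn parser, the handling of repeated attributes (first value kept) and the RFC 4515 escaping of substituted values are assumptions made for the example; the real plug-ins work on the decoded X.509 structure, and the escaping is shown because a certificate value pasted into an LDAP filter unescaped could change the filter's meaning.

```python
"""Added example (not Oracle's code): models the cert_decode and
credential_mapping plug-ins on constructed certificate DNs."""
import re

# Constructed sample DNs in RFC 4514 string form, as a browser would show
# them for a smart card certificate.  "E" is the e-mail attribute that the
# %certSubject.E% token in obMappingFilter refers to.
SAMPLE_SUBJECT = "E=jdoe@example.com,CN=Jane Doe,OU=Users,DC=example,DC=com"
SAMPLE_ISSUER = "CN=Example Enterprise CA,DC=example,DC=com"

# Parameters as given in the text (the objectclass/mail filter is the page's).
OB_MAPPING_BASE = "ou=company,dc=yourdc,dc=yourdc,dc=com"
OB_MAPPING_FILTER = "(&(objectclass=user)(mail=%certSubject.E%))"


def split_dn(dn):
    """Split an RFC 4514 DN string into (attribute, value) pairs.

    Assumption for the example: commas inside values are backslash-escaped;
    quoted values and multi-valued RDNs (a+b) are not handled.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        value = re.sub(r"\\(.)", r"\1", value)  # unescape \, \= \\ and so on
        pairs.append((attr.strip(), value.strip()))
    return pairs


def cert_decode(subject_dn, issuer_dn):
    """Mimic cert_decode: add a certSubject.<attr> or certIssuer.<attr>
    credential for every DN component.  Returns {} when a DN cannot be
    parsed, which the authentication scheme treats as a failure."""
    creds = {}
    for prefix, dn in (("certSubject", subject_dn), ("certIssuer", issuer_dn)):
        for attr, value in split_dn(dn):
            if not attr or not value:
                return {}
            # Assumption: for repeated attributes (DC=example, DC=com) the
            # first value is kept.
            creds.setdefault(f"{prefix}.{attr}", value)
    return creds


def ldap_filter_escape(value):
    """RFC 4515 escaping so a certificate value cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def credential_mapping(creds, mapping_filter, mapping_base):
    """Mimic credential_mapping: replace %name% tokens in obMappingFilter
    with escaped credential values.  Returns (base, filter) for the
    directory search, or None if a referenced credential is missing."""
    missing = []

    def substitute(match):
        name = match.group(1)
        if name not in creds:
            missing.append(name)
            return ""
        return ldap_filter_escape(creds[name])

    resolved = re.sub(r"%([A-Za-z0-9_.]+)%", substitute, mapping_filter)
    return None if missing else (mapping_base, resolved)


def map_smart_card_user(subject_dn=SAMPLE_SUBJECT, issuer_dn=SAMPLE_ISSUER):
    """Run the two plug-ins in the order the scheme uses them."""
    creds = cert_decode(subject_dn, issuer_dn)
    if not creds:
        return None  # cert_decode failed: authentication fails
    return credential_mapping(creds, OB_MAPPING_FILTER, OB_MAPPING_BASE)


if __name__ == "__main__":
    print(cert_decode(SAMPLE_SUBJECT, SAMPLE_ISSUER))
    print(map_smart_card_user())
```

With the sample subject, the search is issued against the obMappingBase with the filter (&(objectclass=user)(mail=jdoe@example.com)); a certificate whose subject has no E component leaves %certSubject.E% unresolved and the mapping fails, which is the behaviour to expect when the card's certificate does not carry the attribute the filter depends on.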
See "To protect resources" for details.
This section focuses on an example of a smart card implementation.
In this scenario, Oracle Access Manager support is shown for smart card authentication with Active Directory and IIS Web servers using ActivCard Cryptographic Service Provider (CSP) for Windows 2000, ActivCard Gold utilities, and ActivCard USB Reader v2.0 in homogeneous Windows environments.
The following process occurs during Smart Card authentication with Oracle Access Manager. Figure 15-1 illustrates the sequence and is followed by a process overview.
Process overview: Smart Card authentication in the ActivCard example
The browser prompts the user for the smart card and the WebGate intercepts the user's resource request and queries the Access Server to determine if and how the resource is protected, and if the user is authenticated.
The Access Server queries the Active Directory server for authentication information and receives information from the directory.
The Access Server responds to the WebGate, which prompts the browser to challenge the user to either insert their ActivCard and/or enter their PIN.
The user submits their credentials, which the browser passes to the WebGate and the WebGate presents to the Access Server, at which point one or more authentication plug-ins are used.
The cert_decode and credential_mapping plug-ins are required with the Client Certificate authentication scheme.
The Access Server performs the authentication dialog with the Active Directory, which maps the certificate information stored in the smart card to the user certificate in the directory and returns a success response to the Access Server.
When the user's credentials are valid, the Access Server provides the response to the WebGate, which starts a session for the user.
The WebGate queries the Access Server for resource authorization.
The Access Server queries Active Directory for authorization information that allows or denies access based upon the policy domain's authentication and authorization rules.
When access is granted, the Access Server passes authorization to the WebGate, which presents the resource to the user.
Oracle Access Manager supports certificate-based authentication, and as a result, can be integrated with any certificate-based smart card or similar strong authentication token.
Several procedures must be completed to set up smart card authentication with Oracle Access Manager. The following sections provide examples of how you would go about this task.
The following sections describe how you would configure client-certificate authentication in an ActivCard environment.
Task overview: Setting up smart card authentication
Confirm your environment meets requirements in "Supported Versions and Platforms".
Set up Active Directory, as described in "Preparing Active Directory".
Set up a certificate, as described in "Preparing the CA and Enrolling for a Certificate".
Set up the IIS Web Servers, as described in "Preparing IIS Web Servers".
Set up Oracle Access Manager, as described in "Preparing Oracle Access Manager for Smart Card Authentication".
Configure your protected resources, as described in "Protecting Resources with Oracle Access Manager".
Set up IIS Manager, as described in "Setting Up the IIS Manager".
The following sections discuss preparing Active Directory.
Tip:
For more information about this procedure, see the Active Directory manual.
For details about setting up your Active Directory to operate with Oracle Access Manager, see the Oracle Access Manager Installation Guide and Oracle Access Manager Identity and Common Administration Guide.
Ensure that you have a domain controller and Active Directory installed and properly running.
Ensure that you have a Domain Name System (DNS) server installed and properly running.
Note:
You must install a Microsoft certification server with Active Directory, as discussed next.
The following sections discuss preparing the CA and enrolling for a certificate.
See also:
See the ActivCard documentation, Configuring Smart Card logon with ActivCard CSP for Windows 2000, for details.
To prepare a certification authority
Confirm that you have met all setup requirements for certification authorities (CAs), installed ActivCard Gold utilities, and set up the Certificate Authority (CA).
If you want to install the user's certificate on the ActivCard only, rather than on both the computer and the ActivCard, you need at least two installations of the ActivCard Gold utilities because you need an administrator's certificate to digitally sign the user's certificate.
Establish the certificate types that an enterprise CA can use.
Prepare a CA to issue smart card certificates.
To complete smart card certificate enrollment
Prepare a smart card certificate enrollment station on a computer that you will use to set up smart cards and install an ActivCard USB reader v2.0.
If you want the user's certificate installed on the ActivCard only, rather than on both the computer and the ActivCard, you need multiple ActivCard USB Readers and at least two installations of the ActivCard Gold utilities.
Connect a smart card reader.
Enroll for a Smart Card Logon or Smart Card User certificate, initialize the card, and digitally sign the request.
For more information about downloading certificates onto ActivCards, see the ActivCard Gold User Guide.
Log on with an ActivCard, as described in Configuring Smart Card logon with ActivCard CSP for Windows 2000.
Set policies for smart card removal behavior.
The following sections describe preparing IIS Web Servers.
Tip:
For more information about the following tasks, see the ActivCard documentation, Configuring Smart Card logon with ActivCard CSP for Windows 2000.
To prepare the IIS Web server for certificate authentication
Deploy a certificate and the CA that issued the certificate within IIS on the Web server that hosts the WebGate.
Enable SSL to protect communication on port 443 on the Web server that hosts the WebGate.
Enable client certificate authentication within IIS.
Download a 1024-bit-length Web server certificate from your Microsoft certificate server.
Note:
Do not use a 512-bit-length certificate.
The following sections describe preparing Oracle Access Manager for smart card authentication.
Tip:
For more information, see the Oracle Access Manager Installation Guide.
To prepare Oracle Access Manager for smart card authentication
Ensure that Oracle Access Manager is properly installed and running with Active Directory, including the latest patches, for example:
Identity Server and WebPass
Policy Manager and Access System Console
Access Server and WebGates
Confirm that SSL is enabled on the IIS Web server hosting the WebGate.
You need to modify the Client Certificate authentication scheme and add it to a policy domain to protect resources for smart card authentication.
Steps are provided in this procedure. For additional information, see the Oracle Access Manager Access System Administration Guide.
To configure the authentication scheme for smart card
Navigate to the Access System Console, Access System Configuration tab, Authentication Management function.
Create or modify the Client Certificate authentication scheme to use the X509Cert challenge method, as shown in the example in Figure 15-2.
Click the Plug-Ins tab and ensure that the cert_decode and credential_mapping plug-ins contain appropriate parameters and values for smart card authentication, as shown in the example in Figure 15-3.
For more information, see "About Client Certificate Authentication Schemes".
This scheme will appear in the Authentication Scheme list when you add authentication rules to the policy domain.
Next, you create a policy domain in the Policy Manager, as described in the following sections.
Navigate to the landing page for Access System administration:
http://hostname:port/access/oblix
Select the Policy Manager application, and click Create Policy Domain in the left navigation pane.
For example:
Name—Your choice
Description—Optional
Note:
Do not enable the policy domain until all specifications are completed.
Click Save.
Click the Resources tab, then click Add and add a resource.
For example:
Resource Type—Your choice
URL Prefix—Your choice
Description—Optional
Click Save.
Click Authorization rules, and configure those that apply to your policy domain and resource, then confirm or add plug-in parameters, as usual.
Click the Default Rules tab, click the Add button, enter the details for the authentication rule and confirm that you are using the modified Client Certificate authentication scheme.
For example:
Name—Your choice
Description—Optional
Authentication Scheme—Client Certificate
Add an access policy, as needed.
Delegating Administration is done as usual. There are no special requirements. For more information, see the Oracle Access Manager Identity and Common Administration Guide.
Click the General tab and enable the policy domain, as usual.
Continue with "Setting Up the IIS Manager".
Next you must configure the Oracle Access Manager cert_authn.dll to "accept cookies", in the Internet Services Manager.
To configure the cert_authn.dll
Navigate to the Internet Services Manager by clicking Start, then Programs, then Administrative Tools, then Internet Services Manager.
Expand the host, double click the Default Web Site (or another Web site if you are not using the default), then navigate to and double-click the cert_authn.dll.
For example:
hostname > Default Web Site
access\oblix\apps\webgate\bin\cert_authn.dll
Note:
If the ISAPI WebGate installation configuration is performed manually, the following information will be presented on an HTML page: "If you are using client certificate authentication you must enable client certificates for the WebGate and SSL must be enabled on the IIS Web server hosting the WebGate. Once this is done, do the following steps to enable client certificates for the WebGate:"
Select the File Security tab, then click Edit in the Secure Communications panel at the bottom of the window (File Security, then Secure communications, then Edit).
In the Client Certificate Authentication subpanel, enable Accept Certificates.
Click OK in the Secure Communications window, and click OK in the cert_authn.dll Properties window.
This section discusses the following troubleshooting tips for smart card authentication:
Oracle Access Manager requires X.509 certificates from Microsoft's Certification Server on Windows 2000 to be downloaded to the smart card. In this case, you need the ActivCard Gold for authentication.
Problem
You request a certificate for smart card from the following Web page:
http://hostname/cersrv/certsces.asp
You see the message "Downloading ActiveX Controls..." yet never complete the process.
Solution
Visit the following Web page:
http://www.microsoft.com/windows2000/downloads/critical/q323172/default.asp
Obtain security patch Q323172 for certificate downloads with IIS.
There are several sources of information that you may find useful when setting up smart card authentication for Oracle Access Manager 10g (10.1.4.0.1).
For more information about setting up Active Directory, see:
Microsoft Active Directory documentation
Oracle Access Manager Installation Guide chapter on installing on Active Directory
Oracle Access Manager Identity and Common Administration Guide for details on deploying with Active Directory
For more information about setting up ActivCard utilities and the smart card, see the documentation that accompanies your ActivCard product packages, including:
ActivCard Gold User Guide
ActivCard: Configuring smart card logon with ActivCard CSP for Windows 2000
ActivCard Trouble Shooting Guide
For general information about smart cards, see:
Microsoft Step-by-Step Guide to Installing and Using a Smart Card Reader
Microsoft Step-by-Step Guide to Mapping Certificates to User Accounts
For more information about setting up protecting resources with Oracle Access Manager policy domains, see the Oracle Access Manager Access System Administration Guide.