CAC Card authentication under RedHat 8
Posted on 9/24/20 at 7:57 am
I'm working on upgrading a set of Drupal servers from RHEL 6 to RHEL 8 and running into an issue with a CAC style card authentication.
The old boxes are running Apache 2.2.5/PHP 5.3.3 and in ssl.conf use SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1. With this, when you hit domain.com/smartcard page, the system asks for the cert on the card, then you enter your PIN, and then you are redirected to the Drupal login screen.
The new RHEL8 boxes (Apache 2.4.3/PHP 7.2.24) with the same SSL.conf return a "You don't have permission to access /smartcard on this server. Reason: Cannot perform Post-Handshake Authentication" message as soon as you go to the page.
If I modify ssl.conf to SSLProtocol all -SSLv3 -TLSv1.3, when I go to the page I can choose the cert off the card, but it then throws an "ERR_BAD_SSL_CLIENT_AUTH_CERT" error instead of asking for the PIN.
Does anyone have any idea what could be causing the issue, and how to fix it or work around it?
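The "Cannot perform Post-Handshake Authentication" message is what mod_ssl on Apache 2.4 with OpenSSL 1.1.1 returns when a client certificate is demanded only inside a `<Location>` or `<Directory>` block: under TLS 1.2 that is satisfied by a renegotiation, but under TLS 1.3 it needs post-handshake authentication (PHA), which mainstream browsers do not offer, so the request is refused before any card prompt. The fragment below is an added illustration, not the poster's ssl.conf (the thread gives only the `SSLProtocol` line and `Roots.cer` as `SSLCACertificateFile`); the server name, certificate paths and the assumption that the original config requests the certificate per Location are all placeholders. It contrasts that layout with one that asks for the certificate during the initial handshake, and with the TLS 1.3 opt-out the poster already tried.

```apache
# Added example (not from the thread). site.example and the server cert/key
# paths are placeholders; Roots.cer and /smartcard come from the discussion.

# --- Layout A: reproduces "Cannot perform Post-Handshake Authentication" ---
<VirtualHost *:443>
    ServerName site.example                                  # placeholder
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1                   # TLS 1.2 and 1.3 on
    SSLCertificateFile    /etc/httpd/certs/server.crt        # assumed path
    SSLCertificateKeyFile /etc/httpd/certs/server.key        # assumed path
    SSLCACertificateFile  /etc/httpd/certs/Roots.cer         # from the thread

    # The certificate is demanded for one path only, so mod_ssl has to ask
    # for it after the handshake has completed. TLS 1.2: renegotiation.
    # TLS 1.3: post-handshake auth, which the browser has not enabled -> 403.
    <Location /smartcard>
        SSLVerifyClient require
        SSLVerifyDepth 4
    </Location>
</VirtualHost>

# --- Layout B: request the certificate in the handshake, enforce per path ---
<VirtualHost *:443>
    ServerName site.example                                  # placeholder
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    /etc/httpd/certs/server.crt        # assumed path
    SSLCertificateKeyFile /etc/httpd/certs/server.key        # assumed path
    SSLCACertificateFile  /etc/httpd/certs/Roots.cer         # from the thread

    # Asked of every client inside the initial handshake, so neither
    # renegotiation nor PHA is needed. "optional" keeps the public pages
    # reachable for visitors without a card.
    SSLVerifyClient optional
    SSLVerifyDepth 4                                         # raise if Roots.cer chain is deeper

    # Only a client whose certificate verified against Roots.cer gets here.
    <Location /smartcard>
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>

# --- Layout C: keep layout A but disable TLS 1.3 for this vhost ---
# Same as the poster's "-TLSv1.3" experiment: TLS 1.2 renegotiation then
# behaves as it did on RHEL 6, at the cost of never negotiating TLS 1.3.
#   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
```

Two practical notes. With layout B the browser presents its certificate picker on the first connection to the site rather than only on /smartcard, because the request is now part of every handshake; whether that is acceptable depends on who else uses the site. Separately, Chrome's `ERR_BAD_SSL_CLIENT_AUTH_CERT` means the server rejected the certificate the user chose, which is independent of PHA; a common cause is `SSLCACertificateFile` lacking the intermediate CA that issued the card's certificate, or `SSLVerifyDepth` being smaller than the chain length, and `openssl verify -CAfile Roots.cer <card-cert.pem>` on the server is the quickest way to check that the chain actually validates against the file Apache is loading.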
Posted on 9/24/20 at 8:25 am to PJinAtl
Is this related to DoD CAC's? Have RootCerts been installed on the server?
Potential info you might find helpful
https://public.cyber.mil/pki-pke/pkipke-document-library/
This post was edited on 9/24/20 at 8:27 am
Posted on 9/24/20 at 8:49 am to PJinAtl
That's all Greek to me, I'm just here to point out that the last "C" in "CAC" stands for card. No need to say CAC card.
Carry on.
Posted on 9/24/20 at 9:02 am to slacker130
quote:
slacker130
quote:
That's all Greek to me, I'm just here to point out that the last "C" in "CAC" stands for card. No need to say CAC card.
Carry on.
Hahahahahahah....love it, as this was always a pet peeve of mine as well...
Posted on 9/24/20 at 9:04 am to BabySam
Thanks, I will take a look at that site.
Not DoD, but that style card with the ICC on it and the personnel security cert on it.
ssl.conf calls Roots.cer as the SSLCACertificateFile, but it is located in /etc/httpd/certs/ and not in /etc/pki/. Not sure if that makes a difference.
Posted on 9/24/20 at 9:38 am to slacker130
quote:
slacker130

quote:
I'm just here to point out that the last "C" in "CAC" stands for card. No need to say CAC card.

Posted on 9/24/20 at 10:40 am to BallsEleven
quote:
BallsEleven
Surprised a maintainer can spell correctly....but guess it proves you can follow your TO since username is already spelled for you....
Posted on 9/24/20 at 11:06 am to BallsEleven
quote:
BallsEleven
You a T2 maintainer?
Posted on 9/24/20 at 11:29 am to slacker130
quote:
BallsEleven
quote:
You a T2 maintainer?
I'm trying to figure out if he's a pointy-head or damn crew chief....lol
i spent time on T2s
Posted on 9/24/20 at 11:31 am to slacker130
quote:
You a T2 maintainer?
quote:
damn crew chief
Yessir! I miss those big-nosed bastards.
Edit:
quote:
Surprised a maintainer can spell correctly
Hurts a little bit but I see where you're coming from

This post was edited on 9/24/20 at 11:38 am
Posted on 9/25/20 at 7:11 am to BallsEleven
quote:
Yessir! I miss those big-nosed bastards.
Well, I know you probably love 'em...I'm not a fan.
Posted on 9/25/20 at 8:23 am to slacker130
quote:
Well, I know you probably love 'em...I'm not a fan.
Definitely a love/hate relationship sometimes, especially when it came to pods, but I loved working on them.
Posted on 9/25/20 at 9:15 am to BallsEleven
I was hoping they'd be parked by now.
Posted on 9/28/20 at 2:54 am to PJinAtl
Most authenticating issues I’ve experienced with smart cards involve needing an extra driver or middleware. What is the card make/model?
This post was edited on 9/28/20 at 2:57 am
Posted on 9/28/20 at 12:00 pm to slutiger5
quote:
Most authenticating issues I’ve experienced with smart cards involve needing an extra driver or middleware. What is the card make/model?
To the best of my knowledge it is an HSPD-12 with Entrust PKI Shared Service Provider.
Would the driver/middleware be needed if the RHEL8 box isn't physically accepting the card?
Setup is any user with a computer with card reader and valid PIV card should be able to authenticate.
You go to www.site.org/smartcard. The site detects the card, asks you to select the cert and verify your PIN.
Once that is done, you are redirected to the Drupal login screen so that you can sign in to the editing suite of Drupal as an editor or admin.