Enabling Web Apps for DoD Security via PKI/CAC Enablement (Forge.mil case study)
Presentation for MIL-OSS 2009, August 12, 2009  http://www.mil-oss.org/
Richard Bullington-McGuire, Director of Technology, Three Pillar Software  http://threepillarsoftware.com/
Kevin Hourihane, Principal Collaborative Development Consultant, CollabNet  http://www.collab.net/
Introduction
- Forge.mil: Public Key Enablement (PKE) of CollabNet TeamForge
- Faced many challenges; many of the solutions may be reusable
- Not a "how-to" or "everything you wanted to know": sharing "lessons learned"
You're here because...
- You are considering PKI-enabling your DoD web app
- You are having issues with implementation
- You want to know how Open Source helped us
- Other reasons? (Please speak up)
Why use Public Key Enablement?
You have to: executive directives
- Homeland Security Presidential Directive-12 (HSPD-12)
- DoD Directive 8500
- Application Security STIG: comply or you'll never go live
You want to: key benefits
- Better security through centralized X.509 CA authentication
- Eliminates password management headaches
- Easy to revoke a compromised identity through CRLs (provided the server actually fetches and enforces them)
PKE Challenges
- Legacy systems use user names and passwords; adapting these systems to use certificates is difficult
- COTS integration: may need to wrap black-box systems
- Mapping certificates to principals has many tricky issues
- Cryptography library integration may be needed
Certificate Challenges
- Multiple identity mediums pose challenges
- Common Access Card (CAC) smart cards on NIPRNet: government employees and some contractors get these DoD-issued certificates
- Smart card middleware on client computers mediates the SSL handshake
- Soft certificates only on SIPRNet; smart cards coming soon
More Certificate Challenges
- External Certification Authority (ECA) certificates (mostly software certificates) for contractors
- Issuers: Verisign, IdenTrust, Operational Research Consultants
- Format of subject DNs varies; no EDIPI in ECA certificates
- Frequent self-inflicted denial of service for Verisign ECA users, due to the annoyingly short expiration time on the Verisign ECA CRL and the flakiness of crl.gds.disa.mil: once the server's copy of the CRL passes its next-update time, certificate verification fails for every client from that issuer until a fresh CRL is fetched
- Getting ECA certificates: pay $100, provide notarized forms, wait 1-2 weeks for issuance
Certificate-to-Identity Mapping
- Where's the unique ID?
- Why not use the EDIPI (the 10-digit identifier that ends the CN of DoD-issued certificates)?
  - No: not in ECA certs
  - Privacy concerns
- Subject and Issuer DN are insufficient: a renewed or reissued certificate for the same person can carry the same Subject and Issuer DN, so the serial number is also needed to record distinct certs (serials are unique only within one issuer, so the pair Issuer DN + serial is the key)

$ # show JITC certificate for "Jon Jones"
$ openssl pkcs12 -clcerts -nokeys -in Good.p12 | openssl x509 -text | less
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12356 (0x3044)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD JITC CA-19
        Validity
            Not Before: Sep 16 16:39:58 2008 GMT
            Not After : Sep 17 16:39:58 2011 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=Contractor, CN=Jones.Jon.1234567890
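The mapping rule above, as an added example that is not part of the original slides or of the Forge.mil code: it parses the fields from `openssl x509 -text` output, builds the (Issuer DN, serial) key, and pulls the EDIPI out of a DoD-style CN while returning nothing for an ECA-style CN. The JITC certificate text is the one shown on the slide; the reissued certificate and the ECA certificate are constructed for illustration, and the ECA issuer and subject layout are assumptions, not a real vendor's DN format.

```python
import re

# Sample input: the `openssl x509 -text` output shown on the slide (JITC test cert).
DOD_CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12356 (0x3044)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD JITC CA-19
        Validity
            Not Before: Sep 16 16:39:58 2008 GMT
            Not After : Sep 17 16:39:58 2011 GMT
        Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=Contractor, CN=Jones.Jon.1234567890
"""

# Constructed: the same person re-issued by the same CA; only the serial differs.
REISSUED_CERT_TEXT = DOD_CERT_TEXT.replace("12356 (0x3044)", "12401 (0x3071)")

# Constructed ECA-style certificate (assumed DN layout): vendor CA, no EDIPI in the CN,
# and a long serial, which openssl prints as colon-separated hex on its own line.
ECA_CERT_TEXT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:1f:00:00:00:00:00:00:00:00:00:00:00:00:00:0b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Example ECA Vendor, OU=ECA, CN=Example ECA CA
        Validity
            Not Before: Jan  5 00:00:00 2009 GMT
            Not After : Jan  5 23:59:59 2010 GMT
        Subject: C=US, O=Example Contractor Inc, OU=Engineering, CN=Jon Jones
"""


def parse_openssl_text(text):
    """Extract serial, Issuer DN and Subject DN from `openssl x509 -text` output."""
    lines = text.splitlines()
    fields = {}
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Serial Number:"):
            rest = s[len("Serial Number:"):].strip()
            if rest:                       # short serial: "12356 (0x3044)"
                fields["serial"] = int(rest.split()[0])
            else:                          # long serial: hex bytes on the next line
                fields["serial"] = int(lines[i + 1].strip().replace(":", ""), 16)
        elif s.startswith("Issuer:"):
            fields["issuer"] = s[len("Issuer:"):].strip()
        elif s.startswith("Subject:"):     # "Subject Public Key Info:" does not match
            fields["subject"] = s[len("Subject:"):].strip()
    return fields


def identity_key(fields):
    """Serials are unique only per CA, so the record key is (Issuer DN, serial hex)."""
    return (fields["issuer"], format(fields["serial"], "X"))


# DoD CN convention: Last.First.Middle.EDIPI, with the EDIPI as the final 10 digits.
EDIPI_RE = re.compile(r"^[^,]+?\.(\d{10})$")


def edipi_from_subject(subject_dn):
    """Return the EDIPI from a DoD-style CN, or None (e.g. ECA certificates)."""
    for rdn in subject_dn.split(", "):
        if rdn.startswith("CN="):
            m = EDIPI_RE.match(rdn[3:])
            return m.group(1) if m else None
    return None


if __name__ == "__main__":
    for label, text in (("DoD", DOD_CERT_TEXT), ("reissued", REISSUED_CERT_TEXT), ("ECA", ECA_CERT_TEXT)):
        f = parse_openssl_text(text)
        print(label, identity_key(f), "EDIPI:", edipi_from_subject(f["subject"]))
```

Running it shows the two DoD certificates sharing Subject and Issuer DN but getting different keys, which is why a mapping table keyed on DNs alone cannot tell a renewed credential from the one it replaced.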
Forge.mil Internal Architecture
- Deployment architecture
- Key systems and concepts
- Forge.mil user with X.509 client certificate (CAC/ECA)
- CollabNet TeamForge on Red Hat Enterprise Linux 5
Open Source foundation: Apache HTTPD, mod_ssl, mod_python, JBoss, Tomcat, Subversion, Lucene, Apache James, PostgreSQL
Key insight: intercept the request at the Apache module level for PKI and SSO enablement
Deployment diagram components: software.forge.mil (Application Server), svn.forge.mil (Integration Server), Single Sign On (SSO) Database, Application Database
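What "intercept at the Apache module level" needs from mod_ssl, as an added example that is not the Forge.mil configuration: client certificates are demanded and verified by Apache, the CRLs are enforced there, and the verified certificate fields are exported to a mod_python access-phase handler that runs before the proxy or Subversion handlers see the request. Host name, file paths and the handler module name `sso_handler` are hypothetical; the directives are Apache 2.2-era mod_ssl and mod_python directives.

```apache
<VirtualHost *:443>
    ServerName software.example.mil
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/software.example.mil.crt
    SSLCertificateKeyFile /etc/pki/tls/private/software.example.mil.key

    # Trust anchors: DoD root and intermediate CAs plus the ECA vendor CAs,
    # concatenated into one PEM bundle (hypothetical path).
    SSLCACertificateFile /etc/pki/tls/certs/dod-and-eca-ca-bundle.pem
    SSLVerifyClient require
    SSLVerifyDepth  4

    # Revocation: a directory of CRLs with c_rehash-style hash links.
    # Verification fails for every client of a CA whose CRL has passed its
    # nextUpdate, so the job that refreshes this directory must run more
    # often than the shortest CRL lifetime among the issuers trusted above.
    # (Apache 2.4 additionally needs "SSLCARevocationCheck chain"; without
    # it the CRLs are loaded but never consulted.)
    SSLCARevocationPath /etc/pki/tls/crls

    # Export the verified certificate to handlers as environment variables:
    # SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL,
    # and the PEM certificate itself (SSL_CLIENT_CERT) via +ExportCertData.
    SSLOptions +StdEnvVars +ExportCertData

    # Run the PKI/SSO handler in the access-check phase of every request,
    # ahead of whatever content handler (proxy, DAV, ...) serves the URL.
    <Location />
        PythonAccessHandler sso_handler
    </Location>
</VirtualHost>
```

Keeping `SSLVerifyClient require` at the virtual-host level rather than per-Location matters: a per-Location setting forces a renegotiation after the request line has been read, which is exactly the situation the 2009 TLS renegotiation attacks exploited.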
software.forge.mil / svn.forge.mil (Application Server or Integration Server): deployment diagram
- Client software: web browsers (IE, Firefox), Subversion clients (DAV over https), custom SOAP clients. All must use client cert auth.
- Client -> Server: https / TCP 443 into Apache HTTPD
- Apache HTTPD modules:
  - mod_python handlers: sf_sso looks up cert->user mappings in the SSO database; sf_pki calls the TeamForge login() method via SOAP using the master password, then redirects the user through an alternate login path accepting username + session ID
  - sfauth (Subversion auth)
  - httpproxy + SOAP to the application tier
- JBoss (on the Application Server only): Web Rendering, SOAP Server, JAAS module masterpassword.jar; JBoss -> Tomcat via Java RMI
- Tomcat, James Mail, Lucene Indexes
- Server -> Database: PostgreSQL / TCP 5432 to the Application Database and the Single Sign On (SSO) Database
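The decision the sf_sso handler has to make, as an added example written for this page rather than Forge.mil's own module: read mod_ssl's verdict and the verified certificate fields, normalise the Issuer DN so that a mapping table survives the change of DN string format between Apache 2.2 and 2.4, and resolve the (Issuer DN, serial) pair to a user. The SSO table, the environment dictionaries and the `/sso/register` path are constructed for the example; `accesshandler` shows the assumed mod_python wiring and is the only part that needs mod_python. Because the design hands every mapped user to TeamForge through a master password and an alternate login path, the one check that must never be skipped is the first one: `SSL_CLIENT_VERIFY` equal to `SUCCESS`, since with `SSLVerifyClient optional` a request can carry a DN that mod_ssl did not verify.

```python
# Constructed SSO table as sf_sso would consult it: (Issuer DN, serial hex) -> username.
# Issuer DNs are stored in the canonical form produced by canonical_dn().
SSO_TABLE = {
    ("C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC CA-19", "3044"): "jjones",
}


def canonical_dn(dn):
    """Normalise a mod_ssl DN string to root-first 'C=..,O=..,...,CN=..'.

    Apache 2.2 exports '/C=US/O=U.S. Government/.../CN=...'; Apache 2.4 exports
    RFC 2253 order 'CN=...,OU=...,C=US' unless SSLOptions +LegacyDNStringFormat
    is set. Keying the table on the raw string therefore breaks on upgrade.
    (Simple split: values containing '/' or ',' would need RFC 2253 unescaping.)
    """
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = [p.strip() for p in dn.split(",")][::-1]
    return ",".join(parts)


def authenticate(env):
    """Map mod_ssl's exported variables to a decision.

    env is the CGI-style environment mod_ssl fills in (req.subprocess_env in
    mod_python). Returns ('ok', username), ('unmapped', key) for a verified
    certificate nobody has enrolled yet, or ('deny', reason).
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        # 'NONE' or 'FAILED:<reason>': the DN fields may still be populated,
        # so they must not be used for identification.
        return ("deny", verify)
    issuer = canonical_dn(env["SSL_CLIENT_I_DN"])
    # mod_ssl exports the serial as upper-case hex, zero-padded to whole bytes;
    # strip the padding so it matches the value recorded at enrollment.
    serial = env["SSL_CLIENT_M_SERIAL"].upper().lstrip("0") or "0"
    key = (issuer, serial)
    user = SSO_TABLE.get(key)
    return ("ok", user) if user is not None else ("unmapped", key)


def accesshandler(req):
    """Assumed mod_python access-phase entry point (PythonAccessHandler)."""
    from mod_python import apache  # imported here so the rest runs without Apache
    verdict, value = authenticate(req.subprocess_env)
    if verdict == "ok":
        req.user = value                      # consumed by the later login step
        return apache.OK
    if verdict == "unmapped":
        req.headers_out["Location"] = "/sso/register"   # assumed enrollment path
        return apache.HTTP_MOVED_TEMPORARILY
    return apache.HTTP_FORBIDDEN


# Constructed environments, as mod_ssl would export them for the slide's JITC cert.
LEGACY_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD JITC CA-19",
    "SSL_CLIENT_S_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=Contractor/CN=Jones.Jon.1234567890",
    "SSL_CLIENT_M_SERIAL": "3044",
}
RFC2253_ENV = dict(LEGACY_ENV,
                   SSL_CLIENT_I_DN="CN=DOD JITC CA-19,OU=PKI,OU=DoD,O=U.S. Government,C=US",
                   SSL_CLIENT_S_DN="CN=Jones.Jon.1234567890,OU=Contractor,OU=PKI,OU=DoD,O=U.S. Government,C=US")
UNVERIFIED_ENV = dict(LEGACY_ENV, SSL_CLIENT_VERIFY="FAILED:unable to get local issuer certificate")
UNKNOWN_ENV = dict(LEGACY_ENV, SSL_CLIENT_M_SERIAL="3071")

if __name__ == "__main__":
    for name in ("LEGACY_ENV", "RFC2253_ENV", "UNVERIFIED_ENV", "UNKNOWN_ENV"):
        print(name, authenticate(globals()[name]))
```

The `UNKNOWN_ENV` case is the reissued-CAC situation: same person, same DNs, new serial. The handler deliberately answers "unmapped" rather than matching on the Subject DN, so the new certificate has to be enrolled explicitly and the old serial can be retired.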