DOD Common Access Card (CAC) authentication
I have figured out all the necessary steps to get DOD CAC card based client certificate authentication working in Apache, but am now struggling to pull a good GUID for the user from the certificate I am receiving. Is there a GUID available on the certificate that will not change when the CAC card is renewed? I was thinking of using the SSL_CLIENT_S_DN which would look something like:
/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=LAST_NAME.FIRST_NAME.MIDDLE_NAME.0123456789
but I have heard that the number on the end changes when the CAC card is renewed. Is this true? Is there a better piece of information to use for a GUID? I'd also like to get the user's email address, but I don't see it available in the information I am receiving from the certificate. Is the email address available in some custom extension that I am not seeing?
Thanks!
We have run into plenty of instances where that number on the end changes. We were eventually beaten into using a process where, if a user gets a new CAC, we require that the user re-associate that new card with their user account. That's the process on most DoD systems now, such as DKO (Defense Knowledge Online) and others. If we do not have the supplied CAC certificate's data in our database, the user must log onto the system using a username and password. If the credentials are correct, the identifying information of that CAC is associated with the user's account in the system.
At least that's how we did it.
And, as far as getting access to the email address goes, @harningt is correct. It depends on which certificate is supplied to you.
The DOD EDI PIN should NOT change.
I can give you plenty of instances where you can go to the DOD411 site (CAC required) to look up somebody and it will show certificates from when they were a contractor and then show the same person again, now as a DOD civilian (we see this a lot with new hires).
I just looked up one of our new hires who has variously been in the Air Force, then a contractor for the Navy, then a contractor for the Army, and now works for us as a DA Civilian.
Same DOD EDI PIN.
The CN (Common Name) can change (e.g. resulting from marriage), but the ten-digit DOD EDI should not change.
As to what certificate to authenticate against, most sites are authenticating against the email cert, but some do use the identity cert instead.
Mike
I'm sure you've all figured out your answers by now. But for others coming to this post later just a couple notes:
This is the DISA reference site:
http://iase.disa.mil/pki-pke/
PKI is the infrastructure; PKE is enabling your computers/servers/applications with PKI auth.
This is the PKE admin getting started guide:
http://iase.disa.mil/pki-pke/getting_started/Pages/administrators.aspx
First, many PKI-enabled DOD sites should support hardware tokens issued through commercial CAs that participate in the DOD's ECA program (Verisign, IdenTrust, ORC). These ECA-issued certificates don't even include this "number", the DOD EDI PN.
As I understand it, there is supposed to be some effort made to keep the number stable for a particular person. For example even if I quit my civilian job at the DOD and go to work for a contractor, get married and change my name, quit my job and enlist in the Coast Guard, my DOD EDI PN should be the same. However, in practice, I doubt it works like that.
And even if it did, I probably shouldn't have the same access to an application. Each time my employment changes, the certificate on my CAC should be revoked. If an application is only looking at the common name or subject alternative name of the certificate, it will miss changes in the organization that probably affect the authorization of that subject.
Basing authentication on a particular certificate (issuer and serial number) is a pain for users, but it does make sense from a standpoint of security and robustness.
I have heard the argument for using the number on the end as the unique identifier for individuals because the other information (name, organization, etc) are the bits of information that can realistically change over time as opposed to the number. However, I have not seen an official document or any other piece of authoritative information that actually states this as a fact.
Just curious, is there a document that speaks to the step-by-step process of enabling Apache and DOD CAC? That's what actually brought me to this question in the first place :)
The email address is available in the Subject Alternative Name fieldset. This depends on the CAC certificate, but the one used for SSL login should contain it (it's also the email signing cert).
The subject would not likely change for a given person very often. The number is indeed the unique number identifying a person. This number would also be present in a UPN field in the Subject Alternative Name for Windows login (in a form such as NUMBER@MIL).
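Pulling the identifiers discussed in this thread (the ten-digit number on the end of the CN, the rfc822Name and UPN entries in the Subject Alternative Name, and the issuer/serial pair) out of the environment that Apache's mod_ssl exports with `SSLOptions +StdEnvVars`. This is an added example, not code from any of the posters; the variable names are Apache's documented `SSL_CLIENT_*` ones, the sample values are constructed, and the consistency check between the CN suffix and the UPN is the author's own suggestion, not DoD guidance.

```python
import re
from typing import Optional

# Constructed sample of the mod_ssl variables a CGI/WSGI app sees with
# "SSLOptions +StdEnvVars"; the values are made up, not from a real card.
SAMPLE_ENV = {
    "SSL_CLIENT_S_DN": ("/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR"
                        "/CN=LAST_NAME.FIRST_NAME.MIDDLE_NAME.0123456789"),
    "SSL_CLIENT_I_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-EXAMPLE",
    "SSL_CLIENT_M_SERIAL": "0A1B2C",
    "SSL_CLIENT_SAN_Email_0": "first.name.ctr@example.mil",   # rfc822Name entry
    "SSL_CLIENT_SAN_OTHER_msUPN_0": "0123456789@mil",         # NUMBER@MIL otherName
}

EDIPI_RE = re.compile(r"\.(\d{10})$")  # ten-digit DoD EDI PI on the end of the CN


def dn_component(dn: str, attr: str) -> Optional[str]:
    """Last value of `attr` in mod_ssl's legacy slash-separated DN format.
    Assumes no attribute value itself contains a '/'."""
    value = None
    for part in dn.lstrip("/").split("/"):
        key, _, val = part.partition("=")
        if key == attr:
            value = val
    return value


def edipi_from_cn(cn: Optional[str]) -> Optional[str]:
    """Ten-digit number on the end of the CN, or None when the certificate has
    none (e.g. an ECA-issued certificate, which carries no DoD EDI PI)."""
    m = EDIPI_RE.search(cn or "")
    return m.group(1) if m else None


def identify(env: dict) -> dict:
    """Collect the candidate identifiers and cross-check CN suffix against UPN."""
    cn = env.get("SSL_CLIENT_S_DN_CN")
    if cn is None:
        cn = dn_component(env.get("SSL_CLIENT_S_DN", ""), "CN")
    edipi = edipi_from_cn(cn)
    upn = env.get("SSL_CLIENT_SAN_OTHER_msUPN_0")
    upn_local = upn.split("@", 1)[0] if upn else None
    return {
        "edipi": edipi,
        "email": env.get("SSL_CLIENT_SAN_Email_0"),
        "upn": upn,
        # (issuer, serial) pins a login to one specific certificate, as the
        # "authenticate against a particular certificate" answer suggests
        "cert_key": (env.get("SSL_CLIENT_I_DN"), env.get("SSL_CLIENT_M_SERIAL")),
        # a CN suffix that disagrees with the UPN is a reason to reject the login
        "consistent": edipi is not None and upn_local == edipi,
    }
```

An ECA-issued certificate yields `edipi` of `None`, so an application keyed on the number must fall back to the username/password re-association flow described above or to the issuer/serial pair.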
You could retrieve the owner's SSN from the PIV. That will not change.