Managed Reporting Support for Common Access Card (CAC) Trusted Logon


A Common Access Card (CAC) is a smart card issued by the United States Department of Defense for the identification of all Department of Defense personnel and contractors. These cards, in conjunction with the appropriate card reader configuration on an end-user machine, can be used to perform certificate-based authentication when the Web server has been configured to require client-side certificates following the Public Key Infrastructure (PKI) standard. WebFOCUS has the ability to retrieve the Common Name or User Principal Name attributes from the supplied user certificate to populate the REMOTE_USER variable so that CAC can be used to provide a trusted logon to Managed Reporting.

Pre-Installation Requirements

The Web server must be configured to prompt users for client-side certificates using PKI, and the ActivIdentity card-reading software must be properly installed on end-user machines, before the WebFOCUS Client can be configured to trust the client certificate. Refer to the documentation provided by the Department of Defense on the proper method to set up the ActivIdentity software.

In addition, before switching Managed Reporting over to use the REMOTE_USER value for automatic logon, you must create at least one Managed Reporting Administrator that matches the value of the certificate attribute chosen for PKI_userid_source. For example, if the Managed Reporting Administrator has a Common Name (CN) of Joe.Smith.1122334455 and the PKI_userid_source is set to CN, the Managed Reporting User ID must be Joe.Smith.1122334455. If the Managed Reporting Administrator has a User Principal Name (UPN) of 1122334455@mil and the PKI_userid_source is set to UPN, the Managed Reporting User ID must be 1122334455@mil.

For more information, see the WebFOCUS Security and Administration manual.

Procedure: How to Enable Trusted Logon Using a PKI Client Certificate
To enable a trusted logon using a PKI client certificate, you must configure several properties within the WebFOCUS Administration Console.

  1. Go to the WebFOCUS Welcome page and click the WebFOCUS Administration Console link.
  2. Log on as an administrator.
  3. Click Configuration and then, under Application Settings, click Security.
  4. Edit the Security Settings as necessary and save your changes.

    These attributes are activated as soon as they are saved. You do not need to recycle the application server.

Reference: Security Settings for Trusted Logon Using a PKI Client Certificate
PKIFilter.enabled

Enables the PKI filter, which populates the REMOTE_USER variable with the certificate attribute specified in PKI_userid_source. Managed Reporting and ReportCaster must each be configured separately to use the REMOTE_USER variable for logon.

PKI_allow_ip

Specifies a list of IP addresses, separated by semicolons, that are allowed to pass the PKI filter even when the request does not carry a valid client certificate. The ReportCaster distribution server IP address must be included in this list for the ReportCaster distribution server to be able to retrieve Managed Reporting content. A sample list might look like:

127.0.0.1;127.0.0.2

If the source IP address of the request is not in this list and no client certificate is provided, the PKI filter returns a 403 Forbidden error.

PKI_userid_source

Specifies the certificate attribute that should populate REMOTE_USER for the user ID. The possible values are:

cn

The common name for the certificate. For example,

Joe.Smith.1122334455

upn

The userPrincipalName attribute from the Subject Alternative Name section of the certificate. For example,

1122334455@mil

Due to the way the UPN is encoded, you must have a copy of the Bouncy Castle Java Cryptography library within your classpath. It can be downloaded from the Bouncy Castle Web site at http://www.bouncycastle.org/java.html.
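The decision the PKI filter makes, as an added example that is not WebFOCUS code: the UPN lives in a Subject Alternative Name otherName (OID 1.3.6.1.4.1.311.20.2.3) whose value is DER-encoded, which is why it needs decoding rather than a simple string lookup, and a request with no certificate passes only from an allow-listed IP. The certificate dictionary, the DER bytes, and the settings dictionary are constructed for the example; the CN and UPN values are the ones used on this page.

```python
# Added example: a Python model of the PKI filter decision described on this page.
UPN_OID_DER = bytes.fromhex("2b060104018237140203")  # OID 1.3.6.1.4.1.311.20.2.3 (UPN otherName)

def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def upn_from_other_name(der: bytes):
    """Decode a SAN otherName (GeneralName [0]) carrying a UPN; None if it is anything else."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0xA0:
        return None
    oid_tag, oid, pos = _tlv(body, 0)
    if oid_tag != 0x06 or oid != UPN_OID_DER:
        return None
    wrap_tag, wrapped, _ = _tlv(body, pos)     # [0] EXPLICIT around the value
    val_tag, value, _ = _tlv(wrapped, 0)
    if wrap_tag != 0xA0 or val_tag != 0x0C:    # 0x0C = UTF8String
        return None
    return value.decode("utf-8")

def parse_allow_ip(setting: str) -> set:
    """PKI_allow_ip is a semicolon-separated list, e.g. '127.0.0.1;127.0.0.2'."""
    return {ip.strip() for ip in setting.split(";") if ip.strip()}

def pki_filter(source_ip: str, cert, settings: dict):
    """Return (status, remote_user): 200 with REMOTE_USER set from the certificate, 200 with no
    REMOTE_USER for an allow-listed IP that sent no certificate, or 403 otherwise."""
    if not settings.get("PKIFilter.enabled", False):
        return 200, None
    if cert is None:
        return (200, None) if source_ip in parse_allow_ip(settings["PKI_allow_ip"]) else (403, None)
    source = settings["PKI_userid_source"].lower()
    if source == "cn":
        user = cert["cn"]
    elif source == "upn":
        user = next((u for u in map(upn_from_other_name, cert["san_other_names"]) if u), None)
    else:
        user = None
    return (200, user) if user else (403, None)

# Constructed sample certificate (not a real DoD certificate): subject CN plus one SAN otherName
# holding the UPN, DER-encoded the way Java's getSubjectAlternativeNames() returns otherName entries.
SAMPLE_UPN_DER = bytes.fromhex("a01e060a2b060104018237140203a0100c0e") + b"1122334455@mil"
SAMPLE_CERT = {"cn": "Joe.Smith.1122334455", "san_other_names": [SAMPLE_UPN_DER]}
SETTINGS = {"PKIFilter.enabled": True, "PKI_allow_ip": "127.0.0.1;127.0.0.2", "PKI_userid_source": "upn"}
```

Whichever attribute is selected here must match the Managed Reporting user ID exactly, which is why the administrator account has to exist with that value before the filter is enabled.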

ReportCaster Considerations

To schedule Managed Reporting content within ReportCaster, there must be a path to the WebFOCUS Client that does not require a client certificate, and the IP addresses of the machines where the ReportCaster distribution servers reside must be included in the PKI_allow_ip list.

It is recommended that you configure PKI on a separate Web server, which forwards the request to the application server with the certificate. The ReportCaster distribution server can then be configured to go directly against the application server and bypass the Web server.

For example, on a Windows host, PKI can be configured on IIS, which forwards the requests to Apache Tomcat. The default Tomcat port can be left open on 8080 and you can configure ReportCaster to go to this port by updating the Repository Node on the MR Info tab of the ReportCaster Configuration.

If the ReportCaster distribution server is installed on the same machine as the WebFOCUS Client, it is advisable to set the host name to localhost and include the IP address 127.0.0.1 in the PKI_allow_ip list to keep all traffic local to the machine.

Note: When enabled, the PKI filter prevents any access to the WebFOCUS Client unless the source IP address of the request is in the PKI_allow_ip list. As a result, it is not possible for a regular user to bypass the PKI authentication by going directly to the application server.

Developer Studio Considerations

At this time, Developer Studio does not support supplying a client certificate using PKI, and so it is not possible to use Developer Studio in an environment where this has been configured.
