
Logging into Livelink Using a CAC (Common Access Card)


wilsontm
Sep 23, 2009
Hello everyone, and thanks Tek-Tips for allowing me to join this community at no expense!

Just a little background info before I begin... Like most of you, I am a Systems Engineer currently supporting Livelink 9.7.1 on an Oracle 10g database (we just upgraded from 9.2 back in June this year). My system is government owned, so in order to even access the login site you have to have a government/DoD approved certificate/CAC. Of course, with the invention of the CAC, more and more users began to rely on remembering just one PIN to access all of their tools rather than trusting their brain to remember hundreds of passwords :) Unfortunately this bug has found its way to our system, causing a lot of unhappy people. The simple point: none of my users want to use a username/password to log in to our Livelink instance any more.

The biggest problem is, I don't know where to start. I have been reading about directory services, but it doesn't look as simple as installing a module and "BAM!" there it is. Nor am I 100% sure what it is that I need to implement as a solution. Am I looking for a Single Sign-On solution or a Cryptographic logon? Perhaps it is a combination of both... What we want is for our users with a CAC to authenticate and then be granted access. Our Livelink instance is available over the public internet, and always requires authentication regardless of whether you are accessing it from a known workstation on the network. Any tips and information about this are greatly appreciated.
 
If you are authenticated onto the local machine you are using with a valid Windows login on the right domain, then NTLM authentication "should" be able to use those controls to log you into Livelink.

I've recently done some work in the following areas which may be of interest:

1. Extend Livelink SSO support to Novell Netware clients running on Windows

2. Add support for SSO users to login to a Livelink instance from outside the network without a VPN, e.g. from a cybercafe etc.

Greg Griffiths
Livelink Certified Developer & ECM Global Star Champion 2005 & 2006
 
I saw Chris posting a reply in the KB, but Livelink SSO is a very simple affair. If you look at the underlying authentication scheme I will put here, perhaps you may be able to derive something out of it.

User requests Livelink page.
Livelink web server intercepts and sends to Livelink.
Livelink has to see if the user is permitted, for which it provides the logon page. When the user is vindicated he is let in.

Now let's look at what SSO is doing. A user may be logged on to a domain, so you may have a userid that resembles <domain name>\<userid>. The reason why you are logged in is because AD or LDAP or Novell let you in, correct? So why can't Livelink do it? That is the rationale behind Livelink's SSO.

To do that on an IIS machine you put the flag that says, instead of anonymous access, let's use Integrated Windows Authentication. This makes Windows check whether the web server user is permitted. If so, a standard HTTP variable called REMOTE_USER is issued. This is given/passed to Livelink. If you are on a Livelink SSO and you are a sysadmin, you can issue func=admin.testargs and actually see the variable passed to Livelink. Livelink then checks if the username is in its database, and then the process is the same.

On systems other than IIS you have to rely on the manufacturer of the web server to see how they do authentication. I have seen a lot of people using Livelink SSO with Apache as the web server, so it is possible.

So regardless of what CAC is (I do not know what it is), if it will allow the user to get to a website, then you can write a script to see if REMOTE_USER is passed in; if so, then Livelink should not be your problem. BTW, REMOTE_USER is a variable that can be changed. SiteMinder uses something else, like SMSESSION or something like that.

Please post your experiences, as I am also interested in new developments in Livelink.

Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937
Certified OT Developer,Livelink ECM Champion 2008
 
Greg,

Thanks for writing back. After speaking with my superior, what we are trying to accomplish is CLO (Cryptographic Log-on) and not essentially SSO. However, it's almost like you can't do CLO without having some support of SSO...??? What you said on #2 sounds about right. The users would need access to the system without a VPN tunnel. So perhaps your experiences in that area would at least guide us in the right direction. Please read below; I am going to answer appnair's question about what a CAC is. Maybe you'll see more clearly what it is that we need to do.

Appnair,

To answer your question about my experience: I have been supporting Microsoft systems for about 6 years (Exchange, Active Directory, etc...). 3 of those 6 years I initially spent as a Network Admin, configuring Cisco routers/switches and several Dell network devices (switches, SANs, etc...) and doing general network/user support. When it comes to Livelink, I have 1 1/2 years of backend support. One of my biggest projects here was the upgrade from Livelink 9.2 up to 9.7.1. So pretty much I just built the system; now I am looking for information on hardcore administrating for this software. Some of our future projects include integrating MS SharePoint and setting up File System Archiving.

A CAC is used in all sorts of systems as a means of security. You may also know these as smart cards. These cards are identification cards that have a chip built into them that looks like a SIM card from a cell phone, on which a lot of information is written. Just about all SIM cards in government systems store just about everything about a person: SSN, date of birth, including a picture of the individual, down to the type of algorithm the card uses to sign a signature.

More importantly, these cards contain the trusted key (certificate) that is used to authenticate the user. In my case, I have 3 certificates that have their own functions. One is an ID certificate that is used to ID the user for most applications, an email certificate that is used to ID my Exchange mailbox, and an encryption certificate which is used to encrypt messages should I need to. The only way for you to hack this setup is to physically own a CAC or have stolen it, etc... This is because once your CAC is generated, a key is stored at the ECA (External Certificate Authority) and then you have the physical key in your hands. Both keys are checked during authentication to make sure they match, then you are granted access.

The above certificates contain multiple different things... the ID certificate only contains general information about the user, such as who you are employed by, your name, expiration date and a unique identifier issued to a user by the government. The email certificate, however, has the same information, but this one contains your email address and the ability to digitally sign emails. The last one, the encryption one, is only used for doing just that... encryption.

Now that you have the background on CAC/smart cards, here is an example of it in action. I am at my home computer and need to check my Navy email. I pull out my CAC and insert it into the reader and enter my PIN. I then go to the OWA webmail web address (sometimes you are prompted with a screen that has your certificates listed; you must select the right one before you can continue)... without entering any information, the page opens and there is my email. On standard Exchange environments that have OWA enabled, users type in a username and password at a prompt. The username and password is your domain account. I got a general idea about what I need... but my brain is lost thinking about it. I need to capture the right info off the CAC and pass it into something that will check if this person has an account, and if so, then who this user is, etc... I will elaborate some more later, I have to leave work now :)


 
Given your requirements, I think you need to do something along the lines of the following when Livelink gets a request:

1. Check for a REMOTE_USER HTTP header
2. Check for an additional header/cookie with the CAC info
3. If 1 & 2, then check the CAC info and then allow them into Livelink
4. Otherwise redirect them to a server-side script that will process and authenticate the CAC and then redirect to step 1.

This is similar to what we did for the Netware client.

Greg Griffiths
Livelink Certified Developer & ECM Global Star Champion 2005 & 2006
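The four steps above, together with appnair's earlier description of the web server setting REMOTE_USER for Livelink to look up in its own user table, as an added example. This is not code from the thread, from any poster, or from Livelink; it is a generic gateway decision function. It assumes the web server has already authenticated the user and set REMOTE_USER (IIS Integrated Windows Authentication, an AKO agent, or similar) and has already validated the client certificate from the CAC, exposing the result as server variables under the Apache mod_ssl names SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN. APP_USERS, CN_TO_LOGIN, CAC_AUTH_URL and the sample DN are constructed. It goes one step beyond the list: a certificate that does not match the SSO identity, or an identity with no account, is denied rather than redirected, so a bad card cannot loop through the logon script forever.

```python
"""Added example (not from the thread or from Livelink): decision logic for a
CAC/SSO gateway in front of a web application, following the four steps above.
The web server is assumed to have authenticated the user (setting REMOTE_USER)
and validated the client certificate before this runs.  SSL_CLIENT_VERIFY and
SSL_CLIENT_S_DN are the Apache mod_ssl variable names; APP_USERS, CN_TO_LOGIN
and CAC_AUTH_URL are constructed sample data, not real identifiers."""

from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed sample: accounts known to the application (in the thread this is
# the lookup Livelink does against its own user table).
APP_USERS: Dict[str, str] = {
    "NAVY\\wilson.tom": "Tom Wilson",
    "NAVY\\smith.jane": "Jane Smith",
}

# Constructed sample: which certificate subject CN may log in as which
# application account.  A real deployment would keep this in a directory.
CN_TO_LOGIN: Dict[str, str] = {
    "WILSON.TOM.A.1234567890": "NAVY\\wilson.tom",
    "SMITH.JANE.B.0987654321": "NAVY\\smith.jane",
}

# Hypothetical server-side script that performs the CAC logon (step 4 above).
CAC_AUTH_URL = "/cac/logon"


@dataclass
class Decision:
    action: str                     # "allow", "redirect" or "deny"
    login: Optional[str] = None     # application login when action == "allow"
    location: Optional[str] = None  # target URL when action == "redirect"
    reason: str = ""


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse a mod_ssl-style subject DN such as
    '/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=WILSON.TOM.A.1234567890'
    into a dict.  When an attribute repeats (OU above) the last value wins,
    which is what we want for CN, the most specific component."""
    fields: Dict[str, str] = {}
    for component in dn.split("/"):
        key, sep, value = component.partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def redirect_to_cac_logon(return_path: str) -> str:
    """Build the step-4 redirect, carrying the originally requested path."""
    return CAC_AUTH_URL + "?" + urlencode({"return": return_path})


def gateway_decision(server_vars: Dict[str, str], requested_path: str,
                     user_var: str = "REMOTE_USER") -> Decision:
    """Steps 1-4 from the post.  `server_vars` must be the web server's own
    variables, never raw request headers: a client can send any header it
    likes, so a REMOTE_USER read from the request would be attacker-chosen.
    `user_var` is a parameter because, as the thread notes, other SSO
    products pass the identity under a different name."""
    # Step 1: identity established by the web server's own authentication.
    remote_user = server_vars.get(user_var, "")

    # Step 2: client-certificate result from the TLS layer.  mod_ssl sets
    # SSL_CLIENT_VERIFY to "SUCCESS" only when the chain validated against the
    # configured CA bundle; "NONE", "GENEROUS" and "FAILED:..." are not enough.
    cert_verified = server_vars.get("SSL_CLIENT_VERIFY") == "SUCCESS"
    cn = parse_dn(server_vars.get("SSL_CLIENT_S_DN", "")).get("CN") if cert_verified else None

    # Step 3: both present -> the card and the SSO identity must agree, and the
    # application must actually have an account for that identity.
    if remote_user and cn:
        if CN_TO_LOGIN.get(cn) != remote_user:
            return Decision("deny", reason=f"certificate CN {cn!r} does not map to {remote_user!r}")
        if remote_user not in APP_USERS:
            return Decision("deny", reason=f"no application account for {remote_user!r}")
        return Decision("allow", login=remote_user, reason="certificate and SSO identity agree")

    # Step 4: something is missing -> send the user through the CAC logon
    # script, which authenticates the card and redirects back to step 1.
    return Decision("redirect", location=redirect_to_cac_logon(requested_path),
                    reason=f"missing {user_var} or verified client certificate")


if __name__ == "__main__":
    # Constructed request: both the SSO identity and a verified card are present.
    ok = {"REMOTE_USER": "NAVY\\wilson.tom", "SSL_CLIENT_VERIFY": "SUCCESS",
          "SSL_CLIENT_S_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=WILSON.TOM.A.1234567890"}
    print(gateway_decision(ok, "/livelink/livelink.exe"))
    print(gateway_decision({}, "/livelink/livelink.exe"))
    print(gateway_decision(dict(ok, REMOTE_USER="NAVY\\smith.jane"), "/livelink/livelink.exe"))
```

The one check a practitioner should not skip is where `server_vars` comes from: it has to be the web server's own variable set (what func=admin.testargs shows on the Livelink side), populated after IIS or mod_ssl has done the authentication, not the headers the browser sent. If the front end ever copies request headers into that set, any client can present itself as any REMOTE_USER.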
 
Hey;

We did what you are asking for; basically you need SSO via AKO.

I assume you're a gov worker then; to log into LL using a CAC card you need to first look up AKO-SSO and apply for a license/agent. This takes time, as the paperwork & process is complex (complex to get approved, that is). Some people took 6 months to get approved. Approval means that your servers can now access AKO's LDAP servers via the SSO agents, so there is an agent for IIS/Apache/etc...

Once you're able to do this, basically you will have an agent that will handle SSO authentication via CAC or username, then redirect you back to your VDL server either authenticated or rejected.

So we authenticate using AKO CAC, then if successful we check the username to ensure the individual has an LL account.



 