Enable CAC Authentication

After Enhanced Security is enabled on the Stratusphere Hub and Database appliances, you can install and enable the CAC Authentication module for the Hub appliance. Once enabled, this module requires a CAC authentication certificate to be presented before access to Stratusphere’s Web UI is granted.

Important: Make sure you have enabled Enhanced Security on the Hub appliance prior to proceeding. LDAP/AD import should be configured and tested before enabling CAC authentication. Enforcing the use of a specific TLS version, such as TLS 1.2, may be required.

  1. Log out of all Stratusphere Web UI sessions.
  2. Liquidware recommends taking a snapshot of the Hub appliance for safety before proceeding.
  3. Establish a root shell by completing the following steps:
    1. Open a command line console to the appliance.
    2. Log in by entering the User ID (e.g., friend, ec2-user, azureuser, etc.) followed by your enhanced security STIG compliant password.
    3. Enter the command sudo bash and then enter your enhanced security STIG compliant password to switch to root.

  4. Enter the following command and answer Y to the prompt to install the CAC authentication module:
    yum install lwl-stig-base-dod-cac

  5. To make it easier for administrators to manage certificate files, Liquidware recommends editing the client certificate configuration file, commenting out all lines regarding specific CA certificates and adding a line to allow for a CA certificate path. You may also edit the file to set certificate revocation and network OCSP server settings.
    1. Use vi to edit the clientcerts.conf file:
      vi /etc/lwl/httpd/conf.d/clientcerts.conf

    2. Go into Insert mode by typing I and then add the following entry:
      SSLCACertificatePath /etc/lwl/httpd/cacerts/

    3. Comment out any SSLCACertificateFile entries by typing # at the beginning of the line.
    4. The following is an example of a clientcerts.conf file:
      SSLVerifyDepth 10
      SSLCACertificatePath /etc/lwl/httpd/cacerts/
      #SSLCACertificateFile /etc/lwl/httpd/cacerts/dod-root-certs.pem
      #SSLCACertificateFile /etc/lwl/httpd/cacerts/dod-root-certs-jitc.pem
      #SSLCACertificateFile /etc/lwl/httpd/cacerts/dod-root-certs-eca.pem
      #
      #uncomment and update below if a self-contained CRL is provided
      #SSLCARevocationFile /etc/lwl/httpd/crls/crllist.crl
      #
      #uncomment and update below to use a network OCSP server
      #SSLOCSPEnable on
      #SSLOCSPDefaultResponder http://ocspserver:ocspport
      #SSLOCSPOverrideResponder on

    5. Press ESC, type :wq!, and then press Enter to write and quit the vi editor.

  6. Restart the Apache Web Server for the new settings to take effect:
    systemctl restart httpd

  7. Add CA certificate(s) in PEM format using the following commands:
    1. Copy the CA certificate file(s) in Base64 format to the Hub appliance using the command line or your preferred SCP client, such as WinSCP, to the /home/<username>/ folder (for example, /home/friend/ on VMware, Hyper-V, and Nutanix). Important: Do NOT modify the certificates before or after uploading to the hub. For example (replace YOURCERTNAME with the name of your PEM/CER file):
      scp YOURCERTNAME friend@HUBIP:YOURCERTNAME

    2. Copy the file(s) from the /home/<username>/ folder to the appropriate folder with the following command on the hub:
      cp /home/friend/YOURCERTNAME /etc/lwl/httpd/cacerts

      Note: You may want to remove old files from the cacerts folder that are no longer needed.

    3. Update ownership, permissions, and security context, and rehash the certificate files in the cacerts folder with the following commands. Important: A symlink should be created within the folder for each certificate:
      chown root:root /etc/lwl/httpd/cacerts/*
      chmod 644 /etc/lwl/httpd/cacerts/*
      c_rehash /etc/lwl/httpd/cacerts
      restorecon -RF /etc/lwl/httpd/cacerts

  8. Execute the following command to reboot the system:
    reboot

  9. After the Stratusphere Hub appliance reboots, wait for about 10–15 minutes for all the services on the Stratusphere Hub to start, especially the Web UI.
  10. You will now need a valid CAC to authenticate with the Web UI through a browser. Bring up the browser of your choice and navigate to the Stratusphere Web UI address. The browser will ask you to choose a client certificate and will list either an ID or an Email certificate. Depending on the type of client certificate you select, one of the following will occur:
    • If you select the ID type certificate, access to the Stratusphere Web UI Login page will be granted. There may not be enough information available on the ID certificate to auto-log you in.
    • If you select an Email type certificate and that certificate is associated with a userPrincipalName attribute within a synced Active Directory, and you have been granted a User or Administrative role within Stratusphere, you will be transparently logged into the Stratusphere Web UI.
    • If you try to access the Stratusphere Web UI Login page without a supported client certificate, the browser will display a Bad SSL Client Authentication Certificate error.
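Before restarting the web server and after running c_rehash, the following script checks that clientcerts.conf and the cacerts folder match the layout this procedure sets up: an active SSLCACertificatePath, no live SSLCACertificateFile lines, a hash symlink for every certificate, and a report of whether CRL or OCSP revocation checking is active (the example configuration above leaves both commented out). This is an added example, not Liquidware's code; it assumes a POSIX shell with awk, sed, find and readlink, and the embedded sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not part of the Liquidware procedure: checks to run on the hub before
# "systemctl restart httpd". Assumes a POSIX shell with awk, sed, find and readlink.

# Constructed sample modelled on the clientcerts.conf layout shown above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
SSLVerifyDepth 10
SSLCACertificatePath /etc/lwl/httpd/cacerts/
#SSLCACertificateFile /etc/lwl/httpd/cacerts/dod-root-certs.pem
#SSLCARevocationFile /etc/lwl/httpd/crls/crllist.crl
#SSLOCSPEnable on
EOF
# active_directive FILE NAME: value of the first NAME line that is not commented out
active_directive() {
    awk -v name="$2" '/^[[:space:]]*#/ { next } $1 == name { print $2; exit }' "$1"
}
# revocation_mode FILE: crl, ocsp, crl+ocsp or none, judged from active directives only
revocation_mode() {
    mode=""
    if [ -n "$(active_directive "$1" SSLCARevocationFile)" ]; then mode="crl"; fi
    case "$(active_directive "$1" SSLOCSPEnable)" in
        [Oo]n|[Ll]eaf) mode="${mode:+$mode+}ocsp" ;;
    esac
    echo "${mode:-none}"
}
# audit_clientcerts FILE: 0 when SSLCACertificatePath is active and every
# SSLCACertificateFile line is commented out, as recommended above; prints findings
audit_clientcerts() {
    rc=0
    if [ -z "$(active_directive "$1" SSLCACertificatePath)" ]; then
        echo "FAIL: no active SSLCACertificatePath"; rc=1
    fi
    if [ -n "$(active_directive "$1" SSLCACertificateFile)" ]; then
        echo "FAIL: an SSLCACertificateFile line is still active"; rc=1
    fi
    echo "revocation checking: $(revocation_mode "$1")"
    return $rc
}
# unlinked_certs DIR: regular files in DIR that no symlink points at, i.e.
# certificates c_rehash has not given a hash symlink yet
unlinked_certs() {
    targets=" $(find "$1" -maxdepth 1 -type l -exec readlink {} \; | sed 's#.*/##' | tr '\n' ' ') "
    for f in "$1"/*; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            case "$targets" in *" ${f##*/} "*) ;; *) echo "${f##*/}" ;; esac
        fi
    done
}
```

Run `audit_clientcerts /etc/lwl/httpd/conf.d/clientcerts.conf` and `unlinked_certs /etc/lwl/httpd/cacerts` on the hub; any name printed by the second call is a certificate the web server will not find by hash.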