...
The steps necessary to enable CAC authentication in PCR-360 are as follows:
Client Certificates
Note: You may already have these installed.
...
```apache
<VirtualHost *:443>
    ...
    # Optionally add request logging
    CustomLog logs/ssl_client_request_log "%h %l %u %t %{SSL_CLIENT_I_DN}x %{SSL_CLIENT_S_DN}x"

    # These directives should already be set. Adjust SSLCipherSuite if necessary.
    # Note: +SSLv3 and the +LOW, +SSLv2, +EXP and +eNULL cipher classes are obsolete and
    # should not be enabled on current deployments.
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +SSLv3
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # There should already be an SSLCertificateFile and SSLCertificateKeyFile for your server certificates
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key

    # Add the DoD CA Root Certificates
    SSLCACertificateFile /etc/pki/tls/certs/DoD_CAs.pem

    # Add the CA CRL File. Again, this adds a significant amount to the Apache startup
    # time and has a slight impact on overall performance.
    SSLCARevocationFile /etc/pki/tls/certs/allDoDCRLs.pem

    <Location />
        SSLRequireSSL
        # For setup and testing purposes, you can set this value to "require". If you do so, and there's a certificate problem,
        # the user will see a browser error (ERR_BAD_SSL_CLIENT_AUTH_CERT) rather than a PCR-360 authentication error.
        # Ensure this value is "optional" once you verify that the server is receiving the certificate. If it's "require",
        # the browser can/will get stuck in a redirect loop.
        SSLVerifyClient optional
        SSLVerifyDepth 10
        SSLUserName SSL_CLIENT_S_DN_CN
        SSLOptions +ExportCertData +FakeBasicAuth +StdEnvVars
    </Location>
    ...
</VirtualHost>
```
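Because SSLVerifyClient is left at "optional", requests with no certificate still reach the application, so the application side has to check the mod_ssl variables that +StdEnvVars exports before trusting the CN that SSLUserName SSL_CLIENT_S_DN_CN hands it. The following added example (not part of PCR-360 or this page's configuration) shows that check; it assumes Apache 2.4's comma-separated RFC 2253 DN format and uses constructed sample environments, not values from a real CAC.

```python
"""Application-side handling of the mod_ssl variables exported by the Apache
block above (+StdEnvVars with SSLVerifyClient optional).  Added example; the
environment dicts below are constructed and imitate what a CGI/WSGI environ
looks like after mod_ssl has processed a request."""


def parse_dn(dn: str) -> dict:
    """Split an RFC 2253 style DN ("CN=a,OU=b,...") into {attr: [values]}.
    Backslash escapes are honoured so an escaped comma inside a value does
    not start a new attribute; repeated attributes (several OU=) are kept."""
    attrs, parts, buf, escaped = {}, [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    for part in parts:
        if "=" in part:
            key, _, value = part.partition("=")
            attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def resolve_cac_user(env: dict):
    """Return the user name to pass to the application, or None so the
    application shows its own authentication error (the behaviour the
    SSLVerifyClient comments describe) instead of trusting a guess."""
    # "NONE" means no certificate was presented; only "SUCCESS" means the chain
    # validated against SSLCACertificateFile and SSLCARevocationFile.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    cn = parse_dn(env.get("SSL_CLIENT_S_DN", "")).get("CN", [])
    # SSLUserName SSL_CLIENT_S_DN_CN assumes exactly one CN; reject anything else.
    if len(cn) != 1 or not cn[0]:
        return None
    return cn[0]


# Constructed sample environments (made-up DNs, not real certificates).
ENV_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE"}
ENV_CAC = {"SSL_CLIENT_VERIFY": "SUCCESS",
           "SSL_CLIENT_S_DN": "CN=DOE.JANE.Q.0000000000,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US",
           "SSL_CLIENT_I_DN": "CN=EXAMPLE ID CA-1,OU=PKI,OU=DoD,O=U.S. Government,C=US"}
ENV_ESCAPED = {"SSL_CLIENT_VERIFY": "SUCCESS",
               "SSL_CLIENT_S_DN": "CN=Smith\\, John,O=Example,C=US"}
```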
FIPS 140-2
FIPS 140-2 cryptography can be enabled in Apache with OpenSSL by using the "SSLFIPS on" directive. This must be placed in the main httpd.conf file. Installation and configuration are outside the scope of this document.
...