The Common Access Card (CAC) is a secure form of identification for users of a system. It is a smart card: it has an embedded chip which, together with a secret personal identification number (PIN), securely identifies the card holder.
Web sites secured by CAC require the user to present the card to a card reader attached to their personal computer. The user must also enter the PIN before they can gain access to the web site.
Enable CAC authentication
Your web site needs to enable X.509 certificate-based authentication. X.509 certificates are files that prove that the user is who they claim to be. The Common Access Card contains one or more of these certificates and presents one to your web site when the user tries to log in.
How X.509 certificates work - X.509 user security needs two files. The first is the user's X.509 certificate: every user of your site needs one, issued by a certificate authority. In this case the certificate comes to the user embedded on the CAC (smart card).
The second file is the Certificate Authority (CA) certificate. For CAC, this file comes from the issuing authority (e.g. PIV card providers) as a plain file. These CA files are installed on your web site (on the server) and let your web site know that it can trust users presenting a certificate from a Common Access Card issued by that CA.
Enable CAC authentication on Tomcat
1. Create the key & cert for the Tomcat server - Go to the directory where you want to generate the keys, open a command prompt and run the following command -
keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -validity 365 -keystore <pathToYourDirectory>/tomcat.keystore -storepass ezestpass -keypass ezestpass -dname "CN=localhost, OU=orgUnit, O=org, L=pune, ST=MH, C=IN"
pathToYourDirectory - the path to the directory where you want to store the generated keystore file; if it is not given, the keystore file is saved in the directory from which the command prompt was opened.
genkeypair :- generates a key pair (public and private key)
keyalg :- specifies the algorithm used to generate the key pair (here RSA)
sigalg :- specifies the algorithm used to sign the self-signed certificate (here SHA256withRSA).
validity :- specifies the number of days for which the certificate is valid. It is good practice to keep this low and to replace the self-signed certificate periodically for security purposes.
The public key generated by this command is wrapped in an X.509 self-signed certificate and stored, together with the private key, in the keystore that was created.
Once you enter
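As an added example (not part of the original post), this is the Tomcat conf/server.xml connector that ties the two files together: the tomcat.keystore created above identifies the server, and a separate truststore holding the CAC issuer's CA certificate decides which client certificates are accepted. The truststore file name and its password are assumptions; the CA certificate would be imported into it with keytool -importcert before Tomcat is started.

```xml
<!-- conf/server.xml: HTTPS connector that requires a CAC certificate on every connection.
     Assumed names: cac-truststore.jks holds the CA certificate(s) from the CAC issuer;
     its password is a placeholder to be replaced. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           <!-- Server identity: the keystore and alias generated in step 1 -->
           keystoreFile="${catalina.base}/conf/tomcat.keystore"
           keystorePass="ezestpass"
           keyAlias="tomcat"
           <!-- Who is trusted to vouch for users: the CA file from the CAC issuer,
                imported with:  keytool -importcert -alias cac-ca -file <ca-file>.cer
                                -keystore cac-truststore.jks -noprompt -->
           truststoreFile="${catalina.base}/conf/cac-truststore.jks"
           truststorePass="CHANGE_ME_TRUSTSTORE_PASSWORD"
           <!-- "true": the TLS handshake fails unless the client presents a certificate
                that chains to a CA in the truststore. "want" would let a browser without
                a CAC connect and leave the decision to the application; "false" disables
                client certificate checks entirely. -->
           clientAuth="true" />
```

Tomcat rejects the connection at the TLS layer when the card's certificate is not chained to a CA in cac-truststore.jks, so the web application only ever sees users whose CAC certificate validated against the installed CA file.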