Level 7
Message 1 of 5

ESM DoD ASCL CAC Log in function fails


I am looking for an answer to fix the CAC login to the ESM 9.5. I have attempted to load CAC certs to enable CAC login only, but the DoD ASCL CAC card appears to be a challenge for McAfee SIEM ESM. As always, your comments are greatly appreciated.

4 Replies
McAfee Employee
Message 2 of 5

Re: ESM DoD ASCL CAC Log in function fails


I haven't seen a request for ASCL authentication before. Do you know any technical details or documentation about the token? Thanks.

Level 7
Message 3 of 5

Re: Re: ESM DoD ASCL CAC Log in function fails


The Alternative Smart Card Logon (ASCL) token is an alternative PKI credential to the CAC for logical two-factor authentication to DoD NIPRNET.

The technical manual for SIEM v9.5 is somewhat cryptic in how to load CAC credentials for ESM CAC log on.

The process goes like this:
- Export the ASCL cert from the Active Client application (3rd party).
- Import the .cer (from Active Client) certificate by doing the following: ESM – Logon Security – CAC (tab) – Upload (Certificate Credentials).

The following error appeared: "Error: Could not execute command on device (ER122)"

Then I would "Apply" after I cleared the error, and I would receive another error: "Error: No Valid CAC Certificate. Confirm you are using a .DER format (ER801)"

After further research I found that you can use the IE certificate store to export in various formats, such as DER Encoded Binary X.509 and Base-64 Encoded X.509. So in my infinite wisdom I exported the ASCL cert that already resides within the IE certificate store to a .DER format, since that is what the error message is referring to. But to my amazement, same error messages. (Note: the cert exports with a .cer extension but is a DER format according to IE; this is also true when you export to Base64.)

What is interesting is that when I WinSCP in and look at /etc/httpd/conf.d/cac/cacert.pem, I see a .pem file? (What?) So the million dollar question is: what format will the ESM accept? .DER, .PEM, .CER, or DER/Base64 with a .CER extension? As always, your comments are greatly appreciated.

McAfee Employee
Message 4 of 5 (accepted solution)

Re: Re: ESM DoD ASCL CAC Log in function fails


The way that CAC auth works is as follows:

- Upload the CA chain that signed the certificate (DoD Root CA 2 + Intermediates CA-21-32).
- For large certificate chains, it may be necessary to put the root CAs at the bottom with the intermediates at the top.
- Each certificate in the chain must be in base-64 format (text, readable), and starts like this:

-----BEGIN CERTIFICATE-----
MIIEYDCCA0igAwIBAgICATAwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCVVMx
GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEhMB8GA1UE
AxMYRmVkZXJhbCBDb21tb24gUG9saWN5IENBMB4XDTEwMTIwMTE2NDUyN1oXDTMw
MTIwMTE2NDUyN1owWTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJu

- Once the certificate is validated, you can set it to OPTIONAL or MANDATORY.
- Under System Properties | Users and Groups, create a group for your CAC operators.
- Then add a user account with the name matching the EDIPI on the CAC.
- Assign the account to the group.
- Clear your cache, close your browser and access the ESM.
- You should be prompted for your PIN, then prompted for which cert to use.
- Then you should see your initial view load, bypassing the authentication dialogue.

If I read your post correctly, I believe you are trying to import your own certificate as opposed to the CAs that signed your certificate.

What I don't know is how this pertains to ASCL, since I don't know how the tokens function in relation to PKI auth. Thanks.

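As an added example (not from this thread and not McAfee's code), a standard-library Python script that applies what the two posts above work out: it tells DER from Base-64 by file content rather than the .cer extension, re-armours everything as Base-64, and orders the upload intermediates first and root last while flagging any cert that nothing in the set chains to (most likely the user's own CAC cert rather than a CA). It only compares issuer and subject names and verifies no signatures; the CA names used with it are constructed.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def load_certs(blob):
    """DER certs found in a file's bytes, judged by content rather than by its .cer extension."""
    pems = PEM_RE.findall(blob)            # Base-64 armour, possibly several certs
    if pems:
        return [base64.b64decode(b"".join(p.split())) for p in pems]
    return [blob]                          # no armour: IE's "DER encoded binary X.509"

def to_pem(der):
    """Wrap one DER cert in the readable Base-64 armour the ESM expects."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

def _tlv(buf, off):
    """Minimal DER tag-length-value reader: (tag, content_start, content_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def names(der):
    """(issuer, subject) as raw DER, taken from tbsCertificate's leading fields:
    [0] version (optional), serialNumber, signature, issuer, validity, subject."""
    _, off, _ = _tlv(der, 0)               # outer Certificate SEQUENCE
    _, off, _ = _tlv(der, off)             # tbsCertificate SEQUENCE
    fields = []
    while len(fields) < 5:
        tag, _, nxt = _tlv(der, off)
        if tag != 0xA0:                    # skip the EXPLICIT [0] version wrapper
            fields.append(der[off:nxt])
        off = nxt
    return fields[2], fields[4]

def build_chain(files):
    """Order the upload as the reply describes (intermediates first, self-signed roots last)
    and count end-entity certs, which do not belong in it. Names only; no signature check."""
    parsed = [(c, *names(c)) for blob in files for c in load_certs(blob)]
    issuers = {iss for _, iss, _ in parsed}
    chain = {"intermediate": [], "root": [], "leaf": []}
    for der, iss, subj in parsed:          # self-signed -> root; signs something here -> intermediate
        role = "root" if iss == subj else "intermediate" if subj in issuers else "leaf"
        chain[role].append(der)            # leaf: nothing chains to it, likely your own CAC cert
    return b"".join(to_pem(c) for c in chain["intermediate"] + chain["root"]), len(chain["leaf"])
```

Feed it the bytes of every exported .cer file; the first return value is the cacert-style Base-64 bundle to upload, and a non-zero second value means a non-CA cert (the post's "your own certificate") was among the exports.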

Level 7
Message 5 of 5

Re: Re: ESM DoD ASCL CAC Log in function fails


Bingo!!!!

You are hired!

I performed an analysis and upon inspection I still have the "cacert.pem.bad" in /etc/httpd/conf.d/cac; apparently that is a good name regardless of whether the file names itself as "bad".

The DoD Root CA 2 is the certificate that I loaded into the SIEM; I then enabled "Optional" and built a special group. That was the ticket. (Cleared cache on IE.)

I will relay the fix to McAfee tier support and also update the special instructions from my FED Reps to disseminate to fellow DoD personnel.

I appreciate the fix.
