I haven't seen a request for ASCL authentication before. Do you know any technical details or documentation about the token? Thanks.
The Alternative Smart Card Logon (ASCL) token is an alternative PKI credential to the CAC for logical two-factor authentication to DoD NIPRNET.
The technical manual for SIEM v9.5 is somewhat cryptic in how to load CAC credentials for ESM CAC logon.
The process goes like this:
- Export the ASCL cert from the Active Client application (3rd party).
- Import the .cer (from Active Client) certificate by doing the following: ESM – Logon Security – CAC (tab) – Upload (Certificate Credentials).
I get the following error: "Error: Could not execute command on device (ER122)"
Then I would "Apply" after I cleared the error and I would receive another error: "Error: No Valid CAC Certificate. Confirm you are using a .DER format (ER801)"
After further research I found that you can use the IE certificate stores to export in various formats, such as DER encoded binary X.509 and Base-64 encoded X.509. So in my infinite wisdom I exported the ASCL cert that already resides within the IE certificate stores to a .DER format, since that is what the error message is referring to. But to my amazement, same error messages. (Note: the cert exports with a .cer extension but is a DER format according to IE; this is also true when you export to Base64.)
What is interesting is that when I use WinSCP and look in /etc/httpd/conf.d/cac/cacert.pem, I see a .pem file? (What?) So the million dollar question is: what format will the ESM accept, .DER, .PEM, .CER, or DER / Base64 with a .CER extension? As always your comments are greatly appreciated.
The way that CAC auth works is as follows:
- Upload the CA chain that signed the certificate (DoD Root CA 2 + Intermediates CA-21-32).
- For large certificate chains, it may be necessary to put the root CAs at the bottom with the intermediates at the top.
- Each certificate in the chain must be in base-64 format (text, readable), starts like this:
- Once the certificate is validated, you can set it to OPTIONAL or MANDATORY.
- Under System Properties | Users and Groups | create a group for your CAC operators.
- Then add a user account with the name matching the EDIPI on the CAC.
- Assign the account to the group.
- Clear your cache, close your browser and access the ESM.
- You should be prompted for your PIN, then prompted for which cert to use.
- Then you should see your initial view load, bypassing the authentication dialogue.
If I read your post correctly, I believe you are trying to import your own certificate as opposed to the CAs that signed your certificate.
What I don't know is how this pertains to ASCL, since I don't know how the tokens function in relation to PKI auth. Thanks.
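The thread's two sticking points are file format (the ESM wants base-64/PEM text, while IE's export wizard writes both DER and Base-64 certificates with a .cer extension) and chain order (intermediates first, root at the bottom). The script below is an added example, not code from the thread, from McAfee, or from the ESM product: it inspects the bytes rather than trusting the extension, converts DER to PEM, normalizes Windows CRLF line endings, and concatenates a chain in the order the reply describes. The sample bytes are a constructed ASN.1 stub, not a real certificate, so the script runs offline; the function and file names are my own.

```python
import base64
import re
import sys

# One PEM block: header, base64 body (possibly CRLF-wrapped), footer.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for a DER file: an ASN.1 SEQUENCE containing INTEGER 5.
# It is NOT a certificate; it only has the 0x30 leading tag a DER X.509 file has.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
# The same bytes as IE's "Base-64 encoded X.509" export would write them,
# with Windows CRLF line endings.
SAMPLE_PEM_CRLF = (
    b"-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----\r\n"
)


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' based on content, ignoring the extension."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    # DER X.509 begins with an ASN.1 SEQUENCE tag (0x30); there is no text header.
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Wrap raw DER bytes as a PEM block with 64-character base64 lines and LF endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def to_pem(data: bytes) -> str:
    """Return the certificate(s) in data as clean PEM text, whatever the input encoding."""
    fmt = detect_format(data)
    if fmt == "der":
        return der_to_pem(data)
    if fmt == "pem":
        # Decode and re-encode each block so CRLFs and odd wrapping are normalized.
        out = []
        for body in PEM_BLOCK.findall(data):
            raw = base64.b64decode(re.sub(rb"\s+", b"", body))
            out.append(der_to_pem(raw))
        return "".join(out)
    raise ValueError("input is neither a DER nor a PEM certificate")


def build_chain(intermediates: list, root: bytes) -> str:
    """Concatenate PEM blocks: intermediates at the top, root CA at the bottom."""
    return "".join(to_pem(c) for c in intermediates) + to_pem(root)


def main(argv: list) -> int:
    # Usage: python chain.py ROOT.cer INTERMEDIATE1.cer [INTERMEDIATE2.cer ...] > chain.pem
    if len(argv) < 2:
        print("usage: chain.py ROOT.cer INTERMEDIATE.cer [...]", file=sys.stderr)
        return 2
    root = open(argv[1], "rb").read()
    inters = [open(p, "rb").read() for p in argv[2:]]
    for p, d in zip(argv[1:], [root] + inters):
        print(f"{p}: {detect_format(d)}", file=sys.stderr)
    sys.stdout.write(build_chain(inters, root))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script cannot tell a CA certificate from the user's own ASCL certificate, which is the mix-up the reply suspects; for that, check subject and issuer with `openssl x509 -in file.cer -inform DER -noout -subject -issuer` (use `-inform PEM` for the Base-64 export) and confirm the subject is the CA, not the EDIPI.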
You are hired!
I performed an analysis and upon inspection I still have the "cacert.pem.bad" in /etc/httpd/conf.d/cac; apparently that is a good name regardless of whether the file names itself as "bad".
The DoD Root CA 2 is the certificate that I loaded into the SIEM; I then enabled "Optional" and built a special group. That was the ticket. (Cleared the cache on IE.)
I will relay the fix to McAfee tier support and also update the special instructions from my FED reps to disseminate to fellow DoD personnel.
I appreciate the fix.