4 Replies Latest reply on May 20, 2015 2:01 PM by pkb

    ESM DoD ASCL CAC Log in function fails

    pkb

I am looking for an answer to fix the CAC log in to the ESM 9.5. I have attempted to load CAC certs to enable CAC Log in only, but the DoD ASCL CAC card appears to be a challenge for McAfee SIEM ESM. As always your comments are greatly appreciated.

        • 1. Re: ESM DoD ASCL CAC Log in function fails
          andy777

          I haven't seen a request for ASCL authentication before. Do you know any technical details or documentation about the token? Thanks.

          • 2. Re: Re: ESM DoD ASCL CAC Log in function fails
            pkb

The Alternative Smart Card Logon (ASCL) token is an alternative PKI credential to the CAC for logical two-factor authentication to DoD NIPRNET.


The technical manual for SIEM v9.5 is somewhat cryptic in how to load CAC credentials for ESM CAC log on.


The process goes like this:

- Export the ASCL cert from the Active Client application (3rd party)

- Import the .cer (from Active Client) certificate by doing the following: ESM – Logon Security – CAC (Tab) - Upload (Certificate Credentials)

The following error appears: "Error: Could not execute command on device (ER122)"

Then I would "Apply" after I cleared the error and I would receive another error: "Error: No Valid CAC Certificate. Confirm you are using a .DER format (ER801)"


After further research I found that you can use IE certificate stores to export in various formats, such as DER Encoded Binary X.509 and Base-64 encoded X.509. So in my infinite wisdom I exported the ASCL cert that already resides within the IE certificate stores to a .DER format, since that is what the error message is referring to. But to my amazement, same error messages. (Note: The cert exports with a .cer extension but is a DER format according to IE; this is also true when you export to Base64.)


What is interesting is when I look with WinSCP in /etc/httpd/conf.d/cac/cacert.pem I see a .pem file? (What?) So the million dollar question is what format will the ESM accept: .DER, .PEM, .CER, or DER/Base64 with a .CER extension? As always your comments are greatly appreciated.

            • 3. Re: Re: ESM DoD ASCL CAC Log in function fails
              andy777

The way that CAC auth works is as follows:

- Upload the CA chain that signed the certificate (DoD Root CA 2 + Intermediates CA-21-32).

- For large certificate chains, it may be necessary to put the root CAs at the bottom with the intermediates at the top.

- Each certificate in the chain must be in base-64 format (text, readable), and starts like this:

  -----BEGIN CERTIFICATE-----
  MIIEYDCCA0igAwIBAgICATAwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCVVMx
  GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEhMB8GA1UE
  AxMYRmVkZXJhbCBDb21tb24gUG9saWN5IENBMB4XDTEwMTIwMTE2NDUyN1oXDTMw
  MTIwMTE2NDUyN1owWTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJu

- Once the certificate is validated, you can set it to OPTIONAL or MANDATORY.

- Under System Properties | Users and Groups, create a group for your CAC operators.

- Then add a user account with the name matching the EDIPI on the CAC.

- Assign the account to the group.

- Clear your cache, close your browser and access the ESM.

- You should be prompted for your PIN, then prompted for which cert to use.

- Then you should see your initial view load, bypassing the authentication dialogue.


If I read your post correctly, I believe you are trying to import your own certificate as opposed to the CAs that signed your certificate.


What I don't know is how this pertains to ASCL, since I don't know how the tokens function in relation to PKI auth. Thanks.
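The format and ordering questions raised in the two replies above (DER vs. base-64 text, and intermediates on top with roots at the bottom) can be checked mechanically before anything is uploaded to the ESM. The following is an added example, not McAfee's code and not code from the original thread: it classifies a file by its bytes rather than by the .cer/.der/.pem extension (Windows writes both binary DER and base-64 exports as .cer), converts DER to the base-64 PEM form described above, splits a PEM bundle, and reorders the chain intermediates-first by checking which certificates are self-signed. The DER reader is a minimal hand-rolled one that only walks as far as issuer and subject; the two sample certificates at the bottom are built with a toy encoder and are constructed, unsigned stand-ins, not real DoD certificates.

```python
import base64
import re

# Added example; not McAfee's code. ROOT/INTER below are constructed toy
# certificates (unsigned), used only so the script runs offline.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def detect_format(data: bytes) -> str:
    """Classify by content: DER starts with an ASN.1 SEQUENCE tag (0x30),
    PEM is base-64 text between BEGIN/END CERTIFICATE lines."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"

def der_to_pem(der: bytes) -> str:
    """Wrap raw DER as base-64 PEM with 64-character lines (the readable form)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def split_pem_bundle(pem: bytes) -> list:
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [base64.b64decode(re.sub(rb"\s+", b"", body))
            for body in PEM_RE.findall(pem)]

def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der: bytes):
    """Walk tbsCertificate just far enough to return raw issuer and subject Names."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _tlv(tbs, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = nxt
    _, _, pos = _tlv(tbs, pos)             # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)        # issuer Name
    _, _, pos = _tlv(tbs, pos)             # validity
    _, subject, _ = _tlv(tbs, pos)         # subject Name
    return issuer, subject

def is_self_signed(der: bytes) -> bool:
    """A root CA names itself as issuer; an intermediate names its parent."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject

def order_chain(ders: list):
    """Reorder intermediates-first, roots-last, and note every root that sat
    above an intermediate in the original bundle order."""
    roots = [i for i, d in enumerate(ders) if is_self_signed(d)]
    inters = [i for i, d in enumerate(ders) if not is_self_signed(d)]
    notes = [f"root at position {r} sits above intermediate at position {i}"
             for r in roots for i in inters if r < i]
    return [ders[i] for i in inters + roots], notes

# --- toy DER encoder for the constructed sample certificates ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF (OID commonName 2.5.4.3, PrintableString)."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def make_toy_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Structurally valid X.509 v3 DER with a dummy key and an empty signature."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, b"250101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))

ROOT = make_toy_cert("Toy Root CA", "Toy Root CA")            # self-signed (root)
INTER = make_toy_cert("Toy Intermediate CA", "Toy Root CA")   # issued by the root
```

Running `order_chain(split_pem_bundle(bundle))` on a bundle that has the root on top returns the certificates with the intermediate first and a note explaining why it was moved; `"".join(der_to_pem(d) for d in ordered)` then produces the readable base-64 file to upload. The reader only understands single-attribute Names from the toy encoder and real certificates with standard layouts; it is a pre-upload sanity check, not a replacement for the ESM's own validation.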

              • 4. Re: Re: ESM DoD ASCL CAC Log in function fails
                pkb

                Bingo!!!!

                You are hired!


I performed an analysis and upon inspection I still have the "cacert.pem.bad" in /etc/httpd/conf.d/cac; apparently that is a good name regardless of whether the file names itself "bad".

The DoD Root CA 2 is the certificate that I loaded into the SIEM. I then enabled "Optional" and built a special group. That was the ticket. (Cleared cache on IE)


I will relay the fix to McAfee tier support and also update the special instructions from my FED Reps to disseminate to fellow DoD personnel.


                I appreciate the fix.