Enabling Common Access Card (CAC) authentication

This topic helps you set up AppScan® Source to allow a connection to an AppScan Enterprise Server that is enabled for Common Access Card (CAC) authentication.

Before you begin

CAC authentication is only supported on Windows and for connections to AppScan Enterprise Server Version 9.0.3.1 iFix-001 and higher.

Procedure

  1. Ensure that AppScan Enterprise Server is not yet set up for CAC authentication.
  2. Log in to AppScan Source for Analysis or the AppScan Source command line interface (CLI) as an AppScan Source administrator.
  3. Follow the instructions in the HCL® AppScan Source Installation and Administration Guide for setting all AppScan Enterprise Server users to have all permissions. This sets the initial default permissions for AppScan Enterprise Server users to full administrative access. After CAC setup is complete, you can change the default permissions to suit the needs of your organization.
  4. Exit or shut down all AppScan Source client applications.
  5. Set up AppScan Enterprise Server to allow CAC authentication.
  6. Follow the instructions in the HCL AppScan Source Installation and Administration Guide for registering the AppScan Source Database with an AppScan Enterprise Server that is enabled for Common Access Card (CAC) authentication.
  7. Open <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan Source program data, as described in Installation and user data file locations). In this file, locate this setting:
     <Setting
         name="client_cert_auth"
         value="false"
         default_value="false"
         description="Uses client certificate authentication"
         display_name="Uses client certificate authentication"
         type="boolean"
         read_only="true"
         hidden="true"
     />

  8. In the setting, change value="false" to value="true" and then save the file.
  9. If you will be logging in to AppScan Enterprise Server from AppScan Source for Analysis or the AppScan Source for Development Eclipse plug-in:
    1. In your Java™ installation directory, locate jre/lib/security/java.security. For AppScan Source for Analysis, the jre folder is located in your AppScan Source installation directory. Create a backup copy of this file.
    2. Edit java.security.
    3. In the list of providers and their preference orders, add com.ibm.security.capi.IBMCAC as the first security provider. For example, if you are editing java.security for AppScan Source for Analysis usage, change this:
      security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.3=com.ibm.crypto.provider.IBMJCE
      security.provider.4=com.hcl.securitycert.IBMCertPath
      security.provider.5=sun.security.provider.Sun

      to this:

      security.provider.1=com.ibm.security.capi.IBMCAC
      security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.4=com.ibm.crypto.provider.IBMJCE
      security.provider.5=com.hcl.securitycert.IBMCertPath
      security.provider.6=sun.security.provider.Sun
    4. Save and close the java.security file.
  10. Log in as an AppScan Source administrator to AppScan Source for Analysis or the AppScan Source command line interface (CLI) using CAC authentication.
  11. Change the default permissions of AppScan Enterprise Server users to suit the needs of your organization.
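The two file edits in steps 7 to 9 are easy to get wrong by hand (a stale value="false" left behind, or two providers sharing the same number). The following script is an added example, not part of the HCL documentation or product; it applies both edits to text read from ounce.ozsettings and java.security, renumbering the provider list in file order and refusing to touch a file that does not look as expected. The <Settings> root element and the sample file contents are constructed for illustration.

```python
import re

CAC_PROVIDER = "com.ibm.security.capi.IBMCAC"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")
# One <Setting .../> element whose name is client_cert_auth; its attributes may span lines.
SETTING_RE = re.compile(r'<Setting\b(?:(?!/>).)*?name="client_cert_auth"(?:(?!/>).)*?/>', re.S)

def enable_client_cert_auth(xml_text: str) -> str:
    """Steps 7-8: set value="true" on the client_cert_auth setting, leaving default_value alone."""
    def flip(m: re.Match) -> str:
        return re.sub(r'\bvalue="false"', 'value="true"', m.group(0), count=1)
    new_text, count = SETTING_RE.subn(flip, xml_text)
    if count != 1:
        raise ValueError(f"expected exactly one client_cert_auth setting, found {count}")
    return new_text

def prepend_provider(text: str, provider: str = CAC_PROVIDER) -> str:
    """Step 9: make `provider` security.provider.1 and renumber the rest; safe to run twice."""
    out, n, inserted = [], 0, False
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if not m:
            out.append(line)          # comments and unrelated keys pass through untouched
            continue
        if not inserted:              # first provider line seen: put the CAC provider before it
            n += 1
            out.append(f"security.provider.{n}={provider}")
            inserted = True
        if m.group(2) == provider:    # drop any existing entry so it is never listed twice
            continue
        n += 1
        out.append(f"security.provider.{n}={m.group(2)}")
    if not inserted:
        raise ValueError("no security.provider.N entries found")
    return "\n".join(out) + "\n"

# Constructed sample inputs mirroring the snippets in the procedure (not real product files).
SAMPLE_OZSETTINGS = """<Settings>
  <Setting name="client_cert_auth" value="false" default_value="false"
           description="Uses client certificate authentication" type="boolean"
           read_only="true" hidden="true" />
</Settings>
"""
SAMPLE_JAVA_SECURITY = """# constructed excerpt of jre/lib/security/java.security
security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
security.provider.4=com.hcl.securitycert.IBMCertPath
security.provider.5=sun.security.provider.Sun
"""
```

Back up both files before writing the transformed text back, as step 9 asks for java.security.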

What to do next

Your certificate cannot be SHA-1 if you want to enforce Federal Information Processing Standard (FIPS) mode. You can enforce FIPS mode by using a SHA-2 certificate and by running the appscanserverdbmgr_cac_fips.bat tool that is described in the HCL AppScan Source Installation and Administration Guide. In the guide, locate the help for registering the AppScan Source Database with an AppScan Enterprise Server that is enabled for Common Access Card (CAC) authentication.

To determine what certificate you have:

  1. Open the Windows Certificate Manager: In the Windows Start menu, type certmgr.msc in the Search box and then press Enter. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  2. Open the certificate (double-click it, or select it and use the Open action).
  3. Select the Details tab in the certificate.
  4. Locate the Signature hash algorithm field. The value for this field indicates the type of certificate.