Enabling Common Access Card (CAC) authentication

This topic helps you set up AppScan® Source to allow a connection to an AppScan® Enterprise Server that is enabled for Common Access Card (CAC) authentication.

Before you begin

CAC authentication is supported only on Windows. AppScan® Source supports CAC authentication with certificates that carry a Subject Alternative Name (SAN) extension (multi-domain SAN certificates); the user identity is taken from the SAN, not from the certificate subject.

Procedure

  1. If you are using an older installation of AppScan® Source that uses SolidDB, perform the following steps first. If you are using a newer installation that uses the AppScan® Enterprise Server as its database, continue to step 2.
    1. Ensure that AppScan Enterprise Server is not yet set up for CAC authentication.
    2. Log in to AppScan® Source for Analysis or the AppScan® Source command line interface (CLI) as an AppScan® Source administrator.
    3. Follow installation instructions for setting all AppScan® Enterprise Server users to have all permissions. This will set the initial default permissions for AppScan® Enterprise Server users to full administrative access. However, after CAC setup is complete, you will be able to change the default permissions to suit the needs of your organization.
    4. Exit or shut down all AppScan® Source client applications.
  2. Set up AppScan® Enterprise Server to allow CAC authentication.
  3. Open <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan® Source program data, as described in Installation and user data file locations). In this file, locate this setting:
    <Setting
        name="client_cert_auth"
        value="false"
        default_value="false"
        description="Uses client certificate authentication"
        display_name="Uses client certificate authentication"
        type="boolean"
        read_only="true"
        hidden="true"
    />
    
  4. In the setting, change value="false" to value="true" and then save the file. Leave the other attributes (including read_only="true" and hidden="true") unchanged; the setting is only read from this file, not exposed in the user interface.
  5. If you will be logging in to AppScan® Enterprise Server from AppScan® Source for Analysis or the AppScan® Source for Development Eclipse plug-in:
    1. In your Java installation directory, locate jre/lib/security/java.security. For AppScan® Source for Analysis, the jre folder is located in your AppScan® Source installation directory. Create a backup copy of this file.
    2. Edit java.security.
    3. In the list of providers and their preference orders, add com.ibm.security.capi.IBMCAC as the first security provider and renumber the existing providers so that the sequence stays contiguous. For example, if you are editing java.security for AppScan® Source for Analysis usage, change this:
      security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.3=com.ibm.crypto.provider.IBMJCE
      security.provider.4=com.hcl.securitycert.IBMCertPath
      security.provider.5=sun.security.provider.Sun

      to this:

      security.provider.1=com.ibm.security.capi.IBMCAC
      security.provider.2=com.ibm.crypto.fips.provider.IBMJCEFIPS
      security.provider.3=com.ibm.jsse2.IBMJSSEProvider2
      security.provider.4=com.ibm.crypto.provider.IBMJCE
      security.provider.5=com.hcl.securitycert.IBMCertPath
      security.provider.6=sun.security.provider.Sun
    4. Save and close the java.security file.
  6. If you are using SolidDB as the AppScan® Source database:
    1. Log in to AppScan® Source for Analysis as an AppScan® Source administrator.
    2. Change the default permissions of AppScan® Enterprise Server users to suit the needs of your organization.
      If permissions are assigned by SAN-based authentication, make sure that the user name you log in with is the one carried in the SAN extension of the certificate, not the subject name.
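The following PowerShell script is an added example for applying steps 3 through 5 of this procedure; it is not part of the HCL documentation or the AppScan® Source product. The two path values at the top are assumptions and must be changed to your own <data_dir> and installation directory. The script backs up both files, flips client_cert_auth to true without otherwise rewriting ounce.ozsettings, and inserts com.ibm.security.capi.IBMCAC as provider 1 in java.security while renumbering whatever providers are already listed, so it works with provider lists other than the five-entry one shown above.

```powershell
# Added example, not HCL's own code. Run in an elevated PowerShell prompt on the
# Windows machine where AppScan Source is installed, after all AppScan Source
# clients have been closed (step 1.4 above).
$dataDir     = 'C:\ProgramData\HCL\AppScanSource'     # ASSUMPTION: your <data_dir>
$installDir  = 'C:\Program Files\HCL\AppScanSource'   # ASSUMPTION: your install dir (holds jre\)
$settings    = Join-Path $dataDir    'config\ounce.ozsettings'
$javaSec     = Join-Path $installDir 'jre\lib\security\java.security'
$cacProvider = 'com.ibm.security.capi.IBMCAC'

# --- Steps 3 and 4: set client_cert_auth to true in ounce.ozsettings ---
# A targeted regex edit keeps the rest of the file byte-for-byte intact; the
# attribute order (name, then value) matches the fragment shown in the procedure.
Copy-Item $settings "$settings.bak" -Force
$text = Get-Content $settings -Raw
if ($text -notmatch 'name="client_cert_auth"') {
    throw "client_cert_auth setting not found in $settings"
}
$text = [regex]::Replace($text, '(name="client_cert_auth"\s+value=")false(")', '${1}true${2}')
[System.IO.File]::WriteAllText($settings, $text)   # UTF-8 without BOM

# --- Step 5: put IBMCAC first in the java.security provider list ---
Copy-Item $javaSec "$javaSec.bak" -Force
$lines     = Get-Content $javaSec
$providers = @($lines | Where-Object { $_ -match '^security\.provider\.\d+=' })

if ($providers | Where-Object { $_ -match [regex]::Escape($cacProvider) }) {
    Write-Host "$cacProvider is already listed; java.security left unchanged"
} else {
    # New order: IBMCAC, then every existing provider in its current order.
    $ordered  = @($cacProvider) + @($providers | ForEach-Object { ($_ -split '=', 2)[1] })
    $new      = @()
    $inserted = $false
    foreach ($line in $lines) {
        if ($line -match '^security\.provider\.\d+=') {
            if (-not $inserted) {
                for ($i = 0; $i -lt $ordered.Count; $i++) {
                    $new += "security.provider.$($i + 1)=$($ordered[$i])"
                }
                $inserted = $true
            }
            continue   # old provider.N line already re-emitted with its new number
        }
        $new += $line
    }
    Set-Content -Path $javaSec -Value $new -Encoding ASCII
    Write-Host "Inserted $cacProvider as security.provider.1 ($($ordered.Count) providers total)"
}

# Show the result so it can be compared with the expected list in step 5.3.
Select-String -Path $javaSec -Pattern '^security\.provider\.\d+=' | ForEach-Object { $_.Line }
```

Because the AppScan® Source for Development Eclipse plug-in uses the JRE of the Eclipse installation rather than the one under the AppScan® Source installation directory, point $javaSec at that JRE's lib\security\java.security when configuring the plug-in.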

What to do next

If you enforce Federal Information Processing Standard (FIPS) mode, the certificate on the card must not be signed with SHA-1; a SHA-1 signed certificate is rejected in FIPS mode.

To determine which signature hash algorithm your certificate uses:

  1. Open the Windows Certificate Manager: In the Windows Start menu, type certmgr.msc in the Search box and then press Enter. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  2. Open the certificate, either by double-clicking it or by using the Open action in the user interface.
  3. Select the Details tab of the certificate.
  4. Locate the Signature hash algorithm field. Its value (for example, sha1 or sha256) is the hash algorithm used to sign the certificate.
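As an added example that is not part of the HCL documentation, the same check can be scripted in PowerShell over the certificate store instead of inspecting each certificate by hand. The script reads the current user's Personal store (Cert:\CurrentUser\My), which is where smart-card middleware normally propagates the card's certificates; that store location is an assumption and may differ with your middleware. For every certificate that has a private key it reports the signature algorithm, flags SHA-1 signatures as unusable in FIPS mode, and prints the SAN extension so you can see the user name that step 6.2 of the procedure refers to.

```powershell
# Added example, not HCL's own code. Lists CAC-style certificates in the current
# user's Personal store and flags those that FIPS mode will reject.
$sanOid = '2.5.29.17'   # Subject Alternative Name extension OID

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |     # keep only certificates with a usable key
    ForEach-Object {
        $sigAlg = $_.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or sha1RSA
        $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }

        [pscustomobject]@{
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            NotAfter     = $_.NotAfter
            SignatureAlg = $sigAlg
            FipsUsable   = -not ($sigAlg -match '^sha1')   # SHA-1 signatures are rejected in FIPS mode
            SAN          = $san
        }
    } |
    Sort-Object FipsUsable |   # SHA-1 certificates appear first
    Format-List
```

A certificate whose FipsUsable value is False has to be replaced before FIPS mode is enforced; a certificate with no SAN extension cannot be used for SAN-based authentication at all.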