Enabling Common Access Card (CAC) authentication

This topic helps you set up AppScan® Source to allow a connection to an AppScan® Enterprise Server that is enabled for Common Access Card (CAC) authentication.

Before you begin

CAC authentication is only supported on Windows. AppScan® Source supports CAC authentication with Subject Alternative Name - Multi-Domain (SAN) certificates.


  1. If you are using an older installation of AppScan® Source that is using SolidDB, perform the following steps first. If you are using an newer installation with a connection to the AppScan® Enterprise Server as your database, continue to step 2.
    1. Ensure that AppScan Enterprise Server is not yet set up for CAC authentication.
    2. Log in to AppScan® Source for Analysis or the AppScan® Source command line interface (CLI) as an AppScan® Source administrator.
    3. Follow installation instructions for setting all AppScan® Enterprise Server users to have all permissions. This will set the initial default permissions for AppScan® Enterprise Server users to full administrative access. However, after CAC setup is complete, you will be able to change the default permissions to suit the needs of your organization.
    4. Exit or shut down all AppScan® Source client applications.
  2. Set up AppScan® Enterprise Server to allow CAC authentication
  3. Open <data_dir>\config\ounce.ozsettings (where <data_dir> is the location of your AppScan® Source program data, as described in Installation and user data file locations)). In this file, locate this setting:
    		 description="Uses client certificate authentication"
    		 display_name="Uses client certificate authentication"
  4. In the setting, change value="false" to value="true" and then save the file.
  5. If you are using SolidDB as the AppScan® Source database:
    1. Log in as an AppScan® Source administrator to AppScan® Source for Analysis.
    2. Change the default permissions of AppScan® Enterprise Serverusers to suit the needs of your organization.
      If the permissions use a SAN (Subject Alternative Name)-based authentication, make sure you use the correct username from the certificate when logging in to AppScan® Source.

What to do next

Your certificate cannot be SHA-1 if you want to enforce Federal Information Processing Standard (FIPS) mode.

To determine what certificate you have:

  1. Open the Windows Certificate Manager: In the Windows Start menu, type certmgr.msc in the Search box and then press Enter. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  2. Open the certificate by double-click or user interface Open action.
  3. Select the Details tab in the certificate.
  4. Locate the Signature hash algorithm field. The value for this field indicates the type of certificate.