2014 Blue Coat Systems, Inc. All rights reserved.
Contents

Preface
    Audience (page 1)
    How This Document Is Organized (page 1)
    Document Conventions (page 2)
        Typography (page 2)
        Notes and Warnings (page 2)
    Related Documentation (page 3)
    Blue Coat Knowledge Base (page 3)
Chapter 1: Overview of Common Access Card Authentication
Preface
This Preface provides you with an overview of the intended audience for this
document, document organization, Blue Coat typographical conventions, and
related documentation.
Audience
This document is written for system administrators who want to establish a session between a ProxySG appliance (including virtual appliances) and a client using mutual SSL authentication to support Common Access Card (CAC) authentication.
How This Document Is Organized
Chapter 1: "Overview of Common Access Card Authentication" on page 5
Chapter 3: "Set up Authentication and Authorization" on page 11
Document Conventions
This document uses the following conventions.
Typography
Refer to the following typographical conventions.
Convention       Definition
Italics          The first use of a new or Blue Coat-proprietary term; also used for emphasis.
Courier New      Command-line text.
{ }
[ ]
Notes and Warnings
Important:
WARNING!
Related Documentation
Blue Coat Knowledge Base
    Solutions
    FAQs
Blue Coat recommends that you regularly search the Knowledge Base for late-breaking information that might not be available in product documentation or Release Notes.
To view articles in the Knowledge Base:
1. Enter the following URL in the web browser's address or location field:
   https://kb.bluecoat.com
2. Do one of the following:
This document discusses using the Common Access Card (CAC) for administrator authentication. The CAC is a smart card that an individual uses on-premises as an identification badge, and it contains one or more X.509 certificates and the user's private key.
The CAC performs certificate-based client authentication over an SSL connection to the ProxySG appliance Management Console or the appliance's SSH interface. The serial interface does not support certificate-based client authentication.
Support for CAC authentication was introduced in SGOS 6.1.2.
Note: Whether TLS is supported depends on the ProxySG appliance and client
in use. For brevity, this document refers only to SSL; however, in procedures and
descriptions, SSL is interchangeable with TLS.
The following process describes Figure 1-1, "Mutual SSL authentication process using CAC" on page 5.
    The browser confirms that the appliance has the certificate's private key by challenging the appliance to sign random data. The browser validates the signature using the appliance's certificate.
    (If the appliance is checking for revoked certificates) The certificate must not have been revoked.
5. If appliance authentication succeeds, the browser uses the CAC to access the client certificate and private key. It then presents the certificate to the appliance.
6. The appliance validates the certificate that the browser presents. This includes the following checks:
    The appliance confirms that the browser has the certificate's private key by challenging the browser to sign random data. The appliance validates the signature using the browser's certificate.
    (If the appliance is checking for revoked certificates) The certificate must not have been revoked.
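The mutual authentication of steps 5 and 6, as an added Go example that is not part of this document: a constructed demo CA stands in for the CA list the appliance trusts, `proxysg.example` and the CN `DOE.JOHN.1234567890` are made-up names, and a software Ed25519 key stands in for the key held on the CAC. Both sides verify the peer's chain and the handshake itself carries the two signature challenges the text describes; revocation checking (OCSP/CRL) is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a short-lived Ed25519 certificate for name, signed by parent/parentKey (self-signed when
// parent is nil); ku containing KeyUsageCertSign makes it a CA. Constructed demo PKI, not the DoD PKI.
func newCert(name string, ku x509.KeyUsage, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, KeyUsage: ku, ExtKeyUsage: eku, IsCA: ku&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// MutualHandshake runs one mutual-TLS handshake over loopback TCP: the appliance side accepts only a client
// certificate chaining to ca, the browser side only an appliance certificate chaining to ca (SAN proxysg.example).
func MutualHandshake(ca *x509.Certificate, appliance, browser tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, _ := net.Listen("tcp", "127.0.0.1:0") // kernel-buffered, so neither side can stall the other mid-flight
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // browser side: offers the CAC certificate when the appliance requests one
		_, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{browser},
			RootCAs: pool, ServerName: "proxysg.example", MinVersion: tls.VersionTLS12})
		done <- err
	}()
	raw, _ := ln.Accept()
	srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{appliance}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12})
	if serr, cerr := srv.Handshake(), <-done; serr != nil || cerr != nil {
		return "", fmt.Errorf("appliance side: %v; browser side: %v", serr, cerr)
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil // CN of the verified client cert
}
```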
Security Recommendations
For security reasons, advise users to:
    Remove the CAC from the card reader whenever they step away from the client workstation.
    Close the browser (not just browser tabs) after they have logged out of the Management Console.
This chapter contains steps for configuring Common Access Card (CAC) authentication for the Management Console and serial/SSH console.
The following table outlines the steps required to set up CAC authentication through the Management Console to the ProxySG appliance, including an optional step for setting up the Notice and Consent banner.
Perform the steps in the specified order, referring to the appropriate sections/documents in the Instructions column.
Table 2-1
Step    Description    Instructions
    Text Editor: Enter the CPL directly in the Text Editor or copy the contents from an existing policy file and paste them into the Text Editor.
    Local file: Install the CPL from a policy file that exists in a local directory.
    Remote file: Install the CPL from a policy file that exists on a web server that the appliance can access.
The ProxySG appliance compiles the new policy from all source files. If compilation is successful, the policy is installed.
Note: After you click Install, the appliance displays a summary of any errors or warnings that occurred while it attempted to compile the policy. If errors occurred, the policy file is not installed; fix the errors and then try to install the policy again. The policy is installed even if warnings occurred; however, some policy or features may not work as you intended. Review the warnings and then take corrective action as needed.
Prerequisite
Before installing CAC authentication policy, you must have completed the steps in Table 2-1, "Set up CAC authentication" on page 9.
(If applicable) Determine the name of the HTTPS reverse proxy service for the Notice and Consent banner as defined on the ProxySG appliance (for example, CAC-MC-Notify).
To use similar policy in your deployment and ensure that it compiles, edit the following samples for your specific configuration.
The use cases in this chapter describe how users log in using the Common Access Card (CAC) in different environments:
    The certificate realm uses an LDAP realm for authorization; the LDAP search uses the following filter to determine authorization:
    (userPrincipalName=$(user.name))
    You configured a Notice and Consent banner and provided users with the banner address:
    https://<IP_address>:<port>
    where <IP_address> is the appliance IP address and <port> is the specific port for the banner.
1. The user goes to the address of the Notice and Consent banner. The browser displays the banner.
2. The user clicks the link to accept the banner statement. The Notice and Consent action completes and the browser redirects to the Management Console URL:
   https://<IP_address>:<port>
   where <IP_address> is the appliance IP address and <port> is the specific port for the Management Console.
   The browser displays a dialog that shows the authentication certificate from the user's CAC.
3. The user selects the certificate. They might be prompted for the CAC PIN, depending on the CAC software on the workstation and whether the user has recently logged in using the card.
   The browser presents the selected certificate to the ProxySG appliance. The appliance validates the certificate against the configured CA list. You can configure the appliance to use Online Certificate Status Protocol (OCSP) or a Certificate Revocation List (CRL) to check for certificate revocation.
   For information, refer to the "Checking Certificate Revocation Status in Real Time (OCSP)" and "Using Certificate Revocation Lists" sections in the "Managing X.509 Certificates" chapter of the SGOS 6.x Administration Guide.
4. The certificate realm extracts the username from the SubjectAltName extension in the certificate.
5. The LDAP realm searches for the user using the following filter:
   (userPrincipalName=$(user.name))
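The certificate-realm step 4 (username from the SubjectAltName extension), as an added Go example that is not part of this document: it decodes the Microsoft UPN otherName, the SubjectAltName field that matches the userPrincipalName filter in step 5, and returns the value that `$(user.name)` would carry. `EncodeUPNSAN` exists only to construct test input, and the sample UPN `1234567890@mil` is made up.

```go
package main

import (
	"encoding/asn1"
	"errors"
)

// Microsoft UPN otherName type-id (szOID_NT_PRINCIPAL_NAME): the SubjectAltName field that carries a CAC login name.
var oidMicrosoftUPN = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}

// otherName mirrors RFC 5280 OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue // kept raw: the [0] EXPLICIT wrapper around a UTF8String
}

// EncodeUPNSAN builds the DER value of a SubjectAltName extension holding one UPN otherName.
// Constructed test input only; on a real CAC the issuing CA writes this extension.
func EncodeUPNSAN(upn string) []byte {
	utf8, _ := asn1.MarshalWithParams(upn, "utf8")
	wrapped := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: utf8}
	name, _ := asn1.MarshalWithParams(otherName{oidMicrosoftUPN, wrapped}, "tag:0") // GeneralName [0] IMPLICIT
	san, _ := asn1.Marshal(asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagSequence, IsCompound: true, Bytes: name})
	return san
}

// UPNFromSAN is the certificate-realm step: walk the GeneralNames of a SubjectAltName value
// (the x509.Certificate.Extensions entry with OID 2.5.29.17) and return the UPN otherName.
func UPNFromSAN(san []byte) (string, error) {
	var seq, gn asn1.RawValue
	rest, err := asn1.Unmarshal(san, &seq)
	if err != nil || len(rest) != 0 || seq.Tag != asn1.TagSequence {
		return "", errors.New("malformed SubjectAltName")
	}
	for rest = seq.Bytes; len(rest) > 0; {
		if rest, err = asn1.Unmarshal(rest, &gn); err != nil {
			return "", err
		}
		var on otherName // non-[0] names (rfc822Name, dNSName, ...) fail the tag match and are skipped
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil || !on.TypeID.Equal(oidMicrosoftUPN) {
			continue
		}
		var upn string
		if _, err := asn1.UnmarshalWithParams(on.Value.FullBytes, &upn, "tag:0,explicit"); err != nil {
			return "", err
		}
		return upn, nil
	}
	return "", errors.New("no UPN otherName in SubjectAltName")
}
```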
1. The user starts an SSH client and enters the IP address of the ProxySG appliance.
2. The SSH client connects to the appliance and displays the Notice and Consent banner, followed by the password prompt.
   Note: No formal consent is required; however, the user's consent is implied when they enter the password in the following step.
3. The user enters their Active Directory password.
4. LDAP retrieves the user's group memberships and the user is granted access to the SSH console.
You have secured the ProxySG appliance serial console (users must enter their credentials).
1. The user starts a terminal client and enters the IP address of the ProxySG appliance.
2. The terminal client connects to the appliance.
3. The user enters their Active Directory username and password.
4. LDAP retrieves the user's group memberships and the user is granted access to the serial console.