PJinAtl
Auburn Fan
Atlanta
Member since Nov 2007
10757 posts

CAC Card authentication under RedHat 8
I'm working on upgrading a set of Drupal servers from RHEL 6 to RHEL 8 and running into an issue with a CAC style card authentication.

The old boxes are running Apache 2.2.5/PHP 5.3.3 and in ssl.conf use SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1. With this, when you hit domain.com/smartcard page, the system asks for the cert on the card, then you enter your PIN, and then you are redirected to the Drupal login screen.

The new RHEL8 boxes (Apache 2.4.3/PHP 7.2.24) with the same SSL.conf return a "You don't have permission to access /smartcard on this server. Reason: Cannot perform Post-Handshake Authentication" message as soon as you go to the page.

If I modify ssl.conf to SSLProtocol all -SSLv3 -TLSv1.3, when I go to the page I can choose the cert off the card, but it then throws an "ERR_BAD_SSL_CLIENT_AUTH_CERT" error instead of asking for the PIN.

Does anyone have any idea what could be causing the issue, and how to fix it or work around it?


BabySam
LSU Fan
FL
Member since Oct 2010
727 posts

re: CAC Card authentication under RedHat 8
Is this related to DoD CACs? Have RootCerts been installed on the server?

Potential info you might find helpful
https://public.cyber.mil/pki-pke/pkipke-document-library/
This post was edited on 9/24 at 8:27 am


slacker130
Auburn Fan
Your mom
Member since Jul 2010
4349 posts

re: CAC Card authentication under RedHat 8
That's all Greek to me, I'm just here to point out that the last "C" in "CAC" stands for card. No need to say CAC card.

Carry on.


BabySam
LSU Fan
FL
Member since Oct 2010
727 posts

re: CAC Card authentication under RedHat 8
quote:

slacker130

quote:

That's all Greek to me, I'm just here to point out that the last "C" in "CAC" stands for card. No need to say CAC card.

Carry on.


Hahahahahahah....love it, as this was always a pet peeve of mine as well...


PJinAtl
Auburn Fan
Atlanta
Member since Nov 2007
10757 posts

re: CAC Card authentication under RedHat 8
Thanks, I will take a look at that site.

Not DoD, but that style card with the ICC on it and the personnel security cert on it.

ssl.conf calls Roots.cer as the SSLCACertificateFile, but it is located in /etc/httpd/certs/ and not in /etc/pki/. Not sure if that makes a difference.


BallsEleven
LSU Fan
Member since Mar 2019
2365 posts

re: CAC Card authentication under RedHat 8
quote:

slacker130




quote:

I'm just here to point out that the last "C" in "CAC" stands for card. No need to say CAC card.





BabySam
LSU Fan
FL
Member since Oct 2010
727 posts

re: CAC Card authentication under RedHat 8
quote:

BallsEleven


Surprised a maintainer can spell correctly....but guess it proves you can follow your TO since username is already spelled for you....


slacker130
Auburn Fan
Your mom
Member since Jul 2010
4349 posts

re: CAC Card authentication under RedHat 8
quote:

BallsEleven


You a T2 maintainer?


BabySam
LSU Fan
FL
Member since Oct 2010
727 posts

re: CAC Card authentication under RedHat 8
quote:

BallsEleven
-
quote:

You a T2 maintainer?


I'm trying to figure out if he's a pointy-head or damn crew chief....lol

I spent time on T2s


BallsEleven
LSU Fan
Member since Mar 2019
2365 posts

re: CAC Card authentication under RedHat 8
quote:

You a T2 maintainer?


quote:

damn crew chief


Yessir! I miss those big-nosed bastards.

Edit:

quote:

Surprised a maintainer can spell correctly


Hurts a little bit but I see where you're coming from
This post was edited on 9/24 at 11:38 am


slacker130
Auburn Fan
Your mom
Member since Jul 2010
4349 posts

re: CAC Card authentication under RedHat 8
quote:

Yessir! I miss those big-nosed bastards.


Well, I know you probably love 'em...I'm not a fan.


BallsEleven
LSU Fan
Member since Mar 2019
2365 posts

re: CAC Card authentication under RedHat 8
quote:

Well, I know you probably love 'em...I'm not a fan.


Definitely a love/hate relationship sometimes, especially when it came to pods, but I loved working on them.


slacker130
Auburn Fan
Your mom
Member since Jul 2010
4349 posts

re: CAC Card authentication under RedHat 8
I was hoping they'd be parked by now.


slutiger5
Southeastern LA Fan
Parroquias de Florida
Member since May 2007
9091 posts

re: CAC Card authentication under RedHat 8
Most authenticating issues I’ve experienced with smart cards involve needing an extra driver or middleware. What is the card make/model?
This post was edited on 9/28 at 2:57 am


PJinAtl
Auburn Fan
Atlanta
Member since Nov 2007
10757 posts

re: CAC Card authentication under RedHat 8
quote:

Most authenticating issues I’ve experienced with smart cards involve needing an extra driver or middleware. What is the card make/model?

To the best of my knowledge it is an HSPD-12 with Entrust PKI Shared Service Provider.

Would the driver/middleware be needed if the RHEL8 box isn't physically accepting the card?

Setup is any user with a computer with card reader and valid PIV card should be able to authenticate.

You go to www.site.org/smartcard. The site detects the card, asks you to select the cert and verify your PIN.

Once that is done, you are redirected to the Drupal login screen so that you can sign in to the editing suite of Drupal as an editor or admin.
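
The /smartcard flow described in this thread, as an added Apache 2.4 mod_ssl configuration sketch (not the poster's ssl.conf, which the thread never shows): variant A requests the client certificate only for the location, variant B requests it in the initial handshake so it also works over TLS 1.3. The `<Location>` placement of `SSLVerifyClient`, the server certificate paths and the `SSLVerifyDepth` value are assumptions.

```apache
# Constructed example. Only www.site.org, /smartcard and
# /etc/httpd/certs/Roots.cer come from the thread; the rest is assumed.
# A and B are alternatives, not two blocks for the same file.

# --- Variant A: certificate requested per location (assumed old layout) ---
# TLS 1.2 and earlier: mod_ssl renegotiates when the /smartcard request arrives.
# TLS 1.3: renegotiation no longer exists, so mod_ssl needs post-handshake
# authentication. A client that did not offer it is refused with HTTP 403,
# "Cannot perform Post-Handshake Authentication".
<VirtualHost *:443>
    ServerName www.site.org
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Placeholder server certificate and key paths
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile /etc/httpd/certs/Roots.cer
    <Location "/smartcard">
        SSLVerifyClient require
        SSLVerifyDepth 3
    </Location>
</VirtualHost>

# --- Variant B: certificate requested in the initial handshake ---
# No renegotiation or post-handshake authentication is needed, so the same
# location check works on TLS 1.2 and TLS 1.3.
<VirtualHost *:443>
    ServerName www.site.org
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile /etc/httpd/certs/Roots.cer
    # Ask every client for a certificate, but do not fail without one
    SSLVerifyClient optional
    SSLVerifyDepth 3
    <Location "/smartcard">
        # Enforce here: only requests that presented a verified certificate
        Require ssl-verify-client
    </Location>
</VirtualHost>
```

With variant B the browser may show its certificate prompt on any new connection to this virtual host, not only on /smartcard, which is why this layout is often given its own host name. `apachectl configtest` checks the syntax before a reload.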

