The Ghost of Snapped Shot

Or, welcome to my low-maintenance heck.

An Endless Pile of Technical Cruft

My apologies for the relative quiet around here these past few days. I've been tied up at the office putting together an end-to-end demonstration on using Oracle Application Server (eBusiness Suite 11i, actually) with DOD's PKI authentication (which they so lovingly call "CAC cards") for the past week. I'm scheduled to be done on Friday, but we'll see how well that actually works.

If you're a technical weenie, and you ever have the need to do this, the magic for passing a client certificate from an F5 Big-IP load balancer to an Oracle Single Sign-On server, with traffic to the backend server being sent as unencrypted HTTP, follows the break. I never would've figured this out if it weren't for F5's excellent DevCentral: see these threads for background, and this one (the second iRule down) for a good pointer on how to ensure that no unsecured traffic ever reaches your backend servers. That means you have 100% accountability for the people visiting your DOD website, since every one of them will have been authorized by a valid, verified PKI certificate.

I haven't had a chance to get OCSP shaken out and tested yet, since our unit isn't licensed to do it--but it is definitely on the ol' to-do list. I'm also running into problems loading a certificate revocation list (CRL) into our unit (since that's the only reliable way I can think of to test certificate validation without OCSP), but hope to have that resolved shortly.

when CLIENTSSL_CLIENTCERT {
    # Cache the client certificate under the SSL session id, so that later
    # HTTP requests on the same (or a resumed) session can still find it.
    set cur [SSL::sessionid]
    set ask [session lookup ssl $cur]
    if { $ask eq "" } {
        session add ssl [SSL::sessionid] [SSL::cert 0]
    }
}

when HTTP_REQUEST {
    # The backend only ever sees plain HTTP; tell it the client used HTTPS.
    HTTP::header replace HTTPS on

    set id [SSL::sessionid]
    set the_cert [session lookup ssl $id]

    if { $the_cert != "" } {
        # Hand the certificate to the backend as a single header: strip the
        # PEM armor lines, then join the remaining base64 lines with "" so
        # the value contains no line breaks.
        HTTP::header insert SSL-Client-Cert [join [string trim [string map {
            "-----BEGIN CERTIFICATE-----" ""
            "-----END CERTIFICATE-----" "" } [X509::whole $the_cert]]] ""]
    } else {
        # No certificate on this session: answer here, so the request never
        # reaches the backend.
        HTTP::respond 200 content "<html><body>
<h1>Access Denied</h1>
Access to this resource is denied without a valid
DOD Common Access Card. If you do not have one,
please visit the <a href=\"\">Common
Access</a> website for information on obtaining a CAC
card. Otherwise, please insert your CAC card into your
reader, close this window, and try accessing this website
</body></html>"
    }
}
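The other half of the hand-off is what the backend does with the SSL-Client-Cert header. The following is an added example, not code from the original post or from F5 or Oracle: pem_to_header_value() mirrors what the iRule's string map / join does to the X509::whole output, and the remaining functions show how an application server can turn that header back into a certificate, rejecting anything that is not base64 of a DER SEQUENCE and ignoring the header entirely unless the connection came from the load balancer that set it. The DER bytes, the function names and the peer_is_load_balancer flag are all my own constructions.

```python
"""Added example (not the post's or any vendor's code): the backend side of
the SSL-Client-Cert hand-off. All names here are assumptions; the DER bytes
are constructed, not a real X.509 certificate."""
import base64
import binascii
import textwrap
from typing import Dict, Optional

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in for the DER the load balancer would hold: a DER
# SEQUENCE (tag 0x30, length 6) holding two INTEGERs. Not an X.509 cert.
FAKE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x02, 0x02, 0x01, 0x03])


def der_to_pem(der: bytes) -> str:
    """Standard PEM framing: base64 body wrapped at 64 columns."""
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


FAKE_PEM = der_to_pem(FAKE_DER)


def pem_to_header_value(pem: str) -> str:
    """What the iRule does: drop the armor lines, then join the remaining
    whitespace-separated pieces with "" so the value has no line breaks."""
    body = pem.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    return "".join(body.split())


def _der_sequence_spans_buffer(der: bytes) -> bool:
    """Cheap sanity check before handing bytes to an X.509 parser: the outer
    tag must be SEQUENCE and its length must account for every byte."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + length == len(der)


def header_value_to_der(value: str) -> bytes:
    """Inverse of pem_to_header_value(). Raises ValueError for anything that
    is not base64 of a DER SEQUENCE, so callers can treat it as 'no cert'."""
    compact = "".join(value.split())      # tolerate folded header whitespace
    if not compact:
        raise ValueError("SSL-Client-Cert is empty")
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError("SSL-Client-Cert is not valid base64") from exc
    if not _der_sequence_spans_buffer(der):
        raise ValueError("SSL-Client-Cert is not a DER SEQUENCE")
    return der


def header_value_is_well_formed(value: str) -> bool:
    """Boolean wrapper around header_value_to_der() for quick checks."""
    try:
        header_value_to_der(value)
        return True
    except ValueError:
        return False


def header_value_to_pem(value: str) -> str:
    """Rebuild the PEM that most certificate libraries expect as input."""
    return der_to_pem(header_value_to_der(value))


def client_cert_from_request(headers: Dict[str, str],
                             peer_is_load_balancer: bool) -> Optional[bytes]:
    """Backend policy: the header only means something when the connection
    came from the load balancer that set it (a direct client could write its
    own SSL-Client-Cert header), and a missing or malformed value is treated
    as 'no certificate'. peer_is_load_balancer is an assumed input, e.g.
    derived from the source address of the backend connection."""
    if not peer_is_load_balancer:
        return None
    lowered = {name.lower(): val for name, val in headers.items()}
    value = lowered.get("ssl-client-cert")
    if value is None:
        return None
    try:
        return header_value_to_der(value)
    except ValueError:
        return None


if __name__ == "__main__":
    hv = pem_to_header_value(FAKE_PEM)
    print("header value:", hv)
    print(header_value_to_pem(hv), end="")
```

The length check in _der_sequence_spans_buffer is deliberately minimal: it only confirms the outer framing before a real X.509 parser (and the CRL or OCSP check the post mentions) does the actual validation of the certificate.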

Previously: For information on how to make Oracle Application Server read this information, check out my previous pile of technical cruft.

