
This document describes the process of enabling PKI for a user. Asset Manager can authenticate and authorize a PKI user in two ways:

  1. User Authentication through Card Reader: This allows users to bypass the login screen. The user presents a certificate from an external card reader to authenticate to the browser.
  2. User Authentication through Workstation Certificate: This allows users to bypass the login screen. The user presents a certificate saved locally on the workstation to authenticate to the browser.

Before you Begin

  1. Verify the access card is operational and working.
  2. Verify that putty, winscp, puttygen or similar tools are installed on your machine.
  3. Discuss with your Network Admin how to access your company's CA public chain certificate.
  4. Example of how to install the CA public certificate onto your workstation via your browser:
    1. In IE, navigate to Internet Options > Content > Certificates.
    2. Navigate to Trusted Root CA and select Import to open the import tool and install the certificate.
    3. Note that this opens the Windows import tool, which installs the certificate on your PC rather than in the browser. Therefore, installing the CA public certificate does not need to be done for each browser.


User Authentication through Card Reader

  1. Certificate files you will need for User Authorization:
    1. Below are the files you will need to obtain to configure USER WEBUI authorization.  Request the certificates in .pem format.  
      1. CA Public Certificate Chain
      2. Card User Public certificate
  2. How to obtain needed certificate files:
    1. CA Public Certificate: This is your Certificate Authority public certificate. Please request this file from your Network Administrator in .pem format.
    2. Card User Public Certificate: The card user public certificate can be extracted using IE. Lockdown provisions may prevent the use of IE to extract this certificate. Please discuss with your Network Admin how to extract the card user public certificate.
    3. In Internet Options, open the Content tab and click Certificates.
      1. Select the certificate that does not have 'EMAIL' in the Issued By column.
      2. Select Export.
      3. Choose "No, do not export the private key".
      4. Choose "Base-64 encoded X.509 (.cer)".
      5. Save the file to a location on the local PC, e.g. CAC-user-public.
      6. Click Finish.
  3. Installing the CA and User Certificates
    1. Install the CA Public Certificate via GUI. You can use the GUI or CLI to install the CA Public Certificate. This section details how to use the GUI for the installation.
      1. In Asset Manager, navigate to Settings > Asset Manager Systems.
      2. Select the command center in the Available Systems panel, and then click PKI in the System Information panel.
      3. Select Certificate Authority from the Certificate Type list, verify the Install radio button is selected, and install your CA-Public-Cert-pem file.
      4. A notification will pop up stating that the certificate has been installed and httpd will be restarted. Refresh your web browser to log back in.


    2. Install the CA Public Certificate via CLI. You can use the GUI or CLI to install the CA Public Certificate. This section details how to use the CLI for the installation.
      1. Verify the name and file location of the CA public certificate on the Lumeta System.
      2. At the CLI type the below command to install the CA public certificate:
        certificate CA install /pathto/certificate/filename
    3. Install the User Certificate via GUI. You can use the GUI or CLI to install the User Certificate. This section details how to use the GUI for the installation.
      1. In Asset Manager, navigate to Settings > Users.
      2. Select the user you wish to install a certificate for, and then click Manage PKI.
      3. Under User ID, select the user, select User Certificate for Certificate Type, and verify the Install radio button is selected.
      4. Upload the User Public Certificate and click Submit.
    4. Install the User Certificate via CLI. You can use the GUI or CLI to install the User Certificate. This section details how to use the CLI for the installation.
      1. Verify the name and file location of the User public certificate in Asset Manager.
      2. At the CLI type the below command to install the User public certificate:
        certificate user install /pathto/certificate/filename <user name>
  4. Enable PKI
    1. Enable PKI through GUI
      1. Select Settings > Asset Manager Systems > Available Systems panel and select the Command Center.
      2. In the System Information panel, click PKI.
      3. Switch the Require user certificates key to enabled, and confirm the action by clicking Enable PKI.
    2. Enable PKI through CLI
      1. At the CLI type: certificate pki enable
      2. Note: if there are any issues with the certificate installation, the GUI will be inaccessible. The following CLI command will disable PKI: certificate pki disable
  5. Log In Using Common Access Card
    1. The login page with Username and Password fields is replaced with a Select a Certificate prompt. Select the certificate associated with the user account and provide the associated PIN to log in.

User Authentication through UI



  1. Certificate files you will need for User Authorization
    1. Below are the files you will need to obtain to configure USER WEBUI authorization. In parentheses is the common format these files are in; your network admin may distribute the files in a different format.
      1. User Public key (.crt)
      2. User Private key (.p12)
      3. CA Certificate Chain (.pem)
  2. Obtain User certificate files

    1. The User Public Key, User Private Key, and CA Certificate Chain are distributed by your network admin. Please verify with them the format of the Certificate files. Also confirm the CA Certificate Contains the full CA Chain.

  3. Convert User Certificate Files into the Correct Format
    1. Your Network Admin may have distributed the CA Chain in pkcs7 format. These files need to be PEM formatted.
    2. This openssl command will convert pkcs7 files to .pem:
      openssl pkcs7 -print_certs -in "Original cert in pkcs7 format".cer -out "New cert in PEM format".pem

  4. Install User Private Keys onto the workstation
    1. Discuss with your network admin the correct way to install your private key. Below is an example of how to install it in the Chrome browser.
      1. In your Chrome browser go to Settings > Advanced > Manage Certificates.
      2. Import your private key in p12 format (you will need to select All Files in the drop-down box to see the .p12 file).
      3. Enter your password.
      4. Select 'Place all certificates in the following store' (Certificate Store: Personal).
  5. Installing the CA Certificate on the Command Center
    1. Before beginning the certificate installation, verify the admin user has superuser access. At the CLI type: user superuser "user name" true
    2. Install the CA Public Certificate via GUI.
      1. Download the PEM-encoded CA Public Certificate to the workstation from which you'll be accessing Lumeta.
      2. In your Lumeta UI navigate to Settings/Lumeta Systems. Highlight the Command Center and click Manage PKI.
      3. Select Certificate Authority from the drop-down box, verify the Install radio button is selected, and install your "CA-Public-Cert-pem".pem file.
      4. A notification will pop up stating that the certificate has been installed and HTTPS will be restarted. Refresh your web browser to log back in.
    3. This section details how to install the CA Public Certificate via CLI:
      1. Verify the name and file location of the CA public certificate on the Lumeta System.
      2. At the CLI type the command to install the CA public certificate: certificate CA install /pathto/certificate/filename

  6. Install the User Public Key on the Command Center
    1. Install the User Public Key via GUI.
      1. In Asset Manager, navigate to Settings > Users.
      2. Select the user you wish to install a certificate for, and click Manage PKI.
      3. Select your user, select User Certificate for Certificate Type, and verify the Install radio button is selected.
      4. Upload the User Public key and click Submit.
    2. Install the User Public Key via CLI.
      1. Verify the name and file location of the User public key in Asset Manager.
      2. At the CLI type the below command to install the User public key: certificate user install /pathto/certificate/filename <user name>

  7. Enable PKI
    1. Enable PKI through GUI
      1. Select Settings > Asset Manager Systems > Available Systems panel and select the Command Center.
      2. In the System Information panel, click PKI.
      3. Switch Require user certificate to enabled, and confirm the action by clicking Enable PKI.
    2. Enable PKI through CLI
      1. At the CLI type: authentication pki enable
        Note: If there are any issues with the certificate installation, the GUI will be inaccessible. The following CLI command will disable PKI: authentication pki disable

  8. Log In Using Browser Certificate
    1. The login page with Username and Password fields is replaced with a Select a Certificate prompt. Select the certificate associated with the user account and provide the associated PIN to log in.

APPENDIX A: Verifying Certificates


  1. Verify the subject line of the CA-public.pem file matches the issuer line of the public-user.cer file using these openssl commands:
    openssl x509 -in public-user.cer -noout -subject -issuer
    openssl x509 -in CA-chain.pem -noout -subject -issuer
  2. You can rename the "public-user.cer" file to "public-user.txt" to view the certificate in Notepad. The certificate can then be compared with the copy of "public-user".cer stored in the database by running this db command:
    select * from system.user_certificate;
  3. The CA certificate can be verified in the /etc/pki/lumeta folder, which contains a file named 'httpd_ca.crt'. Its timestamp should match the time the CA cert was uploaded. You can cat the file or run the below command to check it:
    openssl x509 -in CA-chain.pem -noout -subject -issuer
  4. View the issuers in the pkcs12 private/public bundle. The private key password is needed.
    openssl pkcs12 -in hostname.site.ds.army.mil.pfx -nokeys | grep subject
  5. openssl command to check whether a certificate is in PEM format:
    openssl x509 -in cert.pem -text -noout
    If you get the following error, you are trying to view a non-PEM certificate:
    unable to load certificate
    12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
  6. Convert User Certificate Files in the Correct Format
    1. Convert CA Public Certificate from pkcs7 to .pem if necessary. You Network Admin may have distributed the CA Public Certificate in pkcs7 format. The below openssl command will convert the file to .pem:
      openssl pkcs7 -print_certs -in "CA-Public-Cert".cer -out "CA-Public-Cert-pem".pem
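The following POSIX shell script is an added example and is not part of this document or of Lumeta's tooling. It builds constructed test material (a throwaway CA and a user certificate signed by it) in a temporary directory and then runs the Appendix A checks as reusable functions: the PEM format test from item 5, the subject/issuer comparison from item 1 backed by an `openssl verify` chain check, and the PKCS#12 subject listing from item 4, with the bundle built using the quoted-passphrase approach from Appendix B item 2. The file names, the `jdoe` user and the passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not Lumeta's own tooling. Builds constructed test material
# (a throwaway CA and a user certificate it signs) in a temp dir, then runs
# the Appendix A checks as reusable functions. Names are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS='exp@ss!!!word'   # sample passphrase; single quotes stop the shell from touching ! and @

# Constructed test certificates: CA-chain.pem (self-signed CA) and
# public-user.cer (user cert issued by that CA).
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Corp/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/CA-chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=jdoe" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/CA-chain.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/public-user.cer" 2>/dev/null
  # A DER copy of the CA cert, to show what a non-PEM file looks like to the checks.
  openssl x509 -in "$WORK/CA-chain.pem" -outform DER -out "$WORK/ca.der"
}

# Appendix A item 5: openssl reads PEM by default, so a file that parses this
# way is PEM; DER or other encodings fail with "no start line".
cert_is_pem() {
  openssl x509 -in "$1" -noout 2>/dev/null
}

# Appendix A item 1: the user cert's issuer must equal the CA's subject.
# -nameopt RFC2253 prints both names in one canonical form before comparing.
issuer_matches_ca() {
  user_issuer="$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')"
  ca_subject="$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')"
  [ "$user_issuer" = "$ca_subject" ]
}

# A matching name only shows the cert claims that issuer; this proves the
# signature actually chains to the CA file.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Appendix A item 4 with Appendix B item 2: build a PKCS#12 bundle using
# -passout so the prompt is skipped, then count the subjects it contains.
make_pfx() {
  openssl pkcs12 -export -in "$WORK/public-user.cer" -inkey "$WORK/user.key" \
    -certfile "$WORK/CA-chain.pem" -name jdoe -out "$WORK/user.pfx" \
    -passout "pass:$PASS"
}
pfx_subject_count() {
  openssl pkcs12 -in "$WORK/user.pfx" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c '^subject='
}

make_test_certs
make_pfx
if cert_is_pem "$WORK/ca.der"; then echo "ca.der: PEM"; else echo "ca.der: not PEM (DER)"; fi
if issuer_matches_ca "$WORK/public-user.cer" "$WORK/CA-chain.pem"; then
  echo "issuer/subject match"; else echo "issuer/subject MISMATCH"; fi
if chain_verifies "$WORK/public-user.cer" "$WORK/CA-chain.pem"; then
  echo "chain verifies"; else echo "chain does NOT verify"; fi
echo "subjects in user.pfx: $(pfx_subject_count)"
```

The string comparison in `issuer_matches_ca` is the check the appendix describes; `chain_verifies` is the stronger check to run alongside it, since a certificate can name any issuer it likes but only a valid signature proves the CA file actually issued it. The bundle contains the user certificate plus the CA certificate, so the subject listing shows two entries.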


APPENDIX B: Common Errors 


  1. When generating the pkcs12 bundle for Server Authorization you may see an error. Possible causes:
    1. The .key or .cer file contains stray spaces or line returns. Please review both files.
    2. The CA .cer file is in the wrong format. Please confirm the .cer file is in PEM format.
  2. Passphrases with special characters.
    1. Special characters like exclamation points may cause problems, since the shell can misinterpret them. A workaround is to pass the passphrases directly to the openssl command with -passin and -passout, quoted so the shell leaves them alone. This also bypasses the passphrase prompt.
      openssl pkcs12 -export -in CC-CA-public.cer -inkey private.key -out cc-server.pfx -name CNAME -passin 'pass:exp@ss!!!word' -passout 'pass:exp@ss!!!word'
  3. Pkcs7 to PEM conversion fails with the below error
    1. This can occur if the file is DER encoded rather than PEM encoded. Use the following openssl command to perform the file conversion:
      openssl pkcs7 -in cert.p7b -inform DER -print_certs -out cert.pem
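As an added example that is not part of this document or of Lumeta's tooling, the POSIX shell script below combines the conversion step from the main procedure (Convert User Certificate Files) with the DER fallback from Appendix B item 3: it tries the default PEM read first and retries with -inform DER only when that fails, then checks the output the way Appendix A item 5 does. The test files are constructed locally; the file names are assumptions.

```shell
#!/bin/sh
# Added example, not Lumeta's own tooling. Converts a PKCS#7 bundle to PEM
# whichever encoding it arrived in, using constructed test files.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: one self-signed cert wrapped as PKCS#7 twice, once
# PEM-encoded (the common .p7b/.cer hand-off) and once DER-encoded.
make_test_p7b() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -out "$WORK/pem.p7b"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -outform DER -out "$WORK/der.p7b"
}

# Appendix B item 3: openssl assumes PEM input, so a DER-encoded file fails with
# "no start line"; retry with -inform DER before reporting the file unreadable.
# Prints which encoding worked; returns 1 and leaves no output file if neither parses.
pkcs7_to_pem() {
  if openssl pkcs7 -print_certs -in "$1" -out "$2" 2>/dev/null; then
    echo "PEM"
  elif openssl pkcs7 -print_certs -inform DER -in "$1" -out "$2" 2>/dev/null; then
    echo "DER"
  else
    rm -f "$2"
    echo "cannot read $1 as PKCS#7 in PEM or DER" >&2
    return 1
  fi
}

# Appendix A item 5 applied to the result: the output should hold one PEM
# certificate block per certificate in the bundle.
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

make_test_p7b
for f in pem.p7b der.p7b; do
  enc="$(pkcs7_to_pem "$WORK/$f" "$WORK/$f.pem")"
  echo "$f: input was $enc, output has $(pem_cert_count "$WORK/$f.pem") certificate(s)"
done
```

Running it prints one line per test bundle showing which encoding was detected and how many certificates ended up in the PEM output; a file that is neither PEM nor DER PKCS#7 (a private key, say) is rejected rather than silently producing an empty .pem.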


APPENDIX C: Log Debugging 

  1. In the CLI type the below commands to turn on debug logging for the classes that handle certificate login:

log level set DEBUG API com.lumeta.api.impl.SessionServiceImpl
log level set DEBUG API com.lumeta.api.dao.UserDaoImpl

  2. View Lumeta-webapp.out for "Looking for DN" and match the DN column against the output of the database command select * from system.user_certificate.

