Questions Sheet – August Schell | Red Hat | Carahsoft Webcast 8/2/07
Can we download this presentation slides? How?
- Nikki Nabi, Carahsoft: Today's presentation is being recorded. We will send you a link to this recording in an email following the presentation.
Does this mean its diacap/niacap compliant too?
- Michael Brown, August Schell: The DIACAP and NIACAP regime's you are speaking of are primarily for applications... The FIPS 140-2 regime being discussed here is specifically for security libraries running within applications. In a lot of cases if an application is using FIPS certified security libraries that assists greatly in the certification of the apps
Are the FIPS Validated libraries available publicly?
- Michael Brown, August Schell: The FIPS validated libraries are open source libraries called NSS, which are described and available at
Can we download and reference a local copy of the Certificate Revocation list as well as the LDAP subset?
- Michael Brown, August Schell: The repository hosting the CRLs is an LDAP server. They can be obtained via standard LDAP tools. The subset of data can be obtained via LDAP replication or by use of the standard tools.
Can this be used with Linux?
- Michael Brown, August Schell: Yes. The Red Hat Directory Server and Fortitude Web Server run on Linux. Fortitude is a security plug-in to the standard open source Apache web server
Does August Schell deal with PIV-II cards as well as CAC?
- Peter Romness, August Schell: Yes we do. The PIV-II works basically the same as the CAC card and, in fact, the CAC card will meet PIV standards in the future. A white paper on using the PIV for Single Sign-On is included in the resources from this webcast.
Can a single CAC card be assigned to users on multiple Windows domains (development, test, operations, etc.?)
- Michael Brown, August Schell: This is possible but is manually intensive. The user's Windows Domain Universal Principal Name (UPN) embedded on the PKI credential will need to be provisioned on each Windows domain on which you want to use the CAC
Can the CAC card be used to log in directly to a Red Hat Linux workstation?
- Michael Brown, August Schell: Yes they can with Red Hat Enterprise Linux (RHEL 5). The client workstation functionality supported by Red Hat is described here -
Is support from August Schell currently existing through a long-standing contract and freely available, or would support require a project-specific contract?
- Bill Schell, August Schell: August Schell has a GSA Schedule and is a subcontractor on several other contracts. Please contact us to talk about specifics.
Can the CAC "heavy lifting" be applied outside DOD?
- Michael Brown, August Schell: If you are referring to using the CAC with federated partners, the CAC is being evolved to the FIPS 201 PIV standard to facilitate information exchange outside DOD
- Peter Romness, August Schell: HSPD-12 has mandated that all Civilian Agencies perform the “heavy lifting” done by the CAC and DoD PKI in the form of the PIV-II Card. Agencies are in various stages of implementing these requirements. August Schell played a large role in developing the DoD PKI and can help Civilian Agencies as well.
How does data get entered into the main LDAP server? That is, what is the administrative interface available to my organization?
- Michael Brown: The data can be entered via LDAP replication from a supplier LDAP server, via standard LDAP tools such as ldapsearch and ldapadd, or via the Directory Server Gateway that comes standard with the Red Hat Directory Server
The mention of a "Directory Server Gateway" seemed to be getting close to answering my question about admin input to the directory. We also use the Argonne LDAP browser as a useful tool, but at present we have our own web based interface that inputs data to an Oracle DB that is fed into our LDAP server.
- Michael Brown, August Schell: Indeed there are many LDAP Admin tools out there... SoftTerra also makes an LDAP Browser that is easy to use
Can the directory server perform CRL caching to increase uptime for a Microsoft AD enterprise network?
- Michael Brown: The CRLs from the DoD Certificate Authorities can be obtained in either binary or text formats. These CRLs can be loaded and reside in memory using standard programming libraries. The Directory Server typically stores the CRLs in binary form so that applications can access them efficiently.
How can we integrate SSO / CAC card login with web based applications?
- Michael Brown, August Schell: The web based application needs to be able to understand how to read x509v3 certificates. There are standard java libraries, for instance, to read these certificates and can be integrated into already existing applications
What is the URL for the API and SDK? Are they found on the August Schell website?
- Michael Brown, August Schell: The draft of the CAC API is found here at the DMDC web site
- ActivIdentity, the CAC integrator, has developed an SDK found here -
I am in the military the CAC infrastructure is in place. How can I get my applications to CAC?
- Bill Schell, August Schell: This presentation gives an overview of how to cac-enable applicatons. Feel free to call us if you need further support.
Does system admin can track down where a person is located through CAC?
- Bill Schell, August Schell: The certificates on the CAC contain information identifying the organization to which the individual belongs. The use of the CAC verifies the identity of the user – other tools would be needed to provide any further information on the actual location of the user.
Do we need all three packages for SSO to work (RH Cert System, RH Directory Server and RH Enterprise Server)?
- Michael Brown, August Schell: No you do not. The building blocks for SSO are described in the webinar, and are unrelated to specific applications. The Red Hat products provide a level of assurance above many other vendor products based upon the NIST certifications that have been performed on the products
The next three questions are answered together:
Are there online documents that discuss how to implement SSO on a RHEL ES 4 system (given a Win 2003 Domain)?
We get this question a lot a DISA "I was hoping you were going to cover the client side for a linux machine, not running IE."
I was hoping you were going to cover the client side for a linux machine, not running IE.
- Michael Brown: The functionality that enables smart card based SSO is new in RHEL 5, and is discussed in further detail in the following online doc -
What version of Linux is required on the client side? RHEL5?
- Michael Brown: Yes, if you wish to implement the client side on Red Hat Linux, RHEL 5 is required.
(Michael Brown - The next two questions are answered together)
How easy is this to implement for administrative accounts using ssh, such as oracle dba accounts?
Can PKI-enabled SSO be used for remote logins to servers, e.g. logging in via SSH?
- Michael Brown: If the SSH software being used supports use of x509v3 certificates then yes, to can be used for these purposes. The ease of implementation will depend on the specific SSH software and the environment in which it is being used.
Are you aware of a DoD CAC access solution to routers and switches through ssh?
- Michael Brown: No, I am not aware of a specific SSO solution for routers and switches through ssh
Does the CAC or PIV-II implementation support authentication and authorization of privileged users?
- Michael Brown: The CAC or PIV itself does not perform authentication and authorization. The information embedded in the PKI credentials on the CAC or PIV can be used by applications to make authentication and authorization decisions.
What progress has been made, if any, with the DOD HPC (high performance computing) community which uses Kerberos/SecurID currently?
- Michael Brown: RHEL 5 currently supports authentication via Kerberos name/password. It’s not known how the inclusion of a SecurID Radius server impacts the Kerberos authentication on RHEL 5.
If network connectivity is lost on a workstation, are local machine resources still available using the CAC to log in?
- Michael Brown: I’m assuming you are not referring to smart card logon to a domain, but rather to machine logon. If that is the case the answer is yes.
Has anybody considered supporting a "false pin" that could be used in a case like a soldier being captured? A pin that appears to function but is a signal that the card has been compromised?
- Michael Brown: Unknown, but if there were I’m guessing it could not be discussed in an unclassified forum.