Forum Discussion

D_Miller_25373's avatar
Icon for Nimbostratus rankNimbostratus
Nov 10, 2011

Government PIV Card Integration

As I understand the PIV card, it basically holds a PKI Client Certificate.



We need to alert the client browser to, if it has a PIV card client certificate available, send the certificate.



We need to (either on the LTM or within the web application) process the certificate:


- make sure it is current


- make sure it is not revoked


- make sure it is valid (i.e. signed by the appropriate CA).



Then insert either the certificate signature and/or other data elements within the certificate into the HTML header so that the web application can use it to locate the user within the application identity database.



Anyone work with PIV cards? Does this approach sound valid? Any existing iRules available to accomplish all of this?


2 Replies

  • D,



    Hmmm, this is an interesting topic, love working with different auth mechanisms. So I think you've got it on the nose as to what's on the PIV, more details (than we could ever want to know) at:




    section 3



    section 3.1.3 - States that the card holds the Cert and the private key for that certificate (with a pin required)



    So, with that said, it boils down to basic client authentication of a certificate, then we add the complication of having to add other data elements into headers.



    Client auth:



    Overview of client auth prof:




    Configuring an OCSP or CRLDP certificate checker:




    In a nutshell, you configure a client auth profile that has client authentication turned on.



    Now, as for adding the data headers.. that's an interesting one.. How is the data you want to add presented in the packet? Is it a referencable field in the SSL handshake.. or does it just come across as bytes in the payload?



    If it's referencable, there is a chance that we could pull it with an easy irule and insert a header to the stream (once inserted, it should persist right?)



    If it's not, then might have to do a binary scan for the location and use that to pull the information for the headers.



    Hope this made some sense and isn't completely confusing,



  • D,



    Aha! Knew there had to be more options:



    Using the X509 command in the Irule, we can interrogate the client cert and push forward the data in a header





    And it looks like someone has also built an extensive Irule doing a binary scan:




    Hope this helps a bit!