Government PIV Card Integration

Question

As I understand the PIV card, it basically holds a PKI Client Certificate.  &nbsp;
&nbsp;We need to alert the client browser to, if it has a PIV card client certificate available, send the certificate.  &nbsp;
&nbsp;We need to (either on the LTM or within the web application) process the certificate:
&nbsp; - make sure it is current
&nbsp; - make sure it is not revoked
&nbsp; - make sure it is valid (i.e. signed by the appropriate CA).&nbsp;
&nbsp;Then insert either the certificate signature and/or other data elements within the certificate into the HTML header so that the web application can use it to locate the user within the application identity database.&nbsp;
&nbsp;Anyone work with PIV cards?  Does this approach sound valid?  Any existing iRules available to accomplish all of this?&nbsp;

jwham20 · Answer

D, 
&nbsp;  
&nbsp; Hmmm, this is an interesting topic, love working with different auth mechanisms.  So I think you've got it on the nose as to what's on the PIV, more details (than we could ever want to know) at: 
&nbsp;  
&nbsp; http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf   
&nbsp; section 3 
&nbsp;  
&nbsp; section 3.1.3 - States that the card holds the Cert and the private key for that certificate (with a pin required)  
&nbsp;  
&nbsp; So, with that said, it boils down to basic client authentication of a certificate, then we add the complication of having to add other data elements into headers.  
&nbsp;  
&nbsp; Client auth: 
&nbsp;  
&nbsp; Overview of client auth prof: 
&nbsp; http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html?sr=17972137 
&nbsp;  
&nbsp; Configuring an OCSP or CRLDP  certificate checker: 
&nbsp; http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_auth_profiles.html?sr=179721371192202 
&nbsp;  
&nbsp; In a nutshell, you configure a client auth profile that has client authentication turned on.  
&nbsp;  
&nbsp; Now, as for adding the data headers.. that's an interesting one..  How is the data you want to add presented in the packet?  Is it a referencable field in the SSL handshake.. or does it just come across as bytes in the payload? 
&nbsp;  
&nbsp; If it's referencable, there is a chance that we could pull it with an easy irule and insert a header to the stream (once inserted, it should persist right?) 
&nbsp;  
&nbsp; If it's not, then might have to do a binary scan for the location and use that to pull the information for the headers. 
&nbsp;  
&nbsp; Hope this made some sense and isn't completely confusing, 
&nbsp;  
&nbsp; Josh,

jwham20 · Answer

D, 
&nbsp;  
&nbsp; Aha!  Knew there had to be more options:  
&nbsp;  
&nbsp; Using the X509 command in the Irule, we can interrogate the client cert and push forward the data in a header 
&nbsp;  
&nbsp; http://devcentral.f5.com/wiki/iRules.X509.ashx 
&nbsp;  
&nbsp; And it looks like someone has also built an extensive Irule doing a binary scan: 
&nbsp; http://devcentral.f5.com/wiki/iRules.Extended_X509_Certificate_Parsing.ashx 
&nbsp;  
&nbsp; Hope this helps a bit! 
&nbsp;  
&nbsp; Josh

Forum Discussion

Government PIV Card Integration

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Governance and Automation - Distributed Apps for Hybrid Cloud Architecture

Automate NetApp ONTAP Storage Management with Private and Secure API Governance

OWASP Automated Threats - OAT-001 Carding

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

Making Mobile SDK Integration Ridiculously Easy with F5 XC Mobile SDK Integrator

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS