Forum Discussion
D_Miller_25373
Nov 10, 2011 - Nimbostratus
Government PIV Card Integration
As I understand the PIV card, it basically holds a PKI client certificate.
We need to alert the client browser to send the certificate if it has a PIV card client certificate available. ...
jwham20
Nov 30, 2011 - Nimbostratus
D,
Hmmm, this is an interesting topic; I love working with different auth mechanisms. So I think you've got it on the nose as to what's on the PIV; more details (than we could ever want to know) at:
http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf
section 3
section 3.1.3 - states that the card holds the cert and the private key for that certificate (with a PIN required)
So, with that said, it boils down to basic client authentication of a certificate, then we add the complication of having to add other data elements into headers.
Client auth:
Overview of client auth profile:
http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html?sr=17972137
Configuring an OCSP or CRLDP certificate checker:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_auth_profiles.html?sr=179721371192202
In a nutshell, you configure a client auth profile that has client authentication turned on.
Now, as for adding the data headers... that's an interesting one. How is the data you want to add presented in the packet? Is it a referencable field in the SSL handshake, or does it just come across as bytes in the payload?
If it's referencable, there is a chance that we could pull it with an easy iRule and insert a header into the stream (once inserted, it should persist, right?).
If it's not, then we might have to do a binary scan for the location and use that to pull the information for the headers.
Hope this made some sense and isn't completely confusing,
Josh
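The "pull it with an easy iRule and insert a header" idea from the reply above, written out as an added example. This is not code from the thread or from F5; it is an illustrative iRule that assumes a virtual server with a client-ssl profile whose client authentication is set to require (with the PIV issuing CA chain in its trusted CA bundle and, ideally, an OCSP or CRLDP checker configured as linked above). The header names (X-PIV-*) and the session timeout are hypothetical and should be whatever the backend application expects.

```tcl
# Added example (not from the original thread). Assumes a client-ssl profile
# with client authentication = require and the PIV issuing chain as trusted CAs.
# Header names X-PIV-* are hypothetical.

when CLIENTSSL_CLIENTCERT {
    # Fires once the client has presented (or failed to present) a certificate.
    # With "require" a missing cert already fails the handshake; the check keeps
    # the rule safe if the profile is ever relaxed to "request".
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
        return
    }

    # Non-zero means chain validation (and any configured OCSP/CRLDP check)
    # failed. Never forward identity headers for an unverified certificate.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client cert verification failed ([SSL::verify_result]) from [IP::client_addr]"
        reject
        return
    }

    # Pull the fields from the leaf certificate (index 0) once per handshake.
    set piv_subject [X509::subject [SSL::cert 0]]
    set piv_issuer  [X509::issuer [SSL::cert 0]]
    set piv_serial  [X509::serial_number [SSL::cert 0]]
    set piv_cert    [b64encode [SSL::cert 0]]

    # CLIENTSSL_CLIENTCERT does not fire again on a resumed SSL session, so a
    # new TCP connection reusing the session would have no variables. Stash the
    # values in the session table keyed by SSL session ID (timeout assumed: 1800 s).
    session add ssl [SSL::sessionid] [list $piv_subject $piv_issuer $piv_serial $piv_cert] 1800
}

when HTTP_REQUEST {
    # Strip any copies of these headers the client sent itself; otherwise a
    # client could forge an identity simply by adding the headers to its request.
    HTTP::header remove "X-PIV-Subject"
    HTTP::header remove "X-PIV-Issuer"
    HTTP::header remove "X-PIV-Serial"
    HTTP::header remove "X-PIV-Cert"

    # Look the values up by SSL session ID so resumed sessions get them too.
    set piv [session lookup ssl [SSL::sessionid]]
    if { $piv eq "" } {
        # Certificate never validated on this session: refuse rather than
        # passing an anonymous request to a backend that trusts the headers.
        HTTP::respond 403 content "Client certificate required"
        return
    }

    HTTP::header insert "X-PIV-Subject" [lindex $piv 0]
    HTTP::header insert "X-PIV-Issuer"  [lindex $piv 1]
    HTTP::header insert "X-PIV-Serial"  [lindex $piv 2]
    HTTP::header insert "X-PIV-Cert"    [lindex $piv 3]
}
```

Two points matter for security here. First, the backend must only accept these headers from the BIG-IP (e.g. the pool members are reachable only from it); the `HTTP::header remove` calls stop a client from injecting its own X-PIV-* values through the proxy, but they do nothing if the backend is reachable directly. Second, the subject DN and serial are forwarded as-is; if the application needs PIV-specific identifiers carried in the certificate's Subject Alternative Name (such as the UPN), it can decode the base64 certificate in X-PIV-Cert with its own X.509 library rather than relying on the iRule to parse extensions.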