Forum Discussion
D_Miller_25373
Nimbostratus
NimbostratusGovernment PIV Card Integration
As I understand the PIV card, it basically holds a PKI Client Certificate.
We need to alert the client browser to, if it has a PIV card client certificate available, send the certificate. ...
jwham20Nimbostratus
NimbostratusD,
Hmmm, this is an interesting topic, love working with different auth mechanisms. So I think you've got it on the nose as to what's on the PIV, more details (than we could ever want to know) at:
http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART1_piv-card-applic-namespace-date-model-rep.pdf
section 3
section 3.1.3 - States that the card holds the Cert and the private key for that certificate (with a pin required)
So, with that said, it boils down to basic client authentication of a certificate, then we add the complication of having to add other data elements into headers.
Client auth:
Overview of client auth prof:
http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html?sr=17972137
Configuring an OCSP or CRLDP certificate checker:
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_auth_profiles.html?sr=179721371192202
In a nutshell, you configure a client auth profile that has client authentication turned on.
Now, as for adding the data headers.. that's an interesting one.. How is the data you want to add presented in the packet? Is it a referencable field in the SSL handshake.. or does it just come across as bytes in the payload?
If it's referencable, there is a chance that we could pull it with an easy irule and insert a header to the stream (once inserted, it should persist right?)
If it's not, then might have to do a binary scan for the location and use that to pull the information for the headers.
Hope this made some sense and isn't completely confusing,
Josh,
