Guardium UI Login using a Smart card

Guardium Smart card support meets the United States government mandate that all vendors must support multi-factor authentication for user access. Smart card authentication is supported only for access to the web-based Guardium user interface (UI).

Before you begin

Details of the multi-factor authentication requirement are found in the Identification and Authentication (Organizational Users) (IA-2) section the Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53) document. NIST 800-53 is available through the NIST web site: https://www.nist.gov .

Government applications refer to Personal Identification and Verification Cards (PIV). Civilian applications refer to Common Access Cards (CAC). PIV and CAC cards have different certificate authorities, but the cards are otherwise the same.

Guardium Smart card support meets the HIGH confidence PIV assurance level described in the PIV Cardholder Authentication (6) section of the Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS Publication 201-2) document. FIPS 201-2 is available through this NIST web site: https://www.nist.gov .

Prerequisites

The device requires the following:

Access to the Guardium UI via a web browser that can access the Smart card certificate
A Smart card reader
A valid PIV/CAC card

About this task

This task describes how to correctly associate the information on a Smart card with a Guardium user.

Create Guardium users to associate with Smart cards. If you want to associate existing users with Smart cards, you do not need to create any new users. For more information about user creation and access management, see Access Management Overview.

Login to the Guardium UI as the admin user.
Navigate to Setup > Tools and Views > Portal.
Under the Authentication Configuration section, select the Smart Card option. If the Smart Card option is not present, verify that the Smart card patch is installed.
In the Regex Match Pattern field, provide a regular expression (regex) that matches user information on a Smart card.

Example

Create Users

The Guardium application provide various ways for users to be created. It doesn’t matter how your users are created, and once you configure your web to use the Smart card for authentication it only uses the Smart card credential to establish SSL/TLS communication (Guardium site uses https).

Here is an example how to manually create a user:

Login as Accessmgr on CM
Select AccessUser Browser.
Click Add.
Add Username Test Cardholder X
Add password twice
Enter first name and last name same as user
Click Add.

Now you will configure the mapping, so when a Smart card is present, the information on the Smart card will be correctly mapped to a user in the system.

Login as Admin from CM or standalone.
After you login, navigate to Setup > Tools and Views > Portal.

If you see a menu screen titled Authentication Configuration, then you have the Smart card support patch installed.

Now use a regular expression, in the Regex Match Pattern, to match the user information on the Smart card. Here is an example of a Regex Match Pattern:

CN ?= ?(.*?), ?OU ?= ?Test Agency, ?OU ?= ?Test Department, ?O ?= ?Test Government, ?C ?= ?US

This works with a Smart card with client certificate, the client certificate you selected to send to the webserver to establish HTTPS. On the Smart card you selected, this client certificate gives to the webserver when the server requests it, which is exactly what happens when this feature is enabled. An example of the client certificate has the details: Version, Serial number, Signature algorithm, Signature hash algorithm, Issuer, Valid from, Valid to, Subject.

In this example you can use one of the following patterns. They both will match the mapping. Pattern 1 is more exact. Pattern 2 depends on your purpose, you can write your own to match your needs. You need to work with someone who is familiar with the data on the Smart card to write efficient mapping patterns.

Pattern 1:

CN ?= ?(.*?), ?OU ?= ?Test Agency, ?OU ?= ?Test Department, ?O ?= ?Test Government, ?C ?= ?US

Pattern 2:

CN ?= ?(.*?)

Both of the examples will get the value for CN attribute in the certificate subject which you can see by examine the detail of the certificate from the browser. In this case it is Test Cardholder X. Configure this pattern correctly is probably the most important part to make sure the authentication on Smart card is successful.

Note that the regex validation tool currently available for other modules is not available for this purpose. (see Troubleshooting section, items 2 and 3).

Now save it. Note, you are not done yet and you need to enable it from CLI since part of the enablement can only be done after the server is shut down, during which there is no GUI.

Before you leave GUI for the CLI part, you need to upload the root CA certificate to the trust store.

Upload the root CA certificate to web server trust store

This part describes how you upload the root CA’s certificate into the trust store used by the GUI. Use the Import Certificate selection from the Guardium Portal and Authentication Configuration screens.

If you do not have the root certificate of the CA that signed the certificates on the Smart cards, you can export a root certificate from a CA-signed user certificate or a Smart card that contains one.

We assume you obtained the certification either by having it given to you by the customer or exporting it from a Smart card using certification management tools such as certMgr.exe or tools like open SSL.

The public root certificate of a trusted CA. This is the most common source of a root certificate in environments that already have a Smart card infrastructure and a standardized approach to Smart card distribution and authentication.

Select a certificate to use for Smart card authentication. The signing chain lists a series of signing authorities. The best certificate to select is usually the intermediate authority above the user certificate.

Enabling the feature from CLI (can only be done in CLI)

To check the status, use the CLI command,

show system websmartcard

To turn on this CLI command, use

store system websmartcard on

To turn off this CLI command, use

store system websmartcard off

When the feature is turned off, the GUI is automatically restarted with the system using local authentication. This is also useful when you first deploy the system and the regular expression you set is not quite right and you see errors.

Note: While the Smart card authentication is used to authenticate, the access control (for example, what module a user has access, what navigation the user has) is still done through the same way as without Smart card authentication.

After enabling the feature

Once the feature is enabled, you can only access the site with a valid Smart card (PIV, CAC etc.)

Now when you visit the GUI site, you’ll see an authentication prompt, asking you to choose a certificate.

The above details are for an administrator to set it up. As for end user, if it is set right, the user just needs to put the card in and the user will go straight to the site content.

For a user with a valid Smart card, when the user load the websites, the browser will prompt for a Smart card pin. This pin allows the client certificate on the card is access when requested.

After the pin is provided, the regular Guardium login page will display with the user field pre-filled with the login extracted from the Smart card. Note there is no password used here. The only thing you see in the user field is the extracted user place holder for mapping.

For example, if the certificate are valid and the root CA of the Smart card issuer for Test Cardholder X is loaded in Guardium web server (See section Upload the root CA’s certificate for how to do it), the user field will be pre-filled with Test Cardholder X and prompt you for the Smart card pin. This is to access the client certificate on the Smart card. The client certificate stays on the Smart card and you cannot export it into a file. You may see the prompt twice and just provide the pin.

What to do next

Troubleshooting or recovery scenarios

After the feature is enabled, when you load Guardium URL, you see an error page.

Diagnostic: Most likely, your configuration of the matching regular expression is not right or you don’t have a valid certificate on the card.

You created a matching Regex and it does not seem to be working. You remember that Guardium has a regex validation tool and used it thinking that if it works in the tool, it's a good Regex. Unfortunately, while the test is successful in that tool, the Regex pattern doesn't work for Smart Card Configuration.

Diagnostic: That tool is to find if an expression can be found inside a text paragraph. So it won't work in this case. This configuration is to extract a piece of text from the certificate text as displayed in the subject as shown in certificate details.

You didn’t get prompt from the browser to select a certificate at all.

Diagnostic: PC/laptop is able to install the card reader and the Smart card. A copy of the certificate in the Smart card gets copied to the certmgr in Windows OS. However, when accessing the site, browser (IE or Firefox or Chrome) does not read the certificate. In other words, all the three browsers are unable to read the certificate and there is no prompt to choose the certificate.

This has been noted on all browsers on some laptops we tested. If this is the case, it’s not only happening to Guardium site. Other sites that require Smart cards to operate will also experience this. This is rare.

Solution: Contact the department that manages your Smart card.