
I have a requirement to support two-factor authentication using client certificates on CAC and PIV cards. I am having a little trouble getting a clear understanding of how to configure certificate checking on our Shibboleth system. Our system uses:

  • RHEL 7 with SELinux enabled
  • Apache Tomcat 8.5.16
  • Java 1.8
  • Shibboleth IDP 3.3.1
  • DoD CAC and Federal PIV card based client certificates

I have configured the Tomcat server.xml as follows:

<Connector defaultSSLHostConfigName="domain.gov" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig hostName="domain.gov" sessionTimeout="3600" protocols="+TLSv1.2+TLSv1.1" honorCipherOrder="true" truststoreFile="/app/keystores/certs.jks" truststorePassword="changeThis!" certificateVerification="optional" >
        <Certificate certificateKeyAlias="tomcat_gov" certificateKeystoreFile="/app/keystores/certs.jks" certificateKeystorePassword="changeThis!" />
    </SSLHostConfig>
    <SSLHostConfig hostName="domain.mil" sessionTimeout="3600" protocols="+TLSv1.2+TLSv1.1" honorCipherOrder="true" truststoreFile="/app/keystores/certs.jks" truststorePassword="changeThis!" certificateVerification="required" certificateRevocationList="http://ocsp.disa.mil/" >
        <Certificate certificateKeyAlias="tomcat_mil" certificateKeystoreFile="/app/keystores/certs.jks" certificateKeystorePassword="changeThis!" />
    </SSLHostConfig>
</Connector>

The problem is that the configuration above causes the users with PIV cards to be unable to log in to the system. In addition, there seems to be some discrepancy in the documentation as to what the attribute for the CRL is actually named. I have seen that using certificateRevocationList fails if using a local CRL file, but certificateRevocationListFile works.

Thanks in advance!

  • Did you find any solution for this issue? And do you have any idea how to configure Tomcat for OCSP for client certificate authentication and revocation checking? – harish chava Jun 28 '18 at 15:12
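For reference, here is an added example of the same JSSE connector written with the attribute names that the Tomcat 8.5 SSLHostConfig documentation actually defines; it is not the asker's configuration and has not been tested against their deployment. In the documented attribute set there is a certificateRevocationListFile (JSSE, a local file of concatenated PEM CRLs) and a certificateRevocationListPath (OpenSSL connector only), but no plain certificateRevocationList, which is consistent with the behaviour described in the question. Both attributes expect a CRL file on disk, not an OCSP responder URL. The keystore paths, passwords, alias and CRL file path below are placeholders, and the example uses a single virtual host with a truststore that is assumed to hold every issuing CA the deployment accepts (both the DoD and Federal PKI chains), since a client certificate whose issuer is missing from the truststore is rejected before any revocation check runs.

```xml
<!-- Added example, not the configuration from the question. All file paths,
     passwords and aliases are placeholders to be replaced. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName="domain.gov">
    <SSLHostConfig hostName="domain.gov"
                   protocols="TLSv1.2"
                   honorCipherOrder="true"
                   sessionTimeout="3600"
                   truststoreFile="/app/keystores/issuing-cas.jks"
                   truststorePassword="CHANGE_ME"
                   certificateVerification="required"
                   certificateVerificationDepth="10"
                   certificateRevocationListFile="/app/keystores/crls.pem">
        <!-- The server's own key pair; a separate keystore from the truststore
             keeps the private key out of the file that only needs CA certs. -->
        <Certificate certificateKeyAlias="tomcat_gov"
                     certificateKeystoreFile="/app/keystores/server.jks"
                     certificateKeystorePassword="CHANGE_ME" />
    </SSLHostConfig>
</Connector>
```

With a file-based CRL, the PEM file has to be refreshed before the contained CRLs expire or every client handshake starts failing, so the refresh job and its monitoring are part of the configuration. For OCSP instead of a local CRL, the documented route with the JSSE connector is to drop certificateRevocationListFile, set revocationEnabled="true" on the SSLHostConfig (the documentation notes it is ignored when a CRL file is configured), and enable the JVM's PKIX revocation checking through the ocsp.enable=true security property in the JVM's java.security file (and com.sun.security.enableCRLDP=true if CRL distribution points should be fetched as a fallback). Whichever mode is used, certificateVerification="required" should be read as a TLS-layer gate only; the Shibboleth IdP still has to map the presented subject or SAN to a user and decide what the authenticated principal is allowed to do.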
