For information about Globalscape, visit www.globalscape.com. |
|
|
For information about Globalscape, visit www.globalscape.com. |
|
(Available in EFT Enterprise with the HSM) Common Access Card (CAC) Authentication is available in EFT Enterprise for LDAP Sites with SSL (HTTPS or FTPS) enabled. When CAC is enabled on EFT, clients are required to provide a certificate when connecting. Once the user’s certificate is validated, EFT uses the Principal Name (UPN) taken from the Subject Alternative Name (SAN) field of the Signature Certificate to search for the user in LDAP and allow or deny access based on the information found. The certificate provisioned via the web browser must have an Electronic Data Interchange Personal Identifier (EDI/PI). If the EDI/PI is not found or otherwise cannot be validated, the connection is denied. If the EDI/PI is found, EFT maps the corresponding fields in LDAP using the appropriate LDAP query string. If the user is found in LDAP, if a certificate is assigned to that user, and if the certificate exactly matches the one provided by the client, the user is allowed access.
When CAC is enabled and HTTPS connection is made, the Logout and Change Password buttons on the Web Transfer Client (WTC) and Plain Text Client (PTC) are hidden. To log out, you must close the browser and remove your CAC card. WTC sessions will timeout immediately when the browser is closed. If a user navigates away from the WTC instead of closing the browser, and then goes back to the WTC page, the previous session is expired and a new session ID is generated. This prevents the WTC licenses from being locked when no one is using them.
|
|
The account management page is not available when CAC is enabled. There is no concept of logging out or changing passwords when using CAC. |
When CAC is enabled on a Site:
The WTC uses the JSE instead of the Apache client. The JSE HTTP client provides NTLM v2 proxy authentication support.
Any attempt to access any of the account management pages causes a "page not found" error.
When HTTP and HTTPS are both enabled, the Redirect HTTP to HTTPS check box is selected and disabled, forcing redirection of HTTP traffic to HTTPS.
When FTPS is enabled, the username and password provided are ignored; the authentication is provided by the certificate.
The method EnableCAC() can be used to enable CAC via the COM API.
The following major events are logged:
Could not find proper SAN field in certificate
The value received from the SAN field
If user had no certificates in LDAP
If certificates were present but no certificate matched
More than one user was retrieved when LDAP was queried (authentication is only attempted against the first one)
CAC is incompatible with RADIUS, RSA, PCI DSS, ODBC, NT authentication, AD authentication, and Globalscape authentication. PCI DSS Compliance reports do not report on CAC-enabled Sites.
Refer to Defining Connections (Sites) for details of creating an LDAP-authenticated Site that uses CAC.
