OK...I'm with you. Then after that to actually authenticate the user via CAC you're calling an API of some sort via a run process?
-----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM Sent: Tuesday, September 02, 2008 2:48 PM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE The answer is, it's up to you. The user must supply a username with a password at least once. If you turn login prompt off or make it "By Preference" the user can then not be prompted subsequently. We aren't really using this account or password to authenticate the user from a security stand-point so we don't care about password management (we'll let AD do that) -- it's only used to validate the user and track them once they have pass through the CAC authentication process. Thank you, Christopher Michaud Remedy System Administrator/Developer US Army Medical Information Technology Center (USAMITC) Core Technology Division - Systems Engineering Branch Office: 210.295.3589 DSN: 421-3589 -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE Sent: Tuesday, September 02, 2008 2:28 PM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) I follow you. I think the point I'm just hung up on is the login prompt. When the user double clicks the Remedy User icon, is he presented the User tool login prompt? If yes, what username and password does he supply? -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM Sent: Tuesday, September 02, 2008 2:10 PM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE The Army does the same. You are correct regarding the user not knowing their AD password and for that reason I don't use cross-reference passwords here. Since AD is already doing password length, complexity, expiration enforcement there is no need to repeat this process within Remedy (no different than if we were using Area Authentication) -- we are simply using the CAC w/PIN coupled with a CAC identification/matching process to authenticate. This is the same process you would use if implementing the external DLL and then passing the username and password to the client. So here's the concept behind this -- with this approach you let everyone with a Remedy User account in the door -- technically we are not authenticating users at this point. Once the user passes the AR login piece, the CAC authentication process (PIN prompt) occurs (this is the authentication we care about). If the CAC/PIN authentication fails for any reason, their session is immediately terminated. Otherwise, we next perform CAC identification (matching the presented CAC certificate to an LDAP entry (info stored in the People/User record) and to the $USER$ value. Now we've confirmed that all checks match and they are who they say they are. Lastly, we can now do additional CAC validation to allow/disallow access based on other business rules. Think of it this way, the bouncer at the front door asks you for your name and lets you walk in. The hostess then ensures you have an authentic Drivers ID that has not been suspended, meets the minimum age and matches the person presenting it (including the name you originally provided). Once complete, you get a pretty stamp to show for the rest of your visit and you get to drink all night -- if not you're escorted back out the door which slams behind you. Thank you, Christopher Michaud Remedy System Administrator/Developer US Army Medical Information Technology Center (USAMITC) Core Technology Division - Systems Engineering Branch Office: 210.295.3589 DSN: 421-3589 -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE Sent: Tuesday, September 02, 2008 1:21 PM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Hmmm...OK, so I understand, allow me to propose a sample case. Suppose you have a technician with a CAC. I'm not sure how the Army does it, but in the AF, unless a person is added to what they call an "exception group" all users have a randomized password in the Active Directory that is unknown to the user. Thus, from the user's perspective, he has no password. Thus, turning on CROSS REF BLANK PASSWORD in this case is useless because he doesn't have a password to cross reference. So then how do you do password length, complexity, expiration enforcement? Do folks in the Army still have "known" passwords in AD? -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM Sent: Tuesday, September 02, 2008 1:12 PM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE Users sharing a machine will still have a blank PW. However they won't get the benefit of SSO or "auto-login" as I prefer to refer to it. CAC validation will still occur after login. In all cases once the login is complete, whether automatic or not, they will be prompted for their CAC PIN. Once they've entered their pin, if they have an invalid CAC (based on whatever criteria you can implement in W/F), they get the boot. For instance, one criteria is that $USER$ value match the People record associated to the unique CAC ID. If not, they get the boot. Otherwise they are redirected to whatever form I want to send them to. The goal here is to let the AD directory manage the User/Password process. We perform nightly imports of AD via LDAP which populates and creates Users. Since the ITSM People record will be updated with expired/disabled accounts, this will in turn be seen by the CAC validation W/F. In short, Remedy PW management becomes moot as long. However, an account having a password and employing password length, complexity, history, and expiration rules will still get CAC validated. Thank you, Christopher Michaud Remedy System Administrator/Developer US Army Medical Information Technology Center (USAMITC) Core Technology Division - Systems Engineering Branch Office: 210.295.3589 DSN: 421-3589 -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE Sent: Tuesday, September 02, 2008 12:12 PM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) So for those users you have a hardcoded password in the User form? If yes, are you employing password length, complexity, history, and expiration rules? -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM Sent: Tuesday, September 02, 2008 11:33 AM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE Norm, I forgot to mention we can use the option of setting login prompt to "By Preference" and for most users this would allow them to log in automatically without a prompt. However, when a user shares a system with multiple people, they'll need to set their Preference record to always prompt for login. Thank you, Christopher Michaud Remedy System Administrator/Developer US Army Medical Information Technology Center (USAMITC) Core Technology Division - Systems Engineering Branch Office: 210.295.3589 DSN: 421-3589 -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM Sent: Tuesday, September 02, 2008 10:55 AM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE Norm: For now, users will still receive a login prompt. However, they can enter their username once and create an account on the client. Following that they can select the username from the dropdown and click OK - no password. My workflow picks up from there. Thank you, Christopher Michaud Remedy System Administrator/Developer US Army Medical Information Technology Center (USAMITC) Core Technology Division - Systems Engineering Branch Office: 210.295.3589 DSN: 421-3589 -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE Sent: Tuesday, September 02, 2008 10:23 AM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Chris: If you're doing CAC authentication via workflow, how do you overcome the Remedy User tool's need for username and password? That is, one must first be logged onto the client before one can begin executing workflow. Your approach sounds very interesting to me...the username/password challenge is what throws me. Norm -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM Sent: Tuesday, September 02, 2008 10:02 AM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE We chose a phased CAC implementation. The first phase was to CAC enable the Mid-Tier via the IIS server. From there I control the users access to Remedy and the Mid-Tier application through a process that performs the CAC validation and then passes the validated CAC user to the correct Mid-Tier starting point based on criteria we determine. This required closing a couple holes in the Mid-Tier product to prevent users from trying to circumvent the validation and directly accessing forms via URLs. In some cases we populate the login id, lock it and require a password to be entered based on Remedy permission level. In other cases, I pass the users directly to specific Mid-Tier forms. This is not true SSO but it does perform the required application access validation via CAC card quite well. Next I'm planning on implementing CAC validation for both the Mid-Tier and the User Tool using simple Remedy-based workflow I've developed. This code does not rely on the DLL hooks to function, but again it performs CAC validation and control - not true SSO. The upside to this is that because it's almost entirely Remedy workflow, it's easy to maintain and customize as needed and it does not need to be updated and recompiled each time your ARS release changes. The last phase will be to work out the SSO capability. Thank you, Christopher Michaud Remedy System Administrator/Developer US Army Medical Information Technology Center (USAMITC) Core Technology Division - Systems Engineering Branch Office: 210.295.3589 DSN: 421-3589 -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Steve Michadick Sent: Friday, August 29, 2008 7:13 AM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) You can add the US Marine Corps to that list. We, too, are upgrading to ARS 7.1 ITSM 7.0 and have to use CAC login. We have our BMC professional services "team" working on a solution. I'll have them take a look at the USAF's solution and see if it can work for us. Steve Michadick Remedy Engineer Marine Corps Network Operations and Security Center (MCNOSC) Phone: 703-432-6726 -----Original Message----- From: Easter, David [mailto:[EMAIL PROTECTED] Sent: Thursday, August 28, 2008 4:42 PM Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) I can try to help a little, although I'm somewhat bound by confidentiality, so I apologize that I can't go into detail beyond what I'll say here. When the "Single Sign-On (SSO) and Other Client-Side Login Intercept Technologies" interface was created, it was BMC's expectation that customers or partners would take this interface and create point-to-point integrations with solutions in the marketplace. At this time, there are no short term plans for BMC to productize such integrations. If this remains a "gap" in the marketplace, that decision may be revisited - but I would encourage the development community to share work done in this area among other community members or for an enterprising partner or solution provider to create a marketable solution for such point-to-point integrations to popular SSO environments. Also, There is a Department of Defense Instruction NUMBER 8520.2 (http://www.dtic.mil/whs/directives/corres/html/852002.htm). This Instruction applies to: "2.4. All DoD unclassified and classified information systems including networks (e.g., Non-secure Internet Protocol Router Network , Secret Internet Protocol Router Network, web servers, and e-mail systems. E3.4.1.3. Other Information Systems. For information systems requiring authentication other than network login or web servers, the system owner shall perform a business case analysis to determine if PK-Enabling is warranted. The business case analysis shall be submitted to the DoD Component CIO for review and approval. If warranted, the information system shall be PK-Enabled." This has influenced several U.S. military bases to pursue integrating the CAC with their Remedy systems. Because this request affects multiple branches of the U.S. Armed Services, one would expect that work done at one base could be shared with other bases - although I certainly understand that there may be bureaucratic or other barriers to such sharing. However, if there are any shared DoD resources, you may wish to reach out internally to other bases that have Remedy based solutions. My understanding is that the military has, for the most part, chosen a single vendor for CAC - so work done once should be applicable in most other environments. Of the branches that I'm aware of, I believe the Air Force is currently the farthest along with the Army also making requests for the CAC integration. In addition, if this cannot be solved at a community or partner level, I believe there is some work being done by BMC Professional Services to assist in the use of CAC and SSO with the predominant SSO vendor solution chosen by the Air Force. Customers may wish to individually contact BMC Professional Services for assistance in creating such integrations. Hope this helps... -David J. Easter Sr. Product Manager, Solution Strategy and Development BMC Software, Inc. The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc. My voluntary participation in this forum is not intended to convey a role as a spokesperson, liaison or public relations representative for BMC Software, Inc. -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Abdullah Baytops Sent: Wednesday, August 27, 2008 10:37 AM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) I would be interested as well for our Army organization just gave us this requirement as well this week. I was hoping someone else has done it as well. V/R Abdul Baytops Director of Business Operations Digital Foundation Corporation Web: www.thedigitalcorp.com Toll Free: 888-754-0341 Phone: 240-346-4628 (Direct Mobile) Fax: 301-710-5368 Email: [EMAIL PROTECTED] (Service Disabled Veteran Owned Small Business ) -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Begosh, Kevin Sent: Wednesday, August 27, 2008 12:40 PM To: arslist@ARSLIST.ORG Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) That is a good question, I know some military customers that I have worked with that wanted this too. From what I know I have never seen it. I know I asked BMC about it a couple of years ago and they did not have anything for it. I would be interested in this information as well. Kevin Begosh, RSP External Initiatives System Design & Integration 301-791-3540 Phone 410-422-3623 Cell [EMAIL PROTECTED] -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Nguyen, AnhThien Mr CTR NG NGB ARNG Sent: Wednesday, August 27, 2008 10:22 AM To: arslist@ARSLIST.ORG Subject: Integrate Remedy User Tool with CAC card (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE Hi List, Currently ARS 6.3, SQL 2000. Planning to upgrade to ARS 7.1 & SQL 2005. ITSM v7 down the road but not right now. >From the documentation, Remedy User Tool 7.x includes a hook that allows one >to specify a DLL that will be called instead of the login page at startup. This DLL can do whatever work you want-interact with other systems, open windows, perform calculations, and so on. However, we do not have a solution in place yet. I was hoping to see if anyone has implemented CAC card with Remedy User Tool. Any information you can provide will be greatly appreciated. Thanks, Thien Classification: UNCLASSIFIED Caveats: NONE ________________________________________________________________________ _______ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" ____________________________________________________________________________ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" Classification: UNCLASSIFIED Caveats: NONE _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" Classification: UNCLASSIFIED Caveats: NONE _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" Classification: UNCLASSIFIED Caveats: NONE _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" Classification: UNCLASSIFIED Caveats: NONE _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" Classification: UNCLASSIFIED Caveats: NONE _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" Classification: UNCLASSIFIED Caveats: NONE _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
