On 25.10.2010 21:04, Michał Pysz wrote:
CAS expects an X.509 cert in the request sent to CAS. I can't imagine
any way to meet that requirement other than the browser sending it.
Yes, it's a major pain to deal with the client requirements of cert
installation, especially when the cert resides on a hardware security
device. We have a good deal of experience in this area, and I
personally believe it's not scalable for large enterprises due to the
client setup and support costs.

I can only underline the problems that marvin mentions. We started a smartcard project 5 years ago and ran into major problems on all fronts. While client X.509 certs are already problematic due to SSL troubles/cert stores etc., hardware tokens are an additional nightmare.

I can only tell you a few of the many problems you will face if you want a dual username/pw and smartcard setup. We have been running this setup for 4 years, I guess.

Hardware:
-every vendor brings his own drivers having its own set of problems that create additional support calls overlapping real issues with your product
-some drivers are crappy, preventing access from 2 apps (Firefox, Thunderbird etc.)
-64-bit architectures are non-existent to some vendors or in a beta stage
-while most vendors ship Windows API compatible drivers, most don't ship a PKCS#11 driver or even some Java driver/interface

Browser Integration:
-Internet Explorer or generally the Microsoft API is really great once you have a working driver...
-any Mozilla product works fine if you have a PKCS#11 lib
-every Mozilla product requires a separate configuration of your smartcard
-Firefox vs IE handling is completely different. In IE you pre-register your certs and the browser prompts you to choose the cert. Firefox requires a plugged-in card. This is really nasty if you have an optional card
-The optional card prompt can't be preceded by some info page on the same server because the cert handshake is part of the SSL tunnel around the web server connection. This means no error page either ;)
-Safari dev people have to be slapped with a telephone book. They are too stupid to write a certificate chooser dialog. You can't abort on an optional cert. They always chose the first cert as default for a long time. And many more issues related to client certificates...

CAS clients:
- We initially had many issues with CAS clients since the optional certs caused some problems during ticket validation. All official clients work now but I can't speak for the other clients. Be prepared to encounter problems here. We created a fallback port without client certs for ticket validation on the CAS server for those clients until they are fixed.

Java Applets:
- you need a driver between your JRE and the native driver
- will require JNI
- you might need to copy additional DLLs to the client (very nasty) and restart the app :/


As a summary, I would only suggest smartcards in a managed environment, where you control the setup on all clients and you already have a lot of experience with SSL/X.509. I would really suggest that you start with soft tokens first, even in a managed env. This will give you a chance to iron out problems over time and _maybe_ later switch to hw tokens. This might actually have a chance of widespread use without a support nightmare. You don't need special hw / drivers, which takes care of a lot of the problems mentioned above.

If you have more specific questions just ask.

Regards,

Joachim
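As an added example, not Joachim's configuration and not anything shipped by the CAS project, the following Tomcat server.xml fragment shows the split described above: one HTTPS connector that asks for, but does not require, a client certificate for browser logins, and a second connector that never requests a certificate, used by CAS clients for ticket validation. Port numbers, keystore paths and passwords are assumed placeholders.

```xml
<!-- Browser-facing connector. clientAuth="want" makes the TLS handshake
     request a certificate but continue without one, so a user with no
     card (or Firefox with no card plugged in) still reaches the
     username/password form. The certificate request is part of the TLS
     handshake, before any page is served, so no info or error page can
     precede it; the application has to cope with "no cert" afterwards. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" maxThreads="150"
           sslProtocol="TLS"
           clientAuth="want"
           keystoreFile="/etc/cas/server.jks" keystorePass="CHANGEME"
           truststoreFile="/etc/cas/smartcard-ca.jks"
           truststorePass="CHANGEME" />

<!-- Ticket-validation connector. clientAuth="false" so a CAS client
     calling /serviceValidate never receives a CertificateRequest it
     cannot answer. Validation is server-to-server; the user's card is
     irrelevant here. Because this port skips the certificate prompt,
     limit its reachability (firewall rules, or the address attribute)
     to the hosts that actually run CAS clients. -->
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" maxThreads="50"
           sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="/etc/cas/server.jks" keystorePass="CHANGEME" />
```

The fallback port does not weaken the login itself: a ticket validated there was still issued only after the browser-facing connector authenticated the user.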
