Introduction to Personal Identity Verification (PIV) card authentication:
For any IT organization, authentication is a crucial component of cybersecurity: it verifies a user's identity and ensures that only authorized individuals or systems can access resources, protecting sensitive information and maintaining system integrity. It underpins security, data protection, access control, audit trails and much more.
The introduction of PIV card authentication in IBM InfoSphere Data Replication (IIDR), as one of its MFA modes, helps customers use the product securely and protect their data from misuse. It also reduces the time spent on Access Server user management.
Why passwords are not enough
Password-based authentication has been the primary mode of authentication for many years. However, it suffers from security vulnerabilities, user-experience issues and password-management challenges, including weak passwords, password reuse, insecure password storage, password fatigue and password theft.
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is a security measure that adds an extra layer of protection to the traditional password-based login process. It requires users to provide two or more verification factors to access a system or application, making it much harder for unauthorized individuals to gain access to accounts.
How MFA Works
MFA works by requiring users to verify their identity using multiple factors, such as:
- Something they know (e.g., a password or PIN)
- Something they have (e.g., a smartphone or token)
- Something they are (e.g., a fingerprint or face recognition)
By requiring multiple factors, MFA significantly enhances security and reduces the risk of unauthorized access, even if passwords are compromised.
Benefits of MFA
- Improved security: MFA makes it much harder for attackers to gain access to accounts using stolen or guessed passwords.
- Reduced risk: MFA reduces the risk of data breaches and cyber attacks.
- Compliance: MFA is often required by regulatory bodies and industry standards to ensure the security of sensitive data.
Personal Identity Verification Card Authentication
PIV card authentication is a secure way to access systems using a smart card, known as a PIV card, and a card reader. To authenticate, you:
- Insert the PIV card into the reader
- Enter your Personal Identification Number (PIN)
- Possibly provide biometric verification (e.g., fingerprint or facial recognition)
While you do this, the PIV card's chip, through the reader, proves to the client and the server that you hold the card's private key, and your identity is verified from that proof.
How Does PIV Work?
A PIV card is a smart card that stores a PIV credential: an X.509 compliant certificate and its corresponding private key, which together act like a digital ID.
The certificate can be read from the card, but the private key never leaves it, and the card will only use the key after the holder has entered the correct PIN.
Once the PIV card is inserted into the card reader, the PIV credential is verified in several ways:
- Issuance: The credential was issued by an authorized entity.
- Expiration: The credential has not expired.
- Revocation: The credential has not been revoked.
- Identity: The holder of the credential is the same individual it was issued to.
This ensures that only authorized individuals can access secure systems, and that the PIV card is a trusted way to verify identities.
Enhanced Authentication for IIDR Management Console
For years, IIDR Management Console has relied on traditional password-based authentication. However, with growing security concerns, the need for Multi-Factor Authentication (MFA) has become increasingly important. To address this, we have introduced a new login method: PIV Card Authentication.
What is PIV Card Authentication?
PIV Card Authentication uses certificates stored on smart cards, protected by a personal identification number (PIN). This method is considered one of the strongest forms of MFA available, offering enhanced security for our users.
Benefits of PIV Card Authentication
- Stronger Security: PIV Card Authentication provides an additional layer of protection, making it more difficult for unauthorized users to access sensitive information.
- Convenience: With PIV Card Authentication, users can replace traditional password-based authentication, simplifying the login process.
- Ease of Use: Users only need to remember their PIN, eliminating the need to manage complex passwords.
By introducing PIV Card Authentication, we aim to provide a more secure and user-friendly experience for our customers.
The image below illustrates the flow of PIV card authentication on the Management Console.

How does PIV card authentication work?
Enabling PIV card authentication on the IIDR Management Console requires the following configuration steps.
- Loading Certificates onto Windows Certificate Manager
Important Note: Make sure to enter your PIN correctly to successfully load the certificates.
By following these steps, you'll be able to load the necessary certificates onto your Windows Certificate Manager, ensuring secure access to your system.
- Adding PIV Certificate to Server Trust Store:
To ensure secure authentication, the client certificate presented from the PIV card must be validated on the server. This validation checks that the certificate was issued by a trusted issuer.
For the validation to succeed, the issuer's certificate must be present as a trusted entry in the server's trust store; otherwise the validation fails.
The administrator (or a designated user with sufficient privileges) adds it to the truststore. This is typically done by importing the issuing CA certificate (or the entire certificate chain) as a trusted root or intermediate entry.
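As an added example (not IIDR's own tooling), the following Java program performs the import described above with the standard KeyStore API instead of keytool. It assumes a PKCS12 trust store and a PEM or DER file containing the PIV issuing CA chain; the trust-store type, file names and alias scheme are assumptions, not IIDR settings. It deliberately imports only CA certificates, because placing a user's own certificate in the trust store does not make the server's issuer check pass.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

/**
 * Imports the PIV issuing CA chain into a server trust store (PKCS12 assumed here;
 * use the type your server is configured with). Added example, not IIDR code.
 *
 * Usage: java TrustStoreImport <truststore.p12> <password> <issuer-chain.pem-or-der>
 */
public class TrustStoreImport {

    /** Loads an existing trust store, or starts an empty one if the file does not exist yet. */
    static KeyStore loadOrCreate(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (Files.exists(path)) {
            try (InputStream in = Files.newInputStream(path)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    /** Reads every X.509 certificate in a PEM or DER file (a bundle yields the whole chain). */
    static Collection<? extends Certificate> readCertificates(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(file)) {
            return cf.generateCertificates(in);
        }
    }

    /** A certificate is a CA if its BasicConstraints extension says so (-1 means "not a CA"). */
    static boolean isCa(X509Certificate cert) {
        return cert.getBasicConstraints() != -1;
    }

    /** Adds the CA certificates from the file as trusted entries; returns how many were added. */
    static int importIssuers(KeyStore ks, Path chainFile) throws Exception {
        int added = 0;
        for (Certificate c : readCertificates(chainFile)) {
            X509Certificate cert = (X509Certificate) c;
            if (!isCa(cert)) {
                // A user's own (end-entity) certificate in the trust store does not let a chain
                // validate; the server needs the issuer. Skip it rather than trust it by accident.
                System.err.println("Skipping non-CA certificate: " + cert.getSubjectX500Principal());
                continue;
            }
            cert.checkValidity(); // throws if the CA certificate is expired or not yet valid
            String alias = "piv-issuer-" + Integer.toHexString(cert.getSubjectX500Principal().hashCode());
            ks.setCertificateEntry(alias, cert);
            System.out.println("Trusted " + cert.getSubjectX500Principal() + " as " + alias);
            added++;
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        Path storePath = Paths.get(args[0]);
        char[] password = args[1].toCharArray();
        KeyStore ks = loadOrCreate(storePath, password);
        if (importIssuers(ks, Paths.get(args[2])) == 0) {
            throw new IllegalArgumentException("no CA certificates found in " + args[2]);
        }
        try (OutputStream out = Files.newOutputStream(storePath)) {
            ks.store(out, password);
        }
    }
}
```

The same import can be done with `keytool -importcert -trustcacerts`; the program above adds the CA-only check, which keytool does not enforce. Keep the trust store limited to the CA(s) that actually issue your PIV authentication certificates, since every CA in it can mint a certificate the server will accept.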
- Trusting server certificates:
To ensure secure authentication, PIV card authentication always occurs over a mutually authenticated TLS connection. This requires two key steps:
By following these steps, you can ensure that PIV card authentication is secure and trustworthy.
- Configuring PIV card Authentication Properties:
To enable PIV card authentication, you need to add properties on both the server and the client. The system administrator on the server is responsible for adding the Common Name (CN) of every user who is to be validated.
Important Note: To allow PIV users to log in without a password, you must set enableNoUserAuth=true on the server. With enableNoUserAuth=false, password-based user login applies. Because no password is checked in this mode, the trust store contents and the CN list are the only access controls: keep the trust store limited to the PIV issuing CA(s), and make sure the CNs you add uniquely identify users.
Configuring TLS Encryption Properties
Locate tls.properties, the TLS encryption properties configuration file, under the installation folder of both the Management Console and the Access Server.
Access Server Configuration
Add the following properties to the Access Server configuration file:
- enableNoUserAuth=true
- enableTLS=true
- enableMutualTLS=true
Management Console Configuration
Add the following properties to the Management Console configuration file:
- enableTLS=true
- enableNoUserAuth=true
- privateKeyStoreType=<Windows cert manager> (e.g., Windows-MY)
- javaKeystoreProvider=<Java provider for CAC or MSCAPI> (e.g., IBMCAC or SunMSCAPI)
Important Note
A Management Console packaged with a Java 8 JRE should use IBMCAC; one packaged with a Java 17 JRE should use SunMSCAPI.
Adding Java Security Provider (If Necessary):
If the Java provider is not already listed in the java.security file of the JRE shipped with the client, add it to the list as the first entry.
- Open the java.security file under <Management Console install folder>\jre32\jre\lib\security.
- Add the following line under "List of providers and their preference orders":
security.provider.1=com.ibm.security.capi.IBMCAC
This ensures that the IBMCAC provider is used for PIV card authentication. (On a Java 17 JRE running on Windows, SunMSCAPI is already registered by default.)
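The following Java program, added here and not part of the Management Console, shows what the Windows-MY/SunMSCAPI combination from the properties above actually exposes to a Java 17 client: it opens the current user's personal certificate store through the SunMSCAPI provider and lists the entries that could serve as the PIV client certificate (a private key is present, the certificate is within its validity period, and it carries the clientAuth or Smart Card Logon extended key usage). It runs only on Windows; IBMCAC on Java 8 uses a different keystore type and is not covered. The EKU filter is this example's own heuristic, not a Management Console rule.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Lists certificates in the Windows "Personal" store (Windows-MY) as seen through
 * SunMSCAPI, and keeps those usable as a PIV client certificate. Added example, not IIDR code.
 */
public class WindowsMyProbe {
    static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";           // id-kp-clientAuth
    static final String SMART_CARD_LOGON_OID = "1.3.6.1.4.1.311.20.2.2"; // Microsoft Smart Card Logon

    /** Heuristic: digitalSignature key usage plus an authentication EKU (this example's own rule). */
    static boolean usableForPiv(X509Certificate cert) throws CertificateException {
        boolean[] ku = cert.getKeyUsage();
        boolean digitalSignature = ku != null && ku[0]; // bit 0 = digitalSignature
        List<String> eku = cert.getExtendedKeyUsage();
        boolean authEku = eku != null
                && (eku.contains(CLIENT_AUTH_OID) || eku.contains(SMART_CARD_LOGON_OID));
        return digitalSignature && authEku;
    }

    /** Returns "alias -> subject DN" for every candidate; the CN inside the DN is what the server matches. */
    static List<String> pivCandidates() throws Exception {
        Provider mscapi = Security.getProvider("SunMSCAPI");
        if (mscapi == null) {
            throw new IllegalStateException("SunMSCAPI not available: not Windows, or not listed in java.security");
        }
        KeyStore ks = KeyStore.getInstance("Windows-MY", mscapi);
        ks.load(null, null); // no file and no password: backed by the current user's certificate store

        List<String> out = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Without a private key the client cannot sign the TLS handshake, so skip such entries.
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue;
            try {
                cert.checkValidity(); // expired or not-yet-valid certificates are rejected by the server anyway
            } catch (CertificateException ex) {
                continue;
            }
            if (usableForPiv(cert)) {
                out.add(alias + " -> " + cert.getSubjectX500Principal().getName());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> candidates = pivCandidates();
        if (candidates.isEmpty()) {
            System.out.println("No PIV-capable certificate with a private key found in Windows-MY; "
                    + "insert the card and load its certificates into Certificate Manager first.");
        }
        for (String s : candidates) System.out.println(s);
    }
}
```

An empty result is the usual cause of a login dialog with nothing to select: the card's certificates have not been propagated into the user's personal store, or the provider named in javaKeystoreProvider is not the one registered in java.security. The private-key operation itself stays on the card; Windows-MY only exposes a handle to it, so the PIN prompt appears when the TLS handshake first uses the key.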
- Logging in with a PIV card:
Once all the configuration is complete, a window pops up as soon as the end user starts the client.
Login Process with Client Certificate Validation
To access the server, follow these steps:
Step 1: Select Client Certificate
Step 2: Enter Server Details
- On the login page, enter the Hostname and Port of the Access Server.
- Click Login to initiate the authentication process.
- You are then prompted to enter the PIV card PIN. Enter the correct PIN to proceed with validation.
Certificate Validation and Login
- The selected client certificate is validated on the server.
- If a user with the corresponding Common Name (CN) already exists on the server, you are allowed to complete the login process.
- If the validation is successful but the user does not exist, an "Invalid or no user" message is displayed.
- If the certificate validation fails, a "Bad certificate" error is issued.
Important Note: Ensure that you have selected the correct client certificate and entered the correct server details to avoid any errors during the login process.
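To make the three outcomes concrete, here is an added Java example (not IIDR code) of the server-side decision: PKIX path validation against the trust store covers the issuance, expiry and revocation checks listed under "How Does PIV Work?", and the CN of the validated certificate is then looked up in the list of users the administrator configured. The PKCS12 trust store, the PEM chain file and the comma-separated CN list are assumptions for the command line; the real server performs the certificate check inside the mutual-TLS handshake rather than on a file.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Server-side decision for a PIV login: validate the presented chain against the trust store
 * (issuance, expiry, revocation), then look the CN up in the configured user list.
 * Added example, not IIDR code; the outcomes mirror the messages described above.
 *
 * Usage: java PivLoginCheck <truststore.p12> <password> <client-chain.pem> <cn1,cn2,...>
 */
public class PivLoginCheck {
    enum Outcome { LOGIN_OK, BAD_CERTIFICATE, INVALID_OR_NO_USER }

    /** Extracts the CN attribute from the subject DN, or null if there is none. */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        }
        return null;
    }

    /** Issuance, expiry and revocation: PKIX path validation with OCSP/CRL checking enforced. */
    static void validateChain(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        // The path must not contain the trust anchor itself, so drop any cert already trusted.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (trustStore.getCertificateAlias(c) == null) path.add(c);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(trustStore); // trust anchors = trusted entries
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        // No SOFT_FAIL: an unreachable OCSP responder or CRL is a failure, not a pass.
        revocation.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(revocation);
        params.setRevocationEnabled(true);
        validator.validate(certPath, params); // throws CertPathValidatorException on any failure
    }

    /** Maps the checks to the three login outcomes; chain.get(0) is the end-entity certificate. */
    static Outcome decide(List<X509Certificate> chain, KeyStore trustStore, Set<String> knownUsers) {
        try {
            validateChain(chain, trustStore);
        } catch (Exception e) {
            return Outcome.BAD_CERTIFICATE; // untrusted issuer, expired, revoked, or malformed
        }
        String cn;
        try {
            cn = commonName(chain.get(0));
        } catch (Exception e) {
            return Outcome.BAD_CERTIFICATE;
        }
        // Proof that the client holds the private key comes from the mutual-TLS handshake itself;
        // this offline check covers only the certificate and the user mapping.
        return (cn != null && knownUsers.contains(cn)) ? Outcome.LOGIN_OK : Outcome.INVALID_OR_NO_USER;
    }

    /** Reads a PEM/DER chain file; the end-entity certificate must come first. */
    static List<X509Certificate> readChain(Path file) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (java.security.cert.Certificate c
                    : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("com.sun.security.enableCRLDP", "true"); // allow CRL fetch from distribution points
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            trustStore.load(in, args[1].toCharArray());
        }
        Set<String> knownUsers = new HashSet<>(Arrays.asList(args[3].split(",")));
        System.out.println(decide(readChain(Paths.get(args[2])), trustStore, knownUsers));
    }
}
```

Two points worth checking in your own deployment follow from this logic: a revoked card only produces "Bad certificate" if the server can actually reach the issuer's OCSP responder or CRL, so an air-gapped Access Server needs a local CRL source; and since the CN alone decides the mapping, two certificates from the same trusted CA with the same CN are the same user to the server.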
Limitations
- PIV Card Authentication is currently supported for Management Console login only. The Command Line Utility (CHCCLP) does not yet support PIV Card Authentication.
- PIV Card Authentication is not supported for database credentials under the Management Console datastore connection properties or the IIDR instance configuration.
Conclusion
In conclusion, the introduction of PIV card authentication in IIDR Management Console provides a robust and secure multi-factor authentication method for users. By leveraging the strengths of smart card technology and X.509 compliant certificates, PIV card authentication offers a highly secure and user-friendly alternative to traditional password-based authentication.
With the step-by-step configuration process outlined in this guide, system administrators can easily enable PIV card authentication on the server and client sides, ensuring a seamless and secure login experience for users. By following these configurations and best practices, organizations can significantly enhance the security of their systems and data, while also reducing the administrative burden associated with password management.
The implementation of PIV card authentication in IIDR Management Console demonstrates a commitment to providing a secure and reliable solution for customers, and we are confident that this feature will play a critical role in protecting sensitive information and maintaining system integrity.