How Can I Authenticate via Smart Card (CAC) in a Plain Java Client Application?

Nate Decker (37814561) | asked May 05 '15, 9:19 a.m.
edited Feb 23 '17, 1:38 p.m.

I have many applications that rely on an API for RTC. I primarily use an OSLC API or server-side Java APIs. However, I find that there are some things that can only be done using a Java client (i.e., "plain java") API. My problem with this is that one of our environments requires smart card authentication (specifically, Common Access Card (CAC)).

All of the examples that I've seen for using a Java client API involve authenticating via username and password. How can I make my client application authenticate via smart card instead?

Update 23 Feb 2017 - I'd like to bump my question for visibility. Does anyone have an example of a "login" function in the Java Plain Client API that does not use a Username and Password, but relies on Smart Card credentials instead? I'm assuming I still need to use "registerLoginHandler" and I probably still need the challenge function which returns an "ILoginInfo" object, but presumably there is a way to construct the ILoginInfo object so that it uses Smart Card credentials.

One answer

June Boston (1942938) | answered Feb 23 '17, 6:16 p.m.
I decompiled the jar and found that there's a along with the other login info classes (Kerberos, integrated windows, keystore, SSLCert, usernameandpassword).  That one uses a and KeyStoreKeyManagerProvider to store some kind of login info, and then it uses the normal Java CertificateFactory and Certificate to read an X.509 cert off the card.  It does that with some byte array passed in, and idk where that comes from.

I would maybe decompile all the RTC Java (they may have source out there, I didn't check) and find out what class invokes/uses a SmartCardLoginInfo(byte[] argument).  If you're lucky, it's in use with the login provider classes somewhere.  Maybe you can find out where the card is read and serialized into an array, I bet whatever's doing/capable of doing that returns a login object.  Or well, that's my wild conjecture.

Goooooood luck Nate.

June Boston commented Feb 23 '17, 6:45 p.m.

 Oh also, there's a teamconcert\jdk\jre\lib\ext\ibmcac.jar that maybe will be useful?

Nate Decker commented Mar 13 '17, 9:53 a.m.

 Thanks June!

I'll try investigating along some of these lines. I hadn't considered researching with this kind of approach so it should give me something to do at least. I'm not sure if I'm confident that I'll figure it out on my own but at least there is a course of action. I've submitted a service request asking for help at this point as well so maybe something will come of that.

Good to hear from you :D
