Services Directorate
Dual Persona User Guide for DoD Enterprise Portal Service
Military Sealift Command Version September 8, 2016
Document Approval
Document Approved By Date Approved
Name: Brian Purdy ??/??/2016
Revision History
Table 2. Revision History
VERSION  DATE              PRIMARY AUTHOR(S)  REVISION/CHANGE          PAGES AFFECTED
0.1      17 July 2016      Mike Lacher        Initial Draft            All
0.2      8 August 2016     Greg Lane          Customized for MSC
0.3      8 September 2016  Greg Lane          Updated to include AC7   9, 10
Table of Contents
Document Approval
Revision History
Abbreviations, Acronyms, and Definitions
1. INTRODUCTION
1.1 PURPOSE
1.2 SCOPE
1.3 PREREQUISITES
2 DUAL PERSONA DEPS SETUP
2.1 DMDC Self-Service and Activating PIV Auth Cert
2.2 Resetting the state of your cards in ActivClient
2.3 Selecting the correct Certificate
Appendix 1: Troubleshooting Dual Persona PIV Auth Cert Process
DISCLAIMER This supplement is provided as a tool to support Mission Partner Migration Project Managers and their Dual Persona end users. The steps for managing Dual Persona certificates are based on experience gathered from previous migrations. These steps may differ somewhat from a specific Mission Partner's configuration, but they should be of use to the end users and their Level I Service Desk.
OVERVIEW Some individuals may have two or more personas (active identities) in the Defense Manpower Data
Center (DMDC) database. This is commonly known as having a Dual Persona – for instance, someone
who is a DoD civilian employee or contractor and in the Army Reserve.
As part of DISA’s implementation of DoD Enterprise Portal Service (DEPS), there is a requirement for
users with Dual Personas to activate the personal identity verification authentication certificate (PIV Auth
Cert) on each of their CACs. This PIV Auth Cert will then be used during login to DEPS.
There are also people who may have a “surprise” Dual Persona. This can happen when someone has
transitioned from one DoD role to another (for instance, from being a contractor to becoming a civilian
employee). There is a grace period that keeps the person’s old CAC recognized: if this overlaps with the
new active role, a Dual Persona will be seen in the system.
This document provides detailed information on how to activate the PIV Auth Cert. These steps need to
be performed by end users with a Dual Persona.
Most problems with starting DEPS access will occur when someone is unaware of his or her Dual
Persona status. The key here is to be aware of the possibility and go through the steps required for those
who are bona fide Dual Persona. The most common indicator that a user may be dual persona is if he or
she receives an F5 Access Policy Module error page with a session ID number when accessing DEPS
after selecting the Email Certificate.
Abbreviations, Acronyms, and Definitions
The following abbreviations, acronyms, and definitions aid in the understanding of this document.
Abbreviation/Acronym: Description
CAC: Common Access Card. Identification and sometimes benefits and privilege card produced by the DoD, which contains an Integrated Circuit Chip (ICC) holding demographic data and digital certificates.
DMDC: Defense Manpower Data Center
DNS: Domain Name System
DoD: Department of Defense
DSC: DMDC Support Center
DSLogon: Unique Logon ID and Password given to DoD Beneficiaries to access DoD web applications in lieu of a CAC
FASC-N: Federal Agency Smart Credential Number
JDM: Joint Data Model
JRE: Java Runtime Environment
PCC: Personnel Category Code
PIV: Personal Identity Verification
RAPIDS: Real-time Automated Personnel Identification System. Application used to update data on the DEERS Person Data Repository (PDR) and create DoD Identification cards.
RSS: RAPIDS Self Service
UMP: User Maintenance Portal
UPN: User Principal Name
UNCLASSIFIED // FOR OFFICIAL USE ONLY September 8, 2016
1. INTRODUCTION
This guide provides instructions on how Dual Persona end users coming onboard to DoD Enterprise
Portal Service (DEPS) can use the DMDC RAPIDS Self-Service web application to update their CAC so
that the PIV Auth cert is activated and visible.
This must be done because DEPS leverages the DISA Enterprise Applications Services Forest (EASF)
for authentication control. For DoD personnel with one persona (e.g., Military (.mil), Civilian (.civ), or
Contractor (.ctr)), the login token is their Common Access Card Email Signing Certificate.
Users with multiple personas (e.g., civilian employee and reservist) have a CAC for each persona; for
them the login token is the personal identity verification authentication certificate (PIV Auth Cert)
located on each CAC.
CACs do not, by default, expose the PIV Auth cert; the card-holder must activate it. Even when
activated it will still look like your other (non-email) certificates until you roll the cursor over your
name: a regular cert will display 10 numbers and the PIV Auth Cert will show 16 numbers. When logging
in to DEPS, the PIV cert must be selected.
[Screenshot: PIV Auth Cert – 16 digits]
1.1 PURPOSE
In a mission partner managed SharePoint environment, accounts are typically provisioned as needed
and restricted to the specific identity associated with that mission partner (civilian, contractor, military,
etc.). The DISA EASF, leveraged by many of DISA's Enterprise Services, automatically provisions
accounts for all DoD CAC users. But only one digital identity is recognized until an individual who has two
CACs activates the PIV Auth cert on both cards. The PIV Auth certificates carry a field that is unique to
the CAC-holder called the Federal Agency Smart Credential Number (FASC-N). This lets a Dual Persona
user log in with the PIV Auth cert of either CAC, depending on which account is to be accessed.
The FASC-N is combined with the 10-digit EDIPI: when logging into DEPS, the system passes the
unique number from the PIV certificate, matches it to the correct account, and authenticates the user
(the number is the EDIPI plus digits from the much longer FASC-N, of which only 16 numbers are
displayed when the cursor is rolled over the certificate).
The end user will need to ensure the correct CAC is used for the particular account he or she wants to
access.
1.2 SCOPE
The reason for activation of this certificate is to support multiple personas in the EASF Domain with a
simplified CAC login (once properly set up) to DEPS.
1.3 PREREQUISITES
In order to update your CAC, your laptop or workstation must be CAC-enabled (a DEPS requirement).
WARNING: Only people with Dual Personas should proceed with these steps; those who aren't sure, but
think they may qualify, should open a ticket with their support team for escalation to DISA to verify.
2 DUAL PERSONA DEPS SETUP
Setting up your Dual Persona PIV Auth Cert requires a number of steps:
1. Connecting to DMDC RAPIDS Self-Service
2. Activating each CAC's PIV Auth Cert
3. Having the system "forget" your individual certificates
4. Resetting your CAC identities in ActivClient
2.1 DMDC Self-Service and Activating PIV Auth Cert
In order to access DEPS, you need to activate your PIV authentication certificate for each CAC and then
have ActivClient forget the previous state of all your CACs.
Go to RAPIDS Self Service at https://www.dmdc.osd.mil/self_service and sign on.
[Screenshot: Welcome to RAPIDS (DEERS)]
Click OK.
Log in with your CAC.
[Screenshot: Login with CAC]
Select your identity certificate (this is NOT the email certificate), enter your PIN if asked, and click OK.
NOTE: When you complete activation for one CAC, insert the other CAC and repeat the process.
[Screenshot: Select certificate]
Select Activate PIV certificate.
Select Activate PIV.
The PIV Update will process through Java.
[Screenshot: Java processing activation]
Make certain you select your MSC CAC here and not an Active Duty, Reservist, or previously used CAC. Your MSC CAC must be in the card reader to load the PIV Certificate. Any mismatch (i.e., selecting the wrong CAC, or not having the right CAC in the reader) will result in an error message.
PIV Update will continue to process: "This might take a few minutes."
[Screenshot: Reading data from CAC]
Java needs approval to move forward. Click No.
[Screenshot: Java message]
When the process is complete the system will tell you "the PIV Authentication Certificate is active."
[Screenshot: PIV is active]
2.2 Resetting the state of your cards in ActivClient
Now that your PIV cert is active you need to tell the system to reset (forget) the state of all cards in
ActivClient; it also lets you see the properties associated with your CAC and certificates. The ActivClient
Agent is accessed from the System Tray (lower right of your computer screen) and may appear differently
according to how a computer is set up. Below are two examples.
In the example below (left), ActivClient is in a group of hidden icons that are visible when you click on the triangle on the left side of the System Tray.
In the example below (right), ActivClient is on the left in the System Tray.
[Screenshot: ActivClient icon in the System Tray, two examples]
Note: MSC is currently using two versions of ActivClient, 6.xx and 7.xx. Instructions for both follow.
Locate the icon for your ActivClient Agent and click it. Then click Open.
[Screenshot: Open ActivClient]
ActivClient 6.xx (see below for ActivClient 7)
Select Tools, then Advanced, and click Forget state for all cards.
[Screenshot: Forget state for all cards]
Select Tools, then Advanced, and click Make Certificates Available to Windows.
ActivClient 7.xx
Select Tools, then Advanced, and click Reset optimization cache.
Once completed you must reboot your computer to make the certificates visible.
Close ActivClient and then re-open it. Double-click the My Certificates icon.
Note: View lets you select how you see the certificates: as icons, as a list, or as a detailed list.
[Screenshot: View my Certificates]
For both versions of ActivClient:
Confirm that you see four certs. Click on View and select Details to understand which certs you have.
[Screenshot: Certificates, listed as LastName.First...]
NOTE: The reason for exposing the PIV Auth Cert is that Dual Persona users are now required to use this
PIV Auth Cert to authenticate to DEPS. The email cert will be used only for signing and encrypting.
Sites to which you have been authenticating with your email certificate do not change; continue to use the
email certificate there. Only DISA DEPS sites will require the PIV Certificate for authentication.
2.3 Selecting the correct Certificate
When the browser prompts the user to select a certificate, three selections will be available.
Placing the cursor on each certificate reveals the hyperlink "Click Here to view certificate prope...".
Select the hyperlink and on the General tab find the certificate that says DOD PIV; that is the correct
one to use for authentication.
In the event the type of certificate is not visible in the General tab, select the Certification Path tab and
scroll in the window to find the information on the last item.
Use the scroll bar to see DOD Identity or DOD PIV Certificate to determine which is the PIV Certificate
needed for login.
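The rollover and Certification Path checks above, and the 10-digit versus 16-digit rule from the Introduction, can be done in one pass from the Windows certificate store once ActivClient has made the certificates available (section 2.2). The PowerShell below is an added example for this guide, not a DISA, DMDC or MSC tool. It assumes that ActivClient has published the CAC certificates to Cert:\CurrentUser\My, that the UPN in the Subject Alternative Name renders as "Principal Name=<digits>@mil", and that every CAC issuer name contains "DOD"; adjust the filter if your issuers differ.

```powershell
# Added example (not part of the MSC guide): list the CAC certificates in the
# current user's Windows store and flag the PIV Auth cert by the length of the
# UPN in its Subject Alternative Name: 10 digits = EDIPI-only identity/email
# certs, 16 digits = PIV Auth cert (as described in section 1 and 1.1).
# Run in a normal PowerShell window with the CAC inserted.

function Get-CacUpn {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the Subject Alternative Name extension. Format($true) renders
    # the UPN otherName as "Principal Name=<digits>@mil" (assumption about the
    # rendered text; check one certificate by hand if nothing matches).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }
    $text = $san.Format($true)
    if ($text -match 'Principal Name=(\d+)@mil') { return $Matches[1] }
    return $null
}

function Get-CacCertType {
    param([string]$Upn)
    switch ($Upn.Length) {
        10      { return 'Identity/Email (EDIPI only)' }
        16      { return 'PIV Auth (EDIPI plus FASC-N digits) <-- use for DEPS' }
        default { return 'Unknown UPN length' }
    }
}

$now = Get-Date
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match 'DOD' } |   # assumption: DoD CAs only
    ForEach-Object {
        $upn = Get-CacUpn -Cert $_
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            UPN        = $upn
            Type       = if ($upn) { Get-CacCertType -Upn $upn } else { 'No UPN (e.g. email encryption cert)' }
            Expired    = ($_.NotAfter -lt $now)     # an old CAC still in its grace period shows up here too
            Thumbprint = $_.Thumbprint
        }
    } | Format-Table -AutoSize
```

With both CACs activated you should see one 16-digit entry per card. The Expired column is worth a look for "surprise" Dual Persona users: a certificate from a previous CAC that is still within its grace period will still be listed and can be picked by mistake at the browser prompt.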
Appendix 1: Troubleshooting Dual Persona PIV Auth Cert Process
A.1 Compatibility Conflict: 32-bit vs 64-bit settings
Some people receive a RAPIDS Self Service (RSS) error message about a compatibility conflict between
settings for 32-bit and 64-bit desktop installations.
As more users upgrade their Operating System (OS) to 64-bit, issues may arise when ActivClient, Internet
Explorer (or another browser), and the JRE are not all the same bit level. Please confirm that your
ActivClient middleware, JRE, and browser (Internet Explorer or an alternative) are all at the same bit level:
ActivClient (32-bit), JRE (32-bit), and Internet Explorer (32-bit), or
ActivClient (64-bit), JRE (64-bit), and Internet Explorer (64-bit).
Any inconsistency among those three components means that you will not be able to use RSS and/or
other smart card-enabled applications.
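Install folder names ("Program Files" versus "Program Files (x86)") are an unreliable guide to bit level, since on a 64-bit Windows workstation both an x86 and an x64 Internet Explorer are present. The PowerShell below is an added example, not part of the MSC guide or an ActivClient, Oracle or Microsoft tool: it reads the Machine field of each executable's PE header and warns when the three components disagree. The three paths are assumptions for a typical install (the ActivClient executable name and the JRE folder in particular); replace them with the executables you actually launch, and run it from a 64-bit PowerShell so that $env:ProgramFiles resolves to C:\Program Files.

```powershell
# Added example (not part of the MSC guide): determine the bit level of the
# ActivClient agent, the JRE and Internet Explorer from their PE headers and
# report any mismatch, which is the A.1 failure mode for RAPIDS Self Service.

function Get-PeArchitecture {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Every PE file starts with the "MZ" DOS header; e_lfanew at offset 0x3C
    # points to the "PE\0\0" signature, and the 2-byte Machine field follows
    # immediately after that 4-byte signature.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return 'not a PE file' }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset + 6 -gt $bytes.Length -or $bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) {
        return 'not a PE file'
    }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014c  { '32-bit' }                                   # IMAGE_FILE_MACHINE_I386
        0x8664  { '64-bit' }                                   # IMAGE_FILE_MACHINE_AMD64
        default { 'unknown machine 0x{0:X4}' -f $machine }
    }
}

# Assumed locations; edit these to match your workstation.
$components = [ordered]@{
    'ActivClient'       = "$env:ProgramFiles\HID Global\ActivClient\acevents.exe"   # assumption
    'JRE'               = "$env:ProgramFiles\Java\jre1.8.0_101\bin\java.exe"        # assumption
    'Internet Explorer' = "$env:ProgramFiles\Internet Explorer\iexplore.exe"        # the copy your shortcut launches
}

$results = foreach ($name in $components.Keys) {
    [pscustomobject]@{
        Component    = $name
        Path         = $components[$name]
        Architecture = Get-PeArchitecture -Path $components[$name]
    }
}
$results | Format-Table -AutoSize

$levels = @($results.Architecture | Where-Object { $_ -in @('32-bit', '64-bit') } | Select-Object -Unique)
if ($levels.Count -gt 1) {
    Write-Warning "Mixed bit levels found ($($levels -join ', ')): RSS and other smart card-enabled applications will not work until all three match."
} elseif ($levels.Count -eq 1) {
    Write-Output "All located components are $($levels[0])."
}
```

A "missing" entry means the assumed path is wrong rather than that the component is absent; fix the path and rerun before concluding anything about the bit level.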
A.2 Problem accessing RAPIDS Self-Service
If there is a problem accessing the RAPIDS Self Service web site, contact the DMDC Support Center
(DSC) at 1-800-372-7437.
A.3 PIV Auth Cert is enabled, problem accessing DEPS
If someone's PIV Auth Cert is enabled but there are problems accessing DEPS, contact the DEPS team via
the Mission Partner local help desk for guidance or for help checking the provisioned account.
A.4 Personnel data seems to be incorrect
If someone's personnel data seems to be incorrect and not reflect their affiliations correctly, try the DMDC
Support Office at 1-800-538-9552.