Smart Cards

Has anyone used Smart Cards with a webMethods product? We are thinking about using it with Broker SSL architecture, but my understanding is the smart cards aren’t accessed the same as a file on a file system.

Curious if anyone has played with this technology and webMethods. Please post or contact me if you have. Thanks.

Jordan,

This is a very interesting question. Personally I have just used Smart Cards to digitally sign documents, and I think it is a bit expensive to use Smart Cards to access webMethods. What is the business process that you are targeting?

Robert

The Broker architecture requires SSL to introduce Authorization and ACL’s. We are not going to use Smart Cards to sign run-time documents, rather use them for User-level authorization on the Broker. Give each developer a smart card (as opposed to a direct certificate), to use the GUI tools to hook into the Broker.

Jordan,

Ok, I see. Let me know if you get this to work.

Regards

Robert

This is a pretty interesting issue - from what I’ve read about them, a cryptographic smart card (as opposed to a memory smart card) is really a little computer that digitally signs authentication requests sent over the wire. That way, your secret key is never exposed outside of the smart card (not even to the computer the smart card terminal is connected to).

There are some standards - notably the Javacard API and PC/SC. Also, some browsers - Mozilla and IE I think - natively support Smart Card functionality so you can use the Smart Card like a client certificate in a browser. But I don’t see how it would be simple to implement SC functionality in non-browser environments like EI or other developer tools that don’t support Smart Cards directly.

A (more expensive) alternative is using RSA SecurID tokens - these are little matchbox-size boxes that display new passwords every 60 seconds. The login/password request must be validated by a central RSA server which each of these SecurID tokens is synchronized to. This way, you use constantly-changing username/password pairs – works fine as long as the broker or IS can query the RSA external server for authentication.

Do let us know what you come up with.
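The challenge-signing flow described in the reply above (card signs a request, private key never leaves the card, server checks the signature against an enrolled public key) as an added Go example; this is illustration code written for this thread, not webMethods or Broker code. Ed25519 from the standard library stands in for the RSA keys real cards of that era held, the `login-challenge-v1:` purpose tag and the user name are constructed for the example, and the `Card` type only models the card's behaviour in software.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Card stands in for a cryptographic smart card. The private key is an
// unexported field and the only operation the host can ask for is a signature
// over a challenge, mirroring how a real card keeps the key off the host.
// (Ed25519 is an assumption for this illustration; cards of the era used RSA.)
type Card struct {
	priv ed25519.PrivateKey
}

// NewCard "personalises" a card: the key pair is generated inside it and only
// the public half is handed back for enrolment on the server.
func NewCard() (*Card, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, pub, nil
}

// toBeSigned prefixes a fixed purpose tag (constructed for this example) so a
// login signature can never be mistaken for a signature over other data.
func toBeSigned(challenge []byte) []byte {
	return append([]byte("login-challenge-v1:"), challenge...)
}

// Sign is the card's single exposed operation.
func (c *Card) Sign(challenge []byte) []byte {
	return ed25519.Sign(c.priv, toBeSigned(challenge))
}

// Authenticator is the server side (the Broker, in the thread's scenario):
// enrolled public keys per user plus at most one outstanding challenge each.
type Authenticator struct {
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public key the card handed over at personalisation time.
func (a *Authenticator) Enroll(user string, pub ed25519.PublicKey) {
	a.users[user] = pub
}

// Challenge issues a fresh 32-byte random nonce and remembers it so it can be
// answered exactly once.
func (a *Authenticator) Challenge(user string) ([]byte, error) {
	if _, ok := a.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	a.pending[user] = nonce
	return nonce, nil
}

// Verify checks that the challenge is the one outstanding for this user,
// retires it (so a captured response cannot be replayed) and only then checks
// the signature against the enrolled public key.
func (a *Authenticator) Verify(user string, challenge, sig []byte) error {
	pub, ok := a.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, ok := a.pending[user]
	if !ok || !bytes.Equal(expected, challenge) {
		return errors.New("no matching outstanding challenge")
	}
	delete(a.pending, user)
	if !ed25519.Verify(pub, toBeSigned(challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	card, pub, err := NewCard()
	if err != nil {
		panic(err)
	}
	auth := NewAuthenticator()
	auth.Enroll("developer1", pub)
	ch, _ := auth.Challenge("developer1")
	fmt.Println("first login:", auth.Verify("developer1", ch, card.Sign(ch))) // <nil>
	fmt.Println("replayed:   ", auth.Verify("developer1", ch, card.Sign(ch))) // error
}
```

The design point is that the host only ever moves a nonce in and a signature out; nothing on the host (not the GUI tool, not the workstation) can extract the key, and a recorded response is useless because the server retires each challenge after one use.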
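The time-synchronized token alternative mentioned above (a display that rolls over to a new code every step, validated by a central server that shares the token's secret) as a second added Go example, again written for this thread rather than taken from RSA or webMethods. SecurID's own algorithm is proprietary, so this uses the open RFC 4226 HOTP / RFC 6238 TOTP construction as a stand-in; the 30-second step, the shared secret and the one-step drift window are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to 31 bits, then reduce to the wanted number of decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP per RFC 6238: the counter is the number of whole steps since the epoch.
// This is what the token's display would show at a given moment.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix()/int64(step/time.Second)), digits)
}

// Validator is the central server's view of one token: the shared secret plus
// the highest counter it has already accepted, so a code cannot be reused.
type Validator struct {
	secret   []byte
	step     time.Duration
	digits   int
	skew     int   // steps of clock drift tolerated on each side
	lastUsed int64 // highest counter accepted so far; -1 before first use
}

func NewValidator(secret []byte) *Validator {
	return &Validator{secret: secret, step: 30 * time.Second, digits: 6, skew: 1, lastUsed: -1}
}

// Verify accepts the code if it matches any counter within the drift window
// that has not already been consumed; comparison is constant-time.
func (v *Validator) Verify(code string, now time.Time) bool {
	current := now.Unix() / int64(v.step/time.Second)
	for c := current - int64(v.skew); c <= current+int64(v.skew); c++ {
		if c < 0 || c <= v.lastUsed {
			continue
		}
		if hmac.Equal([]byte(HOTP(v.secret, uint64(c), v.digits)), []byte(code)) {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: the RFC 4226 / RFC 6238 test-vector key.
	secret := []byte("12345678901234567890")
	v := NewValidator(secret)
	at := time.Unix(59, 0)
	code := TOTP(secret, at, 30*time.Second, 6)
	fmt.Println("token shows:", code)          // 287082
	fmt.Println("first use:  ", v.Verify(code, at)) // true
	fmt.Println("replay:     ", v.Verify(code, at)) // false
}
```

The `lastUsed` high-water mark is the part people most often leave out: without it a code stays valid for the whole drift window, which is exactly the replay the constantly-changing password was meant to prevent.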