Services Directorate

Dual Persona User Guide for DoD Enterprise Portal Service

Military Sealift Command Version September 8, 2016


Document Approval

Document Approved By: Brian Purdy
Date Approved: ??/??/2016


Revision History

Table 2. Revision History

Version | Date             | Primary Author(s) | Revision/Change        | Pages Affected
0.1     | 17 July 2016     | Mike Lacher       | Initial Draft          | All
0.2     | 8 August 2016    | Greg Lane         | Customized for MSC     |
0.3     | 8 September 2016 | Greg Lane         | Updated to include AC7 | 9, 10


Table of Contents

Document Approval .................................................................................................................................... ii

Revision History ......................................................................................................................................... iii

Abbreviations, Acronyms, and Definitions ............................................................................................. vi

1. INTRODUCTION .................................................................................................................................. 1

1.1 PURPOSE .................................................................................................................................... 2

1.2 SCOPE ........................................................................................................................................ 2

1.3 PREREQUISITES .......................................................................................................................... 2

2 DUAL PERSONA DEPS SETUP ......................................................................................................... 3

2.1 DMDC Self-Service and Activating PIV Auth Cert .......................................................................... 3

2.2 Resetting the state of your cards in ActivClient ........................................................................... 8

2.3 Selecting the correct Certificate ................................................................................................ 11

Appendix 1: Troubleshooting Dual Persona PIV Auth Cert Process ................................................................ 13


DISCLAIMER

This supplement is provided as a tool to support Mission Partner Migration Project Managers and their Dual Persona end-users. The steps for managing Dual Persona certification are based on the experience gathered from previous migrations. These steps may differ somewhat from a specific Mission Partner’s configuration, but they should be of use to the end users and their Level I Service Desk.

OVERVIEW

Some individuals may have two or more personas (active identities) in the Defense Manpower Data Center (DMDC) database. This is commonly known as having a Dual Persona – for instance, someone who is a DoD civilian employee or contractor and in the Army Reserve.

As part of DISA’s implementation of DoD Enterprise Portal Service (DEPS), there is a requirement for users with Dual Personas to activate the personal identity verification authentication certificate (PIV Auth Cert) on each of their CACs. This PIV Auth Cert will then be used during login to DEPS.

There are also people who may have a “surprise” Dual Persona. This can happen when someone has transitioned from one DoD role to another (for instance, from being a contractor to becoming a civilian employee). There is a grace period that keeps the person’s old CAC recognized: if this overlaps with the new active role, a Dual Persona will be seen in the system.

This document provides detailed information on how to activate the PIV Auth Cert. These steps need to be performed by end users with a Dual Persona.

Most problems with starting DEPS access will occur when someone is unaware of his or her Dual Persona status. The key here is to be aware of the possibility and go through the steps required for those who are bona fide Dual Persona. The most common indicator that a user may be Dual Persona is if he or she receives an F5 Access Policy Module error page with a session ID number when accessing DEPS after selecting the Email Certificate.


Abbreviations, Acronyms, and Definitions

The following abbreviations, acronyms, and definitions aid in the understanding of this document.

CAC – Common Access Card: identification and sometimes benefits and privilege card produced by the DoD, which contains an Integrated Circuit Chip (ICC) holding demographic data and digital certificates
DMDC – Defense Manpower Data Center
DNS – Domain Name System
DoD – Department of Defense
DSC – DMDC Support Center
DSLogon – Unique logon ID and password given to DoD beneficiaries to access DoD web applications in lieu of a CAC
FASC-N – Federal Agency Smart Credential Number
JDM – Joint Data Model
JRE – Java Runtime Environment
PCC – Personnel Category Code
PIV – Personal Identity Verification
RAPIDS – Real-time Automated Personnel Identification System: application used to update data on the DEERS Person Data Repository (PDR) and create DoD identification cards
RSS – RAPIDS Self Service
UMP – User Maintenance Portal
UPN – User Principal Name

UNCLASSIFIED // FOR OFFICIAL USE ONLY September 8, 2016


1. INTRODUCTION

This guide provides instructions on how Dual Persona end users coming onboard to DoD Enterprise Portal Service (DEPS) can use the DMDC RAPIDS Self-Service web application to update the firmware on their CAC to display the PIV Auth cert.

This must be done because DEPS leverages the DISA Enterprise Applications Services Forest (EASF) for authentication control. For DoD personnel with one persona (e.g., one of the following: Military (.mil), Civilian (.civ), or Contractor (.ctr)), the login token is their Common Access Card Email Signing Certificate. Users with multiple personas (e.g., civilian employee and reservist) have a CAC for each persona; however, the login token is the personal identity verification authentication certificate (PIV Auth Cert) located on each CAC.

CAC cards do not, by default, display the PIV Auth cert; they must be updated by the card-holder. Even when activated, they will still look like your other (non-email) certificates until you roll the cursor over your name. A regular cert will display 10 numbers and the PIV Auth Cert will show 16 numbers. When logging in to DEPS, the PIV cert needs to be selected.

[Figure: PIV Auth Cert – 16 digits]


1.1 PURPOSE

With a mission partner managed SharePoint environment, accounts are typically provisioned as needed, and restricted to the specific identity associated with that mission partner (civilian, contractor, military, etc.). The DISA EASF, leveraged by many of DISA’s Enterprise Services, automatically provisions accounts for all DoD CAC users. But only one digital identity is recognized until an individual who has two CACs activates the PIV Auth cert on both cards. The PIV Auth certificates have a field that is unique for the CAC-holder called the Federal Agency Smart Credential Number (FASC-N). This lets a Dual Persona apply the PIV Auth cert to login with either CAC, depending on which account is to be accessed.

The FASC-N number is added to the 10-digit EDIPI; when logging into DEPS, the system passes the unique number from the PIV certificate and matches it to the correct account and authenticates the user (the number is the EDIPI plus a much longer FASC-N, of which only 16 numbers are displayed when the cursor is rolled over the certificate).

The end user will need to ensure the correct CAC is used for the particular account he or she wants to access.

1.2 SCOPE

The reason for activation of this certificate is to support multiple personas in the EASF Domain with a simplified CAC login (once properly set up) to DEPS.

1.3 PREREQUISITES

In order to update your CAC, your laptop or workstation must be CAC-enabled (a DEPS requirement).

WARNING—Only people with Dual Personas should proceed with these steps; those who aren’t sure, but think they may qualify, should open a ticket with their support team for escalation to DISA to verify.


2 DUAL PERSONA DEPS SETUP

Setting up your Dual Persona PIV Auth Cert requires a number of steps:

1. Connecting to DMDC RAPIDS Self-Service
2. Activating each CAC’s PIV Auth Cert
3. Having the system “forget” your individual certificates
4. Resetting your CAC identities in ActivClient

2.1 DMDC Self-Service and Activating PIV Auth Cert

In order to access DEPS, you need to activate your PIV authentication certificate for each CAC and then have ActivClient forget the previous state of all your CACs.

Go to RAPIDS Self Service @ https://www.dmdc.osd.mil/self_service and sign on.

[Figure: Welcome to RAPIDS]

Click Ok.

[Figure: DEERS]


Log in with your CAC.

[Figure: Login with CAC]

Select your identity certificate (this is NOT the email certificate), enter your PIN if asked, and click OK.

NOTE: When you complete activation for one CAC, insert the other CAC and repeat the process.

[Figure: Select certificate]


Select Activate PIV certificate.

[Figure: Select Activate PIV]

The PIV Update will process through Java.

[Figure: Java processing activation]

Make certain you select your MSC CAC here and not an Active Duty, Reservist, or previously used CAC. Your MSC CAC must be in the card reader to load the PIV Certificate. Any mismatch (i.e., selecting the wrong CAC or not having the right CAC in the reader) will result in an error message.


PIV Update will continue to process: “This might take a few minutes.”

[Figure: Reading data from CAC]

Java needs approval to move forward. Click No.

[Figure: Java message]

When the process is complete the system will tell you “the PIV Authentication Certificate is active.”

[Figure: PIV is active]


2.2 Resetting the state of your cards in ActivClient

Now that your PIV cert is active you need to tell the system to reset (forget) the state of all cards in ActivClient; this also lets you see the properties associated with your CAC and certificates. The ActivClient Agent is accessed from the System Tray (lower right of your computer screen) and may appear differently according to how a computer is set up. Below are two examples.

In the example below (left), ActivClient is in a group of hidden icons that are visible when you click on the triangle on the left side of the System Tray.

In the example below (right), ActivClient is on the left in the System Tray.

[Figure: ActivClient in the System Tray]

Note: MSC is currently using two versions of ActivClient – 6.xx and 7.xx. Instructions for both follow.

Locate the icon for your ActivClient Agent and click it. Then click Open.

[Figure: Open ActivClient]


ActivClient 6.xx (see below for ActivClient 7.xx)

Select Tools > Advanced, then click Forget state for all cards.

[Figure: Forget state for all cards]

Select Tools > Advanced, then click Make Certificates Available to Windows.

ActivClient 7.xx

Select Tools > Advanced, then click Reset optimization cache.

Once completed you must reboot your computer to make the certificates visible.


Close ActivClient and then re-open it. Double-click the My Certificates icon.

Note: The View menu lets you select how you see the certificates—as icons, as a list, or as a detailed list.

[Figure: View my Certificates]

For both versions of ActivClient:

Confirm that you see four certs. Click on View and select Details to understand which certs you have.

[Figure: Certificates – four entries, each listed as LastName.First...]

NOTE: The reason for exposing the PIV Auth Cert is that Dual Persona users are now required to use this PIV Auth Cert to authenticate to DEPS. The email cert will be used only for signing and encrypting. Sites that you have been authenticating to with your email certificate do not change; continue to use the email certificate for them. Only DISA DEPS sites will require the PIV Certificate for authentication.


2.3 Selecting the correct Certificate

When the browser prompts the user to select a certificate, three selections will be available.

Placing the cursor on each certificate reveals the hyperlink “Click Here to view certificate prope…” Select the hyperlink and on the General tab find the certificate that says DOD PIV; that is the correct one to use for authentication.

In the event the type of certificate is not visible in the General tab, select the Certification Path tab and scroll in the window to find the information on the last item.


Use the scroll bar to see DOD Identity or DOD PIV Certificate to determine which is the PIV Certificate needed for login.
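Hovering over each certificate in the browser prompt is tedious when four look-alike entries are listed. The PowerShell script below is an added example, not part of this guide or of ActivClient; it lists the certificates ActivClient has made available to Windows and labels the one that matches the guide's two rules (16 digits after the name where a regular cert shows 10, and properties that read DOD PIV). It assumes the certs are in the current user's Personal store (Cert:\CurrentUser\My) and that the 10/16-digit value appears in the Subject or Subject Alternative Name; anything that matches neither rule is reported as Unknown rather than guessed.

```powershell
# Added example; it is not part of the MSC guide or of ActivClient.
# Lists the certificates ActivClient has published to Windows and labels the one that
# looks like the PIV Auth Cert, applying the guide's own rules: 16 digits after your
# name (a regular cert shows 10) and properties that read "DOD PIV".
# Assumptions: certs are in Cert:\CurrentUser\My, and the 10/16-digit value appears in
# the Subject or in the Subject Alternative Name of the certificate.

function Get-CacCertificateSummary {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # store location is an assumption

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Text of the Subject Alternative Name extension, if the cert has one
        $sanExt = $cert.Extensions |
            Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
            Select-Object -First 1
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

        # Every run of digits in the Subject and SAN; the guide's 10 vs 16 rule is applied to these
        $digitRuns = [regex]::Matches("$($cert.Subject) $sanText", '\d+') | ForEach-Object { $_.Value }

        # Enhanced Key Usage names (e.g. "Smart Card Logon") help confirm what the cert is for
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ekuNames = if ($ekuExt) { ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { '' }

        # Classify; anything that matches neither rule stays Unknown rather than being guessed
        $kind = 'Unknown'
        $has16 = [bool]($digitRuns | Where-Object { $_.Length -eq 16 })
        $has10 = [bool]($digitRuns | Where-Object { $_.Length -eq 10 })
        if ($has16 -or ($cert.FriendlyName -match 'PIV')) {
            $kind = 'PIV Auth Cert (select this for DEPS)'
        } elseif ($has10) {
            $kind = 'Regular cert (keep using for email and non-DEPS sites)'
        }

        [pscustomobject]@{
            Kind         = $kind
            FriendlyName = $cert.FriendlyName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            EKU          = $ekuNames
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
        }
    }
}

# The guide says four certs should be visible after the ActivClient reset; list them
Get-CacCertificateSummary | Format-Table Kind, FriendlyName, EKU, NotAfter -AutoSize
```

Run it after the ActivClient reset and reboot described in section 2.2; if fewer than four certificates appear, or none is labelled as the PIV Auth Cert, the certificates have not been made available to Windows yet and the reset steps should be repeated before troubleshooting the browser prompt.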


Appendix 1: Troubleshooting Dual Persona PIV Auth Cert Process

A.1 Compatibility Conflict: 32-bit vs 64-bit settings

Some people receive a RAPIDS Self Service (RSS) error message regarding a compatibility conflict that exists between settings related to 32-bit and 64-bit desktop installations.

As more users upgrade their Operating System (OS) to 64-bit compatibility, issues may arise if using ActivClient, Internet Explorer (or other browsers), and JRE versions that are not the same bit level. Please confirm that your ActivClient middleware, JRE, and browser (Internet Explorer or an alternative) are all set to the same bit level:

ActivClient (32-bit), JRE (32-bit), and Internet Explorer (32-bit), or
ActivClient (64-bit), JRE (64-bit), and Internet Explorer (64-bit).

Any inconsistency among those three components means that you will not be able to use RSS and/or other smart card-enabled applications.
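Checking the bit level of each component by hand means opening three different dialogs. The PowerShell script below is an added example, not part of this guide; it reports the bit level of the three components the appendix says must agree and warns when ActivClient and the JRE differ. It assumes installed products can be found through the standard Windows uninstall registry keys (native products under HKLM:\SOFTWARE, 32-bit products on 64-bit Windows under HKLM:\SOFTWARE\WOW6432Node) and that on 64-bit Windows both copies of Internet Explorer are present, so for Internet Explorer it tells you which copy to launch rather than which is installed. The product name patterns are assumptions too; adjust them if your ActivClient or Java entries are named differently.

```powershell
# Added example; it is not part of the MSC guide. Reports the bit level of ActivClient,
# the JRE and Internet Explorer so a mismatch (appendix A.1) can be spotted quickly.
# Assumptions: products are discovered via the standard uninstall registry keys, and
# the DisplayName patterns below match how ActivClient and Java register themselves.

function Get-InstalledProductBitness {
    param([Parameter(Mandatory = $true)][string]$NamePattern)   # regex matched against DisplayName

    # Native view holds products matching the OS bit level; WOW6432Node holds 32-bit products on 64-bit Windows
    $nativeBits = if ([Environment]::Is64BitOperatingSystem) { '64-bit' } else { '32-bit' }
    $views = @(
        @{ Bits = $nativeBits; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' },
        @{ Bits = '32-bit';    Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' }
    )
    foreach ($view in $views) {
        if (-not (Test-Path $view.Path)) { continue }   # WOW6432Node does not exist on 32-bit Windows
        Get-ChildItem -Path $view.Path |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -match $NamePattern } |
            ForEach-Object {
                [pscustomobject]@{ Product = $_.DisplayName; Version = $_.DisplayVersion; Bits = $view.Bits }
            }
    }
}

function Test-SmartCardStackBitness {
    # A 32-bit PowerShell on 64-bit Windows is redirected to WOW6432Node and would hide 64-bit products
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        Write-Warning 'Running 32-bit PowerShell on 64-bit Windows; re-run from the 64-bit PowerShell for accurate results.'
    }

    $found = @()
    $found += @(Get-InstalledProductBitness -NamePattern 'ActivClient|ActivID')
    # Matches "Java 8 Update 101" or "Java(TM) 7 Update 80" but not "Java Auto Updater" (32-bit only)
    $found += @(Get-InstalledProductBitness -NamePattern '^Java(\(TM\))?\s+\d')

    # Internet Explorer: both copies exist on 64-bit Windows, so report each that is present
    $nativeBits = if ([Environment]::Is64BitOperatingSystem) { '64-bit' } else { '32-bit' }
    $ieCandidates = @(@{ Dir = $env:ProgramFiles; Bits = $nativeBits })
    if (${env:ProgramFiles(x86)}) { $ieCandidates += @{ Dir = ${env:ProgramFiles(x86)}; Bits = '32-bit' } }
    foreach ($c in $ieCandidates) {
        $exe = Join-Path $c.Dir 'Internet Explorer\iexplore.exe'
        if (Test-Path $exe) {
            $found += [pscustomobject]@{
                Product = 'Internet Explorer (launch this copy)'
                Version = (Get-Item $exe).VersionInfo.ProductVersion
                Bits    = $c.Bits
            }
        }
    }

    $found | Format-Table Product, Version, Bits -AutoSize

    # The appendix's rule: middleware and JRE at one bit level, and IE launched to match it
    $levels = @($found | Where-Object { $_.Product -notmatch 'Internet Explorer' } |
        Select-Object -ExpandProperty Bits -Unique)
    if ($levels.Count -gt 1) {
        Write-Warning "ActivClient and JRE are at different bit levels ($($levels -join ', ')); RSS will not work until they match."
    } elseif ($levels.Count -eq 1) {
        Write-Host "ActivClient and JRE are both $($levels[0]); launch the $($levels[0]) Internet Explorer for RSS."
    } else {
        Write-Warning 'Neither ActivClient nor a JRE was found in the uninstall registry keys.'
    }
}

Test-SmartCardStackBitness
```

The output is meant to be attached to the support ticket described in A.2 and A.3: it gives the help desk the three version and bit-level values in one place instead of asking the user to read them out of three separate dialogs.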

A.2 Problem accessing RAPIDS Self-Service

If there is a problem accessing the RAPIDS Self Service web site, contact the DMDC Support Center

(DSC) at 1-800-372-7437.

A.3 PIV Auth Cert is enabled, problem accessing DEPS

If someone's PIV Auth Cert is enabled but there are problems accessing DEPS, for guidance or help checking their provisioned account try contacting the DEPS team via the Mission Partner local help desk.

A.4 Personnel data seems to be incorrect

If someone's personnel data seems to be incorrect and not reflect their affiliations correctly, try the DMDC

Support Office at 1-800-538-9552.