CCAC - Accounts

CCAC Accounts Center

877 CCAC-039 (1-877-222-2039) – 937-255-0679
785-0679 (DSN) - 937-656-9538 (FAX)
accounts@ccac.hpc.mil

Obtaining an Account
Take the steps to apply for an account with CCAC Accounts.

Using Your Account
Follow these guidelines to make the most effective use of your account.

Maintaining Your Account
Know how to keep your account up-to-date.

Registering CAC Card
How to use the PKINIT/CAC/hToken login authentication option.

Obtaining an Account

Accounts are available to DoD or DoD-sponsored personnel. To obtain an account, the first step is to contact a Service Agency Approval Authority (S/AAA) for guidance. The S/AAA is an individual within your organization who can authorize your access to DoD resources. If you do not know who your S/AAA is, email require@hpcmo.hpc.mil for assistance.

Be prepared to discuss the following with your S/AAA:

Belonging to a DoD organization or having a DoD sponsor.
Applying for a Program Element Number (obtained via the S/AAA).
Obtaining approval by an S/AAA.

Using Your Account

User Responsibilities

All HPCMP customers using DoD resources are expected to adhere to the following guidelines.

Password Security

Commit your password to memory; never leave your password where it may be seen or used by others.

Do not share your password or give it to anyone. Sharing passwords will result in the loss of your account.

Account Security

Any suspected security problem should be immediately reported to the Customer Service Center.

Maintaining Your Account

Communication

Keep CCAC apprised of your current email address and other contact information. The most effective way to make information changes is through the Portal to Information Environment (pIE) at: https://ieapp.erdc.hpc.mil/info/kerberosValidate.jsp. This information will propogate to all sites where you have an HPCMP account.

Registering CAC Card

All inquiries related to registering and supporting your CAC (SMART) Card should be directed to the CCAC Help Desk, which can be reached at: 1-877-222-2039 or help@ccac.hpc.mil.

What Is PKINIT/CAC?

PKINIT/CAC is an additional option being offered that will allow HPCMP Kerberos users the ability to obtain Kerberos tickets with their current DoD Identification Card, also known as a CAC (Common Access Card). This will provide the same function as obtaining a ticket with a SecurID card. Once the applicable software kit is loaded and a user's CAC is registered, the user will be able to get Kerberos tickets using the PIN# assigned to their CAC card instead of their Kerberos password and SecurID passcode. Registered CAC users will still be able to use their Kerberos password and SecurID to authenticate.

Benefits?

PKINIT/CAC provides an additional option for Kerberos authentication.
Users only need to type in their CAC PINs instead of their Kerberos passwords and SecurID passcode.

How Do I Register My CAC?

You will be able to register your CAC card in pIE (portal to Information Environment): https://ieapp.erdc.hpc.mil/info/kerberosValidate.jsp
Log in to your account with your Kerberos principal, Kerberos password, and SecurID passcode
- Go to: User Information Environment.
- Go to: Register My Smart Card (CAC).
- You will receive an email from pIE validating your registration request.
Once registered, you will be able to use CAC to log into pIE in addition to Kerberos/SecurID (select "PKI Logon" at login screen)
Once you receive email notification that your CAC has been registered in pIE it must still be registered in the KDC. This process usually takes up to two (2) business days.

Requirements?

You must have a working DoD CAC card with a CAC enabled machine.
Supported client Operating Systems:
- Windows XP
- Windows Vista
- Linux
- MacOS 10.4
Beta versions are available for the following OSes
- MacOS 10.5 [Leopard]
- Solaris 10 - Sparc
- Solaris 10 - x86
Users must be 'homed' in one of the following HPCMP Kerberos realms:
- HPCMP.HPC.MIL
- ARL.HPC.MIL
- ASC.HPC.MIL
- NAVO.HPC.MIL
- WES.HPC.MIL

Where Do I Get PKINIT Software?

Some sites may have already deployed PKINIT software to user desktops. To check for existence of PKINIT-enabled Kerberos:
- Unix and Mac: Look for the 'pkinit' command in the Kerberos program director (should be a symbolic link to 'kinit')
- Windows: In krb5.exe in the Options Menu look for checkbox "Attempt PKINIT"
PKINIT client kits can be obtained from this link: http://www.hpcmo.hpc.mil/security/kerberos/
- Select Kerberos Login or PKI login
- Click on Software (Menu on left side of screen)
- If you wish to download and compile from source, choose "HPCMP_RELEASE_20090331"
- If you wish to use binary kits, choose from the "Binary" section
PKINIT kits and other related issues should be reported to the CCAC Service Center.

Where Do I Get Support?

User Guides and additional information can be obtained from this link: http://www.hpcmo.hpc.mil/security/kerberos/
- Select Kerberos Login or PKI login
- Click on Software (Menu on left side of screen)
- Scroll down to PKINIT documentation links
CAC card and middleware support must be provided by your LOCAL CAC support personnel.
- Examples: Broken card, Locked out PIN, Name Change, etc.
PKINIT kits and other related issues should be reported to the CCAC Service Center.

What Else Should I Know?

Before selecting this option, you should be aware of the following:

All new users will still be issued a SecurID card.
Existing SecurID cards will not be taken away, and should be kept functional and available
The SecurID should be available as a backup option in the event it is required.
Not all web sites are CAC ready - SecurID must still be used on some web sites.
Users that cannot get a CAC will be supported soon with alternated PKI tokens.
Because Kerberos Password/SecurID authentication is still enabled your Kerberos Password will still expire. If you allow your Kerberos Password to expire your account will be locked until you change it, using PKINIT to authenticate will not change this behavior.

WHAT IS AN hToken (eToken)?

An hToken (or eToken) is a small USB device that plugs into a user's USB port and enables them to obtain a Kerberos ticket. The hToken USB has been approved for DoD use, and the memo for the approval containing the DoD regulations is available at:
https://www.hpcmo.hpc.mil/Htdocs/SECURITY/hToken%20Approval%20Memo.pdf

hTokens are typically for users that do not have CAC cards. The S/AAA will decide if a user will have an hToken when the Kerberos account is being set up. Currently, only HPCMP and ASC realmed users are being issued hTokens; however, other realms will issue hTokens in the future.

PKINIT will allow HPCMP Kerberos users the ability to obtain Kerberos tickets with their hToken. This will provide the same function as obtaining a ticket with a SecurID or CAC card. Once the applicable software kit is loaded, the user will be able to get Kerberos tickets using the PIN# assigned to their hToken instead of their Kerberos password and SecurID passcode. Registered CAC users will still be able to use their Kerberos password and SecurID to authenticate.

BENEFITS?

PKINIT/hToken provides Kerberos authentication.
Users type in their hToken PIN and password instead of their Kerberos password and SecurID passcode.

Registering your hToken

All inquiries related to registering and supporting your hToken should be directed to the CCAC Help Desk, which can be reached at: 1-877-222-2039 or help@ccac.hpc.mil.

Once your token is activated, it is registered and ready to use.
Once registered, you will be able to use hToken to log into pIE in addition to Kerberos/SecurID/CAC (select "PKI Logon" at login screen).

REQUIREMENTS?

Supported client Operating Systems:
- Windows XP
- Windows Vista
- MacOS 10.4
  
  NOTE: Linux (currently not supported, but will be in the near future).
Beta versions are available for the following OS:
- MacOS 10.5 [Leopard]
- Solaris 10 - Sparc
- Solaris 10 - x86
Users must be 'homed' in one of the following HPCMP Kerberos realms:
- HPCMP.HPC.MIL
- ASC.HPC.MIL
  
  NOTE: Other realms will issue hTokens in the near future.

WHERE DO I GET PKINIT SOFTWARE?

Some sites may have already deployed PKINIT software to user desktops. To check for existence of PKINIT-enabled Kerberos:
- Unix and Mac: Look for the 'pkinit' command in the Kerberos program director (should be a symbolic link to 'kinit')
- Windows: In krb5.exe in the Options Menu look for checkbox "Attempt PKINIT"
PKINIT client kits can be obtained from this link:
http://www.hpcmo.hpc.mil/security/kerberos/
- Select Kerberos Login or PKI login
- Click on Software (Menu on left side of screen)
- If you wish to download and compile from source, choose the last HPCMP release.
- If you wish to use binary kits, choose from the "Binary" section
PKINIT kits and other related issues should be reported to the CCAC Service Center.

WHERE DO I GET SUPPORT?

User Guides and additional information can be obtained from this link:
http://www.hpcmo.hpc.mil/security/kerberos/
- Select Kerberos Login or PKI login
- Click on Software (Menu on left side of screen)
- Scroll down to PKINIT documentation links
htoken use, software and other related issues should be reported to the CCAC Service Center.
- Examples: hToken not responding, PIN not working, error messages, etc.
PKINIT kits and other related issues should be reported to the CCAC Service Center.

WHAT ELSE SHOULD I KNOW?