Date posted: 22-Apr-2015
Category: Technology
Uploaded by: kuwait-computer-services
OpenTrust PKI
Trust your Network
© OpenTrust - All rights reserved.
Contents
• OpenTrust PKI – Mission, Features and Architecture
• Distribution workflows
• Directory Integration
• SCEP
• Monitoring
• Separation of duties
• Reporting
• Audit Logs
OpenTrust PKI: Missions
• Lifecycle Management for Certification Authorities
  – Online or Offline CAs
  – Creation of Root and Operational CAs
• Lifecycle Management for Certificates
  – Define certificate templates
  – Request, Approve, Revoke, Renew, Recover
  – Publish to directories
• Interoperability and Integration
  – OCSP Server
  – CRL Publication
  – SOAP Connectors
OpenTrust PKI: Features
Workflows for certificate delivery, renewal and revocation

Self-Enrollment Protocols
• Self-enrollment for Windows machines
• SCEP for self-enrollment of other devices: routers, firewalls, servers

User-friendly interfaces
• Certificate Profiles: detailed configuration of X509 extensions, DN, lifetimes, notification policies
• Email Profiles: highly customizable and multilingual email templates
• Publication Profiles: for certificates and CRLs
OpenTrust PKI: Features
Flexible Rights Management by Users, Zones, Groups

Traceability
• Logs are chained and signed
• Logs are searchable through a web interface

Open and Modular Architecture
• Split into functional modules: CA, RA, EE
• Dedicated module for log management
• Possible multi-server installation
• HSM support
• Control through SOAP

High-Availability Active/Passive
Common Criteria EAL3+ Certification
OpenTrust PKI: Architecture
[Architecture diagram: Users and Administrators reach the Registration Authority (RA) and the Enrollment Entity (EE) over HTTPS. The EE carries the Microsoft Connector (CMC/AEP), the Device Connector (SCEP) and Web Services (SOAP/HTTPS) used by third-party applications (IAM and others); network components enrol through it. The RA hosts the Data Source Manager, Certificate Publication, Notification Manager, Log/Audit and CRL functions, and talks LDAP to the LDAP/AD Directory. Certificate requests flow from the RA/EE to the Certification Authority (CA) side, which shows an Operational CA and a Root CA (offline or online), Certification Authority A and Certification Authority B, all backed by Security Devices (HSM). Certificate types shown: VPN, Encryption, Authentication, Signature, Code Signing and SSL certificates.]
OpenTrust PKI: Distribution Workflows
Flexible workflows for Certificate Delivery
• Decentralized: on-board key generation
• Centralized with optional key escrow: on-server key generation
• Validation levels: pre-approval, approval or self-enrollment using LDAP
• DN definition: manual entry or fetched from directory
OpenTrust PKI: Workflows
Certificate Renewal
• Configurable renewal period with email reminders
• Optionally administrator-approved

Certificate Recovery
• User request, operator-approved, or operator request

Certificate Revocation
• Revocation by an operator or self-revocation with revocation code
OpenTrust PKI: Directory Integration
Microsoft CA behavior for WCCE requests, without the limitations
• Self-enrollment for users, domain controllers and workstations
• Better network security: prevent virus propagation from affecting your PKI
• One PKI instance hosts several CAs
• Segregation of duty: AD administrators have no rights on the PKI

Publish certificates in AD
Publish CRLs in AD

[Diagram: Microsoft objects reach the OpenTrust AEP* over DCOM (125 + variable port); the AEP reaches the PKI over HTTPS.]
* AEP: Auto Enrollment Proxy
OpenTrust PKI: SCEP
SCEP enrollment flow between the network component, the RA and the CA:
1 – Certificate and key pair generation on the device (manual generation)
2 – SCEP-based certificate request
3 – Request approval
4 – Request forwarding (RA to CA)
5 – Certificate creation
6 – Certificate forwarding (CA to RA)
7 – LDAP publishing of certificate (optional)
8 – SCEP-based certificate retrieval

Key pairs and certificate requests are generated by network components:
• Native support for Cisco's SCEP protocol
• Certification request is sent to the CA using the enterprise network
• Asynchronous mode: enrolling devices obtain certificates through a polling process
• Synchronous mode: request is pre-approved and the certificate is generated and immediately returned
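The difference between the two modes is easiest to see as the state the RA keeps per transaction. The following is an added example, not OpenTrust code: a toy registration-authority model in which a pre-approved profile answers immediately (synchronous mode) while any other profile parks the request until an operator approves it and the device polls for the result (asynchronous mode). The class and field names, profile names and the certificate record are assumptions; a real CA would sign an X.509 certificate where `_issue` fabricates a record.

```python
# Added example (not OpenTrust code): a toy registration-authority state
# machine illustrating the synchronous (pre-approved) and asynchronous
# (polling) SCEP enrollment modes. Names and the certificate record are
# assumptions made for the example.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Status words returned to the polling device (modelled on SCEP pkiStatus)
PENDING, SUCCESS, FAILURE = "PENDING", "SUCCESS", "FAILURE"


@dataclass
class Certificate:
    subject: str
    key_fingerprint: str      # SHA-256 of the device's public key (constructed stand-in)
    not_after: datetime


@dataclass
class RegistrationAuthority:
    # profile name -> True when its requests are pre-approved (synchronous mode)
    pre_approved_profiles: dict = field(default_factory=dict)
    _pending: dict = field(default_factory=dict)   # transaction id -> (subject, public key)
    _issued: dict = field(default_factory=dict)    # transaction id -> Certificate
    _rejected: set = field(default_factory=set)

    def submit(self, transaction_id: str, subject: str, public_key: bytes, profile: str) -> str:
        """Step 2: the device submits a request; its private key never leaves it (step 1)."""
        if transaction_id in self._issued or transaction_id in self._pending:
            return FAILURE  # duplicate transaction id
        if self.pre_approved_profiles.get(profile, False):
            # Synchronous mode: steps 3-6 collapse into one and the certificate is returned now
            self._issue(transaction_id, subject, public_key)
            return SUCCESS
        # Asynchronous mode: park the request until an operator approves it (step 3)
        self._pending[transaction_id] = (subject, public_key)
        return PENDING

    def approve(self, transaction_id: str) -> None:
        """Step 3 by an operator, then steps 4-6 (forward to CA, create, forward back)."""
        subject, public_key = self._pending.pop(transaction_id)
        self._issue(transaction_id, subject, public_key)

    def reject(self, transaction_id: str) -> None:
        self._pending.pop(transaction_id)
        self._rejected.add(transaction_id)

    def poll(self, transaction_id: str):
        """Step 8: the device retrieves its certificate, polling while still pending."""
        if transaction_id in self._issued:
            return SUCCESS, self._issued[transaction_id]
        if transaction_id in self._pending:
            return PENDING, None
        return FAILURE, None

    def _issue(self, transaction_id: str, subject: str, public_key: bytes) -> None:
        # Stand-in for step 5 at the CA: a real CA signs an X.509 certificate here
        fingerprint = hashlib.sha256(public_key).hexdigest()
        not_after = datetime.now(timezone.utc) + timedelta(days=365)
        self._issued[transaction_id] = Certificate(subject, fingerprint, not_after)


if __name__ == "__main__":
    ra = RegistrationAuthority(pre_approved_profiles={"vpn-gateway": True, "branch-router": False})
    print(ra.submit("tx-1", "CN=gw1.example.test", b"constructed-public-key-1", "vpn-gateway"))
    print(ra.submit("tx-2", "CN=rtr1.example.test", b"constructed-public-key-2", "branch-router"))
    print(ra.poll("tx-2")[0])
    ra.approve("tx-2")
    print(ra.poll("tx-2")[0])
```

The defender-side point the model makes visible: pre-approval removes the human review step entirely, so a profile configured for synchronous mode is only as safe as whatever authenticated the device before the request reached the RA.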
OpenTrust PKI: Monitoring
OpenTrust SNMP monitoring agent
• Unix service
• Connected to directories
• Certificates and CRL expiration
• Connected to HSM
• Disk information
• Host system data: RAM, swap, CPU

Integrated Dashboard
OpenTrust PKI: Segregation of Duties
Flexible rights model
Rights are defined for Users, Groups
Separated Rights for
– Modules
– Zones and Profiles
OpenTrust PKI: Segregation of Duties
Rights on Modules
Global to the platform
– Access to a module
– Rights to manage platform-wide properties
  • Control rights and groups
  • Configure server
  • Configure certificate profiles
OpenTrust PKI: Segregation of Duties
Rights on Profiles
Manage Administrator actions for
– Enrollment
– Revocation
– Activity report
– Recovery
OpenTrust PKI: Zones
Going further in segregation of duties
• Rights are usually granted per Certificate Profile
• Rights can be granted per Certificate Profile and Zone
Users enrolled with a certificate profile can be associated to a zone
Administrators will then manage only the subset of certificates issued under that certificate profile within their zone
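The module/profile/zone split described on the last three slides can be written down as a small authorization model. The example below is added here and is not OpenTrust code: it keeps module access separate from per-profile grants, lets a grant be restricted to one zone or left open to every zone of the profile, and produces the kind of "who has access to this profile/zone" listing a rights report needs. Class names, action names and the sample groups and users are assumptions.

```python
# Added example (not OpenTrust code): a minimal rights model in which grants
# are scoped to a certificate profile and, optionally, a zone. Names and the
# action vocabulary are assumptions made for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Grant:
    profile: str
    action: str                 # e.g. "enrollment", "revocation", "recovery", "activity_report"
    zone: Optional[str] = None  # None means every zone of that profile


class RightsModel:
    def __init__(self) -> None:
        self._members: Dict[str, Set[str]] = {}   # group -> users
        self._grants: Dict[str, Set[Grant]] = {}  # group -> profile/zone grants
        self._modules: Dict[str, Set[str]] = {}   # module -> groups allowed to open it

    def add_member(self, group: str, user: str) -> None:
        self._members.setdefault(group, set()).add(user)

    def grant(self, group: str, grant: Grant) -> None:
        self._grants.setdefault(group, set()).add(grant)

    def allow_module(self, module: str, group: str) -> None:
        self._modules.setdefault(module, set()).add(group)

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, users in self._members.items() if user in users}

    def can_access_module(self, user: str, module: str) -> bool:
        """Module rights are platform-wide and independent of profile grants."""
        return bool(self.groups_of(user) & self._modules.get(module, set()))

    def is_allowed(self, user: str, action: str, profile: str, zone: str) -> bool:
        """A user may act on a certificate only through a grant that matches its
        profile, the action and (unless the grant is zone-unrestricted) its zone."""
        for group in self.groups_of(user):
            for g in self._grants.get(group, ()):
                if g.profile == profile and g.action == action and g.zone in (None, zone):
                    return True
        return False

    def rights_report(self, profile: str, zone: str) -> List[str]:
        """Who holds any right on certificates of this profile/zone."""
        users: Set[str] = set()
        for group, grants in self._grants.items():
            if any(g.profile == profile and g.zone in (None, zone) for g in grants):
                users |= self._members.get(group, set())
        return sorted(users)

    def module_report(self, module: str) -> List[str]:
        """Who can open a given module."""
        users: Set[str] = set()
        for group in self._modules.get(module, set()):
            users |= self._members.get(group, set())
        return sorted(users)


if __name__ == "__main__":
    rm = RightsModel()
    rm.add_member("ra-paris", "alice")
    rm.add_member("ra-global", "bob")
    rm.grant("ra-paris", Grant("vpn", "enrollment", zone="paris"))
    rm.grant("ra-global", Grant("vpn", "revocation"))
    print(rm.is_allowed("alice", "enrollment", "vpn", "paris"))   # zone-scoped operator
    print(rm.is_allowed("alice", "enrollment", "vpn", "lyon"))    # other zone: denied
    print(rm.rights_report("vpn", "paris"))
```

The check deliberately has no "admin" shortcut: an operator who can open the RA module but holds no grant for a profile still cannot enrol or revoke under it, which is the segregation the slides describe.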
OpenTrust PKI: Reporting
Activity Report
• Exportable to CSV
• Count enrollments, revocations, and expirations per: date interval, profile, zone or CA

Expiration Report
• Exportable to CSV
• Lists all certificates for a given CA or certificate profile that will expire in a given date interval

Rights Report
• Who has access to a given module
• Who has access to a given certificate profile/zone
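As an added illustration of the Activity and Expiration reports (not OpenTrust code), the following builds both from a certificate inventory: the expiration report filters on a half-open date interval and optionally a CA or profile, the activity report counts enrollments, revocations and expirations in the interval grouped by profile, zone or CA, and the result can be exported as CSV. The `CertRecord` fields and the three sample records are constructed for the example.

```python
# Added example (not OpenTrust code): Activity and Expiration reports over a
# certificate inventory. Record fields and sample data are constructed.
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class CertRecord:
    serial: str
    subject: str
    ca: str
    profile: str
    zone: str
    issued: datetime
    not_after: datetime
    revoked: Optional[datetime] = None   # revocation time, if any


def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed inventory for the example
SAMPLE_RECORDS: List[CertRecord] = [
    CertRecord("01", "CN=gw1", "CA-A", "vpn", "paris", utc_date(2015, 1, 10), utc_date(2016, 1, 10)),
    CertRecord("02", "CN=www", "CA-A", "ssl", "paris", utc_date(2015, 2, 1), utc_date(2015, 6, 1),
               revoked=utc_date(2015, 3, 15)),
    CertRecord("03", "CN=gw2", "CA-B", "vpn", "lyon", utc_date(2014, 5, 1), utc_date(2015, 5, 1)),
]


def expiration_report(records, start, end, ca=None, profile=None) -> List[CertRecord]:
    """Certificates of a given CA and/or profile expiring in [start, end), soonest first."""
    hits = [r for r in records
            if start <= r.not_after < end
            and (ca is None or r.ca == ca)
            and (profile is None or r.profile == profile)]
    return sorted(hits, key=lambda r: r.not_after)


def activity_report(records, start, end, group_by: str = "profile") -> Dict[str, Counter]:
    """Enrollments, revocations and expirations in [start, end), grouped by
    'profile', 'zone' or 'ca'. Only events inside the interval are counted."""
    counts: Dict[str, Counter] = {}
    for r in records:
        c = counts.setdefault(getattr(r, group_by), Counter())
        if start <= r.issued < end:
            c["enrollments"] += 1
        if r.revoked is not None and start <= r.revoked < end:
            c["revocations"] += 1
        if start <= r.not_after < end:
            c["expirations"] += 1
    return counts


def to_csv(records) -> str:
    """Export an expiration report as CSV text."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["serial", "subject", "ca", "profile", "zone", "not_after"])
    for r in records:
        writer.writerow([r.serial, r.subject, r.ca, r.profile, r.zone, r.not_after.isoformat()])
    return out.getvalue()


if __name__ == "__main__":
    window = (utc_date(2015, 4, 1), utc_date(2015, 7, 1))
    print(to_csv(expiration_report(SAMPLE_RECORDS, *window)))
    print(activity_report(SAMPLE_RECORDS, utc_date(2015, 1, 1), utc_date(2015, 4, 1), group_by="zone"))
```

Using a half-open interval for every date test keeps adjacent reporting periods from double-counting the same certificate, which matters when the reports feed renewal reminders.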
OpenTrust PKI: Audit Logs
All events are logged in the audit database
Logs can be signed and chained to detect tampering

Dynamic interface to browse Audit Logs
– Custom searches that can be saved and replayed
– Exportable to CSV or XML
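"Signed and chained" (this slide and the Traceability feature earlier) means each log entry commits to the digest of the entry before it and carries an authentication tag, so that editing, deleting or reordering an entry breaks verification from that point on. The example below is added here and is not OpenTrust code: the page does not describe the product's actual signing scheme, so HMAC-SHA256 under a shared key stands in for a digital signature, and the event names and the key are constructed.

```python
# Added example (not OpenTrust code): a hash-chained audit log whose entries
# are authenticated with an HMAC. HMAC-SHA256 with a constructed key stands
# in for whatever signature scheme the product uses; event names are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous digest" recorded by the first entry


class AuditLog:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self.entries: List[dict] = []

    def append(self, event: str, actor: str, details: dict, timestamp: Optional[str] = None) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "event": event,
            "actor": actor,
            "details": details,
            "prev": prev,   # chaining: each entry commits to the digest of the one before it
        }
        digest = self._digest(body)
        entry = dict(body, digest=digest, mac=self._mac(digest))
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so that the same content always hashes the same way
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def _mac(self, digest: str) -> str:
        return hmac.new(self._key, digest.encode(), "sha256").hexdigest()

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain from the start; return (True, None) when intact or
        (False, index of the first bad entry). Edited content breaks the digest,
        a deleted or reordered entry breaks the chain, a forged entry fails the MAC."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("digest", "mac")}
            if e["prev"] != prev or e["seq"] != i:
                return False, i
            if self._digest(body) != e["digest"]:
                return False, i
            if not hmac.compare_digest(self._mac(e["digest"]), e["mac"]):
                return False, i
            prev = e["digest"]
        return True, None


if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key")
    log.append("ENROLL", "alice", {"profile": "vpn", "subject": "CN=gw1"})
    log.append("REVOKE", "bob", {"serial": "0A1B"})
    print(log.verify())                       # (True, None)
    log.entries[1]["details"]["serial"] = "FFFF"   # tamper with a stored entry
    print(log.verify())                       # (False, 1)
```

Two operational caveats follow from the design: the verification key must be held by someone other than the log writer for the tag to mean anything, and the digest of the latest entry has to be anchored somewhere outside the log (a periodic timestamp or an off-box copy), because an attacker who controls the whole file and the key can simply rebuild the chain.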
Thanks for your attention.
11-13 rue René Jacques - 92131 Issy-les-Moulineaux Cedex, France
+33 (0)1 55 64 22 00 - www.keynectis.com - www.opentrust.com

Musaad Al-Saleh Bldg., Soor Street, Al-Sharq, Kuwait
P.O. Box: 5113, Safat 13052, Kuwait
TEL: (+965) 2241 7966/5/7
FAX: 2459019
WEB: www.kcs.com.kw
EMAIL: [email protected]