PortalProtect. The Complete Security Infrastructure Solution for Applications. Copyright Asseco Denmark A/S -

Transcription

1 PortalProtect The Complete Security Infrastructure Solution for Applications

2 PortalProtect Market Position Known competitors Entrust GetAccess Netegrity Siteminder / Transaction minder IBM Tivoli Access Manager Oracle Access Manager / Identity Management Sun OpenSSO Enterprise PortalProtect Unique Selling Points Full function. Meet enterprise world spanning requirements Strong on non functional requirement (operation) Easy to use light Java code base Web services support, including WS-Security Simultaneous support for all authentication methods Data based security Full X.509 Certificate support First to support NemID (The new Danish log-in solution that supports finance, public and private sections)

3 PortalProtect Business Benefits PortalProtect is a complete security infrastructure delivering authentication, authorization and a non-intrusive operating model. Business benefits Full access management to your mission critical applications. PortalProtect supports integration with standard user repositories. Enterprise Single Sign On. PortalProtect supports single sign-on across an entire set of clients, servers, computers, applications or services. Centralized authorization management. The user s permissions and rights are stored in one or more central directories, where access to all applications and services across the entire infrastructure are stored. Support for digital signature. One of the many different authentication methods that PortalProtect supports is the use of digital certificates, which allows trusted third parties to verify the identity of a person. Includes OCES I and NemID Business partner integration. Provides ability to seamlessly integrate applications from business partners into the portal Scalability and Reliability. PortalProtect provides the scalability and high-availability that a mission critical business site requires. PortalProtect does not contain any single-point-of-failure, and it is highly optimized for business-critical portals that require ability to scale upwards. Application data sharing, and session management through the shared session concept, PortalProtect makes it possible for applications to share state between them, thus enabling various applications to depend on each other for information, so the user only needs to provide it once. Communication Security. PortalProtect provides a secure solution for encrypting infrastructure content. Centralized management and statistics. All components in PortalProtect obtain their configuration from a central administration server, to which they also perform logging and detailed statistics of all actions occurring, giving centralized control. Open and flexible architecture. PP s open and flexible architecture allows easy addition of other technologies, such as custom authentication methods, e.g. smartcards, or even Biometric (e.g. fingerprint) sign-on.

4 PortalProtect Customers One of the leading liner shipping companies in the world PortalProtect is central login solution at maerskline.com The supplier of the Danish log-in solution NemID PortalProtect is a part of the NemID solution The 2. largest insurance company in Denmark PortalProtect handles all identity and access management One of Denmark's leading within banking & mortgage PortalProtect handles all identity and access management Denmark s 2. largest customer-owned pension company PortalProtect handles all identity and access management The Danish securities services PortalProtect handles all identity and access management The Danish Patent and Trademark Office PortalProtect handles login to their online solution

5 PortalProtect Features Overview Single signon and Session sharing Authentication Security Zone Installation User Repository: RACF Database Active Directory/LDAP Others or Combinations UID/PW Digital Signature NemID NTLM / SPNEGO etc. Central access provision and control of authorization Authorization and access protection User Administration across applications and platforms The 5 Classic Security Issues Authentication (Who is the user) Authorization (Access control) Confidentiality (Encryption) Integrity (3rd party modification prevention) Non repudiation (Digital fingerprints, signing) Authorization is granted in levels in relation to trust Central Management of infrastructure and configuration.

6 PortalProtect Production Related Focus on response time with large transaction volumes Security Zone Installation Design Criteria: No single point of failure Focus on continued availability Distribute work on web and application servers Supports application servers from several vendors (simultaneously) Session management Compression of data between client and server Share information about user-situation between application servers Multi vendor OS Log for revision support (Windows, AIX, HP-UX, LINUX and Solaris) Statistics / Reportgeneration

7 Features in Details

8 Main Features Single Sign On Session sharing Cross-domain session sharing Centralized authorization and authentication management Centralized configuration and statistics X.509 Certificates NemID, OCES, PID-CPR lookup (Danish Public Certificate for Electronic Services) OCSP verification. Scalability and performance (Loadbalancing, failover, caching) Small footprint: Standalone development server requires ~ 64Mb RAM (Java heap). Communication security (Secure Communication Layer or SCL) Multiple authentication levels J2EE declarative security support Server is 100% Java Supports standard JCE Encryption, support for hardware acceleration Support for IBM s CBT (used by some Danish banks) Plugins for custom authentication and authorization Supports browser (thin) clients as well as fat clients

9 Centralized Administration and Monitoring Central Administration Browser based Admin GUI Administration client API Distributed as well as centralized logging Centralized configuration Configuration update does not require restart Extensive statistics gathered from all running components Real-time statistics available Statistics PDF Report generation Alert support (SNMP and support for custom plug-ins)

10 Authentication Multiple authentication levels Some of the different Authentication methods User ID/password Database lookup LDAP server or Active Directory Custom One-time pins, SMS delivery CBT (CBT/CTF/PKCS #12 keys) SPNEGO NETID X.509 Certificates Support for custom key-centers CAPICOM Support for MSIE PKCS#7 Signing CRLs lookup OpenSign/OpenLogon Applets (Official Danish Certificates for Electronic Services) NemID OCES, POCES, MOCES, VOCES certificates, PID-CPR lookup (Official Danish Certificates for Electronic Services) Custom auth plugins Step-up authentication if current authentication level is not enough for certain applications. Support for digital signatures, or reconfirmation of credentials if digital signatures are not available. Transaction, revision and non-repudiation logging.

11 Authorization Access Control Lists (ACLs) LDAP Directory (including MS Active Directory) Multiple simultaneous authorization repositories User groups J2EE Declarative security support WebLogic 5.1 and above WebLogic 8.1/9/10/11g SSPI WebSphere 5 TAI WebSphere 6/7 NTAI Tomcat and above Access grants based on authentication level Channel-based (HTTP, HTTPS, WAP, SCL etc.)

12 X.509 Certificates / Digital Signature Supports qualified or unqualified certificates. Self-signed certificates Supports custom CA s Supports internal CA. Client-side 100% Java code. No browser plugin or Active X code needed. SSL Client certificates Logon and digital signatures are supported. PKCS#12 keystore (RSA) RFC 3275 XMLDSIG Standard (w3c.org) Support for Microsoft CAPI / PKCS#7 in MSIE. OCES PID/CPR lookup (Official Danish Certificates) IT Practice / Asseco sponsored openoces.org an open source java applet implementing OCES authentication.

13 NemID specifics Support for authentication with or without OTP card. Support for digital signatures, with or without OTP card. Supports all certificate types, including MOCES, FOCES, VOCES and POCES. POCES or MOCES with or without OTP. OCSP and/or CRL list checking. Attribute service integration. PID-CPR lookup/verification. Asseco helped danid develop NemID applet and backend. DanID uses parts of PortalProtect internally on its servers. All NemID logins travel through PortalProtect components.

14 Secure Communication Layer (SCL) Supports end to end communication encryption, works through HTTP proxy servers. Safer than SSL. Secure socket tunneling with minimal application impact. Supports multiple encryption types, e.g. CBT or JCE based encryption. Encrypted EJB Proxy. Allows use of digital signatures, even on EJB transactions. Data compression. SSL VPN support. (See sample on

15 Shared Session Single sign on sign on once, share session with multiple client and server applications. Session ID kept at client, session data kept at server. Session sharing between application servers. Cross-domain session sharing. Session sharing between client applications, e.g. Browser and Java client. Persistent application data can be stored in a session. Session propagation between server architectures e.g. between WebLogic and Tuxedo.

16 User Database Custom APIs for roll-your-own administration clients. Different actions can require different authorizations (extensive ACL checking, down to attributes on users). Support for Cloudscape, DB2, Oracle. Transaction, revision and non-repudiation logging. Extensive user model supporting organisations, profiles, groups. ACLs on all levels protect access to data. Support for distributed administration e.g. selfadministration for companies. Tested and proven with several millions of users.

17 Web Services / WS-Security Authorization/authentication to web services are supported. WS-Security web service handlers. Seamless authentication, signing and encrypting of in and outgoing web service calls. With centralized key managent and storage. Hardware crypto support Easy access to PortalProtect from non-java clients.

18 Reverse Proxy Server / Dispatcher Cookie based load balancing. Supports multiple application clusters. Advanced filter rules. Persistent connections (RFC 2616). Multiplex many clients on few connections to servers to lessen load. Optional SSL with client certificates for authenticating to backend servers. Proxy forwarding (SOCKS, HTTP Proxy, proxy password). Java plugin support (PP Dispatcher API). User identity forwarding. Extensive statistics

19 Thank you for your attention