Technical Description

Transcription

1 DLS - Certificate Management for 802.1x/EAP-TLS Version: 1.01 Date: OpenScale Baseline Security Office Siemens Enterprise Communications GmbH & Co. KG Communication for the open minded Siemens Enterprise Communications

2 1 Abstract This Technical Description provides An overview of the concept how the DLS (Deployment Service) manages certificates - in general, and in particular for use by VoIP Phones in 802.1x-enabled networks. The focus is on OpenStage phones, but similarly applies to optipoint 410/420 and optipoint WL2 Professional. Direct references to the relevant configuration screens in DLS The description is based on the currently released version DLS V2 R4. Further information and more details can be found in the associated documentation: /1/ White Paper: Layer 2 authentication on VoIP phones (802.1x) /2/ Administration Manual: IEEE 802.1x Configuration Management /3/ Slide set "DLS at a Glance" /4/ Administration Manual: Deployment Service The most up-to-date version is part of the DLS delivery; find it on CD or after installation in the DLS installation folder. The file name is: doc\deployment-service_en.pdf /5/ Interface Documentation: DlsAPI (WebServices Interface of DLS) The most up-to-date version is part of the DLS delivery; find it on CD or after installation in the DLS installation folder. The file name is: api\doc\index.html 1.1 History of Change Date Version What Initial release by SB; input from UG,EN, KN, MP Added comments from MM, MP Version 1.01, Page 2

3 1.2 Contents 1 Abstract History of Change Contents 3 2 Overview and General Concept Deployment Service (DLS) at a Glance Certificate Management in DLS Certificates for Various Purposes Types of Certificates Managed by DLS x Specifics x Overview The 802.1x Device Certificate The Enterprise Server CA Certificate A Second Enterprise Server CA Certificate 7 3 Configuration in DLS Import and Deployment of Certificates via DLS Overview Screen "IEEE 802.1x" "Import Certificate" - Dialog "Remove Certificate" - Dialog "Import Certificate for Template" - Dialog "Remove Certificate from Template" - Dialog "Apply Template" Automatic Deployment of the Root CA Certificate Overview Step-by-Step Automatic Deployment of PSEs (Phone Certificates) Monitor Lifetime of Certificates Capabilities in the DLS GUI DLS Alarm Configuration 17 4 Outlook to DlsAPI Capabilities 18 5 Terms and Abbreviations Abbreviations Terms 19 Version 1.01, Page 3

4 2 Overview and General Concept 2.1 Deployment Service (DLS) at a Glance Refer to the slide set in /3/ for a quick overview on DLS itself, plus particular features being used in the context of this document: Certificate Management in DLS Certificates for Various Purposes Electronic certificates are used for various authentication purposes by the IP devices managed by DLS. This includes: Certificates for use in 802.1x-enabled network access (EAP-TLS) Certificates for use in secure voice communication (TLS for signalling, SRTP for payload) Certificates for use by IP devices' integrated web server (https) Certificates for other purposes, to ensure authenticated and encrypted communication with applications, directories etc. Note that this document does not cover certificates used by DLS for its own purposes i.e. for securing its own interfaces, like the DLS' own WebService interfaces (GUI and DlsAPI) and the interface with the managed IP devices (WPI). Independence of certificates: By design, the certificates being used for various purposes are identified and configured independently in both the DLS and the managed IP device. This means that if a customer wants to use the same certificate for two different purposes (e.g. the CA certificate to authenticate a RADIUS server in 802.1x to be used for authentication of a LDAPS server as well) he/she needs to configure and maintain it twice. Although this generates some configuration overhead, customers and administrators benefit from full flexibility: They are able to implement certificate management procedures and policies individually per purpose without restrictions caused by "built-in" dependencies Types of Certificates Managed by DLS In general, DLS does not provide an own CA, but just transparently deploys the certificates issues by a separate CA (the customer's Enterprise PKI) to the managed IP devices. The only exception is the DLS feature "Automatic SPE Configuration", as described in /2/ /4/, chapter This feature creates a DLS-internal CA and associated certificates and deploys them for activation of Signalling and Payload encryption in Hi- Path 4000 / HiPath 3000 networks. The use of this feature is recommended only for customers that don't have or don't want to use their own PKI to issue certificates, but use VoIP encryption anyway. There is a significant commonality among the various purposes, certificates are being used: they all make use of the TLS protocol, either with authentication of the Version 1.01, Page 4

5 server by the client only, or with mutual authentication (MTLS), where the server authenticates the client as well. All certificates have to be in the ITU-T standard X.509 V3 (according to RFC 5280). Different properties and limitations apply to the individual use of certificates. However, these properties are transparent to DLS, thus the DLS will accept any certificate that is conformant with the X.509 V3 specification. In total, there are only two different types of certificates relevant for being managed by DLS and deployed to the IP devices: "PSE": used by the device to prove its own identity against its communication partner. Contains the private key and the public key, plus a certificate chain up to (but excluding) the root CA. The DLS requires the PSE to be available in a PCKS#12-formatted (passphraseprotected) file. Common file extensions are.p12 or.pfx To manage PSEs for a huge list of devices it is convenient to create them o using the same passphrase and o to name the files according to their device ID (for IP phones, the device ID is their 6-Byte Mac-Address in format aabbccddeeff). For details see chapter 3.1 below. "CA Certificate": used by the device to authenticate its communication partner. Contains the public key of the CA. The DLS requires the CA Certificate to be available in DER format or PEM format (i.e. Base64-encoded DER). Common file extensions are.cer,.crt or.pem x Specifics x Overview 802.1x authenticates a device (PC, printer, VoIP phone etc.) to the corporate IP network and allows the access switch (where the device is attached to) to enforce an access control policy. For more information on 802.1x see /1/ (which also contains further links) and /2/. The access switch itself hands over the authentication process to a RADIUS server, which is specialized in authentication and authorization functionalities. The authentication between the device and the RADIUS server is based on the protocol EAP. EAP knows a lot of different authentication methods. The authentication method supported by all SEN Phones is EAP-TLS. EAP-TLS is based on electronic certificates (format X.509v3) and MTLS (mutually authenticated TLS) is used between the network device and the RADIUS server. This means that: Both the client (here: the VoIP phone/workpoint) authenticates the server And the server (here: the RADIUS server) authenticates the client By using certificates and associated private keys. Version 1.01, Page 5

6 Figure 1: 802.1x with PKI in operation Thus, two different certificates are required for DLS to enable an IP device for EAP- TLS: The 802.1x Device Certificate In DLS, this is called the "Phone Certificate" in the IEEE 802.1x configuration screens and is of type "PSE". The following picture outlines its context: Figure 2: Use of PSEs in 802.1x The Enterprise Server CA Certificate In DLS, this is called the "RADIUS Server CA Certificate 1" in the IEEE 802.1x configuration screens and is of type "CA Certificate". Version 1.01, Page 6

7 The following picture outlines its context: Figure 3: Use of CA certificates in 802.1x A Second Enterprise Server CA Certificate OpenStage Phones also support a second Enterprise Server CA certificate, called the "RADIUS Server CA Certificate 2". During EAP-TLS authentication process, the phones accept RADIUS servers with a valid certificate issued by either CA. This may be used, if two different CAs are active in the enterprise network. If CA is to be changed (e.g. current CA certificate is going to expire), the following process allows smooth changeover to the new CA: 1. Create New CA and export new CA certificate as PEM or CER file 2. Import new CA certificate into DLS 3. Deploy to all phones as additional CA certificate; from now on, phones accept all RADIUS servers with PSE issued either by old or by new CA 4. Exchange PSE on RADIUS servers 5. When exchange is done: remove old CA certificates from phones (DLS: deployment of an empty RADIUS Server CA certificate); from now on, phones accept RADIUS servers with PSE issued by new CA only Version 1.01, Page 7

8 3 Configuration in DLS 3.1 Import and Deployment of Certificates via DLS Overview This chapter describes the capabilities of the DLS GUI how to import certificates into DLS, deploy ("activate") them to associated IP devices Further information on this can be found in /4/, chapters and Starting with V2 R4, DLS provides a new feature that allows for automatic deployment of certificates which are common to all or a subset of IP devices. See chapter 3.2 below. In general, the handling of certificates via the DLS GUI is based on the same principles and features that are also used for other device configuration parameters and objects. This applies especially to search, sort, save capabilities as well as the use of templates, device profiles and plug and play. If you are not yet familiar with the DLS GUI, refer to /4/, chapter 5 for general DLS GUI overview, and to chapter 15.4 for the use of templates. The following description focuses on the administration steps that are specific to the management of certificates. Certificates can be imported in several ways: 1. import a certificate for a single device 2. import a certificate for multiple devices (bulk import) 3. import individual certificate for a single device 4. import individual certificates for multiple devices (bulk import) 5. import a certificate into a template for later use 6. apply template for a single device 7. apply template for multiple devices (bulk) Accordingly the certificates can also be removed 1. remove a certificate from a single device 2. remove certificates from several devices (bulk remove) 3. remove certificate from a template These actions shall be explained in detail using IEEE 802.1x screen as example Screen "IEEE 802.1x" There are 3 similar tab sheets to handle Phone Certificate: mandatory certificate, used for the phone's own authentication, see 2.3.2) Radius Server CA Certificate 1 and Radius ServerCA Certificate 2: Version 1.01, Page 8

9 One CA certificate is mandatory, used by the phone to authenticate the server, see The second CA certificate is optional; for its purpose refer to Each tab shows certificate specific information, both, for an "Active certificate", i.e. the certificate is already activated in the device and an "Imported certificate", i.e. the certificate that is currently imported into DLS for the selected device(s). Figure 4: IEEE 802.1x configuration screen Status Active/Import: The status is set automatically after a certificate import (or remove) or after read from a device, dependant on a certificate is imported and/or existing in the device and if these certificates are different or not. Values: "no certificate", "different", "equal", "no active certificate" or "no imported certificate". Serialnumber / Owner / Issuer / Valid from / Valid to / Fingerprint (SHA1) / Expires in / Alarm Status Detailed information of a certificate. These values are read-only an only for use in the search view. Activate Certificate (Phone) / (Radius 1) / Radius 2) If checked, the imported certificate is activated automatically when the record is saved. Afterwards the box is reset to unchecked. Version 1.01, Page 9

10 GENERAL: The buttons "Import Certificate" and "Remove Certificate" are shown in the object view only. Pressing "Import Certificate" opens a dialog mask to enter more details "Import Certificate" - Dialog Figure 5: "Import Certificate" - Dialog Device ID: Shows the device ID (either MAC-Address or e164-number) for the selected device. This field is not editable. Certificate Type: The IEEE 802.1x screen supports the import of 3 different certificate types. The radio buttons are initialized dependent on the currently used tab sheet of the IEEE 802.1x screen. For the certificate type "Phone Certificate" the input of "Filename" and "Passphrase" is mandatory. For the RADIUS certificates only "Filename" is necessary. Individual certificate files... : If checked, the selected object(s) will get individual certificates instead of the same certificate for all objects Version 1.01, Page 10

11 Individual certificates are assigned using a fixed filename format (see "Certificate File Names based on " For individual certificates instead of a filename a directory must be specified, where the individual files are located If unchecked, the radio buttons for "Certificate File Names based on " is not available Certificate File Names based on... : Radio buttons to define whether the filename for individual certificates is based on the objects MAC address or e164 number. The message box shows the according sample filename, e.g. 0001E3261E01.p12 based on the MAC address, or p12 based on the e164 number. Import certificate to DLS and activate on device (1-step): Option to import certificate not only into DLS database, but additionally activate this certificate on the device within one step. Thus the user does not have to activate the certificate in a further step. Filename / Directory: If "Individual certificate files " is unchecked, a filename is expected, otherwise a directory where the individual files are located Filename/Directory can be specified directly, or using the "Browse" Allowed file formats are specified in the file browser automatically - PKCS#12 format for the phone certificate or PEM for the RADIUS certificates. Browse Button: Opens a file browser dialog with a filter on the relevant file types for PEM or PKCS#12 format Passphrase: Mandatory for "Phone Certificate" (PKCS#12 format), otherwise not editable. OK The specified certificate will be imported for the current object. Cancel Cancels the import operation for the current object. In case of a bulk import, the import proceeds with the next object. Apply to all This button only appears in case of a bulk import (if more than 1 object is left) If pressed once, a message appears for sure and the user has to confirm by pressing it again. Not till then the certificate is imported to all marked objects. Cancel all This button only appears in case of a bulk import (if more than 1 object is left) All certificates imported till then stay imported. For all certificates remaining the import operation is cancelled GENERAL: DLS verifies the input. Erroneous or missing input causes in an error message in the message area. Version 1.01, Page 11

12 Accepted input is stored for later use of this dialog window (within the same session) "Cancel" or erroneous processing causes an error message in the IEEE 802.1x screen After an import a refresh of the IEEE 802.1x screen is done (unless an error message is to be displayed) "Remove Certificate" - Dialog Figure 6: "Remove Certificate" - Dialog Device ID: Shows the device ID (either MAC-Address or e164-number) for the selected device. This field is not editable. Certificate Type: The IEEE 802.1x screen supports the import of 3 different certificate types. The radio buttons are initialized dependent on the currently used tab sheet of the IEEE 802.1x screen. Remove certificate from DLS and device (1-step): Option to remove certificate not only from DLS database, but additionally removes it on the device within one step. Thus the user does not have to activate the "empty" certificate in a further step. OK The specified certificate will be removed for the current object. Cancel Cancels the remove operation for the current object. In case of a bulk remove, the remove proceeds with the next object.. Version 1.01, Page 12

13 Apply to all This button only appears in case of a bulk remove (if more than 1 object is left) If pressed once, a message appears for sure and the user has to confirm by pressing it again. Not till then the certificate is removed for all marked objects. Cancel all This button only appears in case of a bulk remove (if more than 1 object is left) All certificates removed till then are really removed. For all certificates remaining the remove operation is cancelled. GENERAL: After the remove operation a refresh of the IEEE 802.1x screen is done (unless an error message is to be displayed) "Import Certificate for Template" - Dialog There are several ways to get a certificate into a template: 1. from scratch: i. go to template view ii. import a certificate iii. save the template as a new one 2. import certificate to existing template: i. go to template view ii. load an existing template (button "Get") iii. import a certificate iv. save the template 3. derive template from an existing device containing a certificate: i. go to search view ii. select a device iii. save as template For variants 1 and 2 the "Import Certificate for Template" dialog appears Version 1.01, Page 13

14 Figure 7: "Import Certificate for Template" - Dialog Template: If a template is built from scratch the template name is unknown. If it is derived from an existing device the name is derived from its device id. The field is not editable. All other fields and buttons: The functionality of all other fields and buttons is rather the same as for the normal "Import" scenario. Please refer to the respective description above. GENERAL: There is no individual import for templates. That is obvious, since we do know neither a MAC address nor a e164 number at this time. There is no 1-step option, since we do not activate the certificate at this moment. After importing a certificate for a template, the certificate is created and known to DLS. But it is not referenced to the template unless the template itself is saved - so do not forget to save the template "Remove Certificate from Template" - Dialog Version 1.01, Page 14

15 Figure 8: "Remove Certificate from Template" - Dialog All fields and buttons: The functionality of all other fields and buttons is rather the same as for the normal "Remove" scenario. Please refer to the respective description above. There is no 1-step option either. GENERAL: To make the template know about the removed certificate, do not forget to save the template itself "Apply Template" is a standard operation in DLS. There is no special handling for certificates. The procedure is as follows: 1. go to template view 2. load template 3. go to object view (or table view for bulk operation) 4. select Action -> Apply Template and do not forget to save the object 3.2 Automatic Deployment of the Root CA Certificate Overview Starting with V2 R4, DLS provides a new feature that allows for automatic deployment of certificates which are common to all or a subset of IP devices. This usually applies to all CA certificates, as they belong to the Enterprise PKI's issuing CA and are therefore identical to all purposes. Version 1.01, Page 15

16 In the 802.1x context, this feature automates the provisioning of the RADIUS Server CA Certificate(s) to the IP devices. First refer to /3/ to get an overview on the Auto-Configuration principles of DLS. More configuration details can be found in /4/, chapters and Figure 9: New dialog in DLS V2 R4 Automatic Certificate Deployment Step-by-Step The basic administration steps to achieve automatic certificate deployment are: 1. Optionally configure customer-specific locations or use the "Default Location" (-> follow-up steps apply to all IP devices). 2. Create a Certificate Deployment Task 3. Assign it to an existing location and specify the deploy date 4. Specify the certifcate type (e.g. RADIUS Server CA Certificate 1) to be used and import the corresponding certificate for automatic deployment. The certificate deployment (activation) will be done automatically starting at the specified date and time and takes in effect for all IP devices (that support the specified certificate type). Similar to the automatic SW deployment (i.e. automatic update of IP devices with new SW images), deployment restrictions can be specified to avoid that the automatic deployment takes in effect at undesired times (e.g. during working hours) Automatic Deployment of PSEs (Phone Certificates) The Automatic Certificate Deployment is preferably used to deploy CA Certificates, as the same certificate is configured for all affected IP devices. However, it can optionally also be used for the 802.1x phone certificates, which are of type PSE. Although an individual PSE are intended to be used by a single device only, DLS does not place a restriction here. Version 1.01, Page 16

17 Provided that the Enterprise PKI does not dictate the use of individual PSEs, e.g. bound to their MAC address, this approach can be used for full automation of 802.1x certificate handling. The disadvantages of this approach are obvious, especially due to the inability to revoke an individual device's certificate: It is not possible to exclude e.g. broken, stolen or lost devices from valid authentication to the 802.1x network. 3.3 Monitor Lifetime of Certificates Capabilities in the DLS GUI DLS extracts all attributes of the certificates it manages to store them as separate data in its database. This allows the administrator to apply all DLS GUI functions on particular certificate properties, as if they were common configuration parameters. That way, an administrator can for example easily select all or a defined set of devices, and sort them according to the days until a particular certificate expires. Thus, he/she may get a quick overview of devices, where a replacement of the certificate becomes necessary DLS Alarm Configuration DLS includes alarming capabilities that can be used to inform administrators or monitoring / fault management systems about important events that happen during (unattended) operation of the DLS server. Various alarm classes (events) are defined, among them is the impending Certificate Expiration. For this event you may specify the number of days to get warned before a certificate expires (e.g. 14 days), and the time period, this check is automatically repeated by DLS (e.g. daily). Three methods are offered for the administrators or monitoring systems to be informed they can be activated in parallel SNMP Trap SMTP A command file (.bat on the DLS server) for any customized application to be started from there. This may lead to the creation of an SMS, distribute the event to various applications etc. The configuration capabilities are described in detail in /4/, chapters and Version 1.01, Page 17

18 4 Outlook to DlsAPI Capabilities Refer to /3/ and to /4/, chapter for a first overview of the DlsAPI. /5/ contains the DlsAPI interface documentation. Starting with DLS V2 R4, the DlsAPI v200 adds a new Area of Concern "802.1x". It provides the necessary configuration items (parameters) to add/modify/delete/query the certificates to be used for 802.1x for selected IP devices: A certificate lifecycle middleware between the DLS and the Enterprise PKI could therefore be implemented to automate the lifecycle of device certificates being issued for and used by the IP devices. Note however, that there is no reference implementation or proof of concept yet available. Figure 10: Possible Certificate Lifecycle Management for 802.1x Version 1.01, Page 18

19 5 Terms and Abbreviations 5.1 Abbreviations CA Certification Authority DLS Deployment Service EAP Extensible Authentication Protocol EAP-TLS EAP with TLS authentication method GUI Graphical User Interface HFA HiPath Feature Access (SEN proprietary signaling protocol) HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure (HTTP over TLS) LDAP Lightweight Directory Access Protocol LDAPS Lightweight Directory Access Protocol Secure (LDAP over TLS) MG Media Gateway MGCP Media Gateway Control Protocol MTLS Mutual TLS Authentication OCSP Online Certificate Status Protocol OSC OpenScape PKCS Public Key Cryptography Standards PKI Public Key Infrastructure PSE Personal Security Environment RADIUS Remote Authentication Dial-In User Service RTP Real-Time Transport Protocol SEN Siemens Enterprise Communications SIP Session Initialization Protocol SPE Signaling & Payload Encryption SRTP Secure Real-Time Transport Protocol TLS Transport Layer Security UC Unified Communication WBM Web based Management WPI WorkPoint Interface 5.2 Terms EAP-TLS PSE WPI EAP-Transport Layer Security or EAP-TLS, defined in RFC 5216, is an IETF open standard, and is well-supported among wireless vendors. The security of the TLS protocol is strong, as long as the certificate status is checked. It uses PKI to secure communication to the RADIUS authentication server. Data structure including an asymmetric key pair (normally RSA keys) and the belonging electronic certificate. The certificates of the issuing CA and of the root CA can be included. A PSE can be stored on a token (smart card, secure USB token) or in a PKCS#12 file. WorkPoint Interface https/xml-based Interface between DLS and its managed IP devices Version 1.01, Page 19

20 About Siemens Enterprise Communications Group (SEN Group) The SEN Group is a premier provider of enterprise communications solutions. More than 14,000 employees in 80 countries carry on the tradition of voice and data excellence started more than 160 years ago with Werner von Siemens and the invention of the pointer telegraph. Today the company leads the market with its "Open Communications" approach that enables teams working within any IT infrastructure to improve productivity through a unified collaboration experience. SEN Group is a joint venture between the private equity firm, The Gores Group, and Siemens AG and incorporates Siemens Enterprise Communications, Enterasys Networks, SER Solutions, Cycos and isec. For more information about Siemens Enterprise Communications, please visit Communication for the open minded Siemens Enterprise Communications Siemens Enterprise Communications GmbH & Co. KG Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG Status 03/2009 The information provided in this brochure contains merely general descriptions or characteristics of performance which in case of actual use do not always apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and technical specifications are subject to change without notice. OpenScape, OpenStage and HiPath are registered trademarks of Siemens Enterprise Communications GmbH & Co. KG. All other company, brand, product and service names are trademarks or registered trademarks of their respective holders. Printed in Germany.