StoneGate SSL VPN Technical Note Setting Up BankID

Transcription

1 StoneGate SSL VPN Technical Note 2071 Setting Up BankID

2 Table of Contents Introduction page 3 Overview page 3 StoneGate BankID Authentication Methods page 6 Installing StoneGate BankID Authentication Methods..... page 6 Configuring StoneGate BankID Authentication Method.... page 7 Configuring StoneGate BankID Signer Method page 9 Feedback page 10 Table of Contents 2

3 Introduction This technical note covers all aspects of the installation and configuration of BankID for StoneGate SSL VPN 1.0. Changes since the previous revision (SG_SVTN_2071_ ) are marked in the left margin with a change bar as seen here to the left of this paragraph. Note This technical note will not cover installation and configuration of Nexus MultiID Server. For information on installation and configuration, please read the documentation provided with Nexus MultiID Server. Prerequisite This technical note assumes a thorough understanding of StoneGate SSL VPN administration and especially of authentication methods. Use the further reading listed below to gain the required knowledge. Further Reading More information on StoneGate SSL VPN administration can be found in the StoneGate SSL VPN Administrator s Guide, the Online Help, and the Technical Note repository provided with the product. Another source of information is the Stonesoft Support site, which can be found at For more information on related subjects, visit the following Web resources: Overview BankID is a service that offers secure electronic identification and signature on the Internet. One of the driving forces behind BankID is changed legislature. Electronic signatures are now legally binding in the EU. The BankID service has been developed by a number of large banks for use by members of the public, authorities, companies, and other organizations. Many governments and municipalities are beginning to offer 24/7 services, which generally presupposes a secure electronic identification and signature system such as that offered by BankID. An example of this is the Swedish National Tax Board as well as the Swedish Social Insurance Agency. Their Web sites are now fully operational and both offer their customers access to BankID. When an application in a BankID-associated organization needs to authenticate an access request by a user, a challenge/response procedure is initiated. The request is forwarded to an authentication server and a challenge is generated and returned to the client. The client sends a response that is interpreted by the authentication server and the client certificate is verified. A control question is sent to the Certificate Authority to further verify the validity of the client certificate. When all controls check out, the user is authenticated. This interaction flow is illustrated below. Introduction 3

4 Illustration 1 Challenge/Response Procedure 1. The user requests access to the system 2. The system generates a challenge for the user to sign 3. The user signs the challenge using the BankID certificate and responds to the challenge with the signed challenge 4. The system validates the signed challenge 5. The system performs a revocation check by sending an OCSP (Online Certificate Status Protocol) request to the Certificate Authority 6. The Certificate Authority responds with the certificate status 7. The system either grants or denies the user access to the system depending on the validation result The system in the interaction flow above denotes both StoneGate SSL VPN and Nexus MultiID Server. Clients The BankID client is called CBT (Crypto-Based Transactions) and is developed by IBM. CBT is Java-based and the only client requirement is a Java runtime environment. This requirement is met by all current Windows, Mac OS, and Linux systems (as of ). Users do not have to install the client, they simply accept the download the first time it is requested in a session. To limit the download times the CBT is divided in three packages: Order Used by the Internet bank when ordering and installing BankID Administration Used by the Internet bank to import and export BankID Usage Users identify and sign documents for authorities and companies StoneGate SSL VPN supports five types of Public Key Infrastructure (PKI) clients, which are introduced in the sections below. IBM CBT The IBM CBT client runs as a Java applet and has two templates. One authentication template, IbmCbtAuth, and a sign template IbmCbtSign. These templates are delivered with StoneGate SSL VPN and are placed in the folder /data/portwise/access-point/files/built-in-files/wwwroot/wa/authmech/. Overview 4

5 StoneGate SSL VPN supports IBM CBT by default. If a previous version is used the IbmCbtAuth and IbmCbtSign templates need to be edited. Replace 3_2_5 with 3_2_0 where applicable in the example below. Illustration 2 Template for IBM CBT <applet vspace= 175 hspace= 63 width= 430 height= 140 mayscript code= com.ibm.cbt_bidt_3_2_5.thinclient.logonapplet.class archive= /wa/authmech/cbt_bidt_3_2_5_sign.jar name= LoginApplet > <param name= scriptable value= true /> <param name= mayscript value= true /> <param name= cabbase value= /wa/authmech/cbt_bidt_3_2_5_sign.cab /> <param name= locale value= sv /> <param name= adddata value= [$challenge] /> </applet> VeriSign PTA StoneGate SSL VPN supports VeriSign PTA version 3. The VeriSign PTA client can be used in both authentication and signing. SmartTrust StoneGate SSL VPN supports SmartTrust version 3. SmartTrust uses SSL authentication in the same manner as for example the User Certificate authentication method. Nexus StoneGate SSL VPN supports Nexus version 4. Nexus uses SSL authentication in the same manner as for example the User Certificate authentication method. Support for this client in authentication and signing has been added in StoneGate SSL VPN. Netmaker NetID StoneGate SSL VPN supports Netmaker NetID version 4. Netmaker NetID uses SSL authentication in the same manner as for example the User Certificate authentication method. Support for this client in authentication and signing has been added in StoneGate SSL VPN. Nexus MultiID Server The Nexus MultiID Server supports all Swedish Certificate Authorities and PKI clients and it is certified by Finansiell ID-Teknik AB (BankID) and TeliaSonera AB. It should be noted that the Nexus MultiID Server can be installed and configured independently of the back-end security solution. The Nexus MultiID Server also contains an application programming interface (API) for easy integration with existing or new Web applications. Please consult the available documentation from Nexus regarding the API. StoneGate SSL VPN supports Nexus MultiID Server Note Nexus MultiID Server is not yet supported on the Solaris 10 operating system. Please contact Nexus for more information on availability of Nexus MultiID Server for Solaris 10. Overview 5

6 StoneGate BankID Authentication Methods The reason for using BankID and Nexus MultiID server in combination with StoneGate SSL VPN is the tight connection to the StoneGate SSL VPN user management and access control functionality. The StoneGate BankID solution consists of two authentication methods: BankID and BankID Signer. BankID Signer, however, is not used for authentication. As the name suggests it is used for signing text using StoneGate SSL VPN with a Nexus MultiID server as authentication service. StoneGate SSL VPN supports the Swedish e-legitimation. The BankID Signer must be accessed with text and a URL to the resource responsible for the signing process. Below is an example of how to access the BankID Signer and in this example, the signing resource is an external application. The signing resource is located at URL and the text to sign is test to sign this text. The signing resource sends a http post to point>/wa/auth?authmech=<configured BankID Signer display name> with the post parameters location= and text=test to sign this text. The BankID Signer will then perform the signing operation and return the result to the specified location with the parameters status=<ok, fail or error> and, if configured, signature=<the signature>. This solution is able to redirect error and result parameters to the resource responsible for the signing process. Further processing can then be performed by the resource. For more information on setting up BankID Signer, see section in section Configuring StoneGate BankID Authentication Method on page 7. Installing StoneGate BankID Authentication Methods Before you can start configuring a BankID authentication method you need to install and configure a Nexus MultiID Server. For information on how to install and configure Nexus MultiID Server, consult the documentation provided with your Nexus MultiID Server. Install Nexus MultiID Server API After the Nexus MultiID Server is installed and configured, you need to install the Nexus MultiID Server API to the StoneGate Policy Service. To install the Nexus API in StoneGate SSL VPN 1. Start the API installation by stopping the StoneGate Policy Service through the Linux command line by running the command /opt/portwise/policy-service/bin/policy-service.sh stop. You can connect to the command line through the administration port using an SSH client. Log in as user root. Password is set through the basic Web console. Consult the Appliance Installation Guide for your appliance if you need information on how to access the command line or on how to change the password. 2. Copy the nms_server.jar from your Nexus MultiID Server installation folder. Copy the file to /opt/portwise/policy-service/lib/. 3. Start the StoneGate Policy Service by running the command /opt/portwise/policy-service/bin/policy-service.sh start. Copy Clients to Administration Service You also need to copy the PKI client software to the Administration Service before you can start configuring BankID. This will enable the Administration Service to distribute the various clients when required. Copy the client files to /data/portwise/administration-service/files/access-point/custom-files/wwwroot/wa/authmech/. StoneGate BankID Authentication Methods 6

7 Configuring StoneGate BankID Authentication Method In this section, you create an authentication method that uses BankID. Follow the steps below to create and configure the BankID authentication method. Replace any placeholder information with your corresponding information where appropriate. To configure StoneGate BankID 1. Login to the StoneGate SSL VPN Administrator. 2. Select Manage System in the main menu and click Authentication Methods in the left-hand menu. 3. Click the Add Authentication Method link to create a new authentication method. 4. Select BankID from the list and click Next. 5. On the General Settings page, enter BankID as display name. 6. Click the Add the Authentication Method Server link. Enter the settings below (refer to your Nexus MultiID Server documentation for details): Example Host: <Nexus MultiID server IP address> Port: 8899 Service Identifier: Use default settings for remaining server settings. 7. Click Next to add the authentication method server. 8. Click Next to display the Extended Properties page. 9. Click the Add Extended Properties link. 10.Enter extended properties for applicable certificates/pki clients using the following examples: TABLE 1 Extended Properties for authentication method BankID Client Extended Property Key All IBM CBT VeriSign PTA SmartTrust Nexus Netmaker NetID BankID user attribute BankID certificate attribute Allow unknown user ID Enable IBM CBT Enable VeriSign PTA Enable SmartTrust Enable Nexus Enable Netmaker NetID cn cn true Configuring StoneGate BankID Authentication Method 7

8 TABLE 1 Extended Properties for authentication method BankID (Continued) Client SmartTrust CA Netmaker NetID CA Extended Property Key SmartTrust CA Name Netmaker NetID CA Name The display name of the CA Certificate that is issuer of the user certificates used for this client (Optional, if set only user certificates issued by this CA are presented to the end user else all the end user s certificates are presented) The display name of the CA Certificate that is issuer of the user certificates used for this client (Optional, if set only user certificates issued by this CA are presented to the end user else all the end user s certificates are presented) 11.Finish the wizard and click Publish to publish the new configuration. Note The mapping between user and certificate in the table above uses the LDAP attribute cn for matching user and certificate. It is possible to use other attributes to match users and certificates. The extended property key Allow unknown user ID may change how the mapping occurs. For more information, please read the section Allow Unknown User ID below. Allow Unknown User ID The optional extended property key Allow unknown user ID can be used to allow user with certificate to authenticate without having to be present in the directory service. This concept is useful in installation where there are an unknown number of users that need access and it is infeasible to add them to the directory service. Note When using the option Allow unknown user ID it is not possible to use group membership, SSO credentials, etc. The following examples will demonstrate the different settings involving extended property key Allow unknown user ID, user attribute, and certificate attribute. In example 1 below, the mapping of the user will occur and obtained user ID will be used, TABLE 2 Allow unknown user ID - Example 1 Extended Property Key BankID user attribute BankID certificate attribute Allow unknown user ID cn cn false In example 2 below, the user ID will be set to the Subject DN from the certificate. TABLE 3 Allow unknown user ID - Example 2 Extended Property Key BankID user attribute BankID certificate attribute Allow unknown user ID <no set> <no set> true Configuring StoneGate BankID Authentication Method 8

9 In example 3 below, the user ID will be set to the CN from the certificate. TABLE 4 Allow unknown user ID - Example 3 Extended Property Key BankID user attribute BankID certificate attribute Allow unknown user ID <no set> cn true In example 4 below, a mapping attempt will try to obtain the user ID and use that. If it mapping fails, an attempt will be made to set the user ID to the value set in the extended property key BankID certificate attribute. If that also fails, the user ID will be set to the Subject DN from the certificate. TABLE 5 Allow unknown user ID - Example 4 Extended Property Key BankID user attribute BankID certificate attribute Extended Property Key Allow unknown user ID <set> <set> true Configuring StoneGate BankID Signer Method In this section you will create an authentication method that will use BankID Signer. Follow the steps below to create and configure the BankID Signer authentication method. Substitute any placeholder information with your corresponding information where appropriate. 1. Select Manage System in the main menu and click Authentication Methods in the left-hand menu. 2. Click the Add Authentication Method link. 3. Select BankID Signer and click Next. 4. On the General Settings page enter BankID Signer as the display name. 5. Click the Add an Authentication Method Server link. Enter the settings below (please refer to your Nexus MultiID server documentation for details): Example Host: <Nexus MultiID server IP address> Port: 8899 Service Identifier: Use the default settings for the remaining server settings. 6. Click Next to add the authentication method server. 7. Click Next to display the Extended Property page. 8. Click the Add Extended Properties link. Configuring StoneGate BankID Signer Method 9

10 9. Enter extended properties for applicable certificates/pki clients using the following examples: TABLE 6 Extended Properties for authentication method BankID Signer Certificate Used Extended Property Key IBM CBT VeriSign PTA SmartTrust Nexus Netmaker NetID Return signature Enable IBM CBT Enable VeriSign PTA Enable SmartTrust Enable Nexus Enable Netmaker NetID Return signature true or false, depending on whether or not the signature should be displayed 10.Finish the wizard and click Publish to publish the new configuration. Feedback Stonesoft is always interested in feedback from our users. For comments regarding Stonesoft s products, contact feedback@stonesoft.com. For comments regarding this technical note, contact documentation@stonesoft.com. Feedback 10

11 Trademarks and Patents Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology-as well as other technologies included in StoneGate-are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners. SSL VPN Powered by PortWise Copyright and Disclaimer Copyright Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation. Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein. THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO, THE INFORMA- TION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUD- ING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES. SG_SVTN_2071_ Stonesoft Corp. Itälahdenkatu 22a FIN Helsinki Finland tel fax Stonesoft Inc Crown Pointe Parkway Suite 900 Atlanta, GA USA tel fax