EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

Technology Concepts and Business Considerations

Abstract

Encryption plays an increasingly important role in IT infrastructure due to the impact of regulations and the risk of data security breaches. Many of these protocols use public key encryption (particularly those tools that are used for session-based encryption or authentication). This primer discusses improvements introduced in EMC Celerra Network Server version 5.6 that enable the use of public key encryption, such as its implementation of a public key infrastructure.

June 2009
Copyright 2009 EMC Corporation. All rights reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.

Part Number h6348
Table of Contents

Executive summary
    Business problem
    Technical problem
    Feature introduction
    What's new
Introduction
    Audience
Detailed overview
    Architecture
    Limitations
    Compatibility with earlier releases
Conclusion
References
Executive summary

Protecting sensitive information is one of the foremost concerns of customers today. With new threats to information security being discovered every day, encryption becomes critical to business. With encryption, however, comes the incremental burden of managing encryption keys and certificates. Public key infrastructure (PKI) tools introduced in EMC Celerra Network Server version 5.6 help mitigate this task by eliminating the need to manage individual keys and certificates.

Business problem

Securing a wide variety of business data has become a modern-day requirement for most businesses. For some, a breach in that security could have a substantially negative impact, including costly litigation, competitive exposure, or public embarrassment. While the need for security is well understood, achieving a confident level of security is not so straightforward. Complex data centers, globally dispersed locations, and numerous technologies from many suppliers make realizing a secure environment a constant and costly challenge.

Technical problem

Encryption and authentication certificates are two widely used tools in improving data center security. While they are highly beneficial, both tools increase the burden on system administrators to actively manage and maintain them, and ensure their effectiveness.

Feature introduction

Celerra version 5.6 introduces PKI tools that help administrators manage encryption keys and certificates for a Data Mover and, to a more limited extent, for the Control Station. These tools ease the use of encryption protocols such as SSL by providing a single, consistent interface that manages the required keys and certificates.
PKI tools provide the ability to:

• Generate key sets
• Export certificate signing requests or sign persona certificates with the Control Station Certificate Authority (CA)
• Import signed certificates
• Store certificates using a current and next model
• Import CA certificates

The Control Station can now serve as a CA and sign Control Station and Data Mover certificates. This is useful in customer environments where an enterprise-level or other external CA is not available. Also, the Celerra Manager SSL certificate is now automatically signed by the Control Station CA rather than being self-signed.

What's new

The PKI functionality is new to Celerra version 5.6. Several Celerra features now take advantage of the PKI infrastructure. These features include:

• FileMover HTTP-over-SSL support: Authenticates and encrypts FileMover control channels
• LDAP-over-SSL support: Authenticates and encrypts LDAP connections
Introduction

This primer includes a discussion of the architecture of the new feature, and lists limitations and compatibility with earlier Celerra versions.

Audience

This white paper is intended for customers, including IT planners, storage architects, administrators, and others involved in evaluating, acquiring, managing, operating, or designing an EMC networked storage environment.

Detailed overview

Architecture

PKI is an architectural enhancement to Celerra. Consequently, its key and certificate management tools are available for any future features or enhancements that require encryption capabilities, providing a common management interface. While this PKI functionality is largely Data Mover-based, there are some changes to the Control Station that are included in the current release. This is discussed on page 7.

PKI manages the following objects:

• Personas (Data Mover key and certificate pair)
• External CA certificates
• Control Station CA key and certificate pair

A persona is a digital identity. It consists of a Data Mover private key and the associated Data Mover public key certificate signed by a CA. (Hereafter, this paper refers to the pairing of a private key and public key certificate as a key/certificate pair.) A persona is identified by a specific name when assigned to a Data Mover feature. In Celerra version 5.6, there is only one persona, called a default. Many Data Mover features may use a single persona to facilitate ease of use.

Data Mover key/certificate pairs within a persona are managed by using a current-next model. Each persona recognizes two slots for key/certificate pairs, current and next. The current key/certificate pair is the one that is valid and is being used actively. The next key/certificate pair is a key/certificate pair that replaces the current key/certificate pair when it reaches its start date.

You can create and manage personas and certificates using either the Celerra Manager or the CLI.
Figure 1 on page 6 shows the Celerra Manager Personas tab, which displays information about the current key/certificate pair, and information about the next key/certificate pair, if available.

A new key/certificate pair is always identified as the next key/certificate pair. It becomes the current key/certificate pair only when it becomes valid. Thus, it is possible for there to be a next key/certificate pair (which is not yet valid) but no current key/certificate pair. In this situation, the key and certificate requests fail until the next key/certificate pair becomes valid. The Data Mover's system clock is used when determining key/certificate pair validity, and a 5-minute time skew is allowed.
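The current/next behaviour described above, modelled as an added example (not EMC code and not part of the original primer). The class and method names and the constructed dates are hypothetical, and applying the 5-minute skew to both ends of the validity window is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SKEW = timedelta(minutes=5)  # clock-skew allowance stated in the primer


@dataclass
class KeyCertPair:
    label: str
    not_before: datetime  # certificate start date
    not_after: datetime   # certificate end date

    def is_valid(self, now: datetime) -> bool:
        # Assumption: the skew allowance widens both ends of the window.
        return self.not_before - SKEW <= now <= self.not_after + SKEW


@dataclass
class Persona:
    name: str
    current: Optional[KeyCertPair] = None
    next: Optional[KeyCertPair] = None  # a new pair always enters this slot

    def resolve(self, now: datetime) -> KeyCertPair:
        """Return the pair a feature such as SSL would be handed at `now`."""
        if self.next is not None and self.next.is_valid(now):
            self.current, self.next = self.next, None  # next becomes current
        if self.current is None or not self.current.is_valid(now):
            raise LookupError(f"persona {self.name!r}: no valid key/certificate pair")
        return self.current

    def rotation_gap(self) -> timedelta:
        """Length of the window in which neither current nor next is valid."""
        if self.current is None or self.next is None:
            return timedelta(0)
        gap = (self.next.not_before - SKEW) - (self.current.not_after + SKEW)
        return max(gap, timedelta(0))


def demo() -> list:
    t0 = datetime(2009, 6, 1, tzinfo=timezone.utc)  # constructed start date
    p = Persona("default", next=KeyCertPair("pair-A", t0, t0 + timedelta(days=365)))
    out = []
    for minutes_early in (6, 4):  # outside, then inside, the skew allowance
        try:
            out.append(p.resolve(t0 - timedelta(minutes=minutes_early)).label)
        except LookupError:
            out.append("fail")
    return out
```

`rotation_gap()` is the check to run before a rollover: any non-zero result is a window in which the persona has no usable pair and requests fail.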
Figure 1 Personas management using Celerra Manager

It is important to note that Data Mover private keys are not accessible from the Control Station; only the Data Mover can access these keys, which reside in the memory for as short a period of time as possible. (Data Mover private keys are encrypted when not in use.)

When a Data Mover feature needs to set up an SSL session, it notifies the SSL about the name of the persona to use, and the SSL code then uses the PKI API to retrieve the associated private key and public key certificate. When a public key certificate is received from the peer host (while negotiating an SSL session), the SSL code uses the PKI API to verify the certificate (by using a CA certificate). Thus, it is the PKI infrastructure that frees other Data Mover functionality (such as SSL) from having to maintain private keys, public key certificates, and CA certificates.

In addition to managing personas, the PKI infrastructure also manages CA certificates that belong to CAs imported into the Data Mover. Figure 2 on page 7 shows the Celerra Manager CA Certificates tab, which displays information about the currently available CA certificates.

CA certificates are used to validate the chain of trust for public key certificates that the Data Mover receives. For example, when setting up an authenticated SSL session, the client or server on the other end of the SSL session provides its public key certificate and a short message encrypted (signed) by its private key. The Data Mover uses the provided public key certificate to decrypt the message (verifying that the provided public key certificate does, in fact, belong to the computer that provided it). The Data Mover also validates the chain of trust (found in the other computer's public key certificate) by using the CA certificate to decrypt the signature of the other computer's public key certificate.
Figure 2 CA certificate management using Celerra Manager

In summary, PKI serves two primary purposes:

• Using the concept of a persona, it frees other Data Mover code from the need to manage private keys and associated public key certificates. The type of Data Mover applications that need this are those that act as secure servers (receive incoming SSL-based connection requests), as servers that offer server authentication, or as clients in a connection where the server on the other end requires client authentication.
• By managing imported CA certificates, it enables all Data Mover applications that must validate received certificates to use the same common pool of CA certificates. Without this common pool, the CA certificate would have to be provided directly to each application that needs it.

The current release also enhances the Control Station with the implementation of the Control Station CA and some CLI tools that enable CA certificate management. In the current release, only CLI commands are available to manage the Control Station CA. More information about this functionality can be found in the EMC Celerra Security Configuration Guide.

Limitations

• In the current release, you cannot create and use customer personas. You can only populate the default persona with keys.
• Only 2048-bit and 4096-bit RSA keys are supported. You cannot use any other key types or lengths.
• Only Privacy-enhanced Electronic Mail (PEM) encoding is supported for certificate requests.
• Only PEM and Distinguished Encoding Rules (DER) encodings are supported for imported certificates.
• Control Station CA certificate management is available only through the CLI.
• You must identify expired key/certificate pairs manually. Key/certificate pairs are usually fairly long-lived (12 months is common), and therefore this is not expected to be a major issue.
• Certificate Revocation Lists (CRLs) are not supported in the current release. You must explicitly remove or replace certificates.
• Certificate requests and digital signatures are signed using SHA-1 with RSA encryption. No other signing mechanisms are supported in the current release. Most, if not all, CAs support this signing mechanism.
• Automatic certificate generation using Microsoft Certificate Authority is not available in the current release. However, Microsoft Certificate Authority can be used to sign manually generated certificate requests.

Compatibility with earlier releases

This functionality is contained within the Celerra on which it is configured, and it does not interact with other Celerras. Therefore, no compatibility concerns exist. Earlier releases use the authentication mechanisms supported in those releases.

Conclusion

The PKI functionality simplifies private and public key management. It does this by creating and managing digital identities called personas. It also optimizes the process of validating CA certificates by maintaining and managing a common pool of such certificates.

References

Name: EMC Celerra Security Configuration Guide
Type: Technical documentation
URL: See the Celerra Network Server Documentation CD Version 5.6. Also available on Powerlink.
Audience: Customer
Technical Depth: High

Name: Celerra Manager Online Help System
Type: Technical documentation (Help System)
URL: See the Celerra Network Server Documentation CD Version 5.6. Also available on Powerlink.
Audience: Customer
Technical Depth: High