Configuring DoD PKI

This document describes the procedures to configure an XML Firewall that is interoperable with the United States Department of Defense (DoD) Public Key Infrastructure (PKI).

High-level procedure for installing DoD PKI trust points

The following procedure is an overview of the procedures that can be used to install a DoD trust point:

1. Generating keys and SSL Certificate Signing Requests (CSRs)
2. Certificate request submission and key recovery
3. Creating Crypto Key objects
4. Importing and managing crypto keys and certificates
5. Creating Crypto Certificate objects
6. Creating Crypto Validation Credential objects

You can also exclude non-DoD trust points.

Details for installing DoD PKI trust points

This section breaks down the high-level procedure in High-level procedure for installing DoD PKI trust points. The labels used for each high-level step are shown in an UNDERLINED SMALL CAPITAL LETTER typeface.

GENERATING KEYS AND SSL CERTIFICATE SIGNING REQUESTS

1. Generate a new private key. This key and CSR will be used to obtain a certificate for the IBM WebSphere DataPower appliance from the DoD CA.
   a. Select Administration Miscellaneous Crypto Tools to display a form to create a new private key.
   b. Follow the relevant DoD guidelines for the fields of the Distinguished Name (DN).

   CERTIFICATE REQUEST AND KEY RECOVERY

   c. If key recovery is required, set Export Key to on. Provide a password in the Password and Confirm Password fields. This places an encrypted version of the generated key in the temporary: directory instead of in the cert: directory.
   d. Click Generate Key. This action generates both a key and a CSR. Remember the name of the key file. If the key is exported, it can be copied from the temporary: directory.
   e. To obtain a copy of the CSR or the exported key file, click the File Management icon from the Control Panel. Navigate to the temporary: directory. The CSR file can be copied from this location and submitted to the appropriate CA.
   f. If the key was exported, the encrypted key can be retrieved from the temporary: directory and submitted to the appropriate key recovery manager (KRM) for safekeeping and later retrieval. This key should then be moved from the temporary: directory to the cert: directory for security reasons. Refer to Step 4 for more information about the file system.

CREATING CRYPTO KEY OBJECTS

2. Create a private key object for use in other cryptographic operations. This key can be used for SSL operations, for example.
   a. Select Objects Crypto Key Object to display a list of all configured key objects.
   b. Click Add.
   c. Specify a name for the object. You will use this name during the creation of a Crypto Identification Credential object (Step 7).
   d. Select the newly created key file from the File Name list. It is possible to import a key by clicking Upload.
   e. Supply a password alias if desired and click Apply.

IMPORTING AND MANAGING CRYPTO KEYS AND CERTIFICATES

3. Obtain the root CA certificate (the trust point). Also obtain the certificate corresponding to the CSR you submitted to the appropriate CA.
4. Place copies of the certificates in the cert: or pubcert: directory. Use one of the following methods:
   - Upload Files
   - Fetch Files
   a. Select Administration File Management to open the File Management screen.
      - If the files are not in one of the directories on the DataPower appliance:
        1) Navigate to the directory where you want to place the copies of the certificates, either the cert: or pubcert: directory.
        2) Click Actions to open the Directory Actions menu.
        3) Click either Upload Files or Fetch Files to copy the file to the appliance. Use Upload Files when the files are on the workstation of the administrator who is configuring the DataPower appliance. Use Fetch Files when the files are across the network.
        Note: Files in the cert: and pubcert: directories cannot be deleted, copied, moved or renamed.
   b. If the files are in one of the directories on the DataPower appliance, but not in the cert: or pubcert: directory:
      1) Navigate to the directory that contains the files.
      2) Click the check box alongside the desired files.
      3) Click Move.
      4) Move the file to the cert: directory. Moving files removes them from the source directory and places them in the destination directory.

CREATING CRYPTO CERTIFICATE OBJECTS

The Crypto Certificate object will be used in credential validation and other cryptographic actions.

5. Select Objects Crypto Certificate to create a Certificate object using the root certificate.
   a. Click Add to create a new object.
   b. Provide a name for this object in the Name field. You will use this name when creating a Crypto Validation Credential object in Step 6.
   c. Use the File Name fields to identify the root certificate file just placed on the appliance.
   d. Complete the form as needed.
   e. Click Apply.

   Repeat steps 5a to 5e to create another Crypto Certificate object. Use the certificate issued by the CA as a result of the CSR submission rather than the root certificate. This Certificate Object will be used in creating a Crypto Identification Credential object.

CREATING A CRYPTO VALIDATION CREDENTIAL OBJECT

The Crypto Validation Credential object establishes the DoD trust point. A validation credential object provides the necessary information for a firewall to validate the credentials of other entities communicating with the firewall.
6. Select Objects Crypto Validation Credentials to create a Crypto Validation Credential object using the Crypto Certificate object that is based on the root certificate. A list of all configured credential objects appears.
   b. Provide a name for this object in the Name field.
   c. Select an available certificate object that is based on the Certificate object of the root CA that was created in Step 5.
   d. Click Add. The certificate appears in the list of installed certificates. Include no other certificates.
   e. Set the Certificate Validation Mode to Full certificate chain checking (PKIX).
   f. Set the Require CRLs radio button set to on.
   g. Optionally configure other settings as needed.
   h. Click Apply to save the object to the running configuration.
   i. Optionally, click Save Config to save the object to the startup configuration.

   Note: By creating a Crypto Validation Credential based solely on the DoD root CA certificate, this validation object necessarily excludes all non-DoD trust points from validation checking. Only this Crypto Validation Object should be used by XML Firewall services or other services to ensure that all certificate chains end in the DoD root CA.

SSL communications take advantage of the DoD PKI trust point created in the above procedure. To fully enable SSL communications, complete the following procedures.

CREATING CRYPTO IDENTIFICATION CREDENTIAL OBJECTS

The Crypto Identification Credential object is a certificate object that is not based on the root certificate. A Crypto Identification Credential is used to verify client identity during an SSL handshake.

7. Select Objects Crypto Identification Credentials to create a Crypto Identification Credential object using the generated key and corresponding certificate object. A list of all configured credential objects is displayed.
   b. Provide a name for this object in the Name field. You will use this name in Step 9.
   c. Select the Crypto Key object just created from the Crypto Key list.
   d. Select the Certificate object based on the original CSR from the Certificate list.
   e. Click Apply to save the object to the running configuration.

CREATING CRYPTO PROFILES

8. Select Objects Crypto Profile to create a new Crypto Profile that uses the newly created Crypto Validation Credential and Crypto Identification Credential. A list of all configured profiles appears.
   b. Provide a name for this object in the Name field. You will use this name in Step 9.
   c. Select the Identification Credentials and Validation Credential objects that you just created from their respective lists.

   ENCRYPTION ALGORITHMS

   d. Specify DES-CBC3-SHA in the Ciphers field to limit the encryption algorithms that are allowed. This is a hyphen-separated list.
   e. In the Options field, select all of the check boxes, except for the last option.
   f. Click Apply to save the object to the running configuration.

CREATING AN SSL PROXY PROFILE

The SSL Proxy Profile will use the Crypto Profile that was created in Step 8.
9. Select Objects SSL Proxy Profile to create a new SSL Proxy Profile. A list of all configured SSL Proxy Profile objects is displayed.
   b. Specify a name for the profile. You can use this name in subsequent operations, such as configuring an XML Firewall or XSL Proxy.
   c. To create a Server profile, which validates the credentials of clients requesting connections, leave the Direction set to Reverse and set the Reverse Crypto Profile to the profile created in Step 8. The same profile could be used for any of the Direction values.
10. Click Apply to save the object to the running configuration.
11. Optionally, click Save Config to save the object to the startup configuration.

Certificate Revocation Lists (CRLs) can be retrieved from one or more distribution points using HTTP, HTTPS, LDAP or LDAPS. To obtain CRLs, complete the following procedures.

MANAGING CRLS

12. Click Objects CRL Retrieval to display the CRL Retrieval Configuration (Main) screen.
13. Click enabled, if it is not already enabled.
14. Click the CRL Policy tab to display the CRL Policy catalog.
   b. Specify a name for the policy.
   c. Select a protocol for communication with the distribution point.
   d. Select the Validation Credential just created in Step 6. You can create Validation Credentials for additional CRL distribution points by following these procedures. Click the + button to begin this process.
   e. Specify the name of the Crypto Profile created in Step 8 to manage SSL communications. To create an alternate profile for additional CRL distribution points, return to Step 8.
   f. If the protocol is HTTP or HTTPS, specify the URL for retrieving the list from the authority.
   g. If the protocol for communication is LDAP or LDAPS, provide the additional LDAP-specific information required to complete the communication. There are several fields required. The last three are not required for an anonymous LDAP Bind.
   h. Click Apply.
   Repeat steps 14a to 14h for each CRL distribution point desired.

Key compromise

Care should be taken to keep private key files secret. Ideally, the files should be created on the appliance with the Crypto Tools (Step 1) and not removed from the appliance. This is not possible if a key recovery manager (KRM) is used.

In the event of a suspected key compromise, the CA issuing the certificate of the key in question should be contacted and told to revoke the certificate. The key in question and its certificate should be deleted. A new key and certificate should be generated in its place.
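The decision made by the validation credential in Step 6 (the chain must end in the one installed root, and a CRL must be available and must not list the certificate), together with the effect of the revocation described under Key compromise, can be reproduced off the appliance with the OpenSSL command line. This is an added example, not part of the original document and not DataPower configuration; it assumes an openssl binary on a workstation, and the root CA, subjects and file names are constructed for the lab.

```shell
# Constructed lab PKI: the subjects, file names and throwaway root are made up.
set -e
LAB=$(mktemp -d); cd "$LAB"; trap 'cd /; rm -rf "$LAB"' EXIT
# One root CA (the only trust point) issues one appliance certificate from a CSR.
setup_pki() {
  rm -rf newcerts index.txt* serial*; mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = lab
[lab]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = root.pem
private_key = root.key
default_md = sha256
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
    -subj "/CN=Example Lab Root" -keyout root.key -out root.pem -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=appliance.example" -keyout app.key -out app.csr 2>/dev/null
  openssl ca -batch -config ca.cnf -days 30 -in app.csr -out app.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
}

# Chain check with revocation checking on; "nocrl" withholds the CRL from the verifier.
verify_chain() {
  if [ "${1:-}" = nocrl ]; then set --; else set -- -CRLfile root.crl; fi
  openssl verify -crl_check -CAfile root.pem "$@" app.pem >/dev/null 2>&1
}

# CA-side response to a suspected key compromise: revoke, then publish a new CRL.
revoke_appliance_cert() {
  openssl ca -config ca.cnf -revoke app.pem -crl_reason keyCompromise 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null
}
setup_pki
verify_chain && echo "CRL present, certificate not revoked: accepted"
verify_chain nocrl || echo "no CRL available: rejected"
revoke_appliance_cert; verify_chain || echo "certificate revoked: rejected"
```

The middle case is the one to watch operationally: with CRLs required, a distribution point that cannot be reached causes rejections until a current CRL is retrieved, so the retrieval policies in Step 14 need monitoring.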
First Edition (January 2009)

This edition applies to the current release of IBM WebSphere DataPower SOA Appliances and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright International Business Machines Corporation 2002, 2009.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.