DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication




DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication
Certificate Based Integration Guideline
2010 VASCO Data Security. All rights reserved. Page 1 of 31

Disclaimer

Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks
DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Copyright 2011 VASCO Data Security. All rights reserved.

Table of Contents
1 Overview ... 4
2 Problem Description ... 4
3 Solution ... 4
4 Technical Concept ... 5
4.1 General overview ... 5
4.2 Procedure ... 5
4.3 Prerequisites ... 5
5 Setting up DIGIPASS Juniper Logon ... 5
5.1 Certificate Authority ... 5
5.1.1 Issue the right type of certificates ... 5
5.1.2 Security groups for enrollment station and agents ... 6
5.1.3 Specifying the Enrollment Policy ... 9
5.2 Enrollment Station ... 11
6 Enrolling Users ... 18
6.1 Requesting certificates ... 18
7 Download CA Certificate ... 21
8 Juniper Configuration ... 23
8.1 Import Trusted Client CAs ... 23
8.2 Create a Certificate Server ... 26
8.3 User Realms ... 27
9 Using the DIGIPASS KEY 200 ... 28
9.1 Logon using the DIGIPASS KEY 200 ... 28
10 About VASCO Data Security ... 31

1 Overview
The purpose of this document is to demonstrate how to secure your Juniper SSL VPN login with the DIGIPASS KEY 200. This device lets you store a certificate and log on with the right user credentials.

2 Problem Description
Today's business is built around information applications. To ensure business workflow and productivity and to enhance client relationships, internal network resources are increasingly being made accessible from anywhere. The weakest link in any security infrastructure is the use of static passwords. These passwords are easily stolen, guessed, reused or shared. There is a need for strong user authentication based on two factors: something you have and something you know.

3 Solution
By creating an extra profile in your organization, the Enrollment Agent, it becomes possible to roll out certificates on the DIGIPASS KEY 200 for every user. With the DIGIPASS KEY 200 it is possible to log in to Juniper SSL VPN. This way you create a safe and easily manageable environment for you and all your users.

Figure 1: DIGIPASS KEY 200

It is also possible to use a simple smart card, allowing the rollout of certificates on the DIGIPASS smart card as well. The DIGIPASS 905 is VASCO's smart card reader. The procedure for configuring the certificates on the card is identical to the KEY 200 configuration.

Figure 2: DIGIPASS SMART CARD & DIGIPASS 905

4 Technical Concept

4.1 General overview
The basic working of the Juniper SA is based on authentication against an existing medium (certificate authentication, LDAP, RADIUS, local authentication). To use the IDENTIKEY with Juniper SA, the external authentication settings need to be changed or added manually. After configuring the Juniper SA SSL VPN and placing the user certificate on the DIGIPASS KEY 200 in the right way, you eliminate the weakest link in any security infrastructure: the use of static passwords that are easily stolen, guessed, reused or shared. The DIGIPASS KEY 200 provides document signing, strong authentication against PKI-enabled software systems (operating systems, virtual private networks, applications), as well as e-mail, file and disk encryption.

4.2 Procedure
To make the DIGIPASS KEY 200 work with the Juniper SSL VPN login, a few steps need to be taken. First of all you have to set up a Certificate Authority. This will be the issuer of the certificate used on the DIGIPASS KEY 200. Next we will make sure all the correct user rights are set. We will make a new group that will be responsible for issuing certificates. This will become a powerful group, as its members can generate certificates for all domain users, including administrators. Last, we have to enroll the users on the DIGIPASS KEY 200 and log in to Juniper SSL VPN.

4.3 Prerequisites
The initial prerequisites for setting up DIGIPASS Juniper SSL VPN are:
- Active Directory installed on a Windows 2000 or 2003 domain server
- A Microsoft Certificate Authority (CA) configured with the Enterprise policy module. This may be a root or subordinate CA.
- Juniper SSL VPN SA appliance

5 Setting up DIGIPASS Juniper Logon

5.1 Certificate Authority

5.1.1 Issue the right type of certificates
Start the Certification Authority Microsoft Management Console (MMC), located in the Administrative Tools folder on the Enterprise CA. Open the Certificate Templates (2003) or Policy Settings (2000) folder and right-click on this folder. Select New -> Certificate Template to Issue.

Figure 3: Issue the right type of certificates (1)

Select the following two items (hold the CTRL key to select both) and click OK:
- Enrollment Agent
- Smartcard User

Figure 4: Issue the right type of certificates (2)

5.1.2 Security groups for enrollment station and agents
Open Active Directory Users and Computers from the Administrative Tools folder on the Domain Controller. Right-click the Users folder and select New -> Group.

Figure 5: Security groups for enrollment station and agents (1)

Fill in a relevant group name (e.g. Enrollment_Group) and click OK.

Figure 6: Security groups for enrollment station and agents (2)

Now add the users that will be allowed to create certificates for the DIGIPASS KEY 200 to this group. Caution: be aware that these users become powerful users, as they can create a certificate for any user in your domain, including administrators. Right-click the group you just created and select Properties.

Figure 7: Security groups for enrollment station and agents (3)

At the Members tab, click the Add button.

Figure 8: Security groups for enrollment station and agents (4)

Select the user you want to add to the group (e.g. Enrollment Agent).

Figure 9: Security groups for enrollment station and agents (5)

As you can see below, a computer can also be an Enrollment Agent. You then have to take care of the physical access to this computer. Click OK to finish.

Figure 10: Security groups for enrollment station and agents (6)

5.1.3 Specifying the Enrollment Policy
Certificates issued by the CA are based on certificate templates stored in Active Directory. The Access Control Lists (ACLs) set on these templates determine who (user and computer) can request what (certificates). Open the Active Directory Sites and Services MMC from the Administrative Tools folder on the Domain Controller. If the Services folder is not visible, choose View -> Show Services Node. Open Services -> Public Key Services -> Certificate Templates, right-click Enrollment Agent and select Properties.

Figure 11: Specifying the Enrollment Policy (1)

Click the Add button and add the enrollment group you created before.

Figure 12: Specifying the Enrollment Policy (2)

Once added, give this group Read and Enroll permissions. Click OK to finish.

Figure 13: Specifying the Enrollment Policy (3)

Now repeat the same steps for the Smartcard User template.

5.2 Enrollment Station
To set up your enrollment station you need to install the DIGIPASS KEY 200 middleware, DIGIPASS CertID. Log on to the Enrollment Station (any domain computer) with the Enrollment Agent user. Click Start -> Run and type mmc. Choose File -> Add/Remove Snap-in.

Figure 14: Enrollment Station (1)

Click the Add button.

Figure 15: Enrollment Station (2)

Select Certificates and click the Add button.

Figure 16: Enrollment Station (3)

Choose My user account and press Finish.

Figure 17: Enrollment Station (4)

Afterwards click the Close button of the Add Standalone Snap-in window. Click OK to go to the main console window.

Figure 18: Enrollment Station (5)

At the main console window, right-click the Personal folder and select All Tasks -> Request New Certificate.

Figure 19: Enrollment Station (6)

Click Next in the first window of the Certificate Request Wizard.

Figure 20: Enrollment Station (7)

Choose the Enrollment Agent certificate, check the Advanced checkbox and click Next.

Figure 21: Enrollment Station (8)

Choose the Microsoft Enhanced Cryptographic Provider and a key length of 1024 bit. Click Next.

Figure 22: Enrollment Station (9)

Verify the settings and click Next.

Figure 23: Enrollment Station (10)

Type in a friendly name and a meaningful description. Click Next.

Figure 24: Enrollment Station (11)

Review all the settings and click Finish if everything is OK.

Figure 25: Enrollment Station (12)
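The console steps of sections 5.1 and 5.2 can also be carried out from the command line, which makes the setup repeatable and leaves a record of exactly which templates were published and which group received Enroll rights. The following PowerShell script is an added example and is not part of the VASCO guide; it uses the Windows built-in certutil, dsadd, dsmod, dsacls and certreq tools, and every name in it is an assumption to replace with your own: the domain corp.example (NetBIOS name CORP), the CA CA-SERVER\Corp-CA, the group Enrollment_Group and the user CN=Enrollment Agent. The first part runs as a CA administrator on the Enterprise CA; the certreq part runs on the enrollment station while logged on as the enrollment agent.

```powershell
# Added example (not from the VASCO guide): scripted equivalent of sections 5.1 and 5.2.
# All names below are placeholders; adjust domain, CA and account names to your environment.
$DomainDN   = "DC=corp,DC=example"                      # assumption: AD domain corp.example
$NetBios    = "CORP"                                    # assumption: NetBIOS name of that domain
$CAConfig   = "CA-SERVER\Corp-CA"                       # assumption: <CA host>\<CA common name>
$GroupName  = "Enrollment_Group"                        # group name used in section 5.1.2
$GroupDN    = "CN=$GroupName,CN=Users,$DomainDN"
$AgentDN    = "CN=Enrollment Agent,CN=Users,$DomainDN"  # assumption: the enrollment agent user
$TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,$DomainDN"

# 5.1.1 - publish the Enrollment Agent and Smartcard User templates on the Enterprise CA.
# The names are the templates' common names (as stored in AD), not their display names.
certutil -config $CAConfig -SetCATemplates +EnrollmentAgent +SmartcardUser
certutil -config $CAConfig -CATemplates          # list what the CA now issues, to verify the change

# 5.1.2 - create the enrollment group and add the enrollment agent user to it.
# Keep membership minimal: members can request certificates on behalf of any domain user.
dsadd group $GroupDN -secgrp yes -scope g -desc "Smart card enrollment agents (DIGIPASS KEY 200)"
dsmod group $GroupDN -addmbr $AgentDN

# 5.1.3 - grant Read (GR) and Enroll on both templates to the group; this is the ACL edit the
# guide performs in AD Sites and Services. "CA;Enroll" is the Certificate-Enrollment control access right.
foreach ($template in "EnrollmentAgent", "SmartcardUser") {
    $templateDN = "CN=$template,$TemplateContainer"
    dsacls $templateDN /G "${NetBios}\${GroupName}:GR"
    dsacls $templateDN /G "${NetBios}\${GroupName}:CA;Enroll"
}

# 5.2 - request the Enrollment Agent certificate with certreq instead of the MMC wizard, using the
# same provider and key length the guide selects. Run on the enrollment station as the agent user.
$inf = @'
[NewRequest]
Subject = "CN=Enrollment Agent"
KeyLength = 1024
KeySpec = 1
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
ProviderType = 1
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
FriendlyName = "DIGIPASS enrollment agent"
[RequestAttributes]
CertificateTemplate = EnrollmentAgent
'@
Set-Content -Path ".\agent.inf" -Value $inf -Encoding ASCII
certreq -new ".\agent.inf" ".\agent.req"                     # generate key pair and PKCS#10 request
certreq -submit -config $CAConfig ".\agent.req" ".\agent.cer" # submit to the Enterprise CA
certreq -accept ".\agent.cer"                                # install into the user's Personal store
```

Exportable = FALSE keeps the enrollment agent's private key from being copied off the enrollment station, which matters because that key signs on-behalf-of requests for every user; the guide's wizard leaves this at its default. Running certutil -CATemplates afterwards is the quick check that only the two intended templates were added.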

6 Enrolling Users
For the enrollment of users you have to choose the Smartcard User template.

6.1 Requesting certificates
Open your browser and go to http://ca-server/certsrv (where ca-server is the name of the machine on which your CA is installed). Click Request a certificate.

Figure 26: Requesting certificates (1)

Click the Advanced certificate request link.

Figure 27: Requesting certificates (2)

Click the "Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station" link.

Figure 28: Requesting certificates (3)

Select the right Certificate Template, CA and Cryptographic Service Provider (the VASCO CertID Smart Card Crypto Provider V1.0 CSP in this case). If you are logged in as the Enrollment Agent, the right Administrator Signing Certificate should be selected by default; otherwise click the Select Certificate button. In the User to Enroll field you select the user you want to create a certificate for: click the Select User button and the familiar user selection wizard starts.

Figure 29: Requesting certificates (4)

Search for the user you want to create a certificate for and click OK.

Figure 30: Requesting certificates (5)

Now make sure your DIGIPASS KEY 200 is plugged into the USB port, then press the Enroll button.

Figure 31: Requesting certificates (6)

You will be asked for the PIN of the DIGIPASS KEY 200; enter it and press OK to continue. This can take a while. Do not navigate away from this page while the process is busy.

Figure 32: Requesting certificates (7)

When the certificate is saved on the DIGIPASS KEY 200, you will get a message in the window stating "The smartcard is ready". You can now view the newly created certificate by pressing the View Certificate button.

Figure 33: Requesting certificates (8)

7 Download CA Certificate
To download the certificate authority (CA) certificate through the web site, click the Download a CA certificate, certificate chain, or CRL link.

Figure 34: Download CA certificate (1)

Click the Download CA certificate link.

Figure 35: Download CA certificate (2)

Save the CA certificate to your local drive. (The CA certificate will be imported into the Juniper SSL VPN later.)

Figure 36: Download CA certificate (3)

8 Juniper Configuration

8.1 Import Trusted Client CAs
Log in to the Juniper SSL VPN administrator console and click Configuration -> Certificates -> Trusted Client CAs.

Figure 37: Juniper SSL VPN configuration (1)

Click Import CA Certificate.

Figure 38: Juniper SSL VPN configuration (2)

Click the Browse... button.

Figure 39: Juniper SSL VPN configuration (3)

Choose the CA certificate you saved earlier (refer to page 21).

Figure 40: Juniper SSL VPN configuration (4)

Click the Import Certificate button.

Figure 41: Juniper SSL VPN configuration (5)

Scroll down and leave the default settings.

Figure 42: Juniper SSL VPN configuration (6)

Click Save Changes.

Figure 43: Juniper SSL VPN configuration (7)

Figure 44: Juniper SSL VPN configuration (8)

8.2 Create a Certificate Server
To create a Certificate Server, click Auth. Server. In the New: drop-down list, choose Certificate Server.

Figure 45: Juniper SSL VPN configuration (9)

Name your Certificate Server.

Figure 46: Juniper SSL VPN configuration (10)

8.3 User Realms
To link the Certificate Server to the User Realms, click User Realms and then click your realm.

Figure 47: Juniper SSL VPN configuration (11)

Under Authentication, select the Certificate Server.

Figure 48: Juniper SSL VPN configuration (12)
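Once the CA certificate from section 7 is in the Trusted Client CAs list and the Certificate Server is bound to a realm, the Juniper SA admits any certificate that chains to that CA, so it is worth confirming beforehand that a certificate enrolled on a DIGIPASS KEY 200 in section 6 really chains to the downloaded CA certificate and carries the attributes a Smartcard User certificate should have. The following PowerShell function is an added example, not part of the VASCO guide. It assumes the CA certificate was saved as .\ca.cer and that the public part of a user's certificate was exported (without private key) from the Certificates snap-in as .\user.cer; the OIDs are the standard ones for Smart Card Logon, Client Authentication and the User Principal Name in the Subject Alternative Name.

```powershell
# Added example (not from the VASCO guide): check an enrolled user certificate against the
# downloaded CA certificate before relying on that CA as a Trusted Client CA on the Juniper SA.
# Assumed file names: .\ca.cer (section 7 download) and .\user.cer (public part of the
# certificate enrolled on the DIGIPASS KEY 200 in section 6).
function Test-DigipassClientCert {
    param(
        [string]$CaCertPath   = ".\ca.cer",
        [string]$UserCertPath = ".\user.cer"
    )
    $X509 = "System.Security.Cryptography.X509Certificates"
    $ca   = New-Object "$X509.X509Certificate2" -ArgumentList $CaCertPath
    $user = New-Object "$X509.X509Certificate2" -ArgumentList $UserCertPath

    # Build the chain with the downloaded CA offered as an extra anchor. AllowUnknownCertificateAuthority
    # lets Build() succeed even when the CA is not in the local trust store; the thumbprint comparison
    # below is what actually pins the chain to the CA the Juniper SA will trust. Signature failures
    # still make Build() return false. Revocation is skipped because ca.cer alone carries no CRL.
    $chain = New-Object "$X509.X509Chain"
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $chain.ChainPolicy.RevocationMode    = "NoCheck"
    $chain.ChainPolicy.VerificationFlags = "AllowUnknownCertificateAuthority"
    $chainBuilt   = $chain.Build($user)
    $topOfChain   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $anchoredToCa = $chainBuilt -and ($topOfChain.Thumbprint -eq $ca.Thumbprint)

    # Enhanced Key Usage: the Smartcard User template issues Smart Card Logon and Client Authentication.
    $ekus = @()
    foreach ($ext in $user.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # User Principal Name from the Subject Alternative Name (OID 2.5.29.17). The .NET Framework has
    # no typed SAN class, so the formatted text "Other Name:Principal Name=<upn>" is parsed instead.
    $upn = $null
    $san = $user.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san -and ($san.Format($false) -match "Principal Name=([^,\s]+)")) { $upn = $Matches[1] }

    [pscustomobject]@{
        Subject           = $user.Subject
        Issuer            = $user.Issuer
        NotAfter          = $user.NotAfter
        ChainsToCa        = $anchoredToCa
        SmartCardLogonEku = $ekus -contains "1.3.6.1.4.1.311.20.2.2"
        ClientAuthEku     = $ekus -contains "1.3.6.1.5.5.7.3.2"
        Upn               = $upn
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
    }
}

Test-DigipassClientCert | Format-List
```

ChainsToCa is the field to look at before importing: if it is false while ChainStatus reports only UntrustedRoot or PartialChain, the certificate was issued by a different CA than the one downloaded in section 7 and the import would not admit these users. A missing Upn means the Juniper Certificate Server has no user name to map to the realm, which usually points at the wrong template having been chosen in section 6.1.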

9 Using the DIGIPASS KEY 200

9.1 Logon using the DIGIPASS KEY 200
Make sure DIGIPASS CertID is installed on the client PC. Open Internet Explorer and enter the Juniper SSL VPN web portal URL.

Figure 49: Using the DIGIPASS (1)

A Security Alert will be shown. Click Yes to accept the SSL certificate.

Figure 50: Using the DIGIPASS (2)

Select your certificate and click OK.

Figure 51: Using the DIGIPASS (3)

Enter your PIN to unlock the DIGIPASS KEY 200.

Figure 52: Using the DIGIPASS (4)

After the certificate authentication you will be able to log in to your Juniper SSL VPN portal.

Figure 53: Using the DIGIPASS (5)

10 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small calculator-like hardware devices, or in a software format on mobile phones, other portable devices and PCs. At the server side, VASCO's VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO's target markets are the applications and their several hundred million users that utilize fixed passwords as security. VASCO's time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break.

VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.