Network Automation 9.22 Features: RIM and PKI Authentication July 31, 2013


Brought to you by Vivit Network Management Special Interest Group (SIG) Leaders: Wendy Wheeler and Chris Powers www.vivit-worldwide.org

Hosted by Wendy Wheeler, Content Manager/Operations Manager, HP

Today's Presenters:
- Swamy Mandavilli, Functional Architect, NA Product Development Team, HP
- Mietek T. Konczyk, Software Development Engineer, HP

Housekeeping
- This LIVE session is being recorded. The recording will be available on BrightTALK immediately after this session.
- Q&A: Please type questions in the Questions Box below the presentation screen.
- Additional information is available behind the Attachment button and later on the Vivit website.

RIM Agenda
1. Introduction
2. Management/Provisioning Challenges
3. Solution with NA 9.22
4. Use Case Scenarios
5. Some details on RIM functionality in NA

Resource Identity Examples
1. VLAN IDs
2. ACL IDs/Handles
3. HSRP / VRRP IDs
4. Route Targets
5. Route Distinguishers
6. IP Addresses
7. Phone Numbers
8. Licensing Keys
9. Routing Instance Names
10. Firewall Instance Names
11. Load Balancer Instance Names

Some characteristics of Resource Identities
1. Unique within a context
   Example: a VLAN ID is unique within an L2 network
2. Applied on one or multiple network devices
   Example 1: an IP address applied on one device
   Example 2: a VLAN ID applied on multiple devices
3. Some have a range of numbers
   Example: VLAN ID 1 to 4k
4. Some have a pre-known set of values
   Example: a set of license-key values
5. Some cannot be re-used once used

Management/Provisioning Challenges
1. Need centralized storage including usage information
   Spreadsheets are error-prone and require manual work; they cannot be integrated with provisioning systems
2. Categorize based on several criteria/dimensions: type (VLAN-ID), context, customer
3. Associate meaningful context/details to each Identity
4. Easily integrate with provisioning systems
   Not having this can cause significant damage to network operations
5. Enforce uniqueness with usage
6. Track what is available and what is in use
7. Find one Resource Identity that is available
8. Security/Access control
9. Track history

Resource Identity Management: capability overview with NA 9.22
1. Define Resource Identity Pools
   Example: Building_6_VLAN_IDs
2. Add Custom Attributes to Resource Identity Pools
3. Associate Resource Identity Pools to Partitions
4. Define/Assign Security Privileges
5. Load Resource Identities into a Resource Identity Pool
   1. GUI
   2. CSV import for bulk loading
   3. API/CLI
6. Request to acquire/release a specific Resource Identity
7. Request to acquire any available Resource ID in a Pool

Use Case: Provisioning scenario 1
Requirement: Provision a set of devices by running a custom script in NA, where each device needs a Resource Identity.
Steps:
1. Create an Advanced Command script that contains an API call to obtain a Resource Identity
2. Parameterize any Pool identification context
3. The Network Engineer executes the command script as a Task in NA, providing the necessary parameters

Use Case: Provisioning scenario 2
Requirement: The Network Engineer would like to create a new VLAN using the NA VLAN Provisioning GUI.
Steps:
1. Obtain an available VLAN ID from the GUI (by requesting any available Resource ID in the appropriate Pool)
2. Copy the acquired VLAN ID into the VLAN provisioning GUI of NA

Use Case: Provisioning scenario 3
Requirement: The Network Engineer would like to run a custom script in NA to create a new VLAN.
Steps:
1. Obtain an available VLAN ID from the GUI (by requesting any available Resource ID in the appropriate Pool)
2. Copy the VLAN ID as the parameter value for running the command script as a Task in NA

Use Case: Provisioning scenario 4
Requirement: Run a process through an HP OO Flow to provision a network device via an NA command script.
Steps:
1. Programmatically (using the NA API) obtain the next available Resource Identity (from OO)
2. Pass the Resource Identity value as a parameter to the NA Command Script (from OO)

NA Resource Identity Management in MSP environments
1. Associate all the Resource Identity Pools for a Customer to the corresponding Partition
2. Resource Identity Pools in different Partitions can have the same name
3. User permissions for the Resource Identities and Pools are governed by the user's privileges for that Partition

Resource Identity Pool
- Allows organizing logical groups of Resource Identities
- Associated with ONE Partition (optional)
- Has a set of Resource Identities
- Can be asked to acquire a Resource Identity (ANY available)
- Has a set of Custom Fields that apply to ALL IDs in that Pool

Resource Identity
- Associated with one Pool
- Has a unique name within the Pool
- Status: In Use / Available
- Can be acquired by specific request
- Can be released after it is no longer needed

Custom Fields
- Define a global set of Custom Fields
- Associate specific Custom Fields to the appropriate Pools, e.g. VLAN-Name to Pools Bldg-6-vlan-ids and Bldg-5-vlan-ids
- Semantics of Custom Fields:
  - Constant value through the lifecycle of the ID (e.g. Subnet-mask for an IP address)
  - Use-specific (e.g. assigned-to-customer-name)

RIM Security
1. Optional: associate a Resource Identity Pool to a Partition
2. Standard NA User/User-Group/Role based security mechanism with RIM-specific privileges

CLI / APIs for RIM in NA 9.22
1. Resource Identity Pools
   1. add, mod, del, show, list
2. Resource Identities
   1. add, del, show, list, mod
   2. acquire, release
3. Custom Fields for Resource Identities
   1. show, mod, list
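The pool, identity and partition rules on the slides above (unique names within a pool, In Use/Available status, acquire-any versus acquire-specific, release, identities that cannot be re-used, custom fields, CSV bulk loading, the same pool name in different partitions, partition-based access control, and history) as one worked model in Python. This is an added example, not HP NA code or its API: the class and method names, the CSV layout, and the extra Consumed status for non-reusable identities are this example's own assumptions. The provisioning_scenario function walks through scenarios 1 and 4, where a script or OO flow obtains the next available identity and passes it on.

```python
import csv
import io
from dataclasses import dataclass, field

# Added example, not HP NA code: a compact model of the RIM semantics on the slides.
# NA's real verbs are add/mod/del/show/list/acquire/release; everything else here is assumed.
AVAILABLE, IN_USE, CONSUMED = "Available", "In Use", "Consumed"   # CONSUMED: assumed extra status


@dataclass
class ResourceIdentity:
    name: str
    status: str = AVAILABLE
    custom_fields: dict = field(default_factory=dict)


class ResourceIdentityPool:
    """Logical group of identities; identity names are unique within the pool."""

    def __init__(self, name, partition=None, custom_field_names=(), reusable=True):
        self.name = name
        self.partition = partition             # optional association with ONE partition
        self.custom_field_names = set(custom_field_names)
        self.reusable = reusable               # False models "cannot be re-used once used"
        self._ids = {}
        self.history = []                      # (action, identity name, actor)

    def add(self, name, actor="admin", **fields):
        if name in self._ids:
            raise ValueError(f"{name!r} already exists in pool {self.name}")
        unknown = set(fields) - self.custom_field_names
        if unknown:
            raise ValueError(f"custom fields not defined for this pool: {sorted(unknown)}")
        self._ids[name] = ResourceIdentity(name, custom_fields=dict(fields))
        self.history.append(("add", name, actor))

    def load_csv(self, text, actor="admin"):
        """Bulk load: first column 'name', remaining columns are custom fields (assumed layout)."""
        for row in csv.DictReader(io.StringIO(text)):
            name = row.pop("name")
            self.add(name, actor, **{k: v for k, v in row.items() if v})

    def acquire(self, name=None, actor="user"):
        """Acquire a specific identity (name given) or any available one (name=None)."""
        if name is None:
            rid = next((r for r in self._ids.values() if r.status == AVAILABLE), None)
            if rid is None:
                raise LookupError(f"no Resource Identity available in pool {self.name}")
        else:
            rid = self._ids[name]
            if rid.status != AVAILABLE:
                raise ValueError(f"{name!r} is {rid.status}")
        rid.status = IN_USE                    # uniqueness of use is enforced here
        self.history.append(("acquire", rid.name, actor))
        return rid

    def release(self, name, actor="user"):
        rid = self._ids[name]
        if rid.status != IN_USE:
            raise ValueError(f"{name!r} is not in use")
        rid.status = AVAILABLE if self.reusable else CONSUMED
        self.history.append(("release", name, actor))

    def counts(self):
        """(available, in use): what is available and what is in use."""
        available = sum(r.status == AVAILABLE for r in self._ids.values())
        in_use = sum(r.status == IN_USE for r in self._ids.values())
        return available, in_use


class RimService:
    """Pools are keyed by (partition, name): the same pool name may exist in several partitions."""

    def __init__(self):
        self._pools = {}

    def add_pool(self, pool):
        key = (pool.partition, pool.name)
        if key in self._pools:
            raise ValueError(f"pool {pool.name!r} already exists in partition {pool.partition!r}")
        self._pools[key] = pool

    def pool(self, name, partition, user_partitions):
        """Access is governed by the user's privileges for the pool's partition."""
        if partition is not None and partition not in user_partitions:
            raise PermissionError(f"no privilege for partition {partition!r}")
        return self._pools[(partition, name)]


def provisioning_scenario():
    """Scenarios 1 and 4: a script / OO flow obtains the next available VLAN ID for a device."""
    rim = RimService()
    pool = ResourceIdentityPool("Building_6_VLAN_IDs", partition="CustomerA",
                                custom_field_names={"VLAN-Name"})
    pool.load_csv("name,VLAN-Name\n100,\n101,voice\n102,\n")        # constructed sample data
    rim.add_pool(pool)
    rim.add_pool(ResourceIdentityPool("Building_6_VLAN_IDs", partition="CustomerB"))  # MSP case
    p = rim.pool("Building_6_VLAN_IDs", "CustomerA", user_partitions={"CustomerA"})
    first = p.acquire(actor="oo-flow")              # any available -> "100"
    second = p.acquire("102", actor="script")       # a specific identity
    try:
        p.acquire("100")                            # already In Use: rejected, not recorded
        clash = False
    except ValueError:
        clash = True
    p.release("100", actor="oo-flow")
    return first.name, second.name, clash, p.counts(), [h[0] for h in p.history]
```

The history list is what gives "Track History" from the challenges slide; the PermissionError in RimService.pool is the partition-based access control from the MSP slide.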

HP NA PKI Authentication: using certificates to authenticate NA users

HP NA Authentication Methods
- User Name & Password
- Local
- LDAP
- HP Server Automation
- TACACS+
- RADIUS
- RSA SecurID
- PKI (added in 9.22)

What is PKI Authentication?
Known under several other names:
- HTTPS or SSL client authentication
- Client-certificate based authentication
- Smart card (e.g. CAC) logon
- X.509 certificate authentication
PKI (Public Key Infrastructure): a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
PKI separates the role of the CA, which defines (vouches for) a user's digital identity, from that of the verifier (VA), which authenticates the user.

What is a digital certificate?
An electronic document that uses a digital signature to bind a public key with an identity. It certifies the ownership of a public key by the named subject of the certificate and makes it public.
In this model of trust relationships, the CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate: trust in the user's key relies on one's trust in the validity of the CA's key.

Asymmetric Keys
- Asymmetric keys are used to encrypt and decrypt digital signatures
- A pair of mathematically associated keys
- When something is encrypted with one (e.g. the private key), it can be decrypted with the other (e.g. the public key)
- It is infeasible to derive one key from its counterpart
- The private key should never be distributed or shared
- The public key can be distributed to anyone who requests it

Certificate Authority (CA)
- A CA is identified by its root CA certificate
- Publicly available commercial CAs: Symantec (VeriSign, Thawte, GeoTrust), Comodo, GoDaddy
- Private CAs
- Self-signed certificates
- CA-signed certificates: after receiving a Certificate Signing Request (CSR), the CA validates the identity and sends back a signed certificate

X.509
X.509 is a standard for PKI. It specifies, amongst other things, formats for public key certificates and certificate revocation lists, and a certificate path validation algorithm. In the X.509 system, a CA issues a certificate binding a public key to a particular distinguished name (DN) or to an alternative name such as an e-mail address or DNS entry.

Digital Certificate Example

PKI Authentication Configuration: Import CA root certificate into NA truststore
Manual step that has to be done before PKI authentication is enabled. Use:
keytool -import -file <ca-root-certificate-file> -keystore <NA-truststore-file> -storepass <truststore-password> -alias <alias-name>

PKI Authentication Configuration: User Authentication Settings
Access: Admin -> Administrative Settings -> User Authentication -> External Authentication Type: PKI
Once PKI is saved as the authentication method, it is used solely to authenticate to NA. No fallback to other methods is supported. A misconfiguration may make it impossible for anybody to log in to NA.

PKI Authentication Configuration: Certificate to user mapping
The certificate Subject can be mapped to an NA user that is defined either locally or in the LDAP directory.
Even though the password is not used for authentication when using PKI, it has to be specified and valid (e.g. not expired). The password is still used to authenticate to devices and for client interfaces that currently cannot be authenticated using PKI (e.g. API, remote telnet/ssh).

PKI Authentication Configuration: Certificate constraints
Used to reject certificates that don't match the specific conditions in these fields:
- Extended Key Usage
- Trusted Issuer
Certificate constraints can take multiple values.

PKI Authentication Configuration: Certificate revocation checking
A user certificate can be revoked under various circumstances. Revoked certificates are blacklisted on a certificate revocation list in the PKI, which makes the information available either as a list for download over HTTP or via the OCSP protocol. Both ways of checking for certificate revocation, CRL and OCSP, are supported in NA. The protocol ordering, and whether both protocols need to be used for the revocation check, can be configured.
- CRL: Certificate Revocation List
- OCSP: Online Certificate Status Protocol, a direct query to the PKI
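The configuration steps above (certificate constraints, revocation checking, and certificate-to-user mapping with a still-valid password) as one worked decision procedure in Python. This is an added example, not HP NA code: it assumes the TLS layer has already validated the client certificate chain against the CA root imported with keytool and hands over the parsed subject, issuer, serial number and Extended Key Usage values. The class and function names, the CN-based subject mapping, the rule that a first definitive answer decides unless both protocols are required, the fail-closed result when no definitive answer is obtained, and all sample certificates, users and the CRL are this example's constructed assumptions.

```python
import datetime as dt
from dataclasses import dataclass

# Added example, not HP NA code: the checks NA 9.22 applies to a client certificate after
# the TLS layer has validated its chain. All names and sample data are this example's own.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth, the EKU a client certificate needs
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, used below only as a counter-example


@dataclass(frozen=True)
class ClientCert:                    # fields extracted from an already chain-validated X.509 cert
    subject: str                     # distinguished name, e.g. "CN=jdoe,OU=NetOps,O=Example"
    issuer: str
    serial: int
    eku: tuple


@dataclass
class PkiPolicy:
    extended_key_usage: set          # constraint: at least one of these EKU OIDs must be present
    trusted_issuers: set             # constraint: issuer DN must be one of these
    revocation_order: tuple = ("OCSP", "CRL")
    require_both: bool = False       # True: both protocols must answer "good"


@dataclass
class UserRecord:
    name: str
    password_expires: dt.date        # must still be valid even though PKI login does not use it


def cn_of(dn):
    """Subject-to-user mapping assumed here: the CN attribute of the subject DN."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def check_constraints(cert, policy):
    if policy.extended_key_usage and not policy.extended_key_usage & set(cert.eku):
        return "Extended Key Usage constraint not met"
    if policy.trusted_issuers and cert.issuer not in policy.trusted_issuers:
        return "issuer is not a Trusted Issuer"
    return None


def check_revocation(cert, policy, crl, ocsp):
    """crl: set of (issuer, serial) pairs, or None if the list could not be downloaded.
    ocsp: callable(issuer, serial) -> "good" | "revoked" | None (responder unreachable)."""
    verdicts = {}
    for proto in policy.revocation_order:
        if proto == "CRL":
            verdict = None if crl is None else ("revoked" if (cert.issuer, cert.serial) in crl else "good")
        else:
            verdict = ocsp(cert.issuer, cert.serial)
        verdicts[proto] = verdict
        if verdict == "revoked":
            return False, f"certificate revoked ({proto})"
        if verdict == "good" and not policy.require_both:
            return True, proto                      # first definitive answer decides
    if policy.require_both and len(verdicts) == 2 and all(v == "good" for v in verdicts.values()):
        return True, "OCSP+CRL"
    return False, "revocation status could not be determined"   # fail closed (assumption)


def authenticate(cert, policy, directory, crl, ocsp, today):
    """Returns (accepted, detail): the NA user name on success, otherwise the reason."""
    reason = check_constraints(cert, policy)
    if reason:
        return False, reason
    ok, detail = check_revocation(cert, policy, crl, ocsp)
    if not ok:
        return False, detail
    user = directory.get(cn_of(cert.subject))
    if user is None:
        return False, "certificate subject maps to no NA user"
    if user.password_expires < today:
        return False, "mapped user's password has expired"
    return True, user.name


def ocsp_unreachable(issuer, serial):
    return None                      # constructed: the responder is down, so CRL is consulted


def demo():
    """Constructed sample data: one issuing CA, a CRL listing serial 7, two NA users."""
    issuer = "CN=Corp Issuing CA,O=Example"
    policy = PkiPolicy({CLIENT_AUTH}, {issuer})
    directory = {"jdoe": UserRecord("jdoe", dt.date(2014, 1, 1)),
                 "old": UserRecord("old", dt.date(2012, 1, 1))}
    crl, today = {(issuer, 7)}, dt.date(2013, 7, 31)
    good = ClientCert("CN=jdoe,OU=NetOps,O=Example", issuer, 5, (CLIENT_AUTH,))
    cases = {"ok": good,
             "revoked": ClientCert("CN=jdoe,O=Example", issuer, 7, (CLIENT_AUTH,)),
             "wrong_eku": ClientCert("CN=jdoe,O=Example", issuer, 8, (SERVER_AUTH,)),
             "untrusted": ClientCert("CN=jdoe,O=Example", "CN=Other CA", 9, (CLIENT_AUTH,)),
             "unmapped": ClientCert("CN=nobody,O=Example", issuer, 10, (CLIENT_AUTH,)),
             "expired_pw": ClientCert("CN=old,O=Example", issuer, 11, (CLIENT_AUTH,))}
    results = {k: authenticate(c, policy, directory, crl, ocsp_unreachable, today) for k, c in cases.items()}
    strict = PkiPolicy({CLIENT_AUTH}, {issuer}, require_both=True)
    results["both_required_ocsp_down"] = authenticate(good, strict, directory, crl, ocsp_unreachable, today)
    return results
```

The last case in demo is the one worth noting operationally: with "both protocols required" and an unreachable OCSP responder, even a valid certificate is refused, which together with the "no fallback" rule on the settings slide can lock every user out.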

PKI Authentication Auto-Login
- The browser needs a client certificate, in a format it can handle, imported into it.
- The browser asks the user to select a certificate and provide a PIN, if applicable.
- The browser may use cached authentication data.
- After successful PKI authentication, the user is prompted to press the login button to continue.
- If logging in directly to Telnet/SSH, the user is also prompted for other parameters.

PKI Authentication Logout
Authentication data may be cached in the browser. Logging out is not good enough: NA may receive the cached authentication data from the browser again. It is recommended either to close all instances of the browser or to clear the cached authentication data.

PKI Authentication Logout: clearing authentication data is browser dependent
- In IE use Internet Options -> Content -> Clear SSL state
- In Firefox use Options -> Privacy -> Clear recent history, Active Logins