PKI Made Easy: Managing Certificates with Dogtag. Ade Lee Sr. Software Engineer Red Hat, Inc. 08.11.2013



Transcription:

Slide 1: PKI Made Easy: Managing Certificates with Dogtag. Ade Lee, Sr. Software Engineer, Red Hat, Inc. 08.11.2013 (SouthEast LinuxFest)

Slide 2: Agenda
- What is PKI?
- What is Dogtag?
- Installing Dogtag
- Interacting with Dogtag using REST
- Future directions
- Questions

Slide 3: Agenda: What is PKI?

Slide 4: Mission #1: Buying Beer

Slide 5: Need ID?

Slide 6: Digital Certificate

Slide 7: Public/Private Keys
In certificates, the identifier is the public key of a public/private key pair. Messages encrypted with a public key can only be decrypted with the private key, and vice versa. Being able to decrypt proves possession of the private key and hence identity. We can use public/private key pairs to identify:
- Servers (e.g. bankofamerica.com)
- Individuals
- Devices (routers, locomotives, etc.)

Slide 8: Use Case: Secure Web Browsing
1. A client initiates contact with the secure web server (using https).
2. The server returns a digital certificate.
3. The client checks the validity of the certificate through a trusted certificate authority.
4. The client generates a symmetric key, encrypts it with the server's public key, and sends it to the server.
5. The server decrypts the symmetric key using its private key.
6. The server and client can now exchange data using the symmetric key.

Slide 9: Use Case: Client Authentication
1. The user contacts the server application using a browser and establishes an SSL connection.
2. The server requests a client certificate for authentication.
3. The user selects, from the browser certificate database, a certificate for which he holds the private key.
4. The server checks whether the client certificate is valid and trusted. The cert is used to establish identity.
5. The server uses authorization checks to grant access to applications.

Slide 10: Use Case: Email Encryption
1. The user requests an encryption cert. The client optionally encrypts the private key and sends it in a CRMF request to the server for escrow.
2. The user imports the private key and encryption cert into the email client.
3. The user sends the recipient a signed email containing his public key.
4. The recipient encrypts a secret message with the public key and sends it to the user. Only the user can read the encrypted message.
5. If the private key is lost or the employee leaves the company, the encryption key can be recovered from escrow.

Slide 11: What about portability?
The private key is stored in your browser's certificate database. What if you want to use a different machine? You can't put a certificate database in your wallet... or can you?

Slide 12: What do we need to manage Driver's Licenses?
- Registration authorities that issue licenses after verifying proof of identification.
- A mechanism to revoke, reinstate, and renew licenses.
- A mechanism for reissuing licenses after they are lost or stolen.
- A mechanism to check license status.

Slide 13: Is this License valid?

Slide 14: What do we need for PKI?
- A community of entities with public/private keys
- Registration Authorities that accept cert requests and confirm the requestors' identities
- Certificate Authorities that issue certificates to certify the validity of public keys
- Certificate repositories that store public keys
- Certificate revocation lists and online certificate status managers to verify certificate status
- Key recovery authorities to recover lost encryption keys
- A token management system

Slide 15: Agenda: What is PKI? What is Dogtag?

Slide 16: Dogtag Certificate System
- A security framework that handles the full life cycle of X.509 certificates, including issuance, renewal, revocation, publishing, private key escrow, and token management.
- Red Hat Certificate System (RHCS) is based on Dogtag.
- RHCS is Common Criteria (EAL4) certified and uses FIPS 140-2 Level 2 security libraries with Level 3 validated HSM hardware.
- RHCS is used in the largest PKI deployments in the world. It scales to millions of certs and keys.
- The latest version (10.0.4) is currently available on Fedora 18 and 19.

Slide 17: Dogtag History
- Netscape Certificate Server 1.0 [1997]
- Netscape Certificate Management System 4.1 [1999]
- Netscape/iPlanet Certificate Management System 4.2 [2000]
- Sun ONE Certificate Server 4.7 [2002]
- Netscape Certificate Management System 6.1 SP1 [2003]
- Red Hat Certificate System 7.3 [2007]
- Dogtag Certificate Server 1.0.0 [2008]
- Dogtag Certificate Server 9.0 [2011]
- Red Hat Certificate Server 8.1 [2012]
- Dogtag Certificate Server 10.0 [2013]

Slide 18: Features
- Ability to create and manage certificates
- Easily deployable and maintainable
- Highly scalable
- Cloning for high availability and disaster recovery
- Based on open standards and protocols, and hence able to interoperate with other certificate systems (not just Red Hat's)

Slide 19: Features continued
- A single CA can support multiple registration authorities
- Root or subordinate CA, cross-certified CAs, and CA cloning
- Interfaces: Administration, Agent, and End Entity
- Signed auditing
- Self tests
- Certificate issuance, profiles
- Plugin framework for customization

Slide 20: Features continued
- Publishing, notifications, and jobs
- CRLs and OCSP
- Encryption key escrow and recovery
- Support for hardware tokens: smart cards and crypto accelerators
- SCEP
- Interfaces: web UI, RESTful interface, command line utilities, console (graphical client)

Slide 21: Dogtag in IPA (architecture diagram)
- FreeIPA Core: NTP, Dogtag CA, Kerberos KDC, Directory Server, DNS; authentication; users, groups, netgroups, HBAC.
- Managed host (client): SSSD (name lookups and service discovery), ipa-client (enrollment and un-enrollment), Certmonger (cert tracking and provisioning), nss_ldap, other maps.
- Management station: management framework, CLI, Web UI (browser).

Slide 22: Dogtag Components (diagram)

Slide 23: Dogtag Token Management (diagram)

Slide 24: Agenda: What is PKI? What is Dogtag? Installing Dogtag

Slide 25: Installing Dogtag Subsystems
Movie demonstrating how to install a Dogtag 10 instance with a CA and KRA using pkispawn. In this case, the CA and KRA are in the same instance: https://www.youtube.com/watch?v=c3eeljaz7lu
See the man pages for more advanced usage.

Slide 26: Enrollment with Key Archival

Slide 27: Enrollment with Key Archival
Movie showing the admin and agent interfaces, and key archival: https://www.youtube.com/watch?v=buapp-jejnk

Slide 28: Agenda: What is PKI? What is Dogtag? Installing Dogtag; Interacting with Dogtag using REST

Slide 29: Dogtag Java Architecture (diagram)

Slide 30: Why a new RESTful Interface?
We have battle-tested software that has been deployed in the largest public key infrastructures worldwide. We want to become the default PKI implementation for application developers. This means:
- Simplifying installation and configuration
- Standard interfaces

Slide 31: Why a new RESTful interface?
- The old interface consists of servlet calls with name-value parameter pairs.
- In the new interface, the application is presented as a collection of resources.
- More intuitive URLs: POST /profilesubmitservletsslclient vs. POST /certrequests
- Standard operations and return codes
- A framework that automatically handles serialization to XML/JSON, crafting HTTP responses, etc. on both server and client

Slide 32: REST Resources on the CA
Resources: certs, certrequests, users, groups, profiles. Example invocations:
- GET /certs: list certificates
- GET /certs/{id}: get a specific cert by serial number
- POST /certs/search: search for certs matching criteria
- POST /agent/certs/{id}/revoke: revoke a cert
- POST /certrequests: create a new cert request
- GET /certrequests/{id}: get a cert request
- POST /agent/certrequests/{id}/approve: approve a cert request
- POST /admin/users: create a new user


Slide 34: RESTEasy Client Proxy Framework
- The RESTEasy client proxy framework is a way to use JAX-RS annotations on the client side.
- Server and client share Java annotated interfaces which define the REST resource objects and method calls.
- The client instantiates the REST resource objects and makes method calls.
- The client framework converts each method call into an HTTP request, handling all data marshalling to JSON or XML.
- Server error codes are handled through exceptions.
- Used by the new CLI code (pki).

Slide 35: Writing client code for the REST Interface
- Very easy in Java using the client proxy framework. Movie with some details: http://youtu.be/e9m9kkshjnm
- Some Python support is available as well, to be enhanced.
- REST interface documented at: http://pki.fedoraproject.org/wiki/rest and http://pki.fedoraproject.org/wiki/resteasy
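An added example (not code from the talk or from the Dogtag project) that exercises the CA resources listed on slide 32 in the "errors as exceptions" style described on slides 34 and 35. It assumes base_url is the CA's REST root, that the /agent/ and /admin/ resources are protected by TLS client-certificate authentication (so a PEM cert/key pair is loaded into the TLS context), and that request and response bodies are defined by the server; the FakeTransport is a constructed stand-in so the block runs offline.

```python
import json
import ssl
import http.client
from urllib.parse import urlsplit
class DogtagError(Exception):
    """Non-2xx response surfaced as an exception, as the proxy framework does."""
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body[:200]}")
        self.status = status

class CaRestClient:
    """Client for the CA resources on the slide, relative to base_url (assumed REST root,
    e.g. https://ca.example.test:8443/ca/rest). client_cert is an optional (certfile, keyfile)
    PEM pair presented in the TLS handshake; /agent/ and /admin/ resources require it."""
    def __init__(self, base_url, client_cert=None, transport=None):
        self.base = urlsplit(base_url)
        self.client_cert = client_cert
        self.transport = transport or self._https_send  # injectable, so tests run offline

    def _https_send(self, method, path, body):
        ctx = ssl.create_default_context()  # verifies the CA server's own TLS certificate
        if self.client_cert:
            ctx.load_cert_chain(*self.client_cert)
        conn = http.client.HTTPSConnection(self.base.hostname, self.base.port, context=ctx)
        headers = {"Accept": "application/json"}
        if body is not None:
            headers["Content-Type"] = "application/json"
        conn.request(method, self.base.path + path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode()

    def _call(self, method, path, payload=None):
        body = json.dumps(payload) if payload is not None else None
        status, text = self.transport(method, path, body)
        if not 200 <= status < 300:
            raise DogtagError(status, text)
        return json.loads(text) if text else None
    # Invocations from the slide; request and response bodies are whatever the server defines.
    def list_certs(self):               return self._call("GET", "/certs")
    def get_cert(self, serial):         return self._call("GET", f"/certs/{serial}")
    def search_certs(self, criteria):   return self._call("POST", "/certs/search", criteria)
    def submit_request(self, request):  return self._call("POST", "/certrequests", request)
    def revoke_cert(self, serial, req): return self._call("POST", f"/agent/certs/{serial}/revoke", req)
    def approve_request(self, req_id):  return self._call("POST", f"/agent/certrequests/{req_id}/approve")

class FakeTransport:
    """Constructed stand-in for HTTPS: records calls, rejects /agent/ calls made without a cert."""
    def __init__(self, has_cert):
        self.calls, self.has_cert = [], has_cert
    def __call__(self, method, path, body):
        self.calls.append((method, path, body))
        if path.startswith("/agent/") and not self.has_cert:
            return 401, '{"Message": "client certificate required"}'  # constructed error body
        return 200, '{"ok": true}'  # constructed success body
```

Against a real instance, drop the transport argument and pass client_cert=("agent.pem", "agent-key.pem") for the agent operations; the same class shape carries over to the DRM's keyrequests resources.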

Slide 36: REST Resources on the DRM
Resources: keys, keyrequests, users, groups, and some system resources.
- GET /agent/keyrequests: list key requests
- GET /agent/keyrequests/{id}: get a key request
- POST /agent/keyrequests/archive: submit an archival request
- POST /agent/keyrequests/recover: submit a recovery request
- POST /agent/keyrequests/{id}/approve: approve a request
- POST /agent/keyrequests/{id}/reject: reject a request
- POST /agent/keyrequests/{id}/cancel: cancel a request

Slide 37: DRM Enhancements in Dogtag 10
- The DRM has traditionally been used to store X.509 private keys only, with the public key as the identifier.
- With the REST interface, the client provides an identifier (client_id).
- The interface can therefore be used to securely archive just about anything, as long as it is packaged in a CRMF package.
- We have sample code (DRMTest.java) that stores symmetric keys and passphrases. On recovery, these are wrapped with a symmetric key or passphrase.
- Being investigated as a back-end for CloudKeep.

Slide 38: Agenda: What is PKI? What is Dogtag? Installing Dogtag; Interacting with Dogtag using REST; Future directions

Slide 39: What's next?
- Dogtag 10.1 scheduled for Fedora 20 (Jan 2014)
- Extend the REST interface to manage certificate profiles. This will be consumed by FreeIPA.
- Enhance the Python client framework for the REST interface.
- Rewrite TPS as a Java component residing in a Tomcat instance.
- And more...

Slide 40: Resources
- Dogtag project wiki: http://pki.fedoraproject.org
- Project trac: https://fedorahosted.org/pki
- Code: https://git.fedorahosted.org/cgit/pki.git
- Mailing lists: pki-users@redhat.com, pki-devel@redhat.com, pki-announce@redhat.com
- IRC: freenode #dogtag-pki

Slide 41: Questions?