
WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004

Overview

Password-based authentication is weak, and smart cards offer a way to address this weakness; however, smart cards have previously been difficult to integrate with backend services. The Microsoft Windows network operating system supports smart card authentication and Single Sign-On but does not extend this capability to Java application servers. By adding Windows Integrated Authentication to the application server, smart card authentication is automatically supported. This means that the benefits of Single Sign-On and smart card authentication can be easily extended to Java applications, providing security and usability at minimal cost to the enterprise without any extra programming or infrastructure.

Increasingly, governments and enterprises are seeking to implement new access control systems that verify a person's identity and privileges before granting them access to information and other online resources. Key requirements for these systems include more secure access control, improved user convenience, simpler identification or identity verification processes, and lower overall administration and management costs. By enabling access control systems to implement more secure identity verification, and by providing a technology platform for adding new applications that further enhance the user experience and simplify business processes, smart card technology is an obvious choice for fulfilling these requirements.

This whitepaper discusses how smart card authentication can be achieved for J2EE applications using Vintela SSO for Java (VSJ).

Intended Audience

This whitepaper is intended for:
- CIOs and project managers planning smart card authentication projects
- Security architects evaluating security products from different vendors and architecting secure smart card solutions
- Developers of J2EE and smart card authentication solutions

Smart Cards

A smart card, within the context of a login, is simply a replacement for a username and a password. A smart card containing a user's credentials can be issued to each network user. Smart cards provide two-factor authentication, also known as strong authentication. Put simply, two-factor authentication combines something you have (a smart card) with something you know (a PIN). Its strength lies in making a user's identification reliant on two distinct factors. Passwords, on the other hand, provide only single-factor authentication: both the user ID and the password are something you know, so the user presents a common point of weakness. Most people are already familiar with two-factor authentication in their everyday lives through the use of a keycard and a PIN to perform Automatic Teller Machine (ATM) transactions.

Vintela 2 September 2004

Figure 1. Smart Card

Smart Card Security

Smart cards provide a tamper-resistant storage mechanism for protecting private keys and other forms of personal information. Importantly, they segregate security-critical functions, including authentication, digital signatures and key exchange, from other parts of a system, while enabling the portability of user credentials and other private information between computers at work, at home and on the road.

Conversely, traditional password-based approaches have a number of failings:
- Weak passwords are easily compromised by dictionary and brute force attacks.
- Password compromise may go undetected.
- Passwords are often physically recorded by users, particularly where users are required to access systems with multiple IDs and passwords.
- Passwords can be compromised through keystroke and network monitoring ("packet sniffing").
- Users are vulnerable to social engineering attacks; for example, a well-meaning employee may be manipulated into revealing a password through deception.

Authentication of users and services. Authorization to control and protect access to resources.

On the other hand, smart cards have the following advantages:
- A longer key, protected by a PIN, avoids dictionary and brute force attacks.
- Smart cards are physically secure, and loss or theft is detectable.
- The memory capacity of smart cards means that advanced cryptographic mechanisms can be used, resulting in better security.
- Credential information (for example, Kerberos tickets) can be stored on smart cards; when the card is removed from its reader slot, system resources cannot be accessed.

Smart cards are one of the most common tokens used in two-factor authentication. Another example is biometric security, which can work equally well with the solution discussed in this paper. The requirement for strong authentication is often found alongside the requirement for Single Sign-On, as together they deliver security and usability.
Single Sign-On (SSO)

Single Sign-On (SSO) allows users to authenticate themselves just once to access information on any of several systems. When smart card desktop authentication is combined with network login, users can log in to their desktop and then access network resources without further authentication. This is known as Single Sign-On. SSO is often paired with smart card authentication because of the increased importance of that initial authentication. SSO can reduce the costs associated with password resets and improves user productivity, as the user only needs to remember one password. Windows Integrated Login provides SSO using the Kerberos technology associated with Active Directory.

Windows Integrated Login

In addition to support for Kerberos through its Active Directory service, Microsoft has added Windows Integrated Login to Internet Explorer, which allows it to participate in a Kerberos-based Single Sign-On environment. When a Web server receives a request from an Internet Explorer browser, it can request that the browser use the SPNEGO protocol to authenticate itself. This protocol performs a Kerberos authentication via HTTP, and allows Internet Explorer to pass a delegated credential so that a Web application can log in to subsequent Kerberized services on the user's behalf.

Microsoft's Kerberos implementation uses the authorization data field of the Kerberos ticket to pass Privilege Attribute Certificates (PACs) to Kerberized applications. Applications that support Microsoft's PAC format can use this information to provide fine-grained access control to services. When a Windows user logs on to an Active Directory domain, Active Directory builds a token (a PAC) containing the list of all the groups of which the user is a member and that are visible in the login domain. In addition to Active Directory group information, the PAC specifies the method of authentication. This allows authorization to be performed commensurate with the strength of the authentication method used. For example, an application that processes highly sensitive information or high-value transactions may only be accessed using a smart card.
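As an added illustration (not part of the original paper and not VSJ code), the following Python looks at the Authorization header a browser sends in the SPNEGO exchange described above and tells a SPNEGO token that prefers Kerberos apart from an NTLM fallback, which carries no Kerberos ticket and therefore none of the PAC data the paper relies on for group-based authorization. The OIDs are the standard ones for SPNEGO, Kerberos, Microsoft Kerberos and NTLMSSP; the token builder only constructs test input, and validating the Kerberos ticket itself remains the job of the GSS-API layer, which this example does not perform.

```python
import base64
# DER content bytes of the OIDs involved; der() adds tag and length.
SPNEGO_OID  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def der(tag, body):
    """Encode one DER TLV (short-form length only; enough for the constructed tokens)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body
def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, body, position after it); long lengths too."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length, as in real tokens
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def children(body):
    """List the (tag, body) pairs inside a constructed DER body."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = tlv(body, pos)
        out.append((tag, inner))
    return out
def build_neg_token_init(mech_oids, mech_token):
    """Constructed test input: GSS-API-wrapped SPNEGO NegTokenInit (RFC 4178), mechs in preference order."""
    mechs = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    fields = der(0xA0, mechs) + der(0xA2, der(0x04, mech_token))   # mechTypes [0], mechToken [2]
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, fields)))
def negotiate_header(token):
    """Format a token the way the browser sends it: 'Authorization: Negotiate <base64>'."""
    return "Negotiate " + base64.b64encode(token).decode()
def offered_mechs(token):
    """Return the mechTypes of a NegTokenInit, preferred mechanism first."""
    tag, body, _ = tlv(token)
    items = children(body)
    if tag != 0x60 or len(items) < 2 or items[0] != (0x06, SPNEGO_OID) or items[1][0] != 0xA0:
        raise ValueError("not a SPNEGO NegTokenInit")
    fields = dict(children(tlv(items[1][1])[1]))   # NegTokenInit fields keyed by [n] tag
    return [oid for t, oid in children(tlv(fields[0xA0])[1]) if t == 0x06]
def classify_negotiate(auth_header):
    """Classify an Authorization header value: 'kerberos' (SPNEGO preferring Kerberos),
    'ntlm' (NTLM fallback: no Kerberos ticket, hence no PAC to authorize on) or 'invalid'."""
    scheme, _, b64 = auth_header.partition(" ")
    try:
        raw = base64.b64decode(b64, validate=True) if scheme == "Negotiate" else b""
        if raw.startswith(b"NTLMSSP\x00"):         # raw NTLM message without SPNEGO wrapper
            return "ntlm"
        mechs = offered_mechs(raw)
    except (ValueError, IndexError, KeyError):
        return "invalid"
    if mechs and mechs[0] in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "ntlm" if mechs and mechs[0] == NTLMSSP_OID else "invalid"
```

A server that insists on Kerberos (and so on a PAC) can answer an "ntlm" result with a fresh 401 and "WWW-Authenticate: Negotiate" rather than accepting the weaker mechanism.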
Microsoft Windows Smart Card Login

Microsoft has smart card-enabled its Windows NT 4.0, Windows 95, Windows 98, Windows 2000 and Windows XP operating systems. Future releases of the Windows platform will also contain smart card support as part of the base platform. Windows Smart Card Login requires a PC/SC-compliant smart card or token that has been initialized with the user's credentials. When a desktop is configured to perform smart card login, the user is authenticated by inserting the smart card or token into a reader and authenticating to the token using a PIN. The system can then access the key material on the card to perform a Windows login using the PKINIT protocol. PKINIT uses the public key credentials on the card (the private key and X.509 digital certificate) to perform the Kerberos login upon which Windows Integrated Login is based. In short, a cryptographic binding is created between the credential on the user's card and the network operating system credentials. These credentials can then be used to access network services. The system can be configured to lock the user's desktop or log the user off when the card is removed from the reader.

Windows Integrated Login for J2EE Applications

Smart card authentication for J2EE applications can be achieved using the VSJ solution, which implements Windows Integrated Login. VSJ provides Windows Integrated Authentication for J2EE applications by implementing the SPNEGO protocol. This provides a higher degree of security and integration than cookie-based mechanisms. VSJ allows authorization using Active Directory groups by using the group information contained in the PAC.

Figure 2. Windows Integrated Login for J2EE Applications

Another advantage of using this Kerberos-based authentication is the ability to delegate credentials to other services such as .NET applications. Integration can be achieved without modifying the source of the application, which allows integration to be completed by application developers for in-house or off-the-shelf applications. VSJ is a pure Java implementation, so it supports a wide variety of server platforms. Because VSJ uses Windows Integrated Login, no client software installation is required. VSJ leverages your investment in Windows and J2EE to provide security, ease of use and ease of administration without additional heavyweight infrastructure. VSJ allows you to implement smart card authentication for J2EE applications with a minimum of cost.

Conclusion

With smart cards it is possible to make stronger assertions about the authenticity of transactions, increasing security and enhancing trust in the system. By extending smart card authentication to a Single Sign-On environment integrated with the Windows desktop login, this trust can be extended to the entire enterprise. VSJ allows you to continue to leverage your investment in smart card technology by extending this trust base into J2EE applications. This whitepaper has demonstrated how the unique integration provided with VSJ supports smart card authentication using existing infrastructure and without deploying new services, installing software on clients or changing a single line of code.

COPYRIGHT 2004 Vintela Inc. All Rights Reserved.

Vintela documents are protected by the copyright laws of the United States and International Treaties. Permission to copy, view and print Vintela documents is authorized provided that:
1. It is used for non-commercial and informational purposes.
2. It is not modified.
3. The above copyright notice and this permission notice are contained in each Vintela document.
Notwithstanding the above, nothing contained herein shall be construed as conferring any right or license under any copyright of Vintela.

RESTRICTED RIGHTS LEGEND

When licensed to a U.S., State, or Local Government, all Software produced by Vintela is commercial computer software as defined in FAR 12.212, and has been developed exclusively at private expense. All technical data, or Vintela commercial computer software/documentation, is subject to the provisions of FAR 12.211 - "Technical Data", and FAR 12.212 - "Computer Software" respectively, or clauses providing Vintela equivalent protections in DFARS or other agency-specific regulations. Manufacturer: Vintela Inc., 333 South 520 West, Lindon, Utah 84042.

DISCLAIMER

THE VINTELA DOCUMENTS ARE PROVIDED "AS IS" AND MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. VINTELA, INC. RESERVES THE RIGHT TO ADD, DELETE, CHANGE OR MODIFY THE VINTELA DOCUMENTS AT ANY TIME WITHOUT NOTICE. THE DOCUMENTS ARE FOR INFORMATION ONLY. VINTELA MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES OF ANY KIND.

TRADEMARKS

Vintela and the Vintela logo are trademarks or registered trademarks of Vintela, Inc. in the U.S.A. and other countries. Linux is a registered trademark of Linus Torvalds in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Java is a trademark of Sun Microsystems, Inc. in the U.S.A. and other countries. Netscape and Netscape Communicator are trademarks or registered trademarks of Netscape Communications Corporation. Microsoft, MS-DOS, Windows, Windows NT, Windows 2000/Windows 2003, Windows XP, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. All other brand and product names are trademarks or registered marks of their respective owners.