DESCRIPTION
CERN Certificates platform, http://ca.cern.ch. Ruben Gaspar, on behalf of Emmanuel Ormancey / Anatoly Gladkov, IT/IS. HEPIX Fall 2005. Agenda: CERN Certification Authority overview; Architecture; User, Host, “Enrollment” certificates; Certificate usage; Web sites; SmartCards; Project status.
TRANSCRIPT
April 22, 2023 1
CERN Certificates platform
http://ca.cern.ch
Ruben Gaspar, on behalf of Emmanuel Ormancey / Anatoly Gladkov, IT/IS
HEPIX Fall 2005
Agenda
- CERN Certification Authority overview
- Architecture
- User, Host, “Enrollment” certificates
- Certificate usage
- Web sites
- SmartCards
- Project status
CERN Certification Authority: Architecture
Offline Root CA:
- Runs on Virtual PC.
- The Root CA server image is kept on removable disks.
- The Root will be trusted by default inside CERN.
Online Issuing CA:
- User requests for “software” certificates (client certificates).
- Enrollment station for SmartCard certificates (only an authorized user, on an authorized desktop, can issue certificates on smartcards), i.e. the Card Service.
- User requests for Host certificates.
- Allows users to map existing certificates (e.g. Grid, CAcert, Thawte) to their account.
CERN Certification Authority: Certificate Request
“Software” (client) certificates are requested by users.
Internet Explorer or Mozilla browsers can handle the certificate request automatically.
A manual procedure with OpenSSL is also provided.
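As an added illustration of the manual OpenSSL route mentioned above (this is not the CERN CA's own procedure or script; the subject DN layout, the file names and the make_csr / verify_csr / csr_subject helper names are assumptions), the following shell functions generate a private key locally, build a certificate signing request (CSR) from it, and check the CSR before it is submitted to the CA:

```shell
#!/bin/sh
# Added example, not the CERN CA's own script. The subject DN below is a
# constructed placeholder; a real CA dictates the exact fields it expects.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a private key and a CSR for it. The private key never leaves the
# requester's machine; only the CSR is submitted to the CA, which returns the
# issued certificate.
make_csr() {
    name="$1"    # assumed to become the CN, e.g. the user's login
    email="$2"
    key="$WORKDIR/$name.key.pem"
    csr="$WORKDIR/$name.csr.pem"
    umask 077    # key file readable by its owner only
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -out "$csr" \
        -subj "/DC=ch/DC=cern/OU=Users/CN=$name/emailAddress=$email" 2>/dev/null
    echo "$csr"
}

# Check that the CSR is well formed and that its self-signature verifies,
# i.e. that it really was produced with the key whose public half it carries.
verify_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Show the subject the CA will see, so the requester can confirm it before
# pasting the CSR into the CA's web form.
csr_subject() {
    openssl req -in "$1" -noout -subject
}
```

The CSR is the requester's public key plus the requested subject, self-signed to prove possession of the private key; verify_csr checks that signature, so a request that was altered in transit or built with the wrong key is caught before it reaches the CA.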
CERN Certification Authority: Enrollment Station
Smartcard certificates can be issued only by users with a valid “enrollment agent” certificate installed on a dedicated machine.
CERN Certification Authority: Host Certificates and Certificate Mapping
Users can request Host certificates for CERN hosts they manage, and for any non-CERN host (not already certified).
Users can map an existing certificate (e.g. a Grid certificate) to their account for authentication.
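As an added example of the certificate-mapping idea (not CERN's implementation; the fingerprint-keyed mapping file, the throwaway “Example Grid CA” fixtures and the helper names are all constructed for illustration), the following shell functions map an externally issued certificate to an account only after it verifies against the set of accepted CAs, and later resolve a presented certificate to the mapped account:

```shell
#!/bin/sh
# Added example, not CERN's code. All certificates below are constructed
# fixtures standing in for e.g. a Grid CA and a Grid user certificate.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
MAP_FILE="$WORKDIR/cert-map.txt"    # lines of "<sha256 fingerprint> <account>"

# Build the fixtures: an accepted external CA, a user certificate it issued,
# and a self-signed "rogue" certificate that merely copies the user's CN.
make_fixtures() {
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/extca.key" -out "$WORKDIR/extca.pem" \
        -subj "/O=Example Grid CA/CN=Example Grid CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORKDIR/user.key" \
        -out "$WORKDIR/user.csr" -subj "/O=Example Grid/CN=jdoe" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/user.csr" -CA "$WORKDIR/extca.pem" \
        -CAkey "$WORKDIR/extca.key" -CAcreateserial -days 1 \
        -out "$WORKDIR/user.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORKDIR/rogue.key" -out "$WORKDIR/rogue.pem" \
        -subj "/O=Example Grid/CN=jdoe" 2>/dev/null
}

# SHA-256 fingerprint of a certificate, hex without separators.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}

# map_certificate <cert.pem> <account> <accepted-CA-bundle>
# Refuses any certificate that does not chain to an accepted CA, so a
# matching subject name alone is never enough to claim an account.
map_certificate() {
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    fp=$(cert_fingerprint "$1")
    printf '%s %s\n' "$fp" "$2" >> "$MAP_FILE"
}

# account_for_cert <cert.pem> <accepted-CA-bundle>
# Prints the mapped account; fails if the certificate is untrusted or unmapped.
account_for_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    fp=$(cert_fingerprint "$1")
    awk -v fp="$fp" '$1 == fp { print $2; found = 1 } END { exit !found }' "$MAP_FILE"
}
```

Keying the map on the fingerprint rather than on the subject name is what makes the rogue-certificate case fail: a self-signed certificate carrying the same CN=jdoe is neither trusted by the CA bundle nor present in the map. The trade-off is that a renewed certificate has a new fingerprint and must be mapped again.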
Certificate usage
Short term:
- Authenticate to IS websites (Win, Web, Mail, Terminal Services, etc.)
- Provide a common authentication interface for all CERN services: a sort of Single Sign On
- Sign and encrypt mails
Medium to long term:
- Provide Windows and Linux desktop authentication using Smartcard certificates.
- Embed a SmartCard chip in the CERN Access card.
Websites authentication
- A certificate can be installed in any browser, on any platform.
- The certificate is mapped to the user account; several certificates can be mapped.
- Authentication is done automatically; a popup asks for a selection if several certificates are installed: multiple identities supported.
- If no client certificate is presented: fall back to forms authentication. Useful when using a public computer, but can be a security issue.
- Policy to be defined: force client certificate? Users must then always use their own computers: increased security, but an accessibility issue.
IT/IS Websites authentication: Overview
- Opening a website.
- Cancelled, or no certificate installed.
- If several client certificates matching the server requirements are found, the browser asks the user to choose.
- Certificate authentication complete.
Email signing and encrypting
In Outlook 2003:
SmartCards for Desktop authentication
Medium to long term achievement:
- Integrate a SmartCard chip into the CERN Access card.
- Use the SmartCard to authenticate Windows or Linux desktop sessions.
- Use software (client) certificates for alternate account authentication (in the browser).
- No more passwords typed in: passwords can be set to random strings not known even by the user, and can be reset automatically very often.
- Policy to be defined: keep alternate password authentication?
SmartCards for cross-platform authentication
Use the same SmartCard for:
- Windows desktop (and laptop): browser authentication
- Linux desktop: browser authentication
- Mac OS X desktop: browser authentication
- Remote Windows: Windows Terminal Services
- Remote Linux: PuTTY (to be defined, possible with OpenSC), OpenSSH (to be defined, possible with OpenSC), Exceed (to be confirmed)
Project status
CERN Certification Authority:
- CERN CA is up and running. All described functionalities are available. Grid specifications taken into account (EUGridPMA specification).
Software (client) certificates:
- Available for SSO on IT/IS websites, planned to be extended to all web sites.
- CERN certificate issuing available to all CERN users.
- Alternate certificate mapping available, including Grid certificates.
SmartCards:
- Test cards have been issued; testing on Windows and Linux is in progress.
- Hardware vendors are being evaluated with the TS department to provide the next generation of CERN Access cards (Smartcard + Mifare contactless card + Magnetic stripe + Printed photo).
- Estimated cost: ~5€ / card, ~15€ to 25€ / card reader (USB or PCMCIA).