
CERN Certificates platform, http://ca.cern.ch. Ruben Gaspar, on behalf of Emmanuel Ormancey / Anatoly Gladkov, IT/IS. HEPIX Fall 2005.


Presentation Transcript


  1. CERN Certificates platform, http://ca.cern.ch. Ruben Gaspar, on behalf of Emmanuel Ormancey / Anatoly Gladkov, IT/IS. HEPIX Fall 2005.

  2. Agenda
  • CERN Certification Authority overview
  • Architecture
  • User, Host, "Enrollment" certificates
  • Certificate usage
  • Web sites
  • SmartCards
  • Project status

  3. CERN Certification Authority: Architecture
  • Offline Root CA:
    • Runs on Virtual PC.
    • Root CA server image kept on removable disks.
    • Root will be trusted by default inside CERN.
  • Online Issuing CA:
    • User requests for "software" certificates (client certificates).
    • Enrollment station for SmartCard certificates (only an authorized user on an authorized desktop can issue certificates on smartcards), i.e. the Card Service.
    • User requests for Host certificates.
    • Allows users to map existing certificates (e.g. Grid, CACert, Thawte) to their account.

  4. CERN Certification Authority: Certificate Request
  • Internet Explorer and Mozilla browsers can handle the certificate request automatically.
  • "Software" (client) certificates are requested by users. A manual procedure with OpenSSL is also provided.

  5. CERN Certification Authority: Enrollment Station
  • Smartcard certificates can be issued only by users with a valid "enrollment agent" certificate installed on a dedicated machine.

  6. CERN Certification Authority: Host Certificates and Certificate mapping
  • Users can request Host certificates for CERN hosts they manage, and for any non-CERN host that does not already hold a certificate.
  • Users can map an existing certificate to their account for authentication (e.g. Grid certificates).
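The two authorization rules for host certificate requests on slide 6, written out as an added example (this is illustrative code, not CERN's; the managed-host registry, the set of already-certified hosts and the user names are constructed assumptions):

```python
"""Authorization check for host-certificate requests, after slide 6.

Assumptions (constructed, not CERN data): hosts under cern.ch count as
CERN hosts; MANAGED_HOSTS records which hosts a user administers;
ALREADY_CERTIFIED records hosts that already hold a certificate.
"""
from typing import Tuple

CERN_DOMAIN = "cern.ch"

# Constructed sample registries.
MANAGED_HOSTS = {
    "rgaspar": {"lxplus001.cern.ch", "webtest.cern.ch"},
    "eormancey": {"cert-sso.cern.ch"},
}
ALREADY_CERTIFIED = {"webtest.cern.ch", "public.example.org"}


def normalise_host(name: str) -> str:
    """Lower-case and drop a trailing dot so that comparisons are exact."""
    return name.strip().lower().rstrip(".")


def is_cern_host(host: str) -> bool:
    """True only for cern.ch itself or a label below it (not 'evilcern.ch')."""
    return host == CERN_DOMAIN or host.endswith("." + CERN_DOMAIN)


def may_request_host_cert(user: str, hostname: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a host-certificate request.

    Slide 6 rules: a CERN host may be requested only by a user who manages
    it; a non-CERN host may be requested by anyone, unless it already holds
    a certificate (otherwise a second requester could obtain a duplicate).
    """
    host = normalise_host(hostname)
    if is_cern_host(host):
        if host in MANAGED_HOSTS.get(user, set()):
            return True, "CERN host managed by requester"
        return False, "CERN host not managed by requester"
    if host in ALREADY_CERTIFIED:
        return False, "non-CERN host already holds a certificate"
    return True, "non-CERN host without an existing certificate"
```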

  7. Certificate usage
  • Short term:
    • Authenticate to IS websites (Win, Web, Mail, Terminal Services, etc.).
    • Provide a common authentication interface for all CERN services: a form of Single Sign-On.
    • Sign and encrypt mails.
  • Medium to long term:
    • Provide Windows and Linux desktop authentication using SmartCard certificates.
    • Embed a SmartCard chip in the CERN Access card.

  8. Websites authentication
  • The certificate can be installed in any browser, on any platform.
  • The certificate is mapped to the user account.
    • Several certificates can be mapped.
  • Authentication is done automatically.
    • Popup for selection if several certificates are installed: multiple identities supported.
  • If no client certificate:
    • Fall back to forms authentication.
      • Useful when using a public computer, but can be a security issue.
    • Policy to be defined: force client certificate.
      • Users must then always use their own computers: increased security, but an accessibility issue.
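The website decision logic of slides 8 and 9 (filter installed certificates by the issuers the server accepts, ask the user when several match, map the chosen one to an account, and otherwise either fall back to forms login or refuse when policy forces a client certificate), as an added example that is not IT/IS code; the issuer names, thumbprints, account names and mapping table are constructed:

```python
"""Client-certificate web authentication with account mapping (slides 8-9).

Constructed illustration: certificates are small dicts, TRUSTED_ISSUERS is
what the server names in its certificate request, and CERT_MAP is the
thumbprint-to-account mapping table. None of these are CERN's real values.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TRUSTED_ISSUERS = {"CERN Trusted Certification Authority", "CERN Grid CA"}

# Several certificates may map to one account; one person may also hold a
# second identity under a different account (slide 8).
CERT_MAP = {
    "A1:B2:C3": "rgaspar",
    "D4:E5:F6": "rgaspar",          # mapped Grid certificate, same account
    "07:08:09": "rgaspar-admin",    # second identity, different account
}
# Constructed sample of what one browser has installed.
INSTALLED = [
    {"issuer": "CERN Trusted Certification Authority", "thumbprint": "A1:B2:C3"},
    {"issuer": "CERN Grid CA", "thumbprint": "D4:E5:F6"},
    {"issuer": "Some Other CA", "thumbprint": "FF:FF:FF"},
]

@dataclass
class AuthResult:
    outcome: str                    # authenticated | choose | forms | denied
    account: Optional[str] = None
    candidates: List[str] = field(default_factory=list)

def matching_certificates(installed: List[dict]) -> List[dict]:
    """Browser side: keep certificates whose issuer the server accepts."""
    return [c for c in installed if c["issuer"] in TRUSTED_ISSUERS]

def server_decide(cert: Optional[dict], *, force_client_cert: bool) -> AuthResult:
    """Server side: map the presented certificate to an account, or fall back."""
    account = CERT_MAP.get(cert["thumbprint"]) if cert else None
    if account:
        return AuthResult("authenticated", account=account)
    if force_client_cert:           # policy option from slide 8
        return AuthResult("denied")
    return AuthResult("forms")      # forms login, e.g. from a public computer

def authenticate(installed: List[dict], *, force_client_cert: bool,
                 chosen: Optional[str] = None) -> AuthResult:
    """Flow of slide 9: select, ask the user if several match, then map."""
    candidates = matching_certificates(installed)
    if len(candidates) > 1 and chosen is None:
        return AuthResult("choose", candidates=[c["thumbprint"] for c in candidates])
    if chosen is not None:          # user picked one; anything else counts as cancel
        cert = next((c for c in candidates if c["thumbprint"] == chosen), None)
    else:
        cert = candidates[0] if candidates else None
    return server_decide(cert, force_client_cert=force_client_cert)
```

A chosen thumbprint that is not among the issuer-filtered candidates is treated like a cancelled popup, so an untrusted certificate can never reach the mapping step.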

  9. IT/IS Websites authentication: Overview (flow diagram)
  • Opening a website.
  • If several client certificates matching the server requirements are found, the browser asks the user to choose.
  • Certificate authentication complete.
  • Otherwise: cancelled, or no certificate installed.

  10. Email signing and encrypting
  • In Outlook 2003: (screenshot not included in the transcript)

  11. SmartCards for Desktop authentication
  • Medium to long term achievement:
    • Integrate a SmartCard chip in the CERN Access card.
    • Use the SmartCard to authenticate Windows or Linux desktop sessions.
    • Use software (client) certificates for authentication of alternate accounts (in the browser).
  • No more passwords typed in:
    • Passwords can be set to a random string not known even by the user, and can be reset automatically very often.
    • Policy to be defined: keep alternate password authentication?

  12. SmartCards for cross-platform authentication
  • Use the same SmartCard for:
    • Windows desktop (and laptop)
      • Browser authentication
    • Linux desktop
      • Browser authentication
    • Mac OS X desktop
      • Browser authentication
    • Remote Windows
      • Windows Terminal Services
    • Remote Linux
      • PuTTY (to be defined, possible with OpenSC)
      • OpenSSH (to be defined, possible with OpenSC)
      • Exceed (to be confirmed)

  13. Project status
  • CERN Certification Authority:
    • CERN CA is up and running.
    • All described functionalities are available.
    • Grid specifications taken into account (EUGridPMA specification).
  • Software (client) certificates:
    • Available for SSO on IT/IS websites, planned to be extended to all web sites.
    • CERN certificate issuing available to all CERN users.
    • Alternate certificate mapping available, including Grid certificates.
  • SmartCards:
    • Test cards have been issued; testing on Windows and Linux in progress.
    • Hardware vendors being evaluated with the TS department to provide the next generation of CERN Access cards (Smartcard + Mifare contactless card + magnetic stripe + printed photo).
    • Estimated cost: ~5€ / card, ~15€ to 25€ / card reader (USB or PCMCIA).

  14. Questions? http://ca.cern.ch
