General Certificate Authentication to Key Applications at Argonne National Laboratory

Slide 1

General Certificate Authentication to Key Applications at Argonne National Laboratory
Presented at the 6th Annual PKI R&D Workshop, April 18th, 2007
Doug Engert, Rich Raffenetti, David Salbego, John Volmer

Slide 3

Introduction
In 2003, Argonne set out to redesign its enterprise web presence.
Primary issues:
  Key web resources and applications spread far and wide
  No central employee site
  Poor search engine
  Weak security due to numerous authentication back-ends
  Multiple development platforms
  Few standards
  No redundancy

Slide 4

Technical Solutions
  Implement the Sun Java System product suite:
    Portal Server
    Access Manager and Policy Agents
    Directory Server
    Application Server
  Use F5 BigIP load balancers for redundancy
  Use Google Search Appliances for the search engine
  Develop an internal Portal to centralize information
  Standardize Java development
  Link password authentication to Active Directory
  Investigate widespread use of other authentication methods, particularly client certificates
... this talk focuses on the bolded items!

Slide 5

Policy Agents Overview
  Provide single sign-on capability for external applications and services
  Supported on most major web and application servers
  Use the SSO cookie token issued by Access Manager
    Cookie must be protected
    Cookie can be made "restricted" to prevent unauthorized use
    Cookie can be tied to a specific agent and application
  Policy agents do not directly accept user credentials
    They rely on SSO tokens issued by Access Manager
    Access Manager performs the actual validation of credentials

Slide 6

Policy Agent Flow Diagram

Slide 7

Policy Agent Flow Description
1. User accesses the application through a web browser.
2. Agent intercepts the request and checks for a valid SSO token (browser session cookie).
3. If not valid, redirect to the Access Manager Authentication Service. The agent also provides its own identity.
4. After successful authentication, Access Manager redirects the user back to the target application with the SSO token as part of a URL query parameter.
5. Agent receives the SSO token and sets it as a session cookie for the host.
6. Agent validates the SSO token with the Session Service.
7. Agent checks permissions against the Policy Service.
8. User is allowed to access the application.
The same SSO token cannot be used to access another application, since the SSO token is unique to each application and may not be shared or reissued to other agents or applications.
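The flow above, as an added example that is not part of the original presentation or the product: a small Python model of a Policy Agent and the Access Manager services, showing a token restricted to the agent it was issued to being rejected when the same cookie is presented to another agent. The cookie name, the HMAC binding of token to agent, the user store and the agent names are constructed assumptions, not the product's real token format.

```python
import hashlib
import hmac
import secrets
# Constructed demo values (a real deployment checks Active Directory/LDAP).
USERS = {"alice": "correct horse"}
SHARED_KEY = b"constructed-demo-key"  # assumed secret known only to Access Manager
class AccessManager:  # Authentication, Session and Policy services, simplified
    def __init__(self, policy):
        self.sessions = {}    # token id -> (user, agent the token was issued to)
        self.policy = policy  # (agent id, url) -> set of allowed users

    def _mac(self, tid, agent_id):
        return hmac.new(SHARED_KEY, f"{tid}:{agent_id}".encode(), hashlib.sha256).hexdigest()

    def authenticate(self, user, password, agent_id):  # issue a token bound to the redirecting agent
        if USERS.get(user) != password:
            return None
        tid = secrets.token_hex(8)
        self.sessions[tid] = (user, agent_id)
        return tid + "." + self._mac(tid, agent_id)

    def validate(self, token, agent_id):  # Session Service: only the bound agent may use the token
        tid, _, mac = token.partition(".")
        if not hmac.compare_digest(mac.encode(), self._mac(tid, agent_id).encode()):
            return None
        rec = self.sessions.get(tid)
        return rec[0] if rec and rec[1] == agent_id else None

class PolicyAgent:
    def __init__(self, agent_id, am):
        self.agent_id, self.am = agent_id, am

    def handle(self, url, cookies):
        """Returns ('redirect', agent id), ('deny', None) or ('allow', user)."""
        user = self.am.validate(cookies.get("sso_token", ""), self.agent_id)
        if user is None:
            return ("redirect", self.agent_id)  # agent identifies itself to Access Manager
        allowed = user in self.am.policy.get((self.agent_id, url), set())  # Policy Service
        return ("allow", user) if allowed else ("deny", None)

def run_flow():
    am = AccessManager({("portal-agent", "/portal"): {"alice"}})
    portal, wiki = PolicyAgent("portal-agent", am), PolicyAgent("wiki-agent", am)
    step1 = portal.handle("/portal", {})                         # no cookie yet -> redirect
    token = am.authenticate("alice", "correct horse", step1[1])  # token returned in URL query
    cookies = {"sso_token": token}                               # agent sets host session cookie
    step2 = portal.handle("/portal", cookies)                    # validated + policy -> allow
    step3 = wiki.handle("/wiki", cookies)                        # same token at another agent
    return step1, step2, step3
```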

Slide 8

Policy Agent Usage Example – Web Server
Convert an existing application that relies on HTTP "basic" authentication to use an Access Manager Policy Agent
  Assumes the web server owns access control
  Assumes a simple application that relies on REMOTE_USER
Simplified outline of steps to convert the application:
  Install the policy agent on an SSL-protected web server
    Adds a few lines to the web server configuration to load the module
    Agent uses a separate configuration file
  Modify the agent configuration file to protect the resource
  Create a policy on Access Manager for the web server and URL
  Remove the original web server access control

Slide 9

Policy Agent Usage Example – continued
Common issue: many applications include their own authentication mechanisms
  Form-based logins rather than HTTP "basic" authentication
  Examples: forum software, Stellent, wikis, …
  Such applications require more work to convert
  Level of difficulty depends on how the code is structured
However…
  Many enterprise application vendors are learning to accept the growth of SSO within institutions
  Various vendors claim to integrate with such solutions, usually with a bit of consulting services
  Simple LDAP-based mechanisms to tie into enterprise authentication/authorization services are not sufficient any longer

Slide 10

Policy Agents – Supported Software
  URL Agents for web servers: Sun, Microsoft IIS, Apache
  J2EE Agents for Java application servers: Sun Application Server 7, 8; BEA WebLogic; IBM WebSphere; Red Hat JBoss 4; Oracle
  Many others exist, including: Tomcat, Domino, SAP Portal

Slide 11

Access Manager Overview
  Provides single sign-on capabilities in conjunction with Policy Agents
  Centralizes authorization services
  Integrates with numerous external authentication providers if desired
  Component of the larger "Identity Manager" product suite
  Open-sourced at

Slide 12

Access Manager – Authentication Modules
All Argonne employees and on-site users have Active Directory accounts (about 8,000 total)
Argonne uses two authentication modules:
  X.509 User Certificates
    Smartcards: ~100 users in a pilot test; includes PIV smartcards for use in Windows and Unix
    Microsoft Certificate Authority for all Active Directory users
    Kerberos Certificate Authority (KCA), KX509 – for use on any platform
  LDAP
    For those not using certificates (usernames/passwords)

Slide 13

Access Manager – Authentication Chaining
  An authentication chain is a list of possible user authentication modules
    Preference for certain modules can be given
    Multiple modules can be required
    Modules can be given an "authentication level"
  Useful as a transition technology – multiple authentication methods can be used simultaneously
  At Argonne:
    Look for a user certificate
    If not available or not accepted, prompt for username and password
    Password checked against Active Directory
    Provides the ability to bypass certificate authentication!

Slide 14

Access Manager – Module Diagram

Slide 15

Access Manager – Certificate Notes
  The certificate issuers' certificates must be imported and trusted by the Access Manager web server
  Client-side certificates must be defined as "optional" by the web server
    Must allow username/password logins
  Access Manager must be able to map the certificate to an Access Manager profile
    This is not a requirement in general, but it is enforced at Argonne
    The certificate subject CN is used to map to an Access Manager profile
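An added example, not code from the presentation or the product, that ties the authentication chain of the Authentication Chaining slide to the certificate notes here: the certificate module runs first (trusted issuer, subject CN mapped to a profile, certificate optional), and the LDAP username/password module is the fallback. The profile table, issuer DN, password store and per-module authentication levels are constructed.

```python
# Constructed data: Access Manager profiles keyed by certificate subject CN,
# an AD-style password store for the LDAP fallback, and the trusted issuer DN.
PROFILES = {"Jane Doe": "jdoe", "Sam Roe": "sroe"}
AD_PASSWORDS = {"jdoe": "s3cret-demo"}
TRUSTED_ISSUERS = {"CN=Example Issuing CA,O=Example Lab"}
LEVELS = {"x509": 2, "ldap": 1}  # assumed 'authentication level' per module

def parse_dn(dn):
    """Parse a simple 'CN=...,OU=...,O=...' string into {ATTR: value}.
    Escaped commas are not handled; production code should use an X.509 library."""
    attrs = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if sep:
            attrs.setdefault(key.upper(), value)  # first occurrence wins
    return attrs

def cert_module(cert):
    """X.509 module: issuer must be trusted, then subject CN must map to a profile."""
    if cert is None or cert.get("issuer") not in TRUSTED_ISSUERS:
        return None  # no client certificate (they are optional) or untrusted issuer
    cn = parse_dn(cert.get("subject", "")).get("CN")
    return PROFILES.get(cn)  # None if the CN has no Access Manager profile

def ldap_module(username, password):
    """LDAP module: username/password checked against the (constructed) AD store."""
    if username and password and AD_PASSWORDS.get(username) == password:
        return username
    return None

def auth_chain(cert=None, username=None, password=None):
    """Chain as described for Argonne: try the certificate first; if absent,
    untrusted or unmapped, fall back to username/password.
    Returns (profile, module, level)."""
    profile = cert_module(cert)
    if profile:
        return profile, "x509", LEVELS["x509"]
    profile = ldap_module(username, password)
    if profile:
        return profile, "ldap", LEVELS["ldap"]
    return None, None, 0
```

The returned level is what a policy could check when an application must not accept the password fallback, which is the bypass the chaining slide warns about.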

Slide 16

Benefits
  ~600 users per day rely on their browser certificate to reach key applications
    Goes up significantly during key times (reviews, benefits)
  Applications rely on the Policy Agent for authentication and authorization data – they don't need to code for authentication
    Developers can code to common standards
    Applications don't need to be rewritten to conform to new or changing security standards – changes are isolated to Access Manager
    Using certificate authentication rather than passwords did not require any application rewriting, for example
  Non-web-based applications can be integrated using the standard API

Slide 17

Fig. 7: Authentication Communication From Logon to Application Credentials (diagram; components labelled: Win XP logon with Smart Card and KCA, Ticket Auto-Enroll, Non-AD login, Portal Server, Access Manager, Content Web Servers with Policy Agent, Java App Servers and Unix with Policy Agent, Domain Controller, CA, Directory Server)

Slide 18

Access Manager Diagram

Slide 19

Site Map