Information and Technology for Better Decision Making

DoD Decentralized Smart Card Issuance

Lynne Prince, July 16, 2003

How is an iceberg like a Smart Card Issuance Program?

2/3 of Smart Card Issuance is hidden from view

Overview

• Business Drivers of the DoD Common Access Card (CAC) Issuance

• High Level Architecture of the CAC Issuance System

• CAC Issuance System Maintenance Considerations

• Future CAC Issuance Directions


DMDC Partnerships


Business Rationale for Decentralized Issuance

• DMDC has successful experience with large scale, enterprise solutions related to identity management

• DoD already had a centralized Identity model – DEERS

• DoD already had a decentralized ID card issuance model – RAPIDS

Business Rationale for Decentralized Issuance

• Reduce operational cost by retrofitting the existing system to handle smart card issuance
  – Hardware in place
  – Modularized software which could be enhanced
  – Trainers, Trusted Officials and Installers already established
  – 24 x 7 Help Desk already available

• Shorten time to market for the DoD PKI program

• Improve security and reduce the potential for fraud

The Decentralized System

DEERS/RAPIDS is a person-based DoD benefit delivery system.

• DEERS - over 25,000 users throughout DoD, 23 million records
• RAPIDS - 1,500 workstations at 900 sites in 13 countries

Services served: ARMY, NAVY, AIR FORCE, MARINE CORPS, COAST GUARD, NOAA, PUBLIC HEALTH

High Level Architecture

• RAPIDS System High Level Architecture
  – RAPIDS Server
  – RAPIDS Workstation
  – DEERS
  – CAC Issuance Portal
  – Common Access Card

[Diagram: RAPIDS Server, RAPIDS Workstation, DEERS, Issuance Portal, Certificate Authority]

RAPIDS Server

• Serves as the Windows NT Domain Controller for a site or group of sites
  – Manages computers that are part of the domain
  – Manages users of the domain

• Stores DEERS user data in internal Oracle database
• Stores offline data in internal Oracle database
• Stores audited events in internal Oracle database
• Serves as communication concentrator for some remote sites


RAPIDS Workstation

• Main RAPIDS application runs on the workstation
  – Sponsor and Dependent data is maintained
  – DoD supplied benefits are calculated and displayed
  – Biometrics are captured and confirmed (photo and fingerprint)
  – Teslin and CAC identification cards are produced

• CACs are encoded

• Secondary Verifying Official (VO) Maintenance Application
  – Adds and maintains VO data on DEERS
  – Adds and maintains VO data at the assigned RAPIDS server
  – Establishes and maintains VO passwords
  – Maintains RAPIDS site data


RAPIDS Workstation Cont’d

• RAPIDS Workstation and DEERS data exchange
  – All data exchange is over a client-side authenticated SSLv3 session using the VO’s identity certificate on their CAC
  – Data transmitted over the SSL connection in DEERS proprietary format:
    • Family data
    • Electronic representations of ID cards and certificates
    • Photograph images
    • Fingerprint images and minutiae templates

• RAPIDS Workstation and Issuance Portal data exchange
  – All data exchange is over a client-side authenticated SSLv3 session using the VO’s identity certificate on their CAC


RAPIDS Workstation Cont’d

• RAPIDS Workstation and RAPIDS Server data exchange
  – The RAPIDS workstation relies on the RAPIDS server to authenticate its users using normal NT domain logon procedures over NETBIOS
    • CAC-enabled workstations retrieve the user’s logon ID and password off the CAC after the correct PIN is supplied
  – The RAPIDS workstation makes ODBC database calls to the RAPIDS Server using the Advanced Security Option
    • User and site data is retrieved/updated
    • Audit information is written
    • Off-line data is written
    • Lookup table data is retrieved


RAPIDS Workstation Cont’d

• Major RAPIDS User Roles
  – Site Security Manager (SSM) - Manages users of the RAPIDS application for a site
    • 2 SSMs at every site
    • Only SSMs can run the secondary VO maintenance application
  – Verifying Officer (VO) - Typical RAPIDS user
    • Sponsor and Dependent updates
    • Produces Teslin cards for Sponsors and Dependents
  – Verifying Officer / Local Registration Authority (VO/LRA) - VOs that have the added authority of producing the CAC
    • Non-US citizens cannot be a VO/LRA
  – Super Verifying Officer (SVO) - Performs reporting and audit data maintenance for a group of sites
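The role separation on this slide (only SSMs run VO maintenance, only a VO/LRA produces a CAC, non-US citizens cannot hold VO/LRA, two SSMs per site) can be written down as an explicit least-privilege check. The code below is an added illustration, not RAPIDS code; the action names, the `User` fields and the permission table are assumptions built from the slide's wording.

```python
"""Role/permission model for RAPIDS users as described on the slide (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    SSM = "Site Security Manager"
    VO = "Verifying Officer"
    VO_LRA = "Verifying Officer / Local Registration Authority"
    SVO = "Super Verifying Officer"


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    site: str
    us_citizen: bool


# Actions named on the slide, mapped to the roles allowed to perform them.
# A VO/LRA keeps the ordinary VO duties and adds CAC production (assumption).
PERMISSIONS = {
    "update_sponsor_dependent": {Role.VO, Role.VO_LRA},
    "produce_teslin_card": {Role.VO, Role.VO_LRA},
    "produce_cac": {Role.VO_LRA},
    "run_vo_maintenance": {Role.SSM},
    "audit_report_maintenance": {Role.SVO},
}


def validate_user(user: User) -> None:
    """Citizenship rule from the slide: non-US citizens cannot be a VO/LRA."""
    if user.role is Role.VO_LRA and not user.us_citizen:
        raise ValueError(f"{user.name}: non-US citizens cannot be a VO/LRA")


def is_permitted(user: User, action: str) -> bool:
    """Deny by default: an action is allowed only to the roles listed for it."""
    validate_user(user)
    return user.role in PERMISSIONS.get(action, set())


def site_has_required_ssms(users, site: str) -> bool:
    """Slide states 2 SSMs at every site; treated here as a minimum (assumption)."""
    return sum(1 for u in users if u.site == site and u.role is Role.SSM) >= 2


if __name__ == "__main__":
    lra = User("Parker", Role.VO_LRA, "site-01", us_citizen=True)
    vo = User("Smith", Role.VO, "site-01", us_citizen=True)
    print(is_permitted(lra, "produce_cac"), is_permitted(vo, "produce_cac"))
```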


RAPIDS Maintenance

• Regular software releases
  – Major releases on CD – 2x/year
  – Small updates are pushed to the RAPIDS Servers

• Hardware upgrades
  – Maintain extra equipment at strategic locations
  – Installers provide hardware repair and replacement
  – Site maintains consumables

• Training and Help Desk
  – Maintain a program of Field Service Representatives
  – Provide a centralized Help Desk – 24 x 7

• Technology refresh cycle – 5-year cycle
  – Hardware changes to support peripherals
  – New capabilities


DEERS

• DEERS Person Data Repository
  – Sponsor and Dependent data is maintained
  – DoD supplied benefits are calculated and displayed
  – Biometrics are captured and confirmed (photo and fingerprint)
  – Teslin and CAC identification cards are produced

• Authentication/Access Maintenance Application
  – Adds and maintains SSM registration
  – Adds and maintains RAPIDS site registration
  – Adds and maintains VO data
  – Binds SSM and VO to DEERS application access


DEERS High Level Architecture

• Layered approach to data access, preparation and transformation
  – Database
  – CORE - encapsulates knowledge and function of data access
  – SERVER - encapsulates knowledge and function for data preparation
  – CLIENT - encapsulates knowledge and function for data transformation, display, and maintenance

DEERS Maintenance

General Maintenance – Respond to User Requirements

[Diagram: DMDC Person Repository serving CLAIMS, PATIENT RECORDS, TUMOR REGISTRY, IMMUNIZATION, DENTAL INSURANCE, RECRUITER INQUIRIES, RDDB, MGIB INQUIRIES, DBIDS, REPORTING, NEO, LANGUAGES, RAPIDS/CAC and JPAS]

CAC Issuance Portal Architecture

[Diagram: Issuance Portals IP1 through IP10 behind a Foundry Networks load balancer, with the Inventory Logistics System, Card Repository System, IP Audit System and ILP Console, and the Denver and Chambersburg IDCA/ECA certificate authorities]

Load Balancing of RAPIDS Sites
• 10 NT Issuance Portal Servers
• T-3 disk array storage for backend systems

Load Balancing for Certificate Authorities
• Group 1:
  – Primary CA – Chambersburg, PA
  – Secondary CA – Denver, CO
• Group 2:
  – Primary CA – Denver, CO
  – Secondary CA – Chambersburg, PA
• Load Balancer - Balances production RAPIDS workstations across the 10 Issuance Portals.

CAC Issuance Portal Components

• Issuance Portal (IP) - The Issuance Portal is dedicated to the initialization and issuance of the CAC, the applications that reside on the CAC, and the keys and credentials needed to securely use/issue the CAC.

• Card Repository System (CRS) - Manages the real estate and the capabilities of the Integrated Circuit Chips of the CACs.

• Inventory Logistics Portal (ILP) - Manages the logistics of maintaining and replenishing CAC stock inventory quantities for individual CAC issuing sites and the DMDC organization.

• IP Audit System - Records the commands requested by a RAPIDS system and the outcome of those commands.


CAC Issuance Portal Components cont’d

• Inventory Logistics Console (ILC) - Provides DMDC management and SSMs the ability to maintain the ILP through the use of a GUI.

• Key Management System - Application for controlling key generation, storage, distribution, use and destruction.

Issuance Portal Maintenance

• Regular software releases
  – Support increased functionality of the PKI Program
  – Support new smart card/applet technology
  – Improve performance and security

• Hardware/Software upgrades
  – Migrate from NT server platform to Unix Issuance Portal
  – Migrate from an LDAP CRS to Oracle

• Technology refresh cycle – ?
  – Smart card contactless technology
  – New 64K cards
  – Biometrics on the smart card
  – New security features

DoD CAC

[Diagram: sample CAC showing the Integrated Circuit Chip, Photograph, Magnetic Stripe, Printed Ghost Image, Organizational Seal, PDF 417 Bar Code, Code 39 Bar Code and Optically Variable Device; sample card text: Parker IV, Christopher J., Armed Forces of the United States, Issue Date 2000SEP19, Expiration Date 2003SEP18, Active Duty Air Force, Geneva Conventions Identification Card, Rank SSGT, Pay Grade E5]


Where are we Today?

What lies in the Future?

• RAPIDS redesign
  – In development – completed roll-out by FY2005

• Issuance
  – Post-issuance capability
    • Email certificate renewal
    • Applet download
  – Central Issuance Facility
    • RAPIDS-like workstation
    • Web-enabled interface
    • CAC mailed back to ordering site

• System upgrade to PKI Release 4


Questions

Lynne [email protected]