Red Hat Identity Management: Directory Server and Certificate System
Joachim Schrö[email protected], Red Hat GmbH
How Identity Management Can Save
In a one-year period in a typical 10,000-user organization:
● 54,180 employee-hours are spent administering users, user stores, and authentication and entitlement.
● 2,666 employee-hours are spent logging on to applications.
● 45% of help desk calls are password related; deploying identity management will reduce help desk call volumes by 33% and increase overall security by 32%.
META Group research conducted on behalf of PricewaterhouseCoopers, June 2002
With Identity Management / Red Hat Directory Server:
Improve TCO from Efficient Management and Access
A bit of history.... Dec. 8, 2004: Red Hat acquires AOL's Netscape Security Solutions business unit
● Netscape Certificate Management System (Red Hat Certificate System)
● Netscape Directory Server (Red Hat Directory Server)
● Netscape Enterprise Server
Code open-sourced as Fedora DS
● 60,000+ downloads....
● A leading OSS product already
Red Hat Directory Server
Network-centric, centralized LDAP data store for:
● Application Settings
● User Profiles
● Group Data
● Policies
● Access Control Information
Scalable Identity Management
(Diagram: Red Hat Directory Server at the centre, serving applications, systems, resources, data, users and customers)
Sample Directory Information Tree (DIT)
dc=redhat, dc=com                 (the organization itself)
├── ou=Engineering                (organizational units: departments)
├── ou=Sales
├── ou=People
│   └── uid=bjensen               (a person entry)
└── ou=Servers
    └── cn=engweb                 (a server entry)
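A tree like the one above is normally loaded from LDIF, which is also the format Directory Server uses for its own configuration. The following Go program is an added example written for this page, not code from the slides or from Red Hat: it parses a constructed LDIF file covering the People and Servers branches of the sample DIT (the cn, sn and description values are made up; only bjensen and engweb come from the slide), handles LDIF's folded-line convention, and checks that every entry's parent exists, the same refusal a server applies when an entry is added below a missing parent. ParseLDIF, NormalizeDN, ParentDN and Orphans are names chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is one LDIF record: its DN plus multi-valued attributes.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// sampleLDIF is a constructed rendering of part of the slide's DIT. The cn,
// sn and description values are made up; bjensen and engweb are the slide's.
const sampleLDIF = `dn: dc=redhat, dc=com
objectClass: domain
dc: redhat

dn: ou=People,dc=redhat,dc=com
objectClass: organizationalUnit

dn: ou=Servers,dc=redhat,dc=com
objectClass: organizationalUnit

dn: uid=bjensen,ou=People,dc=redhat,dc=com
objectClass: inetOrgPerson
uid: bjensen
cn: B. Jensen
sn: Jensen
description: continuation lines start with one space and are
  joined to the previous line

dn: cn=engweb,ou=Servers,dc=redhat,dc=com
objectClass: device
cn: engweb
`

// NormalizeDN lowercases and trims whitespace around RDN separators, so
// "dc=redhat, dc=com" and "DC=redhat,DC=com" compare equal. A rough stand-in
// for LDAP matching rules, enough for a consistency check.
func NormalizeDN(dn string) string {
	parts := strings.Split(strings.ToLower(dn), ",")
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return strings.Join(parts, ",")
}

// ParentDN drops the leftmost RDN; "" means the DN has no parent.
func ParentDN(dn string) string {
	if parts := strings.SplitN(NormalizeDN(dn), ",", 2); len(parts) == 2 {
		return parts[1]
	}
	return ""
}

// ParseLDIF reads blank-line-separated records, joining folded lines (a line
// starting with a space continues the previous value). Base64 "::" values and
// change records are out of scope; malformed input is an error, not a guess.
func ParseLDIF(text string) ([]Entry, error) {
	var entries []Entry
	var cur *Entry
	lastAttr := ""
	for i, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" { // record separator
			if cur != nil {
				entries, cur = append(entries, *cur), nil
			}
			continue
		}
		if strings.HasPrefix(line, " ") { // folded line: append to the last value
			if cur == nil || lastAttr == "" {
				return nil, fmt.Errorf("line %d: continuation with nothing to continue", i+1)
			}
			vals := cur.Attrs[lastAttr]
			vals[len(vals)-1] += line[1:]
			continue
		}
		kv := strings.SplitN(line, ":", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("line %d: expected attr: value", i+1)
		}
		attr, val := kv[0], strings.TrimSpace(kv[1])
		switch {
		case attr == "dn" && cur == nil:
			cur, lastAttr = &Entry{DN: NormalizeDN(val), Attrs: map[string][]string{}}, ""
		case attr == "dn" || cur == nil:
			return nil, fmt.Errorf("line %d: dn and attributes out of order", i+1)
		default:
			cur.Attrs[attr] = append(cur.Attrs[attr], val)
			lastAttr = attr
		}
	}
	if cur != nil {
		entries = append(entries, *cur)
	}
	return entries, nil
}

// Orphans lists entries whose parent is not in the file (the suffix entry is
// exempt). A server rejects such an add because the parent does not exist.
func Orphans(entries []Entry, suffix string) []string {
	have := map[string]bool{}
	for _, e := range entries {
		have[e.DN] = true
	}
	var orphans []string
	for _, e := range entries {
		if e.DN != NormalizeDN(suffix) && !have[ParentDN(e.DN)] {
			orphans = append(orphans, e.DN)
		}
	}
	return orphans
}
```

The check is deliberately strict: a folded line without a preceding attribute, or an attribute before the record's dn, is reported with its line number rather than guessed at, which is the behaviour you want from anything that feeds a bulk load.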
Red Hat Directory Server: Scalable Identity
LDAP-based authentication (“who are you”):
● Widely supported; OS access through NIS or PAM “gateway”
● Supports Kerberos via SASL
● Integrated support for X.509 certificates
● Supports databases, legacy systems via plug-in API
Fine-grained access control (“what can you do”):
● Using external criteria: type of connection, day of week/time, hostname/IP
● Role-Based Access Control: groups (“engineering”) and roles (“managers”)
High availability and scalability through Multi-Master Replication
Red Hat Directory Server: Key Features
Master-slave, multi-master replication
● Service continuity
● Scalability
● Load balancing
Sophisticated access control
HTTP applications
● phonebook
● org chart
SNMP support
Schema extensions: LDIF
Red Hat Directory Server: Key Features (cont.)
Plug-ins
● New syntaxes...
SDKs & tools
● API: C/C++, Java, Perl
DSML/XML support
Strong authentication
● GSS/SASL: Kerberos
WinSync
(Diagram: Active Directory and Directory Server synchronizing over SSL/TLS)
Key Features: Flexible Administration
Many tasks possible without downtime, e.g.:
● Change server and database configuration
● Bulk-load data, export data, back up database
● Add new/change schema, create new indexes
LDAP used for configuration and monitoring
● Configuration exposed as a set of LDAP entries
● Real-time status and statistics available over LDAP
● Configuration files are LDIF
● File format same as LDAP format
● Can also use SNMP for monitoring
Administration can be done from the command line or a GUI console
Administration architecture
Modular yet homogeneous architecture, 3 levels:
● Admin. client
● Admin. server
● Target server
(Diagram: the admin client talks HTTP to the admin server, which manages the target servers)
RHDS: configuration data stored in the directory
● Custom applications possible, and made easier
● o=netscaperoot
Directory Server Administration
What Is Multi-Master Replication?
Master copies reside on multiple servers
Masters can be situated in different data centers, different geographic areas
Changes to data can be made to the closest server, and are then propagated to the other masters
Failover ensures continuous service
Automatic time-based conflict resolution
Not appropriate for every deployment: adds some complexity
Easy Replication Configuration
Multi-master, master-slave
Highly reliable mechanism
● changelog
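To show what "automatic time-based conflict resolution" over a changelog means in practice, here is an added Go example written for this page (it is not Directory Server's replication code): two masters each accept a conflicting write on the same attribute while disconnected, exchange their changelogs, and converge because every change carries a change sequence number (CSN) ordered by time, sequence and replica id. The model is simplified to replace-type modifications and integer clocks; the New York and Brisbane masters, the entry and the phone numbers are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// CSN is a change sequence number: the accepting master's clock (seconds),
// a per-master sequence counter for changes within the same second, and the
// master's replica id. Masters order changes lexicographically on these
// fields, so every master sorts the same set of changes the same way.
type CSN struct{ Time, Seq, ReplicaID int }

func (a CSN) Less(b CSN) bool {
	if a.Time != b.Time {
		return a.Time < b.Time
	}
	if a.Seq != b.Seq {
		return a.Seq < b.Seq
	}
	return a.ReplicaID < b.ReplicaID
}

// Change is one changelog record: replace Attr of DN with Value.
type Change struct {
	CSN             CSN
	DN, Attr, Value string
}

// Master is one updateable replica with its own clock and changelog.
type Master struct {
	ID, Clock, seq int
	Log            []Change
}

// Update accepts a local write and stamps it with a fresh CSN.
func (m *Master) Update(dn, attr, value string) Change {
	m.seq++
	c := Change{CSN{m.Clock, m.seq, m.ID}, dn, attr, value}
	m.Log = append(m.Log, c)
	return c
}

// Replicate pulls the changelog records of peer that this master lacks.
// Records are identified by CSN, so receiving one twice is harmless.
func (m *Master) Replicate(peer *Master) {
	seen := map[CSN]bool{}
	for _, c := range m.Log {
		seen[c.CSN] = true
	}
	for _, c := range peer.Log {
		if !seen[c.CSN] {
			m.Log = append(m.Log, c)
		}
	}
}

// State replays the changelog in CSN order, so for each (dn, attr) the change
// with the greatest CSN wins, whatever order the records arrived in.
func (m *Master) State() map[string]string {
	log := append([]Change(nil), m.Log...)
	sort.Slice(log, func(i, j int) bool { return log[i].CSN.Less(log[j].CSN) })
	state := map[string]string{}
	for _, c := range log {
		state[c.DN+"/"+c.Attr] = c.Value
	}
	return state
}

// Scenario (constructed): the help desk in New York and the user in Brisbane
// change the same phone number while the WAN link is down, then both masters
// replicate. skew is how many seconds Brisbane's clock runs ahead of New York's.
func Scenario(skew int) (ny, br *Master) {
	ny = &Master{ID: 1, Clock: 1000}
	br = &Master{ID: 2, Clock: 1000 + skew}
	dn := "uid=bjensen,ou=People,dc=redhat,dc=com"
	ny.Update(dn, "telephoneNumber", "+1 555 0100")
	br.Update(dn, "telephoneNumber", "+61 7 5550 0200")
	ny.Replicate(br)
	br.Replicate(ny)
	return ny, br
}

func main() {
	key := "uid=bjensen,ou=People,dc=redhat,dc=com/telephoneNumber"
	for _, skew := range []int{0, -5, 5} {
		ny, br := Scenario(skew)
		fmt.Printf("skew %+d s: New York sees %q, Brisbane sees %q\n", skew, ny.State()[key], br.State()[key])
	}
}
```

Both masters always agree, which is the property replication needs, but which write survives is decided by the accepting master's clock: with the clocks aligned the tie falls to the higher replica id, and a few seconds of skew flips the winner. That is the operational reason to keep every master on synchronized time.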
Typical multi-master configuration
● Updateable masters
● Replica hubs (image masters)
● Read-only replicas (specialized directories)
MMR Example: Over WAN
Enterprise with remote offices connected via WAN
(Diagram: Office 1 has a master in New York with local replicas; Office 2 has a master in Brisbane with local replicas; the two masters replicate with each other across the WAN)
MMR Example: Frequent Searches/Updates
Enterprise application with high search and update rates
(Diagram: clients send queries through a load balancer to a pool of replicas, and updates through a second load balancer to the masters; the masters replicate to the replicas)
WinSync: RHDS-Microsoft replication
● Active Directory
● NT (product installs an LDAP instance)
(Diagram: Active Directory and Directory Server synchronizing over SSL/TLS)
Plugins
Insert custom code
● Syntaxes, ...
● Pre/Post LDAP processing
● Password management
● New backend
● Example: Uniqueness plugin (e.g. uids)
Every plugin has a DN
● cn=plugin_name, cn=plugin, cn=config
● Parameters allowed
Plugins (cont.)
Access control
“Who is allowed to do what?”
● For every Directory object
Typical ACI:
aci: (targetattr="userPassword || homePhone || homePostalAddress") (version 3.0; acl "Write example.com"; allow (write) userdn="ldap:///self" and dns="*.example.com";)
● ACI editor to ease writing instructions
Bind rules
Who can bind to the Directory, when, from where
Managed attributes:
● userdn, groupdn, roledn
● IP address, DNS host name
● dayofweek
● authmethod (SASL...)
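To make the bind rules concrete, here is an added Go example written for this page rather than taken from Directory Server: it parses the ACI shown above (with `||` used consistently between attribute names) and evaluates access requests against it, matching userdn="ldap:///self" against the bound DN and the dns wildcard against the client host name. It understands only the subset of the ACI syntax that appears on the slide (one allow clause, bind-rule clauses joined by "and", the userdn and dns keywords); ParseACI, Permits and the Request fields are names chosen for the example, not server APIs, and the DNs used in the test are constructed.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// sampleACI is the instruction from the slide, with "||" used consistently:
// a user may write three attributes of their own entry, but only when
// connecting from a host under example.com.
const sampleACI = `aci: (targetattr="userPassword || homePhone || homePostalAddress") (version 3.0; acl "Write example.com"; allow (write) userdn="ldap:///self" and dns="*.example.com";)`

// BindRule is one keyword="value" clause; ACI is the subset of the syntax
// this evaluator understands: one "allow", clauses joined by "and".
type BindRule struct{ Keyword, Op, Value string }

type ACI struct {
	TargetAttrs, Rights []string
	BindRules           []BindRule
}

// Request is one access decision: who is bound, which entry and attribute
// they touch, from which host, and which right they need.
type Request struct{ BindDN, TargetDN, Attr, ClientHost, Right string }

var (
	reTargetAttr = regexp.MustCompile(`targetattr\s*=\s*"([^"]*)"`)
	reAllow      = regexp.MustCompile(`allow\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$`)
	reClause     = regexp.MustCompile(`^(\w+)\s*(=|!=)\s*"([^"]*)"$`)
	reAnd        = regexp.MustCompile(`(?i)\s+and\s+`)
)

// lowerList splits on sep, trims and lowercases, dropping empty items.
func lowerList(s, sep string) (out []string) {
	for _, p := range strings.Split(s, sep) {
		if p = strings.ToLower(strings.TrimSpace(p)); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// normDN makes DNs comparable: lowercase, no spaces around RDN separators.
func normDN(dn string) string { return strings.Join(lowerList(dn, ","), ",") }

func has(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// ParseACI extracts target attributes, rights and bind rules. Anything it
// does not understand is an error, never a silently permissive rule.
func ParseACI(text string) (ACI, error) {
	var a ACI
	m := reTargetAttr.FindStringSubmatch(text)
	if m == nil {
		return a, fmt.Errorf("no targetattr")
	}
	a.TargetAttrs = lowerList(m[1], "||")
	for _, t := range a.TargetAttrs {
		if strings.Contains(t, "|") { // a lone "|" is a common typo
			return a, fmt.Errorf("malformed attribute list near %q", t)
		}
	}
	if m = reAllow.FindStringSubmatch(text); m == nil {
		return a, fmt.Errorf("no allow (...) clause")
	}
	a.Rights = lowerList(m[1], ",")
	for _, c := range reAnd.Split(m[2], -1) {
		cm := reClause.FindStringSubmatch(strings.TrimSpace(c))
		if cm == nil {
			return a, fmt.Errorf("unparsed bind rule clause %q", c)
		}
		a.BindRules = append(a.BindRules, BindRule{strings.ToLower(cm[1]), cm[2], cm[3]})
	}
	return a, nil
}

// match evaluates one clause. Unknown keywords fail closed.
func (b BindRule) match(r Request) bool {
	ok, v := false, strings.ToLower(b.Value)
	switch b.Keyword {
	case "userdn":
		switch v {
		case "ldap:///anyone":
			ok = true
		case "ldap:///all": // any authenticated identity
			ok = r.BindDN != ""
		case "ldap:///self":
			ok = r.BindDN != "" && normDN(r.BindDN) == normDN(r.TargetDN)
		default:
			ok = r.BindDN != "" && normDN(strings.TrimPrefix(v, "ldap:///")) == normDN(r.BindDN)
		}
	case "dns":
		ok, _ = path.Match(v, strings.ToLower(r.ClientHost))
	default:
		return false
	}
	return ok != (b.Op == "!=")
}

// Permits is the decision: deny unless the attribute, the right and every
// bind-rule clause all match.
func (a ACI) Permits(r Request) bool {
	if !has(a.TargetAttrs, strings.ToLower(r.Attr)) && !has(a.TargetAttrs, "*") {
		return false
	}
	if !has(a.Rights, strings.ToLower(r.Right)) && !has(a.Rights, "all") {
		return false
	}
	for _, b := range a.BindRules {
		if !b.match(r) {
			return false
		}
	}
	return true
}
```

The evaluator is deny-by-default: a request from outside example.com, for an attribute not in the list, for a right other than write, or from an anonymous bind all come back false, and a keyword the evaluator does not know also denies rather than being skipped. It also rejects an attribute list joined with a single `|`, since a typo like that would otherwise be read as one odd attribute name and silently stop matching.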
Monitoring
● SNMP agent
● Local status data available
HTTP application: DirExpress
HTTP application: Org. Chart
Annex: Certificate System
A highly sophisticated PKI
● To manage the whole lifecycle of a certificate
Certificate Authority (CA)
● Creates X.509 certificates & CRLs
Token Management System (TMS)
● Smartcards & software tokens support
Data Recovery Manager (DRM)
● Private keys secure storage
● Needed for key recovery
Online Certificate Status Protocol (OCSP) Responder
● Provides certificate status in real time
Token Key Service (TKS)
● Inter-subsystem communication services
Red Hat Identity Management
Identity Management ensures that the RIGHT users get access to systems, data, and applications quickly and securely.
Foundation for a low-cost, high-value identity management solution:
● Directory Server: Scalable Identity
  ● Who are you?
  ● What can you do?
● Certificate System: Simplified Assurance
  ● Are you who you say you are?
What Is PKI?
Public Key Infrastructure: a set of standards and services that facilitate the use of public-key cryptography in a networked environment
SSL uses PKI: cornerstone of Internet commerce
Benefits:
● Allows two strangers to communicate in a secure fashion
● Permits authentication without requiring the user to send a secret over the wire (unlike name & password)
● Encryption protects confidentiality of sensitive information
Problems:
● Enrollment and initial application configuration has historically been a difficult problem to solve
What Are Certificates?
A certificate binds a name to a public key
Public key and private key have a special relationship:
● Data encrypted with a public key can be decrypted only with the corresponding private key
● Public key is published as part of the certificate
● Private key is kept secret (e.g. on user's hard disk)
● Private key can be stored on a smartcard (token) for improved security, portability
Certificates can be used to:
● Log in securely (rather than passwords)
● Prevent eavesdropping (e.g. SSL)
● Sign documents, code
● Encrypt data
What Are Certificates? (cont'd)
X.509 certificates contain:
● Serial number
● User’s name
● User’s public key
● Usage flags
● Validity period
Certificates are digitally signed by a Certificate Authority (CA)
What Is a Certificate Authority (CA)?
A CA validates identities and issues certificates
Can be an independent third party (e.g. VeriSign) or an organization (e.g. Department of Defense)
Analogous to the DMV issuing driver's licenses
● Recognized authority that verifies who you are and gives you an ID to use for specific purposes
Can revoke a certificate (i.e., break the name-to-public-key binding) if the private key is compromised
● Certificate Revocation List (CRL) lists revoked certificates
● CA publishes CRLs
What a PKI Looks Like
(Diagram: the certificate and key management systems, i.e. a Registration Authority, a Certification Authority, a Key Recovery Authority and certificate and CRL repositories, serving a public-key-enabled community of SSL servers, routers, VPN clients, browsers, database clients and servers, and other products)
Certificate Chaining
● Root CA: Subject=DoD, Issuer=DoD (self-signed)
● Subordinate CA: Subject=Navy, Issuer=DoD
● Leaf certificate: Subject=Steve P, Issuer=Navy
Certificate Hierarchy
Root CA → Subordinate CA → Leaf Certificates
Certificate Revocation
Certificate Authority periodically issues Certificate Revocation List (CRL)
Revocation Reasons:
● Key compromise or loss
● Change of affiliation
Relying Parties are supposed to check the CRL when verifying a certificate
Certificates expire after a period of time
● They can then be removed from the CRL
Relying Party Verification
1. Does the data being signed match the public key in the certificate?
2. Is the certificate issuer one that I trust?
3. Has the certificate expired?
4. Is the certificate on the latest CRL?
5. Is the certificate certified for this usage?
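The five checks above, applied to the DoD / Navy / Steve P chain from the chaining slide, as an added Go example that uses only the standard library's crypto/x509 (it is not Certificate System or NSS code). BuildPKI creates the self-signed root, the subordinate CA and the leaf with throwaway P-256 keys, IssueCRL signs a CRL from either CA, and VerifyLeaf runs steps 1, 2, 3 and 5 through the library's chain verification and then performs step 4 against a current, issuer-signed CRL for every certificate below the root. The common names come from the slide; the serial numbers, validity periods, the client-authentication usage and the one-day CRL lifetime are choices made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn, signed by parent or self-signed when
// parent is nil. Keys are throwaway P-256 keys: a constructed toy hierarchy.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // step 5 material: the leaf is certified for client authentication only
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// PKI is the hierarchy drawn on the slide: DoD root, Navy subordinate CA,
// leaf certificate for Steve P.
type PKI struct {
	Root, Sub, Leaf *x509.Certificate
	RootKey, SubKey *ecdsa.PrivateKey
}

func BuildPKI() PKI {
	year := 365 * 24 * time.Hour
	root, rootKey := newCert("DoD", 1, true, nil, nil, time.Now().Add(10*year))
	sub, subKey := newCert("Navy", 2, true, root, rootKey, time.Now().Add(5*year))
	leaf, _ := newCert("Steve P", 3, false, sub, subKey, time.Now().Add(year))
	return PKI{root, sub, leaf, rootKey, subKey}
}

// IssueCRL signs a CRL from issuer listing the revoked serials, good for one day.
func IssueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, number int64,
	revoked []*x509.Certificate, now time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// currentCRL picks a list that issuer really signed and that is not past
// NextUpdate; a stale or foreign CRL proves nothing about revocation.
func currentCRL(crls []*x509.RevocationList, issuer *x509.Certificate, now time.Time) *x509.RevocationList {
	for _, crl := range crls {
		if crl.CheckSignatureFrom(issuer) == nil && !now.After(crl.NextUpdate) {
			return crl
		}
	}
	return nil
}

// VerifyLeaf runs the relying-party checklist. Verify covers steps 1, 2, 3
// and 5 (signatures up to a trusted root, validity period, key usage); the
// loop is step 4, a CRL lookup for every certificate below the root.
func VerifyLeaf(leaf *x509.Certificate, intermediates, roots []*x509.Certificate,
	crls []*x509.RevocationList, usage x509.ExtKeyUsage, now time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{usage}})
	if err != nil {
		return err
	}
	chain := chains[0] // leaf first, root last
	for i := 0; i+1 < len(chain); i++ {
		cert, issuer := chain[i], chain[i+1]
		crl := currentCRL(crls, issuer, now)
		if crl == nil {
			return fmt.Errorf("no current CRL from %q, so %q cannot be trusted", issuer.Subject.CommonName, cert.Subject.CommonName)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q revoked by %q at %s", cert.Subject.CommonName,
					issuer.Subject.CommonName, rc.RevocationTime.UTC().Format(time.RFC3339))
			}
		}
	}
	return nil
}
```

Two design points worth noting. Step 4 is applied to the subordinate CA as well as the leaf, because a compromised Navy CA is revoked by DoD's CRL, not its own. And a missing or stale CRL makes verification fail rather than pass: the relying party that cannot obtain current revocation data has no basis for trusting the certificate, which is the point of the "latest CRL" wording in step 4.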
Overview of Red Hat Certificate System
Red Hat Certificate System: Simplified Assurance
Highly flexible, standards-based PKI solution
Built on the open source Network Security Services (NSS) crypto libraries used by Mozilla, all Netscape servers, and Sun Directory Server
Unique approach with integrated smartcard deployment
High scalability and performance via integrated Directory Server
Unmatched availability and disaster recovery
FIPS 140-2 certification underway for NSS
Common Criteria certification by NIAP (partnership between NSA and NIST) at Evaluation Assurance Level 4 augmented under the CIMC protection profile
Java SDK and tools
Basic Functions
● Issues certificates
● Issues CRLs
● Modular deployment: web based
● Archives user’s private keys (optional)
● Lots of auditing
● Flexible access control
● Provides a management interface
Main Components
Certificate Authority (CA): Issues X.509 digital certificates and CRLs
Token Management System (TMS):
● Supports Global Platform smartcards & software tokens
● Makes smartcards as easy to use as an ATM
Registration Authority (RA): Supported for the benefit of pre-7.0 deployments
Data Recovery Manager (DRM):
● Secure repository for backup/recovery of users' private keys
● Configurable multi-person approval for recovery
Online Certificate Status Protocol (OCSP) Responder:
● Responds to OCSP requests to verify certificate validity in real time
Token Key Service (TKS):
● Manages symmetric keys for securing communication between subsystems and tokens
Demo: Token Enrollment & Usage
Certificate System 7.1 Alpha build running on RHEL 3
Enterprise Security Client running on Windows XP
ESC detects uninitialized token, displays custom enrollment UI from back end
Cert System back end:
● Updates applet
● Triggers key generation on token
● Formulates certificates, injects into token
● Sets Thunderbird preferences
Firefox and Thunderbird clients:
● Recognize token insertion and removal for client authentication, signed & encrypted email
Certificate System Architecture
(Diagram: on the user's side of the firewall, the Enterprise Security Client and the token; behind it, the Token Processing System, Certificate Authority, Token Key Service, Data Recovery Manager and Publishing Directory; the links between client and back end carry HTML and protocol data units)
Enterprise Security Client Architecture
(Diagram: the ESC sits on NSS and a PKCS#11 implementation module above the eGate USB driver; Firefox and Thunderbird reach the token through PKCS#11, while IE, Outlook, VPN and login reach it through CAPI)
Key Features of Red Hat Certificate System
Key Features: Token Innovations
Certificate System works with Global Platform compatible smartcards (tokens)
● Greatly simplifies enrollment and all other aspects of token management
● Customizable enrollment process
● First to market with integrated soft certificate/hardware token solution
Enterprise Security Client:
● Runs on RHEL, Windows, Mac OS X
● Facilitates communication between Certificate System back end and token
Firefox and Thunderbird “do the right thing” with tokens
● We have built special versions with improved token support
● Code contributed to Mozilla projects
Key Features: Scalability and Performance
Solid HTTP Engine Based on Netscape Enterprise Server
Database optimizations
Lab tests:
● Issued over 12 million certificates from single server in less than 35 days (~14,000 certificates/hour)
● Simultaneously published to Directory Server and archived private keys
● 10% of certificates revoked, resulting in 1.2-million-entry CRL
● Generated CRL in less than 30 minutes
High Availability and Disaster Recovery
Cloning/failover mechanism:
Reduces unplanned outages by making one or more subsystem clones available for failover
CA, DRM, and OCSP Responder can be cloned
● CA key material available 24x7
● Data sources for cloned systems are replicated, so data is shared seamlessly between subsystem databases
Master and cloned instances typically installed on different machines behind a load balancer
When a failure occurs, load balancer transparently redirects all requests to a clone that's still running, without any service interruption
Tools & SDKs
Java SDK for integrating with other enterprise applications
● Documentation for creating plug-ins
● Bootstraps authentication mechanisms using existing databases and other applications
● Facilitates customized publishing, e.g. to trigger billing when a certificate is published
Uses Console, a GUI application for typical admin tasks
Command-line administrative and testing tools for additional tasks
NSS Crypto Libraries
Open source C libraries designed to support cross-platform development of security-enabled client and server applications
● Tri-license: GPL, LGPL, MPL
Underlies crypto features of Mozilla clients, all Netscape servers, Sun Directory
Highly portable codebase: supports 20+ platforms
● Available as RPMs on Red Hat Linux
Crypto algorithms, X.509 v3 certificates, CRLs, OCSP, SSL/TLS, S/MIME, PKCS #5, PKCS #7, PKCS #11, PKCS #12, etc.
Smartcard and other hardware crypto device support
JSS: open source Java bindings for NSS
● Gives Java programs access to NSS via JNI
Government Support
Fully compatible with Federal Bridge
● Gateway mechanism used by government agencies
FIPS 140-2 certification for NSS underway (not available for 7.1)
● Third-party crypto certification required for government contracts
● FIPS 140-1 certification obtained for earlier version of NSS
Support for certificate issuance with Windows extensions for Windows Smartcard Logon
New Features Since Netscape Releases
Supported Platforms:
● Solaris 9 (32- and 64-bit)
● RHEL 3, 4 (32-bit)
Improved Token Support
● DRM-generated private keys, archival, and key recovery for tokens
● Injection of wrapped private key from DRM during enrollment/recovery
ESC Improvements:
● Support for Red Hat Enterprise Linux 3, 4, Mac OS X, Windows XP
● Support for key recovery, PKCS #11 interface
● Client installers (including security libraries)
Improved migration support, including to Red Hat Enterprise Linux
SHA-256 and SHA-512
HSM Support: nCipher nShield 9.01, Chrysalis Luna SA 3.1
Product Benefits & Roadmap
Benefits
Mature product: 8+ years of specialized engineering expertise
End-to-end solution
● Uses same NSS crypto libraries as Mozilla products
● Leverages Red Hat Directory Server features and performance
● Supports heterogeneous environments
● Key element of cross-platform Red Hat identity management solution
Easy for users
● Mature life cycle management
● Protected from complexity of PKI
● Military-grade crypto that just works
● Fewer calls to help desk
● Leverages AOL experience to dramatically simplify smartcard deployment and usability
Benefits (Cont'd)
Robust administration
● High availability and automated disaster recovery through Directory-based Multi-Master replication, cloning, and failover
● Console application provides GUI for routine tasks
● Mature command-line tools permit specialized or bulk operations
● Remote smartcard administration
● Hides complexity without sacrificing flexibility
Consistent, reliable maintenance after initial rollout
● Red Hat commitment to support and training
● Red Hat Network for hot fixes, updates, new releases
Roadmap
Solidify leadership in ease of use and administration:
● Integrate Kerberos via SAMBA
● Streamline backup procedures
● Use RHN to simplify installation, upgrades, patches
● UI tools for configuration of TPS server
New platform support:
● 64-bit Red Hat Enterprise Linux
● Windows 2000 (for ESC)
Next year:
● Integrate ESC and related drivers with Red Hat Enterprise Linux
● Build out cross-platform Red Hat identity management solution
  ● Identity management/policy server
Roadmap: Common Criteria
Third-party certification of processes etc., required for government contracts
Earlier Netscape release certified on Solaris by NIAP (partnership between NSA and NIST) at Evaluation Assurance Level 4 augmented under the CIMC protection profile
● One of the first PKI products to receive this certification
● Special CC setup guide for highly secure deployments
● Extensive CC documentation
● Special CC features:
  ● Signed logs
  ● Self tests
● Looking into certification on Red Hat Enterprise Linux 4
Questions?