Universal Certificate Authentication to Key Applications at Argonne National Laboratory Presented at National Labs Information Summit 2008 May 13, 2008.


Slide 1: Universal Certificate Authentication to Key Applications at Argonne National Laboratory
Presented at National Labs Information Summit 2008, May 13, 2008
David Salbego, Argonne National Laboratory

Slide 2: IT Environment Challenges
Diverse population:
– 2,500 employees
– 10,000+ visitors annually
– Off-site computer users
– Foreign national employees, users, and collaborators
Diverse funding:
– Not every computer is a DOE computer.
– IT is funded in many ways.
Every program is working in an increasingly distributed computing model.
Our goal: a consistent and comprehensively secure environment that supports the diversity of IT and requirements.
Argonne is managed by UChicago Argonne LLC for the Department of Energy.

Slide 3: Emphasis on the Synergies of Multi-Program Science, Engineering & Applications
Accelerator Research; Catalysis Science; Nuclear Fuel Cycle; Transportation Science; Computational Science; Materials Characterization; Structural Biology; Fundamental Physics; User Facilities; Infrastructure Analysis … and much more.

Slide 4: Introduction
In 2003, Argonne set out to re-architect its operations web presence.
Primary issues:
– Key web resources and applications spread far and wide
– No central employee web site
– Poor search engine
– Weak security due to multiple authentication back-ends
– Multiple development platforms
– Few standards
– No redundancy

Slide 5: Technologies Used
– Implement the Sun Java System product suite:
  – Portal Server
  – Access Manager and Policy Agents
  – Directory Server
  – Application Server
– F5 BigIP load balancers for redundancy
– Google Search Appliances for the search engine
– Portal to centralize information
– Java development standard
– All on-site persons have Active Directory accounts/identities
– Public Key Infrastructure using Microsoft Certificate Authority
  – X.509 certificates
… this talk focuses on the items shown in bold on the original slide (the bold formatting is not preserved in this transcript).

Slide 6: The Big Picture
Diagram; only its labels survive. Microsoft Desktop side: Win XP, Log in, user name, password, Auto-Enroll, Ticket, Domain Controller, CA. Sun Access Manager side: Content Web Servers, Policy Agent, Access Manager, Directory Server, SSO Token.

Slide 7: Major Issues
– How to issue certificates to users
– How to enable applications
Diagram: the Microsoft Desktop portion of the big picture (Auto-Enroll, Log in, Win XP, user name, password, Ticket, Domain Controller, CA).

Slide 8: Certificate Issuance – Microsoft Enterprise CA
– Tightly integrated with Active Directory
– All Argonne employees and on-site users have Active Directory accounts
  – 2,500 employees, 5,000 facility users
  – 66% Windows based
– Auto enrollment by a Microsoft Enterprise CA
  – Windows XP and Vista users who are members of the domain
  – Can be controlled by Group Policy

Slide 9: User Auto Enrollment Process
Diagram; labels: Log on, TLS, Request, Enroll, CA, Web Server.

Slide 10: Configuring Auto Enrollment: Step 1 – User Security Group

Slide 11: Configuring Auto Enrollment: Step 2 – Certificate Templates (predefined configurations)

Slide 12: Configuring Auto Enrollment: Step 2 – Version 2 Certificate Template Settings

Slide 13: Configuring Auto Enrollment: Step 3 – Group Policy Setting
User Configuration/Windows Settings/Security Settings/Autoenrollment Settings

Slide 14: Details of user auto enrollment certificates
Users who log in to a domain XP (or Vista) workstation with domain credentials automatically get an X.509 certificate which is usable for authentication.
– Expire in 30 days
– Automatic renewal prior to expiration
– Subject: CN=
– Certificates configured for no export of the private key

Slide 15: Certificate auto enrollment
– Auto enrollment is the key enabler for X.509 certificate authentication to the Argonne Access Manager.
– Users are generally unaware that they get/have a certificate.
– Users who have certificates may present them to the Access Manager (also discussed here) and to other resources as well, without any more interaction than clicking a login button.
– Over 2,100 new personal certificates were issued automatically to users in a typical month.
– Administration, as well as use, is uncomplicated.
– Permits sites to deploy certificate-enabled applications while avoiding user education with regard to certificates.
– When combined with Sun Access Manager, enables single sign-on.

Slide 16: Major Issues
– How to issue certificates to users
– How to enable applications
Diagram: the Sun Access Manager portion of the big picture (Content Web Servers, Policy Agent, Access Manager, Directory Server).

Slide 17: Certificate Authentication
Argonne uses two authentication modules for Sun Access Manager:
– X.509 User Certificates
  – Microsoft PKI Certificate Authorities, for all Active Directory users
  – KX509 certificates
– LDAP
  – For those not using certificates (usernames/passwords)

Slide 18: Policy Agents Overview
– Provide single sign-on capability for external applications and services
– Supported on most major web and application servers
– Utilize the SSO cookie token provided by Access Manager
  – The cookie must be protected
  – The cookie can be made "restricted" to prevent unauthorized use: it can be tied to a specific agent and application
– Policy agents do not directly accept user credentials
  – They rely on SSO tokens provided by Access Manager
  – Access Manager performs the actual validation of credentials

Slide 19: Policy Agent Flow Diagram
Diagram; actors: Web Browser, Application with Policy Agent, Access Manager Authentication Service. Labels: User access application, SSO Token Not Found!, Request SSO Token, Request certificate, Try now.

Slide 20: Policy Agent Usage Example – Web Server
Convert an existing application which relies upon HTTP "basic" authentication to use the Access Manager Policy Agent:
– Assumes the web server owns access control
– Assumes a simple application that relies upon REMOTE_USER
Simplified outline of steps to convert the application:
– Install the policy agent on the SSL-protected web server
  – Adds a few lines to the web server configuration to load the module
  – The agent uses a separate configuration file
– Modify the agent configuration file to protect the resource https://myserver.gov:443/my/protected/URL
– Create a policy on Access Manager for the web server and URL https://myserver.gov:443/my/protected/URL
– Remove the original web server access control
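Slides 18 and 20 together describe the agent model: the web server's policy agent checks the Access Manager SSO cookie (which can be "restricted" to one agent), and the converted application keeps reading REMOTE_USER as it did under basic auth. The following is an added example, not code from the talk or from the Sun/OpenSSO agents: a minimal policy agent written as WSGI middleware in front of a REMOTE_USER-style application. The token format (user|agent|expiry|HMAC), the cookie name SSO_TOKEN, the agent ids and the login URL are all assumptions made for the demo; a real Access Manager token is opaque and is validated by calling back to Access Manager.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import quote

COOKIE_NAME = "SSO_TOKEN"                   # assumed cookie name for this demo
LOGIN_URL = "https://am.example.gov/login"  # assumed Access Manager login URL


def issue_restricted_token(secret: bytes, user: str, agent_id: str,
                           ttl: int, now: Optional[float] = None) -> str:
    """Stand-in for Access Manager issuing a token 'restricted' to one agent.
    Format is constructed for this demo: user|agent|expiry|hmac-sha256."""
    if "|" in user or "|" in agent_id:
        raise ValueError("user and agent id must not contain '|'")
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{agent_id}|{exp}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_restricted_token(secret: bytes, token: str, agent_id: str,
                              now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is intact, unexpired and bound to
    this agent, else None.  A token lifted from another application's cookie
    fails the agent check: that is what 'restricted' buys you."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user, bound_agent, exp, mac = parts
    expected = hmac.new(secret, f"{user}|{bound_agent}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if bound_agent != agent_id or not exp.isdigit():
        return None
    if int(exp) <= (time.time() if now is None else now):
        return None
    return user


class PolicyAgent:
    """WSGI middleware standing in for the web-server policy agent module."""

    def __init__(self, app, secret: bytes, agent_id: str,
                 protected_prefix: str, clock=time.time):
        self.app, self.secret, self.agent_id = app, secret, agent_id
        self.protected_prefix, self.clock = protected_prefix, clock

    def __call__(self, environ, start_response):
        # Identity must come from the agent only: drop anything the client
        # smuggled in as a REMOTE_USER header before the app can see it.
        environ.pop("REMOTE_USER", None)
        environ.pop("HTTP_REMOTE_USER", None)
        path = environ.get("PATH_INFO", "/")
        if path.startswith(self.protected_prefix):
            jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
            token = jar[COOKIE_NAME].value if COOKIE_NAME in jar else ""
            user = validate_restricted_token(self.secret, token,
                                             self.agent_id, self.clock())
            if user is None:
                # "SSO token not found": bounce to Access Manager, which asks
                # for a certificate (or a password) and sends the user back.
                goto = quote(f"https://{environ.get('HTTP_HOST', 'localhost')}{path}", safe="")
                start_response("302 Found", [("Location", f"{LOGIN_URL}?goto={goto}")])
                return [b""]
            environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def legacy_app(environ, start_response):
    """The converted application: it reads REMOTE_USER exactly as it did under
    HTTP basic auth, so no application code had to change."""
    user = environ.get("REMOTE_USER", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def run_request(agent, path, cookie_header="", extra_env=None):
    """Drive the WSGI stack without a server; returns (status, headers, body)."""
    env = {"PATH_INFO": path, "HTTP_HOST": "myserver.gov", "HTTP_COOKIE": cookie_header}
    env.update(extra_env or {})
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(agent(env, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    agent = PolicyAgent(legacy_app, secret, "agent-myserver", "/my/protected/")
    print(run_request(agent, "/my/protected/URL"))           # 302 to Access Manager
    token = issue_restricted_token(secret, "alice", "agent-myserver", 300)
    print(run_request(agent, "/my/protected/URL", f"{COOKIE_NAME}={token}"))  # 200, hello alice
```

Two details matter operationally: the agent strips any inbound REMOTE_USER before the application runs, because once the web server's own access control is removed (the last step on the slide) the application has nothing else standing between it and a client-supplied header; and a token bound to one agent is refused by every other agent, which is the protection the "restricted" cookie gives against reuse across applications.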

Slide 21: Policy Agent Usage Example – continued
Common problem:
– Many applications include their own authentication mechanisms
  – Form-based logins instead of HTTP "basic" authentication
  – Examples: forum software, Stellent, wikis, …
– Such applications require more work to convert
  – Level of difficulty depends upon how the code is structured
However…
– Many enterprise application vendors are learning to accept the growth of SSO within infrastructures
  – A number of vendors claim to integrate with such solutions, usually with a bit of consulting services
  – Simple LDAP-based mechanisms to tie into enterprise authentication/authorization services are not enough

Slide 22: Policy Agents – Supported Software
URL agents for web servers:
– Sun Web Server
– Microsoft IIS
– Apache
J2EE agents for Java application servers:
– Sun Application Server
– BEA WebLogic; IBM WebSphere
– Apache Tomcat; JBoss; Oracle

Slide 23: Access Manager Overview
– Provides single sign-on capabilities in conjunction with Policy Agents
– Centralizes authorization services
– Integrates with many external authentication providers if desired
– Component of the larger "Identity Manager" product suite
– Open-sourced at http://www.opensso.dev.java.net/

Slide 24: Access Manager – Authentication Chaining
An authentication chain is a list of possible user authentication modules:
– Preference to particular modules can be given
– Multiple modules can be required
– Modules can be given an "authentication level"
Benefit as a transition technology: multiple authentication techniques can be used simultaneously.
At Argonne:
– Look for a user certificate
– If not available or not accepted, request username and password
  – Password checked against Active Directory
– Provides the ability to bypass certificate authentication!
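To make the chain semantics concrete, here is an added example (not Access Manager's code) of a small chain evaluator using the JAAS-style control flags that Sun Access Manager chains are built from: REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL. The two modules are stand-ins: cert_module accepts a pre-verified certificate from one constructed issuer whose CN maps to a known user, and ldap_module checks a username/password against a constructed dictionary in place of an Active Directory bind. The Argonne chain is modelled as certificate SUFFICIENT followed by LDAP REQUIRED, which is exactly the "password can bypass the certificate" behaviour the slide points out; the STRICT_CHAIN shows what "multiple modules can be required" looks like instead.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Module contract: given the request context, return the user name it
# authenticated, or None if it could not (or had nothing to work with).
ModuleFn = Callable[[dict], Optional[str]]


@dataclass
class ChainEntry:
    name: str
    flag: str        # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL (JAAS control flags)
    auth_level: int  # strength of this module; the session carries the highest level reached
    run: ModuleFn


@dataclass
class Session:
    user: str
    auth_level: int
    modules: List[str]   # which modules actually vouched for the user


def evaluate_chain(chain: List[ChainEntry], ctx: dict) -> Optional[Session]:
    """JAAS chain semantics:
       REQUIRED   must succeed; a failure is remembered but later modules still run
       REQUISITE  must succeed; a failure ends the chain at once
       SUFFICIENT success ends the chain (unless an earlier REQUIRED/REQUISITE failed)
       OPTIONAL   its result never decides the outcome on its own"""
    required_failed = False
    passed: List[ChainEntry] = []
    users: List[str] = []
    for entry in chain:
        user = entry.run(ctx)
        if user is not None:
            passed.append(entry)
            users.append(user)
            if entry.flag == "SUFFICIENT" and not required_failed:
                break
        elif entry.flag == "REQUISITE":
            return None
        elif entry.flag == "REQUIRED":
            required_failed = True
    if required_failed or not passed or len(set(users)) != 1:
        return None   # a mandatory step failed, nothing vouched, or modules disagree on who it is
    return Session(user=users[0], auth_level=max(e.auth_level for e in passed),
                   modules=[e.name for e in passed])


# ---- stand-in modules (constructed; a real deployment checks the CA chain and binds to AD) ----
TRUSTED_ISSUER = "CN=Argonne Enterprise CA"   # constructed issuer name
DIRECTORY: Dict[str, str] = {                 # constructed stand-in for Active Directory
    "salbego": "constructed-pw",
    "visitor1": "constructed-pw-2",
}


def cert_module(ctx: dict) -> Optional[str]:
    """X.509 module: the browser may present no certificate at all (client certs are
    'optional' at the web server); one from an untrusted issuer, or whose CN maps to
    no profile, is not accepted."""
    cert = ctx.get("client_cert")
    if not cert or not cert.get("verified") or cert.get("issuer") != TRUSTED_ISSUER:
        return None
    cn = cert.get("cn")
    return cn if cn in DIRECTORY else None


def ldap_module(ctx: dict) -> Optional[str]:
    """LDAP module: username/password checked against the directory (stand-in for an AD bind)."""
    creds = ctx.get("credentials")
    if not creds:
        return None
    user, password = creds
    expected = DIRECTORY.get(user, "")
    return user if hmac.compare_digest(expected.encode(), password.encode()) else None


# The Argonne chain as the slide describes it: certificate first, password as fallback.
ARGONNE_CHAIN = [
    ChainEntry("X509Cert", "SUFFICIENT", auth_level=2, run=cert_module),
    ChainEntry("LDAP",     "REQUIRED",   auth_level=1, run=ldap_module),
]

# "Multiple modules can be required": both must pass, so there is no password-only path.
STRICT_CHAIN = [
    ChainEntry("X509Cert", "REQUIRED", auth_level=2, run=cert_module),
    ChainEntry("LDAP",     "REQUIRED", auth_level=1, run=ldap_module),
]

GOOD_CERT = {"verified": True, "issuer": TRUSTED_ISSUER, "cn": "salbego"}   # constructed

if __name__ == "__main__":
    print(evaluate_chain(ARGONNE_CHAIN, {"client_cert": GOOD_CERT}))
    print(evaluate_chain(ARGONNE_CHAIN, {"credentials": ("salbego", "constructed-pw")}))
    print(evaluate_chain(STRICT_CHAIN, {"client_cert": GOOD_CERT}))   # None: password also required
```

The auth_level carried on the Session is what makes the bypass manageable: a password-only login through the Argonne chain comes out at level 1, a certificate login at level 2, so a policy on a sensitive application can demand level 2 and refuse the password path without changing the chain for everyone else.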

Slide 25: Access Manager – Module Diagram

Slide 26: Access Manager – Certificate Notes
– The certificate issuers' certificates must be imported and trusted by the Access Manager web server
– Client-side certificates must be defined as "optional" by the web server
  – Must allow username/password logins
– Access Manager must be able to map a certificate to an Access Manager profile
  – This is not a requirement in general, but it is enforced at Argonne
  – The certificate subject CN is used to map to an Access Manager profile
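The mapping step on this slide is where a deployment is most likely to be loose, so here is an added example (not Access Manager's certificate module) of the CN-to-profile mapping done strictly. Web servers typically hand the verified client certificate's subject and issuer to the authentication layer as RFC 4514 string DNs, so the block includes a small DN parser that handles quoted values, backslash escapes and multi-valued RDNs, then applies the slide's rules: the chain must already be verified, the issuer must be one the server trusts, and the subject CN must map to exactly one profile. The trusted issuer DN and the profile table are constructed for the demo.

```python
from string import hexdigits
from typing import Dict, List, Tuple


class CertMappingError(Exception):
    """Raised when a presented certificate cannot be mapped to a profile."""


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string DN ("CN=x,OU=y,...") into (type, value) pairs,
    honouring backslash escapes, \\XX hex pairs and quoted values.  Multi-valued
    RDNs joined with '+' are returned as separate pairs.  Unescaped whitespace
    around types and values is dropped; types are upper-cased."""
    pairs: List[Tuple[str, str]] = []
    key: List[str] = []
    value: List[str] = []
    target = key
    quoted = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if i + 2 < len(dn) and dn[i + 1] in hexdigits and dn[i + 2] in hexdigits:
                target.append(chr(int(dn[i + 1:i + 3], 16)))   # hex pair (ASCII only here)
                i += 3
            else:
                target.append(dn[i + 1])                        # escaped special character
                i += 2
            continue
        if c == '"' and target is value:
            quoted = not quoted
        elif not quoted and target is key and c == "=":
            target = value
        elif not quoted and target is value and c in ",+":
            pairs.append(("".join(key).strip().upper(), "".join(value).strip()))
            key, value = [], []
            target = key
        else:
            target.append(c)
        i += 1
    if key or value:
        pairs.append(("".join(key).strip().upper(), "".join(value).strip()))
    return pairs


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing issuer names: parsed, types upper-cased,
    values case-folded, re-joined with ','."""
    return ",".join(f"{k}={v.casefold()}" for k, v in parse_dn(dn))


# Constructed data: the issuer DN the Access Manager web server trusts, and the
# Access Manager profiles keyed by certificate subject CN.
TRUSTED_ISSUERS = {"CN=Argonne Enterprise CA,DC=anl,DC=gov"}
PROFILES: Dict[str, Dict[str, str]] = {
    "salbego": {"uid": "salbego", "role": "employee"},
    "visitor1": {"uid": "visitor1", "role": "facility-user"},
}


def map_certificate_to_profile(subject_dn: str, issuer_dn: str,
                               chain_verified: bool) -> Dict[str, str]:
    """Apply the slide's rules: the web server must have verified the chain to a
    trusted issuer, and the subject CN must map to exactly one profile; anything
    else is rejected rather than silently falling through to another module."""
    if not chain_verified:
        raise CertMappingError("client certificate chain was not verified")
    trusted = {normalize_dn(d) for d in TRUSTED_ISSUERS}
    if normalize_dn(issuer_dn) not in trusted:
        raise CertMappingError(f"issuer not trusted: {issuer_dn}")
    cns = [v for k, v in parse_dn(subject_dn) if k == "CN"]
    if len(cns) != 1:
        raise CertMappingError("subject must carry exactly one CN")
    profile = PROFILES.get(cns[0])
    if profile is None:
        raise CertMappingError(f"no Access Manager profile for CN {cns[0]!r}")
    return profile


def is_rejected(subject_dn: str, issuer_dn: str, chain_verified: bool) -> bool:
    """True if the mapping refuses the certificate (used for the checks below)."""
    try:
        map_certificate_to_profile(subject_dn, issuer_dn, chain_verified)
    except CertMappingError:
        return True
    return False


if __name__ == "__main__":
    issuer = "CN=Argonne Enterprise CA,DC=anl,DC=gov"
    print(map_certificate_to_profile("CN=salbego,OU=Users,DC=anl,DC=gov", issuer, True))
    print(is_rejected("CN=nobody,OU=Users,DC=anl,DC=gov", issuer, True))   # True
```

Keying the lookup on CN alone is only as safe as the naming policy of every issuer in TRUSTED_ISSUERS: with a single enterprise CA that derives CN from the Active Directory account, as here, CN is unique, but as soon as a second issuer is trusted the same CN can be issued to two different people, and the key should become (issuer, CN). The "exactly one CN" check guards against subjects with repeated or multi-valued CN attributes, which would otherwise make the mapping ambiguous.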

Slide 27: Benefits
– ~700 users daily rely on their browser certificate to reach key applications
  – Goes up dramatically during key times (appraisals, benefits)
– Applications rely upon the Policy Agent for authentication and authorization information and do not have to code for authentication
  – Developers can code to the same standards
– Applications do not have to be re-written to conform to new or changing security standards; changes are isolated to Access Manager
  – Using certificate authentication instead of passwords did not require any application re-writing, for example
– Non-web-based applications can be integrated using the standard API

Slide 28: Questions?

