
CERN Certificates platform Emmanuel Ormancey / Anatoly Gladkov


1 CERN Certificates platform
Presented by Ruben Gaspar on behalf of Emmanuel Ormancey / Anatoly Gladkov, IT/IS. HEPIX Fall 2005. 20 November 2018

2 Agenda
- CERN Certification Authority overview
  - Architecture
  - User, Host, "Enrollment" certificates
- Certificate usage
  - Web sites
  - SmartCards
- Project status

3 CERN Certification Authority: Architecture
- Offline Root CA:
  - Runs on Virtual PC.
  - Root CA server image kept on removable disks.
  - The root will be trusted by default inside CERN.
- Online Issuing CA:
  - User requests for "software" certificates (client certificates).
  - Enrollment station for SmartCard certificates (only an authorized user on an authorized desktop can issue certificates on smartcards), i.e. the Card Service.
  - User requests for Host certificates.
  - Allows users to map existing certificates (e.g. Grid, CACert, Thawte) to their account.

4 CERN Certification Authority: Certificate Request
- Internet Explorer or Mozilla browsers can handle the certificate request automatically.
- A manual procedure with OpenSSL is also provided.
- "Software" (client) certificates are requested by users.

5 CERN Certification Authority: Enrollment Station
- Smartcard certificates can be issued only by users with a valid "enrollment agent" certificate installed on a dedicated machine.

6 CERN Certification Authority: Host Certificates and Certificate Mapping
- Users can request Host certificates for CERN hosts they manage, and for any non-CERN host that is not already certified.
- Users can map an existing certificate (e.g. a Grid certificate) to their account for authentication.

7 Certificate usage
- Short term:
  - Authenticate to IS websites (Win, Web, Mail, Terminal Services, etc.)
  - Provide a common authentication interface for all CERN services: a sort of Single Sign On.
  - Sign and encrypt mails.
- Medium to long term:
  - Provide Windows and Linux desktop authentication using SmartCard certificates.
  - Embed a SmartCard chip in the CERN Access card.

8 Websites authentication
- The certificate can be installed in any browser, on any platform.
- The certificate is mapped to the user account; several certificates can be mapped.
- Authentication is done automatically. If several certificates are installed, a popup asks which one to use: multiple identities supported.
- If no client certificate is present: fall back to forms authentication. Useful when using a public computer, but can be a security issue.
- Policy to be defined: force client certificate. Users must then always use their own computers: increased security, but an accessibility issue.

9 IT/IS Websites authentication: Overview
- Opening a website:
  - If several client certificates matching the server requirements are found, the browser asks the user to choose.
  - Certificate authentication complete.
  - Cancelled, or no certificate installed.
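The architecture of slide 3 (offline root CA, online issuing CA) and the certificate-to-account mapping and chain check of slides 6, 8 and 9, as an added example that is not code from the presentation or from the CERN CA itself; it uses the OpenSSL CLI, and all names, paths and the mapping table are constructed for the demo.

```shell
# Added example, not from the CERN presentation: a two-tier PKI shaped like the
# slides (offline root CA, online issuing CA, user "software" certificate) built
# with the OpenSSL CLI, plus the chain check and account mapping a web site
# should do. Names, paths and the mapping table are constructed for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Extensions: the CAs may sign certificates, the end-entity certificate may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext

# 1. Offline root CA (self-signed; in production its key lives on removable disk).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/DC=example/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.pem 2>/dev/null
# 2. Online issuing CA, signed once by the root, does the day-to-day issuing.
openssl req -new -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr \
  -subj "/DC=example/CN=Demo Issuing CA" 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out issuing.pem 2>/dev/null
# 3. User "software" (client) certificate issued by the online CA.
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/DC=example/CN=Jane Doe" 2>/dev/null
openssl x509 -req -in user.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 365 -extfile user.ext -out user.pem 2>/dev/null
# A self-signed certificate carrying the same name: the name alone must never
# be enough, only a chain to the trusted root counts.
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
  -subj "/DC=example/CN=Jane Doe" -days 1 2>/dev/null

# Chain check as the web site should do it: only the root is trusted, the issuing
# CA is passed as an untrusted intermediate, and the certificate must be fit for
# client authentication. Exit status 0 only for a valid chain.
verify_client_cert() {
  openssl verify -CAfile root.pem -untrusted issuing.pem -purpose sslclient "$1" >/dev/null 2>&1
}

# Mapping keyed by certificate fingerprint rather than subject name, so that a
# re-issued or look-alike certificate does not silently inherit the account.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
MAPPING="$(fingerprint user.pem) jdoe"   # constructed: one registered mapping

# Print the account mapped to a presented certificate, or fail.
map_to_account() {
  verify_client_cert "$1" || return 1
  echo "$MAPPING" | awk -v fp="$(fingerprint "$1")" '$1 == fp { print $2; f=1 } END { exit !f }'
}
```

Run it as a whole script: the user certificate chains to the root through the issuing CA and maps to its account, while the look-alike self-signed certificate is rejected before any mapping is consulted.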

10 Email signing and encrypting
In Outlook 2003:

11 SmartCards for Desktop authentication
- Medium to long term achievement:
  - Integrate a SmartCard chip into the CERN Access card.
  - Use the SmartCard to authenticate Windows or Linux desktop sessions.
  - Use software (client) certificates for alternate-account authentication (in the browser).
- No more passwords typed in: passwords can be set to a random string not known even by the user, and can be reset automatically very often.
- Policy to be defined: keep alternate password authentication?

12 SmartCards for cross-platform authentication
Use the same SmartCard for:
- Windows desktop (and laptop)
- Browser authentication
- Linux desktop
- Mac OS X desktop
- Remote Windows: Windows Terminal Services
- Remote Linux:
  - PuTTY (to be defined, possible with OpenSC)
  - OpenSSH (to be defined, possible with OpenSC)
  - Exceed (to be confirmed)

13 Project status
- CERN Certification Authority:
  - CERN CA is up and running. All described functionalities are available.
  - Grid specifications taken into account (EUGridPMA specification).
- Software (client) certificates:
  - Available for SSO on IT/IS websites, planned to be extended to all web sites.
  - CERN certificate issuing available to all CERN users.
  - Alternate certificate mapping available, including Grid certificates.
- SmartCards:
  - Test cards have been issued; testing on Windows and Linux in progress.
  - Hardware vendors being evaluated with the TS dept. to provide the next generation of CERN Access cards (Smartcard + Mifare contactless card + magnetic stripe + printed photo).
  - Estimated cost: ~5€ / card, ~15€ to 25€ / card reader (USB or PCMCIA).

14 Questions? http://ca.cern.ch

