Fast Deployment of IAM (‘AAA’) in Certificate – based Contexts eID and eTrust SiteMinder Coexistence Ir. Guy Duray Business Technologist guy.duray@ca.com

Post on 16-Jan-2016

Page 1

Fast Deployment of IAM (‘AAA’) in Certificate – based Contexts

eID and eTrust SiteMinder

Coexistence

Ir. Guy Duray

Business Technologist

guy.duray@ca.com

Page 2

© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

Agenda

CA, EIM & Security

Certificates, PKI & the eID

Challenges of eID implementations

eTrust SiteMinder as an approach for fast deployment

Other Security functions of importance

Q&A

Thank You and further sessions

Page 3

Management Software @ CA

Enterprise Infrastructure Management

Simplifies Management

Increases Utilization

Real-time & On-Demand

Aligns IT with Business

Page 4

The Problem is Growing

Partners

Customers

Contractors

Hackers

Malware

Spam

Page 5

eTrust Security Management

Partners

Customers

Contractors

Hackers

Malware

Spam

Page 6

eTrust™ Security Management Solutions

Security Management
• Who has access to what?
• What is happening in your environment?
• How to address it?

Enabled by world-class research team

Integration with Network and Systems management

On-Demand Security Management

Page 7

Brave New World…

• Is this really a dog?
• Do we know this dog?
• Who’s backing this dog?

Page 8

Information Evolution

Paper Based Information
• Signature Recognition
• Physical Representation
• Physical Ownership
• Legally Supported
• Publicly Entrenched
• Supported by Forensic Testing
i.e. Socially and Legally Accredited System

Electronic Information
• Electronic Signatures
• Disks and Archives ?
• Logical Ownership
• Sometimes
• Evolving
• ?????
Some way to go…

Page 9

Certificates & PKI are the only technologies able to deliver:
• User Authentication (true~)
• Communications Confidentiality
• Transactions Integrity
• Non-Repudiation

PKI implementations have long (…) stayed at trial stage

PKI has always been perceived as complex … and costly

But

Companies (now) look upon strong authentication differently

Solution providers brought along technologies that really address their client needs

The Solution Suite Pendulum…

Quotes…

Page 10

Why a PKI and Directory Service

GLOBAL - DISTRIBUTED
• Online User Identification.
• Online User - Service Profiles.
• Instant, scalable User recognition.
• Customer Self Management
• Proof of Identity to Others.
• Proof of Warrantee to Others.
• Proof of Payment to Others.
• Users Can Find Each Other
• Business Relationships
• Product and Service Catalogues
• Multiple CA/PKI Regimes
• Virtual Private Groups.

This is a business information system design issue - not a protocol spec!

Page 11

How Does PKI Work?

[Figure: a credit card (A MERRY CAN X PRESS, JOHN SMITH, CREDIT CO PTY LTD, 07/96 THRU 06/99) annotated with certificate fields: Issuer Name, Issuer Key Material, Subject Key Material, Subject Name, Validity Dates (sometimes with a PIN)]

Issuer and Subject Names are Directory System Names

Page 12

Vulnerabilities in Today’s Apps/RDBMS Architectures

[Figure: Web Client, Web Server, App Servers, App Client, DB Server and DB, with numbered markers 1 to 7 referring to the list below]

1. Unauthorized access to transactions
2. Eavesdropping
3. Unauthorized access to app servers
4. Attacks on server availability
5. Unauthorized access to app data
6. Unprotected database
7. Database availability
…

Page 13

Organisational Application of Directories & PKI

[Figure: two credit-card images (A MERRY CAN X PRESS, JOHN SMITH, CREDIT CO PTY LTD, 07/96 THRU 06/99), labelled “User to User - Digital Proof”]

Services Offered
• Office Automation Directories and LDAP Servers.
• WEB enabled Databases for Service Delivery
• Credit Card authentication.
• White, Blue, Green, Yellow Page Services, Document Mgt and Catalogues
• Customer / User Services and Application Environments (VISP-env)
• True Business Services (Digital Signatures, Certificates - Identity and Warrantee services)

Internal Systems -> Customer Facing -> Customer Services and Management

Customer’s Electronic Wallet

Small Scale (Proprietary) integrated with Distributed Large Scale (Standard)

Page 15

But What Is An Infrastructure?

What is Infrastructure?
• It’s roads, power grids, water supply and sewers. Things you need in life but you personally may not want to think about too much.

Page 16

Secure Transactions : Business Challenges

[Figure labels: Web AS, Portals; Apps, DBs; OS’es; ?]

Maximize the added-value of PKI
• Enforce Strong Authentication
• Use Digital Certificates
• Unify the Authentication process around the certificate
• Independently of the accessed application
• Independently of the user’s location

Minimize Risks and Costs
• Avoid modifying applications (the hidden face of the PKI Iceberg)
• What did a user do?
• How do I audit across multiple applications?

Page 17

Put challenges in the eID Context

Citizen – Enterprises (+++) – Government (+++)

Provide Fast Deployed
• Authentication services
• Authorization services
• Auditability
• Non Repudiation

Provide exits to workflow (provisional)

Provide Federation

Page 18

[Figure: architecture diagram. CLIENT labels: eTrust SiteMinder Agent, eID Run Time (Application Client Side), eTrust TransactionMinder Agt, Smart Card, Smart Card Reader, IPC, PC/SC. AUTHENTICATION SERVER labels: eTrust SM Policy Server & OCSP Responder, Directory, Certificate Manager, XML, LDAP. Also labelled: eTrust Infrastructure, Other ID (eTrust) Services]

Page 19

The Application Silo Challenge

• High security administration costs
• Expensive coding and maintenance
• Poor user experience

• No centralized security enforcement
• No standardized security process
• No central auditing capability

[Figure: Employees, Partners and Customers reach separate application silos, each with its own Application Layer, Security Layer, User Store and Operating System. Applications: CRM, ERP, HR, Partner Extranet, SCM, Customer Self-Service, E-Commerce. User stores: SQL 2000, SunONE LDAP, Oracle OID, Oracle RDBMS, Active Directory, Oracle, PKI Cert, LDAP. Per-silo identities shown for one user: J_Doe, 1211960, John Doe, A23JJ4, John_D, Johnd, Mobile Phone]

Page 20

The Solution

• Reduced administrative costs
• Reduced development costs
• Single sign-on & sign-off
• Faster application deployment
• Increased overall system security
• Meet regulatory requirements

[Figure: Employees, Partners and Customers reach the same applications through eTrust™ SiteMinder® as a shared Security Layer above the Application Layer, User Store and Operating System. Applications: CRM, ERP, HR, Partner Extranet, SCM, Customer Self-Service, E-Commerce. User stores: SQL 2000, SunONE LDAP, Oracle OID, Oracle RDBMS, Active Directory, Oracle, LDAP]

Page 21

eTrust™ SiteMinder®

• Broad Platform Support
• Federation Security Services
• Authorization Management
• Auditing & Reporting
• Authentication Management
• Single Sign-On
• Enterprise Manageability
• Open & Extensible
• High Performance Architecture

Page 22

eTrust™ SiteMinder® Key Features

• Authentication management & multiple authentication scheme support: levels, fall backs, chaining of PKI, passwords & more
• Centralized, policy-based authorization management
• Robust federated single sign-on environment: Agent & Proxy-based, Comprehensive SAML platform, Passport, Kerberos
• Extensive integration: directories, application servers, Web servers, RDBMS, & ERP applications
• Proven scalability, reliability, & availability
• Enterprise-class manageability with full auditing & reporting

[Figure labels: Provisioning & User Administration; Access Control & Management; Web Services; eTrust™ IdentityMinder®; eProvision™; eTrust™ SiteMinder®; eTrust™ TransactionMinder®]

eTrust™ SiteMinder®: Market-leading access management solution for Web-based applications

Page 23

SiteMinder in Action

[Figure: numbered markers 1 to 7 over a diagram of users (Employees, Partners, Customers), a Web Server with Agent, a Secure Proxy Server with a Destination Web Server, the Policy Server, User & Entitlement Stores (LDAP, RDBMS, Mainframe, NT Domain, PKI) and Secured Applications (Customer Service, Supply Chain, Intranet)]

Page 24

Key Features

Native Directory Enablement

Single Sign-On for
• Microsoft Applications
• Proxy implementations
• Application Servers
• OS 390 Applications (ERPs, Groupwares)

Password Management

Authorization Management

Federation

Manageability

High Performance & Availability

Openness

Page 25

Single Sign-On: Application Server Environment

• J2EE Application Server Agents: IBM WebSphere & BEA WebLogic
• Enables SSO across the enterprise, including J2EE application server based applications
• Leverages the eTrust SiteMinder broad range of authentication system support
• Centralized authorization management & audit services

[Figure labels: Users, Firewalls, Web Server, J2EE Application Server, Web Apps, ERP/CRM, J2EE Apps, Backend Resources, User & Entitlement Stores, eTrust™ SiteMinder® Policy Server]

Page 26

Authentication Management: Broad Support for Authentication Systems

Methods
• Passwords
• Two factor tokens
• X.509 certificates
• Passwords over SSL
• Smart cards
• SAML
• Combination of methods
• Forms-based
• Custom methods
• Full CRL & OCSP support
• Biometric devices

Management
• Authentication Levels
• Directory chaining
• Configured fallbacks to other authentication schemes

Page 27

Authorization Management: Centralized Policy Management

• Restrict access by user, role, groups, dynamic groups, or exclusions
• Controlled “impersonation” of users by other users
• Fine-grained authorization at the file, page, or object level
• Determine access based on location and time

Policies
• Send static, dynamic (SQL queries), or profile attributes in responses
• Redirect users based on type of authentication or authorization failure
• Can have global or local policies

SiteMinder Policy = Rule or Rule Group + Users or Groups in a Directory + Response or Response Group

Option(s): + Time + IP Address + Active Response + eTelligent Rule

• Rule or Rule Group: allows or denies access to a resource
• Users or Groups in a Directory: User, Groups, Exclusions, Roles
• Response or Response Group: action that occurs when a rule fires
• Time: time when the policy can or cannot fire
• IP Address: IP address that the policy applies to (for example 1.2.3.4)
• Active Response: dynamic extension of the policy (optional)
• eTelligent Rule: expression using Contextual Data, Web Services

Page 28

Federated Security Services: SAML Producer with SAML Affiliate Agent (SAA)

[Figure: a User authenticates at www.SiteMinder.com and has SSO over the Internet to www.PartnerA.com and www.PartnerB.com, each shown with an SAA]

• SiteMinder site conducts authentication
• User profile must exist at www.SiteMinder.com
• Light-weight Web plug-in at partners
• Security product/SAML support not required at partners
• Converts SAML attribute assertions into HTTP header variables
• Provides user profile information to Web application
• Synchronized session between sites
• Single sign-on/off
• Centralized auditing & reporting
• Event notification services

Page 29

Manageability

• Reports: Access, Activity, Intrusions, Audit
• Monitor: SNMP, Web based
• Central Management of Distributed Agents, Installation
• Scripting Interface
• Environment Collector
• Testing Tool: Connection, Functionality, Troubleshooting, Regression
• Security: Confidentiality, mutual authentication, revocation, session cookies, cross site scripting, nothing stored on agents

Page 30

High Performance Architecture

• Automatic fail-over
• Cluster-to-cluster fail-over
• Agent to Policy Server dynamic load balancing
• Policy Server to directory server load balancing & failover
• 2-level caching in Policy Server & agents

[Figure labels: two Directory Servers (Replication); two Policy Servers, each with a Policy Cache and a Rules Cache; Audit Log (ODBC); 128 Bit RC4 encryption; three Web Servers, each with a Web Agent w/ Cache]

Page 31

Open & Extensible: Full Java & C SDKs

Use the SiteMinder Agent API to:
• Build custom agents
• Manipulate user entries

Use Policy Server APIs to:
• Integrate authentication schemes
• Include external data in authorization policies
• Define custom event handlers
• Connect to proprietary directories for user authentication & authorization

Page 32

Broad Platform Support: Leverages Existing Investments

Platforms
• Web Agents: Microsoft IIS, Sun ONE, Apache, HP Apache, Lotus Domino, IBM HTTP, Oracle HTTP, Domino Go
• Policy Server: MS NT/Win 2000/Win2003, Sun Solaris, HP-UX, Red Hat Enterprise Linux

User Directories
• Sun Java System Directory Server
• NT Domains
• Microsoft Active Directory
• IBM Directory Server
• Novell eDirectory
• MS SQL Server
• Oracle RDBMS
• Siemens DirX
• Oracle Internet Directory
• Critical Path Directory Server
• Lotus Domino LDAP
• CA eTrust

Other Systems
• Application Servers: BEA WebLogic, IBM WebSphere
• ERP/CRM: Peoplesoft, Siebel, SAP, Oracle
• RADIUS: Network Access Devices, Firewalls, Communication Servers

Authentication Systems
• Passwords
• Passwords over SSL
• Forms-based
• X.509 certificates
• Full CRL & OCSP support
• Smart cards
• Two factor tokens
• Method Chaining
• SAML
• Custom methods
• Biometric devices
• Combination of methods

Page 33

Securing Web Services: How is this different?

• Web Applications: User, through a Web client, interacts directly with the application
• Web Services: Local application, acting on behalf of the user, interacts with the Web service application

[Figure: SiteMinder World: Customer, Internet, Web Server, Application, over HTML/HTTP. TransactionMinder World: Web Service Consumer Application, Internet, Web Service Platform, over XML/HTTP, FTP, JMS, MQ,]

SECURITY POLICY (shown for both worlds)
• Authentication – Username/Password, X509 cert, Token
• Authorization – Action on URL & Roles, Group or Entitlements

Page 34

(not so) Future: eTrust™ Security Management Architecture

Page 35

Today’s Limitations

Event correlation is limited by event data
- Hard to correlate different user ids across different hosts

Federation is limited by its externalization

Policy decisions are limited by in-silo session data

Customer must deploy multiple policy infrastructures which all use different policy syntax

Page 36

Sample context management object

[Figure labels: Apache, Tomcat, MQ, CICS, DB2; User context; Apache context; Tomcat context; MQ context; CICS context; Identity; Authentication method; Execution context (Program/application, State information); Rules, Auditing and so on]

Page 37

Conclusion

Identity is a prerequisite for securing and managing eID based applications (as any others)
• Should externalize security and policy from Web services
• Identity binding is done at deployment time, not development time

CA provides an enterprise-wide set of shared Identity and Access Management (IAM) services

Identity lifecycle management

Authentication

Authorization

Audit

Directory

Sessioning / Federation

Page 38

Fast Deployment of IAM (‘AAA’) in Certificate – based Contexts

eID and eTrust SiteMinder

Coexistence

Ir. Guy Duray

Business Technologist

guy.duray@ca.com