Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)
Richard Bullington-McGuire presented this talk on PKI enabling web applications for the DoD at the 2009 MIL-OSS conference:

http://www.mil-oss.org/

It is a case study that shares some of the challenges and solutions surrounding the implementation of the Forge.mil system.

August 12, 2009
Richard Bullington-McGuire, Director of Technology, Three Pillar Software
http://threepillarsoftware.com/
Kevin Hourihane, Principal Collaborative Development Consultant, CollabNet
http://www.collab.net/
Enabling Web Apps for DoD Security via PKI/CAC Enablement
Presentation for MIL-OSS 2009 http://www.mil-oss.org/

Introduction
- Forge.mil Public Key Enablement of CollabNet TeamForge
- Faced many challenges
- Many solutions may be reusable
- Not a "how-to" or "everything you wanted to know"
- Sharing "lessons learned"

You're here because...
- You are considering PKI enabling your DoD web app
- You are having issues with implementation
- You want to know how Open Source helped us
- Other reasons? (Please speak up)

Why use Public Key Enablement?
- You have to: Executive Directives
  - Homeland Security Presidential Directive-12
  - DoD Directive 8500
  - Application Security STIG: comply or you'll never go live
- You want to: Key benefits
  - Better security through centralized X.509 CA authentication
  - Eliminates password management headaches
  - Easy to revoke a compromised identity through CRLs

PKE Challenges
- Legacy systems use user names and passwords
- Adapting these systems to use certificates is difficult
- COTS integration: may need to wrap black-box systems
- Mapping certificates to principals has many tricky issues
- Cryptography library integration may be needed

Certificate Challenges
- Multiple identity mediums pose challenges
- Common Access Card (CAC) smart cards on NIPRNet
  - Government employees and some contractors get these DoD-issued certs
  - Smart card middleware on client computers mediates the SSL handshake
- Soft certificates only on SIPRNet; smart cards coming soon

More Certificate Challenges
- ECA certificates (mostly software) for contractors
  - Issuers: Verisign, IdenTrust, Operational Research Consultants
  - Format of subject DNs varies; no EDIPI on ECA certificates
  - Frequent denial of service for Verisign ECA users due to the annoyingly short expiration time on the Verisign ECA CRL, and flakiness of crl.gds.disa.mil
- Getting ECA certificates
  - Pay $100
  - Provide notarized forms
  - Wait 1-2 weeks for issuance

Certificate-to-Identity mapping
- Where's the unique ID?
- Why not use EDIPI?
  - No: not in ECA certs
  - Privacy concerns
- Subject and Issuer DN are insufficient
  - Need the serial # also, to record distinct certs

    $ # show JITC certificate for "Jon Jones"
    $ openssl pkcs12 -clcerts -nokeys -in Good.p12 | openssl x509 -text | less
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 12356 (0x3044)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD JITC CA-19
            Validity
                Not Before: Sep 16 16:39:58 2008 GMT
                Not After : Sep 17 16:39:58 2011 GMT
            Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=Contractor, CN=Jones.Jon.1234567890
Forge.mil internal architecture
Deployment Architecture: Key Systems and Concepts
[Architecture diagram; the recoverable labels:]
- Forge.mil User, with X.509 client certificate (CAC/ECA)
- CollabNet TeamForge on Red Hat Enterprise Linux 5
- Open Source foundation: Apache HTTPD, mod_ssl, mod_python, JBoss, Tomcat, Subversion, Lucene, Apache James, PostgreSQL
- Key insight: intercept the request at the Apache module level for PKI & SSO enablement
- software.forge.mil: Application Server
- svn.forge.mil: Integration Server
- Single Sign On (SSO) Database; Application Database

Forge.mil PKE: HTTPD modules
[Component diagram; PKE changes to the baseline are listed in italics in the original. The recoverable labels:]
- software.forge.mil / svn.forge.mil (Application Server or Integration Server), on Red Hat Enterprise Linux 5 under VMware ESXi
- Client -> Server: https / TCP 443. All client software must use client cert auth:
  - Web browsers (IE, Firefox)
  - Subversion clients (DAV over https)
  - Custom SOAP clients
  - External System (via SOAP), with an X.509 server cert reused as client cert
- Apache HTTPD (http proxy + SOAP to JBoss) with mod_python modules:
  - sfauth (svn auth)
  - sf_sso: looks up cert->user mappings in the SSO db
  - sf_pki: calls the TeamForge login() method via SOAP using the master password, then redirects the user through an alternate login path accepting username + session ID
- JBoss (on App server only): Web Rendering, SOAP Server, JAAS module: masterpassword.jar
- JBoss -> Tomcat: Java RMI. Tomcat hosts James Mail, Lucene Indexes, SCM viewer (on integration server)
- Server -> Database: PostgreSQL / TCP 5432. PostgreSQL 8.2 databases (SSO Database, Application Database) on separate RHEL 5 VMs
Development Challenges
- Both server-side and client-side work was required
- Apache httpd and mod_ssl (server-side)
  - Authenticates via the SSL handshake, exports SSL variables
  - Handles CRLs (beware the 1GB+ CRL memory footprint)
- mod_python (server-side)
  - Provides access to the SSL variables
  - SOAP clients SOAP.py and SUDS allow calls into the JBoss layer

Subversion Client Development
- Subversion modified for smart card authentication (PKCS#11 support)
- Work complete:
  - Windows command line
  - Subclipse
  - jsvn
- Ongoing challenges:
  - Linux command line (CoolKey bug, GnuTLS version clash), Mac command line, new TortoiseSVN versions

Critical Cryptography Stacks
- Open Source cryptography libraries = big win
- Low-level crypto
  - Present: OpenSSL, GnuTLS. Future: NSS
- Web Server and Client SSL / HTTPS APIs
  - Apache mod_ssl, neon, Python libhttp, Java PKCS#11
- Smart Card integration
  - Windows Crypto API / PKCS#11 / CoolKey / ActivClient
- Python language support
  - mod_python, m2crypto, m2secret

Forge.mil Agile Approach
- Agile development process:
  - Fast-maturing application needs a fast development team
  - 1-2 week iterations
  - Embrace changes in requirements
  - Find the biggest integration wins fast, deliver high-value items first
  - Deliver incrementally, test continuously
- Results: Key capabilities in place in 6 weeks
  - Dev team started software.forge.mil work on Nov 10, 2008, and delivered key PKI enablement features (client and server) by Dec 19, 2008
  - Go-live (LOA) on Jan 23, 2009 with 1:1 cert->user mapping
  - Admin tools for many-to-1 cert management and SSO delivered later

Dealing with Change
- People will ultimately change certificates
  - CAC certs expire in 3 years, ECA in 1 year
  - People's names change (e.g. by marriage), but people don't
- Map certificates to users: many-to-one mapping
- Admin tools needed to support changes
  - Mapping request support and management console
  - User account request, review and approval process
  - User self service: request to change/add a mapping
- Shortcut to automatic mapping: match EDIPI or (subject DN + issuer DN), record the new cert, and notify admins

SSO implementation
- SSO challenges
  - Interoperable systems should share the same user store
  - There is no centralized, mandated way to do this yet
  - OpenLDAP & cert-based authentication: more work required to prove out the integration path
- Pull model chosen for the Forge.mil SSO capability
  - Central PostgreSQL database stores SSO user mappings
  - Single user name space in the SSO DB identifies principals
  - Users are demand-loaded into the local Forge.mil instance
  - If an enrolled certificate exists in the SSO database, that principal gets registered locally on the first visit
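The mapping rules from the "Certificate-to-Identity mapping" slide (issuer DN + serial identifies a certificate, EDIPI only on DoD certs), the cert->user lookup that sf_sso performs, and the automatic-mapping shortcut from "Dealing with Change" (match EDIPI or subject DN + issuer DN, record the new cert, notify admins), worked through as an added Python example. This is not Forge.mil's sf_sso/sf_pki code. It consumes the variables mod_ssl really exports to a handler when SSLOptions +StdEnvVars is set (SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL, SSL_CLIENT_VERIFY); the SsoStore class, the user names jjones and jsmith, the "Example ECA" issuer, and the 'auto-edipi'/'auto-dn' labels are assumptions made for illustration.

```python
"""Certificate-to-principal mapping of the kind the Forge.mil slides describe.

Input is the environment mod_ssl exports to a handler with SSLOptions +StdEnvVars:
SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL and SSL_CLIENT_VERIFY are real
mod_ssl variable names. The store, user names and sample certs are constructed here.
"""
import re
from dataclasses import dataclass, field

# DoD-issued certs carry the EDIPI as the last dotted CN component
# ("Jones.Jon.1234567890"); ECA certs do not carry one at all.
EDIPI_RE = re.compile(r"\.(\d{10})$")


def parse_dn(dn):
    """Parse either DN form mod_ssl emits: legacy '/C=US/O=x' or 'C=US,O=x'.
    Values with an unescaped '/' or ',' are not handled; production code should
    parse the certificate itself (SSL_CLIENT_CERT) rather than this flat string."""
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    out = []
    for part in parts:
        if "=" in part:
            k, v = part.split("=", 1)
            out.append((k.strip(), v.strip()))
    return tuple(out)


def edipi_of(subject):
    """EDIPI from a parsed subject DN, or None for ECA-style subjects."""
    cn = next((v for k, v in subject if k == "CN"), "")
    m = EDIPI_RE.search(cn)
    return m.group(1) if m else None


def cert_key(env):
    """Issuer DN plus serial identifies one certificate. Subject alone does not:
    a CAC holds several certs with the same subject, and a renewed cert keeps the
    subject but gets a new serial. mod_ssl reports the serial in hex."""
    return (parse_dn(env["SSL_CLIENT_I_DN"]), int(env["SSL_CLIENT_M_SERIAL"], 16))


@dataclass
class SsoStore:
    """Stand-in for the central SSO database: many certificates -> one user name."""
    by_cert: dict = field(default_factory=dict)   # cert_key -> username
    by_edipi: dict = field(default_factory=dict)  # EDIPI -> username
    by_dn: dict = field(default_factory=dict)     # (subject, issuer) -> username
    admin_notices: list = field(default_factory=list)

    def enroll(self, username, env, auto=False):
        """Record one certificate for a user (admin approval or auto-mapping)."""
        subject, issuer = parse_dn(env["SSL_CLIENT_S_DN"]), parse_dn(env["SSL_CLIENT_I_DN"])
        self.by_cert[cert_key(env)] = username
        self.by_dn[(subject, issuer)] = username
        edipi = edipi_of(subject)
        if edipi:
            self.by_edipi[edipi] = username
        if auto:  # the slides' shortcut: record the new cert and tell the admins
            self.admin_notices.append((username, env["SSL_CLIENT_M_SERIAL"]))

    def resolve(self, env):
        """Return (username, how); how is 'known', 'auto-edipi', 'auto-dn' or 'unmapped'."""
        if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":  # defence in depth next to SSLVerifyClient require
            raise PermissionError("no verified client certificate")
        key = cert_key(env)
        if key in self.by_cert:
            return self.by_cert[key], "known"
        subject, issuer = parse_dn(env["SSL_CLIENT_S_DN"]), parse_dn(env["SSL_CLIENT_I_DN"])
        edipi = edipi_of(subject)
        if edipi in self.by_edipi:  # same person, new CAC or renewed DoD cert
            self.enroll(self.by_edipi[edipi], env, auto=True)
            return self.by_edipi[edipi], "auto-edipi"
        if (subject, issuer) in self.by_dn:  # renewed ECA cert: same DNs, new serial
            self.enroll(self.by_dn[(subject, issuer)], env, auto=True)
            return self.by_dn[(subject, issuer)], "auto-dn"
        return None, "unmapped"  # caller redirects to the mapping-request page


# Constructed sample environments. The first is the JITC test certificate shown on
# the "Certificate-to-Identity mapping" slide; the ECA issuer is invented.
JITC_CERT = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=Contractor/CN=Jones.Jon.1234567890",
    "SSL_CLIENT_I_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD JITC CA-19",
    "SSL_CLIENT_M_SERIAL": "3044",
}
JITC_RENEWED = dict(JITC_CERT, SSL_CLIENT_I_DN="C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC CA-20",
                    SSL_CLIENT_M_SERIAL="1F")
ECA_CERT = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "C=US,O=Example ECA,OU=Contractor,CN=Jane Smith",  # no EDIPI
    "SSL_CLIENT_I_DN": "C=US,O=Example ECA,CN=Example ECA Software CA",
    "SSL_CLIENT_M_SERIAL": "0A1B",
}
ECA_RENEWED = dict(ECA_CERT, SSL_CLIENT_M_SERIAL="0A1C")


def demo():
    """Walk the four cases; returns (list of resolve() results, admin notice count)."""
    store = SsoStore()
    store.enroll("jjones", JITC_CERT)  # the 1:1 mapping the system went live with
    results = [store.resolve(JITC_CERT), store.resolve(JITC_RENEWED), store.resolve(ECA_CERT)]
    store.enroll("jsmith", ECA_CERT)   # admin approves the mapping request
    results.append(store.resolve(ECA_RENEWED))
    return results, len(store.admin_notices)


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```

The SSL_CLIENT_VERIFY check only matters when the vhost uses SSLVerifyClient optional; with SSLVerifyClient require, httpd has already rejected anything that reaches the handler without a chain-validated certificate. Either way, CRL checking (SSLCARevocationFile / SSLCARevocationPath) stays in mod_ssl, so a revoked certificate never reaches the mapping code at all.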
Open Source tools: opportunities and challenges (part 1)
- Core open source components made for a win:
  - Apache httpd, mod_ssl, OpenSSL, mod_python, m2crypto, Suds, SOAP.py, Key Manager
- RPM: a huge win for packaging application extensions
- RHEL 5: a great foundation; look to Fedora 7+ for SRPMS if you need a newer version of a library
- Python: a good tool for extending systems
  - Short test cycles, reasonable library availability, fast maturing as an integration tool
  - Limited support for SSL and PKI calls in core libraries
  - Multiple imperfect SOAP libraries; beware of their limitations

Open Source tools: opportunities and challenges (part 2)
- PostgreSQL
  - Good integration characteristics overall
  - Client certificate authentication support just released in 8.4
- Subversion
  - Almost all clients support soft certificates out of the box
  - Driving PKCS#11 / smart card support into client apps is a continuing challenge
  - TortoiseSVN reverted their support, present in 1.5.4 & 1.5.5
  - Subclipse-CAC & jsvn & Windows CLI now on software.forge.mil

Useful Information
- JITC PKI team: http://jitc.fhu.disa.mil/pki/
  - JITC test certs are very useful for interoperability testing
- Smart Card resources
  - ActivClient: http://www.actividentity.com/products/activclient_family__home.php
- Run your own OpenSSL CA: http://sial.org/howto/openssl/ca/
- Key Manager: https://addons.mozilla.org/en-US/firefox/addon/4471
- Sun Java PKCS#11 Provider: http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
- Python SUDS / HTTPS client cert auth: http://threepillarsoftware.com/soap_client_auth
- SoftwareForge.mil projects
  - Subversion: https://software.forge.mil/sf/projects/subversion
  - Community CAC: https://software.forge.mil/sf/projects/community_cac

Any Questions?