Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)

Richard Bullington-McGuire presented this talk on PKI enabling web applications for the DoD at the 2009 MIL-OSS conference:

http://www.mil-oss.org/

It is a case study that shares some of the challenges and solutions surrounding the implementation of the Forge.mil system.


  1. August 12, 2009
     Richard Bullington-McGuire, Director of Technology, Three Pillar Software, http://threepillarsoftware.com/
     Kevin Hourihane, Principal Collaborative Development Consultant, CollabNet, http://www.collab.net/
     Enabling Web Apps for DoD Security via PKI/CAC Enablement
     Presentation for MIL-OSS 2009, http://www.mil-oss.org/
  2. Introduction
     - Forge.mil Public Key Enablement of CollabNet TeamForge
     - Faced many challenges
     - Many solutions may be reusable
     - Not a "how-to" or "everything you wanted to know"
     - Sharing "lessons learned"
  3. You're here because…
     - You are considering PKI enabling your DoD web app
     - You are having issues with implementation
     - You want to know how Open Source helped us
     - Other reasons? (Please speak up)
  4. Why use Public Key Enablement?
     - You have to: Executive Directives
       - Homeland Security Presidential Directive-12
       - DoD Directive 8500
       - Application Security STIG: comply or you'll never go live
     - You want to: Key benefits
       - Better security through centralized x509 CA authentication
       - Eliminates password management headaches
       - Easy to revoke a compromised identity through CRLs
  5. PKE Challenges
     - Legacy systems use user names and passwords
     - Adapting these systems to use certificates is difficult
     - COTS integration: may need to wrap black-box systems
     - Mapping certificates to principals has many tricky issues
     - Cryptography library integration may be needed
  6. Certificate Challenges
     - Multiple identity mediums pose challenges
     - Common Access Card (CAC) smart cards on NIPRNet
       - government employees, some contractors get these DoD issued certs
       - Smart card middleware on client computers mediates SSL handshake
     - Soft certificates only on SIPRNet, smart cards coming soon
  7. More Certificate Challenges
     - ECA certificates (mostly software) for contractors
       - Issuers: Verisign, IdenTrust, Operational Research Consultants
       - Format of subject DNs varies, no EDIPI on ECA certificates
       - Frequent DoS for Verisign ECA users due to annoyingly short expiration time on Verisign ECA CRL, and flakiness of crl.gds.disa.mil
     - Getting ECA certificates
       - Pay $100
       - Provide notarized forms
       - Wait 1-2 weeks for issuance
  8. Certificate-to-Identity mapping
     - Where's the unique ID?
     - Why not use EDIPI?
       - No, not in ECA certs
       - Privacy concerns
     - Subject and Issuer DN are insufficient
       - Need serial # also, to record distinct certs

         $ # show JITC certificate for "Jon Jones"
         $ openssl pkcs12 -clcerts -nokeys -in Good.p12 | openssl x509 -text | less
         Certificate:
             Data:
                 Version: 3 (0x2)
                 Serial Number: 12356 (0x3044)
                 Signature Algorithm: sha1WithRSAEncryption
                 Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD JITC CA-19
                 Validity
                     Not Before: Sep 16 16:39:58 2008 GMT
                     Not After : Sep 17 16:39:58 2011 GMT
                 Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=Contractor, CN=Jones.Jon.1234567890
  9-21. Forge.mil internal architecture: Deployment Architecture, Key Systems and Concepts (diagram labels)
     - Forge.mil User, with x509 Client Certificate (CAC/ECA)
     - CollabNet TeamForge on Red Hat Enterprise Linux 5
       - Open Source foundation: Apache HTTPD, mod_ssl, mod_python, JBoss, Tomcat, Subversion, Lucene, Apache James, PostgreSQL
       - Key insight: intercept request at Apache module level for PKI & SSO enablement
     - software.forge.mil: Application Server; svn.forge.mil: Integration Server
     - Single Sign On (SSO) Database; Application Database
     - On the Application Server or Integration Server: Apache HTTPD, Application Database, JBoss (on App server only)
       - JBoss: Web Rendering, SOAP Server, JAAS module: masterpassword.jar
     - Client -> Server: https / TCP 443
     - Apache HTTPD -> JBoss: http proxy + SOAP
     - mod_python modules:
       - sfauth (svn auth)
       - sf_sso: looks up cert->user mappings in SSO db
       - sf_pki: calls TeamForge login() method via SOAP using master password, redirects user through alternate login path accepting username + session ID
     - Client Software: Web browsers (IE, Firefox), Subversion clients (DAV over https), Custom SOAP clients; all must use client cert auth.
     - JBoss -> Tomcat: Java RMI
     - Server -> Database: PostgreSQL / TCP 5432
     - Tomcat: James Mail, Lucene Indexes, SCM viewer (on integration server)
     - External System (via SOAP) w/ x509 Server Cert, reused as Client Cert
     - PostgreSQL 8.2 databases on separate RHEL 5 VMs
     - Red Hat Enterprise Linux 5 on VMware ESXi
     - PKE changes to baseline are listed in italics
     - Forge.mil PKE: HTTPD modules
  22. Development Challenges
     - Both server-side and client-side work was required
     - Apache httpd and mod_ssl (server-side)
       - authenticate via SSL handshake, extract SSL variables
       - Handle CRLs (beware 1GB+ CRL memory footprint)
     - mod_python (server-side)
       - provides access to SSL variables
       - SOAP clients SOAP.py and SUDS allow calls into JBoss layer
  23. Subversion Client Development
     - Subversion modified for smart card authentication (PKCS#11 support)
     - Work complete: Windows command line, Subclipse, jsvn
     - Ongoing challenges: Linux command line (CoolKey bug, GnuTLS version clash), Mac command line, TortoiseSVN new versions
  24. Critical Cryptography Stacks
     - Open Source cryptography libraries = big win
     - Low-level crypto: Present: OpenSSL, GnuTLS; Future: NSS
     - Web Server and Client SSL / HTTPS APIs: Apache mod_ssl, neon, Python libhttp, Java PKCS#11
     - Smart Card integration: Windows Crypto API / PKCS#11 / CoolKey / ActivClient
     - Python language support: mod_python, m2crypto, m2secret
  25. Forge.mil Agile Approach
     - Agile development process:
       - Fast-maturing application needs fast development team
       - 1-2 week iterations
       - Embrace changes in requirements
       - Find biggest integration wins fast, deliver high-value items first
       - Deliver incrementally, test continuously
     - Results: Key capabilities in place in 6 weeks
       - Dev team started software.forge.mil work on Nov 10, 2008, delivered key PKI enablement features (client and server) by Dec 19, 2008.
       - Go-live (LOA) on Jan 23, 2009 with 1:1 cert->user mapping
       - Admin tools for many-to-1 cert management and SSO delivered later
  26. Dealing with Change
     - People will ultimately change certificates
       - CAC certs expire in 3 years, ECA in 1 year
       - People's names change (e.g. by marriage), but people don't
     - Map certificates to users: many-to-one mapping
     - Admin tools needed to support changes
       - Mapping request support and management console
       - User account request, review and approval process
       - User self service: request to change/add mapping
     - Shortcut to automatic mapping: match EDIPI or (subjectdn+issuerdn), record new cert, and notify admins
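The identity-mapping rules from slides 8 and 26 (record issuer DN + subject DN + serial number per certificate, map many certificates to one user, and auto-map a new certificate on EDIPI match or subject+issuer DN match, then notify admins) worked through as an added example. This is not Forge.mil or TeamForge code: the parser reads the text form that `openssl x509 -text` prints, the store is an in-memory stand-in for the SSO database, and every certificate, issuer and user name other than the slide's JITC test certificate is constructed sample data.

```python
"""Certificate-to-identity mapping (added example, not Forge.mil/TeamForge code).

Parses `openssl x509 -text` output and keeps a many-to-one cert -> user mapping with
the automatic-mapping shortcut from the slides: match EDIPI, else subject DN + issuer DN,
record the new cert, notify admins. All certificates and user names are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertIdentity:
    issuer: str
    subject: str
    serial: int
    edipi: Optional[str]  # 10-digit DoD ID from the CN; absent on ECA certs

    @property
    def key(self) -> Tuple[str, str, int]:
        # Subject + issuer alone cannot tell a renewed cert from the old one; add the serial.
        return (self.issuer, self.subject, self.serial)


# DoD CNs look like "Last.First.1234567890"; the trailing 10 digits are the EDIPI.
_EDIPI_RE = re.compile(r"CN=[^,/]*\.(\d{10})(?:$|,)")


def parse_cert_text(text: str) -> CertIdentity:
    """Extract issuer, subject, serial and (if present) EDIPI from `openssl x509 -text` output."""
    raw = re.search(r"Serial Number:\s*([0-9a-fA-F:]+)", text).group(1)
    # Short serials print as decimal ("12356 (0x3044)"), long ones as colon-separated hex.
    serial = int(raw.replace(":", ""), 16) if ":" in raw else int(raw)
    issuer = re.search(r"^\s*Issuer:\s*(.+)$", text, re.M).group(1).strip()
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M).group(1).strip()
    m = _EDIPI_RE.search(subject)
    return CertIdentity(issuer, subject, serial, m.group(1) if m else None)


class CertMappingStore:
    """Many-to-one certificate -> user mapping (the SSO database on the slides)."""

    def __init__(self) -> None:
        self._entries: List[Tuple[CertIdentity, str]] = []
        self.admin_notices: List[str] = []  # stand-in for "notify admins"

    def enroll(self, cert: CertIdentity, username: str) -> None:
        """Record a cert for a user (admin console / approved mapping request)."""
        if self.lookup(cert) is None:
            self._entries.append((cert, username))

    def lookup(self, cert: CertIdentity) -> Optional[str]:
        """Exact match on (issuer, subject, serial): this cert was enrolled before."""
        return next((u for c, u in self._entries if c.key == cert.key), None)

    def certs_for(self, username: str) -> List[CertIdentity]:
        return [c for c, u in self._entries if u == username]

    def resolve(self, cert: CertIdentity) -> Optional[str]:
        """Exact match first, then the automatic-mapping shortcut; None sends the
        user to the account request / admin approval workflow instead."""
        user = self.lookup(cert)
        if user is not None:
            return user
        match = self._auto_match(cert)
        if match is None:
            return None
        user, reason = match
        self.enroll(cert, user)  # record the new cert ...
        self.admin_notices.append(f"auto-mapped serial {cert.serial} to {user} by {reason}")  # ... and notify
        return user

    def _auto_match(self, cert: CertIdentity) -> Optional[Tuple[str, str]]:
        # 1. Same EDIPI: survives renewals and name changes (DoD-issued certs only).
        if cert.edipi is not None:
            for known, user in self._entries:
                if known.edipi == cert.edipi:
                    return user, "EDIPI"
        # 2. Same subject DN + issuer DN: the fallback for ECA certs, which carry no EDIPI.
        for known, user in self._entries:
            if (known.subject, known.issuer) == (cert.subject, cert.issuer):
                return user, "subject+issuer DN"
        return None


def _cert_text(issuer: str, subject: str, serial: int) -> str:
    """Constructed stand-in for the relevant lines of `openssl x509 -text` output."""
    return (f"Certificate:\n    Data:\n        Version: 3 (0x2)\n"
            f"        Serial Number: {serial} ({hex(serial)})\n"
            f"        Issuer: {issuer}\n        Subject: {subject}\n")


DOD_CA = "C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD JITC CA-19"
DOD_SUBJ = "C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=Contractor, CN="
ECA_CA = "C=US, O=Example ECA Vendor, CN=Example ECA CA"  # constructed, not a real issuer
JON_2008 = _cert_text(DOD_CA, DOD_SUBJ + "Jones.Jon.1234567890", 12356)  # the slide's JITC cert
JON_2011 = _cert_text(DOD_CA, DOD_SUBJ + "Smith.Jon.1234567890", 40961)  # renewal after a name change
ANN_ECA_1 = _cert_text(ECA_CA, "C=US, O=Example Contractor Inc, CN=Ann Example", 7001)
ANN_ECA_2 = _cert_text(ECA_CA, "C=US, O=Example Contractor Inc, CN=Ann Example", 7002)  # yearly renewal
STRANGER = _cert_text(ECA_CA, "C=US, O=Example Contractor Inc, CN=Unknown Person", 7003)


def run_mapping_demo() -> dict:
    store = CertMappingStore()
    store.enroll(parse_cert_text(JON_2008), "jjones")  # the 1:1 mappings from go-live
    store.enroll(parse_cert_text(ANN_ECA_1), "aexample")
    return {
        "jon_renewed": store.resolve(parse_cert_text(JON_2011)),   # "jjones": EDIPI match, new CN
        "ann_renewed": store.resolve(parse_cert_text(ANN_ECA_2)),  # "aexample": DN match, no EDIPI
        "stranger": store.resolve(parse_cert_text(STRANGER)),      # None: needs the request workflow
        "jon_cert_count": len(store.certs_for("jjones")),          # 2: many-to-one
        "notices": list(store.admin_notices),
    }
```

Calling `run_mapping_demo()` shows why the serial number belongs in the record: Jon's renewed certificate has the same EDIPI but a different CN and serial, so only the EDIPI rule maps it; Ann's ECA renewal has no EDIPI, so the subject+issuer rule carries it; and the unknown ECA holder matches nothing and is left for the admin-reviewed request workflow. Each automatic mapping leaves an admin notice, which is the audit hook the slide asks for.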
  27. SSO implementation
     - SSO challenges
       - Interoperable systems should share the same user store
       - There is no centralized, mandated way to do this yet
       - OpenLDAP & cert-based authentication: more work required to prove out integration path
     - Pull model chosen for Forge.mil SSO capability
       - Central PostgreSQL database stores SSO user mappings
       - Single user name space in SSO DB identifies principals
       - Users are demand-loaded into local Forge.mil instance
       - If an enrolled certificate exists in the SSO database, that principal gets registered locally on the first visit
     8/10/2009
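The pull-model SSO flow from slide 27, together with the Apache-level interception from the architecture diagram (sf_sso looks up the certificate in the central SSO database, sf_pki logs the user in through TeamForge's master-password path and redirects with username + session ID), as an added example. It is not the Forge.mil modules: `SSL_CLIENT_VERIFY`, `SSL_CLIENT_I_DN`, `SSL_CLIENT_S_DN` and `SSL_CLIENT_M_SERIAL` are the real mod_ssl variable names (exported to handlers with `SSLOptions +StdEnvVars`), but the SSO store, the local instance, its `login()` stand-in, the master password value and the `/alt-login` redirect path are all constructed for the example. The one practical detail it shows beyond the slide is DN normalization: mod_ssl presents DNs as `/C=US/O=...` while the records on slide 8 come from `openssl x509 -text` in `C=US, O=...` form, and a lookup that compares the raw strings silently never matches.

```python
"""Apache-level PKI + SSO interception with a pull-model SSO store.

Added example, not the Forge.mil sf_pki / sf_sso modules. Models what a handler inside
Apache sees after mod_ssl has finished the client certificate handshake: the SSL_CLIENT_*
variables mod_ssl exports with `SSLOptions +StdEnvVars`. The central SSO database maps
certificates into a single user name space; a local instance demand-loads the user on
first visit. TeamForge's SOAP login() is replaced by a constructed stand-in.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

DnTuple = Tuple[Tuple[str, ...], ...]


def normalize_dn(dn: str) -> DnTuple:
    """Canonical form for a DN in mod_ssl's form ('/C=US/O=X/CN=Y') or openssl's text form
    ('C=US, O=X, CN=Y'), so records made from one can be matched against the other.
    Simplified: escaped separators inside attribute values are not handled."""
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    return tuple(tuple(p.strip().split("=", 1)) for p in parts if p.strip())


class CentralSsoDb:
    """Central store: (issuer DN, subject DN, serial) -> user name in the single SSO namespace."""

    def __init__(self) -> None:
        self._map: Dict[Tuple[DnTuple, DnTuple, int], str] = {}

    def enroll(self, issuer_dn: str, subject_dn: str, serial: int, username: str) -> None:
        self._map[(normalize_dn(issuer_dn), normalize_dn(subject_dn), serial)] = username

    def lookup(self, issuer_dn: str, subject_dn: str, serial: int) -> Optional[str]:
        return self._map.get((normalize_dn(issuer_dn), normalize_dn(subject_dn), serial))


class LocalInstance:
    """One Forge.mil instance (e.g. software.forge.mil) with its own user table."""

    def __init__(self, master_password: str) -> None:
        self.users: Dict[str, dict] = {}
        self.demand_loads = 0
        self._master_password = master_password  # the JAAS master-password module's secret

    def ensure_user(self, username: str) -> None:
        """Pull model: register the SSO principal locally on first visit, never twice."""
        if username not in self.users:
            self.users[username] = {"source": "sso"}
            self.demand_loads += 1

    def login(self, username: str, master_password: str) -> str:
        """Stand-in for TeamForge's SOAP login(): a session ID for an existing local user."""
        if master_password != self._master_password or username not in self.users:
            raise PermissionError("login refused")
        return secrets.token_hex(16)


@dataclass
class Decision:
    action: str                     # "login", "enroll" or "reject"
    username: Optional[str] = None
    redirect: Optional[str] = None  # alternate login path taking username + session ID
    reason: str = ""


def authenticate_request(env: Dict[str, str], sso: CentralSsoDb,
                         local: LocalInstance, master_password: str) -> Decision:
    """What the Apache-module layer does with one request, given mod_ssl's variables."""
    # mod_ssl already verified the chain and CRLs; trust nothing unless it reports SUCCESS.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return Decision("reject", reason="no verified client certificate")
    serial = int(env["SSL_CLIENT_M_SERIAL"], 16)  # mod_ssl exports the serial in hex
    user = sso.lookup(env["SSL_CLIENT_I_DN"], env["SSL_CLIENT_S_DN"], serial)
    if user is None:
        return Decision("enroll", reason="certificate not enrolled in the SSO database")
    local.ensure_user(user)                          # demand load on first visit
    session_id = local.login(user, master_password)  # sf_pki-style login via master password
    # "/alt-login" is a hypothetical path for the alternate login entry point.
    return Decision("login", user, "/alt-login?" + urlencode({"username": user, "session": session_id}))


# Constructed sample: the slide's JITC test certificate as mod_ssl would present it.
JITC_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD JITC CA-19",
    "SSL_CLIENT_S_DN": "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=Contractor/CN=Jones.Jon.1234567890",
    "SSL_CLIENT_M_SERIAL": "3044",  # 12356 decimal, as on the slide
}
MASTER = "constructed-master-password"


def run_sso_demo() -> dict:
    sso = CentralSsoDb()
    # Enrolled from the openssl text form; requests arrive in mod_ssl's slash form.
    sso.enroll("C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD JITC CA-19",
               "C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=Contractor, CN=Jones.Jon.1234567890",
               12356, "jjones")
    local = LocalInstance(MASTER)
    first = authenticate_request(JITC_ENV, sso, local, MASTER)
    second = authenticate_request(JITC_ENV, sso, local, MASTER)
    unknown = authenticate_request({**JITC_ENV, "SSL_CLIENT_M_SERIAL": "3045"}, sso, local, MASTER)
    unverified = authenticate_request({**JITC_ENV, "SSL_CLIENT_VERIFY": "NONE"}, sso, local, MASTER)
    return {
        "first": first.action, "second": second.action,  # "login" both times
        "demand_loads": local.demand_loads,              # 1: registered once, then reused
        "unknown": unknown.action,                       # "enroll"
        "unverified": unverified.action,                 # "reject"
        "redirect_has_session": "session=" in (first.redirect or ""),
    }
```

The handler never reads the certificate itself; it relies on mod_ssl having required and verified the client certificate (`SSL_CLIENT_VERIFY` is `SUCCESS` only then), which is the "intercept at the Apache module level" insight from the diagram. `run_sso_demo()` shows the demand load happening exactly once across two visits, an unenrolled serial being sent to the enrollment workflow rather than refused outright, and an unverified request being rejected before any database lookup.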
  28. Open Source tools: opportunities and challenges (part 1)
     - Core open source components made for a win: Apache httpd, mod_ssl, OpenSSL, mod_python, m2crypto, Suds, SOAP.py, Key Manager
     - RPM: a huge win for packaging application extensions
     - RHEL 5: a great foundation; look to Fedora 7+ for SRPMs if you need a newer version of a library
     - Python: a good tool for extending systems
       - short test cycles, reasonable library availability, fast maturing as an integration tool
       - Limited support for SSL and PKI calls in core libraries
       - Multiple imperfect SOAP libraries; beware of limitations
  29. Open Source tools: opportunities and challenges (part 2)
     - PostgreSQL
       - good integration characteristics overall
       - client certificate authentication support just released in 8.4
     - Subversion
       - Almost all clients support soft certificates out of the box
       - Driving PKCS#11 / smart card support into client apps is a continuing challenge
       - TortoiseSVN reverted their support, present in 1.5.4 & 1.5.5
       - Subclipse-CAC & jsvn & Windows CLI now on software.forge.mil
  30. Useful Information
     - JITC PKI team: http://jitc.fhu.disa.mil/pki/
       - JITC test certs are very useful for interoperability testing
     - SmartCard Resources
       - ActivClient http://www.actividentity.com/products/activclient_family__home.php
     - Run your own OpenSSL CA http://sial.org/howto/openssl/ca/
     - Key Manager https://addons.mozilla.org/en-US/firefox/addon/4471
     - Sun Java PKCS#11 Provider http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
     - Python SUDS / HTTPS client cert auth: http://threepillarsoftware.com/soap_client_auth
     - SoftwareForge.mil projects
       - Subversion https://software.forge.mil/sf/projects/subversion
       - Community CAC https://software.forge.mil/sf/projects/community_cac
  31. Any Questions?
