Mavenir Systems Inc. SSX-3000 Security Gateway


Secured by RSA Implementation Guide for 3rd Party PKI Applications
Partner Information
Last Modified: June 16, 2015

Product Information
Partner Name: Mavenir Systems Inc.
Web Site: www.mavenir.com
Product Name: Evolved Packet Data Gateway
Version & Platform: 13.1R6 / ATCA Chassis
Product Description: Designed to support optimized packet processing, high throughput and per-user QoS to provide a transparent user experience regardless of access technology. It provides reliable handling of packet routing and forwarding functions with efficient IPsec tunnel implementation and policy enforcement.

Solution Summary
The Mavenir Systems SSX integrates with the RSA Certificate Manager to secure eNodeB traffic and uses independent registration of signed certificates from the CA (CMPv2 or manual approach). During IPsec session establishment, these certificates are exchanged in order to provide mutual authentication between the eNodeB and the security gateway. Likewise, both entities independently retrieve a copy of the CRL, or use the OCSP protocol, to verify that the received certificate has not been revoked.

Product Requirements

Partner Product / Operating System Requirements:
Partner Product Hardware Requirements:
  Management Card Memory: 2 GB
  Line Card Memory: 16 GB
  Storage: 40 GB
  Firmware Version: Stoke Boot Release 6.0 (2013011510)
  Operating System: Stoke Operating System Release 13.1R6

Product Configuration

Install RSA Certificate Manager
  Version number: RSA Certificate Manager, version 6.9, Build 554
  Special OSI-level privileges: None

RSA Certificate Manager Configuration

Configuration of Certificate Publishing
1. Add a new Extension profile under System Configuration.
2. Create the Root CA certificate and select the above extension profile with Basic PKIX-Compliant End-Entity and Basic PKIX-Compliant CA. Enable the "Requestor can select" and "Vetter can override" options.
3. Once the Root CA is created, in the Jurisdiction configuration, navigate to CMP Auto Vetting and enable the option "Enable auto vetting of CMP requests".

Configuration of CRL Publishing
1. In the CA page, select Generate Complete CRL and generate the CRL.
2. Go to Local Complete CRL Publishing, select Enable and Publish to HTTP Server, and note down the URL.
3. Select Jurisdiction configuration, select CRL distribution point, and add the URL in the "Use the URI" text box using the IP address, e.g. http://172.16.26.4:447/stokeca.crl.

Configuration of OCSP Responder
1. After the configuration of the RSA Validation Manager, configure Delegated OCSP Responder in the extension profile.

Install Mavenir SSX
1. Install the required SSX operating system software version, e.g. Stoke OS Release 13.1R6.

Mavenir Configuration

CRL Checking Mechanism
1. By default, CRL checking is enabled in SSX. When a client certificate is received, SSX downloads the CRL using the CDP (CRL distribution point) in the certificate.
2. SSX contacts the CRL server, downloads the CRL, and populates the CRL table. By default, the refresh interval is 8 hours and can be configured for as low as one hour.

OCSP Checking Mechanism
1. Enabling of the OCSP checking mechanism is done at the phase 1 policy level in peer-authentication.
2. An OCSP profile can also be configured to define the OCSP responder URL.

Trust Validation
1. By default, SSX validates the received certificate by validating the signature on the client certificate using the certificate authority certificate stored locally. There is no explicit configuration that allows skipping trust validation.

Enrollment
1. Automatic via CMPv2: configure the CMPv2 profile specifying the RSA server URL.
2. Manual via copy and paste to the RSA server to get the request signed: create a PKCS#10 request on the device and use copy and paste to obtain a certificate from RSA Certificate Manager.

Product Operation
Functions of S/MIME email:
  Sending signed email: ---
  Sending encrypted email: ---
  Validating signatures: There is no explicit configuration to disable certificate validation (validating signatures). Every received certificate needs to pass through trust validation in order to be considered a valid IKE peer.
  Decrypting email: ---
  Access to certificates via address book: ---
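The trust validation and CRL checking described above, as an added Go example that is neither the SSX's code nor part of the guide: it builds a constructed test PKI (a root CA, one eNodeB certificate carrying a CDP, and a CRL signed by the root that revokes it), a CRL table keyed by CDP URL like the one the gateway populates, and a PeerStatus check that runs trust validation first and only then consults the fetched CRL. The names BuildPKI, CRLTable and PeerStatus are assumptions, and the CDP URL from the guide is reused only as a map key; nothing is fetched over the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const cdpURL = "http://172.16.26.4:447/stokeca.crl" // CDP URL quoted in the guide; used only as a table key
var now = time.Date(2015, 6, 16, 0, 0, 0, 0, time.UTC)
// BuildPKI is constructed test data, not the guide's CA: a root, a peer cert (serial 4711) with a CDP, and a CRL that revokes that serial.
func BuildPKI() (*x509.Certificate, *x509.Certificate, *x509.RevocationList) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	peerPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "stokeca"}, IsCA: true, BasicConstraintsValid: true, NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER) // the parsed copy carries the SubjectKeyId that CRL signing requires
	peerTmpl := &x509.Certificate{SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "enodeb-1"}, NotBefore: now, NotAfter: now.AddDate(0, 3, 0), CRLDistributionPoints: []string{cdpURL}}
	peerDER, _ := x509.CreateCertificate(rand.Reader, peerTmpl, ca, peerPub, caKey)
	peer, _ := x509.ParseCertificate(peerDER)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(8 * time.Hour), // nextUpdate matches the SSX default refresh interval
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4711), RevocationTime: now}}}, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	return ca, peer, crl
}
// CRLTable stands in for the table the gateway fills from each fetched CDP, keyed by the CDP URL.
type CRLTable map[string]*x509.RevocationList
// PeerStatus follows the guide's order: trust validation against the local CA first, then the CDP's CRL; anything short of a CA-signed, current CRL yields "unknown", never a silent pass.
func PeerStatus(peer, ca *x509.Certificate, table CRLTable, at time.Time) string {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return "untrusted" // bad signature, chain or validity period: never accepted as an IKE peer
	}
	var crl *x509.RevocationList
	if len(peer.CRLDistributionPoints) > 0 {
		crl = table[peer.CRLDistributionPoints[0]] // nil until the gateway has fetched this CDP
	}
	if crl == nil || crl.CheckSignatureFrom(ca) != nil || at.After(crl.NextUpdate) {
		return "unknown"
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "valid"
}
```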

RSA Certificate Manager Extension Profile Creation
This step creates a profile for issuing certificates to end users. Various parameters (certificate expiry policy etc.) can be configured here and apply to all certificates issued under this profile.

Root CA Operations
This section provides the user with a means of creating and downloading the CA certificate, to be uploaded to the SSX as well as to any peer device that will validate certificates issued by this CA.

Certificate Generation
Use the configuration below to enable issuing certificates using the CMPv2 protocol.

Certificate Renewal

Certificate Revocation

Mavenir SSX Enrollment
1. Issue the following command to generate a PKCS#10 request, which is then copied into the UI provided by the CA.
   Keywords used in generating the certificate request:
   Context EVAL: Create a certificate request for a context named EVAL. A context is a virtual security gateway.
   Days: Number of days for which the certificate is valid.
   Key length: Size of the key used when generating the private and public keys.
   Format: Format of the certificate request.

2. Copy the certificate request created during enrollment and paste it into the UI provided by the CA.

Certificate Import within Mavenir
The following screen capture demonstrates how a copy of the signed certificate is copied to the device. This certificate was signed by the CA in response to the certificate request.

Status Mechanism within Mavenir
Several CLI commands are provided to check the status of various PKI components. Some of the items whose status you can check are:
1. Certificate add / delete requests
2. CRL add / delete / fetch requests
3. CRL fetch counts
4. Failed CRL verification count
5. OCSP cache list

Status Checking

Certification Checklist for 3rd Party Applications
Date Tested: June 16, 2015

Product                   Operating System   Tested Version
RSA Certificate Manager   Linux              version 6.9
SSX-3000                  Stoke-OS           13.1R6

Test Case                                              Results
Certificate Enrollment
  P10 Certificate Request
  P7 Response installed correctly
  CMP Certificate Request
  CMP Response installed correctly
  SCEP Certificate Request
  SCEP Response installed correctly
Import Certificate
  Import PKCS#12 envelope
  Import via cut & paste
  Install Root Certificate via cut/paste
  Install SubCA Certificate via cut/paste
  Install Root Certificate via SCEP
  Install SubCA Certificate via SCEP
  Verify Certificate chain is installed
Tested Certificate Usage                  Sign   Encrypt   SSL
  S/MIME
  Document and Files
  SSL Client Authentication
LDAP Support                                           Results
  Name lookup
  Certificate retrieval
Status Check of Certificate               OCSP   CRL   Other
  Success with a valid certificate
  Fails with a revoked certificate
  Fails with a suspended certificate
  Pass with a re-instated certificate
RSA Remote Authentication Client (RAC)
  Access certificates via MS CAPI (Internet Explorer)
  DRP / PAR

Result legend: Pass / Fail / Non-Available Function

Appendix

eNodeB: The element in E-UTRA of LTE that is the evolution of the Node B element in UTRA of UMTS. It is the hardware, connected to the mobile phone network, that communicates directly with mobile handsets (UEs), like a base transceiver station (BTS) in GSM networks.

Security Gateway: The primary function of this gateway is to enable simple, seamless, highly secure access for subscribers as they roam between trusted mobile networks and untrusted public networks.

CA (Certificate Authority): Issues, manages, validates, and revokes certificates.

CRL (Certificate Revocation List): This list is checked by the security gateway to determine the status of a certificate.

CMPv2 (Certificate Management Protocol): Protocol used for automating PKI functions such as enrollment and renewal of certificates.

OCSP (Online Certificate Status Protocol): Additional mechanism to check the revocation status of a certificate. No download is required to check the status; an online server responds with the status of the certificate.