Secured by RSA Implementation Guide for 3rd Party PKI Applications

Partner Information
Last Modified: June 16, 2015

Product Information
Partner Name: Mavenir Systems Inc.
Web Site: www.mavenir.com
Product Name: Evolved Packet Data Gateway
Version & Platform: 13.1R6 / ATCA Chassis
Product Description: Designed to support optimized packet processing, high throughput and per-user QoS to provide a transparent user experience regardless of access technology. It provides reliable handling of packet routing and forwarding functions with efficient IPSec tunnel implementation and policy enforcement.
Solution Summary
The Mavenir Systems security gateway integrates with the RSA Certificate Manager to secure eNodeB traffic, using independent registration of signed certificates from the CA (CMPv2 or manual approach). During IPSec session establishment, these certificates are exchanged in order to provide mutual authentication between the eNodeB and the security gateway. Likewise, both entities independently retrieve a copy of the CRL, or use the OCSP protocol, to verify that the received certificate has not been revoked.
- 2 -
Product Requirements

Partner Product / Operating System Requirements:

Partner Product Hardware Requirements:
Management Card Memory: 2 Gb
Line Card Memory: 16 GB
Storage: 40 Gb
Firmware Version: Stoke Boot Release 6.0 (2013011510)
Operating System: Stoke Operating System Release 13.1R6

Product Configuration

Install RSA Certificate Manager
Version number: RSA Certificate Manager, version 6.9, Build 554
Special OSI-level privileges: None

RSA Certificate Manager Configuration

Configuration of Certificate Publishing
1. Add a new Extension profile under System Configuration.
2. Create the Root CA certificate and select the above extension profile with Basic PKIX-Compliant End-Entity and Basic PKIX-Compliant CA. Enable the "Requestor can select" and "Vetter can override" options.
3. Once the Root CA is created, open the Jurisdiction configuration, navigate to CMP Auto Vetting, and enable the option "Enable auto vetting of CMP requests".

Configuration of CRL Publishing
1. In the CA page, select Generate Complete CRL and generate the CRL.
2. Go to Local Complete CRL Publishing, select Enable and Publish to HTTP Server, and note down the URL.
3. Open the Jurisdiction configuration, select CRL Distribution Point, and add the URL (with the IP address) in the "Use the URI" text box, e.g. http://172.16.26.4:447/stokeca.crl.

Configuration of OCSP Responder
1. After configuring the RSA Validation Manager, configure the Delegated OCSP Responder in the extension profile.
Install Mavenir SSX
1. Install the required SSX operating system software version, e.g. Stoke OS Release 13.1R6.

Mavenir Configuration

CRL Checking Mechanism
1. By default, CRL checking is enabled in SSX. When a client certificate is received, SSX downloads the CRL using the CDP (CRL distribution point) carried in the certificate.
2. SSX contacts the CRL server, downloads the CRL, and populates the CRL table. By default, the refresh interval is 8 hours and can be configured for as low as one hour.

OCSP Checking Mechanism
1. The OCSP checking mechanism is enabled at the Phase 1 policy level under peer-authentication.
2. An OCSP profile can also be configured to define the OCSP responder URL.

Trust Validation
1. By default, SSX validates a received certificate by verifying the signature on the client certificate with the certificate authority certificate stored locally. There is no explicit configuration that allows skipping trust validation.

Enrollment
1. Automatic via CMPv2: configure the CMPv2 profile, specifying the RSA server URL.
2. Manual via copy and paste to the RSA server to get it signed: create a PKCS#10 request on the device and use copy and paste to obtain a certificate from RSA Certificate Manager.

Product Operation

Functions of S/MIME email
Sending signed email: ---
Sending encrypted email: ---
Validating signatures: There is no explicit configuration to disable certificate validation (validating signatures). Every received certificate needs to pass trust validation in order to be considered a valid IKE peer.
Decrypting email: ---
Access to certificates via address book: ---
RSA Certificate Manager Extension Profile Creation
This step creates a profile for issuing certificates to end users. Various parameters (certificate expiry policy, etc.) can be configured here and apply to all certificates issued under this profile.
Root CA Operations
This section provides the user with a means of creating and downloading the CA certificate, to be uploaded to SSX as well as to any peer device that will be validating certificates issued by this CA.

Certificate Generation
Use the configuration below to enable issuing certificates using the CMPv2 protocol.
Certificate Renewal

Certificate Revocation
Mavenir SSX Enrollment
1. Issue the following command to generate a PKCS#10 request, to be copied into the UI provided by the CA.

Keywords used in generating the certificate request:
Context EVAL: Create a certificate request for a context named EVAL. A context is a virtual security gateway.
Days: Number of days for which the certificate is valid.
Key length: Size of the key used when generating the private and public keys.
Format: Format of the certificate request.
2. Copy the certificate request created during enrollment and paste it into the UI provided by the CA.
Certificate Import within Mavenir
The following screen capture demonstrates how a copy of the signed certificate is copied to the device. This certificate is the one signed by the CA in response to the certificate request.
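The manual enrollment and import steps above (PKCS#10 request, CA signing, import of the signed certificate) and the CRL checking mechanism described under Mavenir Configuration can be walked through end to end with a throw-away CA. The script below is an added example, not part of the RSA or Mavenir documentation: it assumes only the openssl command-line tool, constructs its own CA, subject names and lifetimes, reuses the guide's CDP URL in the issued certificate, and shows the revocation check accepting the certificate before revocation and rejecting it afterwards.

```shell
# Added example, not from the RSA/Mavenir guide: a throw-away CA, a PKCS#10
# request for context EVAL, a certificate carrying the guide's CDP URI, and a
# CRL check that passes before revocation and fails after it. Assumes only the
# openssl CLI; names, paths and lifetimes are constructed for the demo.
CDP_URI="http://172.16.26.4:447/stokeca.crl"   # CRL URL quoted in the guide
setup_ca() {
  # fresh working directory plus the minimal "openssl ca" database
  # (index.txt, crlnumber) needed to record revocations and issue a CRL
  WORK=$(mktemp -d)
  touch "$WORK/index.txt"; echo 1000 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 1
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
enroll_peer() {
  # PKCS#10 request (2048-bit key, PEM format) for context EVAL, then CA signing
  # for 30 days with the CDP extension the gateway follows to fetch the CRL
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=EVAL" -outform PEM \
    -keyout "$WORK/eval.key" -out "$WORK/eval.p10" 2>/dev/null
  printf 'crlDistributionPoints=URI:%s\n' "$CDP_URI" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/eval.p10" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -out "$WORK/eval.crt" 2>/dev/null
}
publish_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}
revoke_peer() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/eval.crt" 2>/dev/null
  publish_crl
}
check_peer() {
  # returns 0 only if eval.crt chains to the CA and its serial is not on the CRL
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
    "$WORK/eval.crt" >/dev/null 2>&1
}
setup_ca; enroll_peer; publish_crl
check_peer && echo "valid certificate: accepted"
revoke_peer; check_peer || echo "revoked certificate: rejected"
```

On the real gateway the CRL is fetched from the CDP URL rather than passed on the command line, but the verification outcome is the same: a serial present on a validly signed CRL fails the check.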
Status Mechanism within Mavenir
Several CLI commands are provided to check the status of the various PKI components. Some of the items whose status you can check are:
1. Certificate add / delete requests
2. CRL add / delete / fetch requests
3. CRL fetch counts
4. Failed CRL verification count
5. OCSP cache list

Status Checking
Certification Checklist for 3rd Party Applications
Date Tested: June 16, 2015

Product: RSA Certificate Manager; Operating System: Linux; Tested Version: 6.9
Product: SSX-3000; Operating System: Stoke-OS; Tested Version: 13.1R6

Test Case Results

Certificate Enrollment
- P10 Certificate Request
- P7 Response installed correctly
- CMP Certificate Request
- CMP Response installed correctly
- SCEP Certificate Request
- SCEP Response installed correctly

Import Certificate
- Import PKCS#12 envelope
- Import via cut & paste
- Install Root Certificate via cut/paste
- Install SubCA Certificate via cut/paste
- Install Root Certificate via SCEP
- Install SubCA Certificate via SCEP
- Verify Certificate chain is installed

Tested Certificate Usage (Sign / Encrypt / SSL)
- S/MIME
- Document and Files
- SSL Client Authentication

LDAP Support
- Name lookup
- Certificate retrieval

Status Check of Certificate (OCSP / CRL / Other)
- Success with a valid certificate
- Fails with a revoked certificate
- Fails with a suspended certificate
- Pass with a re-instated certificate

RSA Remote Authentication Client
- RAC
- Access certificates via MS CAPI (Internet Explorer)
- DRP / PAR

Legend: Pass / Fail / Non-Available Function
Appendix

eNodeB: The element in E-UTRA of LTE that is the evolution of the Node B element in UTRA of UMTS. It is the hardware connected to the mobile phone network that communicates directly with mobile handsets (UEs), like a base transceiver station (BTS) in GSM networks.

Security Gateway: The primary function of this gateway is to enable simple, seamless, highly secure access for subscribers as they roam between trusted mobile networks and untrusted public networks.

CA (Certificate authority): Issues, manages, validates, and revokes certificates.

CRL (Certificate revocation list): This list is checked by the security gateway to determine the status of a certificate.

CMPv2 (Certificate management protocol): Protocol used for automating PKI functions such as enrollment and renewal of certificates.

OCSP (Online certificate status protocol): Additional mechanism to check the revocation status of a certificate. No CRL download is required; an online server responds with the status of the certificate.