SSH Communications Tectia SSH

Similar documents
Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014

Mavenir Systems Inc. SSX-3000 Security Gateway

McAfee Endpoint Encryption

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Intel Security Drive Encryption 7.1.3

Intel Security/McAfee Endpoint Encryption

Zenprise Zenprise RSA Adapter

AirWatch Mobile Device Management

SSH Communications Tectia 6.4.5

Symantec Encryption Desktop

Send documentation comments to

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: November 10, 2011

Configuring Certificate Authorities and Digital Certificates

How to Set Up External CA VPN Certificates

OCSP Client Tool V2.2 User Guide

VMware AirWatch Integration with OpenTrust CMS Mobile 2.0

Workspace ONE UEM Integration with OpenTrust CMS Mobile 2. VMware Workspace ONE UEM 1811

Step-by-step installation guide for monitoring untrusted servers using Operations Manager

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

Dohatec CA. Export/Import Procedure etoken Pro 72K FOR USERS OF ETOKENS [VERSION 1.0]

SECARDEO. certbox. Help-Manual. Secardeo GmbH Release:

Digital Certificates Demystified

CertAgent. Certificate Authority Guide

How to Configure SSL Interception in the Firewall

Using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

PKI Configuration Examples

Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

ms-help://ms.technet.2004apr.1033/ad/tnoffline/prodtechnol/ad/windows2000/howto/mapcerts.htm

Configuring SSL CHAPTER

Key Management and Distribution

CertAgent. Certificate Authority Guide

RSA Secured Implementation Guide For User Management Products

PKI Interoperability Test Tool v1.2 (PITT) Usage Guide

Digital Certificates. About Digital Certificates

RSA SecurID Ready Implementation Guide. Last Modified: March 27, Cisco Systems, Inc.

This chapter describes how to configure digital certificates.

<Partner Name> <Partner Product> RSA SECURID ACCESS. Pulse Secure Connect Secure 8.3. Standard Agent Client Implementation Guide

PKI Trustpool Management

Configuring SSL. SSL Overview CHAPTER

Using SSL to Secure Client/Server Connections

Managing Certificates

KeyA3 Certificate Manager

Automated Court Reporter Application. Digital Signatures

Axway Validation Authority Suite

ISY994 Series Network Security Configuration Guide Requires firmware version Requires Java 1.8+

Configuring SSL. SSL Overview CHAPTER

Server-based Certificate Validation Protocol

SSL Certificates Certificate Policy (CP)

Barracuda Networks SSL VPN

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

TFS WorkstationControl White Paper

How to Set Up VPN Certificates

Public Key Infrastructures. Using PKC to solve network security problems

CERTIFICATE POLICY CIGNA PKI Certificates

UCS Manager Communication Services

Integrating AirWatch and VMware Identity Manager

SSL Certificate Based VPN

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

RSA SecurID Implementation

Public Key Enabling Oracle Weblogic Server

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

Using Microsoft Certificates with HP-UX IPSec A.03.00

SOFTEL Communications Password Reset and Identity Management Suite

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

USER MANUAL FOR SECURE E MAIL MICROSOFT OUTLOOK (2003)

Thales nshield Series

Managing AON Security

Certificate Enrollment for the Atlas Platform

Oracle Oracle Identity Manager 11g

Manage Certificates. Certificates Overview

KeyOne. Certification Authority

Validation Policy r tra is g e R ANF AC MALTA, LTD

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

VMware AirWatch Integration with RSA PKI Guide

App Orchestration 2.6

<Partner Name> RSA SECURID ACCESS Standard Agent Implementation Guide. WALLIX WAB Suite 5.0. <Partner Product>

VMware AirWatch Certificate Authentication for EAS with NDES-MSCEP

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

DoD Wireless Smartphone Security Requirements Matrix Version January 2011

راهنماي استفاده از توکن امنيتي کيا 3 در نرمافزارهاي مبتني بر PKI توکن امنيتي سخت افزاري

Entrust Connector (econnector) Venafi Trust Protection Platform

Configuring Funk Odyssey Software, Avaya AP-3 Access Point, and Avaya

ConnectUPS-X / -BD /-E How to use and install SSL, SSH

Integration Guide. SafeNet Authentication Client. Using SAC CBA for VMware Horizon 6 Client

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Bugzilla ID: Bugzilla Summary:

Securing Mainframe File Transfers and TN3270

Mobile RA - User Guide

Best Practices for Security Certificates w/ Connect

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Configuring the Cisco VPN 3000 Concentrator 4.7.x to Get a Digital Certificate and a SSL Certificate

RSA Validation Solution

Assureon Installation Guide Client Certificates. for Version 6.4

HOB HOB RD VPN. RSA SecurID Ready Implementation Guide. Partner Information. Product Information Partner Name. Last Modified: March 3, 2014 HOB

RSA SecurID Ready Implementation Guide

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

Transcription:

Secured by RSA Implementation Guide for 3rd Party PKI Applications Last Modified: December 8, 2014 Partner Information Product Information Partner Name Web Site Product Name Version & Platform Product Description SSH Communications www.ssh.com Server and Client 6.4.X Windows is the leading end-to-end communications security solution for the enterprise. The solution is based on the SSH Secure Shell and SSH's other industry leading technologies used by millions worldwide. enables secure system administration, secure file transfer and secure application connectivity with centralized management throughout the internal and external network. provides transparent strong encryption and authentication and easily integrates into heterogeneous, multi-platform environments.

Solution Summary Client and Server form an enterprise-class Secure Shell solution for securing system administration, file transfer, and application connectivity in heterogeneous enterprise networks. Tectia SSH Client and Server are based on the IETF standard Secure Shell (version 2) protocol. Client supports using the RSA SID 800 Hybrid Authenticator for PKI certificate based authentication. Client unlocks the RSA SID 800 Hybrid Authenticator with a pre-defined user PIN allowing the certificate to be used for certificate based authentication. - 2 -

Product Requirements Partner Product Requirements: Client CPU No special requirements Memory No special requirements Storage 100 MB free disk space Firmware Version Operating System Platform Various OSes Required Patches Reference the Tectia Client User Manual for specific OSes. Partner Product Requirements: Server CPU No special requirements Memory 1 GB RAM for hundreds of simultaneous tunnels. Storage 100 MB free disk space Firmware Version Reference the TectiaServer_adminManual for specific OSes. Operating System Platform Various OSes Required Patches Reference the TectiaServer_adminManual for specific OSes. Product Configuration for Interoperability Interoperability between the RSA Authenticators and requires the installation of the RSA Authentication Client, Server, Client(s). A PKI smartcard user certificate provisioned from an RSA Certificate Manager is stored on an RSA SID800 Hybrid Authenticator. Before You Begin This section provides instructions for integrating the RSA SID800 Hybrid Authenticator with. The document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. - 3 -

RSA Certificate Manager installable elements RSA Certificate Manager 6.9 RSA Certificate Manager configurable elements Configuration of CRL Publishing 1. Browse to the RSA Certificate Manager Administration. 2. Select CA Operations. 3. Select the appropriate CA and click Local Complete CRL Publishing in the CA Configuration section. 4. Select Enable local Complete CRL publishing and Publish to LDAP server. 5. Click Save Configuration and then OK to change the configuration of the chosen CA. - 4 -

Partner Product Configuration Partner product s installable elements Client/Server version 6.0 or later. Partner product s configurable elements Refer to the RSA Certificate Manager Administrator documentation to ensure the necessary setup for certificate compatibility with Client/Server/ConnectSecure. This includes CRL distribution points, client certificate extensions (e.g. RFC822 email extension) as the server will need to map a certificate attribute to a user account. Configuring User Authentication with Certificates on Windows To configure Tectia Server to allow user authentication with X.509 certificates, perform the following tasks using Tectia Server Configuration GUI: 1. Launch Tectia Server Configuration GUI and select Start > All Programs > Tectia Server > Tectia Server Configuration. - 5 -

2. Under GUI Mode, select Advanced to view all available options and groups. - 6 -

3. Go to the Certificate Validation page and select the CA Certificates tab. 4. Add the trust anchors and intermediate CA certificates that are needed for the certificate validation. Root CA certificates or intermediate CA certificates can be added as trust anchors. Normally you need to add only the CA certificate that can issue certificates for the users into Tectia Server configuration. That is, you need not create the whole trust path in the configuration. Note: CA certificates are by default added to the CA Certificates list as trust anchors, meaning that revocation checks are not performed on them. When adding a new intermediate CA certificate, clear the Trusted CA check box to enable revocation checks. - 7 -

Note: In case you have an LDAP server in use, you only need to add the root CA certificate into the server configuration. Tectia Server can retrieve the intermediate CA certificates that are issued by the root CA certificate automatically from the LDAP server. For example, if Company Users is added as a trust anchor and the intermediate CA certificates are stored in the LDAP, end entities certified by the root or intermediate CA certificates will be trusted. 5. Go to Authentication and select Default Authentication to configure selectors and parameters for the group. Note: This authentication group is available in the default configuration of Tectia Server. 6. On the Selectors tab, enter a name for the authentication group. 7. Leave the selectors list empty, all incoming users are selected into this authentication group and to the authentication method chain. This is the first authentication group that you need to create for the authentication method chain. There will be two authentication groups in the chain. - 8 -

8. On the Parameters tab, make sure that the Allow public-key authentication option is selected. - 9 -

9. Create a child authentication group which will be used to check certain fields from the end user's certificate. That is, you are configuring your selector for the certificates. Click the Add Child button and enter a name for the child authentication group. - 10 -

10. On the Selectors tab of the child authentication group, click the Add Selector button. From the list, select Certificate and click OK. 11. In the Certificate Selector dialog box, select which field on the certificate you wish to authenticate against. - 11 -

12. Enter the pattern in the field. CN=%username-without-domain%, CN=USERS, DC=DEMO, DC=SSH, DC=COM Note:It is extremely important to create a mapping between real OS user accounts and the end users' certificates so that a single end user can only access a single specific OS user account with their personal certificate and not all OS user accounts. For example, if you use subject-name, the pattern could be: - 12 -

13. Once you have made your changes, click OK. - 13 -

14. On the Parameters tab, unselect all authentication methods because the parent authentication group checks whether the public key authentication is successful. 15. Click Apply to save your changes. CRL Checking Mechanism If Server authenticates using certificates and the certificate does not contain the LDAP url as CRL DistributionPoints extension, the location of the LDAP server must be defined on the client side. If the Server user wants to authenticate using certificates, the location of the LDAP server must be defined on the server side. Ensure that you have the Client software installed correctly on the system prior to moving to the configuration steps. 1. Open and select Certificate Validation and then LDAP Servers. - 14 -

2. Click Add and enter LDAP server address. Note: Certificates can only be valid if the issuer is trusted. The issuer can be trusted directly or through path verification. Add Trusted CA certificates into by first exporting them from a web browser and then importing them into Client and/or Server. client s installable elements The RSA Authentication Client is required on each client to insure proper communication between the Client and the RSA SID800 Hybrid Authenticator. client s configurable elements Server-side Certificate Mapping Certificate authentication is a part of the public-key authentication method. It is recommended that you use the Product Guides for setting up the Server and Client. - 15 -

client s CA configuration Exporting the CA Certificate with Microsoft Internet Explorer: 1. Choose Tools -> Internet Options. 2. Click the Content tab. 3. Click Certificates 4. Choose the desired CA certificate(s) under Intermediate Certification Authorities or Trusted Root Certification Authorities. 5. Click the Export button and then Next. 6. Choose the export format to be either DER encoded binary X.509 (.CER) or Cryptographic Message Syntax Standard PKCS #7 (.P7B) and click Next. 7. Specify the name of the file you want to export and then click Next, and Finish. 8. Alternatively the CA certificates can be downloaded from the RSA Certificate Manager Certificate Authority Enrollment Server. 9. Browse to the enrollment page, and choose CA options. 10. From the Save a CA Certificate or a CRL Signer Certificate to a File section select the certificate authority from the drop down menu. 11. Select the format of the certificate to be either PKCS #7 or DER-encoded certificate. 12. Click Save CA Cert Importing CA certificates to Client is described in detail below: Client/ConnectSecure for Windows 1. Open the Tectia Connections Configuration GUI. 2. Select CA Certificates under Server Authentication. 3. Click Add to import required CA certificate(s). Note: If the certificate was exported in the Cryptographic Message Syntax Standard PKCS #7 (.P7B) format, the certificates must be extracted from the package before adding them. This can be done with the ssh-keygen-g3-7 option: > ssh-keygen-g3-7 certfile.p7b - 16 -

User Certificate User Certificate Enrollment 1. Browse to an RSA Certificate Manager enrollment page select the jurisdiction and Continue button. 2. Select Make an End-Entity certificate request. 3. Complete the certificate request form, selecting a Certificate Profile for PKI use, click the Submit button. Note: The RSA Certificate Manager Administrator must create a new Certificate Profile to be used for certificate authentication (RSA Smart Card Authentication). Refer to the RSA Certificate Manager document and the SSH product guide for more details on creating the Certificate Profile and the key requirements for the User Authentication certificate. - 17 -

4. Click OK to start the creation of the certificate. 5. Provide your password/pin for the browser security database, and then click OK. 6. If the request is successful a confirmation page will be displayed. The RSA Certificate Manager will generate a private key and provides steps to download. Export/Import the PKI User Certificate The certificate import is done by first exporting the certificate from the browser and then importing onto the RSA SID 800 Hybrid Authenticator. Use Microsoft Internet Explorer to export the user certificate: 1. Choose Tools -> Internet Options. 2. Click the Content tab. 3. Click Certificates. 4. Choose the desired certificate under Personal. 5. Click Export and then Next. 6. Choose, export the private key and click Next. 7. The certificate can only be imported in PKCS #12 format. Select first and/or third check boxes also if desired and click Next. 8. Type and confirm the password and click Next. 9. Specify the file name, click Next and Finish. Use the RSA Authentication Client to import the certificate onto the RSA SID 800 Hybrid Authenticator: 1. Open the RSA Authentication Client Control Center. 2. Select Import. 3. Browse to the location of the downloaded PKCS#12 certificate file. 4. Select the.pfx file containing the private key and certificate you just exported. 5. Give the password needed for PFX integrity check and click Next. 6. Select Finish to import the users smart card certificate. 7. Enter the Smart card PIN as requested to complete the import. - 18 -

SSH Client Logon and Authentication 1. Initiating an Client session will require the user to input the RSA SID 800 Hybrid Authenticator PIN which will unlock the device and allow the application to use protected user certificate for authentication. - 19 -

Certification Checklist for 3 rd Party Applications Date Tested: December 8, 2014 Product Tested Version Operating System Server 6.4.5 Windows 2008 R2 Client 6.4.6 Windows 7 SP1 RSA Authentication Client 3.6 Windows 7 SP1 RSA SecurID 800 D4 NA Test Case Results Certificate Enrollment P10 Certificate Request P7 Response installed correctly CMP Certificate Request CMP Response installed correctly SCEP Certificate Request SCEP Response installed correctly Import Certificate Import PKCS#12 envelope Import via cut & paste Install Root Certificate via cut/paste Install SubCA Certificate via cut/paste Install Root Certificate via SCEP Install SubCA Certificate via SCEP Verify Certificate chain is installed Certificate Usage Sign Encrypt SSL S/MIME Document and Files SSL Client Authentication SD800 Client Authentication LDAP Support Results Name lookup Certificate retrieval Status Check of Certificate OCSP CRL Other Success with a valid certificate Fails with a revoked certificate Fails with a suspended certificate Pass with a re-instated certificate RSA Remote Authentication Client Access certificates via MS CAPI (Internet Explorer) RAC DRP / PAR = Pass = Fail = Non-Available Function - 20 -

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback