PKI Security in MapServer using Apache

PKI Security in MapServer using Apache
FOSS4G 2006, EPFL-UNIL, Lausanne, Switzerland
Michael Smith
Engineer Research & Development Center - Remote Sensing/GIS Center
US Army Corps of Engineers, Hanover, NH
michael.smith@erdc.usace.army.mil

About the Corps of Engineers
• 34,600 civilian and 650 military personnel
• USACE provides responsive engineering services to the nation
• Civil Works:
    • Plan, design, build and operate water resources projects
    • Navigation
    • Flood Control
    • Environmental Protection
    • Disaster Response
• Design and manage the construction of military facilities for the Army and Air Force
• Provide design and construction management support for other Defense and federal agencies

Army Engineer Research and Development Center
Sites and laboratories shown on the map slide:
• Alaska Projects Office
• European Research Office
• Anchorage Field Office
• Field Exposure Station
• Columbia River Fisheries Research Facility
• The Dalles Research Facility
• Eau Galle Laboratory
• Cold Regions Research Engineering Laboratory
• Construction Engineering Research Laboratory
• Chemistry Quality Assurance Laboratory
• Topographic Engineering Center
• Field Research Facility
• Trotters Shoals Limnological Research Facility
• Lewisville Aquatic Ecosystems Research Facility
• Big Black Test Facility
• Coastal and Hydraulics Laboratory
• Environmental Laboratory
• Geotechnical and Structures Laboratory
• Information Technology Laboratory

RS/GIS Center Staff Skills & Background (32 Personnel)
• GIS enterprise applications
• Geospatial database organization and development
• GIS business practice applications development
• Image processing
• Sensor evaluation
• Spatial analysis
• Algorithm development/programming
• Emergency management
• Education and training
• Statistical analysis
• Watershed management
• Hydraulic engineering
• Geomorphology
• Forestry
• Computer programming
• Image processing
• Geography
• Database management
• Signal processing
• Electrical engineering
• Ecology
• Economics
• Hydrology
• Meteorology
• Statistics
• Water resources engineering

Business Requirements & Constraints
• Account/password management for thousands of users
• Support for PKI Infrastructure (DoD Common Access Card)
• Strictly Defined Roles and Access
• Formal Release/Version Control & Reporting Mechanism
• 24 x 7 Systems with Fail-Over/Disaster Recovery
• Replication to Secure Networks
• Support Data Calls & Data Snapshots
• Formal Software Development Process
• Distributed Development Teams

What is PKI - Public Key Infrastructure
• PKI is a framework that enables secure transactions to be performed on otherwise non-secure platforms (i.e., the Internet, etc.).
• PKI provides security through the use of a private and public cryptographic key pair.
• The private key is unique to the individual. This private key is issued by a trusted third party known as the certificate authority (CA).
• The public key is freely distributed to other users to be matched with the private key to authenticate the transaction.

More on PKI
• Two factor authentication
    • Something you know
    • Something you have
• Passphrase not sent over net, just decrypts private key
• Since private key sent over net, only use strong encryption: https (TLS, 128-bit ciphers etc)

PKI in the DoD = CAC (Common Access Cards)
• The CAC will serve as the user's PKI token, which means that the ICC located on the CAC will be used to store the user's private key identity
• These certificates are used to access PKI on-card key generation services and applications

Basic Operation
• SSL used as the security/transport mechanism
• Server's identity is verified against the browser's root certificate
• User is authenticated by presenting a client certificate to the server
• Server verifies client by using a Certificate Authority (CA) root certificate

Part of Normal Apache Setup
• Can be placed in a <Location> tag to only affect specific locations
• Can be combined with Allow from/Deny from
• Can be combined with specific client requirements (a single department)
    • SSLRequire
• Several environment variables can be populated by Client
    • SSLOptions +StdEnvVars

Apache Setup
• 1) Point Apache to the Root CA
    • SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca.crt
• 2) Set SSLVerifyClient require
• Set how deep to check for root CA
    • SSLVerifyDepth n

SSL Environment Variables
• SSL_CLIENT_S_DN_CN
    • The client supplied Common Name
    • SMITH.MICHAEL.D.1140324104
• SSL_CLIENT_S_DN_OU
    • The client supplied Organizational Unit
    • DoD
• SSL_CLIENT_V_END
    • When the certificate expires
    • Jul 19 23:59 2009 GMT

Additional Access Controls: SSLRequire
• SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_S_DN_OU} eq "DoD" )

Additional Access Controls: FakeBasicAuth
• Passes SSL_CLIENT_S_DN_CN as basic authorization user name, sets password to "xxj31ZMTZzkVA" (encrypted version of the word "password")
• Use standard .htaccess files to limit to certain subsets of users

If using ReverseProxy
• Make sure you add the SSL Environment variables explicitly to the headers
    • RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
    • RequestHeader set SSL_CLIENT_S_DN_OU %{SSL_CLIENT_S_DN_OU}e
    • RequestHeader set SSL_CLIENT_V_END %{SSL_CLIENT_V_END}e
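Once the proxy forwards the certificate fields as plain request headers, the application behind it sees only text, so it should re-check that text (and the proxy should strip any copy of these headers arriving from the client) rather than trust it as-is. The following back-end check is an added example, not part of the original slides; the header names are the ones the slides forward, while the LAST.FIRST[.MI].EDIPI layout of the Common Name is inferred from the slide's sample value and is an assumption.

```python
import re
from datetime import datetime, timezone

# Back-end check of the certificate fields the Apache reverse proxy forwards as
# request headers. Header names are the ones the slides set with RequestHeader;
# the CN layout LAST.FIRST[.MI].EDIPI is inferred from the slide's sample value
# SMITH.MICHAEL.D.1140324104 (an assumption, not a documented format).
CN_PATTERN = re.compile(r"^([A-Z\-']+)\.([A-Z\-']+)(?:\.([A-Z\-']+))?\.(\d{10})$")
# mod_ssl prints validity dates as ASN.1 time text, e.g. "Jul 19 23:59:59 2009 GMT";
# the slide's variant without seconds is accepted as well.
V_END_FORMATS = ("%b %d %H:%M:%S %Y GMT", "%b %d %H:%M %Y GMT")
REQUIRED_OU = "DoD"


def parse_cn(cn):
    """Split a CAC-style Common Name into (last, first, middle, edipi); None if malformed."""
    m = CN_PATTERN.match(cn.strip())
    if not m:
        return None
    last, first, middle, edipi = m.groups()
    return last, first, middle or "", edipi


def parse_v_end(v_end):
    """Parse SSL_CLIENT_V_END into an aware UTC datetime; None if malformed."""
    for fmt in V_END_FORMATS:
        try:
            return datetime.strptime(v_end.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def authorize(headers, now=None):
    """Return (ok, reason) for a dict of proxy-set headers. Fails closed on any gap."""
    now = now or datetime.now(timezone.utc)
    if headers.get("SSL_CLIENT_S_DN_OU") != REQUIRED_OU:
        return False, "organizational unit missing or not " + REQUIRED_OU
    ident = parse_cn(headers.get("SSL_CLIENT_S_DN_CN", ""))
    if ident is None:
        return False, "common name not in LAST.FIRST[.MI].EDIPI form"
    v_end = parse_v_end(headers.get("SSL_CLIENT_V_END", ""))
    if v_end is None:
        return False, "certificate expiry header missing or malformed"
    if v_end <= now:
        return False, "certificate expired " + v_end.isoformat()
    name = ".".join(part for part in ident[:3] if part)
    return True, "user %s (EDIPI %s)" % (name, ident[3])
```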

MapServer Integration
• Done at Environment or Cookie level for CGI, or use MapScript
• Only certain MapServer parameters accept variable substitution
• Available for
    • DATA
    • TILEINDEX
    • CONNECTION
    • FILTER
• Remember to set DATAPATTERN properly

MapServer Example
• DATA /data/%SSL_CLIENT_S_DN_OU%/nulldata.shp
• STATUS DEFAULT
• Unless Org name passed properly, map won't draw
• Add error page to indicate security issue
• Use FILTER to display subsets of data to different groups
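The DATAPATTERN check that the two MapServer slides above call for, as an added Python example that is not from the slides or from MapServer's own code: it models how a %VAR% substitution into DATA should be gated so that a missing or malformed organizational unit makes the layer fail closed (the slide's "map won't draw" case) instead of reaching the filesystem. The DATA line and the %NAME% token syntax are the slide's; the regular expression is a constructed, deliberately narrow DATAPATTERN.

```python
import re

# Mimics the runtime substitution MapServer performs when a %VAR% token appears
# in DATA, together with the DATAPATTERN gate that must sit in front of it. The
# DATA line and the %NAME% token syntax come from the slide; the regular
# expression below is a constructed, deliberately narrow DATAPATTERN.
DATA_TEMPLATE = "/data/%SSL_CLIENT_S_DN_OU%/nulldata.shp"
# One plain path component only: letters, digits and hyphens, so "/" and ".."
# can never reach the filesystem through the substituted value.
DATAPATTERN = re.compile(r"[A-Za-z0-9\-]+")
TOKEN = re.compile(r"%([A-Z0-9_]+)%")


class SubstitutionError(Exception):
    """Raised when a token is missing or its value fails DATAPATTERN."""


def substitute_data(template, env, pattern=DATAPATTERN):
    """Replace every %VAR% in template from env; each value must match pattern whole."""
    def repl(match):
        name = match.group(1)
        value = env.get(name)
        if value is None:
            raise SubstitutionError("variable %s not supplied" % name)
        # fullmatch, not match: a trailing newline or extra path must not slip past.
        if not pattern.fullmatch(value):
            raise SubstitutionError("value for %s rejected by DATAPATTERN" % name)
        return value
    return TOKEN.sub(repl, template)


def resolve_layer_data(env):
    """Resolved DATA path, or None when the layer must not draw (the slide's
    'map won't draw' case); the caller can serve its error page on None."""
    try:
        return substitute_data(DATA_TEMPLATE, env)
    except SubstitutionError:
        return None
```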

To Summarize: Basic Steps
• Get a CA certificate
• Set SSLCACertificateFile to point to your CA
• Set SSLVerifyClient to require
• Set SSLRequire as necessary to limit access
• Limit access using
    • FakeBasicAuth and/or
    • Setting SSL Environment Variables and/or
    • Setting Session ID variables
• Add variables to MapServer (as necessary)

Questions?

Apache Example
    SSLVerifyClient require
    SSLVerifyDepth 5
    SSLOptions +StdEnvVars
    RequestHeader set REMOTE_HOST %{REMOTE_HOST}e
    RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
    RequestHeader set SSL_CLIENT_S_DN_OU %{SSL_CLIENT_S_DN_OU}e
    RequestHeader set SSL_CLIENT_V_END %{SSL_CLIENT_V_END}e
    SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ and %{SSL_CLIENT_S_DN_OU} eq "DoD" )