How TrustEnabler Works
The Value of TrustEnabler
SSL with mutual authentication allows a web server to authenticate a client using the client’s digital certificate. Current SSL servers have focused on making this technology work with small, hierarchical, and well-defined PKIs. • • • Microsoft IIS: Performs revocation checking; cannot build paths in complex PKIs Netscape/iPlanet/SunONE Web Servers: Some versions perform no revocation checking; others check against local files. Cannot build paths in complex PKIs Apache with mod_ssl: Performs revocation checking against local files; cannot build paths in complex PKIs.
What if your PKI isn’t small, hierarchical, or well-defined? What if your PKI is a member of a larger community, such as the Federal Bridge Certification Authority or the SAFE Bio-Pharma Association? You’ll need a solution which expands the capability provided by standard web servers. TrustEnabler is that solution.
Portions of the TrustEnabler technology are patent pending. TrustEnabler is designed for portability and to run on multiple platforms; it is currently available for Windows, Linux, and certain *NIX installations of the Netscape/iPlanet/SunONE series of web servers, and the Apache 2 web server on Debian Linux.
�How does it work?
The TrustEnabler Explorer starts by mapping out your PKI. It explores the structure of your PKI by starting with your domain trust anchors, and finding all the issuer certificates you’re your domain trusts. It continues to find all trusted issuers throughout your PKI. And, it runs periodically to ensure it captures new trust relationships.
TrustEnabler Explorer mapping out trust relationships
After this exploration is done, TrustEnabler Explorer places the issuers trusted by your PKI into the trust list of your off-the-shelf web server. This allows users from your complex PKI to be considered acceptable to the web server—something that doesn’t happen without TrustEnabler technology.
Without TrustEnabler, our server doesn’t trust the whole PKI…
With TrustEnabler, all users in the PKI can access our server!
The heart of the TrustEnabler system is the TrustEnabler Plugin, which provides an additional level of access control to your web server. The plugin uses the Certificate Management Library (CML) to perform full certification path development and validation against the client’s certificate. Only clients with trusted, valid, and unrevoked certificates are permitted access to the web application—otherwise the session is terminated. Additionally, the plugin provides information from the client’s certificate to the web application, to assist the web application to perform its own access control. Finally, TrustEnabler provides user-friendly documentation on how to set up your web application to use SSL with mutual authentication, and how to install, configure, and use the TrustEnabler components. TrustEnabler is currently available for Apache, Netscape, iPlanet, and SunONE web servers. For more information, visit http://www.trustenabler.com
Gemini Security Solutions, Inc. 4451 Brookfield Corporate Drive Suite 200 Chantilly, Virginia 20151 Telephone: 703-378-5808 Email: trustenabler@geminisecurity.com www.trustenabler.com
�