ICM LRA Training Manual

Government of Canada

Internal Credential Management Public Key Infrastructure

LRA Training Manual 2009/2010
Version: 4.0


Internal Credential Management
• ICM is a PKI-based credential management service for internal government business that issues and manages unique digital credentials to individuals, applications and devices.


What is PKI?
The combination of protocols, technologies, infrastructure, services, policies and people that define how an organization creates, maintains, distributes and validates public keys and associated information.

• ICM Service Provider (PWGSC)
• ICM Client Organizations
• Key Management Centre (KMC)
• Online Registration and Credential Administration (ORCA)
• myKEY
• National LRA Coordinator
• Local Registration Authority (LRA)
• Certificate Authority


What are PKI Keys?

Private Key
• Protected by the owner
• Kept in the physical possession of the owner
• Used to decrypt messages
• Used to sign messages

Public Key
• Distributed freely and openly
• Kept in public certificate key directory servers
• Used to encrypt messages
• Used to verify signatures

Key Types
• Personal Keys
• Device/Application Keys
• Group Keys


Security and PKI
• Security Elements
• Password Rules
• Securing My Credential


PKI and Security

Access Control
Ensures that only authorized users or processes are permitted to access a given resource

Confidentiality
Protection against unauthorized disclosure of information

Integrity
Ensures information arrives at its intended destination as it was originated

Authentication
Ensures the originator is properly identified

Non-repudiation
Ensures that users cannot deny a transaction that they were involved with


Strong Password Rules
• A minimum of 8 characters
• Must contain one uppercase letter
• Must contain one lowercase letter
• Must contain one digit
• Can contain special characters such as & * % $ # @ !
• Should not contain too many instances of the same character
• Cannot contain a major sub-string of the user profile name (the profile name can be anything; only you will see it)
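As an added example (not part of the manual), the following Python check applies the password rules above to a candidate password. The manual gives no numbers for "too many instances of the same character" or for what counts as a "major sub-string" of the profile name, so the two thresholds below are assumptions.

```python
from collections import Counter
from typing import List

# Assumed thresholds for this example; the manual states the rules but gives no
# figure for "too many instances" or for the size of a "major sub-string".
MAX_SAME_CHAR = 3        # assumed: no character may appear more than 3 times
MAJOR_SUBSTRING_LEN = 4  # assumed: any 4+ character slice of the profile name


def profile_slices(profile_name: str, length: int = MAJOR_SUBSTRING_LEN) -> set:
    """All case-folded slices of the profile name treated as a 'major sub-string'."""
    name = profile_name.casefold()
    return {name[i:i + length] for i in range(len(name) - length + 1)}


def check_password(password: str, profile_name: str) -> List[str]:
    """Return the code of every rule the password breaks; [] means it passes.

    Codes: length, uppercase, lowercase, digit, repeat, profile.
    """
    violations = []
    if len(password) < 8:
        violations.append("length")
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    if not any(c.islower() for c in password):
        violations.append("lowercase")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    # Special characters (& * % $ # @ ! ...) are permitted, so nothing to enforce.
    if password and max(Counter(password).values()) > MAX_SAME_CHAR:
        violations.append("repeat")
    folded = password.casefold()
    if any(s in folded for s in profile_slices(profile_name)):
        violations.append("profile")
    return violations


def is_strong(password: str, profile_name: str) -> bool:
    """True when no rule is broken."""
    return not check_password(password, profile_name)


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the manual.
    for pw in ["Tr0ub4dor&3", "password", "Jsmith2009!", "Aaaa1111bbb"]:
        print(f"{pw!r}: {check_password(pw, 'jsmith') or 'OK'}")
```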


Securing My Credential
• The Credential is protected by security rules
• The Credential is protected with a strong password
• The user protects the password by not divulging it
• The user protects the Credential by storing it in a secure area
• The user protects the Credential by activating it themselves


What is ORCA?
• The Online Registration and Credential Administration (ORCA) solution will provide ICM clients with the ability to issue and manage ID-based Public Key Infrastructure (PKI) certificates (myKEY) in an online session.
• ORCA is an enhancement of the current manual LRA processes.
• During its initial release, ORCA will only be available to employees listed in the Regional Pay System.
• In its first release ORCA will facilitate both creations and recoveries.
• Other credential requests for Contractors, Devices and Groups will be handled using the current manual processes.
• ORCA will be rolled out to Departments in a phased approach beginning this year.
• LRAs will be contacted internally by their organization when ORCA is deployed in their area.


What is myKEY?
• “myKEY” has several aliases such as PKI Key, ID-based Certificate, Entrust Profile or PKI Certificate.
• As part of introducing ORCA, ICM has branded the product with the name “myKEY”.
• “myKEY” has all of the same functionality as the current PKI Key.


What is myKEY used for?
• To securely transfer files
• To securely store information
• To digitally sign documents and financial transactions
• To securely access remote networks
• To authenticate to secured applications


What is an LRA?
• A Local Registration Authority (LRA) is the person who performs PKI Credential issuance duties on behalf of their organization.


What is a Guarantor?
On behalf of the LRA, a Guarantor is responsible and accountable for identifying and authenticating applicants/subscribers by:
• Meeting with the applicant
• Viewing 2 valid pieces of identification, 1 with a photo, both with signatures and valid expiry dates
• Returning the application form to the LRA

A Guarantor can be a Manager/Supervisor or equivalent. A Guarantor is not required to have a PKI certificate. The LRA is responsible for identifying and documenting which person of authority (supervisor, manager) acts as the Guarantor on their behalf.


What is a “Third Party”?
• A Third Party is an ICM subscriber, with active PKI keys, who agrees to securely transfer an Authorization Code from the LRA to the applicant or subscriber.


Putting it all together
Components shown in the overview diagram: Certificate Authority, Processes and Guidelines, PKI Key Management Services, Cross-Certification, Service Desks, Web Services, Directory Services.


LRA Responsibilities
• Each LRA must read the LRA Obligations document and sign the Appointment Certificate, acknowledging that they have read and understood their obligations
• An LRA must respect the obligations imposed in accordance with the processes identified in this document
• Identify and authenticate applicants by viewing 2 pieces of ID, 1 with a photo, both with signatures and valid expiration dates (driver's licence, Government ID, passport)
• Direct applicants to read the PKI “Terms of Use” that are attached to the application form
• Verify, sign and submit requests to the Key Management Centre
• In submitting a subscriber request form to KMC, the LRA certifies that the subscriber has been authenticated in accordance with the processes identified in this document
• Distribute the Authorization Code in accordance with the processes identified in this document
• Notify subscribers of certificate revocation


LRA Responsibilities (continued)
• Ensure all Contractor and Term Certificates are kept active or are revoked when the contract or term ends
• Work with “Guarantors” and “Third Parties” in the identification and authentication of individuals and the release of the Authorization Codes
• Identify a back-up LRA to your subscribers in the event that you will be away
• Notify the LRA Coordinator when you are no longer taking care of the LRA responsibilities and identify your replacement (form available on the ICM website)

Maintaining records of your LRA functions is not required; however, should you wish to maintain records, note that physical and electronic storage should be secured as up to Protected B.
• Physical storage in a locked container appropriate for up to Protected B sensitivity (e.g. locked filing cabinet)
• Electronic storage kept only in encrypted format on the desktop/network
• All transaction records must be destroyed using a commercially available paper shredder producing a strip-cut to a maximum width of 3/8" (10mm)




myKEY - Request Processes
• myKEY – LRA Request
• myKEY – Authorization Code Delivery Method
• myKEY – ORCA Request
• myKEY Recovery – initiated by a Manager or Legal Authority
• myKEY Revocation
• myKEY Distinguished Name Change


myKEY – LRA Request (new and recovery)
1. Applicant and/or LRA completes sections 1 to 4 of the ICM Request Form.
2. LRA completes sections 5 and 6 of the form (and where indicated on the External Subscriber Application and Change Request).
3. LRA physically or digitally signs the form and sends it to the KMC:
   • By fax;
   • By email, once scanned and encrypted; or
   • By email, once completed electronically and encrypted
4. KMC verifies the LRA signature and processes the request.
5. KMC sends the encrypted Authorization Code to the LRA and the Reference Number to the applicant.
6. The LRA or Guarantor authenticates the applicant by verifying 2 pieces of identification, one with a picture, both with signatures and valid expiry dates. The LRA or Third Party provides the Authorization Code to the applicant.



myKEY – Authorization Code Delivery Method
1. The LRA provides the Authorization Code to the subscriber using one of the following approved methods: Face to Face, Registered Mail, Courier, Guarantor or Third Party Trust method.
2. The LRA provides the Authorization Code to the Guarantor or Third Party using one of the following approved methods: Registered Mail, Courier, or Encrypted Mail method.
3. The Guarantor or Third Party provides the Authorization Code to the subscriber using one of the following approved methods: Face to Face, Registered Mail or Courier.


myKEY - ORCA Request (new and recovery)
• ORCA will be available through a web link where applicants can self-perform myKEY creations and recoveries. LRAs will be contacted internally by their organization when ORCA is deployed in their area.



myKEY – Recovery by a Manager / Legal Authority
There may be a requirement where an organization needs to recover a subscriber’s myKEY on an urgent basis, such as:
• Access is required to corporate data after an employee leaves the organization, or
• A departmental or criminal investigation is in progress.
If this situation occurs, the LRA opens a ticket with the PWGSC Operations Service Desk so that it can be processed appropriately.


myKEY - Revocation
1. Subscriber / Manager / LRA encounters a myKEY revocation scenario, e.g.:
   a. Cessation of operation (e.g. myKEY is no longer required by the subscriber)
   b. Subscriber’s termination of employment
   c. myKEY compromise or suspected compromise
2. Subscriber / Manager contacts an LRA to request a key revocation. If the subscriber’s LRA is not available, the request is immediately re-directed to another LRA or to the PWGSC Operations Service Desk.
3. LRA completes the Request Form and sends it to the KMC, either by fax or by encrypted e-mail, requesting revocation.
4. KMC revokes the subscriber’s credential. The subscriber can no longer use myKEY.
5. KMC sends confirmation of the revocation to the LRA by email.
6. The LRA informs the user.


myKEY – Distinguished Name Change
• LRA indicates on the request form the subscriber’s current information.
• LRA indicates on the request form the subscriber’s new information.
• LRA sends the form to the KMC either by fax or electronically.
• KMC notifies the subscriber of the changes and CCs the LRA.


ICM Forms
• ICM Subscriber Application Request Form / Change Request
• ICM Device/Group/Application Credential Request Form / Change Request
• ICM External Subscriber Application Form
• ICM External Subscriber Change Request Form


Troubleshooting Tips
Your Departmental Help Desk is your first point of contact for assistance.

Password Problem
• Ensure the CAPS LOCK key has not been engaged.
• Was the password typed with a French keyboard?
• Has the user deleted all old profiles from the media/drives?
• A password cannot be reset by the KMC (Key Recovery is required).

Communication Errors
• Have you downloaded a new ENTRUST.INI file from the ICM website? (not applicable to ESP users)
• Ensure that two-way communication is allowed through your departmental firewall. The Entrust.INI file indicates the ports and IPs that need to be identified.
• Is the network cable properly connected to the PC/Laptop?
• Were there communication errors while initiating the keys?


Incident Escalation Process
Your departmental Help Desk Support is your first point of contact for assistance.
• Incidents not resolved internally can be reported to the PWGSC Operations Service Desk
  • 7/24
  • (613) 738-7782
• The service desk agent will ask for:
  • Requestor name
  • Department
  • Telephone number
  • Solution urgency
  • Type of problem (communication, password, key compromise)
  • Problem description
  • Error codes

You will be given an Incident Record (IR) number, which you should record and keep until the incident is resolved.


Contact List
• ICM Website: http://www.tpsgc-pwgsc.gc.ca/gji-icm
• Key Management Centre (KMC)
  • Monday - Friday, 7:00 - 16:00 ET
  • Fax: (613) 946-9133
  • E-mail: gcgjicgc.gcicmkmc@tpsgc-pwgsc.gc.ca
  • Group Key for Encryption of forms/e-mails: Group, PKI OPS
• National LRA Coordinator
• PWGSC Operations Service Desk
  • 7/24
  • (613) 738-7782