
               Keon Ready Implementation Guide
                   For PKI-Enabled Applications

                                 3 January, 2000

1. Partner Information
  Partner Name               Netlock Technologies, Inc.
  Web Site         
  Product Name               Netlock Manager, Agents and Gateway
  Version & Platform         V3.1 on Windows NT 4.0
  Product Description        Netlock Manager : Policy configuration component
                             used by administrator to define and maintain security
                             policies for Netlock Agents and Gateways.
                             Netlock Agent: User-transparent, intelligent IPsec
                             (TCP/IP protocol) and IPsec-like (IPX protocol) network
                             security client.
                             Netlock Gateway:
                             IPsec (TCP/IP protocol) network security client that
                             provides Netlock’s network security services for
                             mainframes, legacy systems, and all other network
  Product Type               Security Policy application
  Interaction with Keon      Certificate Server


2. Contact Information

                         Pre-Sales                       Post-Sales
     Name        Hany Sabet                Hany Sabet
     Phone       714.792.1805              714.792.1805

3. Product Requirements

     • Hardware requirements
        Intel-based workstations, Sun SPARC, HP, RS/6000

     • Software requirements
        Microsoft Windows 95, 98, NT 3.51/4.0 Workstation and Server
        Windows 2000 Professional and Server
        Novell NetWare 3.12, 4.x, Sun Solaris 2.5 – 2.8
        HP-UX 10.1x, 10.2x, IBM AIX 4.2, 4.3, Apple Mac OS 8.x, 9.x
        Netlock Gateway version 3.1
        Keon Certificate Server v5.5

4. Product Configuration

  The following is a detailed procedure for importing X.509 certificates from a
  Keon Certificate Server.

  Netlock can use the Keon Root CA (CSR Trusted Root) certificate and
  Keon-issued Agent certificates in place of the normal Manager and Agent
  certificates issued by the Netlock Manager.

  Once the Keon certificates are imported into the Netlock Manager and
  distributed to the Netlock Agents, the Agents use them to authenticate each
  other when negotiating IPsec security associations.

  The procedure in this document consists of the following basic steps:

  1. Import the CSR Trusted Root Certificate from the Keon Certificate Server
     into the Netlock Manager, which distributes it to the Agents in its local
  2. Agents issue PKCS #10 certificate requests through the Netlock Manager,
     which exports them to files.
  3. The Netlock security administrator takes the PKCS #10 requests and posts
     them to the Keon server through its web interface.
  4. The Keon certificate administrator approves and issues the Agent
  5. The Netlock security administrator imports the Agent certificates into the
     Netlock Manager, which distributes them to the respective Netlock Agents.


Initial Configuration for Keon Certificates

  1. Keon Certificate Server. Install and test the Keon Certificate Server on
     the Keon certificate administrator’s computer. Generate the appropriate
     root certificate. Verify the Keon’s web interface for local management and
     remote requests. Verify the Keon software’s interface to the email system
     on the local computer to make sure it can issue certificates via email.

     Ensure that the CSR Trusted Root and IPsec Certificate formats are set to
     Base64 X.509 format. This is the default for the CSR Trusted Root
     certificate, but not for the IPsec certificates.
     Change the IPsec certificate format using the Keon Jurisdiction
     configuration through the web interface on the local computer. This
     configuration cannot be changed remotely.
  2. Netlock Manager. Install the Netlock Manager on the Netlock security
     administrator’s computer. The Keon Certificate Server and Netlock
     Manager can be installed on the same computer, if desired. The Keon
     certificate administrator and the Netlock security administrator may be the
     same person.

     Enter the Netlock license code and other initialization information.
  3. Netlock Agents. Install the Netlock Agent software on the remote Agent
     computers. Create corresponding Agents in the Netlock Manager.

     Be sure the Agents are configured with their Domain Participation field set
     to Cooperative Domain – Published. Select the Configuration tab in the
     Create/Modify Agent window. In the Agent Type box, use the Domain
     Participation pull down menu.

      Be sure the Agents have received their initial certificates and security
      configurations from the Netlock Manager. The Agents should not have
      pending flags displayed in the Netlock Manager. The Netlock Manager
      certificates will be replaced with the Keon certificates below.

Detailed Keon IPsec Certificate Import Procedure
   The following is a detailed procedure required to import and distribute Keon
   IPsec certificates to Netlock Agents:

Importing the Keon CSR Trusted Root (Root CA) Certificate

   0. On the Netlock Manager computer, open a web browser interface to the
      Keon Certificate Server Computer.
   1. Select the correct Jurisdiction and click the Continue button.
   2. Under Trusted Root Services, click on View Server Trusted Root or IPsec
      Trusted Root. (These may be the same. Consult with your Keon certificate
      administrator.) A certificate will be displayed.

3. Select the entire certificate, including the beginning and ending hyphens,
   and copy it to the clipboard.
4. Open a text editor and paste the certificate into a new text file.
5. Save the text file. Use a filename of your choosing, but give it a “.pem”
6. In the Netlock Manager Window, click on the Domains tab.
7. In the Tools menu, select Import CA Certificate…

8. Use the Open dialog box to select your file. Click the open button to
   import the certificate. The certificate will now appear in the Domains list
   with a white pennant.

Exporting Agent Certificate Requests (PKCS #10) to the Keon Certificate Server

9. In the Netlock Manager Window, click on the Agents tab.
    For each Agent that will use a Keon-issued certificate, do steps 11
    through 23.
10. Open the Modify Agent window. (Select the Agent in the list on the right
    side of the Manager Window, then choose File->Modify Agent… or just
    double-click the Agent in the list.)
11. In the Modify Agent window, click the Certificate tab.

12. Click the Export Agent PKCS #10 button. An Export Agent PKCS #10
    dialog box will appear. Choose the PEM Encoded (.pem) Format. This is
    the default setting.

13. Click the Browse button and enter a filename of your choice. Be sure to
    include the .pem extension in your filename, then click the Save button.

14. In the Export Agent PKCS #10 dialog box, review the choices and click
    the OK button.

   (Note: Step 15 is a work-around for a PKCS #10 incompatibility between
   Keon and Netlock. The incompatibility will be fixed in a future release of

15. Using a text editor, change the word-wrap of the data lines between “-----

    Make each data line exactly 64 characters long. On the first line, place the
    cursor after the 64th character, then press Return. The extra characters
    from the first line will move to the beginning of a new second line. Move
    the cursor to the end of the new, short second line and press the Delete
    key to append the beginning of the third line to it. Do not insert any spaces
    or delete any data characters. Rewrap each line in turn to exactly 64
    characters. The last data line will probably be shorter than 64 characters.

    Leave the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END
    CERTIFICATE REQUEST-----” lines untouched. Save your changes.

16. Open the Keon Certificate Server browser window on the Netlock
    Manager computer. If you need to, select the correct Jurisdiction and click
    the Continue button to get to the Subscriber Services for… window.
17. Under Request a Certificate, click Enroll for an IPSec Certificate. The
    IPSec CSR Enrollment for… window will appear.

18. For Step 1, use the CSR By File text field and/or the Browse… button to
    select the PKCS #10 file you edited in step 16.
19. For Step 2, enter a First Name, Last Name, and Email Address. The other
    fields are optional.
20. For Step 3, enter a challenge phrase of your choice.
21. Optionally, you may enter comments for Step 4.
22. At the bottom of the window, click the Accept button to submit your
    request. The Keon Certificate Server will send a “Certificate Request
    Confirmation” email message to your email address, to let you know that
    your request was received.
    (Repeat steps 11 through 23 to export a certificate request for each
    Netlock Agent.)

Issue the certificates at the Keon Certificate Server
23. The Keon certificate administrator uses the Keon Certificate Server to
    approve the certificate requests generated in the previous steps. This step
    is performed on the Keon computer using the local web browser interface.
    The Keon Certificate Server will issue a “Your Certificate is Ready” email
    message to the requesting email address for each .
Receive, Import, and Distribute the Agent Certificates

24. The Netlock security administrator should receive two email messages for
    each Netlock Agent certificate request. The second message (Certificate
    Request Confirmation) contains some descriptive text and the certificate.
    Save each second email message to a separate text file, one text file for
    each Agent’s certificate. Choose any filenames, but give each file a “.pem”
    For each Agent, do steps 26 through 30.

25. Using a text editor, open the .pem certificate file you saved in step 25 and
    delete the descriptive text at the top of the file. Do not change or delete
    the “-----BEGIN CERTIFICATE-----”, data, and “-----END CERTIFICATE-----”
    lines. Bring a copy of the certificate file to the Netlock Manager
    computer, if it is not already there.

26. (The Modify Agent window should still be open from steps 11 through 15.
    Bring it to the front; you can use the Window menu in any Netlock window.
    If the appropriate Modify Agent window is not open, please open it.)
27. In the Modify Agent window, click the Import External Certificate… button.
28. Use the Open dialog box to select your certificate file, then click the Open

29. At this point, the Manager will read the Keon-generated certificate from
    the file and distribute it to the Agent. You can verify that the certificates
    have been properly received by examining the Certificate Information box
    in the Modify Agent window (click the Certificate tab). Note that the
    Certificate Status reads “3rd Party CA” and that the validity dates match
    the certificate dates that the Keon certificate administrator saw on the
    local Keon Certificate Server screen when the certificate request was

Additional Notes, Constraints, and Conclusion

Keon Certificate Expiration

  Just before the Keon-issued certificates expire, the Netlock Agents will
  generate certificate requests to the Netlock Manager. The Netlock Manager
  will use its certificate authority capabilities to issue new certificates to the
  Netlock Agents. To prevent this from happening, do the following:

  1. Issue Keon certificates to your Netlock Agents using the procedure
     described here.
     For each Agent:
  2. Open the Modify Agent window.
  3. Select the Certificate tab.
  4. In the Certificate Lifetime box, enable (check) “Do NOT Issue New
     Certificates After…” and enter today’s date and time. The time does not
     have to be exact.
     Before an Agent’s Certificate Expires:
  5. Be sure you issue new Keon certificates before the old certificates expire.
     If a Netlock Agent’s certificate expires, it will drop all security associations
     and block all secure communications. Secure communications will remain
     blocked until the Netlock Agent receives a valid certificate.
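
Because an expired Agent certificate drops every security association, and
step 4 above disables the Manager's own automatic renewal, the administrator
needs to know well ahead of time which Keon-issued Agent certificates are
about to expire. The following script is an added example, not part of this
guide or of the Netlock or Keon software. It reads the notBefore/notAfter
validity of a Base64 X.509 certificate (the format the guide sets in the Keon
Jurisdiction) with a minimal DER walker and reports the Agents whose
certificates expire within WARN_DAYS. WARN_DAYS is an assumed lead time, not a
value from the guide, and build_sample_cert_pem produces a constructed,
certificate-shaped DER (empty names, no signature) only so the example runs
offline; it is not a real certificate.

```python
import base64
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal lead time; not a value from the guide


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed value into its list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out


def parse_utctime(text):
    """UTCTime 'YYMMDDHHMMSSZ' with the RFC 5280 century rule (50-99 -> 19xx)."""
    yy = int(text[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    stamp = datetime.strptime(f"{year}{text[2:]}", "%Y%m%d%H%M%SZ")
    return stamp.replace(tzinfo=timezone.utc)


def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                          # UTCTime
        return parse_utctime(text)
    if tag == 0x18:                          # GeneralizedTime
        stamp = datetime.strptime(text, "%Y%m%d%H%M%SZ")
        return stamp.replace(tzinfo=timezone.utc)
    raise ValueError(f"unexpected time tag 0x{tag:02x}")


def certificate_validity(pem_text):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate ->
    validity, skipping the optional [0] version element when present."""
    body = "".join(line for line in pem_text.splitlines()
                   if line and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    (_, certificate), = _children(der)
    tbs_fields = _children(_children(certificate)[0][1])
    if tbs_fields[0][0] == 0xA0:             # [0] EXPLICIT version present
        tbs_fields = tbs_fields[1:]
    # tbs_fields is now: serialNumber, signature, issuer, validity, ...
    not_before, not_after = _children(tbs_fields[3][1])
    return _parse_time(*not_before), _parse_time(*not_after)


def days_until_expiry(pem_text, now=None):
    now = now or datetime.now(timezone.utc)
    return (certificate_validity(pem_text)[1] - now).days


def agents_needing_renewal(agent_certs, now=None, warn_days=WARN_DAYS):
    """agent_certs maps Agent name -> PEM text; return the Agents whose
    certificate expires within warn_days (or already has)."""
    return sorted(name for name, pem in agent_certs.items()
                  if days_until_expiry(pem, now) <= warn_days)


def _der(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def build_sample_cert_pem(not_before, not_after):
    """Constructed sample: certificate-shaped DER (v3, serial 1, empty
    placeholder names and algorithms, dummy signature) carrying the two
    UTCTime strings given. Not a real or verifiable certificate."""
    def utc(text):
        return _der(0x17, text.encode("ascii"))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                # version v3
        _der(0x02, b"\x01"),                            # serialNumber
        _der(0x30, b""),                                # signature algorithm
        _der(0x30, b""),                                # issuer Name
        _der(0x30, utc(not_before) + utc(not_after)),   # validity
        _der(0x30, b""),                                # subject Name
        _der(0x30, b""),                                # subjectPublicKeyInfo
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"


if __name__ == "__main__":
    certs = {"agent-a": build_sample_cert_pem("010109120000Z", "020109120000Z"),
             "agent-b": build_sample_cert_pem("010109120000Z", "030109120000Z")}
    print("renew:", agents_needing_renewal(certs, now=parse_utctime("011230120000Z")))
```

In use, agent_certs would be filled from the .pem files saved in step 24, and
the script run on a schedule; an Agent listed by agents_needing_renewal should
go through steps 10 through 29 again before its notAfter date so that it never
drops its security associations.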

Keon CRLs

Using a debug version of the Netlock Manager, the author successfully parsed a
Keon CRL. See Additional Notes at the bottom of this paper for further details.

Keon-generated CRLs can be read using a debug version of the Netlock

Otherwise, the Netlock Manager rejects the CRL due to a possible format error in
the Keon CRL. A one-line change to the Netlock Manager code will allow it to
read the Keon CRL. Netlock and RSA engineers will work together to determine
the best solution to this problem for our mutual customers’ benefit.
Keon CRLs cannot be extracted directly from the Keon Server. Instead, Netscape
directory software is used as an intermediary to extract the CRL information. At
Netlock, we have a batch file that performs the CRL extraction. The CRL
generation procedure will be described in a separate engineering note.

5. Certification Checklist

Keon Certificate Server Version: v5.5

Keon Security Server & Desktop Version: NA

Product Version Tested: 3.1                  Date: Tuesday, January 09, 2001

  Test Case                                         Personal   Server   IPSec

  PKCS#10 Enrollment via CSR:
    Generate PKCS#10 Request                                   Pass     Pass
    Process PKCS#10 Request                                    Pass     Pass

  Automated Enrollment:
    Request Certificate via CEP or CRS
    Process Certificate Request

  Manual Enrollment:
    Request Certificate                                        Pass
    Process Certificate Request                                Pass

  Import Certificate:
    Import PKCS#7 Certificate
    Import PKCS#12 envelope
    Import via cut & paste                                     Pass     Pass
    View & verify Certificate                                  Pass     Pass
    Install trusted root Certificate

  Certificate Usage:
    Use certificate for authentication                         Pass     Pass
    Use certificate for encryption                             Pass     Pass

  LDAP Support (if applicable):
    Name lookup & certificate retrieval                        Pass
    Revocation recognized via CRL

  Keon Desktop Support (if applicable):
    Import certificate via PKCS#12
    Access certificates via MS CSP
    Access certificates via PKCS#11
    Revoked certificates enforced

                                          P=Pass X=Fail N/A=Non-available function

7. Known Problems

  CRL Checking will be incorporated in the Point Release in January, 2001.

