Learning Center
Plans & pricing Sign in
Sign Out

ICM LRA Training Manual - PowerPoint


									Government of Canada
Internal Credential Management
Public Key Infrastructure

LRA Training Manual

Version: 4.0

Internal Credential Management

•   ICM is a PKI based credential management service
    for internal government business that issues and
    manages unique digital credentials to individuals,
    applications and devices.

     What is PKI?

The combination of protocols, technologies, infrastructure, services
policies and people that define how an organization maintains,
distributes, creates, and validates public keys and associated

 •    ICM Service Provider (PWGSC)
 •    ICM Client Organizations
 •    Key Management Centre (KMC)
 •    Online Registration and Credential Administration (ORCA)
 •    myKEY
 •    National LRA Coordinator
 •    Local Registration Authority (LRA)
 •    Certificate Authority

      What are PKI Keys?

          Private Key                              Public Key

• Protected by owner                  • Distributed freely and openly
• Kept in physical possession of      • Kept in public certificate key
  owner                                 directory servers
• Used to decrypt messages            • Used to encrypt messages
• Used to sign messages               • Used to verify signatures

                        Key Types
                       • Personal Keys
                       • Device/Application Keys
                       • Group Keys

Security and PKI

•   Security Elements
•   Password Rules
•   Securing My Credential

PKI and Security

   Confidentiality                                      Access Control

                                                            Ensures that only
      Protection against                                   authorized users or
                                                         processes are permitted
    unauthorized disclosure
        of information                                      to access a given

                              Ensures information
                              arrives to its intended
                              destination as it was

  Authentication                    originated

                                                         Ensures that users cannot
   Ensures originator is                                  deny a transaction that
    properly identified                                   they were involved with

Strong Password Rules

•   A minimum of 8 characters
•   Must contain one uppercase letter
•   Must contain one lowercase letter
•   Must contain one digit
•   Can contain special characters such as & * % $ #
•   Should not contain too many instances of the
    same character
•   Cannot contain a major sub-string of the user
    profile name (Profile name can be anything - only
    you will see it)

 Securing My Credential

 The Credential is protected by security rules
 The Credential is protected with a strong password
 The user protects the password by not divulging it
 The user protects the Credential by storing it in a secure
 The user protects the Credential by activating it

What is ORCA?

•   The Online Registration and Credential Administration (ORCA)
    solution will provide ICM clients with the ability to issue and
    manage ID-based Public Key Infrastructure (PKI) certificates
    (myKEY) in an online session.
•   ORCA is an enhancement of the current manual LRA processes.
•   During it’s initial release, ORCA will only be available to
    employees listed in the Regional Pay System.
•   In it’s first release ORCA will facilitate both creations and
•   Other credential requests for Contractors, Devices and Groups
    will be handled using the current manual processes.
•   ORCA will be rolled out to Departments in a phased approach
    beginning this year.
•   LRAs will be contacted internally by their organization when
    ORCA is deployed in their area.

What is myKEY?

•   “myKEY” has several aliases such as PKI Key, ID-
    based Certificate, Entrust Profile or PKI Certificate.
•   As part of introducing ORCA, ICM has branded the
    product with the name “myKEY”.
•   “myKEY” has all of the same functionalities as the
    current PKI Key.

What is myKEY used for?

•   To securely transfer files
•   To securely store information
•   To digitally sign documents and financial
•   To securely access remote networks
•   To authenticate to secured applications

What is an LRA?

•   A Local Registration Authority (LRA) is the person
    who performs PKI Credential issuance duties on
    behalf of their organization.

What is a Guarantor?

    On behalf of the LRA, a Guarantor is responsible and
           accountable to identify and authenticate
                   applicants/subscribers by:
•   Meeting with the applicant
•   Viewing 2 valid pieces of identification, 1 with a photo,
    both with signatures and valid expiry dates.
•   Return application form to the LRA
•   A Guarantor can be a Manager/Supervisor or
A Guarantor is not required to have a PKI certificate.
The LRA is responsible for identifying and documenting
   which person of authority (supervisor, manager) acts
   as the Guarantor on their behalf.

What is a “Third Party”?

•   A Third Party is an ICM subscriber, with active PKI
    keys, who agrees to securely transfer an
    Authorization Code from the LRA to the applicant
    or subscriber.

   Putting it all together

               Certificate              Cross-
               Authority                Certificatio
                                  PKI   n                        Desks
LRAs/ORCA                   Key Mgmt Services
                                                        Web Services
            Processes and
                                   Directory Services

LRA Responsibilities
•   Each LRA must read the LRA Obligations document and sign the
    Appointment Certificate, acknowledging that they have read
    and understood their obligations
•   An LRA must respect the obligations imposed in accordance
    with the processes identified in this document
•   Identify and authenticate applicants by viewing 2 pieces of ID,
    1 with a photo, both with signatures and valid expiration dates.
    (Drivers license, Government ID, Passport)
•   Direct applicants to read the PKI “Terms of Use” that are
    attached to the application form.
•   Verify, sign and submit requests to Key Management Centre
•   In submitting a subscriber request form to KMC, the LRA
    certifies that the subscriber has been authenticated in
    accordance with the processes identified in this document
•   Distribute Authorization Code in accordance with the processes
    identified in this document
•   Notify subscribers of certificate revocation

                                                           continued …

LRA Responsibilities

•   Ensure all Contractor and Term Certificates are kept active or are revoked
    when contract or term ends.
•   Work with “Guarantors” and “Third Parties” in the Identification and
    Authentication of individuals and the release of the Authorization Codes.
•   Identify a back-up LRA to your subscribers in the event that you will be
•   Notify the LRA Coordinator when you are no longer taking care of the LRA
    responsibilities and identify your replacement (form available on the ICM
•   Maintaining records of your LRA functions is not required however, should
    you wish to maintain records, note that physical and electronic storage
    should be secured as up to Protected B.
           Physical storage by locked container appropriate for up to
              Protected B sensitivity (e.g. locked filling cabinet).
           Electronic storage kept only in encrypted format on the
•   All transaction records must be destroyed using a commercially available
    paper shredder producing a strip-cut to a maximum width of 3/8" (10mm).

myKEY - Request Processes

•   myKEY – LRA Request
•   myKEY – Authorization Code Delivery Method
•   myKEY – ORCA Request
•   myKEY Recovery – initiated by a Manager or
    Legal Authority
•   myKEY Revocation
•   myKEY Distinguished Name Change

     myKEY – LRA Request (new and recovery)
1.    Applicant and/or LRA completes section 1 to 4 of the ICM Request Form.
2.    LRA completes section 5 and 6 of the form (and where indicated on External
      Subscriber Application and Change Request).
3.    LRA physically or digitally signs the form and sends it to the KMC.
      •    By fax;
      •    By email, once scanned and encrypted; or
      •    By email, once completed electronically and encrypted
4.    KMC verifies the LRA signature and processes the request.
5.    KMC sends the encrypted Authorization Code to the LRA and the Reference
      Number to the applicant.
6.    The LRA or Guarantor authenticates the applicant by verifying 2 pieces of
      identification, one with a picture, both with signatures and valid expiry
7.    The LRA or Third Party provides the Authorization Code to the applicant.

myKEY – Authorization Code Delivery Method

1. The LRA provides the Authorization Code to the
   subscriber using one of the following approved
   methods: Face to Face, Registered Mail, Courier,
   Guarantor or Third Party Trust method.
2. The LRA provides the Authorization Code to the
   Guarantor or Third Party using one of the following
   approved methods: Registered Mail, Courier, or
   Encrypted Mail method.
3. The Guarantor or Third Party provides the
   Authorization Code to the subscriber using one of the
   following approved methods: Face to Face, Registered
   Mail or Courier.

myKEY - ORCA Request (new and recovery)

•   ORCA will be available through a web link where
    applicants can self-perform myKEY creations and
•   LRAs will be contacted internally by their
    organization when ORCA is deployed in their area.

myKEY – Recovery by a Manager / Legal Authority

There may be a requirement where an organization
needs to recover a subscriber’s myKEY on an urgent
basis. Such as:
 • Access is required to corporate data after an
    employee leaves the organization, or
 • A department or criminal investigation is in progress.
If this situation were to occur, the LRA opens a ticket
with the PWGSC Operations Service Desk to be processed

myKEY - Revocation

1.   Subscriber / Manager / LRA encounters a myKEY revocation
     scenario e.g.:
      a. Cessation of operation (e.g. myKEY is no longer required by
      b. subscriber’s termination of employment
      c. myKEY compromise or suspected compromise
2.   Subscriber / Manager contacts an LRA to request a key revocation.
     If the subscriber’s LRA is not available, the request is immediately
     re-directed to another LRA or to the PWGSC Operations Service
3.   LRA completes the Request Form and sends it to the KMC either by
     fax or by encrypted e-mail to the KMC requesting revocation.
4.   KMC revokes the subscriber’s credential. The subscriber can no
     longer use myKEY.
5.   KMC sends by email confirmation of the revocation to the LRA.
6.   The LRA informs the user.

myKEY – Distinguished Name Change

•   LRA indicates on the request form the subscriber’s
    current information.
•   LRA indicates on the request form the subscriber’s
    new information.
•   LRA sends the form to the KMC either by fax or
•   KMC notifies the subscriber of the changes and
    CCs the LRA.

ICM Forms

•   ICM Subscriber Application Request Form / Change
•   ICM Device/Group/Application Credential Request
    Form / Change Request
•   ICM External Subscriber Application Form
•   ICM External Subscriber Change Request Form

Trouble Shooting Tips
     Your Departmental Help Desk is your first point of contact
                           for assistance.

 Password Problem
 •     Ensure the CAPS LOCK button has not been engaged.
 •     Was the password typed with a French keyboard?
 •     Has the user deleted all old profiles from the media/drives?
 •     A password cannot be reset by the KMC (Key Recovery is
 Communication Errors
 •     Have you downloaded a new ENTRUST.INI file from the ICM
       website? (not applicable to ESP users)
 •     Ensure that two way communication is allowed via your
       departmental firewall. The Entrust.INI file indicates the ports
       and IP's required to be identified.
 •     Is the network cable properly connected to the PC/Laptop?
 •     Were there communication errors while initiating the keys?

Incident Escalation Process
    Your departmental Help Desk Support is your first point of
                      contact for assistance.

•     Incidents not resolved internally can be reported to the
      PWGSC Operations Service Desk
        7/24
        (613) 738-7782
•     Theservice desk agent will inquire as to:
        Requestor name
        Department
        Telephone number
        Solution urgency
        Type of problem (communication, password, key
        Problem description
        Error codes
•     You will be given an Incident Record (IR) number, which you
      should record and keep until the incident is resolved.

Contact List

•   ICM Website
•   Key Management Centre (KMC)
      Monday - Friday
      7:00 - 16:00 ET
      Fax: (613) 946-9133
      E-mail:
      Group Key for Encryption of forms/e-mails:
                  Group, PKI OPS
•   National LRA Coordinator
•   PWGSC Operations Service Desk
      7/24
      (613) 738-7782

To top