web interface: sort descriptions like the form fields in get_info, cert_search

[openxpki.git] / www.openxpki.org / trunk / htdocs / news / story-20070126.html

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
  <head>
    <title>OpenXPKI Project - Success story</title>
<link rel="stylesheet" title="default" href="../css/openxpki.css" type="text/css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  

  </head>
  <body>
    <div id="page">

      <div id="header">
        <a href="..">
  <img src="../images/openxpki_logo.png"
     alt="OpenXPKI Project"/>
</a>

      </div> <!-- header -->

      <div id="navi">
        <div class="menu">
                  <div class="menu_item"><a href="..">Home</a></div>
        <div class="menu_item"><a href="../features/index.html">Features</a></div>
        <div class="menu_item"><a href="../secadvs/index.html">Security Advisories</a></div>
        <div class="menu_item"><a href="index.html">News</a></div>
        <div class="menu_item"><a href="../docs/index.html">Documentation</a></div>
        <div class="menu_item"><a href="../support/index.html">Support</a></div>
        <div class="menu_item"><a href="../download/index.html">Download</a></div>
        <div class="menu_item"><a href="http://wiki.openxpki.org">Wiki</a></div>
        <div class="menu_item"><a href="../resources/index.html">Resources</a></div>
        <div class="menu_item"><a href="../foundation/index.html">Foundation</a></div>
        <div class="menu_item"><a href="../legacy/index.html">OpenCA Legacy</a></div>
        <div class="w3c">
          <a href="http://sourceforge.net"><img src="http://sflogo.sourceforge.net/sflogo.php?group_id=150124&amp;type=1" width="88" height="31" alt="SourceForge.net Logo" /></a>
        </div>
        <div class="w3c">
          <a href="http://validator.w3.org/check?uri=http://www.openxpki.org/news/story-20070126.html"><img class="noborder" src="../images/valid-xhtml10.png" alt="Valid XHTML 1.0!" height="31" width="88" /></a>
        </div>
        <div class="w3c">
          <a href="http://www.masonhq.com/"><img class="noborder" src="../images/built-with-white1.png" alt="Built with Mason" height="31" width="88" /></a>
        </div>


        </div> <!-- menu -->
      </div> <!-- navi -->

      <div id="content">

<h2>Success story: SmartCard personalization self-service application</h2>
<p>
The first production deployment of OpenXPKI was performed on Friday,
2007-01-26 by <a href="http://www.cynops.de/">Cynops GmbH</a> for
a customer.
</p>
<p>
In the current implementation phase OpenXPKI is solely used for  
one single purpose - it implements a self-service application for  
SmartCard personalization.
</p>

<h4>System environment</h4>
<p>
SuSE Linux SLES 8, Oracle 9, nCipher nC1002W/nC3022W/nC4032W HSM,  
Apache 1.3, RSA Access Manager, RSA SID-800 tokens
</p>

<h4>Authentication</h4>
<p>
For user authentication a RSA token based Web 
Single-Sign-On solution implemented with RSA ClearTrust (now called RSA  
Access Manager) is used. The web server configuration looks very much like a  
basic authentication in front of the web application, and it also  
sets some environment variables that the application can evaluate to  
obtain login user information.
</p>

<h4>Authorization</h4>
<p>
The OpenXPKI authorization configuration for users is using an  
"External Static" that only calls /bin/true and sets the role "User".  
(The actual authentication is performed by the authentication module  
configured in the web server config.)
</p>

<p>
RA and CA operator authentication also works via the SSO mechanism.  
However, the logged in user can pick "RA Operator" or "CA Operator"  
instead of "User". The configuration is again "External Static" but  
in this case it calls a shell script which checks the authenticated  
user name against LDAP groups that list acceptable RA/CA operators.
If authorized, the user gets the corresponding role for the rest of  
the session.
</p>

<h4>SmartCard personalization</h4>
<p>
The application uses the SmardCard Personalization workflow  
as shipped in rev 709.
A User can either login normally to the application and pick  
"Personalize SmartCard" from the top level menu. However, using  
mod_rewrite a rewrite rule for https://servername/token was
configured to a deep link into the application. It directly starts the  
personalization workflow and hides the user menu.
</p>
<p>
The workflow queries user data from an LDAP directory and stores the  
required fields in the workflow instance context.
The user is then prompted to insert a SmartCard token. If the correct  
Crypto Service Provider is installed (and the user is using MS  
IE...), a key pair is generated on the token. The browser sends the  
CSR to OpenXPKI which inserts the CSR into the workflow.
</p>
<p>
The HSM-protected CA key is usually always online, so certificate  
issuance can happen right away. The personalization workflow forks a  
certificate issuance workflow and waits for its completion. Once the  
certificate is issued the workflow continues and instructs IE to  
install the certificate on the user's token.
</p>
<p>
In this installations two certificates per user are created, and both are  
requested and installed in the same session. Due to the low speed of  
the used SmartCard tokens the full personalization process takes  
about 4 minutes.
</p>

      </div> <!-- content -->

      <div id="footer">
        Last modified by svysh on Mon Jan 26 10:36:25 UTC 2009
 (based on rev. 1361). &copy; 2005 - 2008  OpenXPKI Foundation


      </div> <!-- footer -->

    </div> <!-- page -->
  </body>
</html>