Saturday, November 6, 2010

PKI authentication and legacy web application

One of the strongest ways to authenticate users is PKI (certificate-based) authentication. Many modern systems support it and almost everything works smoothly (the exceptions are covered in my next post). But, as usual, in a big enterprise you face a dilemma: you need the strongest authentication, yet you have a lot of legacy systems (or it takes ages to get the vendor to change the authentication method).
The best way (IMHO) to resolve this is mutual SSL/TLS with client certificates.
TLS terminates on a reverse proxy server placed in front of your Business Application Server, inside the high-security network zone. Here is the scheme:



It looks really easy, doesn't it?
How it works:
1. Each user has their own certificate and private key. It can be stored on a smart card, a token, or in the OS key store.
2. The user's browser must be configured to use this certificate for authentication (easy: import it into the browser or point the browser at the OS key store).
3. The user connects to the reverse proxy server (the TLS termination point) to reach the Business Application Server.
4. The reverse proxy checks the validity of the user's certificate (chain to the trusted CA, expiry, revocation) and, if you need to restrict access to certain user groups, some certificate fields such as OU, CN or Extended Key Usage, and only then establishes the mutual TLS connection.
5. The reverse proxy offloads TLS and makes a direct connection over plain HTTP (or non-mutual TLS) to your business application server. The application server must accept connections from the proxy only; otherwise the certificate check can be bypassed.
6. The business application server authenticates and authorises the user with its own username/password pair, exactly as before. The certificate is an additional factor in front of the legacy login, not a replacement for it.

The key component of this scheme is the reverse proxy server with TLS offloading (a better name for it might be Secure Application Gateway).
What can this server be?
1. Open source:
Any *nix + Apache web server with mod_proxy and mod_ssl, plus some changes in the Apache config for client certificate verification.
2. Load balancer or Web Application firewall from your favorite vendor. I have tested this on F5 BigIP and everything works perfectly.
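As an added example (not configuration from the original post), here is what the Apache variant of the gateway looks like, covering steps 4 to 6 of the scheme above and the request logging mentioned below. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers; the hostnames, file paths, the "Example Corp" issuer and the "Billing" OU are placeholders. The Extended Key Usage check from step 4 is not shown, since mod_ssl has no simple variable for it.

```apache
# Reverse proxy / TLS termination point with mutual TLS (client certificates).
# Added example; assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http
# and mod_headers. All paths, names and the backend address are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName gateway.example.internal

    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile      /etc/ssl/gateway/server.crt
    SSLCertificateKeyFile   /etc/ssl/gateway/server.key

    # Step 4: a client certificate is mandatory, must chain to the corporate
    # CA only (not to the public CA bundle), and is checked against the CRL.
    SSLVerifyClient         require
    SSLVerifyDepth          2
    SSLCACertificateFile    /etc/ssl/gateway/corp-ca-chain.pem
    SSLCARevocationFile     /etc/ssl/gateway/corp-ca.crl
    SSLCARevocationCheck    chain

    # Make certificate fields available to SSLRequire, mod_headers and logging.
    SSLOptions +StdEnvVars +ExportCertData

    <Location />
        # Restrict access by certificate fields: only certificates issued by
        # our CA to users in the "Billing" OU are allowed through.
        SSLRequire %{SSL_CLIENT_I_DN_O}  eq "Example Corp" \
               and %{SSL_CLIENT_S_DN_OU} eq "Billing"

        # Step 5: TLS is offloaded here; the backend sees plain HTTP from the
        # gateway. The backend must firewall everything except this gateway.
        ProxyPass        http://app.internal:8080/
        ProxyPassReverse http://app.internal:8080/
    </Location>

    # Hand the verified identity to the backend. "set" overwrites any value
    # the client tried to send, so these headers cannot be spoofed through
    # the gateway; the backend still does its own username/password login.
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}s"

    # Logging: every request is tied to the certificate CN and serial, which
    # is what makes per-user activity on the business application traceable.
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_M_SERIAL}x %t \"%r\" %>s %b" mtls
    CustomLog /var/log/apache2/gateway-access.log mtls
</VirtualHost>
```

Two things to check after deploying such a config: connect with a certificate from a different OU (or a revoked one) and confirm you get a 403 rather than the backend login page, and try sending your own `X-Client-DN` header through the gateway to confirm it is replaced, not passed through.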

Almost forgot. Implementing this scheme also gives you a lot of web-request logging possibilities: every request at the gateway is tied to a client certificate, so you can easily monitor users' activity on the business application server.

That's all folks. Stay secure.

Comments:

  1. Have you deployed this, or is it just an idea so far? What is the scope?

  2. We tested it thoroughly on the billing system. Everything works great. Now we are deploying it as a fault-tolerant cluster.