Saturday, November 6, 2010

PKI authentication and legacy web application

One of the most secure ways of user authentication is PKI (certificate-based) authentication. Many modern systems support it, and everything works nicely and smoothly (almost everything; details in my next post). But, as usual, in a real big enterprise you face a dilemma: you need the strongest authentication, but you have a lot of legacy systems (or it takes ages to get the vendor to change the authentication method).
The best way (IMHO) to resolve this problem is mutual SSL with client certificates.
SSL terminates on a reverse proxy server in front of your Business Application Server, inside the high-security network zone. So, here is the scheme:

It looks really easy, doesn't it?
How it works:
1. Each user has their own certificate and private key. It can be stored on a smart card, a token or in the OS key store.
2. The user's browser must be configured to use this certificate for authentication (this is easy: just import it into the browser or point the browser at the OS key store).
3. The user connects to the reverse proxy server (the SSL termination point) to get access to the Business Application Server.
4. The reverse proxy server checks the validity of the user's certificate (chain to the trusted CA, expiry, revocation) and, if you need to restrict access to certain user groups, some certificate fields such as OU, CN or Extended Key Usage, and establishes the mutual SSL connection.
5. The reverse proxy server offloads SSL and makes a direct connection over plain HTTP (or a non-mutual SSL connection) to your business application server.
6. The business application server authenticates and authorises the user by the user/password pair, exactly as before.

The key point of this scheme is the reverse proxy server with the SSL offloading feature (maybe a better name for it is Secure Application Gateway). One thing to get right: the business application server must accept connections only from the proxy (network ACL, or a proxy-to-backend SSL connection), otherwise anyone who can reach it directly bypasses the certificate check entirely.
What do these servers look like?
1. Open source:
Any *nix + Apache web server with mod_proxy and mod_ssl, plus some changes in the Apache config for certificate verification.
2. A load balancer or web application firewall from your favourite vendor. I have tested this on F5 BIG-IP and everything works perfectly.

Almost forgot. Implementing this scheme gives you a lot of logging possibilities for users' web requests, because every request now arrives with a verified certificate subject. So you can easily monitor users' activity within the business application server.
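As an added example (not the post's own config) of the open-source variant above, here is a minimal Apache virtual host that does steps 4 to 6 of the scheme: it requires a client certificate chaining to the corporate user CA, checks it against the CRL, restricts access to one OU, passes the verified subject to the legacy application in request headers, offloads SSL to plain HTTP and logs the certificate CN with every request. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded; the host name, file paths, the organisation and OU values, and the backend address 10.0.0.5:8080 are placeholders.

```apache
# Added example, not the post's own configuration. Assumes Apache 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http and mod_headers enabled; host name,
# paths, O/OU values and the backend address are placeholders.
<VirtualHost *:443>
    ServerName app.example.com

    # Server side of the TLS session: the proxy's own certificate.
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLCertificateFile    /etc/ssl/certs/app-proxy.crt
    SSLCertificateKeyFile /etc/ssl/private/app-proxy.key

    # Client side (step 4): only certificates that chain to the corporate
    # user CA and are not on its CRL are accepted; otherwise the TLS
    # handshake itself fails and the backend never sees the request.
    SSLCACertificateFile  /etc/ssl/certs/corp-user-ca.pem
    SSLCARevocationFile   /etc/ssl/crl/corp-user-ca.crl
    SSLCARevocationCheck  chain
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Per-request log of who actually came in: client IP, certificate CN,
    # certificate serial, then the usual request line, status and size.
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_M_SERIAL}x %t \"%r\" %>s %b" mtls
    CustomLog /var/log/apache2/app-mtls.log mtls

    <Location "/">
        # Restrict to one user group by certificate subject fields (placeholder
        # values). A valid certificate from another OU gets 403 here.
        Require expr %{SSL_CLIENT_S_DN_O} == "Example Corp" && %{SSL_CLIENT_S_DN_OU} == "Billing"

        # Hand the verified identity to the legacy application in headers.
        # "set" overwrites any such header the client sent. The backend must
        # trust these headers only when the connection comes from this proxy.
        RequestHeader set X-SSL-Client-DN     "%{SSL_CLIENT_S_DN}s"
        RequestHeader set X-SSL-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"

        # SSL offload (step 5): plain HTTP to the application server, which
        # still does its own user/password login (step 6).
        ProxyPass        "http://10.0.0.5:8080/"
        ProxyPassReverse "http://10.0.0.5:8080/"
    </Location>
</VirtualHost>
```

Two practical notes. The X-SSL-Client-* headers are only meaningful if the application server cannot be reached except through this proxy; otherwise a client can send them itself, so put the backend behind a network ACL or switch the ProxyPass target to https and have the backend require the proxy's certificate. Also, Extended Key Usage is not among the subject/issuer fields mod_ssl exposes as variables, so if you want to restrict on EKU, enforce it in the user CA's certificate profile or check it on the backend from the PEM in %{SSL_CLIENT_CERT}s.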

That's all folks. Stay secure.


1. Have you deployed it, or is it still just an idea? What is the scope?

2. We tested it on the billing system end to end. Everything works great. Now we are deploying it as a fault-tolerant cluster.

