Saturday, November 6, 2010

PKI authentication and legacy web application

One of the most secure ways of user authentication- is the PKI authentication. A lot of modern systems support this method and everything works nice and smoothly (almost everything - details in the my next post). But, as usually, in real big enterprise you have a dilemma: you need the strongest authentication but you have a lot of legacy systems (or it takes ages to get changes in authentication method from vendor).
The best way (IMHO) to resolve this problem is to use mutual ssl on certificates.
SSL will terminate on reverse proxy server in front of your Business Application Server inside the high secure network zone . So, here the scheme:

It looks really easy, isn't it?
How it works:
1. Each user has his own certificate and private key. It could be located on smart card, token or inside OS key storage.
2. User's browser must be configured to use this certificate for authentication (It's easy - just import it in browser or point it to OS key storage)
3. User must connect to revers proxy server (ssl termination point) for getting access to Business Application Server.

4. Revers proxy server checks validity of user's certificate and some certificate's fields (if you need to restrict access to only some users groups) like OU, CN or "extended key usage" and establish mutual ssl connection.
5. Revers proxy server offloads ssl and make direct connection over http (or non-mutual ssl connection) to your business application server.
6. Business application server authenticate user and authorised them by user/password pair.

The key point of this scheme is the Revers Proxy Server with ssl offloading feature (May be the better name for it - Secure Application Gateway).
How this servers looks like?
1. Open Source:
Any *nix + Apache web server with mod_proxy and mod_ssl + some changes in Apache config for certificate verification.
2. Load balancer or Web Application firewall from your favorite vendor. I have tested this on F5 BigIP and everything works perfectly.

Almost forget. You will get a lot of users' web request logging possibilities during  implementation of this scheme. So you can easily control users' activity within business application server.

That's all folks. Stay secure.


  1. вы внедрили? или пока идеи? каков скоуп?

  2. Оттестили на биллинге по полной программе. Все работает отлично. Теперь внедряем ввиде отказоустойчивого кластера.


  4. The main Social Media Marketing and web design systems like Deal with guide, Integra and Flicker will be your best choices. Start with one and obtain an understanding for what results you’ll see, or go with a few a get the name on the market quickly!

  5. Nice information, valuable and excellent design, as share good stuff with good ideas and concepts, lots of great information and inspiration, both of which I need, thanks to offer such a helpful information here. security guards

  6. It’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content.
    Actually I read it yesterday but I had some thoughts about it and today I wanted to read it again because it is very well written.
    I was just browsing through the internet looking for some information and came across your blog. I am impressed by the information that you have on this blog. It shows how well you understand this subject. Bookmarked this page, will come back for more.
    Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon.
    Its as if you had a great grasp on the subject matter, but you forgot to include your readers. Perhaps you should think about this from more than one angle.
    Going to graduate school was a positive decision for me. I enjoyed the coursework, the presentations, the fellow students, and the professors. And since my company reimbursed 100% of the tuition, the only cost that I had to pay on my own was for books and supplies. Otherwise, I received a free master’s degree. All that I had to invest was my time.
    Good to become visiting your weblog again, it has been months for me. Nicely this article that i've been waited for so long. I will need this post to total my assignment in the college, and it has exact same topic together with your write-up. Thanks, good share.
    Three are usually cheap Ralph Lauren available for sale each and every time you wish to buy.
    They're produced by the very best degree developers who will be distinguished for your polo dress creating. You'll find polo Ron Lauren inside exclusive array which include particular classes for men, women.
    A good blog always comes-up with new and exciting information and while reading I have feel that this blog is really have all those quality that qualify a blog to be a one.
    I wanted to leave a little comment to support you and wish you a good continuation. Wishing you the best of luck for all your blogging efforts.
    Really impressed! Everything is very open and very clear clarification of issues. It contains truly facts. Your website is very valuable. Thanks for sharing.
    It's late finding this act. At least, it's a thing to be familiar with that there are such events exist. I agree with your Blog and I will be back to inspect it more in the future so please keep up your act.
    This post is very simple to read and appreciate without leaving any details out. Great work!
    You completed certain reliable points there. I did a search on the subject and found nearly all persons will agree with your blog.

  7. Very efficiently written information. It will be beneficial to anybody who utilizes it, including me. Keep up the good work. For sure i will check out more posts. This site seems to get a good amount of visitors. creazione software torino

  8. I imagine that it is best to compose additional on this issue,
    application security testing

  9. This is really nice to read content of this blog. A is very extensive and vast knowledgeable platform has been given by this blog. I really appreciate this blog to has such kind of educational knowledge.line official account

  10. If you are looking for more information about flat rate locksmith Las Vegas check that right away. peter web designer

  11. Thanks for your post. I’ve been thinking about writing a very comparable post over the last couple of weeks, I’ll probably keep it short and sweet and link to this instead if thats cool. Thanks.
    web design namibia

  12. I am jovial you take pride in what you write.It makes you stand way out from many other writers that can not push high-quality content like you. κατασκευη eshop

  13. That is why selling advertising campaigns marketing so that you could invaluable explore previous advertisment. Quite simply to jot down stronger set that fit this description.

  14. I am impressed. I don't think Ive met anyone who knows as much about this subject as you do. You are truly well informed and very intelligent. You wrote something that people could understand and made the subject intriguing for everyone. Really, great blog you have got here. Web Designing

  15. Positive site, where did u come up with the information on this posting? I'm pleased I discovered it though, ill be checking back soon to find out what additional posts you include. CCTV Security Installers

  16. I agree that there are lot of authentication as well as legacy web techniques available for which you will need proper guidance from experts of graphic design agency.

  17. I have read all the comments and suggestions posted by the visitors for this article are very fine,We will wait for your next article so only.Thanks! Digital marketing company

  18. This is also a very good post which I really enjoyed reading. It is not every day that I have the possibility to see something like this.. security agency birmingham

  19. Internet (WWW) is the arrangement of interlinked hypertext records containing content, pictures, sound, recordings, activity and then some.Webdesign

  20. Whoi, excellent, t wondered just how to cure icne. ind found your webstte by google, dtscovered todiy t'm i ltttle obvtous i greit deil. t’ve ilso idded RSS ind sive your webstte. keep us updited. website design company in Accra-Ghana

  21. When your website or blog goes live for the first time, it is exciting. That is until you realize no one but you and your. Web design

  22. I always replied to this blog post and its been a long time since I came into knowledge of this blog. One of my friend’s suggestion worked for me and I am still regular to read every post of this blog.White Monka

  23. creativity of writer is purely impressive. It has touched to the level of expertise with his writing. Everything is up to the mark. Written perfectly and I can use such information for my coming assignment.
    web design company fort worth

  24. I found this blog after a long time which is really helpful to let understand different approaches. I am going to adopt these new point to my career and thankful for this help.
    web development company toronto

  25. Really I enjoy your site with effective and useful information. It is included very nice post with a lot of our resources.thanks for share. i enjoy this post. costruzione siti internet torino