Saturday, November 6, 2010

PKI authentication and legacy web application

One of the most secure ways of user authentication is PKI (certificate-based) authentication. A lot of modern systems support this method and everything works nicely and smoothly (almost everything; details in my next post). But, as usual, in a real big enterprise you have a dilemma: you need the strongest authentication, but you have a lot of legacy systems (or it takes ages to get the vendor to change the authentication method).
The best way (IMHO) to resolve this problem is mutual SSL with client certificates.
SSL terminates on a reverse proxy server placed in front of your Business Application Server, inside the high-security network zone. So the scheme is: user's browser -> (mutual SSL) -> reverse proxy server / SSL termination point -> (plain HTTP or one-way SSL) -> Business Application Server.

It looks really easy, doesn't it?
How it works:
1. Each user has their own certificate and private key. It can be kept on a smart card, a token or in the OS key store.
2. The user's browser must be configured to use this certificate for authentication (it's easy: just import it into the browser or point the browser at the OS key store).
3. The user connects to the reverse proxy server (the SSL termination point) to get access to the Business Application Server.
4. The reverse proxy server checks the validity of the user's certificate (trusted issuer, validity period, revocation status) and, if you need to restrict access to some user groups only, some of its fields, such as OU, CN or Extended Key Usage, and then establishes the mutual SSL connection.
5. The reverse proxy server offloads SSL and makes a direct connection over plain HTTP (or one-way SSL) to your business application server. The application server must accept connections only from the proxy; otherwise the gateway can simply be bypassed.
6. The business application server authenticates the user and authorises them with the usual user/password pair, exactly as before.
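The checks in step 4 are the whole point of the scheme, so here is an added example (not code from the original post) that emulates them with the openssl CLI: it builds a throw-away corporate CA and a rogue CA, issues four constructed client certificates, and runs a gateway_check function that does what the SSL termination point does before it admits a user: chain validation against the corporate CA for the TLS-client purpose, an explicit Extended Key Usage check, and a group restriction on the subject OU. The CA names, the "Billing"/"Marketing" OUs and the user names are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the gateway's client
# certificate checks (step 4) with openssl. All material is constructed in a
# temp dir; CA names, OUs and user names are demo placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throw-away issuing CA (demo only; a real issuing CA does not live in a shell script)
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Corp Issuing CA
O = Demo Corp
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config ca.cnf -keyout ca.key -out ca.pem 2>/dev/null
# A second, rogue CA that the gateway must NOT trust
sed 's/Demo Corp Issuing CA/Rogue CA/' ca.cnf > rogue.cnf
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config rogue.cnf -keyout rogue.key -out rogue.pem 2>/dev/null

# issue_cert NAME OU EKU CA  -> NAME.crt, signed by CA.pem/CA.key
issue_cert() {
    name=$1; ou=$2; eku=$3; ca=$4
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -keyout "$name.key" \
        -subj "/CN=$name/OU=$ou/O=Demo Corp" -out "$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=%s\n' \
        "$eku" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA "$ca.pem" -CAkey "$ca.key" -CAcreateserial \
        -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}
issue_cert alice   Billing   clientAuth ca      # legitimate billing user
issue_cert bob     Marketing clientAuth ca      # valid cert, wrong department
issue_cert carol   Billing   serverAuth ca      # valid cert, wrong key purpose
issue_cert mallory Billing   clientAuth rogue   # right fields, untrusted issuer

# gateway_check CERT REQUIRED_OU -> exit status 0 if the gateway would admit CERT
gateway_check() {
    cert=$1; want_ou=$2
    # 1. Chain must end at the corporate CA, and the leaf must be usable as a
    #    TLS client (clientAuth EKU when EKU is present, digitalSignature KU).
    openssl verify -CAfile ca.pem -purpose sslclient "$cert" >/dev/null 2>&1 || return 1
    # 2. Explicit EKU check, so the rejection reason is visible in the gateway log.
    openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication' || return 1
    # 3. Group restriction on the subject OU (the post's "only some user groups").
    ou=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline,utf8 \
         | sed -n 's/^ *OU=//p')
    [ "$ou" = "$want_ou" ] || return 1
}

for u in alice bob carol mallory; do
    if gateway_check "$u.crt" Billing; then echo "$u: admitted"; else echo "$u: rejected"; fi
done
```

Only alice is admitted: bob fails the OU restriction, carol's certificate carries the wrong Extended Key Usage, and mallory's certificate has perfect fields but chains to a CA the gateway does not trust, which is exactly the case a field-only check would miss.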

The key component of this scheme is the reverse proxy server with the SSL offloading feature (maybe a better name for it is Secure Application Gateway).
What does such a server look like?
1. Open source: any *nix + Apache web server with mod_proxy and mod_ssl, plus some changes in the Apache config for certificate verification.
2. A load balancer or web application firewall from your favourite vendor. I have tested this on F5 BIG-IP and everything works perfectly.
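As an added example of the "some changes in the Apache config" from option 1 (this is not the original post's configuration), here is an Apache httpd 2.4 virtual host acting as the Secure Application Gateway. It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded; the hostnames, file paths, the issuing CA name, the "Billing" OU value and the backend address are placeholders.

```apache
# Added example (not from the original post): Apache httpd 2.4 as the SSL
# termination point in front of a legacy application. Names and paths are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName gateway.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/gateway/gateway.crt
    SSLCertificateKeyFile   /etc/ssl/gateway/gateway.key
    SSLProtocol             -all +TLSv1.2 +TLSv1.3

    # --- client certificate verification (step 4) ---
    # Only certificates chaining to the corporate issuing CA are accepted.
    SSLCACertificateFile    /etc/ssl/gateway/corp-issuing-ca-chain.pem
    SSLVerifyDepth          2
    # 'require' rejects every handshake that has no valid client certificate.
    # The weak setting would be 'optional': it lets certificate-less users
    # through to the backend, where only the legacy password protects the data.
    SSLVerifyClient         require
    # Revocation: a lost smart card must stop working before its cert expires.
    SSLCARevocationFile     /etc/ssl/gateway/corp-issuing-ca.crl
    SSLCARevocationCheck    chain

    # --- group restriction on certificate fields (OU and issuer here) ---
    <Location "/">
        Require expr "%{SSL_CLIENT_S_DN_OU} == 'Billing' && %{SSL_CLIENT_I_DN_CN} == 'Corp Issuing CA'"
    </Location>

    # --- SSL offload and hand-over to the legacy application (step 5) ---
    # 'set' overwrites any X-Client-* header a client sends itself. The backend
    # must be reachable only from this proxy, or these headers are forgeable.
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass         "/" "http://app.internal:8080/"
    ProxyPassReverse  "/" "http://app.internal:8080/"

    # Request log carrying the certificate CN, so every request is attributable to a person.
    LogFormat "%h %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b" gateway
    CustomLog /var/log/httpd/gateway_access.log gateway
</VirtualHost>
```

The legacy application still sees an ordinary HTTP request and still asks for its user/password pair; the gateway only guarantees that nobody without a valid, unrevoked Billing certificate ever reaches that login form.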

Almost forgot. As a by-product of this scheme you also get a lot of logging of users' web requests, so you can easily audit users' activity within the business application server.

That's all folks. Stay secure.

20 comments:

  1. Have you deployed it, or is it only an idea so far? What is the scope?

  2. We tested it on the billing system with a full test programme. Everything works great. Now we are deploying it as a fault-tolerant cluster.