Saturday, November 6, 2010

PKI authentication and legacy web application

One of the most secure ways of user authentication is PKI (certificate-based) authentication. A lot of modern systems support this method and everything works nicely and smoothly (almost everything; details in my next post). But, as usual, in a real big enterprise you have a dilemma: you need the strongest authentication, but you have a lot of legacy systems (or it takes ages to get the vendor to change the authentication method).
The best way (IMHO) to resolve this problem is to use mutual SSL with client certificates.
SSL terminates on a reverse proxy server in front of your Business Application Server inside the high-security network zone. So, here is the scheme:



It looks really easy, doesn't it?
How it works:
1. Each user has their own certificate and private key. It can be located on a smart card, a token or inside the OS key storage.
2. The user's browser must be configured to use this certificate for authentication (it's easy: just import it into the browser or point the browser to the OS key storage).
3. The user connects to the reverse proxy server (the SSL termination point) to get access to the Business Application Server.
4. The reverse proxy server checks the validity of the user's certificate and, if you need to restrict access to certain user groups, some certificate fields like OU, CN or Extended Key Usage, and establishes the mutual SSL connection.
5. The reverse proxy server offloads SSL and makes a direct connection over HTTP (or a non-mutual SSL connection) to your business application server.
6. The business application server authenticates and authorises the user by user/password pair.

The key point of this scheme is the reverse proxy server with the SSL offloading feature (maybe a better name for it is Secure Application Gateway).
What do these servers look like?
1. Open Source:
Any *nix + Apache web server with mod_proxy and mod_ssl, plus some changes in the Apache config for certificate verification.
2. A load balancer or Web Application Firewall from your favorite vendor. I have tested this on F5 BIG-IP and everything works perfectly.

Almost forgot. You get a lot of web request logging possibilities for users during the implementation of this scheme, so you can easily monitor users' activity within the business application server.
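As an added example (not from the original post), here is what the Apache variant of such a gateway looks like: mutual TLS termination with client certificate verification, a subject-field restriction, the verified identity forwarded to the legacy application, and a per-user access log. Hostnames, file paths, the issuing CA name and the "Finance" OU are assumed values; it targets Apache 2.4 with mod_ssl, mod_proxy_http, mod_headers and mod_authz_core loaded.

```apache
# Added example: mutual TLS terminating reverse proxy in front of a legacy app.
# All hostnames, paths, CA name and OU below are assumed placeholder values.
Listen 443
<VirtualHost *:443>
    ServerName gateway.example.internal

    SSLEngine on
    SSLCertificateFile    /etc/ssl/gateway/server.crt
    SSLCertificateKeyFile /etc/ssl/gateway/server.key

    # Client certificate verification: accept only certificates that chain
    # to the corporate CA, and refuse connections without a client cert.
    SSLCACertificateFile  /etc/ssl/gateway/corp-ca-chain.pem
    SSLVerifyClient       require
    SSLVerifyDepth        2
    # Reject revoked certificates (lost smart card, user left the company).
    SSLCARevocationFile   /etc/ssl/gateway/corp-ca.crl
    SSLCARevocationCheck  chain

    # Export SSL_CLIENT_* variables for Require, RequestHeader and logging.
    SSLOptions +StdEnvVars

    # Field-based restriction: issuer must be our issuing CA AND the subject
    # OU must be the group allowed to use this application.
    <Location "/">
        <RequireAll>
            Require expr %{SSL_CLIENT_I_DN_CN} == "Example Corp Issuing CA"
            Require expr %{SSL_CLIENT_S_DN_OU} == "Finance"
        </RequireAll>
    </Location>

    # Hand the verified identity to the backend. The backend must be
    # reachable only from this proxy; a client that can reach it directly
    # could set these headers itself.
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-Client-Serial "%{SSL_CLIENT_M_SERIAL}s"

    # SSL offload: plain HTTP to the legacy application in the secure zone.
    ProxyRequests    Off
    ProxyPreserveHost On
    ProxyPass        "/" "http://legacy-app.internal:8080/"
    ProxyPassReverse "/" "http://legacy-app.internal:8080/"

    # Per-user activity log: the client certificate DN on every request line.
    LogFormat "%h %t \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s %b" mtls
    CustomLog /var/log/apache2/gateway_access.log mtls
</VirtualHost>
```

The legacy application still does its own user/password login as in step 6; the forwarded headers and the gateway log let you correlate that login with the certificate that was actually presented.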

That's all folks. Stay secure.
