EJBCA AT THE HEART OF A TRUST CENTER F.Koray ATSAN Trust Center Project manager F.Koray ATSAN Trust Center Project manager Simetri Software A.Ş. Tel: Fax:

2 Outline Simetri Software Introduction Simetri Software Introduction Simetri Trust Center Overview Simetri Trust Center Overview Legal Requiremtns Legal Requiremtns Technical Requirements Technical Requirements Selection of a PKI System Selection of a PKI System EJBCA Components at the Trust Center EJBCA Components at the Trust Center Integrating SimSign Server with EJBCA Integrating SimSign Server with EJBCA

3 Simetri Software in Brief According to 2006 figures Simetri Software is the 2 nd largest company in Turkey in the first 500 IT company in MIS sector According to 2006 figures Simetri Software is the 2 nd largest company in Turkey in the first 500 IT company in MIS sector Provides products and services to Ministry of Internal Affairs, Ministry of Industry and Commerce, İstanbul Chamber of Commerce and other large organisations Provides products and services to Ministry of Internal Affairs, Ministry of Industry and Commerce, İstanbul Chamber of Commerce and other large organisations Its various applications run in 81 cities and 931 counties with users. Its various applications run in 81 cities and 931 counties with users. Provides products and services to its customers with 100+ software engineers. Provides products and services to its customers with 100+ software engineers.

4 Simetri Trust Center Overview Recently (for over 4 years) Simetri is focused at the information security area. Recently (for over 4 years) Simetri is focused at the information security area. It provides a Trust Center service for its customer which satisfied the legal requirements and became a Legal CSP in Turkey It provides a Trust Center service for its customer which satisfied the legal requirements and became a Legal CSP in Turkey It has gained TS-ISO ISMS accreditation for its Trust Center as part of the legal requirements. It has gained TS-ISO ISMS accreditation for its Trust Center as part of the legal requirements.

5 What is a Trust Center anyway ? A Trust Center is the premises where Digital ID s are issued and managed A Trust Center is the premises where Digital ID s are issued and managed It has to be reliable (againts ID and credentials theft) It has to be reliable (againts ID and credentials theft) Administratively and Administratively and Technically Technically and maintain trust at all times We assume we provide the administrative reliability by managing and maintaining our ISMS system We assume we provide the administrative reliability by managing and maintaining our ISMS system How about the technical reliability and requirements ? How about the technical reliability and requirements ?

6 Legal Requirements Compliancy with e-signature legislations (Law and Regulations) Compliancy with e-signature legislations (Law and Regulations) Product Selection Requirements (EAL4+, FIPS and etc. For smartcards, HSMs and such) Product Selection Requirements (EAL4+, FIPS and etc. For smartcards, HSMs and such) ISMS TS ISO ISMS TS ISO Business Continuity Plan Business Continuity Plan CP and CPS and etc. CP and CPS and etc. Compliancy with ETSI TS & CERN CWA (Dual two factor authentication, roles and their duties ) Compliancy with ETSI TS & CERN CWA (Dual two factor authentication, roles and their duties )

7 Technical Requirements Selection of a PKI System Selection of a PKI System One of the most ciritical decisions in the process : One of the most ciritical decisions in the process : Must be reliable Must be reliable Flexible Flexible Cost effective Cost effective Secure Secure

8 Technical Requirements Evaluated several products : Evaluated several products : OpenCA OpenCA Windows 2003 CA Server Windows 2003 CA Server A US Origin CA A US Origin CA and EJBCA and EJBCA

9 Technical Requirements Why did we select EJBCA ? Why did we select EJBCA ? Flexibility and customizability : Flexibility and customizability : Flexible Administration Flexible Administration Adding new profiles is easy Adding new profiles is easy Customizing is easy Customizing is easy Secondary Services Support (More complete solution) Secondary Services Support (More complete solution) OCSP Server OCSP Server TSA TSA Directory Service Integration Directory Service Integration External RA External RA HSM Support HSM Support

10 Technical Challenges Surpassed Multilanguage support (Xdoclet, certificate encoding) Multilanguage support (Xdoclet, certificate encoding) Custom certificate field requirements (Serial Number, Subject Directory Attributes and such ) Custom certificate field requirements (Serial Number, Subject Directory Attributes and such ) TSA and OCSP hardware (smartcard) support TSA and OCSP hardware (smartcard) support Internal RA Approval Mechanism in order to achieve dual authentication Internal RA Approval Mechanism in order to achieve dual authentication

11 EJBCA Components at the Trust Center Root CA Directory (LDAP) EU CA TSA EU OCSP Server Sub CAs RAs EU External RA

12 SIM SignServer Workflow and EJBCA integration Web Web Application Client Application System Users Document Signed and TimeStamped Document Signed Doc Verification Internet User Signed Document Sharing

13 Solutions at the speed of thought… Thank you