PKI Security in MapServer using Apache


FOSS4G2006, EPFL-UNIL • Lausanne • Switzerland
Michael Smith
Engineer Research & Development Center - Remote Sensing/GIS Center
US Army Corps of Engineers, Hanover, NH
michael.smith@erdc.usace.army.mil

About the Corps of Engineers
- 34,600 civilian and 650 military personnel
- USACE provides responsive engineering services to the nation
- Civil Works: plan, design, build and operate water resources projects
    - Navigation
    - Flood Control
    - Environmental Protection
    - Disaster Response
- Design and manage the construction of military facilities for the Army and Air Force
- Provide design and construction management support for other Defense and federal agencies

Army Engineer Research and Development Center
- Dispersed command of 7 unique technical laboratories at 4 locations
- Research facilities and activities around the country and the world
    - Collecting cosmic dust in Antarctica
    - Searching for insects in South America
    - Advising NATO in Europe
- Headquartered in Vicksburg, Mississippi
Map labels: Alaska Projects Office; European Research Office; Anchorage Field Office; Field Exposure Station; Columbia River Fisheries Research Facility; Cold Regions Research Engineering Laboratory; The Dalles Research Facility; Eau Galle Laboratory; Construction Engineering Research Laboratory; Topographic Engineering Center; Chemistry Quality Assurance Laboratory; Field Research Facility; Trotters Shoals Limnological Research Facility; Big Black Test Facility; Lewisville Aquatic Ecosystems Research Facility; Coastal and Hydraulics Laboratory; Environmental Laboratory; Geotechnical and Structures Laboratory; Information Technology Laboratory

RS/GIS Center Staff Skills & Background (32 Personnel)
Background: hydraulic engineering, geomorphology, forestry, computer programming, image processing, geography, database management, signal processing, electrical engineering, ecology, economics, hydrology, meteorology, statistics, water resources engineering
Skills: GIS enterprise applications, geospatial database organization and development, GIS business practice applications development, image processing, sensor evaluation, spatial analysis, algorithm development/programming, emergency management, education and training, statistical analysis, watershed management

Business Requirements & Constraints
- Account/password management for thousands of users
- Support for PKI Infrastructure (DoD Common Access Card)
- Strictly defined roles and access
- Formal release/version control & reporting mechanism
- 24x7 systems with fail-over/disaster recovery
- Replication to secure networks
- Support data calls & data snapshots
- Formal software development process
- Distributed development teams

What is PKI - Public Key Infrastructure
PKI is a framework that enables secure transactions to be performed on otherwise non-secure platforms (i.e., the Internet, etc.). PKI provides security through the use of a private and public cryptographic key pair. The private key is unique to the individual. This private key is issued by a trusted third party known as the certificate authority (CA). The public key is freely distributed to other users to be matched with the private key to authenticate the transaction.

More on PKI
- Two factor authentication
    - Something you know
    - Something you have
- Passphrase not sent over net, just decrypts private key
- Since private key sent over net, only use strong encryption: https (TLS, 128-bit ciphers etc.)

PKI in the DoD = CAC (Common Access Cards)
- The CAC will serve as the user's PKI token, which means that the ICC located on the CAC will be used to store the user's private key identity.
- These certificates are used to access PKI on card key generation services and applications.

Basic Operation
- SSL used as the security/transport mechanism
- Server's identity is verified by browser root certificate
- User is authenticated by presenting a client certificate to the server
- Server verifies client by using a Certificate Authority (CA) root certificate

Part of Normal Apache Setup
- Can be placed in a <Location> tag to only affect specific locations
- Can be combined with Allow from/Deny from
- Can be combined with specific client requirements (a single department)
    SSLRequire
- Several environment variables can be populated by client
    SSLOptions +StdEnvVars

Apache Setup
1) Point Apache to the Root CA
    SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca.crt
2) Set
    SSLVerifyClient require
   Set how deep to check for root CA
    SSLVerifyDepth n

SSL Environment Variables
- SSL_CLIENT_S_DN_CN: the client supplied Common Name
    SMITH.MICHAEL.D.1140324104
- SSL_CLIENT_S_DN_OU: the client supplied Organizational Unit
    DoD
- SSL_CLIENT_V_END: when the certificate expires
    Jul 19 23:59:59 2009 GMT

Additional Access Controls
    SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
        and %{SSL_CLIENT_S_DN_OU} eq "DoD" )

Additional Access Controls
FakeBasicAuth
- Passes SSL_CLIENT_S_DN_CN as basic authorization user name, sets password to "xxj31ZMTZzkVA", the encrypted version of "password"
- Use standard .htaccess files to limit to certain subsets of users

If using ReverseProxy
Make sure you add the SSL environment variables explicitly to the headers:
    RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
    RequestHeader set SSL_CLIENT_S_DN_OU %{SSL_CLIENT_S_DN_OU}e
    RequestHeader set SSL_CLIENT_V_END %{SSL_CLIENT_V_END}e

MapServer Integration
- Done at environment or cookie level for CGI, or use MapScript
- Only certain MapServer parameters accept variable substitution. Available for:
    - DATA
    - TILEINDEX
    - CONNECTION
    - FILTER
- Remember to set DATAPATTERN properly

MapServer Example
    DATA /data/%SSL_CLIENT_S_DN_OU%/nulldata.shp
    STATUS DEFAULT
- Unless Org name passed properly, map won't draw
- Add error page to indicate security issue
- Use FILTER to display subsets of data to different groups
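The check behind the DATA substitution above, as an added Python example (not from the slides and not MapServer or Apache code): it validates the forwarded SSL_CLIENT_S_DN_OU and SSL_CLIENT_V_END values before building the /data/<OU>/nulldata.shp path, so a malformed OU or an expired certificate never reaches the file system. The function names, the OU pattern and the sample requests are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone
from pathlib import PurePosixPath

# Assumption: one conservative pattern for acceptable OU values, in the
# spirit of the slides' reminder to set DATAPATTERN properly.
SAFE_OU = re.compile(r"[A-Za-z0-9_-]{1,64}")
DATA_ROOT = PurePosixPath("/data")  # root directory from the slide's DATA line


class CertHeaderError(ValueError):
    """A forwarded certificate field is missing, malformed or expired."""


def parse_v_end(value):
    """Parse the SSL_CLIENT_V_END format, e.g. 'Jul 19 23:59:59 2009 GMT'."""
    try:
        parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    except ValueError as exc:
        raise CertHeaderError("unparseable SSL_CLIENT_V_END") from exc
    return parsed.replace(tzinfo=timezone.utc)


def data_path_for(headers, now):
    """Return the per-OU shapefile path, or raise CertHeaderError."""
    ou = headers.get("SSL_CLIENT_S_DN_OU", "")
    if not SAFE_OU.fullmatch(ou):
        raise CertHeaderError("OU is not a safe path component")
    if parse_v_end(headers.get("SSL_CLIENT_V_END", "")) <= now:
        raise CertHeaderError("client certificate has expired")
    return str(DATA_ROOT / ou / "nulldata.shp")


def decide(headers, now):
    """Return (True, path) or (False, reason) without raising."""
    try:
        return True, data_path_for(headers, now)
    except CertHeaderError as exc:
        return False, str(exc)


# Constructed sample requests; the values mirror the examples on the slides.
NOW = datetime(2006, 9, 12, tzinfo=timezone.utc)
GOOD = {"SSL_CLIENT_S_DN_CN": "SMITH.MICHAEL.D.1140324104",
        "SSL_CLIENT_S_DN_OU": "DoD",
        "SSL_CLIENT_V_END": "Jul 19 23:59:59 2009 GMT"}
TRAVERSAL = dict(GOOD, SSL_CLIENT_S_DN_OU="../../etc")

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("traversal", TRAVERSAL)):
        print(name, decide(req, NOW))
```

A rejected request maps naturally onto the error page the slide recommends for security issues.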

To Summarize: Basic Steps
- Get a CA certificate
- Set SSLCACertificateFile to point to your CA
- Set SSLVerifyClient to require
- Set SSLRequire as necessary to limit access
- Limit access using
    - FakeBasicAuth and/or
    - Setting SSL environment variables and/or
    - Setting Session ID variables
- Add variables to MapServer (as necessary)

Questions?

Apache Example
    SSLVerifyClient require
    SSLVerifyDepth 5
    SSLOptions +StdEnvVars
    RequestHeader set REMOTE_HOST %{REMOTE_HOST}e
    RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
    RequestHeader set SSL_CLIENT_S_DN_OU %{SSL_CLIENT_S_DN_OU}e
    RequestHeader set SSL_CLIENT_V_END %{SSL_CLIENT_V_END}e
    SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
        and %{SSL_CLIENT_S_DN_OU} eq "DoD" )