Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS)

Slides:



Advertisements
Similar presentations
Indications in green = Live content Indications in white = Edit in master Indications in blue = Locked elements Indications in black = Optional elements.
Advertisements

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
IS 1181 IS 118 Introduction to Development Tools VB Chapter 06.
Tutorial 6 & 7 Symbol Table
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
LDAP LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL PRESENTATION BY ALAKESH APURVA DHAN AND ASH.
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Unity Connection 7.0 Directory Integration TOI Manoj Agrawal
Configuring Active Directory Certificate Services Lesson 13.
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
1 © 2001, Cisco Systems, Inc. All rights reserved. Voice Connector Features Voic Interoperability – 4.0(5) Voice Connector features Rahul Singh.
Conceptual Architecture of PostgreSQL PopSQL Andrew Heard, Daniel Basilio, Eril Berkok, Julia Canella, Mark Fischer, Misiu Godfrey.
Chapter 61 Chapter 6 Index Structures for Files. Chapter 62 Indexes Indexes are additional auxiliary access structures with typically provide either faster.
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
What’s New in VRS? GUGM May 15, 2008 Presenter: Kelly P. Robinson GIL Service Georgia State University
23/4/2001LDAP Overview - HEPix - LAL 2001 LDAP Overview HEPix – LAL Apr Michel Jouvin
Lesson 11-Locating, Printing, and Archiving User Files.
Copyright © 2007, Oracle. All rights reserved. Managing Concurrent Requests.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
1 Tutorial 13 Validating Documents with DTDs Working with Document Type Definitions.
Chapter 8 Cookies And Security JavaScript, Third Edition.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
1 COMP 3438 – Part II-Lecture 1: Overview of Compiler Design Dr. Zili Shao Department of Computing The Hong Kong Polytechnic Univ.
Advanced AutoEntry Using Resume Parsing with Version 9 of PcHunter/Tempus Fugit Advanced AutoEntry © 2008 Micro J Systems, Inc.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
Linux Operations and Administration
LDAP Items
Oracle Data Integrator Procedures, Advanced Workflows.
Indexed and Relative File Processing
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
1 Compiler Construction (CS-636) Muhammad Bilal Bashir UIIT, Rawalpindi.
FLEX Fast Lexical Analyzer EECS Introduction Flex is a lexical analysis (scanner) generator. Flex is provided with a user input file or Standard.
Unit-1 Introduction Prepared by: Prof. Harish I Rathod
Integrating security services with the automatic processing of content TERENA 2001 Antalya, May 2001 Francesco Gennai, Marina Buzzi Istituto.
Windows 2000 Certificate Authority By Saunders Roesser.
Accessing Remote Datasets using the DAP protocol through the netCDF interface. Dr. Dennis Heimbigner Unidata netCDF Workshop August 3-4, 2009.
Built-in Data Structures in Python An Introduction.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Early Childhood Outcomes Indicator 7 Data Collection Application Review.
Oracle 11g: SQL Chapter 4 Constraints.
Chapter 4 Constraints Oracle 10g: SQL. Oracle 10g: SQL 2 Objectives Explain the purpose of constraints in a table Distinguish among PRIMARY KEY, FOREIGN.
26 July 2007IETF 69 PKIX1 Use of WebDAV for Certificate Publishing and Revocation
ESA UNCLASSIFIED – For Official Use Workshop #23 Pasadena, USA 25 rd March 2015 Sam Cooper Common services update (part 2)
1 Chapter Overview Managing Object and Container Permissions Locating and Moving Active Directory Objects Delegating Control Troubleshooting Active Directory.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Creating and Managing Digital Certificates Chapter Eleven.
29 October 2001Terena TF-LSD1 Certificate Retrieval With OpenLDAP David Chadwick.
Some Technical Issues in PKI Deployment David Chadwick
15 May 2001© 2001 University of Salford1 Deficiencies in LDAP when used to support Public Key Infrastructures David W Chadwick
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
LDAP (Lightweight Directory Access Protocol)
LDAP- Protocol and Applications. Role of LDAP Allow clients to access a directory service Directories hold hierarchical structured information Clients.
Introduction to Active Directory
Hyperion Artifact Life Cycle Management Agenda  Overview  Demo  Tips & Tricks  Takeaways  Queries.
T U T O R I A L  2009 Pearson Education, Inc. All rights reserved Address Book Application Introducing Database Programming.
LDAP for PKI Problems Cannot search for particular certificates or CRLs Cannot retrieve particular certificates or CRLs.
1 Public Key Infrastructure Dr. Rocky K. C. Chang 25 February, 2002.
Aggregator Stage : Definition : Aggregator classifies data rows from a single input link into groups and calculates totals or other aggregate functions.
Configuring MQ Connections and Handlers for MQ adapter 6.5 July 2008.
How to Create eInvoices in SCP-RR Training Presentation for Supply Chain Platform: Rolls-Royce January 2016.
FILES AND EXCEPTIONS Topics Introduction to File Input and Output Using Loops to Process Files Processing Records Exceptions.
1 Directory Services  What is a Directory Service?  Directory Services model  Directory Services naming model  X.500 and LDAP  Implementations of.
LDAP PKI and PMI Schemas
Scripts & Functions Scripts and functions are contained in .m-files
Transparent Data Encryption (TDE)
Topics Introduction to File Input and Output
Quattor Advanced Tutorial, LAL
Topics Introduction to File Input and Output
How to install and manage exchange server 2010 OP Saklani.
Presentation transcript:

Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS)

The Problem PKI clients cannot search for specific X.509 attributes stored in LDAP directories, e.g. –Find the encryption PKC for the person whose address is –Find the CRLs issued by OU=MyCA, O=MyOrg, C=US after 9am, 20March 2003 –Find the AC for David Chadwick that contains the role attribute PKI clients currently can only store and retrieve X.509 attributes, by knowing the Distinguished Name of the entry they are held in – but often the clients do NOT know the DN of the entry

The Current Workaround PKI vendors such as Entrust, suggest that the PKI/LDAP administrator extracts the address of the PKC subject from the SubjectAltName field, and store this in an attribute in the same entry as the PKC, and then the PKI client searches the LDAP server for the address and asks for the PKC to be returned from the same entry

Automating and Extending the Workaround - Attribute Extraction A front end X.509 attribute Parsing Server (XPS) parses the X.509 attribute to be stored, and breaks it up into a set of LDAP attributes that use existing LDAP syntaxes XPS then creates a new entry for the X.509 attribute in the LDAP server, which comprises the original X.509 attribute and the set of extracted attributes The LDAP server adds the extracted attributes to its indexes, using existing mechanisms The PKI administrative client (i.e. the CA) talks to the new XPS server instead of the LDAP server PKI retrieval clients search the LDAP server for the extracted attributes and ask for the X.509 attribute to be returned (as now)

Attribute Extraction LDAP directory CA/AA Search for Att 1.. Att i Return X.509 attribute XPS server Att1, Att2…Att n + [ ]

The DIT Structure PKCs and ACs are held in child entries CRLs are held in child subtrees dc=myorg dc=com ou=people cn=my entry Encryption PKC Signing PKC AC containing roles ou=My CA dc=myorg dc=com CRL CRL entries

Naming the X.509 attribute entries CRL entries are named with the x509crlThisUpdate attribute CRL revoked certificate entries may be named in one of 3 ways –x509serialNumber+x509issuer –x509isssuerSerial –x509serialNumber Certificate Entries may be named in one of 3 ways –x509serialNumber+x509issuer –x509isssuerSerial –x509serialNumber

The XPS Configuration File XPS config options are held in slapd.conf between the global configuration directives and the backend definitions –All config keywords are case sensitive. Default values in red EnableXPS[yes|no] –If no, all other XPS config options are ignored ldapurl[NULL| ] –XPS can act in standalone mode or combined mode pkcTypes[userCertificate, userCertificate;binary, cACertificate, cACertificate;binary] –Lists the incoming public key attribute types to be trapped acTypes[attributeCertificateAttribute, attributeCertificateAttribute;binary] –Lists the incoming attribute certificate types to be trapped crlTypes[certificateRevocationList;binary, etc.] –Lists the incoming CRL attribute types to be trapped

XPS Configuration Options (cont) DuplicateAttribute[yes|no] –Indicates if X.509 attribute should be stored in parent entry as well RevokedCertificateEntries[yes|no] –Indicates if subtree of entries should be created, default no RevokedRDNformat [x509serialNumber+x509issuer| x509isssuerSerial | x509serialNumber] –Only applies if RevokedCertificateEntries is yes CertRDNformat[x509serialNumber+x509issuer | x509isssuerSerial | x509serialNumber] –The RDN of the newly created certificate entries Walpath[path] –Where to store the WAL files. The default path if this parameter is missing, is /usr/local/var/xps/wals/

XPS Config options (cont) XPSerrorlog[path/filename] –The default file is /usr/local/var/xps/error.log INCLUDE [x509attrtypes.txt] –A file holding the mappings between ASN.1 type references and their equivalent LDAP attribute types. Each line should be in the format: define_attr ASN.ref LDAPattType e.g. define_attr certificate.tbsCertificate.signature.algorithm x509signatureAlgorithm Only the LDAP attributes specified in this file will be stored in the X.509 attribute entries created by XPS

Parsing the Incoming X.509 Attributes When any of the attributes in the 3 lists from the config file are encountered, one of the following routines is called –x509AC_2_mods() - converts an Attribute Certificate into a list of Modifications –x509CRL_2_mods() - converts a Certificate Revocation List into a list of Modifications –x509PKC_2_mods() - converts a Public Key Certificate into a list of Modifications These routines are automatically created by an ASN.1 compiler we have written

The ASN.1 Compiler Built using the compiler generator tools flex and bison. Flex is based on UNIX lex and builds a lexical analyzer which is used to process the text input to the complier ASN.1 built-in type keywords used by flex are contained in input file asn1.lex Output from the lexical analyzer is a sequence of tokens and corresponding values that are used by the compiler The compiler is built using the tool bison, a compiler generator based on UNIX tool yacc The definitions for the compiler are contained in input file asn1.y Bison does not automatically generate parse trees and output code. These must be added to the definition file, in the form of embedded actions, to build a parse tree, and also a code generator. After the input has been scanned and a parse tree built, the code generator walks this tree and translates this into output code. Compiler is called with two arguments: name of file containing X.509 attribute ASN.1 type definition, and file to receive generated C code

The WAL XPS is acting as a transaction server, since one incoming request creates a set of outgoing requests to the backend LDAP server Therefore we need a Write Ahead Log One WAL file is opened per incoming operation Before any change is made to the backend LDAP server, this change is written to the WAL in LDIF format –Add entry, only the DN is stored in the WAL –Remove entry, the entire entry is read and the contents stored in the WAL –fflush() is called after every write to the WAL When the last backend operation has completed successfully the WAL is deleted

WAL File names Must be unique Filename is wal.log –E.g. walKHWIHfdsafJG420ghdlT4YG.log Ascii chars are created using a 128 bit MD5 hash of the DN of the LDAP entry to be modified –lutil_MD5Init(), lutil_MD5Update(), and lutil_MD5Final() functions This provides concurrency control as well

Recovery When XPS first starts, if a WAL file is found, then a recovery log is opened (XPSrecovery.log) The WAL is opened, marked “recovery in progress” and each record is acted upon –If it’s a DN, the entry is deleted –If it’s an entry, the entry is added If successful the record is deleted. If it fails the record is left there Each action is written to the log file, along with a success or fail status If recovery fails, the LDAP administrator will have to tidy up manually using the log file and WALs

Operation of XPS If EnableXPS is No, all operations bypass it and given to OpenLDAP If EnableXPS is Yes, then Bind, Unbind, Compare, ModDN, Abandon, and Search bypass it and are given to OpenLDAP If Enable XPS is Yes, ADD, DELETE, and MODIFY Requests are trapped and acted upon as follows

Add Request First check if request contains any X.509 attributes, if not, pass straight to OpenLDAP Call appropriate x509***_2_mods() function for each trapped X.509 attribute Mods are turned into slap_mods2entry() DN of parent and child entries are added to WAL If duplicateAttribute is false, the X.509 attributes will be removed from the parent entry be->be_add )() is called for the parent entry If successful, be->be_add )() is repeated for each child entry If any error, OpenLDAP is rolled back and error returned Finally, the WAL is deleted.

Delete Request Full subtree search from DN of entry-to-be-deleted is issued, with filter of object class present, requesting * + If no entries returned, Delete either passed to OpenLDAP If all entries except base are of object class x509base, Delete will be processed, else it is passed to OpenLDAP If a returned entry has the hasSubordinates operational attribute = FALSE, the entry will be saved in the WAL using Entry2wal() and then deleted from the directory using (be->be_delete )() If hasSubordinates is TRUE, the entry is held pending until all the FALSE ones are processed, then it is processed Once all entries have been deleted, the WAL is deleted If any delete fails, the deleted entries are restored and an error sent to the user.

Modify Request (Add) XPS first checks if there are any X.509 attributes in the modifications. If there are none then request is passed to internal server or referral is returned Processing now depends upon type of modification For Add, a list of modifications for each X.509 attribute is created using appropriate x509***_2_mods() The DNs of all the children and grandchildren are added to the WAL The entries and child entries are then added to the directory. Move to next modification

Modify Request (Delete) If the modification is delete, do a 1-level Search from the to-be-modified entry for the attribute type (or value) to-be-deleted. Store returned entries in the WAL If CRL revoked entries are present, do a 1-level Search from each returned CRL entry and store these in the WAL. Then delete them from the directory. Delete initial returned entries from the directory If any errors, then add all the deleted entries back into the directory Move to next modification

Modify Request (finish) Replace is equivalent to delete the attribute and add the listed values Once the set of modifications have been completed successfully, the original Modify request has its X.509 attributes removed (if duplicates is false) and it is sent to the directory (unless there are no attributes left) As the Modify is atomic, it does not need to be written to the WAL. If it succeeds, delete the WAL, if it fails, then re-apply the changes recorded in the WAL

Governing Internet Drafts Gietz, P., Klasen, N. "An LDAPv3 Schema for X.509 Certificates",, March, 2003 Chadwick, D.W., Sahalayev, M. V. "Internet X.509 Public Key Infrastructure - LDAP Schema for X.509 Attribute Certificates",, February 2003 Chadwick, D.W., Sahalayev, M. V. "Internet X.509 Public Key Infrastructure - LDAP Schema for X.509 CRLs",, February 2003

Attribute Extraction Pros Cons Existing LDAP servers do not need to be modified Supports indexing servers based on fields within PKI attributes Supports enhanced matching (searching on multiple fields within a single PKI attribute) XPS has been built into OpenLDAP, and can either front end an existing LDAP server or be a combined XPS/LDAP server PKI clients need less modification, and might just need re-configuring with the new attribute types The European and US academic community chose this solution Storage requirements in the LDAP server are doubled [or tripled] Adding new X.509 attribute syntaxes or new certificate or CRL extensions means the XPS code has to be recompiled and rebuilt Cant search on multiple X.509 attributes, or an X.509 attribute and other attributes in the user’s entry (needs families of entries) CAs and clients have different views of the DIT