Introduction
Bit4ID has successfully developed many Enterprise Public Key Infrastructures. With over 10 million
enrolled users, ranging from state officials to physicians, from train drivers to business owners,
our systems are key components for many organizations and central state bodies, offering
unparalleled flexibility and exceptional integration with existing infrastructures and business
procedures, delivering value to our users across the entire life-cycle of digital certificates.
This white paper presents the architecture and the main features of Bit4ID SmartCMS (Credential
Management System), a top-notch Enterprise Public Key Infrastructure system designed and
developed by Bit4ID.
SmartCMS combines the most advanced PKI building blocks, which Bit4ID has refined with new
features and a modular architecture; it is a cornerstone of our digital DNA architecture and
vision.
This paper shows how Bit4ID SmartCMS harmonizes the various elements of a PKI infrastructure
with business processes, and presents Bit4ID's skills in the design and deployment of integrated,
comprehensive solutions. A list of case histories concludes the document.
Architecture and main features
Bit4ID SmartCMS builds on Bit4ID's deep understanding of digital certificate technology,
leveraging more than 10 years of expertise in the design and development of state-of-the-art,
highly successful, rock-solid solutions.
Figure 1 depicts the modular architecture of Bit4ID SmartCMS core.
Figure 1: Bit4ID SmartCMS core architecture
Bit4ID SmartCMS core components are grouped into three main areas. The two most important
are the adapters, which handle interaction with the different external elements, and the
management functions. The third area, aspects, provides high availability, logging and
monitoring to the other components.
Adapters
Bit4ID SmartCMS offers great flexibility thanks to its modular architecture and the extensive
use of adapters, which allow it to work and interact with a wide range of different components
in many different scenarios.
Smartcard and Token adapter. Bit4ID SmartCMS integrates with Smartcards and cryptographic
USB Tokens developed by Bit4ID or by other manufacturers, including Oberthur, Athena,
ST Microelectronics, G&D and Gemalto. The adapter is based on our universal middleware, which
can be easily extended to manage any PKCS#11 compliant smartcard or cryptographic USB
token.
Certification Authority adapter. Our adapter can talk with any PKCS#10 compliant
certification authority, including EJBCA, Verizon Unicert and Entrust. Bit4ID SmartCMS can also
deal with more than one CA at the same time: it is possible to choose programmatically which
one to use according to business requirements.
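As an added illustration of a PKCS#10 adapter choosing among several CAs by a business rule (example code written for this page, not Bit4ID's own adapter; CAProfile, BuildCSR, RouteCSR and the CA names are assumptions), the following Go program builds a request, verifies its proof-of-possession signature and routes it by subject organization:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// CAProfile is one of the CAs the adapter can submit requests to (constructed names, not real CAs).
type CAProfile struct {
	Name string
	Orgs map[string]bool // organizations whose requests this CA is contracted to certify
}

// BuildCSR generates a key pair on the enrolling side and wraps the public half in a
// PKCS#10 request; the private key never leaves the caller, only the DER request does.
func BuildCSR(cn, org string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{org}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der, key, err
}

// RouteCSR validates an incoming PKCS#10 request and picks the CA by a business rule
// (here the subject organization). Requests whose self-signature fails are rejected.
func RouteCSR(der []byte, cas []CAProfile) (string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return "", err
	}
	// Proof of possession: the request must be signed by the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("PKCS#10 signature invalid: %w", err)
	}
	if len(csr.Subject.Organization) != 1 {
		return "", errors.New("request must name exactly one organization")
	}
	org := csr.Subject.Organization[0]
	for _, ca := range cas {
		if ca.Orgs[org] {
			return ca.Name, nil
		}
	}
	return "", fmt.Errorf("no CA configured for organization %q", org)
}
```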
Authentication adapter. System operators can be authenticated with a Smartcard or USB
Cryptographic Token enrolled by the system (via a bootstrap process, so that the first enrolled
Smartcard or Token is the one the Bit4ID SmartCMS administrator will later use to
authenticate), with a username and password combination, or with a Single Sign On based on
SAML assertions.
Printer adapter. Bit4ID SmartCMS can talk with third-party printing systems, exporting the data
needed for smart card personalization, or can enable the enrollment officer to activate a
single smart card with a smart card writer connected to a desktop system. If users are allowed
to self-enroll, printing can be mediated via the user's browser and performed locally.
Database adapter. User data needed for profiles can be retrieved from many different
databases, including Microsoft Active Directory, LDAP systems, Oracle, MySQL and PostgreSQL.
Secure element on Cloud. With the growing need for mobile authentication and digital
signatures, Bit4ID SmartCMS has integrated a technology to generate, manage and use
remote credentials stored on an HSM at the Certification Authority's premises.
Management functions
Smartcard and USB Cryptographic Token life-cycle management. This module manages the
entire life-cycle of a Smartcard or USB Cryptographic Token. Smartcards or Tokens enter the
system without the key pairs needed to operate as digital identity devices. Bit4ID SmartCMS
can track them from this early stage, with stock control integration.
During the enrollment phase, a key pair is generated by the Smartcard or Token and bound to a
digital certificate, but it is also possible to generate the key pair off the Smartcard or Token,
if you need to keep a copy of it in a safe place to prevent key loss. For example, if you need
a certificate to encrypt files, losing the key is equivalent to losing the files, as their original
content can no longer be decrypted. Bit4ID SmartCMS avoids this harmful situation by allowing
a copy of the key pair to be kept inside an HSM, from which it can be retrieved later.
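An added example, not Bit4ID's code, of the escrow workflow described above: the encryption key pair is generated off the card, a copy is wrapped under a key held by a stand-in for the HSM, and the key is recovered after a card loss. Escrow, NewEscrow, Enroll and Recover are assumed names; the in-memory escrow is a constructed substitute for a real HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
)

// Escrow stands in for the HSM of the text (constructed for this example; a real HSM never
// releases its key-encryption key). It keeps one wrapped private key per user.
type Escrow struct {
	kek     cipher.AEAD       // AES-256-GCM under the HSM's key-encryption key
	wrapped map[string][]byte // user id -> nonce || ciphertext of the PKCS#8 private key
}

func NewEscrow() (*Escrow, error) {
	raw := make([]byte, 32)
	rand.Read(raw)
	block, _ := aes.NewCipher(raw) // 32-byte key, so NewCipher cannot fail
	kek, err := cipher.NewGCM(block)
	return &Escrow{kek: kek, wrapped: map[string][]byte{}}, err
}

// Enroll generates the encryption key pair centrally (off the card), archives a wrapped
// copy, and returns the key pair for loading onto the user's smart card or token.
func (e *Escrow) Enroll(userID string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a freshly generated RSA key
	nonce := make([]byte, e.kek.NonceSize())
	rand.Read(nonce)
	// The user id is bound as associated data, so one user's blob cannot be unwrapped as another's.
	e.wrapped[userID] = e.kek.Seal(nonce, nonce, der, []byte(userID))
	return priv, nil
}

// Recover unwraps the archived key after a card loss, so files encrypted to the user's certificate stay readable.
func (e *Escrow) Recover(userID string) (*rsa.PrivateKey, error) {
	blob, n := e.wrapped[userID], e.kek.NonceSize()
	if len(blob) < n {
		return nil, errors.New("no escrowed key for user " + userID)
	}
	der, err := e.kek.Open(nil, blob[:n], blob[n:], []byte(userID))
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	rsaKey, _ := key.(*rsa.PrivateKey) // nil when parsing failed; err carries the reason
	return rsaKey, err
}
```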
Smartcard or USB Cryptographic Token application management. Smartcards or Tokens can
have Java applications on board to perform specialized functions (e.g. a loyalty program, an
electronic wallet or a national services card like Italy's CNS). This module allows managing the
Java applications on board.
Smart card printing and personalization. A smart card can be personalized not only with the
on-board certificates, but also graphically, with printed text and a visible photo of the
card's owner, and electrically, with an RFID chipset and a magnetic stripe. This module
deals with all these different views of a smart card, ensuring that they are always aligned and
correctly exported to the printing system.
Printing systems range from a local device, like a smart card writer connected to the USB port of
the enrollment officer's desktop, to a specialized printer that works in batch queues, or even a
more sophisticated third-party printing and production system.
Certificate and key management. This module deals with the life-cycle of the certificates and
keys throughout the Smartcard's or Token's life, allowing their renewal, revocation and cessation
and communicating this information to the Certification Authority, which manages the Certificate
Revocation List and possibly implements the OCSP protocol. Users can be allowed to perform
maintenance tasks like renewal or revocation (e.g. after a card loss) via a web site, or these
functions can be mediated by a contact centre.
User management. Users, registration officers and support staff are placed in a hierarchy with as
many levels as needed. It is possible to have a simple, flat allocation, a multi-level, polycentric
organization, or anything in between.
Operator rights and profiles management. Operations on the system are authorized through
privileges, which can be grouped into roles. Role organization is flexible and entirely
customizable to meet business requirements. A user can have different roles at different sites
(for example, acting as an identification officer in one city and as an auditor in another),
maximizing operational flexibility and supporting segregation of duties.
Certificate profiles management. Administrators can create certificate profiles, or modify
them by adding or removing attributes, through a web interface.
Aspects
Bit4ID SmartCMS offers some foundational services to all of its components:
High availability. This feature is based on the Bit4ID high-availability solution, which creates a
virtual IP topology on top of the physical nodes. If a node is temporarily unreachable, the other
nodes step in and handle user requests for as long as the failed node remains offline. The same
component allows for load balancing, particularly useful in high-traffic sites.
Logging. Every operation on the system can be logged in a database or in a remote log
management system. Logs are searched through an easy-to-use web interface that allows
filtering by type of operation, author of the operation or time interval. Logs can be stored
remotely on a log server supporting the Syslog and Syslog-NG protocols; the Bit4ID smartLOG
appliance is supported natively.
Auditing. It is possible to define an auditor role, whose holder is notified every time a critical
operation happens in the system, so that they can cross-check and search the system's logs for
relevant entries.
Reporting. Many different reports can be generated and delivered to interested parties, such as
invoicing reports, stock status, and statistics on users and certificates.
Monitoring. Bit4ID SmartCMS RA Server has a simple and effective way to report its status to
network monitoring systems: an HTTP status page.
Bit4ID strengths
A successful PKI deployment is not just a matter of a single system, but the result of
integrating technologies with legal, procedural and organizational requirements and
procedures.
Bit4ID has strong expertise in all the main phases of a PKI deployment, as summarized in
figure 2.
Figure 2: PKI deployment phases
System design. In this initial phase, the main questions to answer concern the users of the
system and how to describe them in a way that is useful to the relevant business processes;
the usage and scope of the keys given to the users; and the operational procedures needed
for the infrastructure.
CA setup. This step delivers a root Certification Authority, usually hosted in a main site and one
or more backup sites, and the intermediate Certification Authorities to which the SmartCMS
connects. It is based partly on the results of the previous phase and partly on more
technological considerations. After the physical deployment, the logical setup is done with a Key
Ceremony, where the systems are initialized with their key pairs and administration tokens.
SmartCMS setup. The SmartCMS needs a connection with the (intermediate) Certification
Authority, so that requests can be correctly processed and authorized, as well as with the smart
card printing systems, which are chosen according to the expected traffic and other
organizational requirements such as secrecy and economic value. This phase revolves around
the setup of the SmartCMS to achieve these goals.
Operations. As registration offices open and registration officers are ready to deal with user
requests, the system progressively becomes able to manage certificates across their entire life-
cycle, from enrollment to revocation, renewal and cessation. In this phase it is important to train
officers and operators, to support the help desk and field engineers with proper tools and
extensive system knowledge, and to keep a close eye on system performance with the monitoring
functions. As a SmartCMS is usually tightly connected to other business systems, Bit4ID
SmartCMS RA Server has a fully accessible API to allow for better integration.
For each of these phases, Bit4ID has developed extensive expertise and deep knowledge in how
to help organizations move quickly from an initial business view to a working system.
Italian Chambers of Commerce (CCIAA, Italy)
Operating since 2011, this system is quite successful, with millions of users who are business
owners and need certificates to access e-government services and to sign documents with
legal validity.
User data are retrieved from Italy’s national businesses registry.
This system talks with two different CAs, according to the customers' business rules, and its
front-end is powered by a cluster of application servers, for better response times and
increased availability.
Notable features:
• 1.2 million users
• 2.5 million certificates
• 20,000 registration officers
• 450 registration offices (covering all 107 provinces of Italy)
• Integration with two Certification Authorities (ARUBA PEC and Infocert)
• Face-to-face identification of users with integrated handling of identity documents
• Stock control integration
• Payment modules with different payment options
• Invoicing reports
• Self-renewal of user certificates via a web site
• Barcode reading of the smart card serial number to ease the enrollment process
• High-availability front-end
College of Notaries (Notartel, Italy)
The Italian Council of Notaries needed a complete solution allowing its members to obtain
digital certificates suited to their needs.
Bit4ID's solution allows notaries to self-manage their enrollment: they can compose their
requests for different kinds of digital certificates and different key usages by accessing a
dedicated and protected web site. Users manage the initialization and setup of their smart
cards (key pair generation) from their web browsers, thanks to our UKC technology.
Certificates can be stored within the HSM and then accessed with an OTP (software or
hardware). Bit4ID developed the entire PKI infrastructure, integrating its services with the
Notartel systems.
Notable features:
• A complete PKI system with Certification Authority based on open source EJBCA CA
• Safenet HSM in High Availability configuration
• Key Ceremony designed and supervised by Bit4ID
• Many different authentication backends: smart card, username and password, Single Sign On with SAML, grid card with secret codes
• Integration with Bit4ID Universal Key Chain as remote identity client
• API integration with Notartel business systems
• High availability front-end system
Consejo General de Colegios Oficiales de Médicos (Spain)
This SmartCMS manages all physicians in Spain, organized in a three-level hierarchical
structure: national, local professional association, hospital.
Each physician is a member of a professional association (there are more than 50 of them in
Spain, one for each of the nation's provinces) and as such can operate in one or more hospitals in
the corresponding area, or choose to work as a general practitioner.
This SmartCMS is integrated with a third-party Certification Authority and retrieves physicians'
data from the different professional associations, acting as a central and unified platform for
managing physicians' digital certificates all over the country.
Each user is enrolled with a smart card or a PKCS#12 software certificate, according to
specific needs.
Notable features:
• 65,000 users
• Integration with AC Camerfirma
• Strong auditing system
• Flexible integrated system for certificate template creation, modification and removal
• Integrated workflow for printing paper contracts
• Powerful template system for emails and signed contracts
Consejo de la Judicatura (Ecuador)
The Judicial Council of Ecuador requested a complete solution for the country's lawyers and
judges, who need to identify themselves, sign and possibly encrypt sensitive documents. Bit4ID
developed the entire PKI infrastructure, including two Certification Authority sites.
Notable features:
• 50,000 users
• Two sites: main and backup
• EJBCA Certification Authority with customization and improvements
• Integration with the Alfresco Enterprise Content Management System
• Auditing log
Trenitalia (Italy)
Trenitalia is the leading Italian railway company. For security reasons, trains are equipped with
a tachograph that produces a digital log, which must be signed by the train's drivers with a smart
card.
Bit4ID's solution allows Trenitalia to enroll smart cards for its drivers, with a central back-end
system managed by the Trenitalia Human Resources division and two Registration Authorities. As of
2015, the system has been operating for more than two years, following a previous implementation,
also developed by Bit4ID, that ran for eight years.
Notable features:
• 30,000 users
• Integration with Baltimore Unicert CA (now Verizon Unicert)
• User base managed by the Trenitalia Human Resources division, via web interface
• User data on an Oracle database
• Publishing a Certificate Revocation List for suspended registration officers' certificates
Buffetti (Italy)
Buffetti is the national chain for professional services to lawyers and accountants in Italy. Bit4ID
developed a solution that enables every shop to act as a Registration Authority. Customers
buy a kit that contains a digital token, and the sales assistants then perform the registration. Bit4ID's
central systems deal with the administrative workflow and, after successful review of the
signed contract, the user can generate his/her certificates via the local browser.
After key pair generation, the software for the desired business function (document signing,
authentication, encryption) pops up automatically on the computer screen and is updated in
the background.
Notable features:
• 20,000 activated tokens
• 650 registration officers
• 450 shops acting as Registration Authorities
• Different and competing Certification Authorities
• Pre-packaged digital identity kits coming in different flavors
• Digital token with a PKCS#12 key and on-board, upgradable software stored on a memory card
• Centralized back-office management system
• Flexible model, adapted to local municipalities
• Business statistics
Macau Post (Macau)
Following the adoption of the EDS Law no. 5/2005 on Electronic Documents and
Signatures, Macao Post backed the newly introduced law by allocating
significant financial resources to establish a Certification Service Provider named eSignTrust, in
full accordance with this law. The duties of eSignTrust are to provide authentication and identity
management services for individuals, organizations and government entities and to carry out all the
essential activities laid down by the law, such as identifying persons requesting certificates and
issuing certificates, using a system that guarantees the reliability of the services provided and
consequently the security of legal transactions.
Macao Post eSignTrust was the first Certification Service Provider to offer a Time Stamping
Service. With the Time Stamping Service in operation, Internet transactions and electronic
documents can be time-stamped (electronically signed) with trusted and accurate time
data.
Bit4ID is the trusted technological partner of eSignTrust, providing a reliable, high-performance PKI
infrastructure for the issuance of millions of time stamps per year.
Notable features:
• Service level up to 99.998%
• 130 transactions executed per second over an Internet connection
• More than 10 million timestamps issued per year