Bit4ID SmartCMS

Credential Management System

Enterprise Public Key Infrastructure


Introduction

Bit4ID has successfully developed many Enterprise Public Key Infrastructures. With over 10 million enrolled users, ranging from state officials to physicians and from train drivers to business owners, our systems are key components for many organizations and central state bodies, offering unparalleled flexibility and exceptional integration with existing infrastructures and business procedures, and delivering value to our users across the entire life-cycle of digital certificates.

This white paper presents the architecture and the main features of Bit4ID SmartCMS - Credential Management System, an Enterprise Public Key Infrastructure system designed and developed by Bit4ID.

SmartCMS brings together the most advanced PKI building blocks developed by Bit4ID, refined with new features and a modularized architecture, and is a cornerstone of our digital DNA architecture and vision.

This paper shows how Bit4ID SmartCMS harmonizes the various elements of a PKI infrastructure with business processes, and illustrates Bit4ID's skills in the design and deployment of integrated, comprehensive solutions. A list of case histories concludes the document.

Architecture and main features

Bit4ID SmartCMS builds on Bit4ID's deep understanding of digital certificate technology, leveraging more than 10 years of expertise in the design and development of state-of-the-art, highly successful, rock-solid solutions.

Figure 1 depicts the modular architecture of the Bit4ID SmartCMS core.


Figure 1: Bit4ID SmartCMS core architecture

Bit4ID SmartCMS core components are grouped in three main areas. The two most important are the adapters, which handle interaction with external elements, and the management functions. The third area, the aspects, provides cross-cutting services such as high availability, logging and monitoring to the other components.

Adapters

Bit4ID SmartCMS offers a great deal of flexibility thanks to its modular architecture and the extensive use of adapters, which allow it to work and interact with a wide range of components in many different scenarios.

Smartcard and Token adapter. Bit4ID SmartCMS integrates with Smartcards and cryptographic USB Tokens developed by Bit4ID or by other manufacturers, including Oberthur, Athena, ST Microelectronics, G&D and Gemalto. The adapter is based on our universal middleware, which can be extended to manage any Smartcard or cryptographic USB Token that exposes a PKCS#11 interface.


Certification Authority adapter. Our adapter can talk to any certification authority that accepts PKCS#10 certificate requests, including EJBCA, Verizon Unicert and Entrust. Bit4ID SmartCMS can also deal with more than one CA at the same time: it is possible to choose programmatically which one to use according to business requirements.
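The exchange behind such an adapter, as an added example in Go using only the standard library; it is not Bit4ID's code. The key pair is generated on the requester's side (standing in for the Token), only a PKCS#10 request leaves it, the RA verifies the request's self-signature as proof of possession of the private key, selects the CA from a routing rule, and that CA signs the certificate. The two CA names, the `caPolicy` routing by organization, the subject names and the leaf profile (one-year validity, digitalSignature, clientAuth) are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caBackend stands in for one CA behind the adapter (assumption: one key each).
type caBackend struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}
// Constructed routing rule: this organization gets a dedicated CA, others defaultCA.
var caPolicy = map[string]string{"Example Hospital": "medical-ca"}
const defaultCA = "corporate-ca"

// newTestCA builds a self-signed CA for the example (constructed, not a real CA).
func newTestCA(name string) (*caBackend, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &caBackend{Cert: cert, Key: key}, err
}

// buildCSR plays the token-side middleware: the key pair is generated on the
// device and only the PKCS#10 request, never the private key, leaves it.
func buildCSR(cn, org string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: cn, Organization: []string{org}},
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csr, err
}

// issueFromCSR is the RA-side step: parse the PKCS#10 request, check the
// proof-of-possession signature, pick the CA and return the DER certificate it issues.
func issueFromCSR(csrDER []byte, cas map[string]*caBackend) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed PKCS#10: %w", err)
	}
	// The self-signature proves the requester holds the private key matching
	// the public key to be certified; an RA must never skip this check.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	org := ""
	if len(csr.Subject.Organization) > 0 {
		org = csr.Subject.Organization[0]
	}
	name, ok := caPolicy[org]
	if !ok {
		name = defaultCA
	}
	ca, ok := cas[name]
	if !ok {
		return nil, fmt.Errorf("no CA configured under name %q", name)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, err
	}
	// Validity and key usage come from the RA's profile, not from the request.
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}
```

With more than one CA configured, the organization in the request decides which one signs, and a request whose signature does not verify is rejected before any CA is involved. In a real deployment the CA is a separate system reached over its own enrollment protocol, and the RA should take the subject from the identity data it has verified rather than copy it from the request unchecked.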

Authentication adapter. System operators can be authenticated with a Smartcard or USB Cryptographic Token enrolled by the system itself, with a username and password combination, or through Single Sign On based on SAML assertions. Token enrollment of operators starts with a bootstrap process: the first Smartcard or Token enrolled is the one that the Bit4ID SmartCMS administrator will later use to authenticate. Because whoever completes that first enrollment becomes the administrator, the bootstrap should be carried out on a trusted workstation and the bootstrap mode closed as soon as the first Token is enrolled.

Printer adapter. Bit4ID SmartCMS can talk to third party printing systems, exporting the data needed for smart card personalization, or can let the enrollment officer activate a single smart card with a smart card writer connected to a desktop system. If users are allowed to self-enroll, printing can be mediated through the user's browser and performed locally.

Database adapter. User data needed for profiles can be retrieved from many different sources, including Microsoft Active Directory, other LDAP directories, Oracle, MySQL and PostgreSQL.

Secure element on Cloud. With the growing need for mobile authentication and digital signatures, Bit4ID SmartCMS has integrated a technology to generate, manage and use remote credentials stored on an HSM at the Certification Authority premises.

Management functions

Smartcard and USB Cryptographic Token life-cycle management. This module manages the entire life-cycle of a Smartcard or USB Cryptographic Token. Smartcards or Tokens enter the system without the key pairs needed to operate as digital identity devices. Bit4ID SmartCMS can track them from this early stage, with stock control integration.

During the enrollment phase a key pair is normally generated by the Smartcard or Token itself: the private key never leaves the device, and the public key is the one certified in the digital certificate. It is also possible to generate a key pair off the Smartcard or Token, if you need to keep a copy of it in a safe place to prevent key loss. As an example, if you need a certificate to encrypt files, loss of the key is equivalent to loss of the files, since their original content can no longer be decrypted. Bit4ID SmartCMS avoids this harmful situation by allowing a copy of the key pair to be kept inside an HSM, where it can be retrieved later. This off-Token generation and archiving is meant for encryption keys: a key used for digital signature or non-repudiation should exist only on the Token, because a copy held elsewhere would undermine the proof that the holder alone could have signed.
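The policy gate and the recovery path for such an archive, as an added example in Go that is not Bit4ID's code: a key for a signature profile is refused off-Token generation, a key for an encryption profile is generated, archived and, once the Token is lost, recovered to decrypt data that had been encrypted for the card. The two profile names, the card identifier and the in-memory map that stands in for the HSM archive are assumptions made for the example; a real HSM would keep the archived key wrapped and release it only to an authorized recovery operator.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// keyProfile is the part of a certificate profile that decides where the key
// may live. The two profiles below are constructed for the example.
type keyProfile struct {
	Name     string
	KeyUsage x509.KeyUsage
}

var (
	signatureProfile  = keyProfile{"signature", x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment}
	encryptionProfile = keyProfile{"encryption", x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment}
)

// escrowAllowed is the policy gate: a key that will sign or commit content
// (non-repudiation) must exist only on the Token, so it may not be archived.
func escrowAllowed(p keyProfile) bool {
	return p.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment) == 0
}

// escrowStore stands in for the HSM-backed key archive. A real HSM would keep
// the key wrapped under its own master key; this map holds PKCS#8 DER in clear
// purely to keep the example self-contained.
type escrowStore struct{ keys map[string][]byte }

func newEscrowStore() *escrowStore { return &escrowStore{keys: map[string][]byte{}} }

// enrol generates the key pair off the Token and archives it, but only for a
// profile the policy allows; the caller then loads the key onto the card.
func (s *escrowStore) enrol(cardID string, p keyProfile) (*rsa.PrivateKey, error) {
	if !escrowAllowed(p) {
		return nil, errors.New("profile " + p.Name + ": key must be generated on the Token, not archived")
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	s.keys[cardID+"/"+p.Name] = der
	return key, nil
}

// recoverKey returns the archived key after the Token has been lost, so that
// data encrypted for the card can still be read.
func (s *escrowStore) recoverKey(cardID string, p keyProfile) (*rsa.PrivateKey, error) {
	der, ok := s.keys[cardID+"/"+p.Name]
	if !ok {
		return nil, errors.New("no escrowed key for " + cardID + "/" + p.Name)
	}
	parsed, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("escrowed key is not RSA")
	}
	return key, nil
}

// encryptForCard and decryptWithKey model file encryption under the card's
// encryption certificate (RSA-OAEP over a short message, for brevity).
func encryptForCard(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func decryptWithKey(key *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
}
```

The gate is checked before any key material exists, so a signature key can never end up in the archive by accident; for an encryption key the archived copy is what makes recovery possible after the card is lost.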


Smartcard or USB Cryptographic Token application management. Smartcards or Tokens can carry Java applications on board to perform specialized functions (e.g. a loyalty program, an electronic wallet or a national services card like Italy's CNS, Carta Nazionale dei Servizi). This module allows the Java applications on board to be managed.

Smart card printing and personalization. A smart card can be personalized not only with the on-board certificates, but also graphically, with printed text and a visible photo of the card's owner, and electrically, with an RFID chipset and a magnetic stripe. This module deals with all these different views of a smart card, ensuring that they are always aligned and correctly exported to the printing system.

Printing systems range from a local device, like a smart card writer connected to the USB port of the enrollment officer's desktop, to a specialized printer that works in batch queues, or even a more sophisticated third party printing and production system.

Certificate and key management. This module deals with the life-cycle of certificates and keys throughout the life of the Smartcard or Token, allowing for their renewal, revocation and termination, and communicates this information to the Certification Authority, which maintains the Certificate Revocation List (CRL) and may also provide an OCSP responder. Users can be allowed to perform maintenance tasks like renewal or revocation (due to a card loss) via a web site, or these functions can be mediated via a contact centre.

User management. Users, registration officers and support staff are placed in a hierarchy with as many levels as needed. It is possible to have a simple, flat allocation, a multi-level, polycentric organization, or anything in between.

Operator rights and profiles management. Operations on the system are authorized through the definition of privileges, which can be grouped into roles. Role organization is flexible and entirely customizable to meet business requirements. A user can hold different roles in different sites (for example acting as an identification officer in one city and as an auditor in another), which maximizes operational flexibility while supporting segregation of duties.

Certificate profile management. Administrators can create certificate profiles, or modify them by adding or removing attributes, through a web interface.


Aspects

Bit4ID SmartCMS offers some foundational services to all of its components:

High availability. This feature is based on the Bit4ID high-availability solution, which creates a virtual IP topology on top of physical nodes. If a node is temporarily unreachable, the other nodes step in and serve user requests for as long as the failed node remains offline. The same component provides load balancing, particularly useful in high-traffic sites.

Logging. Every operation on the system can be logged to a database or to a remote log management system. Logs are searched through an easy to use web interface that allows filtering by type of operation, author of the operation or time interval. Logs can be stored remotely on a log server supporting the Syslog and syslog-ng protocols; the Bit4ID smartLOG appliance is supported natively.

Auditing. It is possible to define an auditor role whose holder is notified every time a critical operation happens in the system, so that they can cross-check it against the relevant entries in the system logs.

Reporting. Many different reports can be generated and delivered to interested parties, such as invoicing reports, stock status, and statistics on users and certificates.

Monitoring. The Bit4ID SmartCMS RA Server has a simple and effective way to report its status to network monitoring systems: an HTTP status page.

Bit4ID strength points

A successful PKI deployment is not only a matter of a single system but the result of integrating technologies with legal, procedural and organizational requirements and procedures.

Bit4ID has strong expertise in all the main phases involved in a PKI deployment, as summarized in figure 2.


Figure 2: PKI deployment phases

System design. In this
