
SCNA topic

Building Trusted Networks

Man Thang | manvanthang@gmail.com | http://manthang.wordpress.com

HCM, 05/2012

In this topic we consolidate and apply the knowledge from many earlier topics of the SCNA course to building and deploying a trusted network. We also walk through the steps to install and configure two small networks, one Windows and one Linux, that use digital certificates to secure communication sessions such as web browsing and sending email.


Contents

List of figures ..... 2
List of tables ..... 3
Preface ..... 4
1. Introduction to trusted networks ..... 5
   1.1 The need for trusted networks ..... 5
   1.2 Requirements and components of a trusted network ..... 7
2. Public key infrastructure basics ..... 10
   1.3 Components of a PKI ..... 10
   1.4 PKI deployment architectures ..... 11
3. Building and deploying a trusted network ..... 14
   1.5 Model and preparation requirements ..... 14
   1.6 Implementation steps ..... 16
      1.6.1 Building the Windows domain ..... 16
         Step 1-1: Create the first domain in a new forest ..... 16
         Step 1-2: Configure DNS ..... 17
         Step 1-3: Install the Enterprise Root CA ..... 18
      1.6.2 Configuring the Enterprise CA ..... 19
         Step 2-1: Configure the Enterprise Root CA ..... 19
         Step 2-2: Configure certificate templates ..... 20
         Step 2-3: Edit the Default GPO ..... 21
         Step 2-4: Create the domain users ..... 23
         Step 2-5: Configure smartcard logon ..... 24
         Step 2-6: Join the domain ..... 25
         Step 2-7: Install the Enterprise Subordinate CA ..... 25
         Step 2-8: Configure the Enterprise Subordinate CA ..... 26
         Step 2-9: Install the RA ..... 28
         Step 2-10: Install IIS and create a website ..... 29
         Step 2-11: Configure SSL for the website ..... 30
      1.6.3 Setting up the Linux CA ..... 34
         Step 3-1: Install EJBCA ..... 34
         Step 3-2: Create and issue a certificate for the Linux workstation ..... 38
      1.6.4 Creating cross trust ..... 40
         Step 4-1: Trusting the Linux Root CA ..... 40
         Step 4-2: Trusting the Windows Root CA ..... 42
         Step 4-3: Verify the trust ..... 44
      1.6.5 Securing email ..... 44
         Step 5-1: Install and configure the MDaemon mail server ..... 44
         Step 5-2: Configure the email clients ..... 45
4. Summary ..... 45
5. References ..... 45

LIST OF FIGURES

Figure 1: Network perimeter defence layers ..... 5
Figure 2: A typical Extranet model ..... 6
Figure 3: Single CA architecture ..... 11
Figure 4: Hierarchical PKI architecture ..... 12
Figure 5: Mesh PKI architecture ..... 13
Figure 6: Trusted network deployment model ..... 15
Figure 7: Creating the first domain in a new forest ..... 17
Figure 8: Creating A records ..... 17
Figure 9: Installing the Enterprise Root CA ..... 18
Figure 10: Adding new certificate templates ..... 19
Figure 11: Setting the CRL publication interval ..... 20
Figure 12: Configuring certificate templates ..... 21
Figure 13: Editing the default GPO so that domain computers automatically request and receive certificates ..... 22
Figure 14: Editing the default GPO to lock the computer when the user removes the smartcard ..... 22
Figure 15: Creating the domain users ..... 23
Figure 16: Requiring a smartcard for user logon ..... 24
Figure 17: Joining the machines to the domain ..... 25
Figure 18: Installing the Enterprise Subordinate CA ..... 26
Figure 19: Configuring the Enterprise Subordinate CA ..... 27
Figure 20: Installing the RA ..... 28
Figure 21: Creating a website ..... 30
Figure 22: Creating a certificate request file for the website ..... 31
Figure 23: Submitting the request and downloading the website certificate ..... 32
Figure 24: Installing the SSL certificate on the website ..... 32
Figure 25: Requiring users to access the website over SSL ..... 33
Figure 26: Verifying website access over SSL ..... 34
Figure 27: Installing EJBCA ..... 36
Figure 28: Importing the client certificate into the web browser ..... 37
Figure 29: EJBCA administration home page after installation ..... 37
Figure 30: Creating an end entity in EJBCA ..... 38
Figure 31: Downloading the certificate for the Linux workstation ..... 39
Figure 32: Importing the Linux workstation's certificate into the web browser ..... 40
Figure 33: Downloading the Linux Root CA certificate to a Windows machine ..... 41
Figure 34: Importing the Linux Root CA certificate in the Default GPO ..... 41
Figure 35: Verifying that the domain's Windows machines trust the Linux Root CA certificate ..... 42
Figure 36: Exporting the Windows Root CA certificate ..... 43
Figure 37: Importing the Windows Root CA certificate ..... 43

LIST OF TABLES

Table 1: Deployment preparation requirements ..... 15


PREFACE

This is the final topic in the series that makes up the SCNA curriculum, and it brings together the knowledge introduced in the earlier groups of topics. Its content goes straight into building and deploying a trusted environment between two small networks, one Windows and one Linux. First, however, we revisit the aspects of a trusted network: what it is, whether it is necessary, and what its components are. After that, the basics of public key infrastructure (PKI), the system that provides the services a trusted network relies on, are covered. The last part presents the steps to install and configure a trusted network based on a model with specific requirements.

ACKNOWLEDGEMENTS

This effort and its result are dedicated to my dearest, Yel PA.
Cuppy Security, manthang


1. INTRODUCTION TO TRUSTED NETWORKS

1.1 The need for trusted networks

Many years ago, and perhaps still today, many people hold an incomplete and imprecise notion of network security. They assume that buying some firewall product and changing a few of its settings makes their network secure. If their organisation cares more about network security, an intrusion detection/prevention system (IDS/IPS) and an anti-virus system are deployed as well. Together these components (IDS/IPS, firewall, antivirus) form a solid protective layer for the network perimeter. Even so, they are not enough to meet the secure-connectivity requirements of a networked world as complex as today's.

Figure 1: Network perimeter defence layers

Network security today can be defined as securing (confidentiality, integrity and availability) the communication sessions on the network and protecting the network perimeter. Since external networks are usually untrusted, the tools and techniques above remain very important, but they can only help control and filter the traffic entering and leaving the organisation's internal network. Below we look at the challenges and goals a business typically faces today, to see why perimeter defence alone is not enough.

A business has many customers on different continents, in different countries and regions. Each customer needs to be able to exchange information with the business as quickly as possible. One way to achieve this is to give them a direct connection into the corporate network. That means customers, as well as suppliers and partners, need access not only to public information, such as the website, but also to the business's confidential information. That confidential information is stored inside the corporate network rather than on public servers such as the web server.

Figure 2: A typical Extranet model

At this point we must ask: who might these users outside the organisation be, and how can their communication channels be trusted? Trusted, secure communication channels are always a necessary requirement. So there must be a mechanism to ensure that nobody can eavesdrop on confidential information on the channel, and there must be measures to make sure nobody can impersonate a user with legitimate access rights to the organisation's network. Answering these questions is precisely what forms what we call a trusted network. In short, a trusted network must achieve the following goals:
- the ability to establish secure communication channels between any two endpoints, such as between employees, customers and partners;
- the ability to recognise whether any connection or access request is legitimate or not;
- the ability to authenticate users and devices.


1.2 Requirements and components of a trusted network

When moving from a defence-oriented network to a trusted network, the following essential security services/requirements must be met:
- Identification
- Authentication
- Authorization
- Confidentiality
- Integrity
- Non-repudiation

Without the ability to guarantee that all of these services operate correctly on the network, a trusted network cannot be fully established. Defence-oriented networks, by contrast, focus only on these services: confidentiality, integrity and authentication. The six services are discussed further below.

Identification is the first step of the authentication process: a subject supplies some data used to identify it (such as a user name, password, PIN, fingerprint, ...) to the authentication service.
Authentication is the process of determining whether someone or something really is who (or what) it claims to be. In other words, it verifies the identity of a person, a device or a program.
Authorization is the process of determining what an (already authenticated) subject is allowed to do. This step usually takes place after authentication.
Confidentiality ensures secrecy: only authorised people can read private information.
Integrity ensures the accuracy and reliability of information, and that any unauthorised change to it is detected and prevented.
Non-repudiation ensures that the sender of a message cannot deny having sent it and, conversely, that the receiver of a message cannot deny knowing about it.

Deploying these services requires the following core technologies:


- Cryptography
- Strong authentication
- Digital signatures
- Digital certificates

These technologies fit together to build a trusted network.

Cryptography
This component plays a very important role; it is the heart of any trusted network. It provides confidentiality and integrity for messages, as well as identification and authentication of the parties in a communication session. Cryptography is basically divided into two main kinds: symmetric encryption and asymmetric encryption. Symmetric encryption is often called secret-key cryptography because both parties use the same key to encrypt and decrypt information. Popular symmetric algorithms include 3DES, AES and RC5. Asymmetric encryption is also called public-key cryptography because a pair of keys is needed to encrypt and decrypt. What is encrypted with the first key (called the public key) can only be decrypted with the second key (called the private key), and vice versa. DSA, RSA and Diffie-Hellman are well-known examples of asymmetric algorithms. Cryptography also includes the one-way hash: a function that takes a message of any length and produces a fixed-length string called the hash value. For example, the value produced by the MD5 hash algorithm is always 128 bits, and for SHA-1 it is 160 bits. A one-way hash works without any key and, notably, it is very hard (usually impossible) to work back from the final hash value to the original message. It is commonly used to check the integrity of messages and files.

Strong authentication
To satisfy this requirement, the authentication system must use at least two of the following three factors:
- Something you know: a password or PIN is the typical example of this most common authentication method. It is cheap and easy to deploy, but its drawback is that anyone who learns the secret can gain access to the system.
- Something you have: examples are ATM cards, smart cards, access cards, badges, and so on. The limitation is that these objects can be lost or stolen and abused by someone to gain unauthorised access to the system.
- Something you are: identification based on a unique physical attribute of a person, such as the retina or a fingerprint. This method is effective because it is hard to forge or copy, but it is expensive to deploy.
Two-factor authentication methods seen in practice, such as combining a password with an access card, or a smart card with biometrics, give more trust and security than just a user name and password for logging in to a system. Cryptographic techniques are also widely applied in authentication methods such as Kerberos, RADIUS, CHAP, NTLM, and so on.

Digital signatures
A digital signature is created by combining a hash function with public-key cryptography to ensure integrity, authenticate the origin of a message and, at the same time, prevent the sender from denying having created it. It is a hash value of the message encrypted with the sender's private key and attached to the original message. The receiver uses the sender's public key to decrypt the signature, recovering the message's hash value, and compares it with the value obtained by recomputing the hash over the original message. If the two values match, the receiver can trust that the message has not been altered and that it could only have been sent by the owner of that public key.

Digital certificates
A digital certificate is a file that makes sure a public key belongs to a particular entity, such as a user, an organisation or a computer, and this is verified by a trusted third party usually called a CA (Certificate Authority). A digital certificate contains identifying information about the entity, such as its name, address and public key (along with much other information), and is digitally signed with the CA's private key.

Finally, all six services and four technologies above are provided and deployed by a public key infrastructure (PKI), which forms the foundation of trusted networks and which we will look at in part 2 of this topic.
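The sign-and-verify sequence just described, carried out with openssl as an added example that is not part of the original text: a one-way hash of a constructed message is signed with the sender's private key and checked with the sender's public key, and the check is repeated on a tampered copy to show the integrity failure. The key pair, file names and message text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original text): the digital-signature steps
# described above, performed with openssl. The message and key files below
# are constructed for the demo.

WORK=$(mktemp -d)
MSG="$WORK/message.txt"
SIG="$WORK/message.sig"

# Constructed sample message: the email body the sender wants to protect.
printf 'Meeting moved to 14:00 in room B.\n' > "$MSG"

# Sender key pair. The private key never leaves the sender; the public key
# is what a certificate would carry to the receiver.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/sender.key" 2>/dev/null
openssl pkey -in "$WORK/sender.key" -pubout -out "$WORK/sender.pub" 2>/dev/null

# The one-way hash the signature is built over (SHA-256 here; the MD5 and
# SHA-1 values mentioned in the text are the same operation, shorter output).
digest_of() {         # prints the hex digest of file $1
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Sender side: hash the message and apply the private key to the hash.
sign_file() {         # $1 = file to sign, $2 = output signature file
    openssl dgst -sha256 -sign "$WORK/sender.key" -out "$2" "$1"
}

# Receiver side: recompute the hash and compare it with the signed value
# recovered using the public key. Exit 0 only if they match.
verify_file() {       # $1 = received file, $2 = received signature
    openssl dgst -sha256 -verify "$WORK/sender.pub" -signature "$2" "$1" \
        >/dev/null 2>&1
}

sign_file "$MSG" "$SIG"
echo "digest of message: $(digest_of "$MSG")"
if verify_file "$MSG" "$SIG"; then
    echo "original message : signature OK"
fi

# Change a single detail of the message and verify again: the recomputed
# hash no longer matches the signed one, so the receiver rejects it.
sed 's/14:00/15:00/' "$MSG" > "$WORK/tampered.txt"
if ! verify_file "$WORK/tampered.txt" "$SIG"; then
    echo "tampered message : signature REJECTED"
fi
```

The receiver needs nothing secret: only the public key (in practice delivered inside the sender's certificate) and the signature bytes that travel with the message.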


2. PUBLIC KEY INFRASTRUCTURE BASICS

Built on public-key cryptography, a PKI is a system of software, services, format standards, protocols, procedures and policies that secures communication sessions and makes them trustworthy. A PKI meets the requirements of authentication, confidentiality, integrity and non-repudiation for the messages exchanged.

1.3 Components of a PKI

Besides the basic components mentioned in part 1, namely digital certificates, digital signatures and cryptography, a PKI is made up of the following specialised functional components:
- Certificate Authority
- Registration Authority
- Certificate Repository and Archive
- Security Server
- PKI-enabled applications and PKI users

Certificate Authority (CA): a trusted third party responsible for creating, managing, distributing, storing and revoking digital certificates. The CA receives certificate requests and issues certificates only to those whose identity has been verified.
Registration Authority (RA): acts as an intermediary between the CA and users. When a user needs a new digital certificate, they send a request to the RA, which confirms all the necessary identifying information before forwarding the request to the CA; the CA then creates and signs the certificate and returns it to the RA or sends it directly to the user.
Certificate Repository and Archive: there are two important stores in a PKI architecture. The first is the public repository that stores and distributes certificates and the CRL (the list of certificates that are no longer valid). The second is a database the CA uses to back up the keys currently in use and to archive expired keys; this store must be protected as securely as the CA itself.
Security Server: a server that provides centralised management of all user accounts, the security policies for digital certificates, the trust relationships between the CAs in the PKI, reporting, and many other services.


PKI-enabled applications and PKI users: the users who use the PKI's services, and the software that supports installing and using digital certificates, such as web browsers and client-side email applications.

1.4 PKI deployment architectures

Depending on its requirements, size and capabilities, an organisation can choose to deploy one of the following three common PKI models:
- Hierarchical PKI
- Mesh PKI
- Single CA

Single CA

Figure 3: Single CA architecture

This is the most basic PKI model, suited to small organisations, in which a single CA serves the whole system and all users place their trust in it. Every entity that wants to join the PKI and request a certificate must go through this one CA. The model is easy to design and deploy, but it has its own limitations. The first is scalability: as the organisation grows, one CA can hardly manage and serve the demand well. The second is that this CA is a single point of failure; if it stops working, service stops. Finally, if it is compromised, the trustworthiness of the whole system is endangered and every certificate has to be reissued once the CA is restored.

Trust List
If an organisation has several independent CAs with no trust relationships established between them, users can still interact with all of them by using a trust list. Each user then maintains a list of the CAs they trust, and new CAs can easily be added to it later. This approach is simple, but it takes time to update the CA list for a large number of users, and if a CA is compromised there is no alerting mechanism that informs the users who trust that CA of the incident.

Hierarchical PKI
This is the PKI model widely adopted in large organisations. One CA sits at the top level and is called the root CA; all remaining CAs are Subordinate CAs (sub. CAs for short) and operate below the root CA. Except for the root CA, every CA has exactly one other CA as its superior. The DNS domain name system on the Internet has a structure similar to this model.

Figure 4: Hierarchical PKI architecture

All entities (users, computers) in the organisation must trust the same root CA. Trust relationships are then established between the sub. CAs and their superiors: the superior CA issues certificates to the sub. CAs directly below it. Note that the root CA does not issue certificates to end entities directly; those are issued by the sub. CAs. New CAs can be added directly under the root CA or under lower-level sub. CAs to match changes in the organisation's structure. The damage differs depending on which CA in this model is compromised. If a sub. CA is compromised, its superior CA revokes the certificate it issued to it, and only once the sub. CA has been restored can it issue new certificates to its users again. Finally, the superior CA issues it a new certificate.


If the root CA is compromised, that is an entirely different matter: the whole PKI is affected. All entities must then be notified of the incident, and until the root CA is restored and new certificates are reissued, no communication session is secure. Therefore, as with a single CA, the root CA must be protected at the highest level to make sure this does not happen; the root CA can even be kept offline, powered off and disconnected from the network.

Mesh PKI
Emerging as the main alternative to the traditional Hierarchical PKI model, the Mesh PKI design resembles the Web-of-Trust architecture: no CA acts as the root CA, and all CAs have equal roles in providing service. Every user in the mesh can trust just any one CA; two or more users need not trust the same CA, and a user receives certificates issued by the CA they trust.

Figure 5: Mesh PKI architecture

The CAs in this model then issue certificates to each other. When two CAs issue certificates to each other, a two-way trust is established between them. New CAs can be added by creating two-way trusts between them and the remaining CAs in the mesh. Because there is no single top-level CA, the damage from an attack on this model differs from the two previous models. The PKI cannot be brought down by the compromise of just one CA. The remaining CAs revoke the certificates they issued to the compromised CA, and only once that CA is back in operation can it issue new certificates to its users and re-establish trust with the remaining CAs in the mesh.
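To make the Hierarchical PKI and Trust List descriptions concrete, the following openssl script is an added example; it is not part of the original lab and is not the Windows Certificate Services or EJBCA procedure described later. It builds a root CA, a subordinate CA with a shorter validity period and a server certificate, then runs the chain validation a client performs with three different trust stores: the issuing root alone, an unrelated root alone, and a trust list holding both. The CA names, the host name dmzw.uit.vm, the validity periods and the temporary paths are assumed for the demo.

```shell
#!/bin/sh
# Added example for the Hierarchical PKI and Trust List passages; not part of
# the original lab. It rebuilds the shape of the lab's hierarchy with openssl
# (UIT Root CA -> UIT Sub CA -> server certificate for dmzw.uit.vm) plus one
# independent root standing in for the Linux Root CA. Key sizes, validity
# periods, names and paths are constructed for the demo.

WORK=$(mktemp -d)

# Create a 2048-bit RSA key and a CSR for the given common name.
new_key_and_csr() {   # $1 = file prefix, $2 = CN
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" \
        -out "$WORK/$1.csr" 2>/dev/null
}

# Self-sign a root CA certificate (CA:TRUE, cert/CRL signing only).
make_root() {         # $1 = prefix, $2 = CN, $3 = validity in days
    new_key_and_csr "$1" "$2"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days "$3" \
        -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Have an existing CA sign a new certificate with the extensions in $5.
issue_cert() {        # $1 = prefix, $2 = CN, $3 = issuer prefix, $4 = days, $5 = ext file
    new_key_and_csr "$1" "$2"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days "$4" -sha256 -extfile "$5" -out "$WORK/$1.crt" 2>/dev/null
}

# Validate a leaf the way a client does: trust anchors come from $1, the
# intermediate ($2) is supplied untrusted, and $3 is the leaf under test.
verify_chain() {      # exit 0 only if a chain to a trusted root is found
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 is still valid $2 days from now.
valid_after_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

build_lab() {
    make_root winroot "UIT Root CA" 3650        # long-lived, can stay offline
    make_root linroot "Linux Root CA" 3650      # unrelated second root
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/sub.ext"
    issue_cert subca "UIT Sub CA" winroot 1825 "$WORK/sub.ext"   # shorter than the root
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:dmzw.uit.vm\n' \
        > "$WORK/ee.ext"
    issue_cert dmzw "dmzw.uit.vm" subca 365 "$WORK/ee.ext"
    # A trust list: several independent roots concatenated into one file.
    cat "$WORK/winroot.crt" "$WORK/linroot.crt" > "$WORK/trustlist.pem"
}

report() {
    if verify_chain "$WORK/winroot.crt" "$WORK/subca.crt" "$WORK/dmzw.crt"; then
        echo "trusting UIT Root CA only   : chain OK (built through UIT Sub CA)"
    fi
    if ! verify_chain "$WORK/linroot.crt" "$WORK/subca.crt" "$WORK/dmzw.crt"; then
        echo "trusting Linux Root CA only : rejected (no path to a trusted root)"
    fi
    if verify_chain "$WORK/trustlist.pem" "$WORK/subca.crt" "$WORK/dmzw.crt"; then
        echo "trust list with both roots  : chain OK"
    fi
    if valid_after_days "$WORK/winroot.crt" 3000 && ! valid_after_days "$WORK/subca.crt" 3000; then
        echo "sub CA certificate expires before the root certificate"
    fi
}

build_lab
report
```

The second verification is the trust-list weakness in miniature: a client whose list holds only the Linux root has no path to the Windows-issued server certificate until that root is added, and nothing in the list itself tells the client when one of its entries has been compromised.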

The above is an overview of the main issues in PKI; there is much more to this infrastructure that is not covered here because it would go beyond the focus of this topic. The next part presents the building and deployment of a trusted environment between two small networks, Windows and Linux, so that workstations can exchange information securely.

3. BUILDING AND DEPLOYING A TRUSTED NETWORK

This part consolidates and applies the knowledge from earlier topics such as Cryptography and Data Security, Secure Email, Planning A Trusted Network, and so on. Step by step we build two small networks, Windows and Linux, both of which require digital certificates to access resources or exchange messages. We then establish cross-trust between the two networks and configure an email server that lets workstations on both networks send and receive email in a secure environment. The specific objectives are:
- deploy CAs in both the Windows and the Linux network;
- configure a CA hierarchy on Windows;
- configure a CA on Linux;
- establish cross-trust between the CAs of the Windows and Linux networks;
- deploy and configure the email server and the email clients to exchange email securely between the Windows and Linux networks.

1.5 Model and preparation requirements

To achieve the objectives above, this lab needs 7 machines. The logical network model and the preparation requirements for each machine are as follows:


Figure 6: Trusted network deployment model

| Computer name | Full name         | Domain | IP address    | Operating system    | Role                                   |
|---------------|-------------------|--------|---------------|---------------------|----------------------------------------|
| RootCA        | rootca.uit.vm     | uit.vm | 10.0.10.1 / 8 | Windows Server 2003 | Domain Controller, DNS server, Root CA |
| SubCA         | subca.uit.vm      | uit.vm | 10.0.10.2 / 8 | Windows Server 2003 | Subordinate CA                         |
| RA            | ra.uit.vm         | uit.vm | 10.0.10.3 / 8 | Windows Server 2003 | Registration Authority                 |
| WinClient1    | winclient1.uit.vm | uit.vm | 10.0.10.4 / 8 | Windows XP          | Workstation                            |
| DMZW          | dmzw.uit.vm       | uit.vm | 10.0.20.1 / 8 | Windows Server 2003 | SSL website, email server              |
| LinRootCA     | linrootca.uit.vm  | uit.vm | 10.0.30.1 / 8 | Ubuntu Server 10.10 | Root CA                                |
| LinClient1    | linclient1.uit.vm | uit.vm | 10.0.30.2 / 8 | Ubuntu 11.10        | Workstation                            |

Table 1: Deployment preparation requirements



1.6 Implementation steps

1.6.1 Building the Windows domain

In this part we create a Windows domain (uit.vm) with integrated DNS. Then the machines that do not join this Windows domain, LinRootCA, LinClient1 and DMZW, are configured to sit in the uit.vm DNS namespace as well. The Windows domain uit.vm has one domain controller, the RootCA machine, and three member servers, SubCA, RA and DMZW, plus one client, WinClient1. The two Linux machines, LinRootCA and LinClient1, also join the uit.vm DNS domain, so their full names are linrootca.uit.vm and linclient1.uit.vm respectively. For testing purposes, all 7 machines are assumed to be on the same subnet, 10.x.x.x / 255.0.0.0. The operating system version and the role of each machine are listed in the table above.

Step 1-1: Create the first domain in a new forest
Perform on the RootCA machine
1. Log in with an administrative account.
2. Set the Preferred DNS Server to the machine's own IP address (10.0.10.1).
3. Go to Start | Run and run the dcpromo command to launch the Active Directory installation wizard. Then follow the prompts to install RootCA as the Domain Controller of a new domain (uit.vm) in a new forest.
4. Restart the machine to finish.


Figure 7: Creating the first domain in a new forest

Step 1-2: Configure DNS
Perform on the RootCA machine
1. Go to Administrative Tools | DNS.
2. Create a Reverse Lookup Zone for the uit.vm domain.
3. Enable the Allow Dynamic Updates option on both the Forward and the Reverse zone.
4. Create A records and PTR records for the LinRootCA, DMZW and LinClient1 machines.
5. Use the nslookup command to check that DNS is working.

Figure 8: Creating A records


Installing the CA
Next we add an important component to the domain: the Enterprise Root CA. At this stage it is assumed that the policies needed for the PKI to operate have been created and approved, and that the important servers in the infrastructure have been security-hardened.

Step 1-3: Install the Enterprise Root CA
Perform on the RootCA machine
1. Create a folder C:\labcerts to store the digital certificates and CA information so that users on the network can read them.
2. Go to Add Remove Programs, run Add/Remove Windows Components and select the Certificate Services package for installation.
3. Follow the prompts; be sure to select the Enterprise Root CA option, set the CA name to UIT Root CA, set Store Configuration Information In A Shared Folder to the path C:\labcerts, and leave the remaining options at their defaults.
4. Wait for the installation to complete.

Figure 9: Installing the Enterprise Root CA


1.6.2 Configuring the Enterprise CA

In this part we configure the Enterprise Root CA, covering:
- CRL publication interval: the period after which the CA updates the list of certificates that are no longer valid (the CRL).
- Certificate templates: the ready-made certificate templates.
- Default GPO: settings so that machines joining the domain automatically receive certificates.
- Domain users: creating the user accounts.
- Hierarchical PKI: creating a hierarchical CA structure with one Sub. CA and one RA.

Step 2-1: Configure the Enterprise Root CA
Perform on the RootCA machine
1. Go to Administrative Tools | Certification Authority.
2. Expand the UIT Root CA node, right-click Certificate Templates and choose New | Certificate Template to Issue.
3. In the Enable Certificate Templates window, select the two templates Smartcard User and Enrollment Agent and click OK.
4. Back in the Certification Authority window, right-click Revoked Certificates and choose Properties. Change the CRL publication interval to 1 hour. Click OK.
5. Close the CA MMC window to finish.

Figure 10: Adding new certificate templates


Figure 11: Setting the CRL publication interval

Certificate Templates
The certificate templates are pre-built by Microsoft, and in the step above we enabled two more (Smartcard User and Enrollment Agent). However, for users or computers to receive certificates based on those templates, they need the appropriate read and enroll permissions.

Step 2-2: Configure certificate templates
Perform on the RootCA machine
1. Go to Administrative Tools | Active Directory Users and Computers.
2. In the uit.vm domain, create a group named Enrollers, leaving Group scope as Global and Group type as Security.
3. Go to Administrative Tools | Active Directory Sites and Services.
4. Right-click the uit.vm domain and choose View | Show Services Node. Then browse to Services | Public Key Services | Certificate Templates.
5. The right-hand pane lists the certificate templates; double-click the Enrollment Agent entry. In the Properties window that opens, select the Security tab, click Add, add the Enrollers group (created above) and grant it the enroll permission (in addition to the read permission already selected).
6. Do the same as in step 5 for the Smartcard User template.
7. Close all MMC windows to finish.


Figure 12: Configuring certificate templates

Group Policy Objects (GPO)
Through a GPO, machines such as domain controllers and domain members can automatically obtain their certificates when they join the domain. A GPO also lets us control how a machine reacts if a logged-on user's smart card is removed from the reader.

Step 2-3: Edit the Default GPO
Perform on the RootCA machine
1. Open Active Directory Users and Computers.
2. Right-click the uit.vm domain and choose Properties. In the window that opens, select the Group Policy tab, select Default Domain Policy and click Edit.
3. In the GPO Editor window, browse to Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Automatic Certificate Request Settings. In the right-hand pane, right-click and choose New | Automatic Certificate Request.
4. A new window opens; click Next. In the Certificate templates list, select Computer, click Next and finally click Finish. Then do the same for the Domain Controller certificate template.
5. Back in the GPO Editor window, browse to Computer Configuration | Windows Settings | Security Settings | Security Options. In the right-hand pane, double-click Interactive logon: Smart card removal behavior.
6. In the window that opens, tick Define this policy setting, select Lock Workstation and click OK.
7. Close all windows to finish.

Figure 13: Editing the default GPO so that domain computers automatically request and receive certificates

Figure 14: Editing the default GPO to lock the computer when the user removes the smartcard


End Entities: users
In this part we create and configure the domain users, which are the end entities in the whole CA hierarchy that will take part in the PKI.

Step 2-4: Create the domain users
Perform on the RootCA machine
1. Open Active Directory Users and Computers.
2. Create 5 new users with the logon names enroller1, winuser1, winuser2, winuser3 and winuser4. All of them belong to the Domain Users group; the enroller1 account must additionally be in the Enrollers group.

Figure 15: Creating the domain users

Smartcard logon
With the Smartcard User certificate template and sensibly configured permissions, a CA can issue users certificates stored on a smartcard. The certificate can then be used to log on, to secure email, or to encrypt the file system with EFS. Requiring users to have a smartcard to log on to the domain is a strong-authentication measure (two factors: the password and the smartcard) that raises the trustworthiness of the network.


Step 2-5: Configure smartcard logon
Perform on the RootCA machine
1. Open Active Directory Users and Computers.
2. Double-click the winuser1 account to open its Properties window. On the General tab, set E-mail to winuser1@uit.vm. On the Dial-in tab, select Allow access under Remote Access Permission.
3. On the Account tab, under Account options, select Smart card is required for interactive logon, then click OK.
4. Repeat steps 2 and 3 for the winuser2 account.

Figure 16: Requiring a smartcard for user logon

End Entities: computers
In step 2-3 we configured the GPO so that computers on the network (including the domain controller) automatically receive their certificates when they join the domain. Now we make the machines that are still in a Workgroup join the domain, and then check in the CA whether they have received certificates.


Step 2-6: Join the domain
Perform on the RA, SubCA, WinClient1 and DMZW machines
1. Log in with an administrative account.
2. Set the Preferred DNS Server to the IP address of the RootCA machine (10.0.10.1).
3. Join the machine to the uit.vm domain (using the Administrator account of the RootCA machine).
4. Restart the machine to finish.

Figure 17: Joining the machines to the domain

Creating the CA hierarchy
In this part we build a hierarchy following the Hierarchical PKI model for the uit.vm domain: the machine rootca.uit.vm is the Root CA, subca.uit.vm is the Subordinate CA and ra.uit.vm is the RA.

Step 2-7: Install the Enterprise Subordinate CA
Performed on the SubCA machine
1. Log on to the uit.vm domain with an account that belongs to both the Enterprise Admins and Domain Admins groups (here, the Administrator account).
2. Create a folder at C:\labcert.
3. Open Add/Remove Windows Components and install the Certificate Services package. Follow the wizard; make sure to select the Enterprise Subordinate CA option, set the CA name to UIT Sub CA, set Store Configuration Information In A Shared Folder to the path C:\labcerts, choose the RootCA machine as the Parent CA and leave the remaining options at their defaults.

Wait for the installation to complete.

Figure 18: Installing the Enterprise Subordinate CA

Configuring the Subordinate CA
A Sub CA in the hierarchy does not have to be configured identically to the Root CA, and in fact it differs: the validity period of the certificates it issues is always shorter than that of the Root CA, and this can be controlled at the Root CA.

Step 2-8: Configure the Enterprise Subordinate CA
Performed on the SubCA machine
1. Log on to the domain with an administrator account.
2. Go to Administrative Tools | Certification Authority.
3. Expand the UIT Sub CA node, right-click Certificate Templates and choose New | Certificate Template to Issue.
4. In the Enable Certificate Templates window, select the two templates Smartcard User and Enrollment Agent, then click OK.
5. Back in the Certification Authority window, right-click Revoked Certificates and choose Properties. Change CRL publication interval to 1 hour and click OK.
6. Right-click UIT Sub CA and choose Properties. On the General tab, click View Certificate to inspect the information in the SubCA machine's certificate. Confirm that its validity period (Valid from ... to ...) is shorter than that of the Root CA's certificate.
7. Close all windows to finish.

Figure 19: Configuring the Enterprise Subordinate CA

Installing the RA
The functions of an RA are simpler than those of a CA: it has no authority to create or manage certificates and simply acts as an intermediary between the end entities and the CA. It receives requests and forwards them to the CA, then takes the CA's response and returns it to the end entity. The RA can be regarded as the client side of the CA; in Windows it is referred to as Web Enrollment Support.

Step 2-9: Install the RA
Performed on the RA machine
1. Log on to the domain with an administrator account.
2. Open Add/Remove Windows Components and install the Application Server package (include the ASP.NET component). Then install the Certificate Services package (note: click Details and select only Certificate Services Web Enrollment Support).
3. Follow the installer's instructions; make sure to Browse to UIT Sub CA so that the RA acts as the intermediary between the SubCA machine and the end entities.
4. Wait for the installation to complete.

Figure 20: Installing the RA

SSL Website
Next we create and configure a website that uses SSL. This protects both the user and the CA while certificate requests and issuance go through the web interface. The default Website (created automatically when IIS is installed) could be used here, but the CA installation places its virtual directory directly under the default Website. We therefore create a separate website and configure its properties to support SSL without affecting the CA's settings under the default Website.


Step 9-10: Install IIS and create a website
Performed on the DMZW machine
1. Log on to the domain with an administrator account.
2. Open Add/Remove Windows Components and install the Application Server package.
3. Create a folder at C:\inetpub\sslweb and inside it create a file sslweb.html with the following content:

    <html>
      <head>
        <title>A simple SSL site</title>
      </head>
      <body>
        <h1>This is a secure website</h1>
        <p>This site is protected via SSL.</p>
      </body>
    </html>

4. Go to Administrative Tools | IIS Manager. Right-click Default Web Site and choose Stop.
5. Create a new website with the following settings:
   - Web Site Description: sslweb
   - Keep the default IP address and listening port settings
   - Web site home directory page: C:\inetpub\sslweb
   - Keep the default access permission settings
6. Set sslweb.html as the website's home page.

Try browsing to http://dmzw.uit.vm and confirm that the content of sslweb.html is displayed. Note: if an authentication prompt appears, log on with a domain administrator account; to skip authentication instead, open the website's Properties, go to the Directory Security tab, click Edit under Authentication and access control, and untick Integrated Windows authentication.


Figure 21: Creating a website

Step 2-11: Configure SSL for the website
Performed on several machines
1. In IIS Manager, Stop the sslweb website.
2. In the Properties of sslweb, open the Directory Security tab and click Server Certificate under Secure communications.
3. In the wizard that appears, choose or enter the following in turn:
   - Click Create A New Certificate
   - Click Prepare The Request Now, But Send It Later
   - Name: sslweb; Bit Length: 1024
   - Organization: DMZW Sites; Organizational Unit: sslweb
   - Common Name: sslweb.dmzw.uit.vm
   - Country: Vietnam; State: Ho Chi Minh; City: Bien Hoa
   - Save the file containing the certificate request as sslwebreq.txt in C:\
4. Open the file C:\sslwebreq.txt and copy its entire content.

Figure 22: Creating a certificate request file for the website

5. Browse to http://ra.uit.vm/certsrv (use a domain administrator account if prompted to authenticate).
6. In the Microsoft Certificate Services -- UIT Sub CA interface, choose or enter the following in turn:
   - Click Request a certificate
   - Click Submit an advanced certificate request
   - Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, ...
   - Paste the content of sslwebreq.txt into the Saved Request box, choose Web Server under Certificate Template and click Submit.
   - Choose DER Encoded and click Download CA certificate. Save the file as C:\sslwebcert.cer

Figure 23: Submitting the request and downloading the certificate for the website

7. Open the Properties of the sslweb website, return to Secure communications, click Server Certificate and then:
   - Choose Process The Pending Request And Install The Certificate
   - Choose the certificate just downloaded at C:\sslwebcert.cer

Figure 24: Installing the SSL certificate on the website

8. Under Secure Communications, click Edit and tick Require Secure Channel and Require 128-bit Encryption.

Figure 25: Forcing users to access the website over SSL

9. Go to the Web Site tab and enter 443 in SSL Port. Click OK.
10. Start the sslweb website.
11. From DMZW or another machine in the network, browse to http://dmzw.uit.vm. A message states that this page must be accessed over HTTPS.
12. Replace the address with https://dmzw.uit.vm. A Security Alert reports that the Common name (Subject field) in the certificate, sslweb.dmzw.uit.vm, does not match the domain name in the address, dmzw.uit.vm. Choose Proceed to continue.


Figure 26: Testing access to the website over SSL

1.6.3 Setting up the Linux CA
In this part we deploy the PKI CA infrastructure on Linux using the open-source software EJBCA, in place of the CAtool utility used in the book, which is too old and no longer supported.

Introduction
Built on JEE technology, EJBCA is a powerful, stable, high-performance and platform-independent PKI CA that meets the needs of a complete PKI deployment for medium and large organizations. See its feature list at http://www.ejbca.org/features.html. All the information and documentation needed to use it is available on the home page http://www.ejbca.org/. The installation and configuration steps follow.

Step 3-1: Install EJBCA
Performed on the LinRootCA machine
1. Log on with the root account.
2. Open a Terminal window named ejbca.
3. Copy the two installers jboss-5.1.0.GA-jdk6.zip (JBoss Application Server) and ejbca_4_0_9.zip (EJBCA) into the /root directory. They can be downloaded from:
   http://ncu.dl.sourceforge.net/project/ejbca/ejbca4/ejbca_4_0_9/ejbca_4_0_9.zip
   http://nchc.dl.sourceforge.net/project/jboss/JBoss/JBoss-5.1.0.GA/jboss-5.1.0.GA-jdk6.zip
4. Install the required packages (an Internet connection is needed to fetch them):
   # apt-get install openjdk-6-jdk ant ant-optional unzip ntp
5. Unpack the two installers:
   # unzip jboss-5.1.0.GA-jdk6.zip
   # unzip ejbca_4_0_9.zip
6. Configure EJBCA so that it can find JBoss:
   # echo "appserver.home=/home/user/jboss-5.1.0.GA" >> ejbca_4_0_9/conf/ejbca.properties
7. Build and deploy EJBCA into JBoss:
   # cd ejbca_4_0_9
   # ant bootstrap
8. Open a new Terminal window named jboss and start JBoss:
   # jboss-5.1.0.GA/bin/run.sh
9. Return to the ejbca window and run the following command to create the CA:
   # ant install
   When prompted for parameters, enter:
   CA name: Linux Root CA
   CN=LinRootCA, O=UIT, C=VN
   httpsserver hostname: linrootca.uit.vm

Figure 27: Installing EJBCA

   Accept the defaults for all remaining settings. Then run:
   # ant deploy
10. Return to the jboss window and restart JBoss (press Ctrl-C to stop it, then start it again):
   # jboss-5.1.0.GA/bin/run.sh
11. The client certificate used to authenticate the SuperAdmin user on the EJBCA administration page is the file /home/root/ejbca_4_0_9/p12/superadmin.p12. Import it into the web browser; its protection password is ejbca.

Figure 28: Importing the client certificate into the web browser

12. Browse to https://linrootca.uit.vm:8443/ejbca to verify that EJBCA was installed successfully.

Figure 29: The EJBCA administration home page after installation


Step 3-2: Create and issue a certificate for the Linux workstation
Performed on the LinClient1 machine
1. Browse to https://linrootca.uit.vm:8443/ejbca. In the Miscellaneous group, choose Administration.
2. In the RA Functions group, choose Add End Entity.
3. In the right-hand pane, enter the following:
   End entity profile: EMPTY
   Username: linclient1
   Password: thangmv90
   Email address: linclient1@uit.vm
   CN, Common name: LinClient1
   O, Organization: UIT
   C, Country: VN
   Certificate profile: ENDUSER
   CA: Linux Root CA
   Token: P12 file
   Then click Add.

Figure 30: Creating an end entity in EJBCA

4. Choose Public Web to return to the EJBCA home page.
5. Under Enroll, choose Create Browser Certificate and, in the right-hand pane, log in with Username linclient1 and Password thangmv90.
6. On the EJBCA Token Certificate Enrollment page, under Options choose Key length: 1024 bits (or higher if desired) and Certificate profile: ENDUSER, then click OK. Save the certificate (the file is named linclient1.p12) to the Desktop.

Figure 31: Downloading the certificate for the Linux workstation

7. Import the certificate just downloaded into the browser, using the protection password thangmv90.


Figure 32: Importing the Linux workstation's certificate into the web browser

1.6.4 Creating the Cross Trust
A trusted network environment requires different kinds of networks to be able to trust each other. In this part we create a cross trust between the two networks, Windows and Linux, so that the Root CA of each network trusts the Root CA of the other.

Step 4-1: Trusting the Linux Root CA
Performed on the RootCA machine
1. Log on to the domain with administrator rights.
2. Open Internet Explorer and, as in step 11 of Step 3-1, import the client certificate used to access the EJBCA administration page.
3. Browse to https://linrootca.uit.vm:8443/ejbca and under Retrieve click Fetch CA certificates.
4. On the Fetch CA & OCSP certificates page, click Download to Internet Explorer and choose to save the certificate to the machine. Opening it shows that this Linux Root CA certificate is not yet trusted. We now install it into the Windows Trusted Root Certification Authorities store.

Figure 33: Downloading the Linux Root CA certificate to the Windows machine

5. Open the Default GPO of the uit.vm domain and browse to Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Trusted Root Certification Authorities.
6. Right-click, choose Import and follow the wizard. To push this GPO immediately to all machines in the domain, so that they also trust the Linux Root CA, go to Start | Run and run the command gpupdate /force.

Figure 34: Importing the Linux Root CA certificate in the Default GPO

Copy the Linux Root CA certificate to the WinClient1 machine and open it: the certificate is now trusted.

Figure 35: Checking that Windows machines in the domain trust the Linux Root CA certificate

Step 4-2: Trusting the Windows Root CA
Performed on the LinRootCA and RootCA machines
1. On the RootCA machine, open the Certificates MMC, browse to Trusted Root Certification Authorities and Export the UIT Root CA certificate. Then copy it to the LinRootCA machine.

Figure 36: Exporting the Windows Root CA certificate

2. On the LinRootCA machine, open the EJBCA administration page and go to Administration.
3. Under CA Functions, open Edit Certificate Authorities and click Import CA certificate. Browse to the Windows Root CA certificate copied above and Import it.

Figure 37: Importing the Windows Root CA certificate


Testing the trust
In this part we connect from the Linux workstation to the SSL website created in step 9-10. On the first visit a Security Alert appears because the certificate issued to the web server by the Sub CA is not yet trusted. We then configure the web browser on the Linux machine to trust the Sub CA and check that the second visit proceeds smoothly.

Step 4-3: Test the trust
Performed on the LinClient1 machine
1. Browse to http://dmzw.uit.vm; a message states that HTTPS is required.
2. Browse again using https://dmzw.uit.vm; a warning appears for this website because the Sub CA's certificate is not trusted.
3. Connect to http://ra.uit.vm, download the UIT Sub CA certificate and import it into the browser.
4. Connect again to https://dmzw.uit.vm and accept the Security Warning caused by the certificate subject not matching the domain in the address.
5. The SSL website can now be accessed securely.
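The two warnings LinClient1 sees in Step 4-3, and the name mismatch from step 12 of Step 2-11, come from checks every TLS client runs before trusting a server certificate. The following Python model is an added example, not part of the lab: it reproduces those checks on the lab's own names (UIT Root CA, UIT Sub CA, sslweb.dmzw.uit.vm), with constructed CA lifetimes, and its validity-nesting check is the property Step 2-8 asks you to confirm on the Sub CA certificate.

```python
"""Trust checks a browser runs on the lab's SSL site: added example, not from the lab."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str      # Common Name
    issuer: str       # Common Name of the issuing CA
    not_before: date
    not_after: date


def hostname_matches(common_name, host):
    """Case-insensitive exact match; a leading '*.' matches exactly one label."""
    cn, host = common_name.lower(), host.lower()
    if cn.startswith("*.") and cn.count(".") == host.count("."):
        return host.split(".", 1)[1] == cn[2:]
    return cn == host


def validate(leaf, intermediates, trusted, host, today):
    """Return the problems a client would report; an empty list means trusted."""
    problems = []
    if not hostname_matches(leaf.subject, host):
        problems.append(f"name mismatch: cert is for {leaf.subject}, not {host}")
    known = {c.subject: c for c in intermediates + trusted}
    anchors = {c.subject for c in trusted}
    cert = leaf
    while cert.subject not in anchors:          # walk up until a trust anchor
        if not cert.not_before <= today <= cert.not_after:
            problems.append(f"{cert.subject} is not valid on {today}")
        issuer = known.get(cert.issuer)
        if issuer is None:
            problems.append(f"issuer {cert.issuer} is not trusted")
            break
        # Step 2-8: a certificate must fit inside its issuer's own lifetime
        if not (issuer.not_before <= cert.not_before and cert.not_after <= issuer.not_after):
            problems.append(f"{cert.subject} outlives its issuer {issuer.subject}")
        cert = issuer
    return problems


# Constructed lifetimes for the lab hierarchy; the Sub CA expires before the Root CA.
ROOT = Cert("UIT Root CA", "UIT Root CA", date(2012, 1, 1), date(2017, 1, 1))
SUB = Cert("UIT Sub CA", "UIT Root CA", date(2012, 1, 1), date(2014, 1, 1))
WEB = Cert("sslweb.dmzw.uit.vm", "UIT Sub CA", date(2012, 5, 1), date(2013, 5, 1))
TODAY = date(2012, 5, 15)
# LinClient1's first visit (nothing from the Windows PKI trusted yet) and the
# second visit after importing the UIT Sub CA certificate into the browser.
FIRST_VISIT = validate(WEB, [], [], "dmzw.uit.vm", TODAY)
SECOND_VISIT = validate(WEB, [], [SUB], "dmzw.uit.vm", TODAY)
```

Only the name mismatch survives the Sub CA import, which is why step 4 of Step 4-3 still has to accept a Security Warning; requesting the certificate with Common Name dmzw.uit.vm would remove it.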

1.6.5 Securing e-mail
In this part we install and configure a mail server that provides e-mail service to the workstations in both the Windows and the Linux network. Users must use the digital certificates obtained from the CAs to secure their e-mail exchange, that is, to confirm who the sender is and to encrypt the message content.

Deploying the mail server
We install the MDaemon software (free edition) on the DMZW machine for testing in this model. We then configure the user accounts on it. Finally we set up the e-mail clients on Windows and Linux so that users can digitally sign and encrypt their e-mail.

Step 5-1: Install and configure the MDaemon mail server
Performed on the DMZW machine (logged on locally with admin rights)
1. Install MDaemon with the domain name uit.vm and the IMAP/POP3 server dmzw.uit.vm (the detailed steps are shown in the video).
2. Create two e-mail accounts: linuser1@uit.vm and winuser3@uit.vm.

Step 5-2: Configure the e-mail clients
Performed on the WinClient1 machine
1. Log on to the domain with the winuser3 account (winuser1 and winuser2 require a smart card to log on, so these two accounts cannot be used for this test).
2. Run Outlook Express and set up the e-mail account winuser3@uit.vm, connecting to the mail server dmzw.uit.vm.
3. Request and obtain a digital certificate from the Sub CA for winuser3's e-mail account.

Performed on the LinClient1 machine
1. Run Thunderbird and set up the e-mail account linuser1@uit.vm, connecting to the mail server dmzw.uit.vm.
2. Import winuser3's public key into Thunderbird.

Exchange signed and encrypted e-mail between these two accounts. (For the detailed steps, please refer to the demonstration video.)

4. SUMMARY
In this topic we reviewed and applied knowledge from many earlier topics to build and deploy a trusted network. We also learned to build two small networks, Windows and Linux, that use digital certificates to secure communication sessions such as web browsing and e-mail.

5. REFERENCES

SCNA Enterprise Solutions Study Guide, Element K, 2004.