Building Trusted Networks (Manthang)
HCM, 05/2012
In this module we review and apply the knowledge from many earlier modules of the SCNA course to the design and deployment of a trusted network. We also walk through the steps of installing and configuring two small networks, one Windows and one Linux, that use digital certificates to secure communication sessions such as web browsing and e-mail.
Contents

List of figures
List of tables
Foreword
1. Introduction to trusted networks
   1.1 The need for trusted networks
   1.2 Requirements and components of a trusted network
2. Public key infrastructure basics
   1.3 Components of a PKI
   1.4 PKI deployment architectures
3. Building and deploying a trusted network
   1.5 Model and preparation requirements
4.
5.

List of figures
Figure 14 Editing the default GPO to lock the computer automatically when the user removes the smartcard
Figure 15 Creating the domain users
Figure 16 Requiring a smartcard for user logon
Figure 17 Joining the machines to the domain
Figure 18 Installing the Enterprise Subordinate CA
Figure 19 Configuring the Enterprise Subordinate CA
Figure 20 Installing the RA
Figure 21 Creating a website
Figure 22 Creating a certificate request file for the website
Figure 23 Submitting the request and downloading the website certificate
Figure 24 Installing the SSL certificate for the website
Figure 25 Forcing users to access the website over SSL
Figure 26 Verifying access to the website over SSL
Figure 27 Installing EJBCA
Figure 28 Importing the client certificate into the web browser
Figure 29 EJBCA administration home page after installation
Figure 30 Creating an end entity in EJBCA
Figure 31 Downloading the certificate for the Linux workstation
Figure 32 Importing the Linux workstation's certificate into the web browser
Figure 33 Downloading the Linux Root CA certificate to the Windows machine
Figure 34 Importing the Linux Root CA certificate in the Default GPO
Figure 35 Verifying that Windows machines in the domain trust the Linux Root CA certificate
Figure 36 Exporting the Windows Root CA certificate
Figure 37 Importing the Windows Root CA certificate
Mẫn Thắng | manvanthang@gmail.com
FOREWORD

This is the final module in the series of modules of the SCNA curriculum; it brings together the knowledge introduced in the earlier groups of modules. The content of this module goes straight into building and deploying a trusted environment between two small networks, one Windows and one Linux. But first we need to revisit the aspects of a trusted network: what is it? Is it necessary? What are its components? After that, the basics of public key infrastructure (PKI), the system that provides the services for a trusted network, are also covered. The last part presents the steps for installing and configuring a trusted network based on a model with specific requirements.

ACKNOWLEDGEMENTS

This effort and its result are dedicated to my dearest, Yel PA. Cuppy Security, manthang
Figure 1 The perimeter defence layers of a network

Network security today can be defined as ensuring the security (confidentiality, integrity and availability) of communication sessions on the network and protecting the network perimeter. Since external networks are generally untrusted, the tools and techniques above remain very important, but they can only help control and filter the traffic entering and leaving the organisation's internal network. Below we look at the challenges and goals an enterprise actually faces today, to see that perimeter defence alone is not enough.

An enterprise has many customers on different continents, in different countries and regions. Each customer needs to be able to exchange information with the enterprise as quickly as possible. One way to achieve this is to give them a direct connection into the enterprise network. This means that customers, as well as suppliers and partners, need access not only to public information such as the website but also to the enterprise's confidential information. That confidential information is stored inside the enterprise network rather than on public servers such as the web server.
Figure 2 A typical Extranet network model

At this point we need to ask: who might the users outside the organisation be, and how can their communication channels be trusted? Trusted, secure communication channels are always a necessary requirement. So there must be a mechanism to ensure that nobody can eavesdrop on confidential information on the channel. And there must also be measures to make sure that nobody can impersonate a user who has legitimate access to the organisation's network. Answering these questions is what forms what we call a trusted network. In summary, a trusted network must meet the following goals:
- The ability to establish secure communication channels between any two endpoints, such as between employees, customers and partners.
- The ability to identify whether any connection or access request is legitimate or not.
- The ability to authenticate users and devices.
Without the ability to ensure that all of the services above operate correctly in the network, a trusted network cannot be fully established. Defence-oriented networks, by contrast, focus only on these services: confidentiality, integrity and authentication. The six services are discussed further below.

Identification is the first step of the authentication process: a subject provides some data used to identify it (such as a user name, password, PIN, fingerprint, ...) to the authentication service.

Authentication is the process of determining whether someone or something really is who (or what) it claims to be. In other words, it is verifying the identity of a person, a device or a program.

Authorization is the process of determining what an (already authenticated) subject is allowed to do. This step normally happens after authentication.

Confidentiality is ensuring secrecy: only authorised people can read private information.

Integrity is ensuring the accuracy and reliability of information, so that any unauthorised change to the information is detected and prevented.

Non-repudiation is ensuring that the party that sent a message cannot deny sending it and, conversely, that the party that received the message cannot deny knowing about it.

Deploying these services requires the following core technologies:
These technologies interlock to build a trusted network.

Cryptography is the component with the most important role, the heart of any trusted network. It helps ensure confidentiality and integrity for messages, as well as identification and authentication of the parties in a communication session. Fundamentally, cryptography is divided into two main kinds: symmetric and asymmetric encryption. Symmetric encryption is usually called secret-key cryptography because both sides use the same key to encrypt and decrypt. Common symmetric algorithms include 3DES, AES and RC5. Asymmetric encryption is also called public-key cryptography because it uses a pair of keys for encryption and decryption: what is encrypted with the first key (called the public key) can only be decrypted with the second key (called the private key), and vice versa. DSA, RSA and Diffie-Hellman are examples of well-known asymmetric algorithms. Cryptography also has the one-way hash technique: a function that takes a message of arbitrary length and produces a fixed-length string called the hash value. For example, the value produced by the MD5 algorithm is always 128 bits, and for SHA-1 it is 160 bits. A one-way hash function works without any key and, notably, it is very hard (usually impossible) to work back from the final hash value to the original message. It is commonly used to check the integrity of messages and files.

Strong authentication: to meet this requirement, an authentication system must use at least two of the following three factors:
- Something you know: a password or PIN is the typical example of this most common authentication method. It is cheap and easy to deploy, but its weakness is that anyone who learns the secret can gain access to the system.
- Something you have: examples of this method are ATM cards, smart cards, access cards, badges, etc. Its limitation is that these objects can be lost or stolen and abused by someone to gain unauthorised access to the system.
- Something you are: identification based on a unique physical attribute of a person, such as the retina or a fingerprint. This method is effective because it is hard to forge or copy, but it is expensive to deploy.

Two-factor authentication methods seen in practice, such as combining a password with an access card, or a smart card with biometrics, provide more trust and security than just a user name and password for logging in to the system. Cryptographic techniques are also widely applied in authentication methods such as Kerberos, RADIUS, CHAP, NTLM, etc.

Digital signatures are created by combining a hash function with public-key cryptography to ensure integrity, to authenticate the origin of a message and, at the same time, to prevent the sender from denying having created the message. A signature is the hash value of the message encrypted with the sender's private key and attached to the original message. The receiver uses the sender's public key to decrypt the signature, obtaining the message's hash value, and compares it with the value it gets by recomputing the hash over the original message. If the two values match, the receiver can trust that the message was not altered and that it was sent only by the owner of that public key.

Digital certificates: a file that confirms that a public key belongs to a particular entity such as a user, an organisation or a computer, which is verified by a trusted third party usually called a CA (Certificate Authority). A digital certificate contains identifying information about the entity such as its name, address and public key (along with much other information) and is signed with the CA's private key.

Finally, all six services and four technologies above are provided and deployed by a Public Key Infrastructure (PKI), which forms the foundation of trusted networks and which we study in part 2 of this module.
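As an added example (not part of the original document), the following Python walks through the signature construction just described: hash the message, transform the hash with the sender's private key, and let the receiver undo it with the public key and compare. The primes, keys and messages are constructed for illustration; raw textbook RSA with tiny primes is used only so every step is visible, and is not how real signatures are made (those use large keys and a padding scheme).

```python
import hashlib

# Constructed key material (an assumption for this example, not from the lab):
# two small primes so the arithmetic stays readable. Real keys use primes of
# 1024 bits or more plus a padding scheme; raw RSA like this is educational only.
P, Q = 999983, 1000003
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                 # public exponent
D = pow(E, -1, PHI)       # private exponent, inverse of E modulo PHI (Python 3.8+)

PUBLIC_KEY = (N, E)       # published, e.g. inside a certificate
PRIVATE_KEY = (N, D)      # kept secret by the signer


def one_way_hash(message: bytes) -> int:
    """Fixed-length digest of an arbitrary-length message (SHA-256, 256 bits),
    reduced modulo N so that it fits the toy key size."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key) -> int:
    """Signature = hash of the message 'encrypted' with the sender's private key."""
    n, d = private_key
    return pow(one_way_hash(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: 'decrypt' the signature with the public key to recover the
    sender's hash, recompute the hash over the message, and compare."""
    n, e = public_key
    recovered_hash = pow(signature, e, n)
    return recovered_hash == one_way_hash(message)


def demo() -> dict:
    """Three cases: genuine message, altered message, and a signature forged
    by someone without the private key (the forger guesses an exponent)."""
    message = b"Issue a Web Server certificate to sslweb.dmzw.uit.vm"
    signature = sign(message, PRIVATE_KEY)
    altered = message.replace(b"sslweb", b"other")
    forged = pow(one_way_hash(message), 12345, N)   # 12345 is not the real D
    return {
        "genuine": verify(message, signature, PUBLIC_KEY),   # True
        "altered": verify(altered, signature, PUBLIC_KEY),   # False: integrity lost
        "forged": verify(message, forged, PUBLIC_KEY),       # False: wrong origin
    }


if __name__ == "__main__":
    print(demo())
```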
Certificate Authority (CA): a trusted third party responsible for creating, managing, distributing, storing and revoking digital certificates. The CA receives certificate requests and issues certificates only to those whose identity has been verified.

Registration Authority (RA): acts as the intermediary between the CA and users. When a user needs a new digital certificate, they send the request to the RA, which confirms all the required identifying information before forwarding the request to the CA; the CA creates and signs the certificate and returns it to the RA or sends it directly to the user.

Certificate Repository and Archive: there are two important stores in the PKI architecture. The first is a public repository that stores and distributes certificates and the CRL (the list of certificates that are no longer valid). The second is a database the CA uses to back up keys currently in use and to archive expired keys; this store must be protected as securely as the CA itself.

Security Server: a server providing centralised management services for all user accounts, digital certificate security policies, trusted relationships between the CAs in the PKI, reporting and many other services.

PKI-enabled applications and PKI users: the users who consume PKI services and the software that supports installing and using digital certificates, such as web browsers and client-side e-mail applications.
Single CA
Figure 3 Single CA architecture

This is the most basic PKI model, suitable for small organisations, in which a single CA provides services for the whole system and all users place their trust in this CA. Every entity wishing to join the PKI and obtain a certificate must go through this one CA. The model is easy to design and deploy but has its own limitations. The first is scalability when the organisation grows: a single CA struggles to manage and deliver the services well. The second is that this CA is a single point of failure; if it stops working the service is interrupted. Finally, if it is compromised, the trustworthiness of the entire system is endangered and all certificates must be reissued once the CA has been recovered.

Trust List

If there are several standalone CAs in the organisation but no trust relationships between them, users can still interact with all the CAs by using a trust list. Each user then maintains a list of the CAs they trust, and new CAs can easily be added to the list later. This approach is simple, but updating the full set of CAs for a large number of users takes time, and if one CA is compromised there is no alerting system to notify the users who trust that CA of the incident.

Hierarchical PKI

This is the PKI model widely adopted in large organisations. One CA sits at the top level, called the root CA; all remaining CAs are Subordinate CAs (sub. CAs for short) and operate below the root CA. Except for the root CA, every CA has exactly one other CA as its superior. The DNS domain name system on the Internet has a structure similar to this model.
Figure 4 Hierarchical PKI architecture

All entities (users, computers) in the organisation must trust the same root CA. Trust relationships are then established between the sub. CAs and their superiors: the superior CA issues certificates to the sub. CAs directly beneath it. Note that the root CA does not issue certificates directly to end entities; those are issued by the sub. CAs. New CAs can be added directly under the root CA or under lower-level sub. CAs to match changes in the organisation's structure.

The damage differs depending on which CA in this model is compromised. If a sub. CA is compromised, its superior CA revokes the certificate issued to it, and only once the sub. CA has been restored can it issue new certificates to its users again; finally, the superior CA issues it a new certificate. If the root CA is compromised, that is an entirely different matter: the whole PKI is affected. All entities must then be notified of the incident, and until the root CA is recovered and new certificates reissued, no communication session can be considered secure. Therefore, as with the single CA, the root CA must be protected at the highest level to make sure this does not happen; the root CA may even be kept offline, powered off and disconnected from the network.

Mesh PKI

Emerging as the main alternative to the traditional Hierarchical PKI, the Mesh PKI design resembles the Web-of-Trust architecture: no CA acts as root CA and all CAs have equal roles in providing services. Each user in the mesh may trust just one CA of their choice; two or more users need not trust the same CA, and a user receives certificates from whichever CA they trust.

Figure 5 Mesh PKI architecture

The CAs in this model then issue certificates to one another. When two CAs issue certificates to each other, a two-way trust is established between them. New CAs are added by creating such two-way trusts between them and the remaining CAs in the mesh. Because there is no single top-level CA, the damage from an attack on this model differs from the two previous models: the PKI cannot be brought down by the compromise of a single CA. The remaining CAs revoke the certificates they issued to the compromised CA, and only once that CA is back in operation can it issue new certificates to its users and re-establish trust with the remaining CAs in the mesh.
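An added example, not part of the original document: a small Python model of the three architectures above (trust list, hierarchical, mesh). Issued certificates are edges in a trust graph, validation is path building from the relying party's trust anchors, and a compromise is modelled as the superior CAs revoking the compromised CA's certificate, which shows what each architecture loses. The CA and user names are constructed placeholders.

```python
from collections import deque

# Constructed names (an assumption for this example): "Root CA", "Sub CA A",
# "CA1", "user1" and so on are placeholders, not machines from the lab.


class PKI:
    """Trust graph: each issued certificate is an edge issuer -> subject,
    and a revoked certificate is an edge the relying party must not use."""

    def __init__(self):
        self.issued = {}       # issuer -> list of subjects it certified
        self.revoked = set()   # (issuer, subject) pairs on the issuer's CRL

    def issue(self, issuer, subject):
        subjects = self.issued.setdefault(issuer, [])
        if subject not in subjects:
            subjects.append(subject)

    def revoke(self, issuer, subject):
        self.revoked.add((issuer, subject))

    def cross_certify(self, ca1, ca2):
        """Mesh PKI: both CAs certify each other, a two-way trust."""
        self.issue(ca1, ca2)
        self.issue(ca2, ca1)

    def path(self, trust_anchors, target):
        """Build a certification path: breadth-first search from the relying
        party's trust anchors along unrevoked certificates to the target.
        Returns the chain of names, or None if the target cannot be validated."""
        queue = deque((anchor, [anchor]) for anchor in trust_anchors)
        seen = set(trust_anchors)
        while queue:
            node, chain = queue.popleft()
            if node == target:
                return chain
            for subject in self.issued.get(node, []):
                if subject in seen or (node, subject) in self.revoked:
                    continue
                seen.add(subject)
                queue.append((subject, chain + [subject]))
        return None


def trust_list_scenario():
    """Two standalone CAs with no trust between them: a user can validate
    only what the CAs in its own trust list issued, until the list grows."""
    pki = PKI()
    pki.issue("CA1", "user1")
    pki.issue("CA2", "user2")
    before = pki.path(["CA1"], "user2")          # None: CA2 not in the list
    after = pki.path(["CA1", "CA2"], "user2")    # ["CA2", "user2"]
    return before, after


def hierarchical_scenario():
    """One root trusted by everyone; users are certified by sub. CAs only.
    When Sub CA A is compromised the root revokes its certificate, so user1
    can no longer be validated while user2 (under Sub CA B) is unaffected."""
    pki = PKI()
    pki.issue("Root CA", "Sub CA A")
    pki.issue("Root CA", "Sub CA B")
    pki.issue("Sub CA A", "user1")
    pki.issue("Sub CA B", "user2")
    anchors = ["Root CA"]
    before = pki.path(anchors, "user1")          # ["Root CA", "Sub CA A", "user1"]
    pki.revoke("Root CA", "Sub CA A")
    after = (pki.path(anchors, "user1"), pki.path(anchors, "user2"))
    return before, after


def mesh_scenario():
    """Three cross-certified CAs and a relying party that trusts only CA1.
    When CA2 is compromised the other CAs revoke the certificates they issued
    to it: user2 (certified by CA2) is cut off, but user3 is still reachable
    through the CA1 -> CA3 cross-certificate, so one compromised CA does not
    bring the whole mesh down."""
    pki = PKI()
    pki.cross_certify("CA1", "CA2")
    pki.cross_certify("CA2", "CA3")
    pki.cross_certify("CA1", "CA3")
    pki.issue("CA2", "user2")
    pki.issue("CA3", "user3")
    anchors = ["CA1"]
    before = (pki.path(anchors, "user2"), pki.path(anchors, "user3"))
    pki.revoke("CA1", "CA2")
    pki.revoke("CA3", "CA2")
    after = (pki.path(anchors, "user2"), pki.path(anchors, "user3"))
    return before, after


if __name__ == "__main__":
    print(trust_list_scenario())
    print(hierarchical_scenario())
    print(mesh_scenario())
```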
That concludes the overview of PKI; there is much more to this infrastructure that is not covered here because it would go beyond the focus of this module. The next part presents the building and deployment of a trusted environment between two small networks, Windows and Linux, so that workstations can exchange information securely.
Computer name | Full name | Domain | Operating system | Role
RootCA | rootca.uit.vm | uit.vm | Windows Server 2003 | Domain Controller, DNS server, Root CA
SubCA | subca.uit.vm | uit.vm | Windows Server 2003 | Subordinate CA
RA | ra.uit.vm | uit.vm | Windows Server 2003 | Registration Authority
Winclient1 | | uit.vm | Windows XP | Workstation
DMZW | dmzw.uit.vm | uit.vm | Windows Server 2003 | SSL Website, Email Server
LinRootCA | linrootca.uit.vm | | Ubuntu 10.10 | Root CA Server
LinClient1 | | | Ubuntu 11.10 | Workstation
Figure 7 Creating the first domain in a new forest

Step 1-2: Configure DNS
Performed on the RootCA machine
1. Go to Administrative Tools | DNS.
2. Create a Reverse Lookup Zone for the domain uit.vm.
3. Enable the Allow Dynamic Updates option for both the Forward and Reverse zones.
4. Create A records and PTR records for the machines LinRootCA, DMZW and LinClient1.
5. Use the nslookup command to verify that DNS works.

Figure 8 Creating the A records
Installing the CA

Next we add an important component to the domain: the Enterprise Root CA. At this stage it is assumed that the policies required for PKI operation have been created and approved, and that the key servers in the infrastructure have been security-hardened.

Step 1-3: Install the Enterprise Root CA
Performed on the RootCA machine
1. Create a folder C:\labcerts to store the digital certificates and the information about the CAs so that users in the network can read them.
2. Go to Add/Remove Programs, run Add/Remove Windows Components and select the Certificate Services package for installation.
3. Follow the prompts; be sure to choose the Enterprise Root CA option, set the CA name to UIT Root CA, set Store Configuration Information In A Shared Folder to the path C:\labcerts and keep the defaults for the remaining options.
4. Wait for the installation to complete.
1.6.2 Configuring the Enterprise CA

In this part we configure the Enterprise Root CA, covering:
- CRL publication interval: the period after which the CA republishes the certificate revocation list (CRL).
- Certificate templates: the pre-built certificate templates.
- Default GPO: settings so that machines joining the domain automatically receive certificates.
- Domain users: creating the user accounts.
- Hierarchical PKI: creating the CA hierarchy with one Sub. CA and one RA.
Step 2-1: Configure the Enterprise Root CA
Performed on the RootCA machine
1. Go to Administrative Tools | Certification Authority.
2. Expand the UIT Root CA node, right-click Certificate Templates and choose New | Certificate Template to Issue.
3. In the Enable Certificate Templates window, select the two templates Smartcard User and Enrollment Agent and click OK.
4. Back in the Certification Authority window, right-click Revoked Certificates and choose Properties. Change the CRL publication interval to 1 hour. Click OK.
5. Close the CA MMC window to finish.
Figure 11 Setting the CRL publication interval

Certificate Templates

The certificate templates are pre-built by Microsoft, and we just enabled two more (Smartcard User and Enrollment Agent) in the step above. However, for users or computers to receive certificates based on these templates, those objects need the appropriate read and enroll permissions.

Step 2-2: Configure the Certificate Templates
Performed on the RootCA machine
1. Go to Administrative Tools | Active Directory Users and Computers.
2. In the domain uit.vm, create a group named Enrollers, keeping Group scope as Global and Group type as Security.
3. Go to Administrative Tools | Active Directory Sites and Services.
4. Right-click the domain uit.vm and choose View | Show Services Node. Then browse to Services | Public Key Services | Certificate Templates.
5. The right pane lists the certificate templates; double-click the Enrollment Agent row. In the Properties window that opens, select the Security tab, click Add, add the Enrollers group (created above) and grant it the enroll permission (in addition to the pre-selected read permission).
6. Repeat step 5 for the Smartcard User template.
7. Close all MMC windows to finish.
Figure 12 Configuring the Certificate Templates

Group Policy Objects (GPO)

Through a GPO, machines such as domain controllers and domain members can automatically obtain their certificates when they join the domain. A GPO also lets us control how a machine reacts if a logged-on user's smart card is removed from the card reader.

Step 2-3: Edit the Default GPO
Performed on the RootCA machine
1. Open Active Directory Users and Computers. Right-click the domain uit.vm and choose Properties.
2. In the window that opens, select the Group Policy tab, select Default Domain Policy and click Edit.
3. In the GPO Editor window, browse to Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Automatic Certificate Request Settings. In the right pane, right-click and choose New | Automatic Certificate Request.
4. A new window opens; click Next. In the Certificate templates list, select Computer, click Next and finally click Finish. Then do the same for the Domain Controller certificate template.
5. Back in the GPO Editor window, browse to Computer Configuration | Windows Settings | Security Settings | Security Options. In the right pane, double-click the row Interactive logon: Smart card removal behavior.
6. In the window that opens, tick Define this policy setting, choose Lock Workstation and click OK.
7. Close all windows to finish.
Figure 13 Editing the default GPO so that computers in the domain automatically request and receive certificates

Figure 14 Editing the default GPO to lock the computer automatically when the user removes the smartcard
End Entities: Users

In this part we create and configure the domain users, the end entities of the whole CA hierarchy that will take part in the PKI.

Step 2-4: Create the users in the domain
Performed on the RootCA machine
1. Open Active Directory Users and Computers.
2. Create five new users with the logon names enroller1, winuser1, winuser2, winuser3 and winuser4, all members of the Domain Users group; the enroller1 account must additionally be a member of the Enrollers group.
Figure 15 Creating the domain users

Smartcard logon

With the Smartcard User certificate template and suitably configured permissions, a CA can issue users certificates stored on a smartcard. The certificate can then be used for logon, for securing e-mail or for encrypting the file system with EFS. Requiring users to have a smartcard to log on to the domain is a strong authentication measure (two factors: a password and the smartcard) that increases the trustworthiness of the network.
Step 2-5: Configure smartcard logon
Performed on the RootCA machine
1. Open Active Directory Users and Computers.
2. Double-click the winuser1 account to open its Properties window. On the General tab, set E-mail to winuser1@uit.vm. On the Dial-in tab, choose Allow access under Remote Access Permission.
3. On the Account tab, in the Account options list, select Smart card is required for interactive logon, then click OK.
4. Repeat steps 2 and 3 for the winuser2 account.
Figure 16 Requiring a smartcard for user logon

End Entities: Computers

In step 2-3 we configured the GPO so that computers in the network (including the domain controller) automatically receive their certificates when they join the domain. Now we join the machines that are still in a Workgroup to the domain, and then check on the CA whether they have received certificates.
Step 2-6: Join the domain
Performed on the RA, SubCA, Winclient1 and DMZW machines
1. Log on with an administrator account.
2. Set the Preferred DNS Server to the IP address of the RootCA machine (10.0.10.1).
3. Join the machine to the domain uit.vm (using the Administrator account of the RootCA machine).
4. Restart the machine to finish.
Figure 17 Joining the machines to the domain

Creating the CA hierarchy

In this part we create the CA hierarchy for the domain uit.vm following the Hierarchical PKI model: rootca.uit.vm is the Root CA, subca.uit.vm the Subordinate CA and ra.uit.vm the RA.

Step 2-7: Install the Enterprise Subordinate CA
Performed on the SubCA machine
1. Log on to the domain uit.vm with an account that belongs to both the Enterprise Admins and Domain Admins groups (here, the Administrator account).
2. Create a folder at C:\labcerts.
3. Open Add/Remove Windows Components and install the Certificate Services package.
4. Follow the prompts; be sure to choose the Enterprise Subordinate CA option, set the CA name to UIT Sub CA, set Store Configuration Information In A Shared Folder to the path C:\labcerts, set the Parent CA to the RootCA machine and keep the defaults for the remaining options.
Figure 18 Installing the Enterprise Subordinate CA

Configuring the Subordinate CA

Sub. CAs in the hierarchy need not be configured identically to the Root CA, and there are real differences: for example, the validity period of the certificates a sub. CA issues is always shorter than the Root CA's, and this can be controlled at the Root CA.

Step 2-8: Configure the Enterprise Subordinate CA
Performed on the SubCA machine
1. Log on to the domain with an administrator account.
2. Go to Administrative Tools | Certification Authority.
3. Expand the UIT Sub CA node, right-click Certificate Templates and choose New | Certificate Template to Issue.
4. In the Enable Certificate Templates window, select the two templates Smartcard User and Enrollment Agent and click OK.
5. Back in the Certification Authority window, right-click Revoked Certificates and choose Properties. Change the CRL publication interval to 1 hour. Click OK.
6. Right-click UIT Sub CA and choose Properties. On the General tab, click View Certificate to see the information in the SubCA machine's certificate. Confirm that its validity period (Valid from ... to ...) is shorter than that of the Root CA's certificate.
7. Close all windows to finish.
Figure 19 Configuring the Enterprise Subordinate CA

Installing the RA

The RA's functions are simpler than the CA's: it has no authority to create or manage certificates and simply acts as the intermediary between the end entities and the CA. It receives requests and forwards them to the CA; it then receives the CA's response and returns it to the end entity. The RA can be regarded as the client side of the CA, and in Windows it is also referred to as Web Enrollment Support.
Step 2-9: Install the RA
Performed on the RA machine
1. Log on to the domain with an administrator account.
2. Open Add/Remove Windows Components and select the Application Server package (also select the ASP.NET component). Then install the Certificate Services package (note: click Details and select only the Certificate Services Web Enrollment Support item).
3. Follow the installer's prompts; be sure to Browse to UIT Sub CA so that the RA acts as the intermediary between the SubCA machine and the end entities.
4. Wait for the installation to complete.
Figure 20 Installing the RA

SSL Website

Next we create and configure a website that uses SSL. This protects users and the CA while the certificate request and issuance process is carried out through the web interface. The default website (created automatically when IIS is installed) could be used, but the CA installation has placed its virtual directory directly under the default website. So we create a replacement website and configure its properties to support SSL without affecting the default website's settings.
Step 2-10: Install IIS and create a website
Performed on the DMZW machine
1. Log on to the domain with an administrator account.
2. Open Add/Remove Windows Components and select the Application Server package for installation.
3. Create a folder at C:\inetpub\sslweb and in it create a file sslweb.html with the following content:

    <html>
    <head>
    <title> A simple SSL site </title>
    </head>
    <body>
    <H1> This is a secure website </H1>
    <P> This site is protected via SSL. </P>
    </body>
    </html>

4. Go to Administrative Tools | IIS Manager. Right-click Default Web Site and choose Stop.
5. Create a new website with the following settings:
   - Web Site Description: sslweb
   - Keep the IP address and listening port settings
   - Web site home directory: C:\inetpub\sslweb
   - Keep the access permission settings
   - Select sslweb.html as the website's home page
6. Try browsing to http://dmzw.uit.vm and confirm that the content of sslweb.html is displayed. Note: if an authentication prompt appears, log on with the domain administrator account; or, to skip authentication, open the website's Properties, go to the Directory Security tab, click Edit under Authentication and access control and untick Integrated Windows authentication.
Figure 21 Creating a website

Step 2-11: Configure SSL for the website
Performed on several machines
1. In IIS Manager, Stop the sslweb website.
2. In the Properties of sslweb, select the Directory Security tab and click Server Certificate under Secure communications.
3. In the wizard that opens, choose or set the following in turn:
   - Click Create A New Certificate
   - Click Prepare The Request Now, But Send It Later
   - Name: sslweb; Bit Length: 1024
   - Organization: DMZW Sites; Organizational Unit: sslweb
   - Common Name: sslweb.dmzw.uit.vm
   - Country: Vietnam; State: Ho Chi Minh; City: Bien Hoa
   - The file containing the certificate request is named sslwebreq.txt and saved in C:\
4. Open the file C:\sslwebreq.txt and copy its entire contents.
Figure 22 Creating a certificate request file for the website

5. Browse to http://ra.uit.vm/certsrv (use the domain administrator account if prompted to authenticate).
6. On the Microsoft Certificate Services -- UIT Sub CA page, choose or set the following in turn:
   - Click Request a certificate
   - Click Submit an advanced certificate request
   - Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, ...
   - Paste the contents of sslwebreq.txt into the Saved Request box, choose Web Server under Certificate Template and click Submit
   - Choose DER Encoded and click Download CA certificate. Save the file as C:\sslwebcert.cer
Figure 23 Submitting the request and downloading the website certificate

7. Open the Properties of the sslweb website, return to Secure communications, click Server Certificate and then:
   - Choose Process The Pending Request And Install The Certificate
   - Select the certificate just downloaded at C:\sslwebcert.cer
8. Under Secure Communications, click Edit and tick Require Secure Channel and Require 128-bit Encryption.
Figure 25 Forcing users to access the website over SSL

9. On the Web Site tab, enter 443 for SSL Port. Click OK.
10. Start the sslweb website.
11. From the DMZW machine or another machine in the network, browse to http://dmzw.uit.vm. A message says this page must be accessed over HTTPS.
12. Change the address to https://dmzw.uit.vm. A Security Alert reports that the Common name (Subject field) in the certificate, sslweb.dmzw.uit.vm, does not match the domain name in the address, dmzw.uit.vm. Choose Proceed to continue. In production the certificate's Common Name should be the host name users actually type, so that this warning never appears and users are not trained to click through it.
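An added example, not from the original document: Python that reproduces two checks the lab does by eye, the Common Name mismatch behind the Security Alert in step 12 and the nested validity periods confirmed in Step 2-8. The certificates are constructed dictionaries standing in for the real X.509 objects (the dates are assumptions; only the names come from the lab), and the name matching is a simplified form of the RFC 6125 rules.

```python
from datetime import datetime

# Constructed certificates standing in for the lab's chain (Root CA -> Sub CA
# -> web server); the dates are assumptions, only the names come from the lab.
ROOT_CA = {"subject": "UIT Root CA", "issuer": "UIT Root CA",
           "not_before": datetime(2012, 5, 1), "not_after": datetime(2017, 5, 1)}
SUB_CA = {"subject": "UIT Sub CA", "issuer": "UIT Root CA",
          "not_before": datetime(2012, 5, 2), "not_after": datetime(2014, 5, 2)}
WEB_CERT = {"subject": "sslweb.dmzw.uit.vm", "issuer": "UIT Sub CA",
            "not_before": datetime(2012, 5, 3), "not_after": datetime(2013, 5, 3)}


def hostname_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125 matching: exact match, or a single wildcard as the
    left-most label that covers exactly one label (never the parent domain)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        host_labels = host.split(".")
        return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def check_chain(chain: list, host: str, now: datetime) -> list:
    """Return the problems a browser would raise for `chain` (leaf first, root
    last) when the user typed `host` at time `now`; an empty list means OK."""
    problems = []
    leaf = chain[0]
    if not hostname_matches(leaf["subject"], host):
        problems.append(f"common name {leaf['subject']} does not match {host}")
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            problems.append(f"{cert['subject']} is not valid on {now:%Y-%m-%d}")
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if cert["issuer"] != issuer["subject"]:
                problems.append(f"{cert['subject']} was not issued by {issuer['subject']}")
            # The lab's expectation in Step 2-8: a subordinate's validity
            # window lies inside its issuer's window.
            if not (issuer["not_before"] <= cert["not_before"]
                    and cert["not_after"] <= issuer["not_after"]):
                problems.append(f"{cert['subject']} validity exceeds {issuer['subject']}")
    return problems


def lab_step_12() -> dict:
    """The two addresses from steps 11-12: the name in the address must match
    the certificate's Common Name, or the browser shows the Security Alert."""
    chain = [WEB_CERT, SUB_CA, ROOT_CA]
    when = datetime(2012, 6, 1)   # assumed time of the test, inside all windows
    return {
        "https://dmzw.uit.vm": check_chain(chain, "dmzw.uit.vm", when),
        "https://sslweb.dmzw.uit.vm": check_chain(chain, "sslweb.dmzw.uit.vm", when),
    }


if __name__ == "__main__":
    for url, problems in lab_step_12().items():
        print(url, "->", problems or "OK")
```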
Figure 26 Verifying access to the website over SSL

1.6.3 Setting up the Linux CA

In this part, to deploy a PKI CA on Linux we use the open-source EJBCA software instead of the CAtool used in the book, which is far too old and no longer supported.

Introduction

Built on JEE technology, EJBCA is a powerful, stable, high-performance and platform-independent PKI CA that meets the needs of a complete PKI deployment for medium and large organisations. See http://www.ejbca.org/features.html for its features. All the information and documentation needed to use it is available on its home page http://www.ejbca.org/; the installation and configuration steps follow.

Step 3-1: Install EJBCA
Performed on the LinRootCA machine
1. Log in as root.
2. Open a Terminal window; call it ejbca.
3. Copy the two installers jboss-5.1.0.GA-jdk6.zip (JBoss Application Server) and ejbca_4_0_9.zip (EJBCA) into /root. They can be downloaded from:
   http://ncu.dl.sourceforge.net/project/ejbca/ejbca4/ejbca_4_0_9/ejbca_4_0_9.zip
   http://nchc.dl.sourceforge.net/project/jboss/JBoss/JBoss-5.1.0.GA/jboss-5.1.0.GA-jdk6.zip
4. Install the required packages (an Internet connection is needed to download them):
   # apt-get install openjdk-6-jdk ant ant-optional unzip ntp
5. Unpack the two installers:
   # unzip jboss-5.1.0.GA-jdk6.zip
   # unzip ejbca_4_0_9.zip
6. Configure EJBCA so that it can find JBoss:
   # echo "appserver.home=/home/user/jboss-5.1.0.GA" >> ejbca_4_0_9/conf/ejbca.properties
7. Build and deploy EJBCA to JBoss:
   # cd ejbca_4_0_9
   # ant bootstrap
8. Open a new Terminal window, call it jboss, and start JBoss:
   # jboss-5.1.0.GA/bin/run.sh
9. Back in the ejbca window, run the following command to create the CA:
   # ant install
   When prompted for parameters, enter:
   CA name: Linux Root CA
   CN=LinRootCA, O=UIT, C=VN
   httpsserver hostname: linrootca.uit.vm
Figure 27 Installing EJBCA

Accept all the remaining default settings. Then run:
   # ant deploy
10. Back in the jboss window, restart JBoss:
   (press Ctrl-C to stop it)
   # jboss-5.1.0.GA/bin/run.sh
11. The client certificate used to authenticate the SuperAdmin user when accessing the EJBCA administration pages is the file /home/root/ejbca_4_0_9/p12/superadmin.p12. Import it into the web browser; its protection password is ejbca.
Figure 28 Importing the client certificate into the web browser

12. Browse to https://linrootca.uit.vm:8443/ejbca to verify that EJBCA was installed successfully.
Step 3-2: Create and issue a certificate for the Linux workstation
Performed on the LinClient1 machine
1. Browse to https://linrootca.uit.vm:8443/ejbca. In the Miscellaneous group, choose Administration.
2. In the RA Functions group, choose Add End Entity.
3. In the right pane, enter the following:
   End entity profile: EMPTY
   Username: linclient1
   Password: thangmv90
   Email address: linclient1@uit.vm
   CN, Common name: LinClient1
   O, Organization: UIT
   C, Country: VN
   Certificate profile: ENDUSER
   CA: Linux Root CA
   Token: P12 file
   Then click Add.
4. Choose Public Web to return to the EJBCA home page.
5. Under Enroll, choose Create Browser Certificate; in the right pane, log in with Username linclient1 and Password thangmv90.
6. On the EJBCA Token Certificate Enrollment page, under Options choose:
   Key length: 1024 bits (or higher if desired)
   Certificate profile: ENDUSER
   Then click OK. Save the certificate (a file named linclient1.p12) to the Desktop.
Figure 31: Downloading the certificate for the Linux workstation
7. Import the certificate just downloaded into the web browser; its protection password is thangmv90.
Figure 32: Importing the Linux workstation's certificate into the web browser
1.6.4 Creating cross trust
A trusted network environment requires networks of different kinds to be able to trust one another. In this section we create cross trust between the two networks, Windows and Linux: the Root CA of each network will trust the Root CA of the other.
Step 4-1: Trusting the Linux Root CA
Perform on RootCA
1. Log on to the domain with administrative rights.
2. Open Internet Explorer and, as in step 11 of Step 3-1, import the client certificate used to access the EJBCA administration pages.
3. Browse to https://linrootca.uit.vm:8443/ejbca and, under Retrieve, click Fetch CA certificates.
4. On the Fetch CA & OCSP certificates page, click Download to Internet Explorer and save the certificate to the machine. Opening it shows that this Linux Root CA certificate is not yet trusted. We now install it into the Windows Trusted Root Certification Authorities store.
Figure 33: Downloading the Linux Root CA certificate to the Windows machine
5. Open the Default GPO of the domain uit.vm and browse to Computer Configuration | Windows Settings | Security Settings | Public Key Policies | Trusted Root Certification Authorities.
6. Right-click, choose Import and follow the wizard. To apply this GPO immediately on every machine in the domain, so that they too trust the Linux Root CA, go to Start | Run and run gpupdate /force.
Copy the LinuxRootCA certificate to WinClient1 and open it; it is now shown as trusted.
Figure 35: Verifying that the Windows machines in the domain trust the Linux Root CA certificate
Step 4-2: Trusting the Windows Root CA
Perform on both LinRootCA and RootCA
1. On RootCA, open the Certificates MMC, browse to Trusted Root Certification Authorities and export the UIT Root CA certificate. Then copy it to LinRootCA.
Figure 36: Exporting the Windows Root CA certificate
2. On LinRootCA, open the EJBCA administration pages and go to Administration.
3. Under CA Functions, go to Edit Certificate Authorities and click Import CA certificate. Browse to the Windows Root CA certificate copied above and import it.
Verifying trust
In this section we connect from the Linux workstation to the SSL website created in steps 9-10. The first visit produces a Security Alert because the certificate the Sub CA issued to the web server is not yet trusted. We then configure the web browser on the Linux machine to trust the Sub CA and check that the second visit goes through without warnings.
Step 4-3: Verify trust
Perform on LinClient1
1. Browse to http://dmzw.uit.vm; the server responds that HTTPS is required.
2. Browse again to https://dmzw.uit.vm; a warning appears for this website because the Sub CA certificate is not trusted.
3. Connect to http://ra.uit.vm, download the UIT Sub CA certificate and import it into the browser.
4. Reconnect to https://dmzw.uit.vm and accept the Security Warning, which appears because the subject in the certificate does not match the domain name in the address.
5. The SSL website can now be accessed securely.
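The three outcomes of Step 4-3 (no trust anchor for the chain, chain trusted, name in the certificate not matching the site) can be reproduced offline with openssl. This is an added example and not part of the lab: it rebuilds the UIT Root CA > UIT Sub CA > dmzw.uit.vm chain with throwaway keys and constructed subject names, uses a Linux Root CA as the only anchor LinClient1 holds before step 3, and gives the web server a subjectAltName that does match its name, so the mismatch of step 4 is shown by checking a different name.

```shell
#!/bin/sh
# Added example, not from the lab: UIT Root CA -> UIT Sub CA -> dmzw.uit.vm rebuilt
# with throwaway keys (constructed DNs), plus a stand-in Linux Root CA, then the
# three results a client gets when it opens the SSL site.
set -e

# Minimal openssl config so nothing depends on the system openssl.cnf:
# section [ca] marks a CA certificate, [srv] pins the web server to its DNS name.
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=placeholder' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    '[srv]' 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:dmzw.uit.vm' > "$1"
}

selfsign() {   # selfsign DIR NAME SUBJECT: a self-signed root CA
  openssl req -x509 -config "$1/lab.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 30 -subj "$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue() {      # issue DIR NAME SUBJECT ISSUER SECTION: CSR for NAME, signed by ISSUER
  openssl req -new -config "$1/lab.cnf" -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" -CAcreateserial \
    -days 30 -extfile "$1/lab.cnf" -extensions "$5" -out "$1/$2.crt" 2>/dev/null
}

make_lab_pki() {   # make_lab_pki DIR
  mkdir -p "$1"; write_cnf "$1/lab.cnf"
  selfsign "$1" uitroot '/CN=UIT Root CA/O=UIT/C=VN'
  selfsign "$1" linroot '/CN=Linux Root CA/O=UIT/C=VN'    # LinClient1's existing anchor
  issue "$1" uitsub '/CN=UIT Sub CA/O=UIT/C=VN' uitroot ca   # Enterprise Subordinate CA
  issue "$1" dmzw '/CN=dmzw.uit.vm/O=UIT/C=VN' uitsub srv    # SSL web server certificate
  cat "$1/uitroot.crt" "$1/uitsub.crt" > "$1/uit-bundle.crt" # what the client must import
}

# verify_site TRUSTSTORE CERT HOST -> trusted | untrusted | hostname-mismatch
# "untrusted" is the browser's Security Alert, "hostname-mismatch" its Security Warning.
verify_site() {
  if out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" 2>&1)
  then echo trusted
  else case "$out" in *ismatch*) echo hostname-mismatch ;; *) echo untrusted ;; esac
  fi
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); make_lab_pki "$d"
  for ts in linroot uit-bundle; do echo "$ts: $(verify_site "$d/$ts.crt" "$d/dmzw.crt" dmzw.uit.vm)"; done
fi
```

For the warning in step 4 the remedy a defender wants is to reissue the web server certificate with a name that matches dmzw.uit.vm, not to accept the mismatch; the last check in the test below shows what that warning looks like to openssl.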
1.6.5 Securing email
In this section we install and configure a mail server that provides email service to the workstations in both the Windows and the Linux network. Users must use the digital certificates they obtained from the CAs to secure their email exchange, that is, the sender can be verified and the message content is encrypted.
Deploying the mail server
We install MDaemon (free edition) on the DMZW machine for testing in this model. We then configure the user accounts on it. Finally we set up the email clients on Windows and Linux so that users can sign and encrypt their email.
Step 5-1: Install and configure the MDaemon mail server
Perform on DMZW (log on locally with administrative rights)
1. Install MDaemon with the domain name uit.vm and the IMAP/POP3 server dmzw.uit.vm (the detailed steps are in the video).
2. Create two email accounts for the Linux network, linuser1@uit.vm and winuser3@uit.vm.
Step 5-2: Configure the email clients
Perform on WinClient1
1. Log on to the domain with the account winuser3 (winuser1 and winuser2 require a smartcard at logon, so those two accounts cannot be used for this test).
2. Run Outlook Express and set up the email account winuser3@uit.vm, connecting to the mail server dmzw.uit.vm.
3. Request and obtain a digital certificate from the Sub CA for winuser3's email account.
Perform on LinClient1
1. Run Thunderbird and set up the email account linuser1@uit.vm, connecting to the mail server dmzw.uit.vm.
2. Import winuser3's public key into Thunderbird.
Exchange signed and encrypted email between the two accounts (for the detailed steps, please refer to the demonstration video).
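The exchange of Step 5-2, as an added example that is not part of the lab: openssl smime performs the sign-then-encrypt and decrypt-then-verify that Outlook Express and Thunderbird do, with throwaway self-signed certificates for winuser3 and linuser1 (constructed here) standing in for the ones the Sub CA issues. The trust decision in open_mail is the reason step 2 on LinClient1 imports the sender's certificate.

```shell
#!/bin/sh
# Added example, not from the lab: S/MIME mail between winuser3 and linuser1 with
# openssl. Self-signed throwaway certificates replace the Sub CA-issued ones.
set -e

make_user() {   # make_user DIR NAME: key pair and self-signed certificate for NAME
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2/O=UIT/C=VN" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# send_mail DIR SENDER RECIPIENT BODYFILE OUTFILE: sign with the sender's private key,
# then encrypt to the recipient's certificate (what the lab calls their public key).
send_mail() {
  openssl smime -sign -text -in "$4" -signer "$1/$2.crt" -inkey "$1/$2.key" |
    openssl smime -encrypt -aes256 -from "$2@uit.vm" -to "$3@uit.vm" -subject "lab test" \
      -out "$5" "$1/$3.crt"
}

# open_mail DIR READER TRUSTED_SIGNER_CERT MSGFILE: decrypt with the reader's private
# key, then accept the signature only if it chains to a certificate the reader trusts.
# Prints the message body, or "rejected" when either step fails.
open_mail() {
  if text=$(openssl smime -decrypt -in "$4" -recip "$1/$2.crt" -inkey "$1/$2.key" 2>/dev/null |
            openssl smime -verify -text -CAfile "$3" 2>/dev/null); then
    printf '%s\n' "$text" | tr -d '\r'
  else
    echo rejected
  fi
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); make_user "$d" winuser3; make_user "$d" linuser1
  printf 'Signed and encrypted lab message\n' > "$d/body.txt"
  send_mail "$d" winuser3 linuser1 "$d/body.txt" "$d/mail.eml"
  open_mail "$d" linuser1 "$d/winuser3.crt" "$d/mail.eml"   # prints the body
  open_mail "$d" winuser3 "$d/winuser3.crt" "$d/mail.eml"   # rejected: not the recipient
fi
```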
4. CONCLUSION
In this lab we reviewed and applied knowledge from many earlier labs in building and deploying a trusted network. We also learned how to build two small networks, Windows and Linux, that use digital certificates to secure communication sessions such as web browsing and sending email.