ScorpionSting Absent Member.
Absent Member.
1174 views

PKI HSM

Anyone looked into, or even using, a HSM appliance for eDirectory & IDM's CA & certs?

Apparently we're getting the Thales appliance(s) to build a "PKI infrastructure with a single CA" and I've been asked about having all our "stuff" (NetIQ) using it...basically the org wants to snoop all encrypted traffic on the network.

Visit my Website for links to Cool Solution articles.
Labels (1)
0 Likes
5 Replies
Knowledge Partner Knowledge Partner
Knowledge Partner

Re: PKI HSM

No, but a few things to consider.

Most things do not use eDirectory certificates, so just having
eDirectory's CA be minted from something else will not help with trust
directly. I'm sure you know this, but figured I would point it out for
others who find this thread in the future. Every client that will trust
any certificate will need to explicitly trust either that cert (does not
scale) or the CA of that certificate, but that means that CA must be
pushed out to all clients (again, scaling is often painful, especially in
our BYOD world). You can do all of this without buying anything fancy;
the openssl command on every server in the world can create a CA as easily
as anything and for free, and the steps to deploy that certificate are
identical to any hardware-based paid-for certificate. HSMs may do more,
but before we get into that let's chat some more.

Second, just because you own the CA does not mean you own the certificates
the CA signs. A CA should typically not ever see the private key, though
I suppose if you control the process in-house you could mandate those for
whom you sign also give you the Private Key for the various certificates,
though that's a terrible procedure from a security perspective. In the
case of HSMs, sometimes they do handle everything about crypto (referring
to SSL termination), but I am not sure how that would work with eDirectory
or IDM. eDir/IDM must have the certificates, including the private key,
within eDirectory in order to use those for encryption/decryption. As a
result the next bit applies.

Third, even if you have those private keys, everything, including
eDirectory, is moving to, or has already moved to, ephemeral ciphersuites,
like ECDHE, which means that new asymmetric keys are generated on the fly,
giving Perfect Forward Secrecy (PFS) per connection, meaning you need more
than the private key to decrypt the connection. That's not impossible
either, but if you can do that ever, you can do that without bothering
with anything CA-related. I suppose you could disable the stronger
ciphersuites but it's bad for security (ironic since the justification for
decryption is often "security") and bound to cause problems with all kinds
of applications.

I suppose more details may help us understand the business case, but I do
not see how this fits in in a functional and cost-effective manner with
things that care about security properly unless you are a CA and managing
so many keys that you need this kind of machine to generate them fast
enough to be a CA.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
ScorpionSting Absent Member.
Absent Member.

Re: PKI HSM

Thankfully, someone else is tasked with Policies and Processes around the PKI infrastructure, and is fully aware of the issues with the CA in an environment that allow BYOD (even though this is limited - but all traffic goes through BlueCoat which they're going to man-in-the-middle, so BYOD will see cert errors).

We're a government agency that provides full range of IT services to departments, so there is a need for a centralised government PKI infrastructure to meet security requirements. Managing it = not my problem 😄

One of the "edicts" is that only 1 CA will exist in the entire environment...unless there is a valid technical exception...so they're questioning the CA's in all our eDir instances (15 odd)...

Visit my Website for links to Cool Solution articles.
0 Likes
Knowledge Partner
Knowledge Partner

Re: PKI HSM

ScorpionSting wrote:

> One of the "edicts" is that only 1 CA will exist in the entire
> environment...unless there is a valid technical exception...so they're
> questioning the CA's in all our eDir instances (15 odd)...


Well, you can use certs signed by other CAs for most services around Edir.
LDAP, iManager, iMonitor, EMBox etc. I think you can also replace the server
certs with something external, but I'm not sure if that is enough to make the
internal Edir CA completely obsolete. But you can replace the self-signed CA in
Edir with a Sub-CA signed by your HSM-based root CA as well, so there's only
one root and a CRL entry for that root CA would be able to nicely stop all
operations everywhere... 😉

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
ScorpionSting Absent Member.
Absent Member.

Re: PKI HSM

Thanks.

They're also against Intermediates. They'd rather an "exception CA" than an Intermediate.

Think I'll just take the easy way out and say the eDir CA is "required for normal operation" and just use the external for things like iManager and iMonitor, but leave all IDM stuff with the CA......we've got far too many RL's to go and update the CA cert on (not being lazy of course - LOL)

Visit my Website for links to Cool Solution articles.
0 Likes
Knowledge Partner Knowledge Partner
Knowledge Partner

Re: PKI HSM

On 10/22/2017 03:54 PM, ScorpionSting wrote:
>
> They're also against Intermediates. They'd rather an "exception CA" than
> an Intermediate.
>
> Think I'll just take the easy way out and say the eDir CA is "required
> for normal operation" and just use the external for things like iManager
> and iMonitor, but leave all IDM stuff with the CA......we've got far too
> many RL's to go and update the CA cert on (not being lazy of course -
> LOL)


If I were you (but still being as ornery as I am) I would probably still
make sure they understand that owning a CA does not, at all, mean you can
decrypt all traffic from that CA. More to their point or old belief
system, if they believe that having possession of a Private Key magically
means they can decrypt all traffic used in a connection making use of that
private key, they area also wrong. It is pretty rare for up to date
software to use non-Perfect Forward Secrecy ciphersuites, except as a last
resort (if those are still enabled), and that basically means forcing your
clients to use ancient versions of Firefox or Chrome (versions that are
the better part of a decade old), which is psychotic. If they are being
sold a HSM solution for anything that has to do with capturing all data,
they're being misled.

That's about all, though. May they spend their money however they see fit.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.