This article describes how the Banco de España (henceforth BDE), after deploying its Public Key Infrastructure, approached the integration of PKI services into its corporate applications. To that end, a project to deploy a Service-Oriented Architecture based on Safelayer's TrustedX product was carried out over the course of this year. The work was done by the Computer Security Unit of the Information Systems and Processes Department, with the collaboration of Indra.
By Miguel Ángel Peña Piñón, from Banco de España and Manuel Ruiz Camacho from Indra Sistemas
Published in "Revista Dintel", December 2009
The need to give the Banco de España a system capable of issuing digital certificates on cryptographic smart cards for its internal users led the Bank to build a corporate Public Key Infrastructure in 2004.
The project was named PKIBDE. Besides issuing three digital certificates per user (for authentication, electronic signature and encryption, respectively), its objectives included the basic card-based functions: workstation logon, remote network access with the card, electronic signature, and encryption of e-mail and office documents.
In addition, because of the BDE's relations with external entities, the project also covered the configuration of the PKI's Validation Authority (VA) so that it could report the status of certificates issued by Certification Service Providers (PSCs) such as Ceres-FNMT and the Spanish electronic ID (DNIe). A certification policy was also defined for issuing digital certificates to external users, exclusively for their dealings with the Bank.
Nevertheless, in the early phases of the project it became clear that the integration of the PKI into the applications developed in-house at the BDE needed to be made easier. What most of them required was simple: signing a form electronically at the user's workstation, verifying a signature, or extracting information from a digital certificate. The aim was to spare the applications from having to deal with the data structures and protocols specific to public key technology (X.509, CMS/PKCS#7, S/MIME, OCSP, XAdES, XML-DSig, and so on). At the same time, the Bank's business departments were increasingly asking for certificate-based authentication and electronic signature on the web channel through which their services are offered. All of this led those responsible for computer security at the BDE to start a second phase of the PKIBDE project to meet these needs. That phase has been carried out over the course of this year.
Requirements to cover the new project
As in many organisations, the Banco de España runs a wide range of technology environments (IBM z/OS, Microsoft Windows, IBM AIX, ...) with several application execution architectures (COBOL/DB2, .NET, J2EE, ...). Moreover, these applications may run both on the BDE intranet and on the perimeter networks that give access to the different external networks it connects to (Internet, SwiftNet, the Administrative Intranet).
The preliminary study therefore concluded that PKI integration could not rely on separate, bespoke developments for each platform likely to need PKI functions in the short or medium term. A global solution with long-term visibility was preferable, founded on a Service-Oriented Architecture (SOA), as is now common.
The main requirements the platform deployed in this second phase had to cover were:
- Client-side electronic signature for web environments, in CMS/PKCS#7 format, with transparent selection of the user's certificate.
- Validation of certificates issued by external PSCs.
- Extraction of the information contained in certificates (e.g. identity number, name, surname) independently of the issuing PSC.
- Verification of electronic signatures in different formats (XAdES, XML-DSig, PDF, S/MIME, ...).
- Generation of corporate electronic signatures, centralised on a server.
- Per-application distinction of which PSCs and which types of digital certificate are accepted.
Finally, another need was addressed at the same time which, although not directly related to integrating applications with the PKI, mattered in the overall context of that infrastructure:
Development of a web application through which external entities could request a PKIBDE certificate, exclusively for their dealings with the Bank.
Given the scope of the new project, it was put out to tender, and the contract was awarded to Indra Sistemas.
Infrastructural PKI Services
The solution deployed by Indra is based on Safelayer's TrustedX platform. TrustedX is designed to enable quick and efficient integration of security services (authentication, electronic signature and data protection) into applications. Its Service-Oriented Architecture (SOA) provides greater flexibility and adaptability while preserving the scalability, high availability and management capabilities that business-critical processes require. A more detailed analysis of the product can be found in the Laboratory section of issue #70 of this publication.
The TrustedX platform consists of a set of mandatory components that make up the common management system (configuration, monitoring and access control for each service component) and a set of optional components that provide the PKI and electronic signature security services. During the BDE deployment, the following modules were configured and deployed:
- TrustedX WS Authentication & Authorization (TWS-AA). Authentication and authorization service using login/password and digital certificate (TLS/SSL) mechanisms, or WS-Security (security tokens in SOAP messages).
- TrustedX WS Entity Profiler (TWS-EP). Information management service that unifies the profiles of objects and/or entities: users, applications, web services, policies, digital certificates, audit logs, etc.
- TrustedX WS Digital Signature Verification (TWS-DSV). Electronic signature verification service (including advanced and long-lived signatures) independent of the provider, the certificate verification mechanism and the signature format.
The deployment of the final solution followed two lines of work. First, the BDE's needs had to be analysed in order to define the different TrustedX components properly. Second, the mechanism by which applications access the services provided by the platform had to be analysed, given the final deployment architecture.
TWS offers a wide variety of authentication mechanisms, from anonymous or user/password-based to SSL/TLS- or digital-signature-based, either directly or through agents. Specifically, because of the constraints imposed by the architecture of the servers hosted in the network DMZ, an agent of the authoritative type was developed to handle the authentication of the applications to TWS.
TrustedX's validation and verification resources are provided as web services. To make them easier for applications to consume, so that they do not have to care about the particular communication channel used, Indra supplied a J2EE interface that encapsulates the various kinds of request and abstracts the channel.
However, it was also considered appropriate to expose a web service interface in the DMZ itself, for use by the infrastructure elements in that network that require it.
Platform Configuration and Deployment
The first step in configuring and deploying TWS is to clearly identify the actors involved. Essentially the platform rests on three pillars. First, the user entities, i.e. the entities that consume the services offered. Second, the trust entities, i.e. those belonging to a public key infrastructure (CAs, VAs and TSAs). Third, the policies and rules that relate the two, which in turn may be structured as authentication, authorization, accounting, digital signature and encryption policies.
Within the BDE, the user entities are not users in the usual sense but applications. Since the applications were to be distinguished by the PSCs and certificate types they accept, a first classification and grouping of them was made on that basis.
As for the trust entities, in this initial deployment the BDE accepts on its platform certificates from Ceres-FNMT (for both natural and legal persons), digital certificates issued by its own corporate Certification Authority (CA), and the electronic ID (DNIe). The trust entities also include the Validation Authorities (VAs) to be used: the VAs of the BDE and the FNMT, and the Ministry of Public Administration's VA for validating the DNIe, are configured.
Once the entities are defined, the next step is to analyse the applications' needs for certificate validation and signature verification. TWS supports different signature formats, organised as profiles, one of which is plain certificate status validation.
Allowing different entities (or groups of them) to access the same basic services while discriminating by certificate type was achieved through a suitable definition of validation and verification rules and policies.
At the rule level it is possible to define the CAs allowed when the rule applies, the validation mechanisms to use, and the format of the returned information. So, for instance, Ceres-FNMT and DNIe certificates are validated exclusively through VAs, whereas corporate certificates are checked first against CRLs and then against the corporate VA.
The rule level also specifies the format of the output information. One of the most tedious tasks in certificate handling is dealing with the many variations between PSCs: different extensions, policies and formats mean that an application wanting to support a new certificate type has to invest a great deal of time and effort in adapting.
TrustedX solves this elegantly with XSLT-style templates. Essentially, there are templates for formatting the OCSP response and the timestamp, and additional information templates can be defined that gather all the necessary data. At the BDE each type of PSC has been given its own template, which fills in a common data record for the applications, taking the information from different attributes or extensions depending on the PSC. An application therefore always handles an identical output XML, whatever the certificate type.
Once the rules were defined, they were grouped into policies according to criteria set by the BDE. With both actors and rules defined, what remains is to tie them together so that the result is the one intended: a given application, once authenticated, is authorised (mainly on the basis of the groups it belongs to) to consume certain resources, applying a certain validation or verification policy.
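As an added illustration (not Safelayer's or the BDE's code, neither of which appears in this article), the following Python sketch models the rule, template and policy mechanism described in the preceding paragraphs: one template per PSC fills the same common record from different subject fields, each rule lists its allowed issuers and an ordered set of validation mechanisms (CRL then VA for corporate certificates, VA only for external ones; the assumption here is that the next mechanism is consulted only when the previous one has no fresh answer), and an application's group selects the policy, so a certificate from an issuer outside that policy is refused. The issuer names, subject layouts, revocation answers, application names and groups are all constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Issuer DNs are placeholders for this example, not the real CA names.
FNMT_ISSUER = "CN=FNMT Clase 2 CA,O=FNMT,C=ES"
DNIE_ISSUER = "CN=AC DNIE 001,OU=DNIE,O=DIRECCION GENERAL DE LA POLICIA,C=ES"
BDE_ISSUER = "CN=CA Corporativa,O=Banco de Espana,C=ES"

# Constructed certificate views holding only the fields the templates read;
# the subject layouts are assumptions about how each PSC encodes the holder.
SAMPLE_CERTS = {
    "fnmt": {"issuer": FNMT_ISSUER, "serial": 1001,
             "subject": {"CN": "NOMBRE APELLIDO1 APELLIDO2 - NIF 12345678Z"}},
    "dnie": {"issuer": DNIE_ISSUER, "serial": 2002,
             "subject": {"CN": "APELLIDO1 APELLIDO2, NOMBRE (AUTENTICACION)",
                         "serialNumber": "12345678Z", "givenName": "NOMBRE",
                         "surname": "APELLIDO1 APELLIDO2"}},
    "corp": {"issuer": BDE_ISSUER, "serial": 3003,
             "subject": {"CN": "Nombre Apellido1 Apellido2", "UID": "u12345"}},
    "corp_no_crl": {"issuer": BDE_ISSUER, "serial": 3004,
                    "subject": {"CN": "Otro Apellido", "UID": "u67890"}},
}

# Constructed revocation sources, keyed by (issuer, serial).
# A missing entry means that mechanism has no fresh answer for the certificate.
CRL_STATUS = {(BDE_ISSUER, 3003): "good"}
VA_STATUS = {(FNMT_ISSUER, 1001): "good", (DNIE_ISSUER, 2002): "revoked",
             (BDE_ISSUER, 3003): "good", (BDE_ISSUER, 3004): "revoked"}

def check_crl(cert):
    return CRL_STATUS.get((cert["issuer"], cert["serial"]))

def check_va(cert):
    return VA_STATUS.get((cert["issuer"], cert["serial"]))

VALIDATORS = {"crl": check_crl, "va": check_va}

# One template per PSC: each maps that PSC's subject layout to the same record.
def template_fnmt(subject):
    # Assumed FNMT layout: "<given> <surnames> - NIF <id>". A compound given
    # name would need a smarter split than "first token".
    m = re.fullmatch(r"(\S+) (.+) - NIF (\w+)", subject["CN"])
    return {"id": m.group(3), "given": m.group(1), "surname": m.group(2)}

def template_dnie(subject):
    # Assumed DNIe layout: identity number in serialNumber plus givenName/surname.
    return {"id": subject["serialNumber"], "given": subject["givenName"],
            "surname": subject["surname"]}

def template_corp(subject):
    # Assumed corporate layout: employee identifier in UID, "<given> <surnames>" in CN.
    given, _, surname = subject["CN"].partition(" ")
    return {"id": subject["UID"], "given": given, "surname": surname}

# Rules: allowed issuers (each with its template) and ordered validation mechanisms.
RULES = {
    "external": {"issuers": {FNMT_ISSUER: template_fnmt, DNIE_ISSUER: template_dnie},
                 "validators": ["va"]},
    "corporate": {"issuers": {BDE_ISSUER: template_corp},
                  "validators": ["crl", "va"]},
}

# Policies group rules; an application's group selects the policy it may use.
POLICIES = {"internet-channel": ["external"], "intranet": ["corporate", "external"]}
APP_GROUPS = {"web-portal": "internet-channel", "hr-forms": "intranet"}

def evaluate(app, cert):
    """Return (status, rule_name, record). status is 'good', 'revoked',
    'unknown' (no mechanism answered) or 'not-allowed' (issuer outside policy)."""
    for rule_name in POLICIES[APP_GROUPS[app]]:
        rule = RULES[rule_name]
        template = rule["issuers"].get(cert["issuer"])
        if template is None:
            continue
        status = "unknown"
        for mechanism in rule["validators"]:
            answer = VALIDATORS[mechanism](cert)
            if answer is not None:  # first mechanism with a definite answer decides
                status = answer
                break
        return status, rule_name, template(cert["subject"])
    return "not-allowed", None, None

def to_xml(status, cert, record):
    """Render the common output record; its shape never depends on the PSC."""
    root = ET.Element("Certificate")
    ET.SubElement(root, "Status").text = status
    ET.SubElement(root, "Issuer").text = cert["issuer"]
    for tag, key in (("Id", "id"), ("GivenName", "given"), ("Surname", "surname")):
        ET.SubElement(root, tag).text = record[key]
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        for app in APP_GROUPS:
            status, rule, record = evaluate(app, cert)
            print(app, name, status, to_xml(status, cert, record) if record else "")
```

The point of keeping the validators and templates as data attached to rules is that adding a new PSC means writing one template and one rule entry, and the consuming application never sees the difference: a DNIe holder and an FNMT holder both come back as the same `<Certificate>` element. Note that the corporate certificate without a CRL entry falls through to the VA, which reports it revoked; an application that stopped at "no CRL answer" would have accepted it.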
The main job of Indra Sistemas has therefore been to design a suitable map of policies and rules that provides the services needed today and lets the platform grow and evolve as new needs arise, whether through new service components (TWS-DS for server-side signature, TWS-DR for non-repudiation, etc.) or through new PSCs with new requirements. The flexibility, scalability and ease of integration of the TrustedX WS platform give the assurance that the building blocks needed to extend the BDE's PKI-related infrastructure services are available.
By deploying and integrating Safelayer's TrustedX in the second phase of the PKIBDE project, the Banco de España has met the electronic signature and certificate management needs most demanded by its corporate applications, avoiding ad hoc, short-term solutions.
It has opted for a web-service-based architecture that can scale in both resources and services, so that adding new functions such as long-lived signatures or centralised encryption will not be disruptive to the deployed infrastructure.
With this project Indra consolidates its experience in deploying corporate signature and identification solutions, an area in which it has a substantial record of successful projects, such as those for Mapfre, the Ministry of Economy and Finance, the Ministry of Agriculture, Fisheries and Food, the National Statistics Institute, the Andalusian regional government and the Spanish Congress of Deputies, among others.