EMC Celerra Version 5.6 Technical Primer:
Public Key Infrastructure Support
Technology Concepts and Business Considerations
Abstract
Encryption plays an increasingly important role in IT infrastructure due to the impact of regulations and the risk of data security breaches. Many of these protocols use public key encryption (particularly those tools that are used for session-based encryption or authentication). This primer discusses improvements introduced in EMC® Celerra® Network Server version 5.6 that enable the use of public key encryption, such as its implementation of a public key infrastructure.
Copyright © 2009 EMC Corporation. All rights reserved.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
Table of Contents
Executive summary ... 4
Business problem ... 4
Technical problem ... 4
Feature introduction ... 4
What’s new ... 4
Introduction ... 5
Audience ... 5
Detailed overview ... 5
Architecture ... 5
Limitations ... 7
Compatibility with earlier releases ... 8
Conclusion ... 8
References ... 8
Executive summary
Protecting sensitive information is one of the foremost concerns of customers today. With new threats to information security being discovered every day, encryption becomes critical to business. With encryption, however, comes the incremental burden of managing encryption keys and certificates. Public key infrastructure (PKI) tools introduced in EMC® Celerra® Network Server version 5.6 help mitigate this task by eliminating the need to manage individual keys and certificates.
Business problem
Securing a wide variety of business data has become a modern day requirement for most businesses. For some, a breach in that security could have a substantially negative impact, including costly litigation, competitive exposure, or public embarrassment, and while the need for security is well understood, achieving a confident level of security is not so straightforward. Complex data centers, globally dispersed locations, and numerous technologies from many suppliers make realizing a secure environment a constant and costly challenge.
Technical problem
Encryption and authentication certificates are two widely used tools in improving data center security. While they are highly beneficial, both tools increase the burden on system administrators to actively manage and maintain them, and ensure their effectiveness.
Feature introduction
Celerra version 5.6 introduces PKI tools that help administrators manage encryption keys and certificates for a Data Mover and, to a more limited extent, for the Control Station. These tools ease the use of encryption protocols such as SSL by providing a single, consistent interface that manages the required keys and certificates.
PKI tools provide the ability to:
• Generate key sets
• Export certificate signing requests or sign persona certificates with the Control Station Certificate Authority (CA)
• Import signed certificates
• Store certificates using a “current” and “next” model
• Import CA certificates
The Control Station can now serve as a CA and sign Control Station and Data Mover certificates. This is useful in customer environments where an enterprise-level or other external CA is not available. Also, the Celerra Manager SSL certificate is now automatically signed by the Control Station CA rather than being self-signed.
Introduction
This primer includes a discussion of the architecture of the new feature, and lists limitations and compatibility with earlier Celerra versions.
Audience
This white paper is intended for customers, including IT planners, storage architects, administrators, and others involved in evaluating, acquiring, managing, operating, or designing an EMC networked storage environment.
Detailed overview
Architecture
PKI is an architectural enhancement to Celerra. Consequently, its key and certificate management tools are available for any future features or enhancements that require encryption capabilities, providing a common management interface.
While this PKI functionality is largely Data Mover-based, there are some changes to the Control Station that are included in the current release. This is discussed on page 7.
PKI manages the following objects:
• Personas (Data Mover key and certificate pair)
• External CA certificates
• Control Station CA key and certificate pair
A “persona” is a digital identity. It consists of a Data Mover private key and the associated Data Mover public key certificate signed by a CA. (Hereafter, this paper refers to the pairing of a private key and public key certificate as a “key/certificate pair.”) A persona is identified by a specific name when assigned to a Data Mover feature. In Celerra version 5.6, there is only one persona, called a “default.” Many Data Mover features may use a single persona to facilitate ease of use.
Data Mover key/certificate pairs within a persona are managed by using a “current-next” model. Each persona recognizes two slots for key/certificate pairs, “current” and “next.” The current key/certificate pair is the one that is valid and is being used actively. The next key/certificate pair is a key/certificate pair that replaces the current key/certificate pair when it reaches its start date. You can create and manage personas and certificates using either the Celerra Manager or the CLI. Figure 1 on page 6 shows the Celerra Manager Personas tab, which displays information about the current key/certificate pair, and information about the next key/certificate pair, if available.
A new key/certificate pair is always identified as the next key/certificate pair. It becomes the current key/certificate pair only when it becomes valid. Thus, it is possible for there to be a next key/certificate pair (which is not yet valid) but no current key/certificate pair. In this situation, the key and certificate requests fail until the next key/certificate pair becomes valid. The Data Mover’s system clock is used when determining key/certificate pair validity, and a 5-minute time skew is allowed.
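The current/next slot model described above, as an added example that is not part of the primer or of Celerra's own code: a small model of the default persona in which a newly installed pair always lands in "next", is promoted to "current" once its start date (minus the 5-minute skew) is reached, and a lookup fails while no valid current pair exists. The class and method names are assumptions for illustration; only the slot semantics and the skew come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Time skew the Data Mover tolerates when judging validity (from the primer).
SKEW = timedelta(minutes=5)

@dataclass(frozen=True)
class KeyCertPair:
    """A private key plus its CA-signed certificate; only the validity window matters here."""
    label: str
    not_before: datetime
    not_after: datetime

    def status_at(self, now: datetime) -> str:
        # The skew widens the validity window at both ends.
        if now < self.not_before - SKEW:
            return "not yet valid"
        if now > self.not_after + SKEW:
            return "expired"
        return "valid"

@dataclass
class Persona:
    """The single 'default' persona with its 'current' and 'next' slots (hypothetical model)."""
    name: str = "default"
    current: Optional[KeyCertPair] = None
    next: Optional[KeyCertPair] = None

    def install(self, pair: KeyCertPair) -> None:
        # A newly generated or imported pair is always identified as 'next'.
        self.next = pair

    def promote(self, now: datetime) -> None:
        # 'next' replaces 'current' as soon as it reaches its start date (skew allowed).
        if self.next is not None and self.next.status_at(now) != "not yet valid":
            self.current, self.next = self.next, None

    def active_pair(self, now: datetime) -> KeyCertPair:
        # What SSL code would get back through the PKI API; fails while nothing is usable.
        self.promote(now)
        if self.current is None or self.current.status_at(now) != "valid":
            raise LookupError(f"persona {self.name!r}: no valid current key/certificate pair")
        return self.current

    def report(self, now: datetime) -> Dict[str, str]:
        # Per-slot status, the manual expiry check the primer says administrators must perform.
        return {slot: (pair.status_at(now) if pair else "empty")
                for slot, pair in (("current", self.current), ("next", self.next))}
```

Feeding `active_pair` a clock a few minutes before a pair's start date shows the skew in action; feeding it a clock past the current pair's end date while the next pair is still in the future reproduces the failure mode the text describes.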
Figure 1 Personas management using Celerra Manager
It is important to note that Data Mover private keys are not accessible from the Control Station; only the Data Mover can access these keys, which reside in memory for as short a time as possible. (Data Mover private keys are encrypted when not in use.)
When a Data Mover feature needs to set up an SSL session, it passes the name of the persona to use to the SSL code, and the SSL code then uses the PKI API to retrieve the associated private key and public key certificate. When a public key certificate is received from the peer host (while negotiating an SSL session), the SSL code uses the PKI API to verify the certificate (by using a CA certificate). Thus, it is the PKI infrastructure that frees other Data Mover functionality (such as SSL) from having to maintain private keys, public key certificates, and CA certificates.
In addition to managing personas, the PKI infrastructure also manages CA certificates that belong to CAs imported into the Data Mover. Figure 2 on page 7 shows the Celerra Manager CA Certificates tab, which displays information about the currently available CA certificates.
CA certificates are used to validate the chain of trust for public key certificates that the Data Mover receives. For example, when setting up an authenticated SSL session, the client or server on the other end of the SSL session provides its public key certificate and a short message encrypted (signed) by its private key. The Data Mover uses the provided public key certificate to decrypt the message (verifying that the provided public key certificate does, in fact, belong to the computer that provided it). The Data Mover also validates the chain of trust (found in the other computer’s public key certificate) by using the CA certificate to decrypt the signature of the other computer’s public key certificate.
Figure 2 CA certificate management using Celerra Manager
In summary, PKI serves two primary purposes:
• Using the concept of a persona, it frees other Data Mover code from the need to manage private keys and associated public key certificates. The type of Data Mover applications that need this are those that act as secure servers (receive incoming SSL-based connection requests), as servers that offer server authentication, or as clients in a connection where the server on the other end requires client authentication.
• By managing imported CA certificates, it enables all Data Mover applications that must validate received certificates to use the same common pool of CA certificates. Without this common pool, the CA certificate would have to be provided directly to each application that needs it.
The current release also enhances the Control Station with the implementation of the Control Station CA and some CLI tools that enable CA certificate management. In the current release, only CLI commands are available to manage the Control Station CA. More information about this functionality can be found in the EMC Celerra Security Configuration Guide.
Limitations
• In the current release, you cannot create and use custom personas. You can only populate the default persona with keys.
• Only 2048-bit and 4096-bit RSA keys are supported. You cannot use any other key types or lengths.
• Only Privacy-enhanced Electronic Mail (PEM) encoding is supported for certificate requests.
• Only PEM and Distinguished Encoding Rules (DER) encodings are supported for imported certificates.
• Control Station CA certificate management is available only through the CLI.
• You must identify expired key/certificate pairs manually. Key/certificate pairs are usually fairly long-lived (12 months is common), and therefore this is not expected to be a major issue.
• Certificate Revocation Lists (CRLs) are not supported in the current release. You must explicitly remove or replace certificates.
• Certificate requests and digital signatures are signed using SHA-1 with RSA encryption. No other signing mechanisms are supported in the current release. Most, if not all, CAs support this signing mechanism.
• Automatic certificate generation using Microsoft Certificate Authority is not available in the current release. However, Microsoft Certificate Authority can be used to sign manually generated certificate requests.
Compatibility with earlier releases
This functionality is contained within the Celerra on which it is configured, and it does not interact with other Celerras. Therefore, no compatibility concerns exist. Earlier releases use the authentication mechanisms supported in those releases.
Conclusion
The PKI functionality simplifies private and public key management. It does this by creating and managing digital identities called personas. It also optimizes the process of validating CA certificates by maintaining and managing a common pool of such certificates.
References
Name: EMC Celerra Security Configuration Guide
Type: Technical documentation
URL: See the Celerra Network Server Documentation CD Version 5.6. Also available on Powerlink®.
Audience: Customer
Technical Depth: High
Name: Celerra Manager Online Help System
Type: Technical documentation (Help System)
URL: See the Celerra Network Server Documentation CD Version 5.6. Also available on Powerlink.
Audience: Customer
Technical Depth: High