Belgium eID and Netscaler

1:33 PM

Belgium is not only known for its excellent beers and fries, but also as one of the few countries with a public PKI implementation used by all citizens. Several government and private organizations use the Belgian electronic identity card (eID) and the Belgian PKI on a day-to-day basis. Applications range from Tax-on-Web (electronic tax reporting) and the National Register to chat sites based on eID.

In this post we describe how to use NetScaler with the Belgian eID (smart card) and SSL offloading. NetScaler then not only terminates the SSL connections but also offloads the eID certificate authentication.

Each eID contains an SSL certificate that can be used to uniquely authenticate citizens in a web application. Belgium has its own certification authorities: the Belgium Root CA, with intermediate CAs for government institutions (Government CA) and for all citizens (Citizen CA). Such a CA structure is an absolute must for a PKI designed to handle more than 11 million citizens.

The Belgian Certificate Authority structure (Citizen CA)

Goal

The goal is to have users automatically authenticate with their eID over SSL. NetScaler verifies that the user's certificate has not expired and has not been revoked. After a successful connection, it sends the user's certificate information (the client certificate subject) in a standard HTTP header to the internal web application. The web application can rely completely on the submitted information, because the certificate subject contains the unique national registration number of every citizen.

Authentication flow through NetScaler

Configuration

The full configuration is attached (Full configuration.txt). The following explains only the basic configuration.

First make sure that all Citizen CA certificates are downloaded to the NetScaler. You can download all files manually from the Belgian CA CRT repository, or use the attached get_ca.sh loop script that does this for you.

  • Download the get_ca.sh script
  • Rename the script from get_ca.sh.txt to get_ca.sh
  • Copy it to /nsconfig/ssl (using an SFTP/SCP client such as WinSCP)
  • Open a shell prompt (type "shell" in the NetScaler CLI)
  • Change to the directory and make the script executable:
     root@ns-demo# cd /nsconfig/ssl
     root@ns-demo# chmod 755 get_ca.sh
  • When you run it, you will see many downloads happen, including some 404 pages. At the end, all certificates are downloaded to the NetScaler.

We also need the rest of the certificate chain. Download the Belgium Root CA certificates from the Belgian Root CA repository and the GlobalSign Root CA here, and copy them to /nsconfig/ssl as well.

Now the certificates must be imported into the NetScaler configuration (see the attached ns.conf.txt for all commands) by entering the following NetScaler CLI commands:

 add ssl certKey be-root-CA2 -cert belgiumrs2.crt -inform DER
 add ssl certKey be-root-CA -cert belgiumrs.crt -inform DER
 add ssl certKey GlobalSign-root-CA -cert GlobalSign-root-ca.crt.cer -inform PEM
 add ssl certKey be-citizen-CA-0601 -cert "/nsconfig/ssl/citizen0601.crt" -inform DER
 ...

Then we must link the certificates into chains (the Belgium Root CAs to the GlobalSign Root CA, and the Citizen CAs to the Belgium Root CA):

 link ssl certKey be-root-CA2 GlobalSign-root-CA
 link ssl certKey be-root-CA GlobalSign-root-CA
 link ssl certKey be-citizen-CA-0601 be-root-CA
 link ssl certKey be-citizen-CA-0602 be-root-CA
 ...

Create the OCSP responder, so that we can verify that the eID certificate is still valid and has not been revoked. Fortunately, all CAs use the same responder URL. You can also enable caching and batching of OCSP requests to gain some extra performance; see NS-TrafficMgmt-Guide.pdf in the NetScaler documentation for details.

 add ssl ocspResponder eid-OCSP -url "http://ocsp.eid.belgium.be:80/" -batchingDelay 0 -trustResponder 

It goes without saying that we also need servers, services and a vserver to actually serve the application:

 add server debian-70 192.168.2.70
 add server debian-71 192.168.2.71
 add service svc_http_debian-70 debian-70 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
 add service svc_http_debian-71 debian-71 HTTP 80 -gslb NONE -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -sp OFF -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
 bind lb monitor http svc_http_debian-70
 bind lb monitor http svc_http_debian-71
 add lb vserver vs_demo_eid SSL 192.168.1.0 443 -persistenceType NONE -cltTimeout 180
 bind lb vserver vs_demo_eid svc_http_debian-70
 bind lb vserver vs_demo_eid svc_http_debian-71

Then we associate the SSL server certificate with this SSL vserver. I used one from my own CA; in a production environment you would use one signed by a public authority, or in this case: every Belgian government institution can have its certificate signing requests signed by the Government CA for free by contacting the registration authority FedICT.

 add ssl certKey ca-citrix-local -cert "/nsconfig/ssl/citrix.local.crt"
 add ssl certKey protected-citrix-local -cert "/nsconfig/ssl/protected.citrix.local.crt" -key "/nsconfig/ssl/protected.citrix.local.key" -passcrypt "somekey"
 link ssl certKey protected-citrix-local ca-citrix-local
 bind ssl vserver vs_demo_eid -certkeyName protected-citrix-local

The last step for working authentication is to enable client certificate authentication on vserver vs_demo_eid and to bind every CA involved:

 set ssl vserver vs_demo_eid -clientAuth ENABLED -clientCert Mandatory
 bind ssl vserver vs_demo_eid -certkeyName be-root-CA -CA -ocspCheck Mandatory
 bind ssl vserver vs_demo_eid -certkeyName be-root-CA2 -CA -ocspCheck Mandatory
 bind ssl vserver vs_demo_eid -certkeyName be-citizen-CA-0601 -CA -ocspCheck Mandatory
 bind ssl vserver vs_demo_eid -certkeyName be-citizen-CA-0602 -CA -ocspCheck Mandatory
 bind ssl vserver vs_demo_eid -certkeyName be-citizen-CA-0603 -CA -ocspCheck Mandatory
 ...
 bind ssl vserver vs_demo_eid -certkeyName be-citizen-CA-2006 -CA -ocspCheck Mandatory
 bind ssl vserver vs_demo_eid -certkeyName be-citizen-CA-2007 -CA -ocspCheck Mandatory
 bind ssl vserver vs_demo_eid -certkeyName be-citizen-CA-2008 -CA -ocspCheck Mandatory

Now we are ready to test authentication by browsing to our vserver vs_demo_eid with the eID software installed (see here if you don't have the eID software yet). We should be prompted to select our citizen certificate and to enter the PIN code.

Select the client certificate to use for authentication

Enter the certificate PIN code

After authentication we should see the default web page:

Successful authentication with eID

But now, to top it all off, we also want our backend web application to know who logged in, so that it can show their personal information, associate them with the correct records in our database, and so on.

To do this we add a rewrite policy that inserts a custom HTTP header, X-eID-Subject. Every request from this authenticated user to the application will then carry this header.

 add rewrite action rw_ins_http_eidheader insert_http_header X-eID-Subject CLIENT.SSL.CLIENT_CERT.SUBJECT
 add rewrite policy pol_rw_insert_eid_header_to_server true rw_ins_http_eidheader
 bind lb vserver vs_demo_eid -policyName pol_rw_insert_eid_header_to_server -priority 100 -gotoPriorityExpression END -type REQUEST

When we then have a web application (or a CGI script, such as the attached eid_head.pl) that reads the information from the header, we get the following result:

Perl CGI script displaying eID information

serialNumber is the national registration number, which is unique to every Belgian citizen.
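As an added example (not the post's Perl CGI script), the following Python shows how a backend behind NetScaler could read the injected subject header and extract the national registration number from serialNumber, checking its 97-modulo checksum. The header name, the comma-separated DN layout and the sample value are assumptions; the trusted_proxy flag stands for the check that the request really came through NetScaler, because a backend that clients can reach directly must not trust the header.

```python
# Added example: consuming the subject header NetScaler injects for an
# eID-authenticated client. Not code from the original post.
import re

# Constructed sample of the header value the rewrite action would insert;
# the real attribute order and separator may differ (assumption).
SAMPLE_HEADER = "C=BE,CN=John Doe (Authentication),SN=Doe,givenName=John,serialNumber=85010112387"


def parse_subject(dn):
    """Split a comma-separated 'attr=value' subject string into a dict."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def valid_rrn(rrn):
    """Checksum of the 11-digit Belgian national registration number:
    the last two digits equal 97 - (first nine digits mod 97); for people
    born in or after 2000 a leading '2' is prepended before the modulo."""
    if not re.fullmatch(r"\d{11}", rrn):
        return False
    body, check = int(rrn[:9]), int(rrn[9:])
    return check in (97 - body % 97, 97 - (2_000_000_000 + body) % 97)


def eid_identity(headers, trusted_proxy=True):
    """Return the national registration number from the X-eID-Subject header,
    or None. The header is only meaningful when the request passed through
    the NetScaler that validated the client certificate; trusted_proxy
    models that check (for example, source address of the NetScaler SNIP)."""
    if not trusted_proxy:
        return None
    subject = headers.get("X-eID-Subject")
    if not subject:
        return None
    rrn = parse_subject(subject).get("serialNumber")
    return rrn if rrn and valid_rrn(rrn) else None


if __name__ == "__main__":
    print(eid_identity({"X-eID-Subject": SAMPLE_HEADER}))
```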

This again shows how NetScaler rocks by offloading SSL traffic and authentication.

Update of 20 January 2014:

Thanks to Lieven Van de Walle, here is an update on the latest certificate chains (applicable in 2014). The new Root CAs are now signed by the CyberTrust Root CA instead of the GlobalSign Root CA. This means that you will need to import more CAs and link certain CAs differently:

 link ssl certKey be-root-CA4 Cybertrust-root-CA
 link ssl certKey be-root-CA3 Cybertrust-root-CA
 link ssl certKey be-root-CA2 Cybertrust-root-CA
 link ssl certKey be-root-CA GlobalSign-root-CA

And of course adjust the vserver bindings:

 bind ssl vserver vs_demo_eid -certkeyName GlobalSign-root-CA -CA -ocspCheck Mandatory
 bind ssl vserver vs_demo_eid -certkeyName Cybertrust-root-CA -CA -ocspCheck Mandatory

Be aware that this will not be the only root CA update. You will need to check all root and subordinate CAs regularly and import them accordingly, as over time more CAs will be added (and old ones will expire and become invalid).
