ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahu_5.4.0.1/rzahudcmpublicaccessscen.htm

206 lines
13 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Use certificates for internal authentication" />
<meta name="abstract" content="In this scenario, you to learn how to use certificates as an authentication mechanism to protect and restrict which resources and applications that internal users can access on your internal servers." />
<meta name="description" content="In this scenario, you to learn how to use certificates as an authentication mechanism to protect and restrict which resources and applications that internal users can access on your internal servers." />
<meta name="DC.Relation" scheme="URI" content="rzahudcmscenariosoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep1completeplanningworksheets2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep2configurethehumanresourceshttpservertousessl.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep3createandoperatealocalca.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep4configureclientauthenticationforhumanresourceswebserver.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep5startthehumanresourceswebserverinsslmode.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep6haveusersinstallacopyofthelocalcacertificateintheirbrowser.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahustep7haveeachuserrequestacertificatefromthelocalca.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahudcmpublicaccessscen" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Use certificates for internal authentication </title>
</head>
<body>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<div class="nested0" id="rzahudcmpublicaccessscen"><a name="rzahudcmpublicaccessscen"><!-- --></a><h1 class="topictitle1">Scenario: Use certificates for internal authentication </h1>
<div><p>In this scenario, you to learn how to use certificates
as an authentication mechanism to protect and restrict which resources and
applications that internal users can access on your internal servers.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>You are
the network administrator for a company (MyCo, Inc.) whose human resource
department is concerned with such issues as legal matters and privacy of records.
Company employees have requested that they be able to access their personal
benefits and health care information online. The company has responded to
this request by creating an internal Web site to provide this information
to employees. You are responsible for administering this internal Web site,
which runs on the <span class="keyword">IBM<sup>®</sup> HTTP Server for i5/OS™</span>
(powered by Apache). </p>
<p>Because employees are located in two geographically
separate offices and some employees travel frequently, you are concerned about
keeping this information private as it travels across the Internet. Also,
you traditionally authenticate users by means of a user name and password
to limit access to company data. Because of the sensitive and private nature
of this data, you realize that limiting access to it based on password authentication
may not be sufficient. After all, people can share, forget, and even steal
passwords. </p>
<p>After some research, you decide that using digital certificates
can provide you with the security that you need. Using certificates allows
you to use Secure Sockets Layer (SSL) to protect the transmission of the data.
Additionally, you can use certificates instead of passwords to more securely
authenticate users and limit the human resource information that they can
access. </p>
<p>Therefore, you decide to set up a private Local Certificate
Authority (CA) and issue certificates to all employees and have the employees
associate their certificates with their <span class="keyword">iSeries™</span> user
profiles. This type of private certificate implementation allows you to more
tightly control access to sensitive data, as well as control the privacy of
the data by using SSL. Ultimately, by issuing certificates yourself, you have
increased the probability that your data remains secure and is accessible
only to specific individuals.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Scenario advantages</h4><p>This
scenario has the following advantages:</p>
<ul><li>Using digital certificates to configure SSL access to your human resource
Web server ensures that the information transmitted between the server and
client is protected and private.</li>
<li>Using digital certificates for client authentication provides a more secure
method of identifying authorized users. </li>
<li>Using <em>private</em> digital certificates to authenticate users to your
applications and data is a practical choice under these or similar conditions:
<ul><li>You require a high degree of security, especially in regards to authenticating
users.</li>
<li>You trust the individuals to whom you issue certificates.</li>
<li>Your users already have <span class="keyword">iSeries</span> user
profiles for controlling their access to applications and data.</li>
<li>You want to operate your own Certificate Authority (CA).</li>
</ul>
</li>
<li>Using private certificates for client authentication allows you to more
easily associate the certificate with the authorized user's <span class="keyword">iSeries</span> user
profile. This association of certificate with a user profile allows the HTTP
Server to determine the certificate owner's user profile during authentication.
The HTTP Server can then swap to it and run under that user profile or perform
actions for that user based on information in the user profile. </li>
</ul>
</div>
<div class="section"><h4 class="scenariobar">Objectives</h4><p>In this scenario,
MyCo, Inc. wants to use digital certificates to protect the sensitive personal
information that their internal human resources Web site provides to company
employees. The company also wants a more secure method of authenticating those
users who are allowed to access this Web site.</p>
<div class="p">The objectives of this
scenario are as follows: <ul><li>Company internal human resources Web site must use SSL to protect the
privacy of the data that it provides to users.</li>
<li>SSL configuration must be accomplished with private certificates from
an internal Local Certificate Authority (CA). </li>
<li>Authorized users must provide a valid certificate to access the human
resources Web site in SSL mode. </li>
</ul>
</div>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
figure illustrates the network configuration for this scenario: </p>
<br /><img src="rzahu014.gif" alt="Fig. 2 SSL communications between&#xA;iSeries A and company external and internal clients (text description follows&#xA;figure)" /><br /><p>The figure illustrates the following information about
the situation for this scenario:</p>
<div class="p"><span class="uicontrol">Company public server
iSeries A</span><ul><li><span class="keyword">iSeries</span> A is the server
that hosts the company's rate calculating application. </li>
<li><span class="keyword">iSeries</span> A runs <span class="keyword">i5/OS</span> Version 5 Release 4 (V5R4).</li>
<li><span class="keyword">iSeries</span> A has Digital Certificate
Manager (<span class="keyword">i5/OS</span> option 34)
and <span class="keyword">IBM HTTP Server for i5/OS</span> (5722DG1)
installed and configured.</li>
<li><span class="keyword">iSeries</span> A runs the rate
calculating application, which is configured such that it: <ul><li>Requires SSL mode.</li>
<li>Uses a public certificate from a well-known Certificate Authority (CA)
to authenticate itself to initialize an SSL session.</li>
<li>Requires user authentication by user name and password. </li>
</ul>
</li>
<li><span class="keyword">iSeries</span> A presents its
certificate to initiate an SSL session when Clients B and C access the rate
calculating application.</li>
<li>After initializing the SSL session, <span class="keyword">iSeries</span> A
requests that Clients B and C provide a valid user name and password before
allowing access to the rate calculating application.</li>
</ul>
</div>
<div class="p"><span class="uicontrol">Agent client systems Client B and Client C</span> <ul><li>Clients B and C are independent agents who access the rate calculating
application. </li>
<li>Clients B and C client software has an installed copy of the well-known
CA certificate that issued the application certificate.</li>
<li>Clients B and C access the rate calculating application on <span class="keyword">iSeries</span> A,
which presents its certificate to their client software to authenticate its
identity and initiate an SSL session.</li>
<li>Client software on Clients B and C is configured to accept the certificate
from<span class="keyword">iSeries</span> A for the purpose
of initializing an SSL session.</li>
<li>After the SSL session begins, Clients B and C must provide a valid user
name and password before <span class="keyword">iSeries</span> A
grants access to the application. </li>
</ul>
</div>
</div>
<div class="section"><h4 class="scenariobar">Prerequisites and assumptions</h4><p>This
scenario depends on the following prerequisites and assumptions: </p>
<ul><li>The<span class="keyword">IBM HTTP Server for i5/OS</span> (powered
by Apache) runs the human resource application on <span class="keyword">iSeries</span> A.
This scenario does not provide specific instructions for configuring the HTTP
Server to use SSL. This scenario provides instructions for configuring and
managing the certificates that are necessary for any application to use SSL.</li>
<li>The HTTP Server provides the capability of requiring certificates for
client authentication. This scenario provides instructions for using Digital
Certificate Manager (DCM) to configure the certificate management requirements
for this scenario. However, this scenario does not provide the specific configuration
steps for configuring certificate client authentication for the HTTP Server. </li>
<li>The human resources HTTP Server on <span class="keyword">iSeries</span> A
already uses password authentication. </li>
<li><span class="keyword">iSeries</span> A meets the <a href="rzahurzahureqdcmrequirements.htm#rzahureq_dcm_requirements">requirements</a> for
installing and using Digital Certificate Manager (DCM).</li>
<li>No one has previously configured or used DCM on <span class="keyword">iSeries</span> A.</li>
<li>Whoever uses DCM to perform the tasks in this scenario must have *SECADM
and *ALLOBJ special authorities for their user profile.</li>
<li><span class="keyword">iSeries</span> A does not have
an IBM Cryptographic
Coprocessor installed. </li>
</ul>
</div>
<div class="section"><h4 class="scenariobar">Configuration tasks</h4></div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzahustep1completeplanningworksheets2.htm">Complete planning work sheets</a><br />
</li>
<li class="olchildlink"><a href="rzahustep2configurethehumanresourceshttpservertousessl.htm">Configure the human resources HTTP Server to use SSL</a><br />
</li>
<li class="olchildlink"><a href="rzahustep3createandoperatealocalca.htm">Create and operate a Local CA</a><br />
</li>
<li class="olchildlink"><a href="rzahustep4configureclientauthenticationforhumanresourceswebserver.htm">Configure client authentication for human resources Web server</a><br />
</li>
<li class="olchildlink"><a href="rzahustep5startthehumanresourceswebserverinsslmode.htm">Start the human resources Web server in SSL mode</a><br />
</li>
<li class="olchildlink"><a href="rzahustep6haveusersinstallacopyofthelocalcacertificateintheirbrowser.htm">Have users install a copy of the Local CA certificate in their browser</a><br />
</li>
<li class="olchildlink"><a href="rzahustep7haveeachuserrequestacertificatefromthelocalca.htm">Have each user request a certificate from the Local CA</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahudcmscenariosoverview.htm" title="Use this information to review two scenarios that illustrate typical certificate implementation schemes to help you plan your own certificate implementation as part of your iSeries security policy. Each scenario also provides all needed configuration tasks you must perform to employ the scenario as described.">DCM scenarios</a></div>
</div>
</div></div>
</body>
</html>