User authentication with ECOS CERTIFICATE AUTHORITY APPLIANCE
As a PKI, ECOS CERTIFICATE AUTHORITY APPLIANCE is characterized by its versatility and easy handling. It combines all required services in one system and can be implemented easily, quickly and budget-friendly into the existing IT infrastructure through several interfaces.
Issue, extend and revoke certificates
Issue, extend and revoke certificates
The basic function of any PKI is to issue, extend and withdraw certificates. ECOS CERTIFICATE AUTHORITY APPLIANCE (CAA) allows to set up multilevel, hierarchically organized CAs and Sub CAs. Different business units or clients can thus be attributed respective root CAs. It also allows to model complex organizational hierarchies in the certificate administration. The certificates to be issued are freely parameterizable in content, key length or signature algorithm and can be provided by ECOS CAA in all common formats. Certificate extensions are effected automatically on the basis of predefined criteria or on demand while the administrator keeps detailed track at any time of certificate durations and pending extensions. When employees leave the company and in other cases, certificates can be withdrawn manually or automatically, for example by deleting the respective user account in Active Directory (AD).
Information on suspended certificates will be provided directly by the certificate revocation list (CRL).
Alternatively, the status of any certificate can be checked directly per Online Certificate Status Protocol (OCSP) through the service provided by ECOS CAA.
There are various mechanisms for automatic certificate extension on servers, VPN gateways or terminal devices such as PCs, tablets and smartphones. For all devices supporting these procedures, issued certificates can be made available for collection on an LDAP server.
For VoIP phones and mobile devices, certificates can be distributed by SCEP (Simple Certificate Enrollment Protocol). Windows devices and users will be rolled out via AD distribution or a separate certificate distribution tool, which can also operate independently from Active Directory.
It is also possible to roll out certificates and smart cards through the administration interface. The private key will then be generated directly on the smart card.
The successful introduction of a new PKI depends significantly on the implementation possibilities offered by the existing IT infrastructure. ECOS CAA is able to gather the relevant information for certificate creation through a connection to AD or any other metadirectory – for example for a particular group of users, servers or devices. If required, the certificates are directly written back to AD in order to distribute them.
ECOS CAA allows a seamless implementation into an already existing PKI. For example, the CAA can be operated as sub CA on an existing root CA or act as a root CA for single sub CAs when pooling business units. Through the integrated HTTP API, all processes can be controlled remotely by appropriate scripts. Thus, creation and distribution of certificates can be fully automatized through a software deployment tool. ECOS CERTIFICATE APPLIANCE is delivered as virtual appliance for VMware, Microsoft Hyper-V and other virtualization solutions.
For user and device authentication in LAN or WLAN according to IEEE 802.1X, ECOS CAA provides an own, integrated Radius server which, for example, allows a secure authentication of mobile devices at the WLAN access point.
In addition to certificate administration ECOS CAA also offers a separate module to generate and verify one-time passwords (OTP). Not only does it support hardware tokens, but also software tokens (app) for iOS, Android and Windows Phone
Moreover, one-time passwords can be send by SMS to the user’s respective mobile phone number as specified in AD. The one-time password is verified by the integrated Radius server.
ECOS CAA can be operated through a web-based administration interface. The different roles and permissions, from helpdesk staff to IT management, can be accurately modelled through a granular permission assignment
ECOS CERTIFICATE APPLIANCE provides by default a large range of reports offering administrators the best possible overview of certificates that have been issued for particular users, servers or devices, when they have been issued and if they have expired or are pending for renewal.
The system administrator will be informed of pending certificate extensions per e-mail by an automatic notification system according to predefined and customized criteria.
The report filter, which is part of ECOS CAA, allows a flexible access to all data available. Once generated, reports can be saved and provided to other entitled staff.
Individual design options ensure that reports will always meet the complex company requirements for auditing.
Depending on the scenario, ECOS CERTIFICATE APPLIANCE can also be operated in a high-availability cluster to ensure that in case of a system failure and a subsequent breakdown of the Radius or OCSP server users will still be able to log in. Multiple CAAs can be set up across different locations to ensure optimal server response times.
Technical data and functions
- Issue of own certificates and administration of external certificates
- Support of several root and sub CAs
- Administration and provision of certificates in LDAP
- Certificate storage and issue directly on smart cards or USB tokens
- Authentication by certificate or OTP
- Integrated one-time password module (OTP) for SafeNet® eToken NG-OTP or eToken PASS
- Authentication through RADIUS
- Authentication through LDAP
- Directory synchronization for users and certificates with Microsoft® ADS, Novell® eDirectory, Siemens® DirX, CA® eTrust, SUN® Directory, LDAP and other directories
- Extensive smart card and token lifecycle management
- Finely structured rights management
- OCSP supported
- SHA-2 supported
- Administration by web interface
- Separate web frontend (HTTPS) for end users to personalize and manage smart cards or tokens
- Various high availability possibilities
Tel: +49 (6133) 939-200