Trust Management Appliance

Increasing digitalization blurs the lines between conventional IT, ICT and IoT. The ECOS TRUST MANAGEMENT APPLIANCE software combines the administration of certificates, symmetric keys and other secrets for all platforms in a single PKI and key management solution, and thus provides a core component for today's and tomorrow's requirements in securing IT, technology and infrastructure.

Overview ECOS Trust Management Appliance

Securing access or encrypting data and communication involves many areas across a company. In the office area, the most frequent requirements certainly include connecting mobile devices securely to WLAN, LAN desktops, Windows logon via smartcard, encrypting and signing e-mails, secure authentication at the VPN gateway, login for web applications and encryption of hard drives.

Securing server processes and web servers, and signing apps, macros and other software, are important topics for IT. In manufacturing companies, engineering and product management are particularly concerned with securing access to, and encrypting the communication of, non-IT devices. Using resource-efficient procedures is particularly important in this area because of the properties of devices such as actuators, sensors, meters, controllers and medical implants, to name but a few.

How does the ECOS TRUST MANAGEMENT work?


  • Certificates, Keys, Secrets

    Certificates and the related asymmetric key pairs most often form the basis for secure authentication. The ECOS TRUST MANAGEMENT APPLIANCE (TMA) helps you set up your own private public-key infrastructure (PKI) to create, extend and revoke certificates, as well as import, administer and use certificates of a public CA. The certificates to be issued are freely configurable regarding both their content and criteria such as key length or signature algorithm. All certificates can be made available through the TMA in all common formats, such as DER, PEM or container formats like PKCS#7 and PKCS#12.


    Secrets like passwords, access data and other information worth protecting also require secure storage. The TMA allows you to store and manage them just as securely as certificates or keys.


    Symmetric keys are frequently used in areas where the administration of a certificate infrastructure would be too complex, e.g. for devices in the IoT and IIoT range, which often only have a low computing power and power supply. For administration within the TMA, it is irrelevant whether the keys were generated within the TMA or factory-set and then imported into the TMA.


    Details on revoked certificates are made directly available as a Certificate Revocation List (CRL).


    Alternatively, the status of each certificate can be checked directly via the Online Certificate Status Protocol (OCSP) using the service provided by the ECOS TRUST MANAGEMENT APPLIANCE.



  • Lifecycle Management

    The ECOS TRUST MANAGEMENT APPLIANCE (TMA) offers every option to create, import, archive, retrieve or delete secrets. For better clarity and easier administration, freely definable metadata can be assigned manually or automatically.

    For symmetric keys, in addition to the import feature, the TMA can also directly generate n-bit keys using high-quality randomness. Keys, just like secrets, can be enriched with metadata, exported and deleted if necessary.

    Certificates additionally have to be signed by a CA and contain further information, for example about validity. Apart from generating certificates and the associated asymmetric keys and having them signed by a CA, there are also processes for manual or automatic renewal. Certificates can be renewed automatically according to preset criteria or at the touch of a button. The administrator has a detailed overview of validity periods and pending renewals at any time. When employees leave the company, or for other reasons, certificates can be revoked manually or automatically, for example by deleting the user account in Active Directory (AD) or another directory service. The Active Reports described in detail below play an important role here.

    Information about revoked certificates is made available as a Certificate Revocation List (CRL) for retrieval by other systems. Alternatively, the status of each certificate can be checked directly via the Online Certificate Status Protocol (OCSP) using the service provided by the TMA.

    The TMA allows you to organize and classify certificates into different certificate categories such as user, web server or network authentication. Appropriate policies define the permissions for creating, renewing and revoking certificates in accordance with their respective security class.

    The same applies to the CA, which can be created, renewed or withdrawn within the TMA. The number of CAs used simultaneously is not limited. They can be organized in parallel as different root-CAs, their sub-CAs, or a mixture of both.

     

  • Distribution to Mobile Devices, IT and Non-IT Devices


    There are various mechanisms for the distribution of certificates to different devices and systems with their respective operating systems.


    ECOS has developed a Windows service for the provisioning of Windows devices; it is rolled out to the devices as part of the software deployment, and ECOS provides the corresponding MSI file for this purpose. When the service contacts the ECOS TRUST MANAGEMENT APPLIANCE, a certificate is generated after successful authentication according to the preset parameters and transmitted to the Windows device. The Windows service also monitors the certificate's validity and, if configured, requests a new one in time, so that the certificate is always renewed automatically unless the administrator withdraws or revokes it.

    For the provisioning of Linux, Mac OS X, iOS and Android devices, as well as VPN gateways, routers, VoIP telephones and other ICT devices the TMA supports various protocols such as SCEP, CMC, EST and CMP. As described for Windows, the SCEP client, for example, will get its certificate from the TMA-integrated SCEP server and store it in the respective certificate store. As an alternative to software deployment tools, certificates can also be distributed by website download, by MDM or by sending profiles via e-mail.


    If the software deployment is based on customizable scripts, the distribution and renewal of certificates can also be automated through the HTTP API provided by the TMA.


    The TMA provides directory synchronization for AD and other directory services. User data can thus be transferred to the TMA, which issues the certificates and, unless they are distributed by other means, writes them back to AD for further distribution. This allows, for example, complete remote control of the TMA via AD. In addition, the TMA contains its own LDAP server. Systems equipped with an LDAP interface can use it, for example, to request internal public keys for encrypting and signing data or documents.


    ECOS provides the Smartcard Enrollment Tool for loading (personalizing) smartcards. It is started as a Windows app from the administration interface or the Self Service Portal and requires no installation or configuration. To use different smartcards, it is sufficient to store a middleware with PKCS#11 support on the TMA; a local installation is no longer necessary. The Smartcard Enrollment Tool supports two different procedures for issuing certificates on smartcards. If the certificates serve to secure access, the private key is generated directly on the smartcard. As the key cannot leave the smartcard, it can never get into the wrong hands. If the certificates are required for purposes such as encrypting documents, it is recommended to generate the private key on the TMA and store it on the smartcard. If the card is lost, a new smartcard with identical keys can be issued in order to regain access to encrypted documents.


    The ECOS Self Service Portal provides a range of wizards to help users apply for certificates and smartcards, or issue, renew and block them according to their respective rights. The role and rights assignment allows you to map the authorization and enrollment processes of a company within the TMA. Users can thus apply for certificates in their Self Service Portal and use them after approval, while all applications are listed, approved and signed in the Self Service Portal of the authorizing entity. Applicants and beneficiaries are informed about certificate applications and their respective status by e-mail notification. The Self Service Portal is provided by the TMA as a web-based service and can be adapted freely by the administrator to the needs of the company.

  • Validation

    There are two methods to validate a certificate. If the query is to be made without a permanent online connection, it is done using a CRL (Certificate Revocation List). This CRL lists all expired or revoked certificates and should therefore be updated at reasonable intervals. For this purpose, the TMA offers CRL download via HTTP or HTTPS. If an online connection is available, a real-time query of an OCSP (Online Certificate Status Protocol) server is recommended. This service is part of the TMA and can be operated across sites and redundantly in master/slave mode.
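    The two validation paths described above have different freshness properties: a cached CRL is only trustworthy until its nextUpdate, while an OCSP answer is real-time but may be unavailable offline. The following is an added example (not code from ECOS or the TMA) of the decision logic a relying party needs on top of either source: it prefers a fresh OCSP response, falls back to a cached CRL only while that CRL is still within its validity window, and otherwise reports `unknown` so the caller can fail closed. The data classes, the 24-hour age limit for OCSP responses without nextUpdate, and the sample serials and issuer name are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple


@dataclass
class CachedCrl:
    """A CRL downloaded earlier (e.g. from a CRL distribution point) and kept locally."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)


@dataclass
class OcspResponse:
    """The relevant fields of a single-certificate OCSP response (RFC 6960)."""
    serial: int
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # a real response may omit nextUpdate


def check_revocation(serial: int, issuer: str, now: datetime,
                     ocsp: Optional[OcspResponse] = None,
                     crl: Optional[CachedCrl] = None,
                     max_ocsp_age: timedelta = timedelta(hours=24)) -> Tuple[str, str]:
    """Decide a certificate's revocation status from the evidence at hand.

    Policy (an assumption of this example, not a product setting):
      1. a fresh OCSP answer for exactly this serial wins;
      2. otherwise the cached CRL is consulted, but only while 'now' lies
         inside its thisUpdate..nextUpdate window;
      3. anything else is 'unknown' so the caller can fail closed.
    Returns (status, evidence_source).
    """
    if ocsp is not None and ocsp.serial == serial:
        not_future = ocsp.this_update <= now
        if ocsp.next_update is not None:
            fresh = not_future and now <= ocsp.next_update
        else:
            fresh = not_future and (now - ocsp.this_update) <= max_ocsp_age
        if fresh and ocsp.cert_status in ("good", "revoked"):
            return ocsp.cert_status, "ocsp"
    if crl is not None and crl.issuer == issuer:
        if crl.this_update <= now <= crl.next_update:
            status = "revoked" if serial in crl.revoked_serials else "good"
            return status, "crl"
        return "unknown", "crl-stale"
    return "unknown", "none"


# Constructed sample data (not real certificates): one issuer, serial 4242 revoked.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CRL = CachedCrl(issuer="CN=Example Sub-CA", this_update=T0,
                       next_update=T0 + timedelta(days=7), revoked_serials={4242})


def demo() -> dict:
    """Run the policy against a few representative situations."""
    good_ocsp = OcspResponse(4242, "revoked", T0 + timedelta(days=2), T0 + timedelta(days=3))
    old_ocsp = OcspResponse(7, "good", T0 - timedelta(days=3), None)
    issuer = "CN=Example Sub-CA"
    return {
        # online: fresh OCSP answer says revoked and is preferred over the CRL
        "online_revoked": check_revocation(4242, issuer, T0 + timedelta(days=2), good_ocsp, SAMPLE_CRL),
        # offline, CRL still valid, serial not listed -> good
        "offline_good": check_revocation(7, issuer, T0 + timedelta(days=1), None, SAMPLE_CRL),
        # offline, CRL past nextUpdate -> refuse to vouch
        "offline_stale": check_revocation(7, issuer, T0 + timedelta(days=9), None, SAMPLE_CRL),
        # OCSP answer without nextUpdate older than allowed, valid CRL decides instead
        "aged_ocsp_crl_fallback": check_revocation(7, issuer, T0 + timedelta(days=1), old_ocsp, SAMPLE_CRL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The point of the `crl-stale` branch is the caveat in the paragraph above: a CRL that is not refreshed at reasonable intervals silently turns into "no revocation checking", so a checker should distinguish "not on a current list" from "the list I have is too old to say".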

  • Certificate Store

    In the simplest case, root certificates, CA keys and private keys can be stored on a secured hard drive. From a security point of view, however, the use of an HSM is recommended. The ECOS TRUST MANAGEMENT APPLIANCE supports network connection of Utimaco's hardware security modules; support for HSMs from other manufacturers is available on request. As with smartcards, certificates can be generated directly on the HSM. E-mails and other documents or files can be signed directly within the HSM.

  • Integration into the Infrastructure

    The successful introduction of a new PKI Software depends significantly on the implementation options offered by the existing IT infrastructure.


    Coupling the ECOS TRUST MANAGEMENT APPLIANCE (TMA) with AD or another directory service allows you to synchronize information on stored users or computers and to largely automate the related processes. When a new user is created in AD, the certificates required for Windows logon, hard drive encryption and e-mail encryption can thus be generated and written back to AD. A mapping table allows the procedures for individual users, groups or roles to be defined very granularly and cleanly. Through AD synchronization, ECOS Self Service Portal users can log in to the portal with their Windows credentials.


    All functions of the TMA can be controlled remotely through the HTTP API. For example, Linux deployment tools use the API to request, distribute and renew certificates for web servers. In the IoT area, production plants use the API to generate and retrieve keys for the devices being manufactured; the counterpart key needed later to decrypt the device's communication is stored automatically in the TMA.


    The TMA allows you to build multilevel, hierarchically structured root- and sub-CAs that can map the complex structures of corporations or organizations in certificate management. This includes the operation and central administration of any number of root-CAs and thus ensures tenant-based separation of the different areas. To operate an autonomous site, the PKI issues a certificate request for a sub-CA; once the root-CA has signed it, the site can issue certificates independently. When integrated into an existing PKI and key management environment, the TMA can be operated both as a root-CA and as a sub-CA.


    An import interface for the administration of public certificates is available for purposes such as signing e-mails, client authentication, server authentication or code signing. This interface allows information, certificates and keys from a previous PKI to be transferred into the TMA.


    An SNMP interface is provided for the integration into an existing monitoring system. It allows querying parameters such as CPU load, memory usage, disk space or active processes and integrating them into existing monitoring processes.


    The TMA logs all system-relevant information to evaluate it in the integrated Active Reports or make it available through the aggregation tools of the integrated syslog interface.


    The TMA is delivered as a virtual appliance for operation under VMware, Microsoft Hyper-V and other virtualization solutions. Operation on dedicated hardware or in a data center is also possible. An ISO image provides the specially hardened ECOS Secure Linux operating system and all TMA components required for an easy installation of the TMA.

     

  • Authentication

    Besides certificates, OTP-based (One Time Password) procedures are often used as an alternative or in addition for secure authentication. The ECOS TRUST MANAGEMENT APPLIANCE supports a wide range of commercially available solutions with its integrated RADIUS server. Both time-based TOTP and event-based HOTP are supported.

    For user authentication by software token, the TMA supports common OTP apps for iOS, Android and Windows Phone that are based on HOTP or TOTP. The linkage and synchronization between the RADIUS server and the app is performed through a QR code, which the user scans with the smartphone in the ECOS Self Service Portal. Additionally, classic OTP hardware tokens can also be used for authentication.

    As a further option, the TMA can send one-time passwords (OTP) by SMS to a stored mobile phone number, which, for example, was taken over from the AD synchronization. For authentication, the user first enters user name and password, then the one-time password. The SMS messages are sent through an on-premises SMS gateway or another suitable online service.

    Mobile devices and PCs authenticate at the WLAN access point or Ethernet switch according to the IEEE 802.1X standard. The access point or switch forwards the certificate it has received from the device that wants to connect to the TMA via the RADIUS protocol. After successful validation by the RADIUS server, network access is activated.

  • Administration

    The ECOS TRUST MANAGEMENT APPLIANCE is operated through a web-based admin interface. The different roles and rights, from helpdesk to IT management, can be set precisely with a granular assignment of rights. Thus, every user sees a clear overview of exactly the functions required for their range of tasks.

  • Active Reports

    The ECOS TRUST MANAGEMENT APPLIANCE (TMA) provides a wide range of reports by default, offering administrators the best possible overview of certificates applied for and issued, expired certificates and those due for renewal. The integrated report editor allows flexible access to all relevant information regarding users, certificates, keys and login data. Extensive queries, filters, groupings and tagging help the administrator meet the complex requirements of IT and controlling. Once generated, reports can be stored and made available to other authorized persons.


    Active Reports proactively inform admins and users about particular information and processes, or initiate predefined actions. For example, Active Reports can notify the administrator weekly by e-mail about pending certificate renewals or certificate requests by users. Notifications to the users themselves can be automated too, for example to invite them to renew their smartcard via the Self Service Portal. Escalation levels for renewals that were not completed in time can be automated as well.


    Active Reports furthermore allow access to specific data within the certificates themselves. It is thus possible, for example, to use the validity date both in the e-mail text and as the trigger for sending the e-mail.
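    The renewal and escalation logic described in the Lifecycle Management and Active Reports sections can be sketched as a small scheduled job over the certificate inventory. The following is an added example written for this page (not ECOS code and not the TMA's report editor): each certificate is classified into an action from its validity dates, automatic renewal is triggered once a configurable fraction of the lifetime has elapsed, user-facing notifications fire inside a warning window, and an escalation is raised when a certificate is within days of expiry or already expired. The record layout, the 2/3-lifetime rule, the 30/7-day thresholds and the sample inventory are assumptions constructed for this example; the certificate categories follow the ones named on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class CertRecord:
    subject: str
    category: str          # e.g. "user", "web server", "network authentication"
    not_before: datetime
    not_after: datetime
    auto_renew: bool       # policy allows renewal without user interaction


def renewal_action(cert: CertRecord, now: datetime,
                   renew_after_fraction: float = 2 / 3,
                   warn_days: int = 30, urgent_days: int = 7) -> str:
    """Classify one certificate (thresholds are assumptions of this example).

    'expired'     notAfter has passed          -> escalate to the administrator
    'auto-renew'  more than renew_after_fraction of the lifetime is used and
                  policy allows unattended renewal
    'urgent'      within urgent_days, needs the user -> escalation mail
    'warning'     within warn_days              -> invite user to Self Service renewal
    'ok'          nothing to do
    """
    if now >= cert.not_after:
        return "expired"
    lifetime = cert.not_after - cert.not_before
    used = now - cert.not_before
    remaining = cert.not_after - now
    if cert.auto_renew and used >= lifetime * renew_after_fraction:
        return "auto-renew"
    if remaining <= timedelta(days=urgent_days):
        return "urgent"
    if remaining <= timedelta(days=warn_days):
        return "warning"
    return "ok"


def renewal_report(certs: List[CertRecord], now: datetime) -> Dict[str, List[str]]:
    """Group subjects by action, dropping 'ok', the way a weekly report would."""
    report: Dict[str, List[str]] = {}
    for c in certs:
        action = renewal_action(c, now)
        if action != "ok":
            report.setdefault(action, []).append(c.subject)
    return report


# Constructed sample inventory (not real certificates or hosts).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertRecord("alice@example.test", "user", NOW - timedelta(days=300), NOW + timedelta(days=65), True),
    CertRecord("bob@example.test", "user", NOW - timedelta(days=340), NOW + timedelta(days=25), False),
    CertRecord("www.example.test", "web server", NOW - timedelta(days=360), NOW + timedelta(days=5), False),
    CertRecord("switch01.example.test", "network authentication", NOW - timedelta(days=400), NOW - timedelta(days=1), True),
    CertRecord("carol@example.test", "user", NOW - timedelta(days=10), NOW + timedelta(days=355), True),
]


if __name__ == "__main__":
    for action, subjects in renewal_report(SAMPLE_CERTS, NOW).items():
        print(f"{action:10s} {', '.join(subjects)}")
```

    Renewing on elapsed lifetime rather than on a fixed number of days before expiry keeps short-lived device certificates and long-lived user certificates under the same rule, and an `expired` bucket that is never empty is the signal that automatic renewal itself has stopped working.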

  • High Availability of ECOS TMA

    The ECOS TRUST MANAGEMENT APPLIANCE allows RADIUS or OCSP servers to be operated in master/slave mode so that user authentication remains available in case of a system failure.


    The optional ECOS HA module expands the TMA into a high-availability cluster, even across different locations. At the same time, the load balancing functionality of the HA module supports flexible scalability and the development of a high-performance PKI.

  • Certificate creation, renewal and revocation
  • Certificates, secrets and symmetric keys
  • Key length and signature algorithm freely configurable
  • Freely definable and assignable metadata
  • Automatic certificate renewal
  • Classification and structuring of certificates
  • Certificate distribution by LDAP, SCEP, CMC, CMP, EST or Windows service
  • Loading or creating certificates on the smartcard
  • Self Service Portal for users, helpdesk and admin
  • Safe storage in hardware security module
  • Coupling with AD and other metadirectories
  • Control of all functions by HTTP API
  • Multilevel root- and sub-CAs
  • Central administration of client-specific root-CAs
  • Integration into existing PKI as sub- or root-CA
  • Import interface for public and private certificates
  • SNMP interface for connection of a monitoring system
  • syslog interface for connection of an aggregation tool
  • Operation under VMware, Microsoft Hyper-V and other virtualization platforms or dedicated hardware
  • Preconfigured ISO image with ECOS Secure Linux and TMA
  • Certificate validation per CRL or OCSP
  • RADIUS server for authentication by IEEE 802.1X
  • Support of OTP tokens, software tokens and SMS
  • Granular rights assignment for admin interface
  • Predefined reports and integrated report editor
  • Automatic notification system through Active Reports
  • Cluster operation, also cross-site
