User authentication with ECOS CERTIFICATE AUTHORITY APPLIANCE
ECOS CERTIFICATE AUTHORITY APPLIANCE (CAA) is a certificate, smart card and token management system that runs on VMware, Citrix XenServer, Hyper-V or Oracle VirtualBox, providing flexible identity management.
The directory service provided by ECOS appliances allows central, OS-independent certificate administration as well as user authentication and synchronization for a variety of requirements.
The LDAP-based appliance can be synchronized with the directory services of different manufacturers. The integrated certificate authority allows ECOS CERTIFICATE AUTHORITY APPLIANCE to issue and administer its own certificates or to import and administer external certificates. Convenient smart card and token lifecycle management, together with a RADIUS-based OTP system, covers a wide range of authentication tasks, especially in heterogeneous environments.
ECOS CERTIFICATE AUTHORITY APPLIANCE can issue OS-independent certificates from one or more of its own root or sub CAs.
Token/smart card enrollment can be performed in direct interaction with the Windows® Certificate Manager and therefore works with all smart cards and tokens that support the Microsoft® standard certificate interface (MS-CAPI) and PKCS#11 and are operable under Windows®.
Smart card or token personalization can be done via web browser on any PC, anywhere. Both generating a certificate and initializing OTP tokens take only a few easy steps. To simplify the token roll-out, end users can personalize their tokens themselves. For this purpose, the administrator can customize the user web frontend so that the user is restricted to the required options and guided through the entire installation process.
An appropriate programming API is available for mass enrollment.
Besides enrollment, the integrated lifecycle management also allows downstream procedures such as token replacement in case of loss and certificate revocation on particular smart cards or tokens.
All users are centrally stored in an LDAP directory accessible to the different IT components. Besides authentication against the LDAP server, certificates and other user information can be made available via LDAP.
The PKI appliance synchronizes users or certificates with various directory services such as Microsoft® Active Directory (ADS), Novell® eDirectory, Siemens® DirX, CA® eTrust, SUN® Directory and other LDAP-based directory services.
Furthermore, ECOS CERTIFICATE AUTHORITY APPLIANCE provides secure authentication via RADIUS for firewalls, VPN gateways, remote access routers, Unix/Windows servers and other components.
One-time passwords (OTP) can be issued in the PKI appliance either manually through the administration tool or with the help of eToken NG-OTP or eToken PASS (SafeNet®). OTPs are suitable for situations in which no software can be installed on the PC (e.g. internet café, external contractors) or for authentication at web interfaces where certificate-based authentication is not possible.
In company-wide PKI solutions, fault tolerance and scalability are of utmost importance. ECOS CERTIFICATE AUTHORITY APPLIANCE (CAA) therefore offers the option of running parallel, redundant devices with a high availability extension.
This allows load sharing on the one hand and ensures uninterrupted operation in case of a device failure on the other, as every remaining system can automatically and transparently assume the full functionality of the failed device.
ECOS CERTIFICATE AUTHORITY APPLIANCE can be administered from any workstation through a password- or token-protected HTTPS connection to the web frontend.
Technical data and functions
- Issuance of its own certificates and administration of external certificates
- Support for several root and sub CAs
- Administration and provision of certificates in LDAP
- Certificate storage and issuance directly on smart cards or USB tokens
- Authentication by certificate or OTP
- Integrated one-time password module (OTP) for SafeNet® eToken NG-OTP or eToken PASS
- Authentication through RADIUS
- Authentication through LDAP
- Directory synchronization for users and certificates with Microsoft® ADS, Novell® eDirectory, Siemens® DirX, CA® eTrust, SUN® Directory, LDAP and other directories
- Extensive smart card and token lifecycle management
- Finely structured rights management
- OCSP support
- SHA-2 support
- Administration via web interface
- Separate web frontend (HTTPS) for end users to personalize and manage smart cards or tokens
- Various high availability possibilities