Administrator's Guide: Red Hat Certificate System
Chapter 7
Token Management System
To support the use of smart cards and similar hardware tokens that store certificates and related data, CS includes a Token Management System. This consists of the three components introduced in this chapter, which are integrated with the rest of CS:
- Token Processing Service (TPS) acts as a Registration Authority for requests from the Enterprise Security Client.
- Token Key Service (TKS) manages the master key(s) required to set up a secure communication channel between the TPS and the client.
- Enterprise Security Client (ESC) is a plug-in for client software such as browsers and email applications. It supports the use of tokens on users' computers.
This chapter briefly introduces these three components. For more details, see the HTML document "Setting Up a Token Key Infrastructure," available on the CS CD.
Token Processing Service
The Token Processing Service (TPS) is a CS component that acts as a Registration Authority for authenticating and processing enrollment requests, PIN reset requests, and formatting requests from the Enterprise Security Client (ESC).
TPS is designed to communicate with tokens that conform to GlobalPlatform's Open Platform specification.
TPS communicates over SSL with various CS backend components (including Certificate Manager, Token Key Service, and Data Recovery Manager) to fulfill users' requests.
TPS also interacts with the token database, an LDAP server that stores information about individual tokens.
Token Key Service
The Token Key Service (TKS) is a CS component that manages the master key(s) and the transport key(s) required to generate and distribute keys for hardware tokens. TKS provides the security between tokens and TPS: that security rests on the relationship between the master key, which stays on TKS, and the token keys derived from it. TPS communicates with TKS over SSL using client authentication.
Functions provided by TKS include:
- Helps establish a secure channel (authenticated and encrypted) between the token and TPS.
- Provides proof of presence of the security token during enrollment.
- Supports key changeover when the master key changes on TKS. Tokens that still hold keys derived from the older master key are issued new token keys.
Because of the sensitivity of the data that TKS manages, TKS should be set up behind a firewall with restricted access.
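The master-key/token-key relationship, the proof of presence, and key changeover described above can be modelled in a few dozen lines. The following is an added example written for this page; it is not Certificate System or TKS code. Everything in it is a stated simplification: real GlobalPlatform tokens diversify keys from the master key with 3DES keyed on the card's CUID, derive SCP session keys with 3DES, and receive new keys through PUT KEY wrapped under a session key; here HMAC-SHA256 stands in for every one of those cipher operations so the model runs on the Python standard library, and all class, function and field names (TKS, Token, open_secure_channel, put_key, and so on) are this example's own. The fixed keys, CUID and challenges are constructed test values.

```python
"""Model of the TKS master-key / token-key relationship (added example, not CS code).
All cryptography is HMAC-SHA256 standing in for the GlobalPlatform 3DES operations;
names and data here are constructed for illustration."""
import hashlib
import hmac

PURPOSES = ("enc", "mac", "kek")        # the three static keys a GP card key set holds


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_token_keys(master_key: bytes, version: int, cuid: bytes) -> dict:
    """Diversify the master key into per-token keys bound to the token's CUID."""
    return {p: prf(master_key, bytes([version]) + cuid + p.encode()) for p in PURPOSES}


def derive_session_keys(static: dict, host_chal: bytes, card_chal: bytes) -> dict:
    """Per-channel keys bound to both challenges, so cryptograms cannot be replayed."""
    return {p: prf(static[p], host_chal + card_chal) for p in ("enc", "mac")}


def cmac(key: bytes, data: bytes) -> bytes:
    return prf(key, data)[:8]           # 8-byte tag, like a GP C-MAC


def wrap(kek: bytes, version: int, blob: bytes) -> bytes:
    """XOR with an HMAC keystream; symmetric, so the same call unwraps (assumption)."""
    stream = b"".join(prf(kek, bytes([version, i])) for i in range(3))
    return bytes(a ^ b for a, b in zip(blob, stream))


class Token:
    """Card side: holds only its own diversified keys, never the master key."""

    def __init__(self, cuid: bytes, version: int, keys: dict):
        self.cuid, self.version, self.keys = cuid, version, keys

    def initialize_update(self, host_chal: bytes, card_chal: bytes) -> tuple:
        self.sess = derive_session_keys(self.keys, host_chal, card_chal)
        return self.version, cmac(self.sess["enc"], host_chal + card_chal)   # card cryptogram

    def external_authenticate(self, host_chal, card_chal, host_cryptogram) -> bool:
        return hmac.compare_digest(cmac(self.sess["enc"], card_chal + host_chal), host_cryptogram)

    def verify_command(self, apdu: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(cmac(self.sess["mac"], apdu), tag)

    def put_key(self, version: int, wrapped: bytes) -> None:
        """Key changeover on the card: unwrap under the current KEK, install, bump version."""
        blob = wrap(self.keys["kek"], version, wrapped)
        self.keys = {p: blob[i * 32:(i + 1) * 32] for i, p in enumerate(PURPOSES)}
        self.version = version


class TKS:
    """Token Key Service: master keys by version; hands TPS session keys only."""

    def __init__(self):
        self.master = {}

    def add_master_key(self, version: int, key: bytes) -> None:
        self.master[version] = key

    def issue_token(self, cuid: bytes, version: int) -> Token:
        return Token(cuid, version, derive_token_keys(self.master[version], version, cuid))

    def session_keys(self, cuid, version, host_chal, card_chal):
        if version not in self.master:
            return None                 # retired master key version: token must be re-keyed
        static = derive_token_keys(self.master[version], version, cuid)
        return derive_session_keys(static, host_chal, card_chal)

    def wrapped_keys(self, token: Token, new_version: int) -> bytes:
        """New diversified keys, wrapped under the token's current KEK for changeover."""
        old = derive_token_keys(self.master[token.version], token.version, token.cuid)
        new = derive_token_keys(self.master[new_version], new_version, token.cuid)
        return wrap(old["kek"], new_version, b"".join(new[p] for p in PURPOSES))


def open_secure_channel(tks: TKS, token: Token, host_chal: bytes, card_chal: bytes):
    """TPS side: mutual authentication; a valid card cryptogram is the proof of presence."""
    version, card_cryptogram = token.initialize_update(host_chal, card_chal)
    sess = tks.session_keys(token.cuid, version, host_chal, card_chal)
    if sess is None or not hmac.compare_digest(cmac(sess["enc"], host_chal + card_chal), card_cryptogram):
        return None                     # token keys do not descend from our master key
    if not token.external_authenticate(host_chal, card_chal, cmac(sess["enc"], card_chal + host_chal)):
        return None
    return sess


def demo() -> dict:
    """Constructed, fixed test vectors (not real keys or a real CUID)."""
    tks = TKS()
    tks.add_master_key(1, b"\x01" * 32)
    hc, cc = b"\xaa" * 8, b"\xbb" * 8
    good = tks.issue_token(b"\x00\x12\x34\x56\x78\x9a", 1)
    legacy = tks.issue_token(b"\x00\x12\x34\x56\x78\x9b", 1)
    rogue = Token(good.cuid, 1, derive_token_keys(b"\x02" * 32, 1, good.cuid))  # same CUID, wrong master
    sess = open_secure_channel(tks, good, hc, cc)
    apdu = b"\x80\xe2\x80\x00"                                 # constructed command header
    results = {"genuine": sess is not None and good.verify_command(apdu, cmac(sess["mac"], apdu)),
               "rogue": open_secure_channel(tks, rogue, hc, cc) is None}
    tks.add_master_key(2, b"\x03" * 32)                      # changeover: new master key version
    good.put_key(2, tks.wrapped_keys(good, 2))                # this token is re-keyed ...
    del tks.master[1]                                         # ... then the old version is retired
    results["after_changeover"] = open_secure_channel(tks, good, hc, cc) is not None
    results["not_changed_over"] = open_secure_channel(tks, legacy, hc, cc) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes: TPS never holds the master key or the token's static keys, only session keys handed over by TKS; a token whose keys were not derived from the TKS master key cannot produce a valid card cryptogram even with the same CUID; and a token that is not re-keyed before the old master key version is retired can no longer open a channel, which is why key changeover has to reach every token that still carries keys from the old version.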
Enterprise Security Client
The Enterprise Security Client (ESC) is the CS component that provides the user-facing portion of the Token Management System. The end user can be issued security tokens containing certificates and keys required for signing, encryption, and other cryptographic functions. To make use of the tokens, TPS must be able to recognize and communicate with them. ESC provides the means by which tokens can be taken through the enrollment process.
ESC is a Win32 program that communicates with the TPS back end over HTTPS (HTTP over SSL). It makes use of a web browser container to provide a simple, customizable HTML-based UI. The native functionality of the tokens is exposed through JavaScript functions called from the HTML UI. After a token is properly enrolled, popular web browsers such as those from the Mozilla organization can be configured to recognize the token and use it for security operations.
ESC provides the following capabilities:
- Allows the user to enroll security tokens so they are recognized by TPS.
- Allows the user to maintain the security token through its life cycle. For example, ESC makes it possible to re-enroll a token with TPS.
- Provides support for two types of tokens. The UserKey type allows the use of the key on a token to identify a specific individual. The simpler DeviceKey can be used only to identify the key itself, without verifying an individual's identity.
- Provides information about the current status of the token or tokens being managed.