SealSign CKC (Central Key Control) Management guide

ElevenPaths, radical and disruptive innovation in security solutions

[email protected] elevenpaths.com

Upload: elevenpaths

Post on 26-Jan-2017



Page 2: SealSign CKC management guide

SealSign CKC (Central Key Control)

Management guide V.3.2 – October 2016

2016 © Telefónica Digital España, S.L.U. All rights reserved. Page 2 of 23

Table of contents

1 Introduction ... 3
2 Configuration Tasks ... 4
2.1 Configuring Certificates in the SealSign DSS Server ... 4
2.2 Configuring Policies of Access to Central Key Control (Optional, only for Central Key Control Client) ... 4
2.2.1 Opening the Administrative Template ... 4
2.2.2 Loading Administrative Templates ... 5
2.2.3 Configuring the Connection to the SealSign DSS Server (At Machine Level) ... 5
2.2.4 Configuring the Connection to the SealSign DSS Server (At User Level) ... 9
2.2.5 Configuring Other SealSign DSS Parameters (At Machine Level) ... 12
2.2.6 Configuring Other SealSign DSS Parameters (At User Level) ... 16
2.2.7 Configuring the Parameters of the Certificate Automatic Import (At Machine Level) ... 17
2.2.8 Configuring the Parameters of the Certificate Automatic Import (At User Level) ... 18
3 Troubleshooting ... 21
4 Resources ... 22


1 Introduction

SealSign Central Key Control (CKC) is a software product developed entirely by ElevenPaths, designed to centrally control the use of electronic certificates in an organization. CKC is based on the management of the different certificate stores supported by the SealSign Digital Signature Services electronic signature platform.

One of the problems with the electronic signature process is the management of the certificates and keys used to sign documents. To solve this, SealSign DSS provides a store of certificates and keys that are associated with rules of use within its configuration database. In addition, both in server-side signature processes and in distributed client-side signature processes, SealSign DSS can use certificates held in external stores, either Windows certificate stores or stores accessible through PKCS#11 modules.

With Central Key Control you can use certificates stored in the SealSign DSS server from client computers in a very transparent way through an engine based on rules of use with filtering options, as if these certificates were stored locally in each computer.

Moreover, CKC can increase the security of access to certificates by adding an extra authentication factor whenever a certificate's private key is used. This extended authentication support is based on the SmartID Professional authentication platform, which supports contact and contactless chip cards as well as biometric factors such as fingerprints.

Finally, with Central Key Control you can configure both a list of processes, client computers and authorized users, and a list of URLs where the use of the private keys associated with platform certificates is allowed.


2 Configuration Tasks

Information about licensing is detailed in the document "SealSign - Licensing.pdf".

When using Central Key Control in an organization, the administrator must perform two fundamental tasks:

1. Configuring certificates and/or rules of use on the SealSign DSS server.

2. Configuring CKC client policies (optional).

2.1 Configuring Certificates in the SealSign DSS Server

The Central Key Control storage and management system for certificates and permissions is built on the certificate functionality of the SealSign DSS server. Before a certificate can be used or shared through Central Key Control, the platform administrator must add the certificate, or a reference to it, to the SealSign DSS server.

The Centralized Key Management section of the SealSign DSS Management Guide details the tasks to be conducted to manage centralized access to certificates.

2.2 Configuring Policies of Access to Central Key Control (Optional, only for Central Key Control Client)

In order to apply and configure the parameters of access to CKC certificates through the Central Key Control client software, the Central Key Control installer copies a Windows administrative template that allows the administrator to perform this configuration. Furthermore, in environments where it is not possible or convenient to use administrative templates, any of these parameters can be configured through entries in the system registry.

The administrative template for configuring CKC, KeyControl.adm, is copied to the %Program Files%\Smart Access S.L\Central Key Control folder in the client computers.

2.2.1 Opening the Administrative Template

You can follow these steps to open the administrative template in the Group Policy Editor:

1. Open the Group Policy Editor. It can be opened from multiple locations, depending on where you wish to apply the changes: for example, from the command line (gpedit.msc) for policies local to the machine, from the Active Directory Users and Computers console, or by using the Group Policy Editor MMC snap-in.

2. Expand the policy tree on the left until you find the option needed:

a. Computer Configuration\Administrative Templates\SmartAccess\Central Key Control Parameters and User Configuration\Administrative Templates\SmartAccess\Central Key Control Parameters in Windows XP and Windows 2003.


b. Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\SmartAccess\Central Key Control Parameters and User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\SmartAccess\Central Key Control in Windows Vista and later.

2.2.2 Loading Administrative Templates

If the administrative template is not preloaded in the Group Policy Editor, it must be loaded following these steps:

1. Open the Group Policy Editor. It can be opened from multiple locations, depending on where you wish to apply the changes: for example, from the command line (gpedit.msc) for policies local to the machine, from the Active Directory Users and Computers console, or by using the Group Policy Editor MMC snap-in.

2. Right-click the Administrative Templates node located under Computer Configuration and select Add/Remove Templates.

3. Click the Add button.

4. Select the template file (%Program files%\Smart Access S.L\Central Key Control\KeyControl.adm) and click Open.

5. Click Close.

6. The template for the Central Key Control configuration will be available in the editor under the following paths:

a. Computer Configuration\Administrative Templates\SmartAccess\Central Key Control Parameters and User Configuration\Administrative Templates\SmartAccess\Central Key Control Parameters in Windows XP and Windows 2003.

b. Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\SmartAccess\Central Key Control Parameters and User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\SmartAccess\Central Key Control in Windows Vista and later.

You can find further information on loading and using administrative templates in this Microsoft Knowledge Base article: http://support.microsoft.com/kb/816662/en.

2.2.3 Configuring the Connection to the SealSign DSS Server (At Machine Level)

2.2.3.1 URL of the Central Key Control Web Service

It defines the URL for accessing the Central Key Control web service. Its value should be similar to this: http://sealsignserver/SealSignDSSKeyControl

Policy: SealSign Key Control Service URL
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignKCServiceURL
Property type: REG_SZ


2.2.3.2 URL of the SealSign Management Web Service

It defines the URL for accessing the SealSign management web service. Its value should be similar to this: http://sealsignserver/SealSignDSSService

Policy: SealSign DSS Administration Service URL
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignDSSAdminServiceURL
Property type: REG_SZ

2.2.3.3 User Account for the Connection to the SealSign Server

The connection to the SealSign and CKC web services will be performed by default with the current user account. For those environments where it is desired or necessary to use a different account, it must be configured through this policy:

Policy: SealSign UserName
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignUserName
Property type: REG_SZ

2.2.3.4 User Password for the Connection to the SealSign Server

The connection to the SealSign and CKC web services will be performed by default with the current user account. The password of the alternative user used to access the server must be configured through this policy:

Policy: SealSign Password
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignPassword
Property type: REG_SZ


In an administrative template, the password would be saved in the registry in clear text. That is why we have developed a tool called "GenerateAdmPassword", located in the SealSign CKC Client installation directory, which generates an encrypted block from a plaintext password. The appearance of the tool is shown in the following figure. The content of its "Encrypted Password" text field is what needs to be entered in the "SealSign Password" field of the administrative template.

2.2.3.5 User Domain for the Connection to the SealSign Server

The connection to the SealSign and CKC web services will be performed by default with the current user account. The domain of the alternative user used to access the server must be configured through this policy:

Policy: SealSign Domain
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignDomain
Property type: REG_SZ

2.2.3.6 Cache Timeout for the SealSign Certificates Password (Seconds)

The recommended value is between 30 and 60 seconds. Because cryptographic operations on the Microsoft platform are not atomic (they are split into several independent operations rather than performed as a single one), this cache carries the centralized certificate password across the calls to the SealSign server without repeatedly prompting the user for it. This policy only applies when a certificate is registered in SealSign DSS and is configured so that SealSign does not remember its password.

Policy: Password Cache Time (seconds)
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: PasswordCacheTime
Property type: REG_SZ


2.2.3.7 Open Timeout for the Connection to the SealSign Server

With this policy you can configure the open timeout for the connection to the SealSign Server:

Policy: SealSign Open Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: OpenTimeout
Property type: REG_DWORD
Default value: 5 seconds

2.2.3.8 Send Timeout to the SealSign Server

With this policy you can configure the send timeout to the SealSign Server:

Policy: SealSign Send Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SendTimeout
Property type: REG_DWORD
Default value: 10 seconds

2.2.3.9 Receive Timeout from the SealSign Server

With this policy you can configure the receive timeout from the SealSign Server:

Policy: SealSign Receive Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: ReceiveTimeout
Property type: REG_DWORD
Default value: 10 seconds

Configuration of the connection parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at user level.


2.2.4 Configuring the Connection to the SealSign DSS Server (At User Level)

2.2.4.1 URL of the Central Key Control Web Service

It defines the URL for accessing the Central Key Control web service. Its value should be similar to this: http://sealsignserver/SealSignDSSKeyControl

Policy: SealSign Key Control Service URL
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignKCServiceURL
Property type: REG_SZ

2.2.4.2 URL of the SealSign Management Web Service

It defines the URL for accessing the SealSign management web service. Its value should be similar to this: http://sealsignserver/SealSignDSSService

Policy: SealSign DSS Administration Service URL
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignDSSAdminServiceURL
Property type: REG_SZ

2.2.4.3 User Account for the Connection to the SealSign Server

The connection to the SealSign and CKC web services will be performed by default with the current user account. For those environments where it is desired or necessary to use a different account, it must be configured through this policy:

Policy: SealSign UserName
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignUserName
Property type: REG_SZ


2.2.4.4 User Password for the Connection to the SealSign Server

The connection to the SealSign and CKC web services will be performed by default with the current user account. The password of the alternative user used to access the server must be configured through this policy:

Policy: SealSign Password
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignPassword
Property type: REG_SZ

In an administrative template, the password would be saved in the registry in clear text. That is why we have developed a tool called "GenerateAdmPassword", located in the SealSign CKC Client installation directory, which generates an encrypted block from a plaintext password. The appearance of the tool is shown in the following figure. The content of its "Encrypted Password" text field is what needs to be entered in the "SealSign Password" field of the administrative template.

2.2.4.5 User Domain for the Connection to the SealSign Server

The connection to the SealSign and CKC web services will be performed by default with the current user account. The domain of the alternative user used to access the server must be configured through this policy:

Policy: SealSign Domain
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SealSignDomain
Property type: REG_SZ


2.2.4.6 Cache Timeout for the SealSign Certificates Password (Seconds)

The recommended value is between 30 and 60 seconds. Because cryptographic operations on the Microsoft platform are not atomic (they are split into several independent operations rather than performed as a single one), this cache carries the centralized certificate password across the calls to the SealSign server without repeatedly prompting the user for it. This policy only applies when a certificate is registered in SealSign DSS and is configured so that SealSign does not remember its password.

Policy: Password Cache Time (seconds)
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: PasswordCacheTime
Property type: REG_SZ

2.2.4.7 Open Timeout for the Connection to the SealSign Server

With this policy you can configure the open timeout for the connection to the SealSign Server:

Policy: SealSign Open Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: OpenTimeout
Property type: REG_DWORD
Default value: 5 seconds

2.2.4.8 Send Timeout to the SealSign Server

With this policy you can configure the send timeout to the SealSign Server:

Policy: SealSign Send Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: SendTimeout
Property type: REG_DWORD
Default value: 10 seconds


2.2.4.9 Receive Timeout from the SealSign Server

With this policy you can configure the receive timeout from the SealSign Server:

Policy: SealSign Receive Timeout
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\SealSignProvider
Property name: ReceiveTimeout
Property type: REG_DWORD
Default value: 10 seconds

Configuration of the connection parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at user level.

2.2.5 Configuring Other SealSign DSS Parameters (At Machine Level)

2.2.5.1 CKC Certificates Replication Delay

This time determines the update interval at which the CKC agent performs certificate replication operations to the client.

Policy: Replication Delay
Template: KeyControl.adm
Configuration: Configure SealSign Connection Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: ReplicationDelay
Property type: REG_DWORD
Default value: 5 minutes

2.2.5.2 Delay before Shutdown

When the Central Key Control client is configured to run on demand (Execute KeyControlSrv at user session logon policy set to 0), this policy sets how long the process lives after the last operation before it exits.

Policy: Shutdown Delay (minutes)
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: ShutdownDelay
Property type: REG_DWORD
Default value: 1440 minutes

2.2.5.3 Delay before Shutdown Due to COM Classes Registration Errors

By default, the client executable that performs all operations against the SealSign server is a COM out-of-process (OOP) component. When the Central Key Control client is configured to run on demand (Execute KeyControlSrv at user session logon policy set to 0), this policy sets how long the process lives after its last attempt to register the COM classes it contains before it exits.

Policy: Shutdown Delay in COM Classes register errors (seconds)
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: ShutdownDelayRegisterCOMError
Property type: REG_DWORD
Default value: 30 seconds

2.2.5.4 Running KeyControlSrv at Session Logon

By default, the client executable that performs all operations against the SealSign server is a COM out-of-process (OOP) component. This COM component runs on demand: when its tasks are finished, the process exits until it is required again.

On some client computers, COM errors may appear that lead to a malfunction of the Central Key Control client. In such cases, you can enable this policy to reduce the impact of those COM problems on the Central Key Control client.

Policy: Execute KeyControlSrv at user session logon
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: ExecuteSrvInInitSession
Property type: REG_DWORD
Default value: 0

2.2.5.5 Asking for User Credentials

This policy only applies if the Central Key Control client is integrated with SmartID Professional, a product by ElevenPaths. If this policy is activated, an additional protection factor (biometric or smartcard) is added to the use of the centralized certificate private key in the SealSign platform. Installation of the SmartID Professional software on the client computer is a mandatory requirement.


Policy: Ask for user credential
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: AskForUserCredential
Property type: REG_DWORD
Default value: 0

2.2.5.6 Timeout for Credentials Cache

This policy only applies if the Central Key Control client is integrated with SmartID Professional, a product by ElevenPaths. If this policy is activated, an additional protection factor (biometric or smartcard) is added to the use of the centralized certificate private key in the SealSign platform. Installation of the SmartID Professional software on the client computer is a mandatory requirement.

Because cryptographic operations on the Microsoft platform are not atomic (they are split into several independent operations rather than performed as a single one), this cache carries the SmartID Professional credential associated with a user across the calls to the SealSign server without repeatedly prompting the user for it.

Policy: Credential Cache Time (seconds)
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: CredentialCacheTime
Property type: REG_DWORD
Default value: 30 seconds

2.2.5.7 Timeout for URL Cache

Because cryptographic operations on the Microsoft platform are not atomic (they are split into several independent operations rather than performed as a single one), this cache carries the browser URL associated with the cryptographic operation across the calls to the SealSign server without repeatedly requesting a new authentication from the user.

This policy only applies when the centralized private key is accessed from the Microsoft Internet Explorer browser and a rule of use with a URL filter is associated with that private key.

Policy: Url Cache Time (seconds)
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: UrlCacheTime
Property type: REG_DWORD
Default value: 30 seconds

2.2.5.8 Deleting Orphan Private Keys

By default on Microsoft Windows platforms, when a certificate is deleted from the certificate store, its associated private key is not deleted; this is by design. Enabling this policy clears the orphan private keys in the user store, which mitigates this potential security hole.

This key is for experimental use. If, once applied, certificates behave strangely (for example, disappearing from the store), please contact ElevenPaths' Support.

Policy: Delete orphaned private keys
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: DeleteOrphanedPrivateKeys
Property type: REG_DWORD
Default value: 0

2.2.5.9 Enabling the Local Certificates Inventory

The Central Key Control client can report to the SealSign server information on the certificates installed in the user store (local certificates, not centralized). To enable this feature you just have to activate this policy.

Policy: Enable local certificates inventory
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: EnableCertificateInventory
Property type: REG_DWORD
Default value: 0

Configuration of the general parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at machine level.


2.2.6 Configuring Other SealSign DSS Parameters (At User Level)

2.2.6.1 Asking for User Credentials

This policy only applies if the Central Key Control client is integrated with SmartID Professional, a product by ElevenPaths. If this policy is activated, an additional protection factor (biometric or smartcard) is added to the use of the centralized certificate private key in the SealSign platform. Installation of the SmartID Professional software on the client computer is a mandatory requirement.

Policy: Ask for user credential
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl
Property name: AskForUserCredential
Property type: REG_DWORD
Default value: 0

2.2.6.2 Deleting Orphan Private Keys

By default on Microsoft Windows platforms, when a certificate is deleted from the certificate store, its associated private key is not deleted; this is by design. Enabling this policy clears the orphan private keys in the user store, which mitigates this potential security hole.

This key is for experimental use. If, once applied, certificates behave strangely (for example, disappearing from the store), please contact ElevenPaths' Support.

Policy: Delete orphaned private keys
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl
Property name: DeleteOrphanedPrivateKeys
Property type: REG_DWORD
Default value: 0

2.2.6.3 Enabling the Local Certificates Inventory

The Central Key Control client can report to the SealSign server information on the certificates installed in the user store (local certificates, not centralized). To enable this feature you just have to activate this policy.


Policy: Enable local certificates inventory
Template: KeyControl.adm
Configuration: Configure Central Key Control Parameters
Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl
Property name: EnableCertificateInventory
Property type: REG_DWORD
Default value: 0

Configuration of the general parameters can be set at machine or user level. If both options are set, the parameters with higher preference are the ones configured at machine level.

2.2.7 Configuring the Parameters of the Certificate Automatic Import (At Machine Level)

2.2.7.1 Enabling Certificate Automatic Import

In a way that is transparent to the user, the Central Key Control client can automatically import certificates from the local user store to the SealSign server (local certificates, not centralized). To enable this feature you just have to activate this policy.

Policy: Enable automatic import of local certificates
Template: KeyControl.adm
Configuration: Configure Central Key Control AutoImport Parameters
Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
Property name: EnableAutomaticPFXImport
Property type: REG_DWORD
Default value: 0

2.2.7.2 Overwriting local certificates In the event that the user has a centralized certificate assigned identical to a local certificate, this policy states what to do in relation to its visibility within the certificate store. If the policy is enabled, the local certificate will be ignored (access to it will not be possible) and only the centralized certificate will be used. Otherwise, two identical certificates will appear in the user certificate store, one local and one centralized, so you will be able to use either one or another.

Overwrite local certificates
  Template: KeyControl.adm
  Configuration: Configure Central Key Control AutoImport Parameters
  Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl
  Property name: OverwriteLocalCertificates
  Property type: REG_DWORD
  Default value: 0

2.2.7.3 Filtering by issuer

This policy defines the certificate issuers whose certificates are authorized for automatic import. If you do not wish to automatically import every certificate from the user certificate store to SealSign, define this filter by issuer.

Issuer names (CN) are case sensitive. In the list, you must register the issuer CN. For example, in the case of the FNMT (“Fábrica Nacional de Moneda y Timbre”, National Mint and Stamp Factory), the CN would be “FNMT Class 2 CA”.

If issuer “*” is registered, every certificate in the user certificate store will be automatically imported to SealSign.

Issuer Filters
  Template: KeyControl.adm
  Configuration: Configure Central Key Control AutoImport Parameters
  Registry Key: HKLM\Software\Policies\SmartAccess\KeyControl\AutoImportIssuersFilter
  Property name: Issuer1 … IssuerN
  Property type: REG_SZ
  Default value: NA

Configuration of the autoimport parameters can be set at machine or user level. If both are set, the parameters configured at machine level take precedence.

2.2.8 Configuring the Parameters of the Certificate Automatic Import (At User Level)

2.2.8.1 Enabling certificate automatic import

In a way that is transparent to the user, the Central Key Control client can automatically import certificates from the local user store to the SealSign server (local certificates, not centralized ones). To enable this feature, activate this policy.

Enable automatic import of local certificates
  Template: KeyControl.adm
  Configuration: Configure Central Key Control AutoImport Parameters
  Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl
  Property name: EnableAutomaticPFXImport
  Property type: REG_DWORD
  Default value: 0

2.2.8.2 Overwriting local certificates

When the user has been assigned a centralized certificate identical to a local certificate, this policy determines which of the two is visible in the certificate store. If the policy is enabled, the local certificate is ignored (it cannot be accessed) and only the centralized certificate is used. Otherwise, two identical certificates appear in the user certificate store, one local and one centralized, and either of them may be used.

Overwrite local certificates
  Template: KeyControl.adm
  Configuration: Configure Central Key Control AutoImport Parameters
  Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl
  Property name: OverwriteLocalCertificates
  Property type: REG_DWORD
  Default value: 0

2.2.8.3 Filtering by issuer

This policy defines the certificate issuers whose certificates are authorized for automatic import. If you do not wish to automatically import every certificate from the user certificate store to SealSign, define this filter by issuer.

Issuer names (CN) are case sensitive. In the list, you must register the issuer CN. For example, in the case of the FNMT (“Fábrica Nacional de Moneda y Timbre”, National Mint and Stamp Factory), the CN would be “FNMT Class 2 CA”.

If issuer “*” is registered, every certificate in the user certificate store will be automatically imported to SealSign.

Issuer Filters
  Template: KeyControl.adm
  Configuration: Configure Central Key Control AutoImport Parameters
  Registry Key: HKCU\Software\Policies\SmartAccess\KeyControl\AutoImportIssuersFilter
  Property name: Issuer1 … IssuerN
  Property type: REG_SZ
  Default value: NA


Configuration of the autoimport parameters can be set at machine or user level. If both are set, the parameters configured at machine level take precedence.
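The following PowerShell script is an added example, not part of the SealSign guide or product: it reads the autoimport policies from sections 2.2.7 and 2.2.8 at both machine and user level, applies the documented precedence (machine level wins), flags a wildcard issuer filter, and previews which certificates in the current user's personal store the case-sensitive issuer filter would select. The registry keys and value names are those documented above; the function names are this example's own.

```powershell
# Added example (not SealSign code): audit the Central Key Control autoimport policy.
# Registry keys and value names come from the guide; function names are hypothetical.
# Machine-level key is listed first because it takes precedence over user level.
$CkcPolicyKeys = 'HKLM:\Software\Policies\SmartAccess\KeyControl', 'HKCU:\Software\Policies\SmartAccess\KeyControl'

function Get-CkcPolicyValue {
    # Returns the effective value of a REG_DWORD policy and the key it was read from.
    param([Parameter(Mandatory)][string]$Name)
    foreach ($key in $CkcPolicyKeys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [int]$item.$Name; Source = $key }
        }
    }
    return [pscustomobject]@{ Name = $Name; Value = 0; Source = 'default (policy not set)' }
}

function Get-CkcIssuerFilter {
    # Collects the Issuer1..IssuerN REG_SZ values from the first
    # AutoImportIssuersFilter subkey found (machine level wins).
    foreach ($key in $CkcPolicyKeys) {
        $sub = Join-Path $key 'AutoImportIssuersFilter'
        if (Test-Path $sub) {
            return @((Get-ItemProperty -Path $sub).PSObject.Properties |
                Where-Object { $_.Name -match '^Issuer\d+$' } |
                ForEach-Object { [string]$_.Value })
        }
    }
    return @()
}

$import    = Get-CkcPolicyValue -Name 'EnableAutomaticPFXImport'
$overwrite = Get-CkcPolicyValue -Name 'OverwriteLocalCertificates'
$filter    = @(Get-CkcIssuerFilter)

"EnableAutomaticPFXImport   = $($import.Value) ($($import.Source))"
"OverwriteLocalCertificates = $($overwrite.Value) ($($overwrite.Source))"
"Issuer filter              = $(if ($filter) { $filter -join '; ' } else { '<none>' })"

if ($import.Value -eq 1 -and $filter -contains '*') {
    Write-Warning 'Wildcard issuer filter: every certificate in the user store will be imported.'
}

# Preview which certificates the filter would select. The guide states that issuer CNs
# are matched case-sensitively, so -ceq is used instead of the case-insensitive -eq.
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $issuerCn = $_.GetNameInfo('SimpleName', $true)   # CN of the issuer
    $selected = ($filter -contains '*') -or ($filter | Where-Object { $_ -ceq $issuerCn })
    [pscustomobject]@{ Subject = $_.Subject; IssuerCN = $issuerCn; WouldImport = [bool]$selected }
} | Format-Table -AutoSize
```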


3 Troubleshooting

During the SealSign installation process, a specific log, called SealSign DSS, will be created in each server's event viewer. If an error occurs in server operations, in addition to being reported in the product audit, events will be included as they occur with the complete description of the error in the log created for this purpose.

Information about monitoring is detailed in the document "SealSign - Monitoring.pdf".


4 Resources

For information about the different SealSign services available, please go to this address:

https://www.elevenpaths.com/es/tecnologia/sealsign/index.html

Also, on the ElevenPaths blog you can find interesting articles and innovations regarding this product.

You can find more information about Eleven Paths products on YouTube, on Vimeo and on Slideshare.


PUBLICATION

October 2016

At ElevenPaths we have our own way of thinking when we talk about security. Led by Chema Alonso, we are a team of experts who are passionate about their work, who are eager to redefine the industry and have great experience and knowledge about the security sector.

Security threats in technology evolve at an increasingly quicker and relentless pace. Thus, since June 2013, we have become a startup company within Telefónica aimed at working in an agile and dynamic way, transforming the concept of security and, consequently, staying a step ahead of our attackers.

Our head office is in Spain, but we can also be found in the UK, the USA, Brazil, Argentina and Colombia.

IF YOU WISH TO KNOW MORE ABOUT US, PLEASE CONTACT US AT:

elevenpaths.com Blog.elevenpaths.com @ElevenPaths Facebook.com/ElevenPaths YouTube.com/ElevenPaths

The information disclosed in this document is the property of Telefónica Digital España, S.L.U. (“TDE”) and/or any other entity within Telefónica Group and/or its licensors. TDE and/or any Telefonica Group entity or TDE’S licensors reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use and sales rights thereto, except to the extent said rights are expressly granted to others. The information in this document is subject to change at any time, without notice.

Neither the whole nor any part of the information contained herein may be copied, distributed, adapted or reproduced in any material form except with the prior written consent of TDE.

This document is intended only to assist the reader in the use of the product or service described in the document. In consideration of receipt of this document, the recipient agrees to use such information for its own use and not for other use.

TDE shall not be liable for any loss or damage arising out of the use of any information in this document, any error or omission in such information, or any incorrect use of the product or service. The use of the product or service described in this document is regulated in accordance with the terms and conditions accepted by the reader.

TDE and its trademarks (or any other trademarks owned by Telefonica Group) are registered service marks.