Keon Ready Implementation Guide - RSA
1. Partner Information

Last Modified: 6/16/00

Partner Name: Aventail
Web Site: http://www.aventail.com
Product Name: Aventail Extranet Center & Aventail Connect
Version & Platform: V3.21
Product Description: Aventail ExtraNet Center (AEC) is a management and security platform that allows you to collaborate over the Internet with your partners, suppliers, customers, and contractors—without losing control over privacy or ownership. With AEC, all external access to your internal resources is tightly controlled, so you can ensure that the right people access the right information.
Aventail Connect is the secure client for 32-bit Windows applications. Aventail Connect, the client component of Aventail ExtraNet Center, is a secure proxy client based on SOCKS v5, the Internet Engineering Task Force (IETF) standard for authenticated firewall traversal. Aventail Connect delivers enhanced security and simplifies SOCKS deployment for users and network managers.
Interaction with Keon: Keon Certificate Server, Keon Desktop
Product Category: VPN

2. Contact Information

            Pre-Sales                  Post-Sales
Name        Scott Stanton              David Freedel
E-mail      sstanton@aventail.com      dfreedel@aventail.com
Phone       206-215-0061               206-215-0032
Web         http://www.aventail.com    http://www.aventail.com/
3. Product Requirements

Browser-Based Access:
• Any browser that supports SSL v3.0, such as Microsoft Internet Explorer 3.0+ or Netscape Navigator 3.0+.

Client/Server-Based Access:
• Microsoft Windows NT 4.0 SP 4 or later
• Microsoft Windows 95, 98
• Windows 2000 (Client only)
• Any Winsock 1.1 or 2.0-compliant application (Winsock 2 preferred)

4. Product Configuration

4.1 Aventail Extranet Server

The first step to getting your SSL certificate into the Aventail Server is to use the Key Wizard utility. You are greeted with an information screen explaining some of the things you need.
In the subsequent screen you must fill in the Organization and Organizational Unit information that corresponds to your particular installation of Keon Certificate Server. The locality attribute is optional for Aventail, but required for Keon. Please make sure you fill out this screen completely.
The next few screens need to be filled in with your specific choices.
For key length, Keon supports keys up to 1024 bits.

Follow the remaining screens to generate your private key. You'll then be shown where the certificate request is being saved. Note the locations of these files, since you will need this information when enrolling for your server (SSL) certificate with Keon.
An example of the contents of the certificate signing request:

Use this CSR to enroll for a server certificate with the Keon Certificate Server.

After you enroll for a certificate and the Keon Certificate Administrator has approved it, you must re-run the Key Wizard. This time it will recognize that you have already generated a request. Click the "Yes" button.

Next, select the request that corresponds to your server name and enter the password. After entering your password, cut and paste the Keon e-mail response. Remember to take only the text between the BEGIN CERTIFICATE and END CERTIFICATE tags:
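The step above relies on pasting exactly the certificate block out of the Keon e-mail. As an added example (not code from the guide, Aventail or RSA), the following Python helper pulls that one block out of a saved copy of the e-mail and checks that it decodes to a single, complete DER SEQUENCE before it is pasted, so a truncated copy, a stray signature line or an accidentally copied CSR block is caught; the e-mail text and the tiny stand-in "certificate" are constructed.

```python
import base64
import re

# Matches only "-----BEGIN CERTIFICATE-----", not the CSR's "BEGIN CERTIFICATE REQUEST".
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def der_total_length(der: bytes) -> int:
    """Bytes covered by the outer DER SEQUENCE (tag + length + content), or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:      # an X.509 Certificate is a SEQUENCE
        return -1
    first = der[1]
    if first < 0x80:                        # short-form length
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_certificate(mail_text: str) -> str:
    """Return the single PEM certificate block, re-wrapped to 64 columns.

    Raises ValueError when the mail has no block or several, when the body is not
    valid base64, or when the decoded bytes are not exactly one DER SEQUENCE.
    """
    blocks = _PEM_RE.findall(mail_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate block, found {len(blocks)}")
    b64 = re.sub(r"\s+", "", blocks[0])     # mail clients re-wrap lines; drop whitespace
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError as exc:               # binascii.Error is a ValueError
        raise ValueError("certificate body is not valid base64") from exc
    if der_total_length(der) != len(der):
        raise ValueError("decoded bytes are not a single DER SEQUENCE")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-in for the Keon Certificate Server reply. "MAMCAQU=" is the
# base64 of the 5-byte DER SEQUENCE 30 03 02 01 05, not a real certificate.
SAMPLE_MAIL = """Your certificate request has been approved.

-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----

-- Keon Certificate Administrator
"""
```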
You will also need to have the Keon Certificate Server root certificate available in a file. This screen tells the Extranet Server where to find it.
Please note the location presented here. You will need this when configuring your SSL module in the Extranet Server.
To set up your Extranet Server with your new certificate, see the Aventail Administration Guide for configuring the SSL module and authentication policies. Note that the Extranet Server does not support CRL checking. The LDAP section is for configuring how user certificates are looked up for authentication; an example is below.
4.2 Aventail Connect Client
SSL authentication, originally developed for secure Web communications, uses authentication certificates to identify authorized users. A certificate is essentially an electronic "statement" that verifies the integrity of a connection. Certificates can be stored in the PKCS #11-compatible Keon Desktop.

Aventail Connect will prompt for certificate information only when the Aventail ExtraNet Server requests authentication with a client certificate. In that case, Aventail Connect automatically prompts you to select a client certificate to authenticate with. Choose "Use a client certificate stored on a smartcard".

Once you have chosen your certificate, you will be prompted for the pathname to the Keon Desktop DLL in which your certificate resides. Typically, this will be c:\Program Files\RSA Security\RSA Keon Desktop\system\domestic\sdpkcs11.dll.

If you haven't yet logged on to the Keon Desktop, you will be greeted with the following screen asking you to log in:
Finally, Aventail Connect will ask you which certificate you would like to use from the Keon Desktop.

The certificate will then be sent to the Aventail server to authenticate the user and establish the VPN tunnel.
5. Certification Checklist
Version Tested: Keon Desktop v5.20    Date: 6/1/00

Test Case (columns: Personal, Server, IPSec)

PKCS#10 Enrollment via CSR:
  Generate PKCS#10 Request             P
  Process PKCS#10 Request              P
Manual Enrollment:
  Request Certificate                  P
  Process Certificate Request          P
Import Certificate:
  Import PKCS#7 Certificate
  Import via cut & paste               P
  View & verify Certificate            P    P
  Install trusted root Certificate     P    P
Certificate Usage:
  Use certificate for authentication   P    P
  Use certificate for encryption       P    N/A
Keon Desktop Support (if applicable):
  Import certificate via PKCS#12
  Access certificates via MS CSP       N/A
  Access certificates via PKCS#11      P
  Revoked certificates enforced        N/A
LDAP Support (if applicable):
  Name lookup & certificate retrieval  N/A  P
  Revocation recognized via CRL        N/A  N/A

Legend: P = Pass, X = Fail, N/A = Non-available function
6. Known Problems
There is an incompatibility between the Aventail Connect client and Keon Desktop when the KDT is configured in non-standalone mode and Keon Agent support is enabled. Keon Desktop does not support third-party Layered Service Providers (LSPs). It is, however, possible, but unsupported, to configure the Desktop to co-exist with third-party LSPs using the Keon Desktop utility "sockinst.exe". To create a new LSP chain:

1. Double-click on "MS.w95.spi.tcp".
2. Double-click on "AutoSocks LSP Dummy Entry".
3. Double-click on "SDTSF".
4. Press the "Save Chain" button.
5. Move the newly created entry (chain) "SDTSF+AutoSocks LSP Dummy Entry On: MS.w95.spi.tcp" to the top of the list with the "Move UP" button.

Repeat the above steps for UDP (i.e. choose "MS.w95.spi.udp" instead of "MS.w95.spi.tcp").