Mastertitelformat bearbeiten Australia Centerlink (CSIC) Project

Marco Smeja, cv cryptovision

CTST 2009

PAGE 2

Centrelink

Australian Government Statutory Agency

assisting people to become self-sufficient and supporting those in need

reports to the ministery for Human Services

Founded in 1997

29,000 employees

Who is Centrelink?

PAGE 3

Marco Smeja, cv cryptovision

director at cv cryptovision

focus on Identity Management and PKI

former Novell employee

involved in the Centrelink CSIC project

cv cryptovision: German company specialised on crypto, Smartcards and PKI

Who am I?

PAGE 4

1. The challenge

2. The solution

3. Lessons learned

Agenda

PAGE 5

Centrelink IT infrastructure

Centrelink …

operates one of the largest transaction databases in Australia

uses Novell eDirectory & IDM as primary directory and identity management solution

has 29,000 users

operates 42,000 workstations

has high security requirements

Centrelink IT

PAGE 6

Centrelink Staff Identification Card (CSIC)

29,000 employees need physical access

29,000 employees and 42,000 workstations need access to IT infrastructure

using passwords was not considered secure enough

Centrelink decided to set up a company card

Card Management System (CMS) was provided by ActivIdentity

CSIC

The Centrelink Staff Identification Card (CSIC) was born

PAGE 7

CSIC applications

Applications

Smart-card-protected Windows login

Smart-card-protected PC login with Novell Client

Smart-card-protected VPN login

CSIC

A PKI became necessary

PAGE 8

CSIC Project edirectory

user

user

PC

PC

VPN Server

eDirectory Tree

Meta-Directory

CSIC architecture without PKI and CMS

eDirectory Tree

PAGE 9

1. The challenge

2. The solution

3. Lessons learned

Agenda

Lotus Notes, LDAP

SAP HR,Peoplesoft

Siemens DirX,Microsoft ADS

IDMConnector

CA Engine

PKIntegrated Administration

IDMConnector

LDAPAdmin. Console

PKI Applications

OCSP, SCEP

Directory orDatabase

cv act PKIntegrated

PAGE 10

PKIneeds qualified

user data

IDMprovisions user data and

improves its quality

PKIntegratedobtains user data and commands

within IDM processes

How cv act PKIntegrated profits from IDM

PAGE 11

PKIneeds administration, registration and

workflow capabilities

IDMoffers administration, registration

and workflow capabilities

PKIntegrateduses state of the art IDM technologies

How cv act PKIntegrated profits from IDM

PAGE 12

PKIneeds an administration and

user interface

IDM typically features sophisticated

administration and user interfaces

PKIntegratedextends existing interfaces

with SnapIns

How cv act PKIntegrated profits from IDM

PAGE 13

PKIneeds a certificate repository

Directory or Databasecan be used as repository

PKIntegrateduses standard Directories or

Databases as certificate repositories

How cv act PKIntegrated profits from IDM

PAGE 14

PAGE 15

Integrated PKI solution

PAGE 16

user PCserver

Centrelink CA

Centrelink Root CA

Centrelink PKI hierarchy

PAGE 17

CSICProjecteDirectory

Card Management System

user

user

PC

PC

smart card

smart card

VPN Server

Meta-Directory

CA server

HSM

Root CA server

Centrelink PKI components

ActivIdentity CMS and cv act PKIntegrated are connected via the AI credential provider

eDirectory Tree

eDirectory Tree

PAGE 18

PAGE 19

PAGE 20

Certificate types

User certificate types:

Authentication certificates

Short-lived authentication certificates

Server certificates

CA certificate types:

CA certificate

CA self-signed certificate

Root CA (self-signed) certificate

Certificates

PAGE 21

Certificates

Company ProfileSEITE 22 2009

PAGE 23

1. The challenge

2. The solution

3. Lessons learned

Agenda

PAGE 24

Conclusions

Budget for PKI is usually low Budget for PKI is usually low

PKI should be a feature of the identity management

Integrated PKI is ideal solutionIntegrated PKI is ideal solution

Centrelink is a typical example for a large-scale PKI projectCentrelink is a typical example for a large-scale PKI project

Mastertitelformat bearbeiten

More information is available on www.cryptovision.com

© cv cryptovision GmbH 2009