JaCarta PKI and OpenVPN for Windows
This article describes how to configure two-factor authentication using smart cards and JaCarta PKI USB tokens based on Open.PN's X.509 digital certificates.
This solution allows you to opt out of user password authentication. The implementation of this solution is a fundamental reduction in the influence of the human factor on the security of the system.
OpenVPN is a free open source implementation of VPN technology for creating encrypted point-to-point channels or server-to-client clients between computers. It allows you to establish connections between computers behind a NAT-firewall, without the need to change their settings.
JaCarta PKI is a line of PKI tokens manufactured by Aladdin RD for strict user authentication in corporate systems, secure storage of key containers of software SKZI and digital certificates.
')
This instruction describes the process of setting up the simplest scenario of a VPN connection between a client and a server. The construction of complex networks in this manual is not considered.
JaCarta Single Client software is a software package designed to work with all models of tokens and JaCarta smart cards and eToken.
To be able to authenticate with OpenVPN using a digital certificate, it is necessary that the client and server have digital certificates issued by a trusted certificate authority. The client must trust the server certificate, and the server must trust the client certificate.
Violating the trust in a server or client certificate will make it impossible to establish a VPN connection.
Consider the process of issuing keys and certificates using the tools offered by OpenVPN itself.
Go to the easy-rsa directory, which is in the OpenVPN installation directory, and run init-config.bat. As a result of the work, a vars.bat file will be created, which must be edited to adapt to your environment:
set HOME =% ProgramFiles% \ OpenVPN \ easy-rsa - set the working directory
set KEY_CONFIG = openssl-1.0.0.cnf - set the Openssl configuration file
set KEY_DIR = keys - set the directory for storing keys
set KEY_SIZE = 1024 - set the key size
set KEY_COUNTRY = US - specify the country
set KEY_PROVINCE = CA - specify the area
set KEY_CITY = SanFrancisco - select a city
set KEY_ORG = OpenVPN - enter the name of the organization
set KEY_EMAIL=mail@host.domain - enter e-mail
set KEY_CN = changeme - specify the common name (common name)
set KEY_NAME = changeme - enter a name
set KEY_OU = changeme - specify the organization unit
Leave the following sections unchanged:
set PKCS11_MODULE_PATH = changeme - path to the pkcs module # 11
set PKCS11_PIN = 1234 - PIN code for the smart card
You need to generate keys for TLS. Create empty files to store indexes and serial numbers. To do this, run (runs once):
Generate the Trust Center key (run once). Run:
In the dialog, specify the name of the desired Certification Authority.
Generate a file for Diffie Hellman keys (only for the server, runs once).
Run:
Generate a private key and server certificate.
Run:
As a result, a key and certificate with the name of the machine (server) will be generated.
Now you need to create keys and certificates for client machines. Generate a PKCS # 12 file for each client machine.
To do this, run:
As a result, a PKCS # 12 file with the name of the client machine will be generated. It will need to be generated for each machine.
Edit your server configuration file, set the correct network settings.
Please note that you need to correctly specify the paths to the key and certificate files. Extract from the configuration file:
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS # 12 formatted key file
# (see āpkcs12ā directive in man page).
ca C: \ PATH_K_CERTIFICATE_AIDENT_CENTER_CONTOR \ ca.crt
cert C: \ PATH_K_SERTIFICATU_SERVER \ server.crt
key C: \ PATH_K_KEY_SERVER \ server.key
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh C: \ PAT_K_FIt_Diffie-Hellman \ dh1024.pem
Install the JaCarta Single Client and JaCarta SecurLogon software from the official website of Aladdin RD.
JaCarta SecurLogon is a software solution that provides a simple and fast transition from regular passwords to two-factor authentication when logging into Microsoft Windows and accessing network resources using the JaCarta token.
Select the āPKIā tab and initialize the token.
Key initialization will delete all data on it. If the key has the information you need, including keys and certificates for other systems, do not initialize the key.
Using the JaCarta Single Client PC, import the PKCS # 12 file previously generated for the client to the token. The keys and certificate will appear on the token, they can be seen in the āJaCarta Single Clientā window. Install the certificate from the token in the personal storage of the computer.
Copy the sha1 fingerprint of the personal certificate, it will be required for further configuration.
You will also need the Certificate of the Certificate Authority obtained during server setup. Install the certificate in the Trusted Root Certificate Authorities Store, and save it locally.
Edit your client configuration file, set the correct network settings.
In the cryptoapicert field, enter the thumbprint of the user's certificate.
In the ca field, specify the path to the Certificate Authority certificate.
Extract from the configuration file:
# SSL / TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt / .key file pair
# for each client. A single ca
# file can be used for all clients.
cryptoapicert "THUMB: 81 0d d6 b7 .... PRINTING CLIENT CERTIFICATE Ā»
ca C: \ WAY TO CERTIFICATE CERTIFICATE CENTER \ ca.crt
Run OpenVPN on the server and client.
If the configuration is correct, you will be asked to enter a PIN to the token, and the VPN connection will be established successfully.
The most popular way to generate keys and issue certificates is to use the Certification Authority, for example, based on the Microsoft Certification Authority. To configure OpenVPN, this method of generating keys and issuing a certificate is also suitable.
For the server, generate keys and a server authentication certificate on the Trust Center, export them to a PKCS # 12 file.
In the settings of the server side of OpenVPN, instead of cert and key, you must specify pkcs12:
ca C: \ PATH_K_CERTIFICATE_AIDENT_CENTER_CONTOR \ ca.crt
pkcs12 C: \ PATH_K_CERTIFICATU_SERVER \ server.p12
The ca root certificate must be a Certificate Authority certificate.
Setting up templates for issuing keys and certificates for a token is described in the instructions for the JaCarta Single Client and JaCarta SecurLogon. For the client, generate keys and a client authentication certificate on the Trust Center. In this case, importing the pkcs # 12 file to the token is not required. The rest of the client side settings are done in the same way.
This solution allows you to opt out of user password authentication. The implementation of this solution is a fundamental reduction in the influence of the human factor on the security of the system.
About OpenVPN
OpenVPN is a free open source implementation of VPN technology for creating encrypted point-to-point channels or server-to-client clients between computers. It allows you to establish connections between computers behind a NAT-firewall, without the need to change their settings.
About JaCarta PKI
JaCarta PKI is a line of PKI tokens manufactured by Aladdin RD for strict user authentication in corporate systems, secure storage of key containers of software SKZI and digital certificates.
')
Setting progress
Demo stand description
- Server - Microsoft Windows Server 2012, OpenVPN.
- Client - Microsoft Windows 8.1 with the installed JaCarta Single Client driver version 2.9 or higher, OpenVPN .
This instruction describes the process of setting up the simplest scenario of a VPN connection between a client and a server. The construction of complex networks in this manual is not considered.
JaCarta Single Client software is a software package designed to work with all models of tokens and JaCarta smart cards and eToken.
Server Tuning
To be able to authenticate with OpenVPN using a digital certificate, it is necessary that the client and server have digital certificates issued by a trusted certificate authority. The client must trust the server certificate, and the server must trust the client certificate.
Violating the trust in a server or client certificate will make it impossible to establish a VPN connection.
Consider the process of issuing keys and certificates using the tools offered by OpenVPN itself.
Go to the easy-rsa directory, which is in the OpenVPN installation directory, and run init-config.bat. As a result of the work, a vars.bat file will be created, which must be edited to adapt to your environment:
set HOME =% ProgramFiles% \ OpenVPN \ easy-rsa - set the working directory
set KEY_CONFIG = openssl-1.0.0.cnf - set the Openssl configuration file
set KEY_DIR = keys - set the directory for storing keys
set KEY_SIZE = 1024 - set the key size
set KEY_COUNTRY = US - specify the country
set KEY_PROVINCE = CA - specify the area
set KEY_CITY = SanFrancisco - select a city
set KEY_ORG = OpenVPN - enter the name of the organization
set KEY_EMAIL=mail@host.domain - enter e-mail
set KEY_CN = changeme - specify the common name (common name)
set KEY_NAME = changeme - enter a name
set KEY_OU = changeme - specify the organization unit
Leave the following sections unchanged:
set PKCS11_MODULE_PATH = changeme - path to the pkcs module # 11
set PKCS11_PIN = 1234 - PIN code for the smart card
You need to generate keys for TLS. Create empty files to store indexes and serial numbers. To do this, run (runs once):
- vars.bat;
- clean-all.bat.
Generate the Trust Center key (run once). Run:
- vars.bat;
- build-ca.bat.
In the dialog, specify the name of the desired Certification Authority.
Generate a file for Diffie Hellman keys (only for the server, runs once).
Run:
- vars.bat;
- build-dh.bat.
Generate a private key and server certificate.
Run:
- vars.bat;
- build-key-server.bat <machine name>.
As a result, a key and certificate with the name of the machine (server) will be generated.
Now you need to create keys and certificates for client machines. Generate a PKCS # 12 file for each client machine.
To do this, run:
- vars.bat;
- build-key-pkcs12.bat <machine name>.
As a result, a PKCS # 12 file with the name of the client machine will be generated. It will need to be generated for each machine.
Edit your server configuration file, set the correct network settings.
Please note that you need to correctly specify the paths to the key and certificate files. Extract from the configuration file:
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS # 12 formatted key file
# (see āpkcs12ā directive in man page).
ca C: \ PATH_K_CERTIFICATE_AIDENT_CENTER_CONTOR \ ca.crt
cert C: \ PATH_K_SERTIFICATU_SERVER \ server.crt
key C: \ PATH_K_KEY_SERVER \ server.key
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh C: \ PAT_K_FIt_Diffie-Hellman \ dh1024.pem
Client Setup
Install the JaCarta Single Client and JaCarta SecurLogon software from the official website of Aladdin RD.
JaCarta SecurLogon is a software solution that provides a simple and fast transition from regular passwords to two-factor authentication when logging into Microsoft Windows and accessing network resources using the JaCarta token.
Select the āPKIā tab and initialize the token.
Key initialization will delete all data on it. If the key has the information you need, including keys and certificates for other systems, do not initialize the key.
Using the JaCarta Single Client PC, import the PKCS # 12 file previously generated for the client to the token. The keys and certificate will appear on the token, they can be seen in the āJaCarta Single Clientā window. Install the certificate from the token in the personal storage of the computer.
Copy the sha1 fingerprint of the personal certificate, it will be required for further configuration.
You will also need the Certificate of the Certificate Authority obtained during server setup. Install the certificate in the Trusted Root Certificate Authorities Store, and save it locally.
Edit your client configuration file, set the correct network settings.
In the cryptoapicert field, enter the thumbprint of the user's certificate.
In the ca field, specify the path to the Certificate Authority certificate.
Extract from the configuration file:
# SSL / TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt / .key file pair
# for each client. A single ca
# file can be used for all clients.
cryptoapicert "THUMB: 81 0d d6 b7 .... PRINTING CLIENT CERTIFICATE Ā»
ca C: \ WAY TO CERTIFICATE CERTIFICATE CENTER \ ca.crt
Check
Run OpenVPN on the server and client.
If the configuration is correct, you will be asked to enter a PIN to the token, and the VPN connection will be established successfully.
Other ways to get keys and certificates
The most popular way to generate keys and issue certificates is to use the Certification Authority, for example, based on the Microsoft Certification Authority. To configure OpenVPN, this method of generating keys and issuing a certificate is also suitable.
For the server, generate keys and a server authentication certificate on the Trust Center, export them to a PKCS # 12 file.
In the settings of the server side of OpenVPN, instead of cert and key, you must specify pkcs12:
ca C: \ PATH_K_CERTIFICATE_AIDENT_CENTER_CONTOR \ ca.crt
pkcs12 C: \ PATH_K_CERTIFICATU_SERVER \ server.p12
The ca root certificate must be a Certificate Authority certificate.
Setting up templates for issuing keys and certificates for a token is described in the instructions for the JaCarta Single Client and JaCarta SecurLogon. For the client, generate keys and a client authentication certificate on the Trust Center. In this case, importing the pkcs # 12 file to the token is not required. The rest of the client side settings are done in the same way.
Source: https://habr.com/ru/post/329880/
All Articles