Appendix B Authentication in ACS 5.3

EAP-TLS

Credentials Distribution

All certificates are kept in the ACS database which is distributed and shared between all ACS nodes. The ACS server certificates are associated and designated for a specific node, which uses that specific certificate.

Public certificates are distributed along with the private keys and the protected private key passwords by using the ACS distributed mechanism. ACS implements a method of protection to prevent a private-key to be used by other servers other than the one to which the private-key is designated to. This protection mechanism applies only to encrypted private-keys.

The PKI policy for private keys is that private keys are not supposed to be usable by other entities which are not associated with the ACS server to which they are designated to. ACS supports cryptographic protection of the private-keys to prevent possible use outside of the ACS server machine to which they are designated to.

Hardware Replacement and Certificates

When hardware fails, a new node is used for replacing a malfunctioning node. The malfunctioning node's certificates are removed from the distributed database of the primary server, and the new node's certificates are then being passed to the primary to be associated with the newly replaced node.

This process of certificate changing is conducted as part of the hardware replacement process when the new node registered to the domain, The certificate distribution is based on the server’s IP address.

Securing the Cryptographic Sensitive Material

There are several types of PKI-related keys that are stored in the ACS database. These keys have different cryptographic storage requirements that must comply to SEC-RCV-CRED-2 which is part of the Cisco security baseline. These requirements include:

Public keys that usually reside in a certificate may be stored plain open as they are used to pass on the clear text to clients and contain only public keys.

Private keys must be stored encrypted as PKCS#12 by using a relatively strong password.

The password for the PKCS#12 private-keys must be stored in the ACS database. Since the ACS database is encrypted, this does not pose a serious security concern. ACS 5.3 distributes the entire database between all the ACS servers.

ACS encrypts the private-key passwords by using a password that exists only for the machine, thus preventing possible use of the private-keys by other machines. The private-key password key is maintained in /opt/CSCOacs/config/prikeypwd.key on the ACS file-system.

Other certificate repositories such as the tomcat key-store should have the same properties as the ACS database. Private-keys are encrypted by a password that is kept secured in the database.

 

User Guide for Cisco Secure Access Control System 5.3

B-12

OL-24201-01

Page 592
Image 592
Cisco Systems OL-24201-01 manual Credentials Distribution, Securing the Cryptographic Sensitive Material