Purpose

The QR-CERT v5.0 software is a set of PKI (Public Key Infrastructure) components that support the process of issuing and managing digital certificates (X.509, CVC) and the related supporting processes, with particular focus on the personalization of subscribers' cards.

The components included in the software provide, among others, the following services:

  • creating certificate profiles and CRLs,
  • creating CAs and establishing their hierarchy,
  • creating certificate and CRL issuing policies,
  • receiving and registering requests for issuing a certificate,
  • issuing certificates,
  • managing certificates,
  • suspending and revoking certificates,
  • publishing certificates and CRLs to indicated repositories,
  • providing OCSP responses (in accordance with RFC 2560, RFC 6960, RFC 5912),
  • issuing timestamps (in accordance with RFC 3161).

Architecture

The QR-CERT system works in a client-server architecture using the so-called "rich client" technology. The software package consists of software modules that cooperate with each other.

Central server modules (CA-ENGINE, CAO-GATEWAY, CA-PUBLISHER, OCSP-SERVER, TS-SERVER, LOG-SERVER) run locally on the server, while client applications, such as QR-CERT Operator, QR-CERT Log Viewer and QR-CARD Manager, run on the management (access) station or stations. QR-CERT can be run on AIX, HP-UX, Linux and Windows Server. Servers can be run in virtualized environments: VMWare, Hyper-V, Oracle VM Server or KVM. Management stations run the Windows operating system.

The roles of the modules and the functions they carry out are divided and arranged so that the solution can be scaled in terms of performance and capacity. This can be accomplished by distributing modules across physically different servers and by increasing availability through the use of a reliability cluster. An additional benefit of this arrangement is simpler maintenance procedures.

Routine operation and administration of the system, in the roles provided for the QR-CERT system (Administrator, Auditor, Operator), is carried out using the functionality of the QR-CERT Operator application.

The main repository for the solution's data and for the configuration of the modules is a central relational database, organized using PostgreSQL, Oracle or Microsoft SQL Server.

The CA-ENGINE, CAO-GATEWAY and CA-PUBLISHER modules communicate with the database during normal operation. To access the database, each module authenticates to its own database account with an individual database user name and password. Database accounts are allocated to software modules, while user accounts are implemented by the application layer of the QR-CERT software package, based on the data contained in the database.

Within the central system there is one common central security register for all types of modules (CA-ENGINE, CAO-GATEWAY and CA-PUBLISHER), handled by the LOG-SERVER module.

Modules of the QR-CERT system are organized so that all security mechanisms for connections at the network layer with external hardware platforms, QR-CERT modules or other software modules are carried out only by the QR-CERT software package. The modules of the QR-CERT system that can establish network connections with the external environment (e.g. remote repositories or the QR-CERT Operator application) are CAO-GATEWAY and CA-PUBLISHER.

Modules

CA-ENGINE

The CA-ENGINE module is the key element of the system for the certification of public keys. It supports only the basic functions of a certification authority (CA), which consist of accepting pre-approved requests for:

  • issuing a certificate
  • certificate suspension
  • certificate revocation
  • generating a full CRL
  • generating a delta CRL

and automatically generating full CRLs and delta CRLs on a schedule defined in the pre-set configuration.

The module produces certificates or CRLs, depending on the request. In certain situations, depending on the policies that apply to the request, it additionally sends requests to publish the certificate or CRL to the CA-PUBLISHER module.

Key features of the module include:

  • The module is intended for installation in a secure environment on the central server side of the CA,
  • The basic module parameters are configured using a text editor,
  • The functional module parameters are configured using QR-CERT Operator via the CAO-GATEWAY,
  • The module cooperates with the hardware security module (HSM) that holds the CA keys,
  • The module supports the message queue of received commands: certificate issuing, certificate revocation, suspension of the certificate, issuing a CRL, etc.,
  • The module supports the output message queue containing the following data: certificates, CRLs, error messages, etc.,
  • The module performs verification, authentication, and authorization of received messages,
  • The module generates certificates in accordance with the indicated certificate issuing policy,
  • The module generates CRLs in accordance with the defined CRL issuing policy,
  • The module records audit events using the LOG-SERVER module.

CAO-GATEWAY

The CAO-GATEWAY module terminates connections established by the QR-CERT Operator application, through which users work interactively with the system. The module performs all security functions at the interface between the client application QR-CERT Operator and the central part of the solution and QR-CERT API.

Key features of the module include:

  • The module is intended for installation in a secure environment on the central server side of the CA,
  • The module is configured using a text editor,
  • The module connects system users to the system,
  • A single CAO-GATEWAY module enables multiple users to work in parallel, connecting through the QR-CERT Operator application installed at various access stations,
  • The module is responsible for authenticating the user of the QR-CERT Operator application, granting authorized users access to functions in accordance with pre-set permissions, and recording events that occur during operation in the relevant system logs,
  • The module takes part in setting up an individual, secure, encrypted channel with the QR-CERT Operator application; once the channel is set up, it protects the confidentiality of the data transmitted between these elements,
  • The module records audit events using the LOG-SERVER module,
  • The module can operate in high-availability (HA) mode.

CA-PUBLISHER

The CA-PUBLISHER module initiates connections to remote repositories and publishes objects such as digital certificates and CRLs to them.

Key features of the module include:

  • The module is intended for installation in a secure environment on the central server side of the CA,
  • The basic module parameters are configured using an external text editor,
  • The functional module parameters are configured using the QR-CERT Operator application,
  • The module is responsible for distributing and publishing CRLs and subscribers' certificates to pre-set locations in accordance with the pre-set configuration. Distribution is driven by orders passed through a queue organized within the database,
  • The module records audit events using the LOG-SERVER module,
  • The module, depending on the configuration, enables the publication of CRLs or certificates to the following types of repositories:
    • Local file system,
    • E-mail (with support for the S/MIME standard),
    • Remote FTP server (ftp and sftp),
    • Remote LDAP directory server,
    • Remote CGI script triggered via HTTP (http and https).

OCSP-SERVER

The OCSP-SERVER module generates real-time responses to certificate status requests. The module provides OCSP responses of type BasicOCSPResponse in accordance with RFC 2560, RFC 6960, RFC 5912.

Key features of the module include:

  • The module is intended for installation in the demilitarized zone (DMZ) in a secure environment on the central server side of the CA,
  • The configuration parameters of the module are set using an external text editor,
  • The module cooperates with the hardware security module (HSM) that holds the CA keys,
  • The module can provide a response based on an available CRL or directly from the records in the database,
  • The module can operate in high-availability (HA) mode,
  • The module can provide a response with the certificate revocation reason included.

TS-SERVER

The TS-SERVER module generates timestamps. Timestamps generated by the module are compliant with RFC 3161.

Key features of the module include:

  • The module is intended for installation in the demilitarized zone (DMZ) in a secure environment on the central server side of the CA,
  • The configuration parameters of the module are set using an external text editor,
  • The module cooperates with the hardware security module (HSM) that holds the CA keys,
  • The module can operate in high-availability (HA) mode.

LOG-SERVER

The LOG-SERVER module serves as a central subsystem for collecting and managing logs (event records) for audit purposes. The module is responsible for the chronological record of events generated by all modules of the QR-CERT software.

The module is designed to record audit events generated by the CA-ENGINE, CAO-GATEWAY, and CA-PUBLISHER modules.

  • The module is intended for installation in a secure environment on the central server side of the CA,
  • The basic module parameters are configured using an external text editor,
  • The module works with hardware cryptographic modules that hold the keys for log signing,
  • The module is responsible for logging events in the relevant event logs (security log, activity log).

The module is responsible for safeguarding the confidentiality and integrity of the security registry, which contains information about all security events that have been recorded in the PKI system.
