ADSS RA Server

Features

ADSS RA Server provides a sophisticated Registration Authority capability for registering users and devices for certificate service. It covers both initial enrolment and revocation request handling. Once approved by the RA system the requests are digitally signed by the RA and forwarded to the CA for final processing. ADSS RA Server has been implemented fully in Java EE for multi-platform support, performance and high-availability. ADSS RA Server is the marketing name for ADSS Server when licensed for RA services only.

The following highlights just some of its main features.

RA specific features

  • Device registration & certification
    Issuing X.509 certificates to devices (routers, firewalls, switches, mobile devices, web servers, DBMS etc.) can be managed via multiple interfaces including the widely-recognised SCEP standard interface and PKCS#10/CSR where key generation is on the device. For server-side key generation and certification, the RA Service API can be used to deliver PKCS#12/PFX files. Face-to-face registration and certification processes are also possible whereby RA operator(s) generate device certificates and provide them manually to device administrator(s) for import into devices.
  • End-user certification through browsers
    Human end-users can be registered through a standard Internet browser. The registration HTML forms can be locally designed, meeting the local language and branding needs of the customer. The ADSS Go>Sign Service and applet is used to generate the keys locally on the client-side either in the browser keystore or any locally attached smart cards/tokens (accessed via Windows CAPI/CNG or PKCS#11 interface). Separately face-to-face registration processes for end-users are also supported.
  • Business application integration
    Often business applications are the point where end-users are registered before being allowed to access business services. As such it is often business applications which need to request certificate services on behalf of their end-users. To achieve this an RA Web Service API is provided in both .NET and Java as part of the ADSS Client SDK. This API allows business applications to easily make certificate enrolment and revocation calls to the RA in a secure and authenticated manner. In addition to the web service interface, an optimised HTTP-based IETF CMC (Certificate Management over CMS) interface is also provided.
  • RA profiles & categories
    Multiple RA profiles can be configured to handle different types of end-entities, key-lengths/algorithms, name formats, certificate validity periods, approval processes etc. Profile categories can also be set-up which makes it much easier to manage large numbers of devices or end-users in different groups, offices, projects, divisions or organisations by using separate RA Operators to handle different Profile Categories.
  • Detailed dashboards
    The admin interface provides detailed tables showing requests received, which ones were approved/rejected by the RA system and for the approved the resulting certificates that were issued by the back-end CAs. These tables can be sorted, searched and filtered to easily trace a particular request and determine its current status.
  • Human-readable transaction viewers
    All RA request/response transactions are securely logged in the ADSS RA Server database. To support administrators review of these transactions, viewers are provided which automatically convert the RA binary/XML transactions into human-readable form, thus allowing easy analysis of reported trust issues or interoperability checking.
  • RA authentication
    All requests sent to the back-end CA(s) are signed by the ADSS RA Server to enable the CA to authenticate the requests. In a similar way business applications which integrate with the ADSS RA Server are also authenticated and their authorisation to access particular RA profiles is validated.

Security & management

  • Hardware Security Module (HSM) support
    FIPS and Common Criteria certified HSMs from SafeNet, Thales and Utimaco can be used to stored and protect all cryptographic keys. Support for other PKCS#11 compliant HSMs can also be provided if required. HSMs can be network, PCIe or USB connected. One or more HSMs, smart cards or USB tokens can be connected to ADSS Server. Another key feature of ADSS Server is the sophisticated auto-reconnect feature that prevents a network issue requiring operator intervention to reconnect a network HSM!
  • Strong crypto algorithm support
    Support for the common cryptographic algorithms is provided including SHA1, SHA-2 (SHA-256, SHA-384, SHA-512), RSA keys up to 4096 bits and ECDSA up to 521 bits.
  • Strong operator authentication
    ADSS Server operators are authenticated using certificates over a mutually authenticated TLS/SSL sessions. The operator's private key and certificates can be on a hardware token for strong multi-factor authentication. ADSS Server performs full certificate validation, including revocation checking, before allowing operators to login to the console.
  • Role based access control
    ADSS Server enables multiple operator roles to be defined. Each operator registered within the system is assigned a role. The role-based access control system enables very fine control over specific service modules that an operator can see and whether they have read, write, edit or delete capability for specific areas of functionality.
  • Dual control
    ADSS Server implements dual control in a flexible and practical way, i.e. dual control can be applied selectively to the important aspects of functionality that are considered most sensitive (such as key generation, policy change etc). When used, an operator's actions are queued for a Security Officer role-holder to review and then approve or reject the action.
  • Business application client authentication and separation
    Business applications are authenticated using TLS/SSL client certificates that are pre-registered in ADSS Server. The application’s access to specific profiles and/or keys is checked as part of the ADSS Server authorisation process when service requests are received.
  • Secure logging with automatic integrity checking
    Cryptographic tamper-resistant logs are provided for all service transaction logs that contain details of requests and responses, all operator activity logs and all system event logs. Advanced reporting, reviewing including searching and filtering of log records is provided. All database log records are cryptographically protected to prevent record modification, deletions or additions.
  • Automatic system integrity checking
    All ADSS Server configurations and settings held in the database are cryptographically protected to prevent record modification, deletion or addition. The system automatically checks these records at pre-defined intervals or on demand to ensure system integrity. A detailed report is produced for any issues that are found.
  • Operator and system management alerting
    Selected system operators can be alerted when certain event conditions occur using email or SMS messages. Management systems can be alerted using SNMP messages or via Syslog (log4j) messages.
  • Easy to install, manage and upgrade
    ADSS Server is feature rich to minimise IT operations time. The simple installation wizard, the automatic checking of system integrity and auto-archiving and alerting ensure the system runs without daily operator involvement. The detailed transaction logs and detailed request/response viewers reduce support desk time in resolving operational issues. ADSS CA Server is also able to run an automatic upgrade process for its settings and data to run the latest version of software.
  • Auto-archiving
    To prevent database bloating ADSS Server can be configured to automatically archive database log records. As the archive log files are created and written to disk, they are digitally signed to provide authentication and integrity. The archived files can later be imported, verified and viewed within the transaction log viewer.
  • NTP time monitoring
    ADSS Server features an optional NTP Time Monitor service that regularly checks the operating system time and compares this with one or more configured NTP time servers to detect unacceptable time drift or IT operational errors. Configured time thresholds allow ADSS Server operators to be alerted to time issues and ultimately all trust services can also be stopped automatically.

Request Info

Submit

Sales Inquiries:
+44 (0)800 772 0 442

15

+
Years of Digital Signature
Innovation