Equinux VPN Tracker 8.1.1 User Manual, Page 74

Certificates and Smart Cards
This chapter describes how VPN Tracker can be integrated
into a PKI (Public Key Infrastructure) using digital certificates
or smart cards.
Getting Started
To use certificates with VPN Tracker, you will need certificates and a VPN
gateway that can authenticate users through X.509 certificates (RSA
signatures).
Obtaining Certificates
If you have an existing Public Key Infrastructure (PKI) that uses certificates:
Certificates (and private keys for the client/user certificates) need to be
available in a format supported by the OS X keychain. If your users already
have their certificates in their OS X keychain, there is nothing that needs
to be done.
If you have an existing Public Key Infrastructure (PKI) that uses smart cards:
Software is required to make your smart card certificates available in OS X
through the keychain. If you have already installed your vendor’s driver or
software, you can easily determine if it satisfies this requirement by
checking if your smart card appears as a keychain in the OS X Keychain Access
application (Applications > Utilities > Keychain Access).
If your vendor does not provide the necessary software, there may be a
third party solution available.
If you do not have an existing Public Key Infrastructure (PKI) in place:
Use the Certificate Assistant built into the OS X Keychain Access application
to create certificates (Keychain Access > Certificate Assistant). Some VPN
gateways also can create and export certificates.
VPN Gateway Prerequisites
Your VPN gateway must support the use of authentication based on digital
certificates (X.509 certificates).
Configure your VPN gateway for certificate-based authentication. Refer to
your vendor’s documentation for details.
Certificate Management in OS X
To use certificates with VPN Tracker, the certificates must be
available in a keychain. This chapter therefore will first cover
the basics of certificate management using the keychain on
OS X, before showing how to include certificates in VPN
Tracker.
In OS X, certificates (and their private keys) are stored in keychains. Keychains
are managed using the Keychain Access application (found in Applications >
Utilities).
A keychain protects the private key by only permitting access if the keychain
has been unlocked using the appropriate password. Also, if an application
attempts to access a private key in a keychain for the first time, the user is
asked to permit access, even if the keychain is unlocked. By default, a user
has a single keychain, the login keychain, protected with their password. It
is possible to change the login keychain's password to a different one, and to
create additional keychains.
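The requirement that a client certificate and its private key are both available in a keychain can also be checked from Terminal. The script below is an added example, not part of the VPN Tracker manual: it parses the output of the OS X `security find-identity -v` command, and the sample listing, fingerprints and identity names in it are constructed.

```shell
#!/bin/sh
# Added example (not from the VPN Tracker manual).
# An "identity" in keychain terms is a certificate together with its private
# key, which is what certificate-based VPN authentication needs.

# Read `security find-identity` output on stdin and print the name of every
# usable identity, one per line. Entries flagged with a trailing error code
# such as (CSSMERR_TP_CERT_EXPIRED) do not end in a quote and are skipped.
identity_names() {
    sed -n 's/^ *[0-9][0-9]*) [0-9A-Fa-f]\{40\} "\(.*\)"$/\1/p'
}

# Return 0 if the listing on stdin contains a usable identity with exactly
# the given name, non-zero otherwise.
has_identity() {
    identity_names | grep -Fxq -- "$1"
}

# Constructed sample listing (fingerprints and names are made up).
SAMPLE_LISTING='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Alice Example VPN"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Bob Example VPN" (CSSMERR_TP_CERT_EXPIRED)
     1 valid identities found'

if [ -n "${1:-}" ]; then
    # On OS X: search the keychains in the user's search list, which
    # includes a smart card when its driver exposes it as a keychain.
    if security find-identity -v | has_identity "$1"; then
        echo "OK: identity \"$1\" has a certificate and private key"
    else
        echo "MISSING: no usable identity named \"$1\"" >&2
        exit 1
    fi
else
    # No argument given: show what the parser extracts from the sample.
    printf '%s\n' "$SAMPLE_LISTING" | identity_names
fi
```

Run it with the certificate's name as the only argument. A certificate that appears in Keychain Access but is reported as missing here usually has no private key in the keychain, or is expired or untrusted.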