Managing Servers with Netscape Console: FORTEZZA


Appendix C FORTEZZA

FORTEZZA is a cryptographic system that combines the use of hardware-based tokens and software-based algorithms to secure web-based information exchange. The US government developed FORTEZZA to manage sensitive but unclassified information.


How It Works
FORTEZZA provides a higher level of security than typical encryption systems because it requires three elements:

First, the US government provides your department or agency access to a Certificate Authority Workstation (CAW). The workstation itself may or may not be located at your worksite. A Certificate Authority (CA) representing your department or agency operates the CAW. The CA may be a security office or other designee who establishes, authenticates, and programs FORTEZZA Crypto Cards. A FORTEZZA Crypto Card is a PCMCIA card that has been activated and issued by the CA. The CA also maintains and revokes user keys and certificates as necessary.

Information System (IS) administrators install FORTEZZA software and card readers on some or all of your enterprise servers, and then card readers are installed on your users' computers or workstations. Netscape FORTEZZA products are designed to operate properly with any PCMCIA-compliant card reader that is supported by the Litronic device driver.

Each enterprise user must request and obtain a FORTEZZA Crypto Card from a CA.

Typically, a user who wants to access a FORTEZZA-secured server plugs the FORTEZZA Crypto Card into the PCMCIA reader. By inserting the card and typing in the Personal Identification Number (PIN), the user tells the client to


How FORTEZZA Crypto Cards are Certified
The US government established the Policy Approval Authority (PAA), a regulating body, to ensure that only valid users are given authenticated FORTEZZA cards.

The PAA delegates its authority to Policy Creation Authorities (PCAs). These are groups that may represent a branch of the government or a large corporation. PCAs in turn delegate authority to Certification Authorities (CAs).

Certification Authorities are the individuals who actually verify users' key information. CAs program, activate, and issue cards to government employees and to individuals who conduct business with the government. A single CA might handle the encryption needs of a small company, a single department in a large company, or a department in a government agency.


FORTEZZA Keys, Certificates, and Encryption
The CA programs FORTEZZA Crypto Cards with any combination of encryption and key management approaches. Some of these are described briefly here. For more information about how keys, certificates, and encryption work in general, see Appendix D, "Introduction to Public-Key Cryptography," and Appendix E, "Introduction to SSL," in this manual.

Encryption Algorithms

SKIPJACK. Data encryption and decryption algorithms typically used with the SSL protocol.

SSL Protocol. Symmetric encryption nested within public-key encryption and authenticated through the use of certificates.

RC4 Encryption. A kind of 128-bit software encryption. Servers use this kind of encryption to optimize performance.

NULL encryption. Typically used when providing only access control or when using pre-encrypted fields.

Key Management

Certificate revocation list (CRL). A list, provided by the CA, of all revoked certificates.

Compromised key list (CKL). A list of key information about users who have compromised keys. The CA also provides this list.
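
As an added illustration (not Netscape's code and not part of the original manual), the sketch below models the PAA, PCA, CA and card delegation chain together with the CRL and CKL checks described above. The `Cert` fields, the key identifiers and the sample hierarchy are assumptions made for the example, and signature verification is left out of the model.

```python
from dataclasses import dataclass

# Delegation order described above: PAA -> PCA -> CA -> user card.
ROLES = ["PAA", "PCA", "CA", "USER"]

@dataclass(frozen=True)
class Cert:
    serial: str   # certificate serial number, matched against the CRL
    key_id: str   # assumed key identifier, matched against the CKL
    role: str     # one of ROLES
    subject: str
    issuer: str   # subject name of the issuing authority

def validate_card(card, store, crl, ckl):
    """Return (ok, reason) for a card certificate. Signatures are out of
    scope: only delegation order and revocation status are modelled."""
    if card.role != "USER":
        return False, "not a user card certificate"
    cert = card
    while True:
        if cert.serial in crl:
            return False, f"{cert.subject}: certificate revoked (CRL)"
        if cert.key_id in ckl:
            return False, f"{cert.subject}: key compromised (CKL)"
        if cert.role == "PAA":
            ok = cert.issuer == cert.subject
            return ok, "valid" if ok else "PAA root is not self-issued"
        parent = store.get(cert.issuer)
        if parent is None:
            return False, f"{cert.subject}: unknown issuer {cert.issuer}"
        # Each step up must land exactly one level higher in the hierarchy,
        # so the walk always terminates at the PAA.
        if ROLES.index(parent.role) != ROLES.index(cert.role) - 1:
            return False, f"{parent.subject} ({parent.role}) may not issue {cert.role}"
        cert = parent

# Constructed sample hierarchy (all names, serials and key ids are made up).
STORE = {c.subject: c for c in [
    Cert("0001", "K-PAA", "PAA", "PAA Root", "PAA Root"),
    Cert("0010", "K-PCA", "PCA", "Agency PCA", "PAA Root"),
    Cert("0100", "K-CA", "CA", "Dept CA", "Agency PCA"),
]}
alice = Cert("1001", "K-ALICE", "USER", "alice", "Dept CA")
# Re-issued certificate that still carries alice's old key.
alice2 = Cert("1002", "K-ALICE", "USER", "alice", "Dept CA")
rogue = Cert("1003", "K-ROGUE", "USER", "mallory", "alice")
```

In this model a CRL entry for serial 1001 does not stop the re-issued certificate 1002, while a CKL entry for the key rejects both.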


Enabling FORTEZZA
To set up FORTEZZA, use the Certificate Setup Wizard as described in "Obtaining and Installing a Certificate" on page 69. Be sure to indicate FORTEZZA when appropriate:

If you're going to use both internal and external SSL tokens, use the Certificate Setup Wizard two times. During the first use, select the Internal token. During the second use, indicate the External (FORTEZZA) token.

Note. Each Netscape server that supports FORTEZZA may have its own setup options and requirements. See the Administrator's Guide for your server for related information.

 

©Copyright 1999 Netscape Communications Corporation