B2B Web Service Guidelines V2 - RSVZ Enterprise Architecture


Appendix Certificate Request



Date: 02.05.2018

Appendix

  6.1 Certificate Request

The B2B systems at RSVZ and the Social Insurance Funds (SIFs) run on a predefined server infrastructure.

Organizations are advised to design this infrastructure for high availability. One part of such a design is to set up a cluster of B2B servers.

RSVZ operates a highly available, fault-tolerant server infrastructure in which each B2B server has been assigned its own server certificate. These X.509 certificates carry the same Subject Distinguished Name, because the cluster is presented to the outside world as a single endpoint.
For establishing communication with partners, all servers of a given B2B environment use the same client certificate. This certificate identifies the B2B system as a whole: partners use it to authenticate and authorize the B2B system that initiated the request. Because every server in the cluster then holds the same private key, that key must only ever be distributed between the servers over a secure channel.
In a typical SSL/TLS setup we distinguish two types of certificates:


  • Server

  • Application (Client)



      6.1.1 Server certificate


Each server on which the SSL/TLS connection is terminated MUST be assigned a server certificate.

Depending on the network topology within the organization, this can be the server hosting the B2B application or a (reverse) proxy server that shields the B2B system. The certificate(s) are always assigned to the server(s) on which the SSL/TLS connection is actually terminated.

When choosing the Subject Distinguished Name (Subject DN) to be supplied when requesting server certificates, the following principles apply:

CN : Common Name
This must be the Fully Qualified Domain Name (FQDN) under which the Social Insurance Fund exposes its server(s) to RSVZ (or other partners).
e.g. "b2b.steuntelkander.be" for the production environment of Steunt-Elkander.
If the certificate is not destined for the production environment, this attribute MUST carry an indication of the environment.
e.g. "b2b-tst.steuntelkander.be" for the test environment of Steunt-Elkander.
RFC 2396 states that a hostname is a sequence of domain labels separated by dots. Each domain label must start and end with an alphanumeric character and may also contain hyphens.
Note that TLS clients that follow RFC 6125 match the host name against the subjectAltName (dNSName) extension rather than the CN, so the same FQDN should also be requested as a subjectAltName of the server certificate.

O : Organization
The name of the Social Insurance Fund.
e.g. Acerta.

OU : Organizational Unit
This attribute holds the company number of the Social Insurance Fund.
e.g. 0416377646 for Acerta.

C : Country code
The country code of the Social Insurance Fund as defined in ISO 3166:

http://www.iso.org/iso/country_codes/iso_3166_code_lists.htm

e.g. BE for Belgium.

For its B2B platform, RSVZ has established the following Subject Distinguished Names:

production environment
  CN = b2b.rsvz-inasti.fgov.be
  O = RSVZ/INASTI
  OU = 0208044709
  C = BE

acceptance environment
  CN = b2b-acc.rsvz-inasti.fgov.be
  O = RSVZ/INASTI
  OU = 0208044709
  C = BE

test environment
  CN = b2b-tst.rsvz-inasti.fgov.be
  O = RSVZ/INASTI
  OU = 0208044709
  C = BE

      6.1.2 Client certificate


When a Social Insurance Fund initiates communication with RSVZ, it MUST use a client certificate to prove its identity.
SIFs that currently present a server certificate when initiating communication MUST obtain a client certificate, and use it to initiate communication with RSVZ, when their server certificate is up for renewal.
The Subject Distinguished Name of that client certificate MUST contain the following attributes:

CN : Common Name
This attribute MUST contain the name of the system that will exchange messages with RSVZ, with an indication of the environment if the certificate is not destined for the production environment.
e.g. "Ventouris (test)" for the Ventouris application in the test environment.
When a central system (gateway or ESB) is used to exchange messages with partners, a single certificate SHOULD be used that identifies this gateway, instead of a separate certificate for each backend application.

O : Organization
The name of the Social Insurance Fund.
e.g. Acerta.

OU : Organizational Unit
This attribute holds the company number of the Social Insurance Fund.
e.g. 0416377646 for Acerta.

C : Country code
The country code of the Social Insurance Fund as defined in ISO 3166:

http://www.iso.org/iso/country_codes/iso_3166_code_lists.htm

e.g. BE for Belgium.
For its B2B platform, RSVZ has established the following Subject Distinguished Names:

production environment
  CN = B2B
  O = RSVZ/INASTI
  OU = 0208044709
  C = BE

acceptance environment
  CN = B2B (acceptance)
  O = RSVZ/INASTI
  OU = 0208044709
  C = BE

test environment
  CN = B2B (test)
  O = RSVZ/INASTI
  OU = 0208044709
  C = BE

      6.1.3 Key Length


In public-key cryptography the key size determines how much work an attacker needs to recover the private key, and with it the ability to decrypt data or forge signatures. When deciding on the key length one must weigh two trade-offs:

  • Long keys provide more security

  • Short keys provide greater efficiency in terms of the time required to encrypt/decrypt data

RSA acknowledges that 1024-bit keys are likely to become crackable before 2010, while 2048-bit keys are deemed sufficient until at least 2030. NIST gives the same 2030 horizon for 2048-bit RSA (SP 800-57) and has disallowed 1024-bit RSA for generating new signatures since 2013 (SP 800-131A).

Therefore both RSVZ and the SIFs MUST use 2048-bit RSA keys.
      6.1.4 Procedure


To obtain certificates from Fedict, the Social Insurance Fund (SIF) must carry out the following procedure for each certificate:

  1. Contact Fedict to obtain the Certificate Request Form (FedICT-PKI-RequestForm).

  2. Select the Certificate Type of the certificate that you want to obtain:

    • Application: client certificate (see 6.1.2)

    • Server: server certificate (see 6.1.1)

  3. Complete the Distinguished Name and Certificate Signing Request sections on that form. The CSR must be generated with a 2048-bit RSA key (see 6.1.3) and its subject must follow the DN rules of 6.1.1 or 6.1.2.

  4. Enter the following text in the zone "Description what the certificate is used for":

    • B2B communicatie RSVZ - netwerk sociaal statuut der zelfstandigen (i.e. "B2B communication RSVZ - network for the social status of the self-employed")

  5. Complete the requested information in the following boxes:

    • Federal Civil Servant authorizing the request (mandatory)

    • Technical Operator generating the request (optional)

  6. Send the form to ca@fedict.be.

  7. Finally, fax the signed form to Fedict: +32-2-212.96.94 (attn: CA SERVICES).

Repeat these steps for each certificate that you need.

Note that the certificate services offered by Fedict are free of charge for governmental institutions.
A Social Insurance Fund may request certificates from an alternative Certification Authority, but only after consulting RSVZ. The guidelines with regard to the Distinguished Name remain in effect in that case.
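As an added example (not part of the RSVZ guideline and not Fedict or RSVZ code), the Python script below applies the Subject DN rules of 6.1.1 (server) and 6.1.2 (client) and the 2048-bit RSA rule of 6.1.3 to a proposed request, and writes out the OpenSSL configuration and command for the CSR that step 3 of the procedure asks for. It goes slightly beyond the text: it also flags a production CN that still carries a test or acceptance marker. Assumptions: the "-acc"/"-tst" host-name tags of the RSVZ examples are taken as the environment indicator for server certificates and "(acceptance)"/"(test)" for client certificates; the file names req.cnf, b2b.key and b2b.csr are placeholders; the sample DNs are those printed on this page.

```python
"""Guideline checks for a B2B certificate request (added example, not RSVZ code).

Covers the Subject DN rules of 6.1.1 (server) and 6.1.2 (client), the
2048-bit RSA rule of 6.1.3, and produces the OpenSSL input for the CSR that
step 3 of the Fedict procedure asks for. Runs offline on the DNs below.
"""
import re
import shlex

# RFC 2396 section 3.2.2: a hostname is dot-separated domain labels, each
# starting and ending with an alphanumeric character, hyphens allowed inside.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

ENVIRONMENTS = ("production", "acceptance", "test")
# Assumption: non-production server hosts carry the tags seen in the RSVZ
# examples (b2b-acc, b2b-tst); the guideline only demands "an indication".
SERVER_ENV_TAGS = {"acceptance": "-acc", "test": "-tst"}
RSA_BITS = 2048  # 6.1.3: both RSVZ and the SIFs MUST use 2048-bit RSA keys


def is_hostname(name):
    """True if every label of a dotted FQDN satisfies the RFC 2396 rule."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(lbl) for lbl in labels)


def check_subject(cert_type, cn, o, ou, c, environment):
    """Return the list of guideline violations; an empty list means compliant."""
    if cert_type not in ("server", "client"):
        return [f"unknown certificate type {cert_type!r}"]
    if environment not in ENVIRONMENTS:
        return [f"unknown environment {environment!r}"]
    problems = []
    if cert_type == "server":
        if not is_hostname(cn):
            problems.append("server CN must be an FQDN made of RFC 2396 labels")
        host = cn.split(".")[0]
        tag = SERVER_ENV_TAGS.get(environment)
        if tag and tag not in host:
            problems.append(f"non-production server CN must carry {tag!r}")
        if not tag and any(t in host for t in SERVER_ENV_TAGS.values()):
            problems.append("production server CN carries a test/acceptance tag")
    else:
        if not cn.strip():
            problems.append("client CN must name the system exchanging messages")
        marker = f"({environment})"
        if environment != "production" and marker not in cn:
            problems.append(f"non-production client CN must contain {marker!r}")
        if environment == "production" and re.search(r"\((acceptance|test)\)", cn):
            problems.append("production client CN carries an environment marker")
    if not o.strip():
        problems.append("O must be the name of the Social Insurance Fund")
    if not re.fullmatch(r"\d{10}", ou):
        problems.append("OU must be the 10-digit company number, e.g. 0416377646")
    if not re.fullmatch(r"[A-Z]{2}", c):
        problems.append("C must be a two-letter ISO 3166 country code, e.g. BE")
    return problems


def openssl_req_config(cert_type, cn, o, ou, c):
    """OpenSSL 'req' config: the DN as the guideline wants it, a 2048-bit key
    and, for servers, the FQDN repeated as subjectAltName (RFC 6125 clients
    match the SAN, not the CN). A config file needs no escaping of '/' in
    values such as RSVZ/INASTI, unlike the -subj command-line form."""
    lines = ["[req]", f"default_bits = {RSA_BITS}", "prompt = no",
             "distinguished_name = dn", "req_extensions = ext", "",
             "[dn]", f"CN = {cn}", f"O = {o}", f"OU = {ou}", f"C = {c}", "",
             "[ext]"]
    if cert_type == "server":
        lines += [f"subjectAltName = DNS:{cn}", "extendedKeyUsage = serverAuth"]
    else:
        lines += ["extendedKeyUsage = clientAuth"]  # the CA may still override it
    return "\n".join(lines) + "\n"


def openssl_req_command(config_path, key_path, csr_path):
    """Key and CSR in one step. Deliberately no '-nodes': the private key is
    passphrase-protected on disk; it stays on the host that terminates TLS, and
    a shared cluster client key is copied only over a secure channel."""
    return shlex.join(["openssl", "req", "-new", "-newkey", f"rsa:{RSA_BITS}",
                       "-keyout", key_path, "-out", csr_path, "-config", config_path])


if __name__ == "__main__":
    # Sample DNs taken from the RSVZ examples on this page plus two broken ones.
    samples = [
        ("server", "b2b.rsvz-inasti.fgov.be", "RSVZ/INASTI", "0208044709", "BE", "production"),
        ("server", "b2b.rsvz-inasti.fgov.be", "RSVZ/INASTI", "0208044709", "BE", "test"),
        ("client", "B2B (test)", "RSVZ/INASTI", "0208044709", "BE", "test"),
        ("client", "Ventouris", "Acerta", "416377646", "BE", "test"),
    ]
    for s in samples:
        print(f"{s[0]:6} {s[1]:28} {s[5]:10} -> {check_subject(*s) or 'OK'}")
    print(openssl_req_config("server", "b2b.rsvz-inasti.fgov.be", "RSVZ/INASTI", "0208044709", "BE"))
    print(openssl_req_command("req.cnf", "b2b.key", "b2b.csr"))
```

Run the script as-is to see the two compliant DNs pass and the two broken ones reported, then save the printed configuration as req.cnf and run the printed openssl command on the host that will terminate TLS; the resulting CSR is what goes into the Certificate Signing Request section of the Fedict form. The SAN line is added because a CN-only server certificate will fail host-name validation in current TLS clients even though the CN follows the guideline.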


