PKI Training - Day3 - Advanced Cryptography 2
First layer: License-based Modules
Second layer: Common Modules
Initially Key Manager generates the keys and then they are available to other modules.
- ADSS CA Server
- ADSS OCSP Service
- ADSS TSA Service: RFC 3161; can generate and send notifications; the time source is critical and may be offered as a dedicated business model.
ADSS Server consists of the following three components:
- Service: has 2 instances in HA
- Console: has 2 instances in HA
- Core: has only 1 instance
Internal Audit Responsibility: Microsoft System Center generates an alert on the SCOM dashboard. However, it is the internal auditor's responsibility to identify the threats and incidents and take remedial actions.
Q: Are HSMs multi-tenant systems? Can these services be provided publicly? A: Partitions are available in the HSMs. However, the seller may need the relevant license from the OEM, and there would be a need to build a wrapper to expose those services.
Runs on a Tomcat server.
- Trust Manager: trusts no one by default. However, you can add trusted CAs.
3 CAs + 2 CAs Signing Service would require new instances and new licenses
- Access Control - Manage Roles: the roles, and the information accessible to each role, are managed here. Default roles:
- Administrator
- Security Officer
- Auditor
Certificates for Access Control: test certificates or internal-use certificates cannot be generated by the production web-trusted servers.
- Global Settings:
- NTP Time Monitoring: local time is synchronized with NTP via the Domain Controller. However, all VMs perform a cross-check against NTP to verify the time. The system may shut itself down in case there is a large skew from NTP.
- OCSP monitors the CA's whitelist (kept in a database) and reads from it to update its own database.
- Notification Settings:
- System Alerts:
- HA Settings:
Incident Management needs to handle red- and yellow-level alerts and investigate such issues.
- System Logs
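The NTP cross-check described above, as an added illustration (not ADSS code): the local clock's offset from an NTP server is estimated from one request/response exchange and the service decides whether to keep running, raise an alert, or shut itself down. The four timestamps and the 5-second skew threshold are constructed values, not taken from the training notes.

```python
"""Time-skew guard in the spirit of the NTP monitoring described above.

Added example, not ADSS code. Assumptions (not from the page): the four NTP
timestamps come from a single client/server exchange, and the skew and
delay thresholds are constructed values chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NtpExchange:
    """Four NTP timestamps (seconds since epoch)."""
    t1: float  # client transmit time (local clock)
    t2: float  # server receive time (NTP clock)
    t3: float  # server transmit time (NTP clock)
    t4: float  # client receive time (local clock)


def clock_offset(x: NtpExchange) -> float:
    """Estimated offset of the local clock from NTP (RFC 5905 formula)."""
    return ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2.0


def round_trip_delay(x: NtpExchange) -> float:
    """Network round-trip delay, excluding server processing time."""
    return (x.t4 - x.t1) - (x.t3 - x.t2)


def evaluate_skew(x: NtpExchange, max_skew_s: float = 5.0,
                  max_delay_s: float = 1.0) -> str:
    """Return 'ok', 'alert' or 'shutdown' for one NTP sample.

    A sample with an implausible delay is not trusted for a shutdown
    decision; it only raises an alert so an operator can look at it.
    """
    delay = round_trip_delay(x)
    if delay < 0 or delay > max_delay_s:
        return "alert"
    offset = abs(clock_offset(x))
    if offset > max_skew_s:
        return "shutdown"   # fail closed: do not issue time-dependent output
    if offset > max_skew_s / 2:
        return "alert"      # yellow level: drifting, not yet critical
    return "ok"


if __name__ == "__main__":
    # Constructed sample: local clock is ~10 s behind the NTP server.
    sample = NtpExchange(t1=1000.0, t2=1010.05, t3=1010.06, t4=1000.10)
    print(evaluate_skew(sample))  # shutdown
```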
# Second Topic