B-12
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Appendix B Authentication in ACS 5.3
EAP-TLS
Credentials Distribution
All certificates are kept in the ACS database, which is replicated to and shared by all ACS nodes. Each
ACS server certificate is associated with, and designated for, one specific node, and only that node uses
it.
Public certificates are distributed together with their private keys and the protected private-key
passwords through the ACS distribution mechanism. ACS protects each private key so that it cannot be
used by any server other than the one for which it is designated. This protection mechanism applies only
to encrypted private keys.
The PKI policy for private keys is that a private key must not be usable by any entity that is not
associated with the ACS server for which it is designated. ACS supports cryptographic protection of
private keys to prevent their use outside the ACS server machine for which they are designated.
Hardware Replacement and Certificates
When hardware fails, a new node replaces the malfunctioning one. The malfunctioning node's certificates
are removed from the distributed database on the primary server, and the new node's certificates are
passed to the primary, which associates them with the replacement node.
This certificate exchange takes place as part of the hardware replacement process, when the new node
registers with the domain. Certificate distribution is based on the server's IP address.
Securing the Cryptographic Sensitive Material
Several types of PKI-related keys are stored in the ACS database. They have different cryptographic
storage requirements, which must comply with SEC-RCV-CRED-2, part of the Cisco security baseline.
These requirements include:
- Public keys, which usually reside in a certificate, may be stored in the clear: they are sent to clients
in clear text and contain only public material.
- Private keys must be stored encrypted, as PKCS#12, protected by a relatively strong password.
- The password for the PKCS#12 private keys must be stored in the ACS database. Because the ACS
database is itself encrypted, this does not pose a serious security concern. ACS 5.3 distributes the
entire database to all ACS servers.
ACS encrypts the private-key passwords with a key that exists only on the local machine, which prevents
other machines from using the private keys. This private-key password key is kept in
/opt/CSCOacs/config/prikeypwd.key on the ACS file system. Because the database, and with it the
encrypted private keys and their wrapped passwords, is replicated to every node, this local file is what
binds a private key to its node; its protection must match that of the private keys themselves.
Other certificate repositories, such as the Tomcat keystore, must have the same properties as the ACS
database: private keys are encrypted with a password that is kept secured in the database.