Sentry builds trust for e-business
Sentry 4.0
BUSINESS CASE
Sentry 4.0 provides increased trust and strong authentication for Internet transactions, enabling greater use of the Internet for critical communications.
TECHNOLOGY CASE
Sentry's platform-independent administration, "Xcertified" program, and Xcert Development Kit make PKI easier to deploy in any organization.
PROS
+ Platform-independent
+ Easy to administer
CONS
- No server support for Linux
COST
$15,000 for starter kit
PLATFORMS
Windows NT and Solaris
Xcert International Inc., Walnut Creek, Calif.; (925) 274-9300; www.xcert.com
THE MAJOR HURDLE in e-business today is establishing trust. In the past, you worked with specific people at another company: members of the sales team, technical support, customer service representatives, and so on. Today many of these functions are performed via the Internet with no person-to-person interaction. How do you ensure the parties are who they say they are?
The accepted technology standard for identifying people is PKI (public key infrastructure). But PKI solutions are often expensive, complex systems that are difficult to deploy, administer, and use. I'm happy to say that I have reviewed a product that greatly reduces the complexity in implementing PKI. Xcert International Sentry 4.0 gives you the opportunity to rapidly deploy large, usable PKI solutions that work easily in multivendor environments. I give this product an Excellent rating (for more on the topic of PKI interoperability, see related article).
Four parts to Sentry
Sentry 4.0 contains four major components: Sentry CA (for certificate authority), Sentry RA (for registration authority), WebSentry, and the Xcert Development Kit. Sentry CA issues and manages certificates. Sentry RA provides distributed enrollment servers. WebSentry plugs in to existing Web servers to authenticate users with digital certificates. Finally, the Xcert Development Kit enables developers to integrate applications with PKI through an API.
Sentry 4.0 contains many new features, some of which bring it up to speed with other PKI products on the market and others that put it a little ahead of everything else. As with other offerings such as Baltimore UniCert and Entrust, Sentry supports automatic vetting, automatic notification of certificate requests, automatic certificate renewal, the Online Certificate Status Protocol (OCSP), external LDAP directories, cryptographic hardware for secure CA key storage (Sentry ships with the Luna CA key storage product), and logging of all PKI operations. Unlike other offerings, Sentry supports suspending a certificate, trusting another CA, cross-validation of non-Xcert end-entity certificates (an end-entity is an end-user or server, anything that uses a certificate for authentication), and out-of-the-box compatibility with numerous leading Internet and e-commerce products.
Most PKI offerings today give two choices for certificate status: active or revoked, meaning the certificate is either usable or permanently invalid. Sentry gives you a third option, suspended, which makes the certificate temporarily invalid and can be reversed by the CA. This is useful when someone goes on leave or a trading partnership is temporarily halted. Relying parties must treat a suspended certificate exactly as they would a revoked one until the CA lifts the hold; in X.509 terms the CRL entry carries the certificateHold reason code, the one revocation state that a later CRL may clear.
With partnerships and mergers occurring daily, multivendor PKI environments are a common occurrence. Sentry 4.0 can work with other CA products, enabling you to cross-certify your CA with a non-Xcert CA and to rearrange at will the trust relationships between multiple internal and external CAs. Additionally, Sentry CA can cross-validate users immediately, regardless of which CA certified the user's identity. This flexibility makes it very easy to incorporate trading partners or new companies into an existing Sentry CA infrastructure.
A PKI must, by its nature, interact with other applications and products. Xcert tests and "Xcertifies" third-party products for out-of-the-box compatibility with Sentry CA, without the use of proprietary plug-ins or protocols. Out-of-the-box compatibility removes the need for integration projects, which are often expensive and resource-intensive. Xcertified products include, among many others, Peerlogic i500, Check Point VPN-1, and Aventail Extranet Center.
WebSentry is a plug-in for Web servers that enables certificate-based authentication to a Web site. WebSentry supports Microsoft Internet Information Server, Apache, and Netscape Web servers. WebSentry connects directly to Sentry CA through an LDAP-over-SSL (Secure Sockets Layer) connection and checks certificate status before each transaction occurs. This "zero-tolerance certificate revocation" method differs from most other approaches, which rely on CRLs (certificate revocation lists). A CRL is published and distributed periodically, so a certificate revoked after the current CRL was issued continues to be accepted by relying parties that trust that CRL until the next one is published; the length of that window is the CRL publication interval. WebSentry's real-time status check against the CA closes the window. The trade-off is that the CA (or the directory it publishes to) becomes a dependency of every transaction, so a deployment should confirm that the plug-in fails closed when the status lookup cannot be completed.
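As an added illustration (not part of the original review and not Xcert's code), the following Python model shows why the suspended state and the per-transaction status check matter. It models a CA with a status table, a relying party that caches a CRL until its nextUpdate time, and a relying party that queries the CA live; the serial numbers, timestamps and the 24-hour CRL period are constructed for the example.

```python
"""Relying-party revocation checking: periodic CRL versus live status query.

Constructed model, not Xcert code.  It shows (1) the reversible "suspended"
state beside permanent revocation and (2) the acceptance window a CRL-based
verifier has between a revocation and the next CRL publication, which a
live status check against the CA does not have.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Status(Enum):
    GOOD = "good"
    SUSPENDED = "suspended"  # reversible; X.509 CRL reason certificateHold
    REVOKED = "revoked"      # permanent


@dataclass(frozen=True)
class CRL:
    """Snapshot of non-good certificates, considered valid until next_update."""
    this_update: datetime
    next_update: datetime
    entries: dict  # serial -> Status (SUSPENDED or REVOKED)

    def status(self, serial: int) -> Status:
        return self.entries.get(serial, Status.GOOD)


@dataclass
class CertificateAuthority:
    """The CA's authoritative status table (serial -> Status)."""
    crl_period: timedelta = timedelta(hours=24)  # assumed publication interval
    _status: dict = field(default_factory=dict)

    def issue(self, serial: int) -> None:
        self._status[serial] = Status.GOOD

    def suspend(self, serial: int) -> None:
        if self._status[serial] is Status.REVOKED:
            raise ValueError("revocation is permanent")
        self._status[serial] = Status.SUSPENDED

    def reinstate(self, serial: int) -> None:
        if self._status[serial] is not Status.SUSPENDED:
            raise ValueError("only a suspended certificate can be reinstated")
        self._status[serial] = Status.GOOD

    def revoke(self, serial: int) -> None:
        self._status[serial] = Status.REVOKED

    def live_status(self, serial: int) -> Status:
        # Fail closed: a serial the CA never issued is not trusted.
        return self._status.get(serial, Status.REVOKED)

    def publish_crl(self, now: datetime) -> CRL:
        entries = {s: st for s, st in self._status.items() if st is not Status.GOOD}
        return CRL(this_update=now, next_update=now + self.crl_period, entries=entries)


class CRLVerifier:
    """Relying party that re-fetches the CRL only once its cached copy expires."""
    def __init__(self, ca: CertificateAuthority) -> None:
        self.ca, self.crl = ca, None

    def check(self, serial: int, now: datetime) -> Status:
        if self.crl is None or now >= self.crl.next_update:
            self.crl = self.ca.publish_crl(now)
        return self.crl.status(serial)


class LiveVerifier:
    """Relying party that asks the CA before every transaction."""
    def __init__(self, ca: CertificateAuthority) -> None:
        self.ca = ca

    def check(self, serial: int, now: datetime) -> Status:
        return self.ca.live_status(serial)


def revocation_window_demo() -> dict:
    """Revoke a certificate one hour after the CRL was fetched; compare verdicts."""
    t0 = datetime(2000, 1, 1, 9, 0)  # constructed timeline
    ca = CertificateAuthority(crl_period=timedelta(hours=24))
    ca.issue(1001)
    by_crl, live = CRLVerifier(ca), LiveVerifier(ca)
    by_crl.check(1001, t0)            # caches the CRL published at t0
    ca.revoke(1001)
    t1 = t0 + timedelta(hours=1)
    return {
        "crl_in_window": by_crl.check(1001, t1),    # stale CRL still says GOOD
        "live_in_window": live.check(1001, t1),     # CA answers REVOKED at once
        "crl_after_refresh": by_crl.check(1001, t0 + ca.crl_period),
        "window": ca.crl_period,                    # worst-case acceptance time
    }


def suspension_demo() -> list:
    """Suspension can be lifted; revocation cannot."""
    ca = CertificateAuthority()
    ca.issue(42)
    ca.suspend(42)
    seen = [ca.live_status(42)]
    ca.reinstate(42)
    seen.append(ca.live_status(42))
    ca.revoke(42)
    try:
        ca.reinstate(42)
    except ValueError:
        seen.append(ca.live_status(42))
    return seen


if __name__ == "__main__":
    print(revocation_window_demo())
    print(suspension_demo())
```

The CRL-based verifier accepts the revoked certificate for the rest of the publication interval, so the worst-case window equals that interval; shortening it increases distribution cost, which is the pressure that motivates per-transaction checks like WebSentry's. The live verifier pays for immediacy with a dependency on the CA for every request.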
I installed Sentry CA and Sentry RA on a Windows NT Server. The installation process took about 20 minutes for both components, and I was issuing certificates in no time. Each component installation had two parts: a set-up program to install the initial files and a Web interface to complete the configuration, generate keys, etc. A Unix installation would not be much different because the majority of the work is done through the platform-independent Web interface. I then installed WebSentry on a system running IIS and had my own self-signed SSL server running in about 30 minutes.

Administration is provided through a Web server that comes with Sentry. All communication between users and CA or RA servers travels through encrypted tunnels created using SSL. The administration interface is a very clear, self-explanatory workbench, with sensitive CA operations separated from normal vetting operations. This provides easy administration in a distributed PKI environment because many vetters can be assigned enrollment operations throughout the company, thus maintaining the segregation of duties between enrollment and CA operations.
Sentry 4.0 is designed to provide trust on the Internet and to help secure e-commerce applications in a cost-effective, interoperable, scalable solution; Xcert guarantees Sentry CA's performance for 1 million users. This product excels at what it was designed to do, and I highly recommend it to any company looking to provide strong authentication for end-users or business partners via the Internet.