This final part of our series on PKI security in large scale web applications looks at how eValidate was able to accommodate the unique, high performance demands of the DOD EMALL.
Powered by Partnet eValidate, DOD EMALL is now fully CAC-enabled, and public key access is configured for all Federal Bridge customers. This was accomplished with zero impact to system performance and availability, and in accordance with the strict DOD operating standards.
eValidate’s internal CRL (certificate revocation list) application was implemented to validate regular DOD Common Access Cards. The application automatically retrieves, compiles, and indexes CRLs from a host of trusted CAs into a dedicated file system within the DOD EMALL login module. The file system is available throughout the load-balanced cluster, allowing user CACs to be checked against the indexed file system from any node within the system. eValidate’s internal server-side CRL application provides virtually seamless login and certificate-revocation processing, transparent to users and without impact to system performance and availability.
While an efficient certificate revocation method for regular DOD users, the internal CRL application was not a practical solution for validating the external certificates (i.e., VeriSign, IdenTrust, etc.) used by DOD’s Federal and commercial partners. Instead, eValidate’s OCSP web service was enabled for these user groups.
Using standard HTTP, the login module transmits an encoded OCSP query to a corresponding OCSP responder for each external public key presented (i.e., LincPass, HSPD-12 cards). The OCSP responder checks the public key’s digital certificate and returns the revocation status to DOD EMALL in real time. The Federal Bridge user is then granted or denied access, as appropriate.
Too many simultaneous OCSP queries can undermine network performance, however, which is why Partnet configured this solution for Federal Bridge users—representing only a small fraction of the DOD EMALL user base. As use of PKI broadens and more external partners are brought into DOD EMALL’s user base, eValidate’s OCSP implementation can be scaled using client-side plug-ins (e.g., Tumbleweed) already approved by the Joint Interoperability Test Command (JITC), or by locally caching certification-revocation data.
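The two-tier design described above, as an added example that is not eValidate's own code: internal (CAC) issuers are checked against a locally indexed CRL store, external issuers go to OCSP, and OCSP answers are cached locally to limit query volume. The CRL contents, issuer names and the OCSP responder callable are constructed for the example; a real deployment would parse DER CRLs and send RFC 6960 requests over HTTP.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CRL index: issuer name -> (nextUpdate, revoked serial numbers).
# In production this is what the retrieve/compile/index step would write to the
# shared file system so every cluster node sees the same data.
SAMPLE_CRLS = {
    "CN=EXAMPLE ID CA-1": (datetime(2030, 1, 1, tzinfo=timezone.utc), {0x1A2B, 0x3C4D}),
    "CN=EXAMPLE ID CA-2": (datetime(2020, 1, 1, tzinfo=timezone.utc), {0x5E6F}),  # stale CRL
}
OCSP_CACHE_TTL = timedelta(minutes=10)  # hypothetical local cache lifetime for OCSP answers


class RevocationChecker:
    def __init__(self, crls, ocsp_query, now=None):
        self.index = dict(crls)          # issuers with an indexed CRL are "internal"
        self.ocsp_query = ocsp_query     # callable(issuer, serial) -> "good"|"revoked"|"unknown"
        self.ocsp_cache = {}             # (issuer, serial) -> (status, fetched_at)
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.ocsp_calls = 0              # counts responder round-trips actually made

    def check(self, issuer, serial):
        """Return 'good', 'revoked' or 'unknown'; callers should fail closed on 'unknown'."""
        if issuer in self.index:
            return self._check_crl(issuer, serial)
        return self._check_ocsp(issuer, serial)

    def _check_crl(self, issuer, serial):
        next_update, revoked = self.index[issuer]
        if self.now() > next_update:     # past nextUpdate: the CRL is stale, do not trust it
            return "unknown"
        return "revoked" if serial in revoked else "good"

    def _check_ocsp(self, issuer, serial):
        key = (issuer, serial)
        cached = self.ocsp_cache.get(key)
        if cached and self.now() - cached[1] < OCSP_CACHE_TTL:
            return cached[0]             # served from local cache, no network query
        self.ocsp_calls += 1
        status = self.ocsp_query(issuer, serial)
        if status != "unknown":          # never cache a failed or inconclusive lookup
            self.ocsp_cache[key] = (status, self.now())
        return status
```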
Partnet eValidate can be applied to any large-scale system using a load-balanced, clustered architecture. eValidate is also highly configurable to meet the unique system requirements and operating conditions of diverse applications and network environments.
As PKI continues to expand within federal, DOD, and commercial enterprises, the need for large-scale, high-volume web applications to balance the complex security/performance equation will become more acute. eValidate picks up where standard, commercial products fall short—providing optimized performance and networking, while ensuring the robust security environment that federal and DOD agencies depend on to meet their day-to-day needs and fulfill mission objectives.
Simply put, eValidate is the smart PKI solution for the federal government.