000021731 - How secure is a Keon Certificate Authority OneStep API connection?

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000021731
Applies ToKeon Certificate Authority OneStep 6.5.1
Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Server SP3
Secure Socket Layer (SSL)
IssueHow secure is a Keon Certificate Authority OneStep API connection?
Can Keon Certificate Authority SSL connection be sniffed?
ResolutionRSA Keon Certificate Authority OneStep talks to the secure KCA port (e.g. 636) using the SSL-LDAP protocol. A SSL secure tunnel is created between OneStep and the KCA. Once the transaction is completed, this tunnel is closed. Thus, there are also no issues where most firewalls drop inactive connections after a set period of time.

For KCA to respond, you must possess the right bindDN, bindPW, and SSL certificate. The SSL certificate identifies the sort the operations the requestor can perform as these are governed by the LDAP ACL rules. When you approve a KCA SSL certificate for OneStep or KRA, part of the process is setting the LDAP ACL to limit what that certificate can do.

As far as OneStep is concerned, the SSL certificate entitles the application to send certificate requests to KCA, and these requests can only be signed by whichever jurisdiction was configured for the OneStep SSL certificate.

The network traffic on a port can be sniffed but the data traffic is encrypted, and it is as secure as the session key and key size negotiated to encrypt the data.
Legacy Article IDa24774