Entrust TruePass

Product Portfolio Architecture

Client-Side:

The Entrust TruePass™ architecture is divided into multiple parts, or Web tiers. In typical deployments, firewalls are placed between these Web tiers, creating an area between the two firewalls called the DMZ or "De-militarized Zone." It is called a DMZ because it serves as a separation between outside, untrusted sources (the Internet) and an organization's back-end systems and data.

First Web Tier: Client Side

Users are able to enroll for a digital ID through a Web page delivered by the Entrust Authority™ Self-Administration Server. Based on entering information known by both the user and the organization providing the identity, users can automatically enroll for a digital ID to use with the Entrust TruePass software. Once a user has been enrolled, Entrust TruePass has the ability to store and access digital IDs in different secure locations. These include:

  • Roaming Entrust Profile
  • Desktop Entrust Profile
  • Windows digital ID store
  • Smart card or token through the Windows security framework

These different locations allow organizations to deploy and support their end users in a model that suits them best.

Roaming Entrust Profile: When trying to access a protected Web page, the user is redirected to an identification page, where the Entrust TruePass applet is transparently downloaded to the user's Web browser. Users identify themselves through this Web page and then have their digital ID securely downloaded into the browser's memory (it is never written to the physical disk). All communication with the Web server while using the Entrust TruePass solution is protected using 128-bit SSL. Roaming Entrust Profile authentication may be augmented with requirements for outside authorization services, such as an option provided by Entrust that leverages a user's existing phone number for out-of-band delivery of a one-time pass-code. This pass-code serves as an additional "factor" of authentication for a user logging into Entrust TruePass.

Desktop Entrust Profile: Entrust TruePass allows organizations to leverage the same digital ID used for other Entrust and Entrust Ready applications on the desktop. This enables customers to deploy and use the powerful capabilities provided by the Entrust Entelligence™ product family, and the many Entrust Ready applications certified by Entrust, while also leveraging the same digital ID with Entrust TruePass for their Web security needs.

Windows Digital ID store: Entrust TruePass users may also store their digital ID in the Windows digital ID store. This is achieved through integration with the Windows security framework. Digital IDs stored in the Windows digital ID store are protected through Windows built-in security mechanisms, including the ability to automatically time out and lock a user’s workstation with a password-protected screensaver. Through this integration with the Windows security framework, users are also empowered to use the native capabilities of the Internet Explorer browser with the Entrust digital ID stored in the Windows digital ID store.

Smart cards and tokens: Although Entrust TruePass is a "zero-footprint" Web application, it has the ability to access and use digital IDs that are stored on smart cards and tokens, including Entrust USB Tokens. This enhanced level of security provides a strong second factor of authentication for users, allowing organizations to move their sensitive business processes to a Web environment with confidence in who will be accessing them. This is in addition to the ability to use random-number tokens with Entrust TruePass as an alternative method of providing strong two-factor authentication.

Second Web Tier: Web Servers, Self-Administration Server, TruePass SVM, and Application Server Connector

The Entrust Authority™ Self-Administration Server allows users to automatically enroll for a digital ID. In conjunction with a standard Web server, the Self-Administration Server allows users to visit a Web page, enter information that is known by themselves and the deploying organization, and automatically have a digital ID generated. This server can also be configured to allow users to reset their own passwords, removing a significant administrative burden from the technical support organization.

The Entrust TruePass Session Validation Module is a Web server plug-in or filter that acts as the gatekeeper to protected Web resources. It is installed on the Web server and provides services such as session cookie issuance upon logon and cookie renewal at configurable intervals.

In addition, in a typical deployment configuration the application server is separated from the Web server, which requires an additional connector to be installed in order to link the Web server to the back-end application server.

Third Web Tier: Back End Application Logic & Entrust Authority Enhanced Security Services

The Entrust Authority Self-Administration Server also has a third tier component that links the enrollment and password reset capabilities to back-end data sources. Typically, this is placed in the third tier due to the sensitive nature of the information used to identify users.

Entrust TruePass services are deployed on powerful Web application servers, using their built-in ability to support application logic such as the Entrust TruePass Java servlets. These application servers may also be used to provide additional applications and transaction processing for use in an Entrust TruePass signature process. By deploying on these powerful servers, the Entrust TruePass solution is able to leverage their native ability to scale and provide load balancing within a Web solution.

The other required Entrust Authority components are the Entrust Authority™ Security Manager and the Entrust Authority™ Roaming Server. The Security Manager securely stores the CA private key, issues certificates for users and devices, and publishes user and application certificate revocation lists to enable trustworthy communications. The Roaming Server allows users to log in and work in a secured manner from any location without having to carry their digital IDs, providing trusted users access to information anytime.

Finally, there is a requirement for a standard X.500/LDAP directory or Microsoft Active Directory to store encrypted user information and published certificate revocation lists from the Entrust Authority Security Manager.

Architecture Diagram