The LDAP Proxy Service
Note: The LDAP Proxy service is currently under development. Program code and documentation are in continuing revision.
Service Overview
The LDAP Proxy service is part of an email encryption architecture designed to facilitate the exchange of encrypted email between Boeing email users and non-Boeing partners through the use of X.509 personal certificates and certificate revocation lists (CRL). The LDAP Proxy part of this architecture accepts an email address and searches remote LDAP servers for an X.509 public certificate belonging to the person who matches the email address. This certificate is returned to the requester and is used by the requester's email program to encrypt email to be sent to the owner of the certificate.

In addition, the LDAP Proxy can be used to find and return certificate revocation lists. An LDAP client program uses the CRL to confirm that the public certificates it has just fetched have not been revoked by the certificate issuer.

The use of X.509 certificates and CRLs allows disparate email programs, such as Microsoft's Outlook and Netscape's Communicator, to exchange encrypted email.

Email Encryption
Boeing uses the Public Key Infrastructure (PKI) for the exchange of encrypted email. Under this scheme, each user has two encryption keys: a public key that allows encryption and a private key that allows decryption. These keys are contained in the user's public and private X.509 user certificates. Anyone who has a copy of a user's public certificate can encrypt email that only the certificate's owner can decrypt using their private certificate. The LDAP Proxy service is designed to facilitate the location and exchange of these public certificates.

Proxy Operation
The LDAP Proxy listens on the standard LDAP port (389) for LDAP queries from either inside or outside of the Boeing internet. These queries can be made from any type of LDAP client but will typically come from an address book client or email program. The LDAP Proxy is designed to process two types of LDAP queries: requests for public certificates and requests for certificate revocation lists (CRL).

Certificate Retrieval
Requests for public certificates must have a search filter containing a valid email address. The email address is used by the LDAP Proxy to search a locally maintained list of Boeing and non-Boeing LDAP servers (See "LDAP Server Lists" below). These servers provide employee information for the companies and organizations that own the server. If the LDAP Proxy finds an LDAP server in the list that services the requested email address, an LDAP query is made to that server using the email address as a search key. If employee information is available for that email address, the LDAP Proxy collects the common name of the employee and their public certificate (if available) and returns these items to the original requester. Once the requester's email program has the public certificate, it can send encrypted email to the owner of that certificate.

[Figure: ldap-map]

CRL Retrieval
Requests for CRLs must contain two pieces of information: the CRL attribute name of "CertificateRevocationList", and a base DN which defines the location of the CRL on the CRL server. An example of a base DN is ou=netscape,ou=certservers,o=Boeing,c=US. This base DN is compared with the base DNs listed in the locally maintained CRL server list (See "LDAP Server Lists" below). If a match is found, a CRL request is sent by the LDAP Proxy to the matched LDAP server specifying the base DN as the location of the CRL on that server. The Proxy will fetch one or more CRLs from the CRL server and return them to the requesting client.

LDAP Proxy Software

The LDAP Proxy software is made up of two components. The OpenLDAP "slapd" daemon is used as the LDAP front-end process and a locally written facility called "getcert" is used as the back-end process to slapd. The front-end process listens on LDAP port 389 and establishes LDAP sessions with remote LDAP clients. When the front-end receives an LDAP query from the remote client, the LDAP search parameters are handed to the back-end process getcert. Getcert then pulls the email filter from the search criteria and uses it to search the local LDAP server list, queries the appropriate remote LDAP servers found in the server list, and returns any results back to the front-end process. The slapd front-end then hands the data to the remote LDAP client and terminates the LDAP session.
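The request routing that getcert performs for the certificate and CRL lookups described above (matching the email filter against the server list, matching the base DN against the CRL server list, and returning only the common name and certificate), as an added Python example; this is not the proxy's own code, and the server lists, hostnames and attribute names are constructed assumptions.

```python
import re

# Constructed server lists standing in for the locally maintained
# "LDAP Server Lists" the page refers to; hostnames are placeholders.
CERT_SERVERS = {
    "example.com": "ldap.example.com",
    "partner.example.org": "directory.partner.example.org",
}
CRL_SERVERS = {
    "ou=netscape,ou=certservers,o=boeing,c=us": "crl.example.com",
}

# Only a single equality filter on "mail" with a well-formed address is
# accepted, so a malformed or compound filter never reaches a remote server.
MAIL_FILTER = re.compile(
    r"^\(mail=([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\)$")

def route_cert_request(search_filter):
    """Map a certificate request to (server, email); None if the filter
    is malformed or no listed server services the address's domain."""
    m = MAIL_FILTER.match(search_filter.strip())
    if not m:
        return None
    email = m.group(1).lower()
    server = CERT_SERVERS.get(email.rsplit("@", 1)[1])
    return (server, email) if server else None

def select_response_attrs(entry):
    """Keep only what the proxy is meant to return: the common name and
    the public certificate, if the remote entry has one."""
    keep = ("cn", "usercertificate;binary")
    return {k: v for k, v in entry.items() if k.lower() in keep}

def normalize_dn(dn):
    """Canonicalise a DN for comparison: trim whitespace around each RDN
    and fold case (ou, o and c all use case-insensitive matching)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def route_crl_request(requested_attrs, base_dn):
    """Map a CRL request to its server: the request must ask for the
    CertificateRevocationList attribute and name a listed base DN."""
    if not any(a.lower() == "certificaterevocationlist" for a in requested_attrs):
        return None
    return CRL_SERVERS.get(normalize_dn(base_dn))
```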
The ldap_proxy has been tested on Sun Solaris 8 & 9, RedHat Linux 8 & 9, and SuSE Linux 9 servers. In theory, it can be compiled and run on any UNIX system that is capable of running OpenLDAP. Instructions for building the LDAP Proxy from source code are included with the LDAP Proxy source code distribution.
The LDAP Proxy uses a three number version notation to identify the release version. The major version is the left hand number and is incremented only after the source code has undergone a major revision or major rewrite. The middle number is the minor version number and is incremented when new functionality or features are added to the code base. The right hand number is the patch level and is incremented whenever changes are made to the code base but no new functionality is added. If no patches or other changes are made to the code since the minor version was released, no patch level number is listed (i.e., version 2.5 rather than 2.5.0).

LDAP Proxy Web Interface
A web interface to the LDAP Proxy is being developed. This web page will allow certificate lookups to be made through a web server. The web interface is made up of a web page and a corresponding CGI program. The web page allows the user to specify the email address of the person whose public certificate(s) are wanted, and the type of certificate (i.e., the certificate issuer). The web page will invoke the CGI program, which will perform the LDAP search using the LDAP Proxy Service.
This interface has two primary advantages over client-based LDAP queries. First, it allows access to the LDAP Proxy through firewalls that may be blocking LDAP ports which would prevent the user from doing email client-based LDAP queries to that Proxy. This assumes, of course, that the firewall is not also blocking the HTTP port (80). Secondly, the web interface will (hopefully) provide an easier means of getting public X.509 certificates imported into various email clients.
The web interface is currently configured to help load certificates into the Mozilla (on UNIX/Linux) and Internet Explorer web browsers. Once the certificates are loaded into Mozilla, the built-in Mozilla Communicator and standalone Thunderbird email clients have access to the certificates for use in email encryption and digital signing. Also, the Outlook and Outlook Express email clients have access to the public certificates once they are loaded into Internet Explorer.
For use by other types of PKI enabled clients, options are available to have the certificates returned by the web interface in several formats. These certificates can then be saved to files and imported into a PKI client application using the client's certificate import procedure.

Download the LDAP Proxy
The LDAP Proxy is an open source application distributed under the provisions of the GNU General Public License. Pre-compiled LDAP Proxy install kits and source code are available from the SourceForge.net site.

LDAP Proxy Team

Contact: Boeing LDAP Proxy Team

Last Update: Oct. 31, 2007