Page 1: Digital identity platform...European number one in Cloud, Cybersecurity and High-Performance Computing, the Group provides end-to-end Orchestrated Hybrid Cloud, Big Data, Business

IDnomic ID PKI Suite

Digital identity platform

Overview diagram: modules of ID Trust, ID Manage and ID Connect

• ID CA manages certificate authorities (CAs) and generates certificates

• Offline CA generates a root CA in a secure environment

• TSP generates trusted timestamps

• ID RA manages the identities of objects and machines

• CMS manages users’ identities

• OCSP validates the certificate’s status online

• Connection modules of the Credential Management System (CMS)

• Automation protocols available on ID RA

ID PKI suite – Key Advantages

Efficient and flexible

• A modular, upgradeable multi-tier architecture that facilitates deployment and integration while providing a customer-oriented web interface.

• Web services that simplify integration into your company’s current or future environment.

• Scalable solution for mission-critical environments of all sizes.

• Produces and administers millions of certificates to better serve large-scale IoT deployments.

Compatible and compliant

• Components are installed on your organization’s premises or deployed from the IDnomic cloud.

• Manages cryptographic devices (HSMs, smart cards, tokens).

• Compatible with certificate management protocols (SCEP, EST etc.).

• Complies with eIDAS, French RGS, EAL4+ Common Criteria (CC) and SecNumCloud*.

*Available soon, contact us for more information

Establishing a trusted environment is crucial to cope with today’s cybersecurity threats. ID PKI, the digital identity platform by IDnomic, helps you protect digital data transfers and manage credentials stored in any type of cryptographic device, while meeting the highest criteria when it comes to security, quality and robustness.

The suite offers three functional and technological components to optimize operations and achieve a high level of performance, each component playing an important role in the delivery and management of digital identities.

Modular, interoperable and scalable

Diagram: ID Trust, ID Manage and ID Connect

ID PKI Suite, IDnomic’s digital identity platform

Certificate Authority Module: ID CA

ID CA is a trust entity that enables secure, centralized management (creation, organization and maintenance) of Certificate Authority lifecycles and the production of digital certificates. ID CA guarantees certificate integrity and the authenticity of the data contained in the certificates that are issued.

Functionalities

• Creation of partitions to divide resources (CA, certificate profiles, etc.)

• CA lifecycle management

• Creation and revocation of digital certificates by CAs

• Definition of certificate profiles

• Signature services required for certification

• Automatic creation of certificate revocation lists (CRLs) in X.509 CRL v2 format

• Publication of certificates and associated CRLs in an LDAP directory

• Records all functional and technical events involving platform activity and guarantees log integrity (logs are signed and chained)

• The key-pair generation center can be combined with the key back-up service (key escrow) for certificate recovery via ID RA in the event of loss

• Reporting module

• Multi-tenant architecture
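The log integrity guarantee listed for ID CA (records that are signed and chained) works along the lines of this added example, which is not IDnomic code: each record hashes the previous record's hash, and a keyed MAC stands in for the platform's HSM-backed signature (an assumption, as are the sample events and the demo key).

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: the real platform signs with a key kept in
# the HSM behind its PKCS#11 interface; a keyed MAC stands in for that here.
LOG_KEY = b"demo-log-signing-key"
GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash, body):
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def _mac(digest):
    return hmac.new(LOG_KEY, digest.encode(), hashlib.sha256).hexdigest()

def append_event(chain, event):
    """Append a record whose hash covers the previous hash (chaining) and whose MAC covers that hash (signing)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)
    digest = _digest(prev, body)
    chain.append({"prev": prev, "event": body, "hash": digest, "mac": _mac(digest)})
    return chain

def verify_chain(chain):
    """Return (True, length) for an intact chain, else (False, index of first bad record).
    Truncation of the tail is not visible here; anchor the latest hash externally."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i  # a record was removed or reordered
        if rec["hash"] != _digest(prev, rec["event"]):
            return False, i  # record content was altered
        if not hmac.compare_digest(_mac(rec["hash"]), rec["mac"]):
            return False, i  # hash rewritten without the signing key
        prev = rec["hash"]
    return True, len(chain)

def demo():
    """Constructed sample: three CA events, then an edited record and a deleted record."""
    chain = []
    for ev in ({"op": "issue", "serial": "1A2B"},
               {"op": "revoke", "serial": "1A2B", "reason": "keyCompromise"},
               {"op": "issue", "serial": "1A2C"}):
        append_event(chain, ev)
    edited = [dict(r) for r in chain]
    edited[1]["event"] = edited[1]["event"].replace("keyCompromise", "unspecified")
    deleted = chain[:1] + chain[2:]
    return verify_chain(chain), verify_chain(edited), verify_chain(deleted)
```

Both tampering attempts are reported at index 1: the edit because the stored hash no longer matches the record, the deletion because the next record's previous-hash link is broken.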

Key features

• X.509 V3 certificate profile management

• Database server environments: Oracle and PostgreSQL

• Certificate requests: PKCS#10 and CSR

• Signature algorithms: RSA (1024–4096 bits), RSA PKCS#1 v1.5, RSA-PSS PKCS#1 v2.1 and ECDSA (192–521 bits)

• HSMs supported: SafeNet, nShield, Trustway Proteccio and Utimaco CryptoServer. Interface with the HSM via the IDnomic HSS module (PKCS#11)

• Server environments: Red Hat Enterprise, SUSE Linux Enterprise Server, CentOS, JDK 1.8, Apache Tomcat and Apache httpd

• Connectors: Web service, XML over HTTPS

• Hashing algorithms: SHA-2, SHA-256 MGF1, SHA-384 MGF1 and SHA-512 MGF1

• Compliant with eIDAS and RGS

• EAL4+ Common Criteria evaluation*

ID Trust, the cornerstone of IDnomic’s solution range, generates and manages digital identities thanks to a robust technical baseline that meets the highest standards in terms of performance and functionality.

*Available soon, contact us for more information

Certificate authority creation module

IDnomic’s CA creation module lets you connect to an HSM to securely generate a key pair and self-signed CA certificate during a key ceremony.

• Supports 4096-bit key pair generation for the RSA algorithm or P-256 ECDSA key pair generation in compliance with the FIPS 186-2 standard (signing of CAs and certificates).

• Generates a self-signed CA certificate in the ISO 7816 format, signed with the SHA-256 hash function when the RSA algorithm is used.

Timestamp module

The IDnomic timestamp module lets you issue signed tokens. Combining a digital signature system with a time source, this service can be used to attest to a document’s existence at a specific moment in time. Responses are signed using cryptographic equipment featuring an interface compliant with the PKCS#11 standard.

• Compliant with eIDAS, French RGS and RFC 3161.


Registration authority module for objects and machines: ID RA

ID RA is a Registration Authority in charge of checking the credentials of a certificate requester. It also offers an easy way to manage the workflow of certificates.

Functionalities

• Configuration of certificate lifecycles, making it possible to define the associated strategy

• Definition of roles and users per configuration

• Definition of personalized workflows

• Management of certificate lifecycles based on profile (certificate requests are approved or denied based on workflow, enrollment, suspension, renewal and revocation)

• Request enrollment and validation (automatic or manual) and distribution of digital certificates to the network’s active components

• Searches for and retrieves certificates

• Audits each action performed in the system

• Seamless integration of computers and network devices present in a Microsoft Windows environment via IDnomic’s Auto Enrollment Proxy (AEP)

Key features

• Web Service connector to facilitate integration with legacy systems and enable external entities to perform certificate operations

• Database server environments: Oracle and PostgreSQL

• HSMs supported: SafeNet, nShield, Trustway Proteccio and Utimaco CryptoServer

• Server environments: Red Hat Enterprise, SUSE Linux Enterprise Server, CentOS, JDK 1.8, Apache Tomcat and Apache httpd

ID Manage, the component that controls identities, steers all IDnomic technology and ensures that each request for digital identity proof is legitimate.

Online certificate validation module - Online Certificate Status Protocol (OCSP)

IDnomic’s OCSP module lets you centralize certificate validation by providing real-time information on a certificate’s status. It optimizes network performance and efficiently manages large volumes of requests.

• Can be configured to require authenticated access (SSL/TLS with a client certificate) for every single call to the platform.

• Depending on the need, and to ensure up-to-date information is available to the responder, the OCSP service can implement different mechanisms to check the status of the certificate (white list or black list).

• If one or more certificates are frequently requested, high-capacity operation can be set up via a secure dedicated cache or a cache in the cloud.

• Compliant with French RGS, eIDAS, RFC 2560 and RFC 6960.
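An added illustration, not IDnomic code, of the two status-check mechanisms (white list or black list) and the response cache mentioned above. The serials, reason codes, one-hour validity window and field names are constructed assumptions; the status values are the RFC 6960 certStatus values.

```python
from datetime import datetime, timedelta, timezone


class OcspResponder:
    """Status decision plus response cache. mode="blacklist" answers from the revocation
    records alone (CRL-like); mode="whitelist" also requires the serial to be in the CA's
    issued set, so a serial the CA never issued is reported "unknown", not "good"."""

    def __init__(self, issued, revoked, mode, validity=timedelta(hours=1)):
        self.issued, self.revoked = set(issued), dict(revoked)
        self.mode, self.validity, self.cache = mode, validity, {}

    def status(self, serial):
        """RFC 6960 certStatus: good, revoked or unknown."""
        if serial in self.revoked:
            return "revoked"
        if self.mode == "whitelist" and serial not in self.issued:
            return "unknown"
        return "good"

    def respond(self, serial, now):
        """Serve the cached response until its nextUpdate, else build a fresh one."""
        resp = self.cache.get(serial)
        if resp is None or now >= resp["nextUpdate"]:
            resp = {"serial": serial, "status": self.status(serial),
                    "thisUpdate": now, "nextUpdate": now + self.validity}
            self.cache[serial] = resp
        return resp

    def revoke(self, serial, reason):
        self.revoked[serial] = reason
        self.cache.pop(serial, None)  # never serve a stale "good" after revocation


# Constructed sample data, not from the brochure: serials of one CA.
ISSUED = {"1A2B", "1A2C", "1A2D"}
REVOKED = {"1A2C": "keyCompromise"}
T0 = datetime(2019, 10, 1, tzinfo=timezone.utc)


def cache_demo():
    """Cache hit inside the validity window, miss after it, eviction on revoke."""
    r = OcspResponder(ISSUED, REVOKED, "whitelist")
    first = r.respond("1A2B", T0)
    hit = r.respond("1A2B", T0 + timedelta(minutes=30)) is first
    miss = r.respond("1A2B", T0 + timedelta(hours=2)) is not first
    r.revoke("1A2B", "cessationOfOperation")
    return hit, miss, r.respond("1A2B", T0 + timedelta(hours=2))["status"]
```

The practical difference between the two mechanisms shows on a serial the CA has no record of: a black-list responder answers "good", a white-list responder answers "unknown".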


Credential management system module for users: CMS

The CMS enables complete management of user certificate lifecycles and facilitates the global administration of cryptographic media, providing administrators with a single and secure system to manage all user identities. The CMS covers all security needs and integrates with third party software solutions such as mobile device management (MDM) and Single Sign-on (SSO).

Functionalities

• Certificate enrollment, creation of specific containers for each application

• Pre- and post-issuance of smart cards and the associated secrets: PIN, PUK and activation codes

• Batch enrollment of certificates, and per-request operations in self-care service mode: card unlocking, PIN code change

• Comprehensive graphical and electrical smart card personalization

• Device enrollment management procedures: self-enrollment, badge office, pre-personalization, distribution and assignment to holders

• Device management procedures: generation of temporary replacement cards, declaration of device loss or theft, automatic migration or renewal of cryptographic content, device recycling and remote unlocking

• Cross-cutting services: logging, notification, publication, audit and rights management

• Thin client to assist users in their everyday operations (card initialization, assignment, change of PIN code, remote unlocking of locked card, secret recovery, etc.) both online and offline

Key features

• HSMs supported: SafeNet, nShield, Trustway Proteccio, Utimaco CryptoServer, AWS Cloud HSM, Banksys DEP and AEP Networks Keyper (FIPS mode supported)

• Server environments: Red Hat Enterprise, SUSE Linux Enterprise Server and CentOS

• Smart cards, tokens and middleware:

• Smart card readers: SafeNet Reader CT1100, SafeNet Reader K1100, Gemalto PC PIN Pad Reader, Gemalto PC Twin Reader, Gemalto USB Shell Token v2, Omnikey 3121, Omnikey 3821 and SCM SCR3310

• Mobile device management (MDM): Intune, AirWatch, MobileIron, BlackBerry, IBM MaaS360 and Jamf*

• Third party applications: Avencis SSOX, Dogtag Certificate System, EJBCA, Evidian SSOWatch, Microsoft Certificate Services and VeriSign Managed PKI

• Smart card printers: Evolis and Fargo

• Vasco DIGIPASS KEY and AET SafeSign middleware

• G&D STARCOS and Cryptovision middleware

• Gemalto Classic TPC with IDGo 300, Gemalto Net v2+, SafeNet eToken 5300, IDPrime .Net and IDPrime MD 830, 830B (FIPS 140-2 Level 2), 840, 840B, 940, 3810 and 3840 with SafeNet Authentication Client middleware

• Gemalto SafeNet eToken 4100/5100/5105 (eToken PRO) and SafeNet Authentication Client

• Gemalto SafeNet eToken 5110/5110+ FIPS and SafeNet Authentication Client

• Gemalto and IDEMIA cards with IAS-ECC middleware

• IDEMIA Morpho ypsID, Em ccid and ypsID middleware

• IDEMIA Oberthur ID-One Cosmo and AWP middleware

• JCOP3 P60 and NXP Athena middleware


*Available soon, contact us for more information


ID Connect delivers digital identities to trusted users, machines and objects thanks to a broader set of modules and features. ID Connect also supports the protocols that help simplify certificate management.

Credential management system modules

• Smart Guard: Management of digital identity lifecycles stored in cryptographic devices such as USB tokens or smart cards. Covers the full range of operational and support needs for a very large number of potential users

• Mobile Guard: Remote management of digital identities stored on smartphones and tablets. Mobile Guard interfaces with Mobile Device Management (MDM) tools that control the fleet of mobile devices and enforce security policies such as the use of certificates

• Virtual Guard: Management of digital identities stored in virtual smart cards residing on Trusted Platform Modules (TPMs) which are natively installed in most hardware available on the market

• Soft Guard: Management of digital identities stored on the Windows key store to improve the user experience. Soft Guard lets you enroll several certificates through a single operation

• Bio Guard: Management of digital identities based on multi-factor authentication. The PIN code is replaced by finger vein recognition using a specific reader and middleware

Automation modules available in ID RA

• Simple Certificate Enrollment Protocol (SCEP) support for certificate-based authentication of network components (routers, VPN concentrators)

• Enrollment over Secure Transport (EST) protocol support for easy certificate management

• Automatic Certificate Management Environment (ACME) protocol support allows web servers to simply and automatically retrieve certificates*

• Certificate Management Protocol (CMP) support for obtaining certificates*

• WCCE / CMC protocol support to enable automatic certification of devices in a Microsoft Windows environment. ID RA implements this protocol through IDnomic’s Auto-Enrollment Proxy (AEP)

*Available soon, contact us for more information

Architecture diagram (figure): the Credential Management System (CMS) with its Smart Guard, Mobile Guard, Virtual Guard, Soft Guard, Bio Guard and batch enrollment modules, security agent, badge office, self-enrollment, client CMS interface, self-care web portal, assistance, administration and web audit interfaces, backed by an HSM and an LDAP/AD directory; the Registration Authority (ID RA) with its registration entity (RE), RA officers, reporting module, web audit interface, SCEP agent and connector, AEP for Microsoft equipment, and web services and automation connectors (SCEP native, EST, ACME, CMP*); and the Certificate Authority (ID CA) with administrator and auditor roles and a web audit interface.

*Available soon, contact us for more information


For more information: [email protected]

About Atos

Atos is a global leader in digital transformation with over 110,000 employees in 73 countries and annual revenue of over € 11 billion. European number one in Cloud, Cybersecurity and High-Performance Computing, the Group provides end-to-end Orchestrated Hybrid Cloud, Big Data, Business Applications and Digital Workplace solutions. The group is the Worldwide Information Technology Partner for the Olympic & Paralympic Games and operates under the brands Atos, Atos Syntel, and Unify. Atos is a SE (Societas Europaea), listed on the CAC40 Paris stock index.

The purpose of Atos is to help design the future of the information technology space. Its expertise and services support the development of knowledge, education as well as multicultural and pluralistic approaches to research that contribute to scientific and technological excellence. Across the world, the group enables its customers, employees and collaborators, and members of societies at large to live, work and develop sustainably and confidently in the information technology space.

Atos, the Atos logo, Atos Syntel and Unify are registered trademarks of the Atos group. October 2019 © Copyright 2019, Atos S.E. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.

Find out more about us atos.net/idnomic atos.net/careers

Let’s start a discussion together
