
ACM Overview & Prerequisites

Accops Certificate Manager (ACM) is a new component that provides lightweight, scalable certificate issuance and lifecycle management tailored for AD/LDAP-based VDI authentication scenarios.

Key Capabilities

  • User Authentication Flow

    • On user login:

      • The system validates the account status with Active Directory / LDAP (e.g., disabled/locked accounts are rejected).

      • If AD/LDAP validation succeeds, the Certificate Manager validates user parameters embedded within the client certificate (e.g., username, UID, UPN).

      • On success, the user is granted access to the VDI environment.

  • Certificate Lifecycle Management

    • During first login, the Certificate Manager issues a user-specific client certificate.

    • On subsequent logins:

      • The system can re-issue or regenerate the user certificate as needed, ensuring validity and freshness.

      • Revoked or expired certificates are seamlessly replaced, reducing user friction.

  • Integration Simplifications

    • Offloads certificate issuance and lifecycle operations from Microsoft CA.

    • Eliminates CA bottlenecks in high-scale VDI environments.

    • Reduces certificate-related administrative maintenance.

Benefits:

  • Performance: Eliminates dependency on Microsoft CA for high-volume session logins, reducing latency and system load.

  • Scalability: Optimized for large-scale VDI deployments with dynamic session churn.

  • Security: Enforces dual validation: first through AD/LDAP account status, then via certificate attributes.

  • Maintainability: No need for constant CA maintenance and monitoring; the lifecycle is handled seamlessly by the Certificate Manager.

1. Components Overview

1.1. MongoDB

  • Primary Database

    • MongoDB will serve as the primary datastore for both the Certificate Manager and the Authorizer.

  • Data Stored

    • Certificate metadata and encrypted private keys managed by the Certificate Manager

    • Tenant and service information managed by the Authorizer

  • High-availability Deployment

    • A three-node replica set will be configured across three virtual machines

    • Each VM will host one Docker container; containers will join to form the replica set

    • Data volumes on the host machines will be mounted into the containers to ensure persistence across container restarts

  • Important Note

    • MongoDB requires a CPU with AVX (Advanced Vector Extensions) support. Please ensure your VM or host machine has AVX-enabled CPUs before deploying MongoDB.

1.2. HashiCorp Vault

  • Certificate Authority

    • Vault will function as the internal Certificate Authority (CA).

  • Deployment Topology

    • Three standalone Vault instances will be deployed on separate hosts (no Raft cluster).

    • Running independent nodes maximizes throughput for cryptographic operations.

  • Responsibilities

    • Generating and signing user certificates upon request from HyWorks

    • Encrypting and decrypting user private keys for secure storage in MongoDB

  • Certificate generation properties

    • Key Type: RSA

    • Key Size: 2048

    • Hashing Algorithm: SHA-256

1.3. Authorizer and Tenant Management Service

  • Purpose

    • Secure all interactions between HyWorks and the Certificate Manager.

  • Workflow

    1. Token Generation & Request Encryption (HyWorks):

      • Issues bearer tokens for API authentication

      • Encrypts payloads containing sensitive data (e.g., PFX password, user ID, UPN)

    2. Token Verification & Request Decryption (Certificate Manager):

      • Validates bearer tokens via the Authorizer

      • Decrypts incoming requests using the tenant's private key

1.4. Accops Certificate Manager

  • Core Function

    • Generates and returns user certificates in PFX format upon authenticated request.

  • Request Handling

    1. Authentication & Decryption

      • Verify bearer token via the Authorizer

      • Decrypt the request payload using the tenant's private key

    2. Certificate Lookup

      • If a valid, unexpired certificate exists in MongoDB:

        • Retrieve the certificate chain and public key from Vault

        • Fetch the encrypted private key from MongoDB and decrypt via Vault API

      • If no valid certificate exists:

        • Request a new certificate from Vault (includes public and private key)

        • Encrypt the private key and store it in MongoDB alongside certificate metadata

    3. PFX Generation

      • Package the certificate (public key) and the decrypted private key into a PFX file, protected with the password supplied in the request

      • Return the PFX file in the API response

  • Stickiness with Vault

    • The cluster runs three independent Vault instances, one per node. Because they share no state, a certificate must be looked up on the Vault instance that issued it.
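The lookup, issuance and PFX packaging steps of section 1.4, together with the two-step login check described under User Authentication Flow, as an added shell example; this is not Accops' code. OpenSSL and a working directory stand in for Vault and MongoDB, a fixed passphrase stands in for Vault's key-encryption API, and every name here (`setup_ca`, `get_or_issue`, `build_pfx`, `validate_login`, the `user:status` account table, the storage passphrase) is constructed for the example. Key type, size and digest follow the page: RSA, 2048 bits, SHA-256.

```shell
#!/bin/sh
# Added example, not Accops code. A local OpenSSL CA stands in for Vault, a
# directory stands in for MongoDB, and a passphrase stands in for Vault's
# key-encryption API; every name and value below is constructed for the demo.
# Key type, size and digest follow the page: RSA, 2048 bits, SHA-256.
set -u

# Stand-in for the Vault-managed key that encrypts stored private keys
STORAGE_PASS=${STORAGE_PASS:-storage-key-for-demo-only}

# setup_ca DIR: create the issuing CA key pair and self-signed certificate
setup_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca.key" 2>/dev/null &&
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 3650 \
        -subj "/CN=ACM Example CA" -out "$1/ca.crt" 2>/dev/null
}

# issue_user_cert DIR USER DAYS: fresh RSA-2048 key pair and SHA-256-signed
# certificate for USER; the private key is kept only in encrypted PKCS#8 form
# (what the manager stores in MongoDB) and the plaintext copy is removed.
issue_user_cert() {
    dir=$1 user=$2 days=$3
    tmpkey=$(mktemp)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$tmpkey" 2>/dev/null &&
    openssl req -new -key "$tmpkey" -subj "/CN=$user" -out "$dir/$user.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days "$days" -out "$dir/$user.crt" 2>/dev/null &&
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$tmpkey" -out "$dir/$user.key.enc" \
        -passout "pass:$STORAGE_PASS" 2>/dev/null
    rc=$?
    rm -f "$tmpkey" "$dir/$user.csr"
    return "$rc"
}

# cert_valid FILE BUFFER: 0 only if FILE exists, is not expired, and will not
# expire within BUFFER seconds (the freshness check before a cert is reused)
cert_valid() {
    [ -f "$1" ] && openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1
}

# get_or_issue DIR USER [BUFFER]: the lookup step of section 1.4. Prints
# "reused" when a fresh certificate already exists, "renewed" when an expired
# or expiring one is replaced, "issued" on a user's first login.
get_or_issue() {
    dir=$1 user=$2 buffer=${3:-86400}
    if cert_valid "$dir/$user.crt" "$buffer"; then
        echo reused
        return 0
    fi
    if [ -f "$dir/$user.crt" ]; then verb=renewed; else verb=issued; fi
    issue_user_cert "$dir" "$user" 30 || return 1
    echo "$verb"
}

# build_pfx DIR USER PASSWORD OUT: decrypt the stored private key and bundle
# it with the user certificate and the CA chain into a PKCS#12 (PFX) file
# locked with the password supplied in the request
build_pfx() {
    dir=$1 user=$2 pw=$3 out=$4
    tmpkey=$(mktemp)
    openssl pkcs8 -in "$dir/$user.key.enc" -passin "pass:$STORAGE_PASS" -out "$tmpkey" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$tmpkey" -in "$dir/$user.crt" -certfile "$dir/ca.crt" \
        -name "$user" -passout "pass:$pw" -out "$out" 2>/dev/null
    rc=$?
    rm -f "$tmpkey"
    return "$rc"
}

# validate_login DIR USER CERT TABLE: the dual check from "User Authentication
# Flow". TABLE holds "user:status" lines, a constructed stand-in for the
# AD/LDAP lookup. Step 1 rejects any account that is not active; only then is
# the presented certificate checked against the CA and the expected username.
validate_login() {
    dir=$1 user=$2 cert=$3 table=$4
    status=$(printf '%s\n' "$table" | awk -F: -v u="$user" '$1 == u { print $2 }')
    if [ "$status" != active ]; then
        echo "denied: account $user is ${status:-unknown}"
        return 1
    fi
    if ! openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1; then
        echo "denied: certificate does not chain to the CA"
        return 1
    fi
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject=//')
    if [ "$subject" != "CN=$user" ]; then
        echo "denied: certificate subject $subject does not match $user"
        return 1
    fi
    echo "granted: $user"
}

# Usage: source this file, then e.g.
#   d=$(mktemp -d); setup_ca "$d"; get_or_issue "$d" alice
#   build_pfx "$d" alice 'request-password' "$d/alice.pfx"
```

The account check runs before any certificate work, so a disabled or locked account is refused even when it still holds a valid certificate; the certificate check then binds the presented certificate to the CA and to the username the login claims. The buffer argument of `get_or_issue` is what turns "expired" into "expiring soon", which is how a certificate can be replaced before a login ever fails.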

1.5. Certificate Cleanup Service

  • Function

    • Automatically removes expired certificates from both MongoDB and Vault.

  • Process

    1. Delete expired certificate records from MongoDB.

    2. Invoke Vault's tidy API to clean up corresponding certificates, since Vault does not provide a dedicated "delete certificate" endpoint.

    3. The cleanup runs every 15 minutes.

1.6. Flow Diagram

1.7. Deployment Diagram

2. Prerequisites

Before beginning, ensure each of the three Linux VMs meets the following:

  1. Number of machines: three or more, in odd numbers. The ACM cluster requires a minimum of three nodes.

  2. Operating System:

    1. Ubuntu 20.04+ with sudo privileges.

    2. RHEL 9.4+ with sudo privileges.

  3. System Resources (per VM):

    • CPU: 8 cores minimum.

    • Memory: 16 GB RAM.

    • Disk: 200 GB free space for volumes, used for database storage and the Vault certificate store.

  4. Networking:

    • Direct internet access is recommended. If direct internet access is not available, the following URLs must be whitelisted:

      • On RHEL:

        • RHEL Packages Installation: *.redhat.com

        • Docker Installation and Image Pulling: *.docker.io, *.docker.com

        • HashiCorp Vault CLI Tool Installation: *.hashicorp.com

    • Hostnames must be resolvable via DNS or /etc/hosts. (All three ACM nodes must be able to resolve the hostnames of the other nodes.)

  5. Time Sync: NTP or Chrony configured to prevent certificate/timestamp issues.

  6. Software:

    • Docker Engine (v20.10+) installed.

    • Docker Compose plugin (v2.x) or standalone binary.

    • HashiCorp Vault CLI (v1.13.0+).

    • OpenSSL (v1.1.1+).

  7. User Account: User account with sudo access to run the scripts and commands.

  8. Port requirements:

    • Ports reachable within the cluster:

      • 8200: HashiCorp Vault, accessed from the Certificate Manager

      • 27017: MongoDB HA cluster replication, and database access from the Certificate Manager, Authorizer and Tenant Service

    • Ports reachable from HyWorks or the load balancer:

      • 4000: Authorizer API, accessed from HyWorks or the load balancer

      • 4001: Tenant Service API, accessed from HyWorks or the load balancer

      • 4002: Certificate Manager API, accessed from HyWorks or the load balancer

      • 8200: To access the CRL of the Vault instances (Directory Server)

  9. CPU with AVX Support

    • MongoDB requires a CPU with AVX (Advanced Vector Extensions) support. Please ensure your VM or host machine has AVX-enabled CPUs before deploying MongoDB.

  10. Load Balancer

    • A load balancer is required in front of the three VMs to route traffic and perform failure detection.
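A preflight script for one node that turns the list above into checks, added here as an example and not part of Accops' tooling. Thresholds are the page's numbers; the pure functions (`version_ge`, `cpu_has_avx`, `tool_version`) take their input as arguments so they can be tested on constructed values, while `run_checks` applies them to the live host and assumes a Linux system with `df`, `ss`, `getent`, `nproc` and `/proc` available. The function names, the `--run` flag and the `/var/lib` volume path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not Accops tooling: preflight checks for one ACM node against
# the prerequisites above. Pure functions take their input as arguments so they
# can be tested on constructed values; run_checks applies them to the live host.
set -u

# version_ge ACTUAL REQUIRED: 0 if ACTUAL >= REQUIRED, comparing dotted numeric
# components; a trailing letter such as OpenSSL's "1.1.1f" is ignored, and an
# empty ACTUAL (tool not installed) never satisfies a requirement.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; ai=${ai%%[!0-9]*}
        bi=${b%%.*}; bi=${bi%%[!0-9]*}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# cpu_has_avx CPUINFO: 0 if the CPU flags list "avx" (MongoDB requirement);
# "avx2" or "avx512f" alone do not count, the base AVX flag must be present
cpu_has_avx() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])avx([[:space:]]|$)'
}

# tool_version CMD [ARGS...]: first dotted version in the tool's output, or
# nothing (and status 1) when the tool is not installed
tool_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    "$@" 2>/dev/null | grep -Eo '[0-9]+\.[0-9]+(\.[0-9]+)?[a-z]?' | head -n 1
}

# disk_free_gb PATH: free GB on the filesystem that holds PATH
disk_free_gb() { df -Pk "$1" | awk 'NR == 2 { print int($4 / 1048576) }'; }

# mem_total_gb: installed RAM in GB
mem_total_gb() { awk '/^MemTotal:/ { print int($2 / 1048576) }' /proc/meminfo; }

# resolvable HOST: 0 if HOST resolves via DNS or /etc/hosts
resolvable() { getent hosts "$1" >/dev/null 2>&1; }

# port_free PORT: 0 if nothing on this host already listens on PORT
port_free() { ! ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -Eq "[:.]$1\$"; }

# run_checks PEER...: apply every prerequisite to this host, print PASS/FAIL
# per item and return the number of failures
run_checks() {
    fails=0
    check() {   # check LABEL COMMAND [ARGS...]
        label=$1; shift
        if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
    }
    check "CPU supports AVX (MongoDB)"     cpu_has_avx "$(cat /proc/cpuinfo 2>/dev/null)"
    check "CPU cores >= 8"                 [ "$(nproc 2>/dev/null || echo 0)" -ge 8 ]
    check "RAM >= 16 GB"                   [ "$(mem_total_gb)" -ge 16 ]
    check "Free disk >= 200 GB (/var/lib)" [ "$(disk_free_gb /var/lib)" -ge 200 ]
    check "Docker Engine >= 20.10"         version_ge "$(tool_version docker --version)" 20.10
    check "Docker Compose >= 2.0"          version_ge "$(tool_version docker compose version)" 2.0
    check "Vault CLI >= 1.13.0"            version_ge "$(tool_version vault --version)" 1.13.0
    check "OpenSSL >= 1.1.1"               version_ge "$(tool_version openssl version)" 1.1.1
    check "Time sync (chronyd/ntpd/timesyncd)" \
        sh -c '{ pgrep -x chronyd || pgrep -x ntpd || systemctl is-active systemd-timesyncd; } >/dev/null 2>&1'
    for p in 4000 4001 4002 8200 27017; do check "Port $p free" port_free "$p"; done
    for h in "$@"; do check "Resolves peer $h" resolvable "$h"; done
    return "$fails"
}

# Usage: sh preflight.sh --run acm-node2 acm-node3   (peer hostnames to resolve)
case ${1:-} in --run) shift; run_checks "$@" ;; esac
```

Run it on each of the three nodes with the other two hostnames as arguments; a non-zero exit status is the number of failed items, so it can gate an installation pipeline. The port checks only report what already listens locally, not firewall reachability, which still has to be verified from HyWorks or the load balancer side.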