Friday, November 27, 2009

EJBCA and OpenSSO integration

EJBCA and OpenSSO are great companions. EJBCA provides users with digital certificates for strong authentication and digital signatures, and OpenSSO uses these credentials to provide single sign-on and authorization, using the latest buzzwords such as SAML and XACML.
Over at we have a couple of great articles on how to set up the integration between EJBCA and OpenSSO and how to configure the Certificate authentication module in OpenSSO. Issue a certificate in EJBCA and immediately use it to authenticate with OpenSSO.

Check out the EJBCA-OpenSSO articles at

Monday, November 23, 2009

MySQL on a SSD disk

I thought that my MySQL InnoDB database was a bit slow, at least when running on an encrypted disk. Added an 80GB X25-M SSD disk to keep the MySQL database on (only development data, so no encryption needed there). My performance increased 5 times at worst and more than 10 times at best.
Applications with a lot of short database accesses (such as large update statements in MySQL) will get a huge boost from an SSD. We will see how it performs in the long run...
So far it is highly recommended!

Bind-mount is really good:
mount -B /media/SSD/mysql /var/lib/mysql
or in fstab:
/media/SSD/mysql /var/lib/mysql bind defaults,bind 0 0
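The same move done as a script, added here as an example (not from the original post): it copies the existing datadir to the SSD with ownership and labels preserved, bind-mounts it back onto the original path, and refuses to continue if the moved data directory has become readable by other users. The paths /media/SSD/mysql and /var/lib/mysql are taken from the post; the owner name "mysql" and the "service mysql" commands are assumptions for a Debian/Ubuntu-style install.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumed layout: SRC=/media/SSD/mysql (on the SSD), DST=/var/lib/mysql (MySQL datadir).

# Emit the fstab line for a persistent bind mount. mount(8) documents the
# form "<olddir> <newdir> none bind" for this; the type field is ignored.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# Check that a directory is owned by the expected user and carries no
# permission bits for "other". InnoDB files on the SSD are plain, unencrypted
# data, so the copied datadir must not end up world-readable on the new disk.
# Returns 0 when the directory passes, 1 otherwise.
datadir_perms_ok() {
    dir=$1; owner=$2
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%U' "$dir")" = "$owner" ] || return 1
    mode=$(stat -c '%a' "$dir")
    # The last octal digit is the "other" class; anything but 0 is rejected.
    case $mode in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Full migration. Needs root and a stopped MySQL; "service mysql" is assumed.
migrate_datadir() {
    src=$1; dst=$2
    service mysql stop || return 1
    mkdir -p "$src" || return 1
    # -a keeps owner, mode and timestamps; -A/-X keep ACLs and xattrs
    # (SELinux labels), so the copy looks exactly like the original datadir.
    rsync -aAX "$dst/" "$src/" || return 1
    mount --bind "$src" "$dst" || return 1
    if ! datadir_perms_ok "$dst" mysql; then
        echo "refusing to start MySQL: bad owner/permissions on $dst" >&2
        return 1
    fi
    fstab_bind_line "$src" "$dst" >> /etc/fstab
    service mysql start
}
```

Run migrate_datadir /media/SSD/mysql /var/lib/mysql as root once; the fstab line it appends makes the bind mount survive reboots.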

Did all this to speed up producing really large CRLs (>500,000 revoked certificates). Works pretty neat.

Thursday, November 5, 2009

USB pass-through to KVM in Ubuntu Karmic (9.10)

You have to allow libvirt to use USB devices.

Edit /etc/apparmor.d/abstractions/libvirt-qemu and uncomment the following lines:

# WARNING: uncommenting these gives the guest direct access to host hardware.
# This is required for USB pass through but is a security risk. You have been
# warned.
/sys/bus/usb/devices/ r,
/sys/devices/*/*/usb[0-9]*/** r,
/dev/bus/usb/*/[0-9]* rw,

Migrating VMware images for use in KVM instead is nicely described here:
For a Red Hat image I simply ran:
sudo qemu-img convert -f vmdk redhat.vmdk -O qcow2 redhat.img

Create a new KVM machine in virt-manager, but terminate it when it tries to start installing. Simply replace the image virt-manager created with redhat.img and restart the new KVM machine.

SignServer 3.1.0 released

The PrimeKey SignServer team is happy to announce that SignServer 3.1 has been released! This is a major new version with lots of exciting functionality for document signing and validation.

Development continues beyond this version and all requests from the community and from the EJBCA Developer Conference [1] are scheduled for SignServer 3.2 or later releases.

More information is available at the project web site [2] and the complete changelog can be viewed in the issue tracker [3].

SignServer 3.1 Release Notes
  • New module system: The byte code for a worker can be packaged as a separate module that can be loaded and unloaded at runtime.
  • New workers:
      • XML Signer/Validator - Signing and validating XML documents.
      • ODF Signer - Signing Open Document Format documents, for instance used by
      • OOXML Signer - Signing Office Open XML documents.
      • CRL Validator - Validating certificates by looking up certificate revocation lists.
      • OCSP Validator - Validating certificates using the Online Certificate Status Protocol.
      • MRTD SOD Signer - Creating and signing ePassport security objects.
  • Several other minor features, fixes and improvements.