Tuesday, December 27, 2011

EJBCA 4.0.7 released

EJBCA PKI 4.0.7 was released as a Christmas gift on the 25th of December 2011.

A maintenance release containing 6 bug fixes and 4 new features or improvements.
New features
  • Documented EJBCA integration with the secure email server Djigzo.
  • Added a plug-in build system.
Bug fixes
  • Fixed an error reading large OCSP requests in some cases.
  • Fixed a few minor XSS issues.
  • Fixed a build issue of the Validation Authority on some platforms.
  • Improved support for Chinese in the admin console.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 4.0.8 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

Wednesday, December 21, 2011

SignServer 3.2.1 released

SignServer v3.2.1 was recently released. SignServer, the server-side (PKI) document signature server, gained a lot of improvements to PDF digital signing.
Secure PDF documents are a lot more complex than you'd think at first. There are a lot of security options, and several passwords and mechanisms that protect the various security aspects.

Major new features and improvements
  • Improved servlet error handling.

  • Deploy documentation with application.

  • Improved API for archiving.

  • Support for signing PDFs with document restrictions.

  • Support for: PDF permissions enforcement; modification of PDF permissions; setting PDF permission passwords.

  • Refuse to certify PDFs already certified and refuse to sign when signing is not allowed.

Bug fixes
  • Remote EJB worker interface could not be used with ECC with explicit parameters.

  • Warnings printed on STDERR.

  • Web service interface did not log XFORWARDEDFOR headers.

  • Typo in sample configuration for PDFSigner.

  • Setting healthcheck properties had no effect.

  • CRL download should close streams correctly and allow for caching.

  • Supplied username and password ignored in SigningAndValidationWS.

  • Unit tests failed in certain situations.

  • Ant target for testing individual tests did not work.

  • Switching application server type did not update jndi.properties.

  • JavaDoc failed to build.

SignServer 3.2.1 is a great tool to digitally sign and secure different types of documents. And of course it integrates well with EJBCA.

Thursday, December 1, 2011

EJBCA - Djigzo integration

The Djigzo email encryption gateway has a new release out with easy integration with EJBCA.

Basically it allows an email encryption gateway to automatically connect to EJBCA for certificate management. This makes an email encryption solution that is truly transparent to users possible.

For more info see the Guide at EJBCA.org.

You can also read the full EJBCA Setup Guide over at Djigzo.com.

EJBCA 4.0.6 released

Old news by now, but I'm travelling in Asia...

It is only a minor release, but it's good to have the blog complete :-)

The PrimeKey EJBCA team is happy to announce that EJBCA 4.0.6 has been released! This is a maintenance release — 4 issues have been resolved. The most noteworthy changes can be seen below.
EJBCA 4.0.6 release notes

A maintenance release containing 3 bug fixes and 1 new feature.

New features:
  • CMP: implemented message type KeyUpdateRequest.
Bug fixes:
  • Fixed importing empty CRL via CLI.
  • Fixed minor CMP and XSS issues.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 4.0.7 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

Wednesday, November 9, 2011

EJBCA 4.0.5 released

EJBCA, the Open Source Enterprise PKI, version 4.0.5 has been released.

This is a maintenance release with a few improvements and bug fixes. In all 7 issues have been resolved.

Noteworthy changes:
  • Correct comparison of public key in HSM and CA certificate.
  • Fixed regression during republish.
  • Many small bug fixes.
View the full changelog in our Jira.

We are currently focusing on bringing common criteria certification to EJBCA, something that will come in EJBCA 5, which is the next release that we are working on.

See the PrimeKey release news.

Regards,
The PrimeKey EJBCA Team

About the EJBCA project
EJBCA PKI is a Certification Authority and a complete enterprise PKI management system, delivered either as an integrable part or as a turnkey solution. EJBCA OCSP and EAC are sub functions of EJBCA PKI, and are used for on-line validation and ePassports.

EJBCA offers great advantages such as excellent cost-effectiveness, unmatched flexibility, complete integration – and full professional maintenance and support by PrimeKey, www.ejbca.com

Friday, October 14, 2011

Notes from the Oasis International Cloud Symposium 2011

Just home from the Oasis International Cloud Symposium 2011, I made a few notes. The notes should not be seen as a view of what was most interesting or most important. They are just the notes that I happened to take down; I may have missed things while drinking coffee, checking email or whatever.

One conclusion is that cloud computing promises a lot, but due to legal, security, privacy and interoperability issues the use of cloud computing for more sensitive types of data is still far away.

Day 1
-----
Security loves the Cloud. In many cases organizations moving old applications to the cloud get more secure: they get a platform managed by experts, etc.
There are a lot of other security challenges in the cloud, but platform security can often become better.

Local government authorities tend to compete instead of cooperate. Due to how their organizations work and how they procure IT, they have no idea what operating their services actually costs, and they don't have a mindset of sharing (with other authorities).

Adding complexity (seemingly to increase availability) can actually decrease availability. There is not much point in having a back-up site with automatic failover if service work on the back-up site brings the primary site down (the speaker had a real example).
(My note: we have also seen this in practice.)

PaaS cloud services can handle availability issues, but you have to spread the applications across availability zones.

Day 2
-----
The private market and government manage risk differently. Government tends to treat things as national security risks, while the private sector views everything as a business risk and only calculates the cost.

Moving lots of things to the Cloud can increase security, but it also creates huge, concentrated targets for the bad guys.

ENISA has created a book describing many different risk management methodologies.

Something missing is a way for the (cloud) customer to make informed risk assessments, such as security "grades" or checklists of the cloud provider.

In many applications there is a need for stronger authentication than the usual username/password. There are widespread PKI eID infrastructures already deployed and ready to be used.
Many examples of security breaches would have been considerably more difficult with the use of PKI authentication.

XACML is a flexible authorization framework that makes things better and more flexible. It can de-couple, and centralize, authorization decisions from the apps themselves.

Security audit is essential for real cloud operations.

Privacy issues are important. Users' personal data needs protection using technical, business and policy means. There is no single silver bullet; all areas are needed.

Currently processing of personal data in public clouds is not possible due to data protection reasons.

There are many legal impediments to successful cloud implementations.

An interesting figure is that 50% of all productivity gains (economics, GNP).

Technology issues in cloud computing are mostly solved, or will be solved soon. Remaining issues that are harder are QoS, SLAs, data ownership and jurisdiction.
There are many issues in the legal arena.

Day 3
-----
There are several cloud reference architectures out there. ISO is trying to combine them into one, but there will probably be several for different areas (IT, telecom etc).

EGI (European Grid Initiative) is aligning with NIST and will deploy a federated cloud in Europe.

Microsoft showed a commercial video, a bit off track imho...

Anil Saldhana of RedHat described the work that the IDCloud TC of Oasis is doing with use cases.

There are a lot of standardization efforts in the cloud area. All the different standardisation organizations are trying to figure out which part of all this is theirs to work on.
Everyone is approximately pulling in the right direction, but it will take some time before the dust settles and everyone figures out where they can best contribute.

The standardization process must be Open!

IEEE is working on inter-cloud protocols. ISO is looking at a higher level, starting with common terminology and reference architectures.

GICTF is trying to find the best of other standard organizations to work with.

IGTF operates as a global CA for the OGF.

Thursday, October 6, 2011

EJBCA 4.0.4 released

EJBCA, the Open Source Enterprise PKI, version 4.0.4 has been released.

This is a maintenance release with a few new features and bug fixes. In all 33 issues have been resolved.

Noteworthy changes:
  • Improved CMP with many new authentication modules in both client and RA mode, and support for nested content.
  • Support for custom certificate extensions with raw or RA defined values.
  • Many small bug fixes.
With this update EJBCA has support for most use cases for CMP, including the new 3GPP standard for PKI security in 4G/LTE mobile networks.

View the full changelog in our Jira.

We are currently focusing on bringing common criteria certification to EJBCA, something that will come in EJBCA 5, which is the next release that we are working on.

See the PrimeKey release news.

Regards,
The PrimeKey EJBCA Team

Friday, July 1, 2011

SignServer 3.1.5 and 3.2.0 released

Within a day SignServer, the enterprise digital signature server, released two new versions, 3.1.5 and 3.2.0. The most interesting one, of course, is SignServer 3.2.0.

To download, visit SignServer.org

Release notes for SignServer 3.2.0.

Release notes for SignServer 3.1.5.

SignServer supports many different signature formats such as XML, PDF, ODF, OOXML, CMS and MRTD (ePassport).

Wednesday, June 15, 2011

New EJBCA + SignServer LiveCD available

I have just created a new EJBCA LiveCD with EJBCA 4.0.3 and SignServer 3.2-svn.

On this LiveCD there is the latest release of OpenSC (0.12.1). Smart card enrollment and authentication has been tested with both Feitian and Aventra smart cards.

The LiveCD is available to download from the EJBCA web site.

Regards,
Tomas

Sunday, June 12, 2011

CMP for OpenSSL, new tool in the PKI professionals toolbox

A user of EJBCA pointed me to CMP for OpenSSL. It's a nice new open source toolkit, with both a development API and client tools.

The cmpclient works perfectly with EJBCA CMP in RA mode. I have documented how it works, with a sample command, in the EJBCA Admin Guide.

All in all, good signs for CMP I think.

Tuesday, June 7, 2011

CMP interoperability

I have been making more tests, and some improvements, on CMP interoperability for EJBCA.

You can see some of the results here.

In short, CMP mostly seems to work, purely technically. What is cumbersome with the CMP protocol is that there are so many options. For a CA to say that it supports CMP does not mean much; you must explicitly say which specific CMP work-flows, with their technical details, you support. For example, how are enrolling clients authenticated? Common options include:
  • Shared secret used for Password based MAC, where keyId is username (specified in profile in RFC). Shared secret must be in clear text in CA database, which is a down-side. Pre-registration of end entities needed.
  • Shared secret with one-time password in regToken control. Pre-registration of end entities needed.
  • Digital signature protected request message, where digital signature is based on an out-of-band issued certificate, possibly from another CA. Pre-registration of end entities needed.
  • RA type application with Password based HMAC, where RA specifies the certificate contents in the request, and authenticated using a shared secret. No pre-registration of end entities needed.
  • RA type application with digital signature authentication. No pre-registration of end entities needed.
  • Etc...

There is virtually no limit to the options.

As you can see, implementing all options is a very large amount of work. The rule we use is that we implement the options we actually see usage of, which of course means that we need to improve continuously. I think it is the only way to work efficiently, however: not to implement functions that will never be used. The downside is of course that someone can come along and find that our implementation does not support their use case. Usually new things can be implemented with a rather small investment.
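As an added illustration of the first option in the list above (not EJBCA's code), this Python snippet works through the RFC 4210 PasswordBasedMac arithmetic on both sides, including the CA-side keyId lookup that is why pre-registration is needed and why the secret must be available in clear text; the iteration cap, the end-entity table and the "protected part" bytes are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumed from RFC 4210 section 5.1.3.1 (PasswordBasedMac):
#   basekey = OWF(secret || salt), with the OWF re-applied iterationCount-1 times
#   PKIProtection = HMAC(basekey, protectedPart)
# The DER-encoded PKIHeader/PKIBody ("protected part") is represented as raw bytes.

# Assumed verifier policy: iterationCount arrives in the request, so cap it before
# doing attacker-chosen work. The value is a placeholder, not an EJBCA setting.
MAX_ITERATION_COUNT = 10000

# Constructed stand-in for pre-registered end entities: keyId (senderKID, i.e. the
# username) -> shared secret. The verifier needs the secret itself, which is the
# "clear text in the CA database" downside noted above.
END_ENTITIES = {b"user1": b"constructed-shared-secret"}


def pbm_basekey(secret, salt, iteration_count, owf=hashlib.sha1):
    """Derive the PBM base key from the shared secret and the salt."""
    if iteration_count < 1:
        raise ValueError("iterationCount must be >= 1")
    key = owf(secret + salt).digest()
    for _ in range(iteration_count - 1):
        key = owf(key).digest()
    return key


def pbm_protect(secret, protected_part, salt=None, iteration_count=1024):
    """Client side: compute (salt, iterationCount, PKIProtection) for a request."""
    if salt is None:
        salt = os.urandom(16)
    basekey = pbm_basekey(secret, salt, iteration_count)
    tag = hmac.new(basekey, protected_part, hashlib.sha1).digest()
    return salt, iteration_count, tag


def pbm_verify(secret, protected_part, salt, iteration_count, tag):
    """Verifier side: recompute the MAC and compare it in constant time."""
    if not 1 <= iteration_count <= MAX_ITERATION_COUNT:
        return False
    basekey = pbm_basekey(secret, salt, iteration_count)
    expected = hmac.new(basekey, protected_part, hashlib.sha1).digest()
    return hmac.compare_digest(expected, tag)


def ca_verify_request(key_id, protected_part, salt, iteration_count, tag):
    """CA side: look up the pre-registered secret by keyId, then verify the MAC."""
    secret = END_ENTITIES.get(key_id)
    if secret is None:
        return False  # end entity was never pre-registered
    return pbm_verify(secret, protected_part, salt, iteration_count, tag)


if __name__ == "__main__":
    # Constructed request: the client protects a byte string standing in for the
    # DER-encoded header and body, and the CA verifies it under keyId "user1".
    part = b"constructed CMP protected part (PKIHeader || PKIBody)"
    salt, n, tag = pbm_protect(END_ENTITIES[b"user1"], part, iteration_count=512)
    print("valid request:", ca_verify_request(b"user1", part, salt, n, tag))
    print("unknown keyId:", ca_verify_request(b"nobody", part, salt, n, tag))
    print("tampered body:", ca_verify_request(b"user1", part + b"!", salt, n, tag))
```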

Thursday, June 2, 2011

EJBCA 4.0.3 released

On the 1st of June we released EJBCA 4.0.3. This is a minor release with only a few fixes. In all 5 issues have been resolved.

Noteworthy changes:
  • Improved CMP interoperability, with minor improvement and bugfixes.
  • Fixed a bug that made it impossible to delete end entity profile on certain databases, in particular hsql (test database).
In particular, the release is aimed at resolving a minor issue when using the HSQL database used for testing. We wanted to make this release so that any testing of EJBCA runs smoothly. At the same time we took the chance to make some CMP improvements, so that CMP client mode now works using the BouncyCastle 1.46 API.

Read the full Changelog for details, https://jira.primekey.se/secure/IssueNavigator.jspa?reset=true&pid=10000&fixfor=10443.

Regards,
The PrimeKey EJBCA Team

Sunday, May 22, 2011

EJBCA 4.0.2 released

We are proud to release EJBCA 4.0.2. This release brings many optimizations and improvements to EJBCA 4.0. We regard this as the best version of EJBCA to date, setting new performance records as well as improving on the already extensive feature set. A thorough time for QA also assures that this should be one of the most stable releases in production for the coming months.

In all 44 issues have been resolved.

Noteworthy changes:
  • Internal optimizations make this the fastest version of EJBCA ever, capable of issuing > 400 certificates/second (depending on configuration).
  • Certificate enrollment now works also with Safari and Chrome browsers and Android 2.3.4.
  • Support for PrivateKeyUsagePeriod certificate extension.
  • Fixed a time zone bug issuing CVC certificates where the date was encoded using local timezone instead of GMT in certificates.
  • More admin console and public web improvements from David Carella of Linagora.
  • Now uses ISO8601 date format consistently when entering dates in admin console.
  • Automatic generation of Norwegian UNID numbers from CMP requests.
  • Many small bug fixes and improvements.

The ISO8601 date format (yyyy-MM-dd HH:mm:ssZZ) is used in the Admin GUI and the EJBCA WS interface, so clients no longer have to be aware of which time zone the CA servers are located in. The old format (in US Locale) will still work for incoming requests in the WS, but any returned UserDataVOWS containing custom start and end dates will use the new format.

Read the full Changelog for details.

Regards,
The PrimeKey EJBCA Team

Tuesday, May 3, 2011

EJBCA 3.11.2 released

The PrimeKey EJBCA team is happy to announce that EJBCA 3.11.2 has been released! This is a maintenance release – 23 issues have been resolved. The most noteworthy changes can be seen below.
EJBCA 3.11.2 is a maintenance release in the 3.11 branch of EJBCA. The main release branch of EJBCA is the 4.0 branch, where 4.0.1 has been released, and 4.0.2 is upcoming.

EJBCA 3.11.2 Release Notes

Improvements and new features:
  • Increased algorithm support on PKCS11 HSMs.
  • Added a webservice based RA written by Daniel Horn.
  • It is now possible to disable the command line interface.
  • There are new commands to import CRLs and certificates which are useful when migrating to EJBCA.
  • Documented the fact that External OCSP does not run on JBoss 5.x.
  • Added GlassFish database schema for Oracle.
  • Added a webservice call for retrieving CA path.
Bug fixes:
  • Removed some inelegant error messages from the GUI.
  • Removed a bug that sometimes caused a day longer validity of certificates due to daylight saving time.
  • Fixed a bug which prevented revocation after upgrading from EJBCA 3.4.x.
  • Fixed a bug causing some information to not be logged during WS calls.
  • Fixed a bug preventing revoked certificates from being republished to the VA server.
  • Republish button now works with special characters and without certificate request history.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 3.11.3 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

Thursday, March 3, 2011

EJBCA 4.0.0 released

The PrimeKey EJBCA team is happy to announce that a new generation of EJBCA is finally here. As always, you can download the release from SourceForge.

In this release, the underlying framework has changed from Java Enterprise Edition 2 to 5. EJBCA 4 will constitute the solid base for EJBCA for the coming years. Together with major refactoring, the Java Enterprise upgrade significantly improves the quality of the EJBCA code and internal architecture, allowing for faster development. The technology upgrades also make way for the development of a new Administration GUI and the integration with CESeCore.

164 issues have been resolved for this release. The most noteworthy changes can be seen below.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 4.0.1 or later releases.

More information is available at the project web site and the complete change log can be viewed in the issue tracker.

EJBCA 4.0.0 Release Notes:
New features:
- Framework changed to Java Enterprise Edition (JEE) 5.
- Well defined database schema for all supported application servers and databases. You are now able to switch application server.
- Support for the Ingres database without patching.
- Numerous features and improvements to the Administration GUI, command line interface and core functionality.

Bug fixes:
- Improved reliability of EJBCA services.
- Many small bug fixes and stabilizations.

For more information, please contact:
Tomas Gustavsson, CTO, PrimeKey Solutions AB,
tel: +46(0)707 42 10 96, e-mail: tomas at primekey dot se

Tuesday, February 8, 2011

Smart cards working with OpenSC/Linux/Firefox

I just tested the Aventra MyEID smart card with the latest opensc (trunk). Works like a charm.

You need the OpenSSL development libs to build the pkcs15-init tool in opensc; for Ubuntu this means installing the libssl-dev package.
# Build dependencies (Ubuntu)
sudo apt-get install libssl-dev autoconf libtool
sudo apt-get install pkg-config libpcsclite-dev
# Fetch and build OpenSC from trunk, installing under /usr
svn co http://www.opensc-project.org/svn/opensc/trunk opensc
cd opensc
./bootstrap
./configure --prefix=/usr
make
sudo make install
# Initialise the card: erase it, create the PKCS#15 structure, store a PIN, finalise
pkcs15-init -E
pkcs15-init -C --pin foo123 --puk foo123
# (or just 'pkcs15-init -C', but then you have to enter the PIN code about 20 times)
pkcs15-init -P -a 01 -l test01
pkcs15-init -F

After this is done, you need to add /usr/lib/opensc-pkcs11.so as a Security Device in Firefox. To enroll, simply add a new user in EJBCA, go to Public Web and do a browser enrollment. I used Medium Security in order to get 1024 bit RSA keys, which I know work with my card reader, which does not support Extended APDU over CCID.
Browser enrollment will generate a new key on the smart card, get a certificate from EJBCA and store the certificate on the smart card.

With this test we now know about three cards that work well for browser enrollment with Firefox.

Also see the old blog post about using the OpenSSL engine to make certificate requests and import certificates to the smart card.

Friday, February 4, 2011

New WebServiceRA Application

PrimeKey is pleased to announce the availability of WebServiceRA, an RA (Registration Authority) Administration application.
WebServiceRA is a functioning Java application that communicates with EJBCA certificate authorities using EJBCA web services.

In addition to providing many Java code examples of using the EjbcaWS web service interface, this program provides a simple UI for creating and querying end entities, as well as generating certificates (as either P12 or JKS files).

The source code and instructions for building and running this application may be downloaded from Sourceforge.