Wednesday, December 19, 2012

EJBCA 5.0.8 released

We are pleased to announce the release of EJBCA Enterprise version 5.0.8.

This is a maintenance release with improvements and bug fixes. In all, 12 issues have been fixed.

* Noteworthy changes:
- Private key is no longer needed to verify database protection using the ejbca-db-cli.
- Improved robustness of 'ejbca.sh ca importcertdir' command.
- It is now possible to obfuscate log signer key password.
- Fixed a bug with CMP certificate authentication.
- Minor bugfixes.

These are all minor issues and improvements.

Regards,
PrimeKey EJBCA Team

EJBCA 4.0.13 released

We are glad to release version 4.0.13 of EJBCA to the Community.

This is a maintenance release containing a few new features and improvements. In all, 25 issues have been resolved.

* Noteworthy changes:
- New self-registration work-flow available in the public web.
- Added extended key usage for WiFi EAP authentication.
- Some build improvements to avoid issues on some platforms (no javascript, no jasper).
- More minor GUI improvements by David Carella of Linagora.
- Minor bug fixes.

The release does not contain any critical fixes, but is a natural step in improving the Community version of EJBCA.

The self-registration work-flow that first appeared in the EJBCA v5.0 Enterprise version has now also been released in EJBCA 4.0. Self-registration has been a long-standing request from the community and also from some customers, and we are glad to say that it is now available in all active versions of EJBCA. Don't miss trying it out!

Get the new release from http://www.ejbca.org/.

Happy holidays,
PrimeKey EJBCA Team

Thursday, October 25, 2012

EJBCA 5 receives Common Criteria, EAL4+, certificate



We are pleased to announce that PrimeKey Solutions AB has successfully completed Common Criteria EAL4+ Certification of EJBCA version 5. The much awaited Common Criteria certificate, issued by ANSSI (Agence nationale de la sécurité des systèmes d’information), is an important milestone in EJBCA's rich 10+ year history of achievements.
With this formal evidence that EJBCA conforms to the rigorous security standards for Certificate Issuance and Management Systems, this Common Criteria certification benefits PrimeKey’s customers and partners, as well as the community, and strengthens EJBCA’s position as the top pick of secure Certificate Authority software around the world.

EJBCA is certified based on the CIMC Protection Profile (v1.0) at security level 3. The assurance level is EAL4+ (EAL4 augmented with ALC_FLR.2).

Beyond a Shadow of a Doubt

Due to regulations and legislation, the Common Criteria EAL4+ Certification is often mandatory to reach the highest level of security requirements in computer software. The proof of achieved CC certification is a necessity for EJBCA users who need to run mission critical PKI, and who will have their own software, solution or service certified and audited for standards compliance, such as CWA and WebTrust. PrimeKey welcomes, of course, the certification as additional proof that our EJBCA development adheres to the strictest security practices, and it enables us to reach out to customers that require formal certification.

“Our clients' projects often have to undergo their own strict security certification and audit processes. This official proof of EJBCA's Common Criteria Certification will help them reach a positive outcome, which sometimes is crucial for us in order to sign a new contract”, says CEO Konstantin Papaxanthis.

From now on, no organisation has to refrain from using EJBCA because of any particular security requirements. PrimeKey's customers can go straight ahead having their EJBCA based projects security evaluated and formally certified as audit compliant to the most demanding standards.
For more info on “EJBCA v.5” please visit www.primekey.se/.

The EJBCA community can also be assured that the development of EJBCA Community Edition follows the same certified development process.

About Common Criteria

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard for computer security certification. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
For more info on “Common Criteria” please visit www.commoncriteriaportal.org/.

About EJBCA PKI

A serious enterprise class PKI, EJBCA is utilized as a Certification Authority, to build complete PKI infrastructures within organizations who issue certificates for different purposes, such as:
  • Strong authentication for users accessing your intranet/extranet/internet resources.
  • Secure communication with SSL servers and SSL clients.
  • Smart card logon.
  • Signing and encrypting email.
  • VPN connections by issuing certificates to your VPN routers.
  • Client VPN access with certificates in users VPN clients.
  • Secure logon to web applications (Single sign-on).
  • Creating signed documents.
  • Mobile PKI, like enrolling iOS.
  • Secure mobile networks, i.e. 3GPP/LTE/4G using the CMP protocol.
  • Counterfeit prevention.
  • Issue national eIDs.
  • Issue and inspect electronic passports, including EU EAC ePassports.
  • ... and many many more ...
For more info on “EJBCA” please visit www.ejbca.org/.

Saturday, September 29, 2012

SignServer 3.2.3 Released

The PrimeKey SignServer team is happy to announce that SignServer 3.2.3 has been released!

This is a maintenance release - in total 34 features, options, bugs and stabilizations have been fixed or added.

Development continues beyond this version and all requests from the community are scheduled for SignServer 3.2.4 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

The most noteworthy changes can be seen below.

Major new features and improvements:
  • Support for running SignServer without database
  • Configurable to disable the key usage counter 
  • Signer certificate check in Health check for all Signers
  • Check that the timestamp signer certificate is included in the certificate chain
  • Health check response of TimeStampSigner now considers status of time source
  • Down-for-maintenance support in Health check
  • Support for supplying filename as request metadata 

Bug fixes:
  • Client CLI only supported 10 arguments on Windows
  • Null value was inserted when removing last wsadmin on Oracle
  • PDF Signature could not be larger than 15000 bytes
  • Sample configuration for renewal worker not functional
  • Various documentation updates 

Notice:
Some internal API changes have been made as part of DSS-528. If you have custom code, some changes might be required.

Regards,
The PrimeKey SignServer team

Tuesday, June 19, 2012

CESeCore gains Common Criteria certification


After 2 years of work and a 6-month administrative waiting period, CESeCore has finally received the final, signed, Common Criteria certification.

Providing a certified component library

By June 2012 the CESeCore project fulfilled its primary purposes: to make the CESeCore Security Core 1) Common Criteria EAL 4+ certified and 2) publicly available for integration with enterprise applications.
Vendors aiming to attain their own Common Criteria certification will continue to draw significant benefits through the use of the fully approved CESeCore library, which greatly shortens and simplifies implementation of many important security functions.
The certified CESeCore has also taken PrimeKey's EJBCA Enterprise edition a steady leap forward towards its own final Common Criteria certification.

"When we created CESeCore, we added the most important security functions from certificate management, certificate validation and timestamping, into a re-usable Java Enterprise component library. And we worked patiently to have it Common Criteria certified! Anyone who needs these security functions no longer have to re-invent the wheel."
— Tomas Gustavsson, PrimeKey CTO

Certification details

CESeCore is certified based on the CIMC Protection Profile (v1.0) at security level 3. The assurance level is EAL4+ (EAL4 augmented with ALC_FLR.2).
For those interested, all details are available in the CESeCore Security Target.

EJBCA to be completed

Building on CESeCore, EJBCA 5.0 has already completed the Common Criteria evaluation at the same level. We are only awaiting the administrative process to receive the final certificate for EJBCA as well.

Tuesday, June 5, 2012

EJBCA 5.0.5 released

4 Jun 2012 — Stockholm, Sweden

Primekey proudly presents the 5.0.5 maintenance release of EJBCA.
Quite some effort was put into stabilizing the 5.0.x release for production use, including bug fixes and improvements of usability for issues discovered during production deployments.

To find out how to access EJBCA 5 visit PrimeKey's PKI Shop.

EJBCA PKI *5.0.5* release notes
A maintenance release containing a couple of small features and many bug fixes. The following are a selection of the most noteworthy:

New features
  • Index recommendations have changed.
  • CVC CAs can now be created from the Command Line Interface.
  • EJBCA now supports Japanese localization.
  • Overall performance increases.
  • Removed redundant and excessive logging to audit logs.

Bug fixes
  • Fixed bug where recursive deny rules caused deny for system user.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 5.0.6 or later releases.
More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

Friday, June 1, 2012

Mobile ID client from Nerd integrated with EJBCA PKI from PrimeKey

Mobile ID is a new open source Android app for signatures and encryption developed by Nerd in Greece. It is still a beta version, but I thought it might be interesting to know. It has been integrated with EJBCA so you can get a certificate easily. Development and further integration will also continue beyond this point. Also see press release.

Friday, May 11, 2012

Enterprise EJBCA features vs Community


EJBCA version 6, with EJBCA Enterprise and EJBCA Community, has been released by now. Instead of reading this blog post, which is getting old, you should head over to the newer pages.

This is a continuation of the blog post EJBCA will always be Open Source.

Here we will describe the feature difference between EJBCA 5 (Enterprise) and EJBCA 4 (Community). For a high level overview you should first read EJBCA will always be Open Source.
For a list of all the features in EJBCA, visit EJBCA.org.

The freshest, most up to date, description of EJBCA Enterprise features will be available at PrimeKey.

EJBCA Enterprise Edition vs Community

EJBCA 5 has features required for high trust environments:
  • Common Criteria EAL4+ and CWA 14167 certified.
  • Certified access control and authorization module, for assurance and high trust role separation.
  • Integrity protected security audit log, with digital signature or HMAC protection.
  • Improved security audit log messages, complete information that is auditable.
  • Full database integrity protection of all tables, to detect database manipulation.
  • Authentication of local CLI users enabling role separation also for local CLI.
  • Penetration tested with improved security.
Users requiring certified operations, Common Criteria, CWA, ETSI or WebTrust will benefit greatly from EJBCA 5.
In addition to that, there are other minor changes that are unique to EJBCA 5. These changes are the result of the majority of development resources now focusing on future versions of EJBCA, and will eventually trickle down to Community EJBCA.
  • Smaller release ZIP file.
  • Minor CLI improvements with new methods and parameters.
  • New database CLI for database export, import and verification.
  • Support for Permanent Identifiers (RFC 4043) and authorityInformationAccess in CRLs.
  • Support for SIP and Kerberos extended key usages.
  • Improved memory efficiency in certain use cases.
  • Optimized database usage.
  • Other minor improvements and bugfixes.

Normal users will be satisfied with the feature set, and the record breaking performance, of EJBCA 4.

Feature comparison table

The freshest, most up to date, description of EJBCA Enterprise features will be available at PrimeKey.
This is a snapshot at the time this blog post was written.

| Feature | Enterprise | Community |
|---|---|---|
| License | Open Source LGPL v2.1 or later | Open Source LGPL v2.1 or later |
| PKI features | Full, including all protocols | Full, including all protocols |
| Recommended for | EJBCA Enterprise is recommended for Corporations, Governments and other organizations looking for an enterprise scale, production-ready, certified, open source PKI solution without any upfront license fees. | EJBCA Community is recommended for developers and technical PKI users in non-mission critical environments. As this version is unsupported it is intended to be used by those prepared to spend time and resource solving issues independently. |
| Suitable for | EJBCA is suitable for small to huge scale PKI deployments ranging from 1000 to over 100 million issued certificates. | EJBCA is suitable for small to huge scale PKI deployments ranging from 1000 to over 100 million issued certificates. |
| Security Certifications | EJBCA Enterprise has been certified under Common Criteria EAL 4+ (CIMC Protection Profile) and CWA 14167-1 (at customer locations). | None |
| Commercial support | PrimeKey provides commercial support with Service Level Agreements (SLA) for issue tracking, problem resolution, patches and fixes. | None provided, community support through forums and mailing lists. |
| Integrity protected security audit | EJBCA Enterprise features a Common Criteria certified security audit mechanism using HMAC or digital signatures for integrity protection. | No |
| Database integrity protection | EJBCA Enterprise features a Common Criteria certified database protection protecting the database from malicious DBAs. | No |
| Penetration tested | EJBCA Enterprise has been penetration tested as part of Common Criteria evaluation, and by independent security testers. | No |
| Role separation | Full role separation including local command line interface. | Role separation for remote access users. |
| Security flaw remediation process | PrimeKey have a Common Criteria evaluated tracking process for security, and other, bug reports. | EJBCA Community follows an open development and issue tracking process, without guaranteed response times. |
| License Price / Subscription | No software license fee – Provided as part of an annual subscription for commercial level support. | No software license fee – free to download, free to use. |
| Additional features | Emergency hot fixes, security alerts, best practice advice, private issue tracking portal, additional guides and tools. | Most feature complete and most flexible PKI, with highest performance, compared to most open source and commercial PKIs. |
| Training | Customers and Partners get training on latest certified PKI from PrimeKey (additional cost depending on your contract). | Contact PrimeKey. |

Thursday, May 3, 2012

Cert-cvc 1.3.0 released

We have released version 1.3.0 of the ePassport EAC library cert-cvc. This version is a minor release that only adds support for BouncyCastle v 1.47.
Cert-cvc now works with BC 1.46 and BC 1.47.

Visit EJBCA.org for downloads.

Regards,
PrimeKey EJBCA Team

EJBCA will always be Open Source


Since EJBCA 5 there is now one version of EJBCA that is free to download and one that is not.
This blog will try to clarify why and what this means.

Why we are doing this

EJBCA 5.0 is Common Criteria and CWA (14167) certified software. Software certification costs many hundreds of thousands of euros, a substantial investment by PrimeKey Solutions to fulfil customer needs for certified software.

PrimeKey is a commercial company employing most of the EJBCA developers and makes a living out of selling support, services and training for EJBCA and SignServer.
PrimeKey can not afford to give away certification for free to large organizations with much larger funds than PrimeKey itself. Without employed EJBCA developers EJBCA can not continue to be among the top PKI software in the world.

To fulfil the needs of these customers, and also the community, two versions of EJBCA are needed:
  • Certified versions of EJBCA, not available for free download.
  • Non-certified versions of EJBCA, available for free download.

EJBCA Enterprise Edition

Many organizations require that PKI software is certified according to Common Criteria and/or CWA.
Certified software can require additional features, such as secure audit logging and database integrity protection.
Software certification is a business requirement and generally has little to do with the code itself. EJBCA 5 is aimed at enterprises that have these higher trust requirements.

Enterprise EJBCA is:
  • available to all support customers.
  • features all newest features required for higher trust and maximum performance
  • security certified according to Common Criteria and CWA
  • supported with SLA
  • Open Source LGPL v2.1 or later
The current Enterprise EJBCA version is EJBCA 5.0.

EJBCA Community Edition

EJBCA is an open source project. It is one of the most widely used PKIs in the world with deployments on all inhabited continents.
Organizations that do not require certified software or SLA support can use the Community EJBCA.

PrimeKey will still maintain the Community version of EJBCA. We will continue to provide new features and bug fixes to ensure that both versions of EJBCA will remain the leading PKI software.

PrimeKey always contributes back the features from the certified version to the Community, and PrimeKey's customers pay for development of many features that go directly into the open source project.

Community EJBCA is:
  • available for anyone to download and use
  • still maintained with new features and bug fixes
  • supported by the community
  • Open Source LGPL v2.1 or later
  • advanced features will be introduced first in Enterprise EJBCA but may eventually end up in later versions of Community EJBCA
The current Community EJBCA version is EJBCA 4.0.

Wednesday, May 2, 2012

Open Source at Security Document World 2012

I will hold a presentation called "Leveraging Open Source technologies for secure electronic documents" at Security Document World 2012.

Summary of the presentation:

Today's security documents require the deployment of extensive security software infrastructures, primarily PKI based. Current, and future, security documents such as passports, IDs, driver licenses and tachographs all require one or several public key infrastructures to produce and use.
This presentation will show open source solutions available to support these documents, including CSCA, Document Signer, CVCA, DV and Inspection Systems. We will explain how security document producers can use these solutions in the best and most efficient way, and what pitfalls to avoid. In order to reap the full benefits of open source and open standards there are a few more things to consider apart from simply viewing it as cost free software.
Finally we will display real world use cases where open source software is part of the production of millions of security documents.

I will mention several open source projects:
- EJBCA
- SignServer
- JMRTD
- ISODL
- BouncyCastle
- etc

Looking forward to seeing you at the conference :-)

Friday, March 9, 2012

EJBCA 5.0.4 released

We have released EJBCA 5.0.4 to our customers. This is a release that is delivered for, hopefully, final evaluation for Common Criteria EAL 4+. We keep our fingers crossed.

A few new minor features were also added during the development phase. These are customer requested OCSP features and a few usability improvements found during customer installations.

This is a maintenance release with a few bug fixes and new features. In all, 20 issues have been resolved.

Noteworthy changes:
  • OCSP: Possibility to only publish revoked certificates to Validation Authority.
  • OCSP: Possibility to treat "non existing is good" based on URI on the Validation Authority.
  • Do not allow creation of CAs using weak keys.
  • Add Kerberos extended key usages.
  • Add possibility to specify certificate profile to CA init CLI command.
  • Fix a few more tests on windows platform.
  • Fixed minor security issues in admin web.
  • Fixed a few cosmetic issues improving usability.

EJBCA 5.0.x, being a certified version, is not available for free download on the internet, as previous versions have always been. Contact PrimeKey if you want access to EJBCA 5.0.

Saturday, February 11, 2012

Ubuntu GNU/Linux 12.04 (precise) on Sony Vaio SE15 (VPCSE1v9E)

Ubuntu GNU/Linux 12.04 (precise) on Sony Vaio SE15 (VPCSE1v9E), SandyBridge version.

Update 2013: This machine has very poor build quality. If you use it daily it will start falling apart after a year or so of use. Don't buy.

The findings here are not my own. All credit goes to the authors in the Ubuntu forums on vaio S compatibility.

Update Ubuntu 13.10:
Using Ubuntu 13.10 by now, and everything works basically flawlessly. Still starting to look for a new machine though, as the quality of this one is not so good. Casting eyes on the new Dell XP13 DE, with Linux pre-installed...

Update Ubuntu 12.10:
Using Ubuntu 12.10 I have changed my approach a little bit.
  • Use hacked BIOS with advanced menus. This enables me to permanently disable the Radeon in BIOS. Otherwise it will be re-activated after suspend/resume so power consumption will be high after resume.
  • Use the powersavings script below.
  • Use Kernel 3.7 from Ubuntu Mainline. This has some new power saving improvements.

With the above I can really get 4+ hours out of the battery, stable through suspend/resume cycles.

Update Ubuntu 12.04: In Ubuntu 12.04 no kernel parameters are needed. ASPM does not seem to work anyhow and the i915 parameters are enabled by default in the kernel.
I have also found a weak point of the laptop. The air intake for cooling is located under the machine, exactly where your leg is if you have the laptop in your lap. When blocking the air intake with your leg the machine overheats and throttles the CPU to a crawl.

The Vaio SE15 is a very nice machine. It is easy to replace an existing HDD with an
SSD, it is very light and has good screen and keyboard.
Installing Ubuntu 12.04, precise pangolin from USB works like a charm, no issues.
Update: Due to inadequate cooling I would not buy this machine again. Extremely nice chassis, but overheats and throttles the CPU very easily.

I used the alternate installer in order to get full disk encryption. The alternate installer completed without any glitches, and boots me directly into Ubuntu.
A minor gotcha is that most times, but not always, I get a blank screen instead of the boot password screen (to unlock full disk encryption). It is not hung though, so just enter your password in the blank screen and it boots.

Using 12.04 everything works out of the box: trackpad (including two finger scrolling), wireless, screen, suspend and resume. I used wired network during install, but connected to wifi once installed.

Using the Vaio the only thing that needs attention is the switchable graphics, and powersaving features. Powersaving is the area where GNU/Linux, by default, is not as good as the Mac, and requires some technical tweaking.

I use only the Stamina (Integrated Intel graphics) mode of the Vaio, and want Speed (Discrete ATI graphics) to be disabled at all times.
By default the ATI card is powered on even in Stamina mode (the physical switch does not physically power off the ATI graphics), so when booting Ubuntu the first time fans will be always on until you manage to power off the ATI card.

With the settings distilled from Ubuntu forums on vaio S compatibility everything works nice and I get the following results.

Battery drain between 9500 and 12500 mW when idling and doing light work (like writing this). This should give a standard battery life between 4-5 hours using the built in 52170mWh battery.
In reality I am a developer, and with some things open and doing some real work, power consumption is between 15 and 30W, giving battery times of say 2-3 hours.

I also added an instruction how to enable TRIM support if you are using an SSD, and also how to re-enable hibernate in Ubuntu 12.04 (precise).


On to the forum summary of settings.


* 1. Make sure Intel powersaving features are enabled
-----------------------------------------------
sudo vi /etc/default/grub

Add some items to the kernel boot parameters, use the following line

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash i915.i915_enable_fbc=1 i915.i915_enable_rc6=1 pcie_aspm=force"

sudo update-grub

pcie_aspm=force does not work btw, if anyone can solve this that would be beneficial. Getting:
"ACPI _OSC control for PCIe not granted, disabling ASPM"
-----------------------------------------------

* 2. Disable (power off) Radeon discrete graphics at all times, and power off bluetooth on boot.
We use vgaswitcheroo for this. It is included by default in Ubuntu 12.04, no need to install anything.
We also make sure bluetooth is disabled on boot here.

- Power off at boot
sudo vi /etc/rc.local

add the following before 'exit 0'
echo OFF > /sys/kernel/debug/vgaswitcheroo/switch
rfkill block bluetooth


- Install so it runs at resume from suspend
(not sure this is needed, but it does not hurt and does not take any time)

sudo vi /etc/pm/sleep.d/10_disable_radeon

add the following to the file
#!/bin/sh
# Action script ensures that discrete graphics card is disabled after
# resuming from standby/hibernate
#
#
case "${1}" in
resume|thaw)
echo OFF > /sys/kernel/debug/vgaswitcheroo/switch
;;
esac


sudo chmod +x /etc/pm/sleep.d/10_disable_radeon
-----------------------------------------------


* 3. Add script to enable/disable powersavings in battery vs powered mode
-----------------------------------------------
sudo apt-get install ethtool
sudo vi /etc/pm/power.d/powersavings

add the following to the file

------ Start add from below -----
#!/bin/sh

# Shell script to reduce energy consumption when running battery. Place
# it in /etc/pm/power.d/ and give execution rights.

# This is a modified version of an original script by Skumpic,
# available here: http://blog.liberailvoip.it/2010/04/27/
# ubuntu-lucid-lynx-acer-aspire-one-impostazioni-ottimizzate-
# autonomia-prestazioni/

# Disable Wake On Lan
ethtool -s eth0 wol d

if on_ac_power; then
# ----- Start AC powered settings #

# Disable laptop mode
echo 0 > /proc/sys/vm/laptop_mode

# Set SATA channel: max performance
for foo in /sys/class/scsi_host/host*/link_power_management_policy;
do echo max_performance > $foo;
done

# Set Max Power for wifi interface
# change value according to your hardware!
iwconfig wlan0 txpower 14   

# Disable wifi power saving
iwconfig wlan0 power off

# CPU Governor: Performance
for foo in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor;
do echo performance > $foo;
done

# Disable USB autosuspend
for foo in /sys/bus/usb/devices/*/power/control;
do echo on > $foo;
done

# Disable PCI autosuspend
for foo in /sys/bus/pci/devices/*/power/control;
do echo on > $foo;
done

# Disable audio_card power saving
echo 0 > /sys/module/snd_hda_intel/parameters/power_save_controller
echo 0 > /sys/module/snd_hda_intel/parameters/power_save

# Set maximum display backlight
echo 15 > /sys/class/backlight/acpi_video0/brightness

# ----- End AC powered settings #

else

# ----- Start battery powered settings #

# Enable Laptop-Mode disk writing
echo 5 > /proc/sys/vm/laptop_mode

# Set SATA channel to power saving
for foo in /sys/class/scsi_host/host*/link_power_management_policy;
do echo min_power > $foo;
done

# Activate wifi power saving
iwconfig wlan0 power timeout 500ms

# Reduce wifi txpower
iwconfig wlan0 txpower 5

# Select Ondemand CPU Governor
for foo in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor;
do echo ondemand > $foo;
done

# Activate USB autosuspend
echo auto > /sys/bus/usb/devices/1-1.1/power/control # Fingerprint sensor
echo auto > /sys/bus/usb/devices/1-1.3/power/control # Webcam

# Activate PCI autosuspend
for foo in /sys/bus/pci/devices/*/power/control;
do echo auto > $foo;
done

# Activate audio card power saving
# (sounds shorter than 5 seconds will not be played)
echo 5 > /sys/module/snd_hda_intel/parameters/power_save
echo 1 > /sys/module/snd_hda_intel/parameters/power_save_controller

# Set medium display backlight
echo 5 > /sys/class/backlight/acpi_video0/brightness


# ----- End battery powered settings #

fi

----- Stop add above -----

Make executable

sudo chmod +x /etc/pm/power.d/powersavings
-----------------------------------------------

* 4. Enable TRIM on SSD
-----------------------------------------------
(only if using an SSD)

sudo cp /etc/fstab /etc/fstab_bak-notrim
sudo vi /etc/fstab

look for the root partition entry, something like:
/dev/mapper/host-root / ext4 errors=remount-ro

add discard to the parameters, like
/dev/mapper/host-root / ext4 discard,errors=remount-ro

You can also add the noatime parameter to save some disc writes.

Reboot to enable
-----------------------------------------------
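
Step 4 only edits /etc/fstab, but this install uses full disk encryption, and dm-crypt drops discard requests unless the mapping in /etc/crypttab also carries the discard option. The check below is an added example, not part of the original post; the function names, status strings and sample files are constructed for illustration, and it assumes every crypttab mapping sits on the SSD.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the "discard"
# option from step 4 can reach the SSD when the root filesystem sits on dm-crypt.
# Assumption: every mapping in crypttab backs the SSD, so any mapping without
# "discard" is reported as blocking TRIM.

# Print the mount options (4th field) of the "/" entry in an fstab file.
root_mount_options() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $2 == "/" { print $4; exit }' "$1"
}

# Succeed if the comma-separated option list $1 contains $2 as a whole option.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a comma-separated list of crypttab targets whose options lack "discard".
crypttab_missing_discard() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         {
             found = 0
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "discard") found = 1
             if (!found) { printf "%s%s", sep, $1; sep = "," }
         }' "$1"
}

# Print one status word for an fstab/crypttab pair:
#   fstab-no-discard              root is not mounted with discard
#   blocked-by-dm-crypt:<targets> fstab asks for TRIM, the crypt layer drops it
#   ok                            discard is set at every layer that was checked
trim_status() {
    fstab=$1
    crypttab=$2
    opts=$(root_mount_options "$fstab")
    if ! has_option "$opts" discard; then
        echo "fstab-no-discard"
        return 0
    fi
    if [ -f "$crypttab" ]; then
        missing=$(crypttab_missing_discard "$crypttab")
        if [ -n "$missing" ]; then
            echo "blocked-by-dm-crypt:$missing"
            return 0
        fi
    fi
    echo "ok"
}

# Demo on constructed sample files: the fstab line is the one from step 4,
# the crypttab line (target name, placeholder UUID) is made up.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample fstab' \
        '/dev/mapper/host-root / ext4 discard,errors=remount-ro 0 1' > "$dir/fstab"
    printf '%s\n' '# constructed sample crypttab' \
        'sda5_crypt UUID=00000000-0000-0000-0000-000000000000 none luks' > "$dir/crypttab"
    trim_status "$dir/fstab" "$dir/crypttab"
    rm -rf "$dir"
}

# With two arguments check real files, e.g. /etc/fstab /etc/crypttab;
# without arguments run the demo.
if [ "$#" -eq 2 ]; then
    trim_status "$1" "$2"
else
    demo
fi
```

After adding discard to a crypttab entry for the root volume, run sudo update-initramfs -u and reboot. Passing discards through dm-crypt reveals which blocks of the encrypted device are unused, so enable it only where that trade-off is acceptable.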

* 5. Re-enable hibernate in Ubuntu 12.04 (Precise)
-----------------------------------------------
In Ubuntu 12.04, Precise, Hibernate is not available by default. It is rather easy to enable though.
When enabled, both hibernate and suspend work well on the Vaio.

sudo vi /etc/polkit-1/localauthority/50-local.d/com.ubuntu.desktop.pkla

Add the following (probably creating the file)
[Re-enable hibernate by default]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes

Credit for this tip goes to Askubuntu.


Reboot to enable
-----------------------------------------------



You can use acpi_call instead of vgaswitcheroo to disable the radeon video card.
acpi_call causes resume to take a long time, so therefore I recommend vgaswitcheroo,
which is also included by default in Ubuntu (12.04).

This is only kept for reference, don't use if you followed the guide above.

* Use acpi_call to turn off ATI card at all times.
-----------------------------------------------
(also disable bluetooth on boot)

- build and test
sudo apt-get install git
git clone https://github.com/mkottman/acpi_call.git
cd acpi_call
make
sudo insmod acpi_call.ko
lspci -vnnn | grep VGA
sudo chmod +x test_off.sh
./test_off.sh
(Trying \_SB.PCI0.PEG0.PEGP._OFF: works!)

- Install
sudo cp acpi_call.ko /lib/modules/`uname -r`/kernel/
sudo depmod
sudo modprobe acpi_call
sudo vi /etc/modules
- add the following after 'lp'
acpi_call

- Make sure it starts
sudo vi /usr/local/bin/radeon_off_sony_sa.sh

add the following to the file
#!/bin/sh
echo "\_SB.PCI0.PEG0.PEGP._OFF" > /proc/acpi/call

sudo chmod +x /usr/local/bin/radeon_off_sony_sa.sh

- Test
sudo /usr/local/bin/radeon_off_sony_sa.sh
sudo cat /proc/acpi/call

- Install so it runs at boot
sudo vi /etc/rc.local

add the following before 'exit 0'
/usr/local/bin/radeon_off_sony_sa.sh
rfkill block bluetooth

- Install so it runs at resume from suspend
(this can make resume be a little slow, with black screen for a few seconds when resuming)

sudo vi /etc/pm/sleep.d/10_disable_radeon

add the following to the file
#!/bin/sh
# Action script ensures that discrete graphics card is disabled after
# resuming from standby/hibernate
#
#
PATH=/usr/local/bin:/bin
case "${1}" in
resume|thaw)
radeon_off_sony_sa.sh
;;
esac

sudo chmod +x /etc/pm/sleep.d/10_disable_radeon
-----------------------------------------------

Wednesday, January 25, 2012

EJBCA 5.0.2 released, delivered for Common Criteria Certification

23 January 2011 - Stockholm, Sweden

Primekey proudly presents the 5.0.2 maintenance release of EJBCA. This release is the candidate for Common Criteria for Information Technology Security Evaluation (Common Criteria) certification, and a majority of the effort for this release has been devoted to addressing issues to meet Common Criteria's exacting standards.

Quite some effort was also put into stabilizing the 5.0.x release for production use, including improvements of performance and usability.

EJBCA 5.0.2 Release Notes

A maintenance release containing a couple of small features and many bug fixes. The following are a selection of the most noteworthy:

  • New features:

    • Support has been added for incorporating external plugins in the EJBCA EAR file at build time, allowing the addition of custom administrative capabilities and specialized RA systems.

  • Bug fixes:

    • The Web interface has been thoroughly audited and cleaned from XSS issues.

    • Authorization checks have been tightened up in accordance with Common Criteria demands.

    • Audit logging has been improved and fixed where lacking.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 5.0.3 or later releases.

More information is available at the project web site and the complete change log can be viewed in the issue tracker.


For more information, please contact:

Tomas Gustavsson, CTO, PrimeKey Solutions AB, tel: +46(0)707 42 10 96, e-mail: tomas@primekey.se

PrimeKey Solutions AB

PrimeKey is the world's leading open source PKI (public key infrastructure) company, and founders and commercial force behind some of the most downloaded open source PKI projects – EJBCA and SignServer.

An open source security software pioneer, PrimeKey provides enterprise class solutions to key public and commercial sector clients worldwide. Organizations turn to PrimeKey's open source software platforms to implement security solutions (such as e-passports, product authenticity, document signing, digital signatures, unified digital identities) and their associated high speed and high availability validation.

PrimeKey's enterprise class integration, training and support services and dedication to open standards help customers achieve their organizational goals. www.primekey.se

The EJBCA Project

EJBCA PKI is a Certification Authority and a complete enterprise PKI management system, delivered either as an integrable part or as a turnkey solution. EJBCA OCSP and EAC are sub functions of EJBCA PKI, and are used for on-line validation and ePassports.

EJBCA offers great advantages such as excellent cost-effectiveness, unmatched flexibility, complete integration – and full professional maintenance and support by PrimeKey. www.ejbca.com