Saturday, December 20, 2008

HTC G1 android phone and tele2

Hardly surprising the G1 works perfectly also in sweden. To configure for tele2 I only configured five items in the APN configuration.
- Name: Tele2
- APN: internet.tele2.se
- MMSC: http://mmsc.tele2.se
- MMS proxy: 130.244.202.30
- MMS port: 8080
After this this phone works like a charm. Buying the phone from google was easy and delivery was fast, only a week.
Now all we have to do is run EJBCA on the phone :-)

To re-encode movies to show on the phone (using cinema app for example) do this on Ubuntu:
- apt-get install avidemux, and start avidemux. Avidemux works great as a mobile media encoder.
- Open the file you want to convert.
- In Video dropdown select MGEG-4 ASP (lavc).
- Click Configure->Encoding Mode->Single pass - bitrate, enter 384 kb/s and click ok.
- Click Filters, double click MPlayer resize, width 480, height 320, click OK then close.
- In Audio dropdown select AAC (FAAC).
- Click Configure and select bitrate 96.
- In Format dropdown select MP4.
- Finally click Save and enter the new filename with .mp4 ending.

Now just make sure you copy the file to sdcard intact.

Tuesday, December 16, 2008

Zepto Nox A15 and Ubuntu 8.10

On my new Zepto Nox A15 most things work out of the box, except suspend to ram (hibernate works) and screen brightness. I blame the nvidia proprietary driver for this...

This is what I did to get screen brighness settings to work:
-----
First check out the latest nvclock source code:
> cvs -d:pserver:anonymous@nvclock.cvs.sourceforge.net:/cvsroot/nvclock login
> cvs -z3 -d:pserver:anonymous@nvclock.cvs.sourceforge.net:/cvsroot/nvclock co -P nvclock
> cd nvclock
> gedit src/backend/nv50.c
change line 331 from:
if((nv_card->subvendor_id == PCI_VENDOR_ID_SONY) && nv_card->gpu == MOBILE)
to
if(nv_card->gpu == MOBILE)
> ./configure --prefix=/usr
> make
> sudo make install
> sudo cp src/smartdimmer /usr/bin/smartdimmer

Now we have the command so fix up hal so it calls nvclock when the brightness keys on the keyboard are pressed:
> sudo gedit /usr/lib/hal/scripts/linux/hal-system-lcd-set-brightness-linux

if [ -w "$HAL_PROP_LINUX_SYSFS_PATH/brightness" ]; then
echo "$value" > $HAL_PROP_LINUX_SYSFS_PATH/brightness
if [ "$HAL_PROP_LAPTOP_PANEL_ACCESS_METHOD" = "general" ]; then
# if nvidia nvclock command exists, try to use it
if command -v nvclock &>/dev/null
then
#echo " Yes, command :nvclock: was found."
foo="$(((($value +1)*10)+5))"
nvclock -S $foo
fi
fi
exit 0
fi
-----

Done. Now if only suspend would work it would be perfect.
I also have some slight problems with sound settings (volume up/down) that worked at first but not anymore...

Oh I forgot to say...EJBCA works perfect!

EJBCA 3.8.0 released

EJBCA 3.8.0 have a whole range of fixes. One of the most interesting is the improvements in the authorization module, making it much easier to configure administrators and allowing you to use externally issued certificates as administrator certificates (for example from a national id).
This will hopefully get rid of most questions posted asking about problems configuring new administrators.

See http://ejbca.org/ for the download and full changelog.

News was published on Serverside.com.

Wednesday, November 19, 2008

Simple Certificate Archival solution

Introduction


From syscheck 1.2 and on there is a script-based archival solution.

New and revoked certificates are stored on local disk in a file-tree and optional remote SSH server.

syscheck svn: https://ejbca.svn.sourceforge.net/svnroot/ejbca/trunk/syscheck/

Setup of publisher


Go to: EJBCA Adminweb → ”Edit Publishers” → Add new name: ”Archival publisher”


Select/ enter the following:


Publisher Type: ”Custom Publisher”

Class Path: ”org.ejbca.core.model.ca.publisher.GeneralPurposeCustomPublisher”

Properties of Custom Publisher:

crl.application /path/to/syscheck/related-enabled/902_export_crl.sh

crl.failOnStandardError true

crl.failOnErrorCode true

cert.application /path/to/syscheck/related-enabled/900_export_cert.sh

cert.failOnStandardError true

cert.failOnErrorCode true

revoke.application /path/to/syscheck/related-enabled/901_export_revocation.sh

revoke.failOnStandardError true

revoke.failOnErrorCode true

Use the publisher on CA:s

Go to: EJBCA Adminweb → ”Edit Certificate Authorites”

Select the CA you want CRL archival on, then click on edit CA

At ”CRL Publishers”:

Select ”Archival publisher”

Do this for all CA:s you want CRL Archival for.

Use the publisher on Certificate profile:s

Go to: EJBCA Adminweb → ”Edit Certifcate Profiles”

At: ”Publishers”

Select ”Archival publisher”

Do this for all Certificate profiles:s you want Certifcate Archival for.


Friday, October 31, 2008

Presentation from FSCONS

Johan and Tham went to FSCONS 2008 and presented "Secure communication with open source PKI". It's a basic introduction to PKI and a demonstration of email-signing, Apache client cert authentication and using certs in OpenVPN.



Direct link to the video (use VLC to play it if it doesn't work).

The presentation slides.

Monday, October 27, 2008

EJBCA and BouncyCastle on OSOR.eu eID/PKI/eSignature Community Workshop

I will present a "Lightening talk" on the OSOR.eu eID/PKI/eSignature Community Workshop in Brussels on the 13th of November 2008. The talk will be a short one describing experience from both the BouncyCastle and the EJBCA projects regarding open source usage in the EU. The hope is to give some input what the EU can do to help, or not to discriminate, open source projects/products.
The BouncyCastle part is made by David Hook of Lockboxlabs.

Monday, October 13, 2008

Presentation from Open Standards Forum

You can read and view my presentation from Oasis Open Standards Forum that took place in London in the beginning of October. The event was very interesting, a lot is happening in the standardization and technology arena.

Presentation slides.

Presentation movie (73MB).

Wednesday, October 8, 2008

EJBCA @ FSCONS 2008

Two core EJBCA developers from PrimeKey Solutions AB will be present at this years FSCONS (2008-10-24 to 26th). Since PrimeKey sponsors the conference, we will have a booth somewhere in "the lounge area". So drop by and ask questions about the latest and greatest, suggest new features or tell us how you want to use EJBCA.

It currently looks like we get a chance to talk the last day at 16:00 on the subject "Secure communications with Open Source PKI". The preliminary plan is to give a simple hands-on presentation on how easy PKI can be used for secure email, client SSL authentication, OpenVPN and more.

We hope to see you all there!

Sunday, September 14, 2008

Succesful EAC ePassport PKI interoperability tests

EJBCA was present on the Prague event for PKI interoperability tests, since both Sweden and Portugal uses EJBCA for their EAC CVC PKI. The tests were a huge success and no problems were encountered in EJBCA. Interoperability was tested with many different countries using different implementations and algorithms.

Look out for EJBCA 3.7.1, that will bring ECC support (as tested on the event) and a lot of CVC usability enhancements.

Saturday, September 6, 2008

Bouncycastle supported by Lock Box Labs

My favorite open source project, the Java crypto provider Bouncycastle (http://www.bouncycastle.org/) have gotten their own legal entity offering support contracts. Go get one!

Monday, September 1, 2008

Cert-cvc library 1.2.7 released

This release of the CV certificate library, for EAC 1.11 ePassports, contains full support for both RSA and ECC algorithms.

This marks another milestone for ePassport support in EJBCA. The cert-cvc library now has full support and can be freely used by anyone under the LGPLv2 license.

Changes:
- Support for ECC keys and signatures, need BC version 1.41 which is included in svn.
- Fix bug where outer signature in authenticated requests did not include CARef in TBS
- Don't add caRef if not passed, or passed as null, to CertificateGenerator.
- Translations of Swedish javadoc to English.


Cheers,
Tomas

Wednesday, August 13, 2008

Oasis Open Standards Forum in London

On the 30th of September to 3rd of October Oasis will hold Open Standard Forum near London. For more information see the official website.

I'm also excited about listening to the other speakers at the event, covering many different areas of identity- and key management.

I have been accepted as a speaker and will talk about XML protocol interfaces to a PKI. I will mostly use case studies to kind of outline the requirements of an XML protocol. The most detailed case study is the Hardtoken Management Framework developed by Philip in cooperation with the Swedish police (www.hardtokenmgmt.org). The hardtoken management framework is the basis for the smart card management at the Swedish police and uses Webservice interface to communicate with the PKI.
On interesting topic, where we might receive some feedback(?), is what happened to XKMS and if there is any future efforts in that direction. Also looking more into the future we may see a merging of symmetric key management (EKMI) and PKI management.

Maybe we'll see some standardization in this area?

If you have your ways pass London you should join.

Friday, July 11, 2008

EJBCA gets ePassport contribution from Swedish National Police Board

The open source enterprise PKI software EJBCA has received support for EU EAC ePassports. The Swedish National Police Board has developed the cert-cvc java library used for the implementation, and contributes the library to the open source project under the LGPL license. The Police Board also supported the development to integrate the library into EJBCA.

EAC, short for Extended Access Control, is the standard developed in the EU to protect fingerprint and iris data stored on electronic travel documents (passports). Fingerprints will be stored on all EU passport within a few years, with pilot project starting this year. Releasing the library to the open source means that other EU member states does not have to develop everything themselves, and could make implementation much easier and less expensive.
A perfect example of openness and cooperation.

This release is feature complete for EU EAC ePassports using RSA algorithm. ECC support is still not complete. Any help in the ECC area is welcome.

The library is released, with full source, and can be downloaded from sourceforge — http://sourceforge.net/projects/ejbca/."

Saturday, July 5, 2008

EJBCA HA best practices

There are many ways to design a HA system taking all considerations into account. After dealing with this issue for a couple of years, here is our teams experience on what works and what doesn't work.

There are two important components in a HA EJBCA setup:
  • Database
  • EJBCA application server
The database is by far the trickiest to set up in HA-mode. The database holds everything that is really important in an EJBCA setup.
In case of failure, everything can be re-created from the EJBCA distribution except the database contents.
A full HA setup would look like:
  • Load balancers in front of the EJBCA app servers
  • EJBCA app servers using a single HA database on a single ip
  • Load balancers in front of the database cluster
  • A HA database cluster
This is of course expensive and this setup is suitable for organizations with dedicated database/app server/load balancer groups that have the resources and knowledge to handle this kind of system.

Most shops however simply don't want, don't need, or can't handle that kind of complexity.

Another alternative, that does not provide full HA, but that does provide very good data safety with short fail over times is:
  • Two combined EJBCA/database servers with three ip's, one real for each server and one "virtual" that can be moved.
  • Node 1 has the virtual ip by default.
  • Database master on node 1 that replicates, in real time, to node 2.
  • EJBCA running on both nodes using the "virtual" ip as database ip.
  • If node 1 fails, a script must be manually run that changes the virtual ip to node 2, and restarts app server on node 2. Now node 2 is master and single point of failure while node 1 is brought up again.
  • When node 1 is brought up again the system is either restored to original state with node 1 as master (requires restoring database on node 1 and reseting replication), or node 2 is now the master and replicates to node 1 (requires starting replication in that direction).
Other alternatives that you might start to look at is to include software load balancers and automatic fail-over scripts in the combined servers.
In our experience this is not a good idea!
In most cases this setup will cause more problems than it solves and your issues will originate from the load balancing software/fail-over scripts not working instead of the database/EJBCA not working.
If you are not sure what you are doing and has done this kind of setups several times before, stay away from it.

Friday, June 6, 2008

Using UTF-8 in mysql

To use EJBCA-JBoss-MySQL with exotic UTF-8 characters you need to configure MySQL to create the tables with utf-8 character encoding, eotherwise you will get an exception when trying to save a subjectDN for a user.

To use utf8 in mysql you have to set the following options in my.cnf:
default-character-set=utf8
collation-server = utf8_general_ci

BEFORE you start MySQL, create the database and start JBoss.

To check the encoding of the tables:
mysql -u root -p
> use information_schema;
> select table_schema,table_name, table_collation from tables;
| ejbca2 | UserData | utf8_general_ci |
| ejbca2 | UserDataSourceData | utf8_general_ci |
| ejbcatest | AccessRulesData | latin1_swedish_ci |
| ejbcatest | AdminEntityData | latin1_swedish_ci |

Default when installing MySQL in ubuntu is to create with 'table_collation' latin1_swedish_c1', but we want 'utf8_general_ci', which it creates in a database created with the new settings in my.cnf.

Thursday, April 10, 2008

Controlling an EJBCA cluster node

Just a little glimpse on what is possible to easily achieve.

Some people have clustered high security environments, where you need multiple people to access a shell or console the EJBCA machine. In such an environment it is convenient if you can do some stuff without logging in...NodeControl is born. Nodecontrol runns in a separate Tomcat instance so is independent of JBoss/EJBCA.
With NodeControl you can:
  1. Check HealthCheck on EJBCA
  2. Start/stop JBoss
  3. Add/remove the node in the cluster by turning on/off the maintenance file in HealthCheck (if maintenance is on, healthcheck returns an error with your message in it)
  4. Tail and grep in logfiles from pre-configured directories. Also 'tail -f' a logfile through openssl (or nc) to your machine.
Naturally the NodeControl needs certificate authentication where you drop allowed certificates in a directory. Everything highly configurable of course, and presented in a slick looking ajax gui :)

Some of these functions should probably be available in a future re-make of the EJBCA admin-GUI.

Thursday, March 20, 2008

Quick install of Alfresco....

.... with MySQL as database back-end and OpenOffice integration.

Alfresco-and-OpenOffice

Wednesday, March 12, 2008

EJBCA on Weblogic 9

You do not need the administrative Gui to perform start, stop, deploy or undeploy on Weblogic.
To be able to use the command line you have to enable tunneling (no restart required).

In the gui go to "Environment -> Servers -> myserver(admin) -> Protocols -> Enable Tunneling"

On the command line edit bea/weblogic92/server/bin/config/config.xml and add the following to the <server> section (restart required):

<tunneling-enabled>true</tunneling-enabled>

After this you can use the command line tools. For exampel:

java weblogic.Deployer -user weblogic -password weblogic -name mymodule -undeploy
java weblogic.Deployer -user weblogic -password weblogic -name mymodule -deploy -source /home/jboss/ejbca/dist/ejbca.ear
java weblogic.Deployer -user weblogic -password weblogic -name mymodule -stop
java weblogic.Deployer -user weblogic -password weblogic -name mymodule -start

Monday, March 10, 2008

New page about scripts addons for EJBCA

Scipts for generating lots of users

Made by kinneh and MrsTidy 2007
Tested to generate 20.000 Users, be aware of diskusage (We used about 2GB)

...


http://wiki.ejbca.org/ejbca-scripts

Monday, February 11, 2008

Converting keystores between JKS and P12

Johan dug up these keytool commands, that works with JDK6 and onwards (not in JDK5 and earlier).

JKS → P12
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12

P12 → JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

I recently retested the p12 to jks conversion on Java 7u79, converting a superadmin.p12 keystore from EJBCA to JKS. Still works!

If you need a CA software that can generate both JKS, P12 or PEM keystores directly so you don't have to convert. Take a look at EJBCA Community, or it's supported big brother EJBCA Enterprise.

Using Websphere and WAS under Ubuntu Linux

Some notes about using Websphere ND and RAD under Ubuntu Linux 7.10.

Because Ubuntu uses dash as the default shell (/bin/sh is a link to /bin/dash not /bin/bash) and websphere installation
too requires bash, although it erroneously uses /bin/sh you have two options:
  • Change the link /bin/sh to /bin/bash instead of /bin/dash.
  • Change /bin/sh to /bin/bash in the websphere shell scripts.
To change to websphere shell scripts you can use the following command, that I found on the web (replace paths to meet you installation):
sudo perl -p -i -e "s/\/sh$/\/bash/" /opt/IBM/WebSphere/AppServer/bin/*.sh

To install Rational Applicaton Developer (RAD v7) on a recent Ubuntu you need to
specify some options to java, or your java gui windows will be completely
blank, making it hard to to any installation :-).
To make it work, simply set this environment variable before running
the installer:
export IBM_JAVA_OPTIONS=-Dawt.toolkit=sun.awt.motif.MToolkit

EJBCA PKI blog

Here I will post mostly technical stuff happening during development of EJBCA (http://ejbca.org). This will work like a memory bank for me, and a place for others to find stuff that I have struggled with, or compiled from various sources in the internet.

Welcome!