EJBCA and OpenSSO are great companions. EJBCA provides users with digital certificates for strong authentication and digital signatures, and OpenSSO uses these credentials to provide single sign-on and authorization, using the latest buzzwords such as SAML, XACML, etc.
Over at ejbca.org we have a couple of great articles on how to set up integration between EJBCA and OpenSSO and how to configure the Certificate authentication module in OpenSSO. Issue a certificate in EJBCA and immediately use it to authenticate with OpenSSO.
Check out the EJBCA-OpenSSO articles at EJBCA.org.
Friday, November 27, 2009
Monday, November 23, 2009
MySQL on a SSD disk
I thought that my MySQL InnoDB database was a bit slow, at least when running on an encrypted disk. Added an 80GB X25-M SSD disk to keep the MySQL database on (only development data so no encryption needed there). My performance increased 5 times at worst and more than 10 times at best.
Applications with a lot of short database accesses (such as large update statements in MySQL) will get a huge boost with SSD. We will see how it performs in the long run...
So far it is highly recommended!
Bind-mount is really good:
mount -B /media/SSD/mysql /var/lib/mysql
or in fstab:
/media/SSD/mysql /var/lib/mysql bind defaults,bind 0 0
Did all this to get up the speed when producing really large CRLs (>500.000 revoked certificates). Works pretty neat.
Thursday, November 5, 2009
USB pass-through to KVM in Ubuntu Karmic (9.10)
You have to allow libvirt to use USB devices.
Edit /etc/apparmor.d/abstractions/libvirt-qemu and uncomment some lines.
# WARNING: uncommenting these gives the guest direct access to host hardware.
# This is required for USB pass through but is a security risk. You have been
# warned.
/sys/bus/usb/devices/ r,
/sys/devices/*/*/usb[0-9]*/** r,
/dev/bus/usb/*/[0-9]* rw,
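An added example, not part of the original post: a small shell check that reports whether the three USB rules quoted above are active (present and not commented out) in an AppArmor abstraction file. The function names and the sample file are constructed for illustration; on a host the functions would be pointed at /etc/apparmor.d/abstractions/libvirt-qemu.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the USB
# pass-through rules quoted in the post are active in an AppArmor abstraction.

# The three rules from the post, one fixed-string pattern per line.
USB_RULES='/sys/bus/usb/devices/ r,
/sys/devices/*/*/usb[0-9]*/** r,
/dev/bus/usb/*/[0-9]* rw,'

# Print each USB rule that is active (not commented out) in file $1.
usb_rules_active() {
    [ -r "$1" ] || return 2
    # Drop comment lines, trim whitespace, then match whole lines literally.
    grep -v '^[[:space:]]*#' "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fx -e "$USB_RULES" \
        | sort -u
}

# Print "enabled" (all three rules active), "partial" or "disabled".
usb_passthrough_status() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    n=$(( $(usb_rules_active "$1" | wc -l) ))
    case $n in
        3) echo enabled ;;
        0) echo disabled ;;
        *) echo partial ;;
    esac
}

# Constructed sample: one rule active, two still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  # WARNING: uncommenting these gives the guest direct access to host hardware.
  /sys/bus/usb/devices/ r,
  #/sys/devices/*/*/usb[0-9]*/** r,
  # /dev/bus/usb/*/[0-9]* rw,
EOF
echo "sample: $(usb_passthrough_status "$sample")"
rm -f "$sample"
```

The check reads the file on disk only; it does not tell you whether the profile has been reloaded since the file was edited.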
Migrating vmware images to use in kvm instead is nicely described here: http://ubuntuforums.org/showthread.php?t=1163175.
For a RedHat image I simply ran:
sudo qemu-img convert -f vmdk redhat.vmdk -O qcow2 redhat.img
Create a new kvm machine in virt-manager, but terminate when it tries to start installing. Simply replace the image virt-manager created with redhat.img and restart the new kvm machine.
SignServer 3.1.0 released
The PrimeKey SignServer team is happy to announce that SignServer 3.1 has been released! This is a major new version with lots of exciting functionality for document signing and validation.
Development continues beyond this version and all requests from the community and from the EJBCA Developer Conference [1] are scheduled for SignServer 3.2 or later releases.
More information is available at the project web site [2] and the complete changelog can be viewed in the issue tracker [3].
SignServer 3.1 Release Notes
- New module system: The byte code for a worker can be packaged as a separate module that can be loaded and unloaded at runtime.
- New workers:
  - XML Signer/Validator - Signing and validating XML documents.
  - ODF Signer - Signing Open Document Format documents, for instance used by OpenOffice.org.
  - OOXML Signer - Signing Office Open XML documents.
  - CRL Validator - Validating certificates by looking up certificate revocation lists.
  - OCSP Validator - Validating certificates using the online certificate status protocol.
  - MRTD SOD Signer - Creating and signing ePassport security objects.
- Several other minor features, fixes and improvements.
[2] http://www.signserver.org
[3] http://jira.primekey.se/browse/DSS