Sunday, September 14, 2008

Successful EAC ePassport PKI interoperability tests

EJBCA was present at the Prague event for PKI interoperability tests, since both Sweden and Portugal use EJBCA for their EAC CVC PKI. The tests were a huge success and no problems were encountered in EJBCA. Interoperability was tested with many different countries using different implementations and algorithms.

Look out for EJBCA 3.7.1, which will bring ECC support (as tested at the event) and a lot of CVC usability enhancements.

Saturday, September 6, 2008

Bouncycastle supported by Lock Box Labs

My favorite open source project, the Java crypto provider Bouncycastle (http://www.bouncycastle.org/), has gotten its own legal entity offering support contracts. Go get one!

Monday, September 1, 2008

Cert-cvc library 1.2.7 released

This release of the CV certificate library, for EAC 1.11 ePassports, contains full support for both RSA and ECC algorithms.

This marks another milestone for ePassport support in EJBCA. The cert-cvc library now has full support and can be freely used by anyone under the LGPLv2 license.

Changes:
- Support for ECC keys and signatures; requires BC version 1.41, which is included in svn.
- Fix bug where outer signature in authenticated requests did not include CARef in TBS.
- Don't add caRef if not passed, or passed as null, to CertificateGenerator.
- Translations of Swedish javadoc to English.


Cheers,
Tomas

Wednesday, August 13, 2008

Oasis Open Standards Forum in London

From the 30th of September to the 3rd of October, Oasis will hold the Open Standards Forum near London. For more information see the official website.

I'm also excited about listening to the other speakers at the event, covering many different areas of identity- and key management.

I have been accepted as a speaker and will talk about XML protocol interfaces to a PKI. I will mostly use case studies to kind of outline the requirements of an XML protocol. The most detailed case study is the Hardtoken Management Framework developed by Philip in cooperation with the Swedish police (www.hardtokenmgmt.org). The hardtoken management framework is the basis for the smart card management at the Swedish police and uses a Webservice interface to communicate with the PKI.
One interesting topic, where we might receive some feedback(?), is what happened to XKMS and whether there are any future efforts in that direction. Also, looking more into the future, we may see a merging of symmetric key management (EKMI) and PKI management.

Maybe we'll see some standardization in this area?

If you are passing by London, you should join.

Friday, July 11, 2008

EJBCA gets ePassport contribution from Swedish National Police Board

The open source enterprise PKI software EJBCA has received support for EU EAC ePassports. The Swedish National Police Board has developed the cert-cvc Java library used for the implementation, and contributes the library to the open source project under the LGPL license. The Police Board also supported the development to integrate the library into EJBCA.

EAC, short for Extended Access Control, is the standard developed in the EU to protect fingerprint and iris data stored on electronic travel documents (passports). Fingerprints will be stored on all EU passports within a few years, with a pilot project starting this year. Releasing the library as open source means that other EU member states do not have to develop everything themselves, which could make implementation much easier and less expensive.
A perfect example of openness and cooperation.

This release is feature complete for EU EAC ePassports using RSA algorithm. ECC support is still not complete. Any help in the ECC area is welcome.

The library is released, with full source, and can be downloaded from SourceForge: http://sourceforge.net/projects/ejbca/

Saturday, July 5, 2008

EJBCA HA best practices

There are many ways to design an HA system taking all considerations into account. After dealing with this issue for a couple of years, here is our team's experience of what works and what doesn't work.

There are two important components in a HA EJBCA setup:
  • Database
  • EJBCA application server
The database is by far the trickiest to set up in HA-mode. The database holds everything that is really important in an EJBCA setup.
In case of failure, everything can be re-created from the EJBCA distribution except the database contents.
A full HA setup would look like:
  • Load balancers in front of the EJBCA app servers
  • EJBCA app servers using a single HA database on a single IP
  • Load balancers in front of the database cluster
  • A HA database cluster
This is of course expensive and this setup is suitable for organizations with dedicated database/app server/load balancer groups that have the resources and knowledge to handle this kind of system.

Most shops however simply don't want, don't need, or can't handle that kind of complexity.

Another alternative, that does not provide full HA, but that does provide very good data safety with short fail over times is:
  • Two combined EJBCA/database servers with three IPs, one real for each server and one "virtual" that can be moved.
  • Node 1 has the virtual IP by default.
  • Database master on node 1 that replicates, in real time, to node 2.
  • EJBCA running on both nodes using the "virtual" IP as database IP.
  • If node 1 fails, a script must be manually run that changes the virtual IP to node 2, and restarts the app server on node 2. Now node 2 is master and a single point of failure while node 1 is brought up again.
  • When node 1 is brought up again, the system is either restored to its original state with node 1 as master (requires restoring the database on node 1 and resetting replication), or node 2 is now the master and replicates to node 1 (requires starting replication in that direction).
Another alternative that you might start to look at is to include software load balancers and automatic fail-over scripts in the combined servers.
In our experience this is not a good idea!
In most cases this setup will cause more problems than it solves, and your issues will originate from the load balancing software/fail-over scripts not working instead of the database/EJBCA not working.
Unless you are sure what you are doing and have done this kind of setup several times before, stay away from it.
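
The manually run script from the two-node alternative above (the operator-run step, not the automatic fail-over advised against) could look like the following. This is an added example, not code from EJBCA or from this blog. The address, interface name and JBoss restart command are assumptions, and promoting the database replica on node 2 is left to the operator.

```shell
#!/bin/sh
# Manual fail-over, run by an operator on node 2 after node 1 has failed.
# Every value below is an assumption for illustration; adjust to your site.
VIP="${VIP:-192.0.2.10}"          # the movable "virtual" IP (documentation range)
PREFIX="${PREFIX:-24}"            # netmask length of the service network
IFACE="${IFACE:-eth0}"            # interface on node 2 that will carry the VIP
APP_RESTART="${APP_RESTART:-/etc/init.d/jboss restart}"   # hypothetical path

# The ordered steps: claim the VIP, announce it, restart the app server.
failover_plan() {
    printf '%s\n' \
        "ip addr add $VIP/$PREFIX dev $IFACE" \
        "arping -U -c 3 -I $IFACE $VIP" \
        "$APP_RESTART"
}

# If the VIP still answers, node 1 may be alive; taking the address now
# would put the same IP on two hosts and split database writes.
vip_is_free() {
    ! ping -c 2 -W 1 "$VIP" >/dev/null 2>&1
}

# Without arguments only print the plan; with --execute run it step by step
# and stop at the first failing command.
run_failover() {
    if [ "${1:-}" != "--execute" ]; then
        failover_plan
        return 0
    fi
    if ! vip_is_free; then
        echo "VIP $VIP still answers; shut down node 1 before moving it" >&2
        return 1
    fi
    failover_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}
# Usage: run_failover            (dry run, prints the three commands)
#        run_failover --execute  (as root on node 2)
```

The dry run lets the operator read the exact commands before anything changes, which keeps the fail-over a deliberate manual decision.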

Friday, June 6, 2008

Using UTF-8 in mysql

To use EJBCA-JBoss-MySQL with exotic UTF-8 characters you need to configure MySQL to create the tables with UTF-8 character encoding, otherwise you will get an exception when trying to save a subjectDN for a user.

To use utf8 in mysql you have to set the following options in my.cnf:
default-character-set=utf8
collation-server = utf8_general_ci

BEFORE you start MySQL, create the database and start JBoss.

To check the encoding of the tables:
mysql -u root -p
> use information_schema;
> select table_schema,table_name, table_collation from tables;
| ejbca2 | UserData | utf8_general_ci |
| ejbca2 | UserDataSourceData | utf8_general_ci |
| ejbcatest | AccessRulesData | latin1_swedish_ci |
| ejbcatest | AdminEntityData | latin1_swedish_ci |

The default when installing MySQL on Ubuntu is to create tables with table_collation 'latin1_swedish_ci', but we want 'utf8_general_ci', which is what you get in a database created with the new settings in my.cnf.
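
To act on the collation check above, the following added example (not part of the original post or of EJBCA) reads rows in the format the mysql client prints and emits one ALTER TABLE statement for each table in a chosen schema that is not utf8_general_ci. Converting existing tables this way goes beyond the post, which only covers creating the database with the new settings. The function names are hypothetical and the sample rows are the ones shown above.

```shell
#!/bin/sh
# Sample input: the rows from the information_schema query shown in the post.
sample_rows() {
cat <<'EOF'
| ejbca2 | UserData | utf8_general_ci |
| ejbca2 | UserDataSourceData | utf8_general_ci |
| ejbcatest | AccessRulesData | latin1_swedish_ci |
| ejbcatest | AdminEntityData | latin1_swedish_ci |
EOF
}

# Read "| schema | table | collation |" rows on stdin and print an
# ALTER TABLE statement for every table in schema $1 that is not
# utf8_general_ci. Statements are only printed, never executed.
conversion_sql() {
    awk -F'|' -v schema="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 5 {
            s = trim($2); t = trim($3); c = trim($4)
            # Views report NULL collation; skip them and header/border lines.
            if (s != schema || c == "" || c == "NULL") next
            if (c == "utf8_general_ci") next
            # Only plain identifiers are turned into SQL.
            if (t !~ /^[A-Za-z0-9_]+$/) next
            printf "ALTER TABLE `%s`.`%s` CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;\n", s, t
        }'
}
# Usage against a live server (assumes the mysql client and credentials):
#   mysql -u root -p -t -e "select table_schema,table_name,table_collation \
#     from information_schema.tables" | conversion_sql ejbcatest
```

Review the printed statements and take a database backup before running them, since conversion rewrites every text column in the table.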