EJBCA and OpenSSO are great companions. EJBCA provides users with digital certificates for strong authentication and digital signatures, and OpenSSO uses these credentials to provide single sign-on and authorization, using the latest buzzwords such as SAML and XACML.
Over at ejbca.org we have a couple of great articles on how to set up the integration between EJBCA and OpenSSO and how to configure the Certificate authentication module in OpenSSO: issue a certificate in EJBCA and immediately use it to authenticate with OpenSSO.
Check out the EJBCA-OpenSSO articles at EJBCA.org.
Friday, November 27, 2009
Monday, November 23, 2009
MySQL on a SSD disk
I thought that my MySQL InnoDB database was a bit slow, at least when running on an encrypted disk. Added an 80GB X25-M SSD disk to keep the MySQL database on (only development data, so no encryption needed there). My performance increased 5 times at worst and more than 10 times at best.
Applications with a lot of short database accesses (such as large update statements in MySQL) will get a huge boost with SSD. We will see how it performs in the long run...
So far it is highly recommended!
Bind-mount is really good:
mount -B /media/SSD/mysql /var/lib/mysql
or in fstab:
/media/SSD/mysql /var/lib/mysql bind defaults,bind 0 0
Did all this to speed up producing really large CRLs (>500.000 revoked certificates). Works pretty neat.
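An added check, not part of the original post, that the fstab entry above is really present and really is a bind mount, so MySQL does not start on an empty /var/lib/mysql after a reboot if the line was mistyped. The function names and the sample fstab are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that an fstab file binds
# SRC onto DST, matching the entry "/media/SSD/mysql /var/lib/mysql bind defaults,bind 0 0".

# check_fstab_bind FSTAB SRC DST
# Returns 0 when FSTAB has an uncommented line whose source is SRC, whose mount
# point is DST and whose fstype or option list contains "bind"; 1 otherwise.
check_fstab_bind() {
    fstab=$1; src=$2; dst=$3
    awk -v src="$src" -v dst="$dst" '
        /^[[:space:]]*#/ || NF < 4 { next }          # skip comments and short lines
        $1 == src && $2 == dst {
            if ($3 == "bind") found = 1               # fstype column says bind
            n = split($4, opts, ",")                   # or the options column does
            for (i = 1; i <= n; i++) if (opts[i] == "bind") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$fstab"
}

# Constructed sample fstab (assumption) so the check can be run stand-alone.
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /etc/fstab (constructed sample)
UUID=0000-0000 /               ext4 errors=remount-ro 0 1
/media/SSD/mysql /var/lib/mysql bind defaults,bind 0 0
EOF
    printf '%s\n' "$f"
}
```

On a live host, `findmnt /var/lib/mysql` shows whether the bind mount is currently active, which is the runtime counterpart of this fstab check.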
Thursday, November 5, 2009
USB pass-through to KVM in Ubuntu Karmic (9.10)
You have to allow libvirt to use USB devices.
Edit /etc/apparmor.d/abstractions/libvirt-qemu and uncomment some lines.
# WARNING: uncommenting these gives the guest direct access to host hardware.
# This is required for USB pass through but is a security risk. You have been
# warned.
/sys/bus/usb/devices/ r,
/sys/devices/*/*/usb[0-9]*/** r,
/dev/bus/usb/*/[0-9]* rw,
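An added helper, not from the original post, that uncomments exactly the three rule lines above in a copy of the abstraction file and then confirms that only those three lines became active (the WARNING comment stays a comment). The function names and the sample file contents are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Enables the three USB rules in an
# AppArmor abstraction file and checks the result, instead of hand-editing.

# enable_usb_passthrough FILE: strip the leading "#" from the three rule lines only.
enable_usb_passthrough() {
    sed -e 's|^[[:space:]]*#[[:space:]]*\(/sys/bus/usb/devices/ r,\)[[:space:]]*$|  \1|' \
        -e 's|^[[:space:]]*#[[:space:]]*\(/sys/devices/\*/\*/usb\[0-9\]\*/\*\* r,\)[[:space:]]*$|  \1|' \
        -e 's|^[[:space:]]*#[[:space:]]*\(/dev/bus/usb/\*/\[0-9\]\* rw,\)[[:space:]]*$|  \1|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# usb_rules_enabled FILE: returns 0 only when all three rules are uncommented.
usb_rules_enabled() {
    n=$(grep -c -E '^[[:space:]]*(/sys/bus/usb/devices/ r,|/sys/devices/\*/\*/usb\[0-9\]\*/\*\* r,|/dev/bus/usb/\*/\[0-9\]\* rw,)[[:space:]]*$' "$1")
    [ "$n" -eq 3 ]
}

# Constructed sample of the relevant part of the abstraction file (assumption).
make_sample_abstraction() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# WARNING: uncommenting these gives the guest direct access to host hardware.
# This is required for USB pass through but is a security risk. You have been
# warned.
#/sys/bus/usb/devices/ r,
#/sys/devices/*/*/usb[0-9]*/** r,
#/dev/bus/usb/*/[0-9]* rw,
EOF
    printf '%s\n' "$f"
}
```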
Migrating vmware images to use in kvm instead is nicely described here: http://ubuntuforums.org/showthread.php?t=1163175.
For a RedHat image I simply ran:
sudo qemu-img convert -f vmdk redhat.vmdk -O qcow2 redhat.img
Create a new kvm machine in virt-manager, but terminate when it tries to start installing. Simply replace the image virt-manager created with redhat.img and restart the new kvm machine.
SignServer 3.1.0 released
The PrimeKey SignServer team is happy to announce that SignServer 3.1 has been released! This is a major new version with lots of exciting functionality for document signing and validation.
Development continues beyond this version and all requests from the community and from the EJBCA Developer Conference [1] are scheduled for SignServer 3.2 or later releases.
More information is available at the project web site [2] and the complete changelog can be viewed in the issue tracker [3].
SignServer 3.1 Release Notes ►
- New module system: The byte code for a worker can be packaged as a separate module that can be loaded and unloaded at runtime.
- New workers:
  - XML Signer/Validator - Signing and validating XML documents.
  - ODF Signer - Signing Open Document Format documents, for instance used by OpenOffice.org.
  - OOXML Signer - Signing Office Open XML documents.
  - CRL Validator - Validating certificates by looking up certificate revocation lists.
  - OCSP Validator - Validating certificates using the online certificate status protocol.
  - MRTD SOD Signer - Creating and signing ePassport security objects.
- Several other minor features, fixes and improvements.
[2] http://www.signserver.org
[3] http://jira.primekey.se/browse/DSS
Wednesday, October 21, 2009
EJBCA 3.9.2 released
We are proud to announce the release of EJBCA 3.9.2. We believe this is
the most stable release of EJBCA to date.
This is a minor release, but it is packed with new minor features and fixes:
38 issues have been resolved, covering some minor features and options and
many bug fixes and stabilizations.
Noteworthy changes:
- Sign and verify of files with clientToolBox when the private key is
stored on a HSM.
- Possible to limit signing keys for an external OCSP responder to keys
within a set of key aliases.
- Add support for the TSL signer extended key usage
- Use improved validity period parsing in Certificate Profiles
- Add option to use publisher queue or not for CRLs and certificates
- Document MS application policies extension
- Fixes for ejbcaClientToolBox.bat for windows platform
- Timeouts for LDAP publishers to handle unstable LDAP servers
- Fix issue where CRL service may stop running if database is stopped
for some period
- Change so that Issuing Distribution Point on CRLs is not used by
default in CA configuration
- Fix issue using IAIK provider with several CAs
- Fix slow revocation if a user has many certificates
- cert-cvc: getting expiration date returns 00.00 hours but it means
it's valid the whole day
- cert-cvc: bad encoding of EC points in certificates in rare cases
where affineX and affineY are not the same size
- Many small optimizations, fixes and improvements.
Read the full changelog for details.
For upgrade instructions, please see UPGRADE.
----
Work has already started for EJBCA 3.9.3, as well as 3.10. For 3.9.3 we
will for the first time in ages get some new bling on the admin GUI,
thanks to David Carella in France who contributed some styles for the
admin GUI.
EJBCA 3.10 will have many changes, preparing for the big move to EJBCA
4.0. Among other things, all configuration in properties files can now
be stored outside of the ear file and changed dynamically at runtime.
Regards,
The EJBCA team at PrimeKey.
Friday, September 25, 2009
Presentation from EJBCA Developers conference
We held an EJBCA developers conference in Sweden on 13-15 September. Some presentations from the conference are now up on http://www.primekey.se/Community/.
/Tomas
Thursday, September 3, 2009
Open Source security project gets EU funding
Article (in Swedish) about PrimeKey Solutions (in a consortium that the article does not mention) getting funding for developing an EAL-certified open source security core.
http://www.idg.se/2.1085/1.243826/eu-miljoner-till-svenska-it-foretag