Tuesday, December 29, 2009
FOSDEM 2010
Yes, EJBCA and SignServer will have a stand at the geek fest FOSDEM on 6-7 February 2010. Visit FOSDEM, it's great!
Using Brainpool ECC curves in Java (with HSM)
In EAC ePassports the Brainpool family of curves can be used, and is used by some countries. Java (or more specifically the Sun JCE and PKCS#11 provider) does not support these curves natively; they are not named curves that it knows about. The kind guys over at Ministerie van Binnenlandse Zaken en Koninkrijksrelaties in the Netherlands experimented and showed us how to use them with a SafeNet ProtectServer Gold.
I tested it out and wrote a howto for EJBCA. The downside is that you have to generate the keys with the HSM tools, so you cannot generate new keys from within the EJBCA admin GUI.
Of course, if you are not using an HSM, the BouncyCastle provider supports them out of the box.
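To show what "out of the box" means in practice, here is an added example (not part of this post or of the EJBCA code base) that generates a Brainpool key pair through the BouncyCastle JCE provider, checks which curve the key actually carries, prints the explicit domain parameters you would otherwise have to hand to an HSM tool, and signs and verifies a constructed message. It assumes the BouncyCastle provider jar is on the classpath and picks brainpoolP256r1 as the curve; whether the first step (asking the JDK's own EC provider for the curve by name) fails depends on the JDK you run it on.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.interfaces.ECPublicKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
import org.bouncycastle.jce.spec.ECParameterSpec;

public class BrainpoolKeyDemo {

    // Assumption: brainpoolP256r1 is the curve we want. The other names in BC's
    // table (brainpoolP{160,192,224,320,384,512}{r,t}1) work the same way.
    private static final String CURVE = "brainpoolP256r1";

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // 1. Ask the JDK's default EC provider for the curve by name. On the JDKs
        //    the post talks about this fails, since brainpool is not a named curve
        //    they know; we only report what happens on this JDK.
        try {
            KeyPairGenerator dflt = KeyPairGenerator.getInstance("EC");
            dflt.initialize(new ECGenParameterSpec(CURVE));
            System.out.println(dflt.getProvider().getName() + " accepted " + CURVE);
        } catch (GeneralSecurityException e) {
            System.out.println("Default EC provider does not know " + CURVE + ": " + e);
        }

        // 2. Generate the key pair with BouncyCastle, which has the curve built in.
        KeyPair kp = generateBrainpoolKeyPair(CURVE);
        System.out.println("Public key really is on " + CURVE + ": " + isOnCurve(kp, CURVE));

        // 3. The explicit domain parameters, for tools that need the curve spelled
        //    out instead of referenced by name.
        ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec(CURVE);
        System.out.println("Order n has " + spec.getN().bitLength() + " bits");
        System.out.println("Cofactor h = " + spec.getH());
        System.out.println("Generator G = " + spec.getG());

        // 4. Sign and verify a constructed message with ECDSA over SHA-256.
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        byte[] sigBytes = sign(kp, msg);
        System.out.println("Signature verifies: " + verify(kp, msg, sigBytes));
    }

    /** Generates an EC key pair on the given named curve using the BC provider. */
    static KeyPair generateBrainpoolKeyPair(String curveName) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
        kpg.initialize(new ECGenParameterSpec(curveName));
        return kpg.generateKeyPair();
    }

    /**
     * Compares the key's domain parameters with BC's table entry for the curve.
     * Both the curve equation and the group order are checked, because the r1 and
     * t1 twists of a Brainpool size share the same order.
     */
    static boolean isOnCurve(KeyPair kp, String curveName) {
        ECParameterSpec keyParams = ((ECPublicKey) kp.getPublic()).getParameters();
        ECNamedCurveParameterSpec table = ECNamedCurveTable.getParameterSpec(curveName);
        return keyParams.getCurve().equals(table.getCurve())
                && keyParams.getN().equals(table.getN());
    }

    static byte[] sign(KeyPair kp, byte[] msg) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA", "BC");
        sig.initSign(kp.getPrivate());
        sig.update(msg);
        return sig.sign();
    }

    static boolean verify(KeyPair kp, byte[] msg, byte[] sigBytes) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA", "BC");
        sig.initVerify(kp.getPublic());
        sig.update(msg);
        return sig.verify(sigBytes);
    }
}
```

Compile and run it with the BouncyCastle provider jar on the classpath. The curve check in step 2 is the part worth keeping around: when a key comes from an HSM rather than from software, comparing its parameters against the named-curve table is a cheap way to confirm the HSM tool really produced the curve you asked for.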
Monday, December 21, 2009
EJBCA 3.9.3 released
Very convenient, so you have something to play with during the Christmas holidays... here is EJBCA 3.9.3.
This is a minor release, but it is packed with new minor features and options, bug fixes and stabilizations; 42 issues have been resolved.
Noteworthy changes:
- Fixed a regression in 3.9.2 where you could not upload files in the admin GUI.
- Certificate profiles can now specify a different signature algorithm than the CA. Useful to start migrating SHA1 CAs to issue SHA256 certificates.
- Possibility to use part of user data in LDAP DN but not in certificate DN when publishing certificate to LDAP.
- Possibility to set fixed end date of certificates in certificate profile and CA configuration.
- Possibility to configure several notification services for expiring certificates, notifying at different times, e.g. 30 days, 7 days, etc.
- Browser enrollment tested with Windows 7.
- ECC improvements and fixes for CAs and HSMs: CA key renewal, CA import, Brainpool curves, explicit EC parameters, clientToolBox, etc.
- GUI improvement to the admin GUI with nicer navigation menu and CSS. Contributed by Linagora, France.
- cert-cvc: fixed rare possibility to get bad encoding of EC points in certificates. Contributed by DGBK, Netherlands.
- CVC CA fixes and improvements for EAC PKI: approvals, importing CAs, a fix for the CLI info command, .cvcert instead of .crt when downloading certificates, etc.
- Don't publish certificates for inactive CA services to LDAP.
- Fix so that renewing CA keys in the admin GUI does not reload all CA tokens.
- Fixed an OutOfMemory error when publishing large CRLs failed with a connection-closed error.
- Fix download issues with IE for exported CA keystores.
- Many small optimizations, fixes and improvements.
Read the full changelog for details.
Sunday, December 13, 2009
EJBCA PKI webcasts
There is a series of webcasts about PKI in general and EJBCA in particular. Watch these cool clips at http://www.primekey.se/Company/Webcasts/.
Friday, November 27, 2009
EJBCA and OpenSSO integration
EJBCA and OpenSSO are great companions. EJBCA provides users with digital certificates for strong authentication and digital signatures, and OpenSSO uses these credentials to provide single sign-on and authorization, using the latest buzzwords such as SAML, XACML, etc.
Over at ejbca.org we have a couple of great articles on how to set up integration between EJBCA and OpenSSO and how to configure the Certificate authentication module in OpenSSO. Issue a certificate in EJBCA and immediately use it to authenticate with OpenSSO.
Check out the EJBCA-OpenSSO articles at EJBCA.org.
Monday, November 23, 2009
MySQL on a SSD disk
I thought that my MySQL InnoDB database was a bit slow, at least when running on an encrypted disk. I added an 80GB X25-M SSD disk to keep the MySQL database on (only development data, so no encryption needed there). My performance increased 5 times at worst and more than 10 times at best.
Applications with a lot of short database accesses (such as large update statements in MySQL) will get a huge boost from an SSD. We will see how it performs in the long run...
So far it is highly recommended!
A bind mount is really handy for this:
mount -B /media/SSD/mysql /var/lib/mysql
or in fstab:
/media/SSD/mysql /var/lib/mysql bind defaults,bind 0 0
I did all this to speed up producing really large CRLs (more than 500,000 revoked certificates). Works pretty neat.
Thursday, November 5, 2009
USB pass-through to KVM in Ubuntu Karmic (9.10)
You have to allow libvirt to use USB devices.
Edit /etc/apparmor.d/abstractions/libvirt-qemu and uncomment the following lines:
# WARNING: uncommenting these gives the guest direct access to host hardware.
# This is required for USB pass through but is a security risk. You have been
# warned.
/sys/bus/usb/devices/ r,
/sys/devices/*/*/usb[0-9]*/** r,
/dev/bus/usb/*/[0-9]* rw,
Migrating vmware images to use in kvm instead is nicely described here: http://ubuntuforums.org/showthread.php?t=1163175.
For a Red Hat image I simply ran:
sudo qemu-img convert -f vmdk redhat.vmdk -O qcow2 redhat.img
Create a new KVM machine in virt-manager, but terminate it when it tries to start installing. Simply replace the image virt-manager created with redhat.img and restart the new KVM machine.