EJBCA - Open Source Enterprise PKI

Accessing the WS signing certificate from inside a JAX-WS webservice

2009-06-25T16:24:00.003+02:00

When I have set up the webservice as in the previous post to require signatures, it's very normal that I would like to know who signed the certificate. Also I probably want to access the credentials of the signature, in this case the certificate.

How do I retrieve the signature certificate of a WS-security signed SOAP message?

I could not find any good post describing this on the Internet...

Well here it is now:


 @Resource
 private WebServiceContext wsContext; 

<snip>

     MessageContext mctx = wsContext.getMessageContext(); 
     Subject s = (Subject)mctx.get("CLIENT_SUBJECT");
     Set cs = s.getPublicCredentials();
     for (Iterator iterator = cs.iterator(); iterator.hasNext();) {
   Object object = (Object) iterator.next();
   System.out.println("Object: "+object.getClass().getName());
   if (object instanceof X509Certificate) {
    System.out.println("Found a certificate");
    X509Certificate cert = (X509Certificate) object;
    System.out.println(cert.toString());
   }
  }
     if (s != null) {
      Set ps = s.getPrincipals();
      for (Iterator iterator = ps.iterator(); iterator.hasNext();) {
       Principal principal = (Principal) iterator.next();
       if (principal instanceof X500Principal) {
        X500Principal xp = (X500Principal) principal;
    System.out.println(xp.getName());
       }
      }
     }

<snip>

Configuring Glassfish and SOAPui to use message level security with digital signatures

2009-06-22T19:23:00.003+02:00

I made a simple Jax-WS project with simple webservice. The tricky part is that I wanted message level security with WS-security digital signatures authenticating the message. It took me a while to get it right, so here is how it's done. You can configure WS-security layer on the server side simply by configuring Glassfish use it for all soap messaging. This was the easiest way for me to set it up.

* Configure glassfish:

This will use the default server keystore for signatures, the same keystore that is used for SSL.

In admin console go to: Configuration->Security->Message Security->SOAP
In Message Security tab select:

Default Provider: ServerProvider
Default Client Provider: ClientProvider

In Providers tab click ServerProvider:

Provider Type: server
class name (default): com.sun.xml.wss.provider.ServerSecurityAuthModule
Request policy:
- Authenticate Source: content
- Authenticate Recipient: null (blank)

Response policy:
- Authenticate Source: content
- Authenticate Recipient: null (blank)

Additional Properties:
leave as default

* Configure SOAPui

Create a project and send a message to the server. When the server is configured to require signature you should receive a "Error validating request" message back.

Open project view. Go to tab Security Configuration->Keystores/Certificates.
Add a keystore glassfish/domains/domain1/config/keystore.jks, password changeit and default alias s1as.
Change to tab Outgoing WS-Security Configurations. Create a new configuration called "sign".
Add a new WSS Entry called Timestamp with Time To Live 1000 (or something).
Add a new WSS Entry called Signature:
- Keystore: keystore.jks
- Alias: s1as
- Password: changeit
- Key Identifier Type: Binary Security Token
- Signature Algorithm: http://www.w3.org/2000/09/xmldsig#rsa-sha1
- Signature Canonicalization: http://www.w3.org/2001/10/xml-exc-c14n#
- Use single certificate for signing
- Add a new part: Name=Body, Namespace=http://schemas.xmlsoap.org/soap/envelope/, Encode=Element
- Add a new part: Name=Timestamp, Namespace=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd, Encode=Element

Finally in the request window add the configuration. Select XML view and click Aut in the bottom, select Outgoing WSS=Sign

Now you will probably have an issue with glassfish being unable to verify your message. This is due to canonicalization and SOAPui making nice display of the XML for you.
Go into the XML view and remove all whitespace and newlines in the soapenv:Body tag.

Now it should work!

Build an open source enterprise OCSP validation service

2009-06-07T15:27:00.003+02:00

Build a high performance OCSP responder using EJBCA. EJBCA is a J2EE enterprise open source PKI that you can deploy as a certificate authority or an ocsp responder.

EJBCA is a J2EE enterprise open source PKI that you can deploy as a certificate authority or an ocsp responder.

With the release fo EJBCA 3.9.0 it is easier than ever to set up a high performance, high reliability OCSP responder.
OCSP stands for online certificate status protocol and is defined in RFC2560. In short it provides an online service for validating that a certicate, as used by SSL or VPN etc, has not been revoked. OCSP has the basic functionality defined in RFC2560 and this, in it's plain form, it widely used. If using a high speed hardware security module (HSM) for signature operations you can easily answer 500 requests per second with the EJBCA external OCSP responder. Certificate status information is kept in a regular database, such as MySQL, making it very suitable for online services because you can really update the information on line without waiting for the certificate authority to issued certificate revocation lists (CRLs).

To further improve scalability of OCSP IETF has defined a lighweight OCSP profile in RFC5019. This profile builds on the usage of http get instead of http put which is the default transport used. Using http get the responder can set http headers to enable caching by regular proxies. Caching makes the service slightly less online, in the meaning that you always gets fresh information, but can improve performance across networks. EJBCA 3.9.0 improves the EJBCA external OCSP responder with full support for RFC5019.

If you plan on building an OCSP service there are many things to consider:
- standards support
- performance
- scalability by adding cluster nodes
- transaction and audit logging
- authentication of callers, possibly requiring signed requests
- use of custom OCSP extensions
- OCSP responder independent of CA service provider
- renewal of OCSP responder keys

A typical configuration for OCSP uses two or more OCSP responder nodes. Each OCSP responder keeps it's own database. By using it's own database you can assure truly high availability because the nodes are completely independent and you can do maintenance on one node, including the database, without affecting uptime of the service. The OCSP responder nodes should be connected to a set of HSMs in a high availability setup, if one HSM breaks, another keeps the service running albeit with less available performance.
Each OCSP responder will produce full transaction and audit logging. Audit logging is needed in order to maintain trust, since a validation service such as OCSP is about trust. Transaction logging will be needed if you want to keep records of users of the service either for billing purposes or to keep statistics.

Visit EJBCA.org for downloads and documentation.

EJBCA 3.9.0 released

2009-06-07T14:43:00.003+02:00

After much hard work, EJBCA 3.9.0 is finally released. This might just
be the best release ever of EJBCA :-)

This is a major release adding many new features and improvements, and fixing numerous bugs.
126 issues have been resolved for this release. Check the changelog, there is a good chance that your favorite issue has been resolved.

Some noteworthy changes:
- Support for CAs using DSA keys. EJBCA now supports all major algorithms; RSA, DSA and ECDSA.
- External RA improvements. CA service running as an EJBCA services gives full cluster functionality and support for multiple external RAs. As a bonus it is now much easier to install and configure.
- Robust re-publishing mechanism for publishers that fail, running as an
EJBCA service.
- OCSP responder improvements with performance improvements and support
for on-line renewal of OCSP responder keys and certificates. The external OCSP responder can now saturate high performance HSMs.
- OCSP monitoring tool for monitoring synchronization between EJBCA and
external OCSP responders.
- GUI for configuring the external OCSP publisher with new options.
- Possible to change OCSP signing keys in a running external OCSP responder.
- New commands and stress tests in the client toolbox.
- A new admin web gui front page with status overview panels.
- Possible to configure status of certificates issued for end entities, i.e. issue certificate revoked "on hold".
- New DN attribute, Name.
- Performance improvement by caching and lowering number of database queries.
- XKMS now works also on Java 6.
- Possibility to set user validity start and end time in WS API.
- Lots of small fixes and improvements to the admin GUI.
- Lots of small bugfixes.
- Keon CA to EJBCA migration guide.

Note that the configuration of External RA changed dramatically (to the better). If using the external RA, please read the manual how to install and configure the RA CA service in EJBCA 3.9.

Note that this version brings database changes. Read the UPGRADE document for upgrade instructions.

This release should, as always, work on JBoss, Glassfish, Weblogic and OC4J, together with most available databases.

Read the changelog for details.

New status overview in the EJBCA admin GUI

2009-05-11T15:12:00.006+02:00

In EJBCA 3.9 the admin GUI will get it's first really nice update in a year or so. Apart from the usual additional options etc that pops up in every release, this release changes a fundamental concept - the first page.
We have long been thinking about have the first page be a kind of portal page where an administrator can get an overview of important status and information of the system. Originally we was planning this for the major re-make of the admin gui planned for 4.1. In 3.9 we got the opportunity, thanks to corporate sponsored development and our new developer Markus.

The first page meeting the administrator now has two panels- One with an overview of CAs on-line/off-line status and CRL status and one with number of pending publisher queue items (new feature in 3.9).

We even got some new style sheet items in there :-).
Combined with the on-line documentation links from the admin GUI (question marks in the image) it's really nice.

View a full set of screen shots at sourceforge.

Migrating ext3 to ext4 on an encrypted root disk (ubuntu 9.04)

2009-04-26T13:14:00.004+02:00

Ext4 is supposed to be much faster than ext3. Anything that makes development of EJBCA a bit quicker is interesting, so I just had to migrate to ext4 now that Ubuntu 9.04 is out.
The usual ext3 to ext4 migration guides are for normal unencrypted disk. Since my laptop has full disk enryption a few addition steps are needed.
Also the guides mention that you have to do 'grub-install' after migration. I did not have to do that.
Either it is because:
- I only migrated / and not /boot
- The standard upgrade to Ubuntu 9.04 already installed a new grub for me.

Anyhow, here are the steps hwo to migrate an encrypted root disk from ext3 to ext4.

Shut down computer properly, don't hibernate.
Boot from Ubuntu 9.04 cd and use it as a live cd (no changes to computer).
Open a terminal and become root.
#sudo su -

Set up crypto add encrypted disk to lvm
#cryptsetup luksOpen /dev/sda1 root
#lvm vgchange -a y

Mount root disk and just check that it's the correct disk before migrating
#mkdir /mnt/root
#mount /dev/tlap/root /mnt/root

Unmount and do the migration to ext4 (as described in the ext4 wiki and numerous other sites)
#umount /mnt/root/
#tune2fs -O extents,uninit_bg,dir_index /dev/tlap/root
#e2fsck -pfD /dev/tlap/root

Mount new ext4 disk and change fstab to ext4
#mount /dev/tlap/root /mnt/root
#cd /mnt/root/etc/
#vi fstab

Change ext3 to ext4 for you / disk (/dev/sda1 for me).
# /dev/mapper/tlap-root
UUID=ca86bf3d-40fb-4b4d-89c6-15ce94674fa0 / ext4 relatime,errors=remount-ro 0 1

Save, unmount /mnt/root and reboot.
After reboot check /etc/fstab and 'mount' and you will see that it's ext4 now.

tomas@tlap:~/tmp$ mount
/dev/mapper/tlap-root on / type ext4 (rw,relatime,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
...

Update:
I migrated my rather slowish home computer (AMD 4200+, 4GB, WD Raptor) running 'ant clean; ant' both before and after migration. The conclusion is that it takes 1 minute, give or take a few seconds, on both ext3 and ext4. Not huge leaps in speed there unfortunately.

What to do when you mac address of eth0 changed (debian/ubuntu)?

2009-04-23T15:56:00.001+02:00

It always takes me too long to google up this answer so I'll write it here..

Either edit or delete this file:
/etc/udev/rules.d/70-persistent-net.rules

If you delete it, a reboot will create a new one with your new mac address.

External RA improvements

2009-04-14T14:43:00.003+02:00

In the upcoming EJBCA 3.9 the External RA is finally getting some long waited improvements.
The CA component will now run as a service in EJBCA. This means that you do most of the configuration in the admin-GUI of EJBCA and that it runs very nicely in a CA cluster. You can also configure multiple external RAs, as many as you need.
Setting up a cluster of external RAs is now very simple, if you have a cluster of two external RAs simply configure two external RA services in EJBCA and you're done. No need to use complicated database clusters etc on the external RAs, each external RA node can be simple and stand-alone.

Installation of the external RA is also much much simpler now. Configure the path to the external RA package in EJBCA and the needed CA service is automatically pulled into EJBCA so it is available to be configured in the Admin-GUI. The only thing that needs some though is the configuration of datasources in your application server.

To summarize:
- Easier to install and configure
- Runs nice in a CA cluster
- Runs nice against multiple external RAs

As an added bonus, it's also now almost trivial for developers to implement new types of external RA messages. Internally it uses java reflection, so all you have to do is implement the message classes and handlers. The rest is handled automatically.

EJBCA 3.8.2 released

2009-03-28T00:29:00.000+01:00

"This is a minor release adding improvements and bugfixes
- Add street and pseudonym DN attributes.
- OCSP improvements, RFC 5019, nextUpdate, support for requests using GET, improved configuration and error handling.
- Correct coding of optional Issuing Distribution Point in CRLs.
- Possible to publish userPassword in LDAP.
- A few minor fixes."
Check out the change-log for all the details.

A pretty cool feature that hides behind the "RFC 5019" improvement is that you can now cache OCSP responses. If you use HTTP GET you will be able to use simple network components like a HTTP/1.1 cache (Apache httpd config included in the docs) for caching and load-balancing between your responders. I'd love to see someone try this out on a massive scale and report back to me with some statistics.. =)

Using smart card browser authentication in Ubuntu

2009-02-03T12:36:00.002+01:00

To use smart card authentication in Firefox on Ubuntu 8.10 you have to install pcscd, a working card reader driver (if the built in ccid does not work for you) and a pkcs#11 module.

This example works for Ubuntu 8.10. In my case I have an OmniKey CardMan 3021 USB card reader and a smart card with 2048 bit RSA keys. To be able to use 2048 bit keys using the OmniKey reader I have to use their driver.

- Download driver from omnikey.com and put in /tmp

# sudo su -
# apt-get install pcscd
# cd /tmp
# tar -zxvf ifdokccid_lnx_x64-3.5.1.tar.gz
# cd /usr/lib/pcsc/drivers
# cp -r /tmp/ifdokccid_lnx_x64-3.5.1/ifdokccid_lnx_x64-3.5.1.bundle .
# rm -rf ifd-ccid.bundle/
# /etc/init.d/pcscd restart
# apt-get install mozilla-opensc

Finally open pkcs11.html in Firefox and click "Install opensc in linux".

--- pkcs11.html ---
<HTML>
<HEAD>
<TITLE>opensc</TITLE>
</HEAD>
<BODY>
<SCRIPT>
PKCS11_PUBLIC_READ_CERT = 0x1<<28;
function doInstallPkcs11Windows()
{
pkcs11.addmodule("opensc", "opensc-pkcs11.dll", PKCS11_PUBLIC_READ_CERT, 0);
}
function doInstallPkcs11Linux()
{
pkcs11.addmodule("opensc", "opensc-pkcs11.so", PKCS11_PUBLIC_READ_CERT, 0);
}
function doUninstallPkcs11()
{
pkcs11.deletemodule("opensc");
}
</SCRIPT>
<a href=javascript:doInstallPkcs11Linux();>Install opensc in Linux</a><br>
<a href=javascript:doInstallPkcs11Windows();>Install opensc in Windows</a><br>
<a href=javascript:doUninstallPkcs11();>Uninstall opensc</a><br>
</BODY>
</HTML>

EJBCA 3.8.1 released

2009-01-29T12:43:00.002+01:00

This is a minor release, targeted for adding support for JBoss 5 and fixing a mistake that caused install on Glassfish to fail.
It also adds a few minor improvements and bugfixes.
- Add support for JBoss 5.
- Fix support for Glassfish caused by a forgotten commit in 3.8.0.
- Improve support for Weblogic 10.3.
- Fix support for IPv6 subject alternative names.
- A few minor CMP, OCSP and CVC fixes.

See the full changelog at ejbca.org for details.

HTC G1 android phone and tele2

2008-12-20T17:25:00.006+01:00

Hardly surprising the G1 works perfectly also in sweden. To configure for tele2 I only configured five items in the APN configuration.
- Name: Tele2
- APN: internet.tele2.se
- MMSC: http://mmsc.tele2.se
- MMS proxy: 130.244.202.30
- MMS port: 8080
After this this phone works like a charm. Buying the phone from google was easy and delivery was fast, only a week.
Now all we have to do is run EJBCA on the phone :-)

To re-encode movies to show on the phone (using cinema app for example) do this on Ubuntu:
- apt-get install avidemux, and start avidemux. Avidemux works great as a mobile media encoder.
- Open the file you want to convert.
- In Video dropdown select MGEG-4 ASP (lavc).
- Click Configure->Encoding Mode->Single pass - bitrate, enter 384 kb/s and click ok.
- Click Filters, double click MPlayer resize, width 480, height 320, click OK then close.
- In Audio dropdown select AAC (FAAC).
- Click Configure and select bitrate 96.
- In Format dropdown select MP4.
- Finally click Save and enter the new filename with .mp4 ending.

Now just make sure you copy the file to sdcard intact.

Zepto Nox A15 and Ubuntu 8.10

2008-12-16T14:26:00.004+01:00

On my new Zepto Nox A15 most things work out of the box, except suspend to ram (hibernate works) and screen brightness. I blame the nvidia proprietary driver for this...

This is what I did to get screen brighness settings to work:
-----
First check out the latest nvclock source code:
> cvs -d:pserver:anonymous@nvclock.cvs.sourceforge.net:/cvsroot/nvclock login
> cvs -z3 -d:pserver:anonymous@nvclock.cvs.sourceforge.net:/cvsroot/nvclock co -P nvclock
> cd nvclock
> gedit src/backend/nv50.c
change line 331 from:
if((nv_card->subvendor_id == PCI_VENDOR_ID_SONY) && nv_card->gpu == MOBILE)
to
if(nv_card->gpu == MOBILE)
> ./configure --prefix=/usr
> make
> sudo make install
> sudo cp src/smartdimmer /usr/bin/smartdimmer

Now we have the command so fix up hal so it calls nvclock when the brightness keys on the keyboard are pressed:
> sudo gedit /usr/lib/hal/scripts/linux/hal-system-lcd-set-brightness-linux

if [ -w "$HAL_PROP_LINUX_SYSFS_PATH/brightness" ]; then
echo "$value" > $HAL_PROP_LINUX_SYSFS_PATH/brightness
if [ "$HAL_PROP_LAPTOP_PANEL_ACCESS_METHOD" = "general" ]; then
# if nvidia nvclock command exists, try to use it
if command -v nvclock &>/dev/null
then
#echo " Yes, command :nvclock: was found."
foo="$(((($value +1)*10)+5))"
nvclock -S $foo
fi
fi
exit 0
fi
-----

Done. Now if only suspend would work it would be perfect.
I also have some slight problems with sound settings (volume up/down) that worked at first but not anymore...

Oh I forgot to say...EJBCA works perfect!

EJBCA 3.8.0 released

2008-12-16T14:12:00.003+01:00

EJBCA 3.8.0 have a whole range of fixes. One of the most interesting is the improvements in the authorization module, making it much easier to configure administrators and allowing you to use externally issued certificates as administrator certificates (for example from a national id).
This will hopefully get rid of most questions posted asking about problems configuring new administrators.

See http://ejbca.org/ for the download and full changelog.

News was published on Serverside.com.

Simple Certificate Archival solution

2008-11-19T14:24:00.006+01:00

Introduction

From syscheck 1.2 and on there is a script-based archival solution.

New and revoked certificates are stored on local disk in a file-tree and optional remote SSH server.

syscheck svn: https://ejbca.svn.sourceforge.net/svnroot/ejbca/trunk/syscheck/

Setup of publisher

Go to: EJBCA Adminweb → ”Edit Publishers” → Add new name: ”Archival publisher”

Select/ enter the following:

Publisher Type: ”Custom Publisher”

Class Path: ”org.ejbca.core.model.ca.publisher.GeneralPurposeCustomPublisher”

Properties of Custom Publisher:

crl.application /path/to/syscheck/related-enabled/902_export_crl.sh

crl.failOnStandardError true

crl.failOnErrorCode true

cert.application /path/to/syscheck/related-enabled/900_export_cert.sh

cert.failOnStandardError true

cert.failOnErrorCode true

revoke.application /path/to/syscheck/related-enabled/901_export_revocation.sh

revoke.failOnStandardError true

revoke.failOnErrorCode true

Use the publisher on CA:s

Go to: EJBCA Adminweb → ”Edit Certificate Authorites”

Select the CA you want CRL archival on, then click on edit CA

At ”CRL Publishers”:

Select ”Archival publisher”

Do this for all CA:s you want CRL Archival for.

Use the publisher on Certificate profile:s

Go to: EJBCA Adminweb → ”Edit Certifcate Profiles”

At: ”Publishers”

Select ”Archival publisher”

Do this for all Certificate profiles:s you want Certifcate Archival for.

Presentation from FSCONS

2008-10-31T10:07:00.002+01:00

Johan and Tham went to FSCONS 2008 and presented "Secure communication with open source PKI". It's a basic introduction to PKI and a demonstration of email-signing, Apache client cert authentication and using certs in OpenVPN.

Direct link to the video (use VLC to play it if it doesn't work).

The presentation slides.

EJBCA and BouncyCastle on OSOR.eu eID/PKI/eSignature Community Workshop

2008-10-27T10:37:00.002+01:00

I will present a "Lightening talk" on the OSOR.eu eID/PKI/eSignature Community Workshop in Brussels on the 13th of November 2008. The talk will be a short one describing experience from both the BouncyCastle and the EJBCA projects regarding open source usage in the EU. The hope is to give some input what the EU can do to help, or not to discriminate, open source projects/products.
The BouncyCastle part is made by David Hook of Lockboxlabs.

Presentation from Open Standards Forum

2008-10-13T10:04:00.003+02:00

You can read and view my presentation from Oasis Open Standards Forum that took place in London in the beginning of October. The event was very interesting, a lot is happening in the standardization and technology arena.

Presentation slides.

Presentation movie (73MB).

EJBCA @ FSCONS 2008

2008-10-08T14:28:00.003+02:00

Two core EJBCA developers from PrimeKey Solutions AB will be present at this years FSCONS (2008-10-24 to 26th). Since PrimeKey sponsors the conference, we will have a booth somewhere in "the lounge area". So drop by and ask questions about the latest and greatest, suggest new features or tell us how you want to use EJBCA.

It currently looks like we get a chance to talk the last day at 16:00 on the subject "Secure communications with Open Source PKI". The preliminary plan is to give a simple hands-on presentation on how easy PKI can be used for secure email, client SSL authentication, OpenVPN and more.

We hope to see you all there!

Succesful EAC ePassport PKI interoperability tests

2008-09-14T11:40:00.003+02:00

EJBCA was present on the Prague event for PKI interoperability tests, since both Sweden and Portugal uses EJBCA for their EAC CVC PKI. The tests were a huge success and no problems were encountered in EJBCA. Interoperability was tested with many different countries using different implementations and algorithms.

Look out for EJBCA 3.7.1, that will bring ECC support (as tested on the event) and a lot of CVC usability enhancements.

Bouncycastle supported by Lock Box Labs

2008-09-06T17:29:00.004+02:00

My favorite open source project, the Java crypto provider Bouncycastle (http://www.bouncycastle.org/) have gotten their own legal entity offering support contracts. Go get one!

Cert-cvc library 1.2.7 released

2008-09-01T14:07:00.000+02:00

This release of the CV certificate library, for EAC 1.11 ePassports, contains full support for both RSA and ECC algorithms.

This marks another milestone for ePassport support in EJBCA. The cert-cvc library now has full support and can be freely used by anyone under the LGPLv2 license.

Changes:
- Support for ECC keys and signatures, need BC version 1.41 which is included in svn.
- Fix bug where outer signature in authenticated requests did not include CARef in TBS
- Don't add caRef if not passed, or passed as null, to CertificateGenerator.
- Translations of Swedish javadoc to English.

Cheers,
Tomas

Oasis Open Standards Forum in London

2008-08-13T14:51:00.003+02:00

On the 30th of September to 3rd of October Oasis will hold Open Standard Forum near London. For more information see the official website.

I'm also excited about listening to the other speakers at the event, covering many different areas of identity- and key management.

I have been accepted as a speaker and will talk about XML protocol interfaces to a PKI. I will mostly use case studies to kind of outline the requirements of an XML protocol. The most detailed case study is the Hardtoken Management Framework developed by Philip in cooperation with the Swedish police (www.hardtokenmgmt.org). The hardtoken management framework is the basis for the smart card management at the Swedish police and uses Webservice interface to communicate with the PKI.
On interesting topic, where we might receive some feedback(?), is what happened to XKMS and if there is any future efforts in that direction. Also looking more into the future we may see a merging of symmetric key management (EKMI) and PKI management.

Maybe we'll see some standardization in this area?

If you have your ways pass London you should join.

EJBCA gets ePassport contribution from Swedish National Police Board

2008-07-11T15:46:00.002+02:00

The open source enterprise PKI software EJBCA has received support for EU EAC ePassports. The Swedish National Police Board has developed the cert-cvc java library used for the implementation, and contributes the library to the open source project under the LGPL license. The Police Board also supported the development to integrate the library into EJBCA.

EAC, short for Extended Access Control, is the standard developed in the EU to protect fingerprint and iris data stored on electronic travel documents (passports). Fingerprints will be stored on all EU passport within a few years, with pilot project starting this year. Releasing the library to the open source means that other EU member states does not have to develop everything themselves, and could make implementation much easier and less expensive.
A perfect example of openness and cooperation.

This release is feature complete for EU EAC ePassports using RSA algorithm. ECC support is still not complete. Any help in the ECC area is welcome.

The library is released, with full source, and can be downloaded from sourceforge — http://sourceforge.net/projects/ejbca/."

EJBCA HA best practices

2008-07-05T19:47:00.002+02:00

There are many ways to design a HA system taking all considerations into account. After dealing with this issue for a couple of years, here is our teams experience on what works and what doesn't work.

There are two important components in a HA EJBCA setup:

Database
EJBCA application server

The database is by far the trickiest to set up in HA-mode. The database holds everything that is really important in an EJBCA setup.
In case of failure, everything can be re-created from the EJBCA distribution except the database contents.
A full HA setup would look like:

Load balancers in front of the EJBCA app servers
EJBCA app servers using a single HA database on a single ip
Load balancers in front of the database cluster
A HA database cluster

This is of course expensive and this setup is suitable for organizations with dedicated database/app server/load balancer groups that have the resources and knowledge to handle this kind of system.

Most shops however simply don't want, don't need, or can't handle that kind of complexity.

Another alternative, that does not provide full HA, but that does provide very good data safety with short fail over times is:

Two combined EJBCA/database servers with three ip's, one real for each server and one "virtual" that can be moved.
Node 1 has the virtual ip by default.
Database master on node 1 that replicates, in real time, to node 2.
EJBCA running on both nodes using the "virtual" ip as database ip.
If node 1 fails, a script must be manually run that changes the virtual ip to node 2, and restarts app server on node 2. Now node 2 is master and single point of failure while node 1 is brought up again.
When node 1 is brought up again the system is either restored to original state with node 1 as master (requires restoring database on node 1 and reseting replication), or node 2 is now the master and replicates to node 1 (requires starting replication in that direction).

Other alternatives that you might start to look at is to include software load balancers and automatic fail-over scripts in the combined servers.
In our experience this is not a good idea!
In most cases this setup will cause more problems than it solves and your issues will originate from the load balancing software/fail-over scripts not working instead of the database/EJBCA not working.
If you are not sure what you are doing and has done this kind of setups several times before, stay away from it.