Discussion:
[Ejbca-develop] EJBCA WebSockets connection system
Willi Trace
2017-01-06 18:51:37 UTC
I am implementing a websocket connection pool from EJBCA to clients, primarily
as a replacement for external RA and peer connections, which are not
available in Community Edition.

Is there any work done on this which I can reuse or build on?
Of course I would like to publish it to the community when it is ready.

My first concept works similarly to peer connections (although I do not
know the current implementation of Enterprise Edition) but through wss. It
should be effective and easily managed through the admin GUI, authenticated by
AKB.

WT
Anders Rundgren
2017-01-06 19:37:42 UTC
Hi Willi,

I'm a former PrimeKey employee who some years ago developed a replacement for the external RA:
https://cyberphone.github.io/doc/openkeystore/javaapi/org/webpki/securityproxy/package-summary.html

I have integrated this with EJBCA but the integration is owned by PrimeKey.

I have been thinking about upgrading the public part (the API above) to use WebSocket but haven't had any time to do that.
The current scheme uses serialized Java objects which I also want to shelve.
Today I have totally (and forever...) left the WS/XML/XSD camp in favor of JSON.
So a new system would (from my perspective) be built on JSON.

https://cyberphone.github.io/doc/openkeystore/javaapi/org/webpki/json/package-summary.html

Two-way TLS auth seems good to keep. In my setup I use a symmetric scheme so that the same cert+key is used in both directions. That is, the self-signed cert is both server and client.

I had no problems integrating the proxy in EJBCA so I would still consider making a separate component.

Best
Anders
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
Willi Trace
2017-01-06 20:29:03 UTC
Hi Anders,

Seems exactly like what I want to do, so maybe I can use it with websockets and
send it to you as an update of securityproxy.

As I understand it, you are proposing to create messages between EJBCA and
clients in JSON. I was thinking about using the ExtRA message format with its
integrity and encryption. But it may be a good idea to do it in JSON.

I wonder how much work there is to integrate this with EJBCA. This is
actually the part where I am thinking about options and what would be the best
way. It should also be in the GUI in order to manage it easily and add, remove,
etc. authorized clients.

Currently I have updated the ExtRA API package for EJBCA 6.5.0. Configuration
of databases and ExtRAWorker can be done more or less effectively using
predefined scripts, but what I would like to eliminate is database polling
every 5 seconds, which is ineffective.

WT
Willi Trace
2017-01-06 21:32:23 UTC
Or we can kindly ask PrimeKey to include Peer Connectors and their new
RA in Community Edition ;)

WT
Anders Rundgren
2017-01-07 06:08:06 UTC
Or we can kindly ask PrimeKey to include Peer Connectors and their new RA in Community Edition ;)
Well, that's a possibility. I won't personally interfere with PrimeKey's business model and I also use the securityproxy in other projects.
PrimeKey's Peer Connector solution appears to be covering the entire EJBCA.

In my EJBCA implementation I didn't do anything with respect to administration and GUI; it was just a dedicated, bi-directional, mutually authenticated channel between two worlds, where one was considered more secure than the other.

http://webpki.org/papers/mobile-ra-guide.pdf

The RA was written from scratch since my target built on having the user database outside of EJBCA, i.e., the CA became more like a certificate factory.

Anders
https://mobilepki.org/scc
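Added example (an editor's illustration, not code from the thread, from EJBCA or from openkeystore) of the symmetric two-way TLS scheme Anders describes in his two messages above: one self-signed cert+key is the server credential on one side and the client credential on the other, and each side trusts nothing but that one certificate. The hostname ra-proxy.example, the loopback listener and the single "hello" line are assumptions, and plain TLS over a TCP socket stands in for the wss transport. The check a practitioner would want is built in: because the same certificate is verified as a server cert by one peer and as a client cert by the other, it must carry both the serverAuth and the clientAuth extended key usage, and the second call in main shows the handshake failing when clientAuth is missing.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const peerName = "ra-proxy.example" // assumed hostname for this example, not from the thread

// newSelfSignedCert issues the one cert+key both sides present. Used in both
// directions it needs serverAuth AND clientAuth, else the opposite side rejects it.
func newSelfSignedCert(ekus []x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: peerName},
		DNSNames:     []string{peerName}, // hostname checks use SANs, not the CN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // produced just above, parses cleanly
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// serveOnce completes the server side of the handshake, reads one line and returns
// the subject CN of the verified client cert (authorization decisions belong here).
func serveOnce(conn *tls.Conn) (string, error) {
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	_, err := bufio.NewReader(conn).ReadString('\n')
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, err
}

// runChannel does one mutually authenticated loopback exchange and returns the
// client CN the server verified. Both sides present the same cert and trust only it.
func runChannel(ekus []x509.ExtKeyUsage) (string, error) {
	cert, err := newSelfSignedCert(ekus)
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool() // one-entry pool: pinning, no external CA involved
	pool.AddCert(cert.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		RootCAs: pool, ServerName: peerName}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var srvCN string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		srvCN, err = serveOnce(conn.(*tls.Conn))
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err // the client refused the server cert
	}
	fmt.Fprintln(conn, "hello")
	conn.Close() // close now, so a failed write ends the server's read instead of hanging it
	if err = <-done; err != nil {
		return "", err // the server refused the client cert (or the read failed)
	}
	return srvCN, nil
}

func main() {
	fmt.Println(runChannel([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}))
	fmt.Println(runChannel([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})) // rejected: no clientAuth
}
```

With both EKUs the first call returns the peer name with a nil error; with serverAuth only, the server's verification of the client certificate fails and the call returns an error. Managing "authorized clients" in this model comes down to which certificates are in the pool on each side, rather than to matching DN strings.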