Discussion:
[Ejbca-develop] External RA - peer connector based VS database based
Willi Trace
2016-10-23 09:21:12 UTC
I am thinking about advantages to use new peer connector based External RA
over the old database based External RA.

What are arguments to start using new peer connector based External RA?

When I set up a database on External RA and connect to the database from CA
securely over TLS, and I will be using encryption and signing of External RA
messages to authorize on CA using administration roles, then, as I
understand, I have a similar setup as peer connector.

Why should I use it and change the above mentioned setup to peer
connection based External RA?

Moreover, when I have custom External RA messages, what is the impact on
using them together with peer connector based External RA? Would it be
possible? Is it using External RA messages behind?
From the documentation of peer connection based External RA I don't have
enough technical information to be convinced to at least try it in my
environment.

WT
Tomas Gustavsson
2016-10-24 08:14:09 UTC
Hi,
Post by Willi Trace
I am thinking about advantages to use new peer connector based External
RA over the old database based External RA.
What are arguments to start using new peer connector based External RA?
When I set up a database on External RA and connect to the database from CA
securely over TLS, and I will be using encryption and signing of External
RA messages to authorize on CA using administration roles, then, as I
understand, I have a similar setup as peer connector.
Why should I use it and change the above mentioned setup to peer
connection based External RA?
Did you check https://www.ejbca.org/docs/kara.html ?

Some key points, some of which may be interesting for you and some not.

First, of course, is that Peer Connectors are only available in EJBCA
Enterprise.
- Peer connectors are easy to set up, all in the Admin GUI
- you don't have to open up your database through firewalls etc.
- it is fast, no 5 second polling delay, it is instant
- no local data stored at the RA, no special clustering considerations
- peer connectors have location based authorization, a combination of
the end user and the RA itself, all verified on the CA
- one architecture for all external entities, OCSP and RA
- supports approval based work-flows nicely
- and there is a new user friendly GUI :-)

In the end, of course, it's all about your own specific requirements.
Post by Willi Trace
Moreover, when I have custom External RA messages, what is the impact on
using them together with peer connector based External RA? Would it be
possible? Is it using External RA messages behind?
No, it is not using the old external RA messages. It is better and more
secure messaging.
Post by Willi Trace
From the documentation of peer connection based External RA I don't have
enough technical information to be convinced to at least try it in my
environment.
You can contact PrimeKey if you need more information.

Cheers,
Tomas
Post by Willi Trace
WT
_______________________________________________
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop