Roman - 2016-07-16

I am using External RA database which is then processed by EJBCA in internal network (no connection to EJBCA is allowed, therefore I am not able to use EJBCA web services).

However I have requests to publish web services for client applications instead of providing externalra-client libraries and to integrate with let's say "External Web Services (EWS)". Basically I need to create a simple server that would have EWS as one interface to client applications and one interface to EJBCA through External RA database.

Moreover the client application will have its certificate to authorize requests on EJBCA so it would need to sign requests through EWS and it should be somehow managed by EJBCA.

Anyone developed something like that?

I'm thinking about publishing web services with objects as External RA requests and responses.
EWS would be over https with mutual authentication between client application and External RA server.
External RA server would need to have a mapping of which client certificate can use which internal External RA server keystore to sign requests and decrypt responses (because External RA messages have their own structure which can't be built on client application without externalra jar or other implementation).

When the client application sends a request for example to add new user to EJBCA, External RA server will check if the client is allowed and which internal keystore to use. Then External RA server will create External RA message, sign it, encrypt it with certificate of service worker, and store it inside database. Client application will receive an ID through which it can ask for the response.

Does it make sense?

The whole setup is:

Client App <-------------------------------------------> External RA server <---------------------------------- EJBCA
                           web services                                                external RA database
                           mutual authentication
Client RA certificate                                    internal RA keystores
and private key                                          mapping for signing
                                                         and decryption
 

Last edit: Roman 2016-07-16
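A sketch of the gateway described in this post, added here as an example and not code from EJBCA or the externalra library: it maps the TLS client certificate fingerprint to one internal RA keystore, refuses unmapped clients, queues a signed request under a random ID, has the worker verify the RA signature before acting, and restricts polling to the submitting client. The certificate bytes, keystore secrets and the HMAC stand-in for the real externalra signing/encryption are assumptions made so it runs offline.

```python
import hashlib
import hmac
import json
import secrets
# Constructed sample data (not real certificates): the gateway identifies a client by the
# SHA-256 fingerprint of its TLS client certificate and maps it to one internal RA keystore.
CLIENT_CERT_A = b"constructed DER bytes of client A certificate"
CLIENT_CERT_B = b"constructed DER bytes of client B certificate"

def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

# Placeholder keystore secrets. A real gateway holds the RA signing keys in JKS/PKCS#12 files
# and produces the externalra message signature; HMAC stands in so the example runs offline.
KEYSTORES = {"ra-keystore-1": secrets.token_bytes(32), "ra-keystore-2": secrets.token_bytes(32)}
CLIENT_MAP = {fingerprint(CLIENT_CERT_A): "ra-keystore-1", fingerprint(CLIENT_CERT_B): "ra-keystore-2"}

class ExternalRAGateway:
    """Fronts the External RA database: authorizes by client cert, signs with the mapped keystore."""
    def __init__(self) -> None:
        self.db: dict = {}  # stands in for the External RA database table the worker polls

    def submit(self, client_cert_der: bytes, operation: str, params: dict) -> str:
        fp = fingerprint(client_cert_der)
        keystore = CLIENT_MAP.get(fp)
        if keystore is None:  # unmapped certificate: refuse before touching any keystore
            raise PermissionError("client certificate is not mapped to an RA keystore")
        body = json.dumps({"op": operation, "params": params}, sort_keys=True).encode()
        sig = hmac.new(KEYSTORES[keystore], body, hashlib.sha256).digest()
        msg_id = secrets.token_hex(16)  # unguessable id handed back to the client for polling
        self.db[msg_id] = {"owner": fp, "keystore": keystore, "body": body, "sig": sig, "response": None}
        return msg_id

    def worker_process(self, msg_id: str) -> None:
        """Simulates the EJBCA-side worker: verify the RA signature before acting on the request."""
        m = self.db[msg_id]
        expected = hmac.new(KEYSTORES[m["keystore"]], m["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, m["sig"]):
            m["response"] = b'{"status": "rejected", "reason": "bad RA signature"}'
            return
        op = json.loads(m["body"])["op"]
        m["response"] = json.dumps({"status": "ok", "op": op}).encode()

    def poll(self, client_cert_der: bytes, msg_id: str) -> "bytes | None":
        """Only the submitting client may read a response; None while EJBCA has not answered."""
        m = self.db.get(msg_id)
        if m is None or m["owner"] != fingerprint(client_cert_der):
            raise PermissionError("unknown message id or not the submitting client")
        return m["response"]
```

The owner check in poll matters because the message ID is the only thing the client holds after submission; without it any authenticated client could read another client's enrollment response.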