From: Jack D. P. <jac...@ps...> - 2012-08-04 23:31:21

Sorry, I missed this - it is exactly what I was looking for. Thank you!

Jack D. Pond
"A wise man thinks it more advantageous not to join the battle than to win." -- Francois de La Rochefoucauld, 1613-1680

> -----Original Message-----
> From: Tomas Gustavsson [mailto:to...@pr...]
> Sent: Monday, July 30, 2012 2:24 AM
> To: ejb...@li...
> Subject: Re: [Ejbca-develop] Page/template Customization
>
> Hi,
>
> Did you see http://www.ejbca.org/adminguide.html#Customizing%20EJBCA ?
>
> Using an ejbca-custom directory is how you can override distribution files in a safe, controllable fashion, surviving upgrades (assuming your changes are compatible with the new version).
>
> Using plugins, http://www.ejbca.org/adminguide.html#EJBCA%20Plugins, is another way you can add your own functionality, including completely customized web sites, in a controllable way.
>
> Cheers,
> Tomas
>
> On 07/27/2012 05:59 PM, Jack D. Pond wrote:
>> I really have tried to search on this, but came up with nothing.
>>
>> Most projects have a way of modifying look and feel (other than just .css) as well as actual page content without changing the original. For example, in bugzilla, it is by overriding default templates (template/en/default) with equivalently named templates in template/en/custom (see http://www.bugzilla.org/docs/tip/en/html/cust-templates.html)
>>
>> 1) Is there an equivalent approach in this tool?
>>
>> 2) Is it documented anywhere?
>>
>> 3) Do I just modify the files in modules/*-gui/resources . . . directly and create my own mechanism for updating with new revisions?
>>
>> Jack D. Pond
>>
>> "In politics, a lie unanswered becomes truth within 24 hours." -- Willie Brown (b. 1934)

From: Tomas G. <to...@pr...> - 2012-07-30 11:17:02

Right Anders, I was wrong, you are right ;-)

Cheers,
Tomas

On 07/30/2012 01:04 PM, ejbca-support wrote:
> On 2012-07-30 12:57, Arshad Noor wrote:
>> Any suggestions on how to address this? Thanks.
>>
>> Arshad
>
> Hi Arshad,
>
> Take this line:
> #usedLogDevices=Log4jLogDevice;OldLogDevice
>
> and make it into:
> usedLogDevices=Log4jLogDevice
>
> Anders
> tech support
>
>> Begin forwarded message:
>>
>>> From: Arshad Noor <ars...@st...>
>>> Date: July 12, 2012 1:17:56 PM PDT
>>> To: ejb...@li...
>>> Subject: Disable all logging to DB
>>>
>>> Hello,
>>>
>>> The "Maximizing Performance" section of the Admin Guide has this line:
>>>
>>> "Disable logging to database in log.properties, only use Log4jLogDevice. This removes a database insert and gives a big boost."
>>>
>>> Additionally, the log.properties file in the $EJBCA_HOME/conf indicates:
>>>
>>> # Internal EJBCA logging device that writes to the database. See logdevices/oldlog.properties.sample for more information.
>>> OldLogDevice=org.ejbca.core.model.log.OldLogDeviceFactory;logdevices/oldlog.properties
>>>
>>> This seems to imply that by commenting the OldLogDevice line in this file and redeploying the EAR, one can turn off DB-logging. However, this does not seem to work.
>>>
>>> Can someone shed some light on how to turn off DB logging completely?
>>>
>>> I am assuming that the server.log file is capturing all events that might normally have been logged in the DB. If this is not true, it will be helpful to know what does NOT get logged if DB-logging is turned off.
>>>
>>> Thank you.
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.

From: ejbca-support <ejb...@pr...> - 2012-07-30 11:04:55

On 2012-07-30 12:57, Arshad Noor wrote:
> Any suggestions on how to address this? Thanks.
>
> Arshad

Hi Arshad,

Take this line:
#usedLogDevices=Log4jLogDevice;OldLogDevice

and make it into:
usedLogDevices=Log4jLogDevice

Anders
tech support

> Begin forwarded message:
>
>> From: Arshad Noor <ars...@st...>
>> Date: July 12, 2012 1:17:56 PM PDT
>> To: ejb...@li...
>> Subject: Disable all logging to DB
>>
>> Hello,
>>
>> The "Maximizing Performance" section of the Admin Guide has this line:
>>
>> "Disable logging to database in log.properties, only use Log4jLogDevice. This removes a database insert and gives a big boost."
>>
>> Additionally, the log.properties file in the $EJBCA_HOME/conf indicates:
>>
>> # Internal EJBCA logging device that writes to the database. See logdevices/oldlog.properties.sample for more information.
>> OldLogDevice=org.ejbca.core.model.log.OldLogDeviceFactory;logdevices/oldlog.properties
>>
>> This seems to imply that by commenting the OldLogDevice line in this file and redeploying the EAR, one can turn off DB-logging. However, this does not seem to work.
>>
>> Can someone shed some light on how to turn off DB logging completely?
>>
>> I am assuming that the server.log file is capturing all events that might normally have been logged in the DB. If this is not true, it will be helpful to know what does NOT get logged if DB-logging is turned off.
>>
>> Thank you.
>>
>> Arshad Noor
>> StrongAuth, Inc.

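The two pieces of advice in this thread (Anders: set `usedLogDevices=Log4jLogDevice` rather than commenting out the `OldLogDevice` definition; Tomas: make sure you are not editing the `.sample` file) can be checked mechanically before redeploying. The script below is an added example, not EJBCA project code. It assumes only the two keys named in the thread and, as a stated assumption, that the commented-out `#usedLogDevices=Log4jLogDevice;OldLogDevice` line in the shipped file shows the built-in default; the two sample files are constructed to mirror the snippets quoted above.

```python
"""Audit a log.properties file: is database logging really off?

Added example, not EJBCA project code. Assumes the two keys named in the
thread (`usedLogDevices`, a ';'-separated device list, and `OldLogDevice`,
the device that writes to the database) and, as an assumption, that the
commented-out `#usedLogDevices=Log4jLogDevice;OldLogDevice` line in the
shipped file shows the built-in default that applies when the key is absent.
"""
from typing import Dict, List

# Assumption: default device list used when usedLogDevices is commented out.
DEFAULT_USED_DEVICES = ("Log4jLogDevice", "OldLogDevice")
DB_DEVICE = "OldLogDevice"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' lines are comments, pairs are
    split on the first '=' or ':'. Commented-out keys are simply absent, which
    is why commenting the OldLogDevice *definition* does not remove the device
    from the list of devices that are actually used."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def active_log_devices(props: Dict[str, str]) -> List[str]:
    """Devices that will actually log: the explicit list, or the default."""
    if "usedLogDevices" not in props:
        return list(DEFAULT_USED_DEVICES)
    return [d.strip() for d in props["usedLogDevices"].split(";") if d.strip()]


def audit_db_logging(text: str, path: str = "conf/log.properties") -> dict:
    """Report whether the DB device is still active and what to change."""
    props = parse_properties(text)
    active = active_log_devices(props)
    db_on = DB_DEVICE in active
    if path.endswith(".sample"):
        advice = "you are editing a .sample file; the deployment does not read it"
    elif db_on and "usedLogDevices" not in props:
        advice = ("usedLogDevices is commented out, so the default list applies; "
                  "set usedLogDevices=Log4jLogDevice")
    elif db_on:
        advice = f"remove {DB_DEVICE} from usedLogDevices"
    else:
        advice = "database logging is off; confirm the events you need still reach server.log"
    return {"path": path, "active_devices": active, "db_logging": db_on, "advice": advice}


# Constructed samples modelled on the snippets quoted in the thread.
ATTEMPT = """\
# Internal EJBCA logging device that writes to the database.
#OldLogDevice=org.ejbca.core.model.log.OldLogDeviceFactory;logdevices/oldlog.properties
#usedLogDevices=Log4jLogDevice;OldLogDevice
"""

FIXED = """\
# Internal EJBCA logging device that writes to the database.
OldLogDevice=org.ejbca.core.model.log.OldLogDeviceFactory;logdevices/oldlog.properties
usedLogDevices=Log4jLogDevice
"""

if __name__ == "__main__":
    for name, text in (("attempt", ATTEMPT), ("fixed", FIXED)):
        print(name, audit_db_logging(text))
```

Run it as-is to see the first sample still reported with `db_logging: True` (the definition line is commented, but the device list is untouched) and the second with only `Log4jLogDevice` active; point `audit_db_logging` at the real file contents to check a deployment.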
From: Tomas G. <to...@pr...> - 2012-07-30 11:04:00

Check conf/log.properties.

Doing what you say:
----
>> # Internal EJBCA logging device that writes to the database. See logdevices/oldlog.properties.sample for more information.
>> OldLogDevice=org.ejbca.core.model.log.OldLogDeviceFactory;logdevices/oldlog.properties
>>
>> This seems to imply that by commenting the OldLogDevice line in this file and redeploying the EAR, one can turn off DB-logging. However, this does not seem to work.
----
Does work, unless you are configuring the .sample file? (at least it works for a whole bunch of deployments, so I believe it works :-))

Cheers,
Tomas

On 07/30/2012 12:57 PM, Arshad Noor wrote:
> Any suggestions on how to address this? Thanks.
>
> Arshad
>
> Begin forwarded message:
>
>> From: Arshad Noor <ars...@st...>
>> Date: July 12, 2012 1:17:56 PM PDT
>> To: ejb...@li...
>> Subject: Disable all logging to DB
>>
>> Hello,
>>
>> The "Maximizing Performance" section of the Admin Guide has this line:
>>
>> "Disable logging to database in log.properties, only use Log4jLogDevice. This removes a database insert and gives a big boost."
>>
>> Additionally, the log.properties file in the $EJBCA_HOME/conf indicates:
>>
>> # Internal EJBCA logging device that writes to the database. See logdevices/oldlog.properties.sample for more information.
>> OldLogDevice=org.ejbca.core.model.log.OldLogDeviceFactory;logdevices/oldlog.properties
>>
>> This seems to imply that by commenting the OldLogDevice line in this file and redeploying the EAR, one can turn off DB-logging. However, this does not seem to work.
>>
>> Can someone shed some light on how to turn off DB logging completely?
>>
>> I am assuming that the server.log file is capturing all events that might normally have been logged in the DB. If this is not true, it will be helpful to know what does NOT get logged if DB-logging is turned off.
>>
>> Thank you.
>>
>> Arshad Noor
>> StrongAuth, Inc.

From: Arshad N. <ars...@st...> - 2012-07-30 10:58:07

Any suggestions on how to address this? Thanks.

Arshad

Begin forwarded message:

> From: Arshad Noor <ars...@st...>
> Date: July 12, 2012 1:17:56 PM PDT
> To: ejb...@li...
> Subject: Disable all logging to DB
>
> Hello,
>
> The "Maximizing Performance" section of the Admin Guide has this line:
>
> "Disable logging to database in log.properties, only use Log4jLogDevice. This removes a database insert and gives a big boost."
>
> Additionally, the log.properties file in the $EJBCA_HOME/conf indicates:
>
> # Internal EJBCA logging device that writes to the database. See logdevices/oldlog.properties.sample for more information.
> OldLogDevice=org.ejbca.core.model.log.OldLogDeviceFactory;logdevices/oldlog.properties
>
> This seems to imply that by commenting the OldLogDevice line in this file and redeploying the EAR, one can turn off DB-logging. However, this does not seem to work.
>
> Can someone shed some light on how to turn off DB logging completely?
>
> I am assuming that the server.log file is capturing all events that might normally have been logged in the DB. If this is not true, it will be helpful to know what does NOT get logged if DB-logging is turned off.
>
> Thank you.
>
> Arshad Noor
> StrongAuth, Inc.

From: Tomas G. <to...@pr...> - 2012-07-30 06:24:45

Hi,

Did you see http://www.ejbca.org/adminguide.html#Customizing%20EJBCA ?

Using an ejbca-custom directory is how you can override distribution files in a safe, controllable fashion, surviving upgrades (assuming your changes are compatible with the new version).

Using plugins, http://www.ejbca.org/adminguide.html#EJBCA%20Plugins, is another way you can add your own functionality, including completely customized web sites, in a controllable way.

Cheers,
Tomas

On 07/27/2012 05:59 PM, Jack D. Pond wrote:
> I really have tried to search on this, but came up with nothing.
>
> Most projects have a way of modifying look and feel (other than just .css) as well as actual page content without changing the original. For example, in bugzilla, it is by overriding default templates (template/en/default) with equivalently named templates in template/en/custom (see http://www.bugzilla.org/docs/tip/en/html/cust-templates.html)
>
> 1) Is there an equivalent approach in this tool?
>
> 2) Is it documented anywhere?
>
> 3) Do I just modify the files in modules/*-gui/resources . . . directly and create my own mechanism for updating with new revisions?
>
> Jack D. Pond
>
> "In politics, a lie unanswered becomes truth within 24 hours." -- Willie Brown (b. 1934)

From: ejbca-support <ejb...@pr...> - 2012-07-27 18:46:18

On 2012-07-27 17:59, Jack D. Pond wrote:
> I really have tried to search on this, but came up with nothing.
>
> Most projects have a way of modifying look and feel (other than just .css) as well as actual page content without changing the original. For example, in bugzilla, it is by overriding default templates (template/en/default) with equivalently named templates in template/en/custom (see http://www.bugzilla.org/docs/tip/en/html/cust-templates.html)

This may be a feature of a GUI-revision in the works. The reason why this isn't a major issue is that the majority of CAs are used by a handful of people; the users only (at best) see an external custom RA or CMS.

Cheers,
Anders
PrimeKey tech support

> 1) Is there an equivalent approach in this tool?
>
> 2) Is it documented anywhere?
>
> 3) Do I just modify the files in modules/*-gui/resources . . . directly and create my own mechanism for updating with new revisions?
>
> Jack D. Pond
>
> "In politics, a lie unanswered becomes truth within 24 hours." -- Willie Brown (b. 1934)

From: Tomas G. <to...@pr...> - 2012-07-27 05:38:31

Hi,

There are no security issues with this process. The second page does not contain any sensitive information.

Cheers,
Tomas

Toru Tanaka <tanaka_toru@g.ogis-ri.co.jp> wrote:
> Hi Tomas,
> Thank you for prompt reply.
> I understood there is no special reason about this implementation.
>
> This point is designated by our customer.
>
> The user can move next page even if wrong password is entered.
> Therefore, the user understands that they entered wrong password when the certificate did not issue.
> Our customer feels that something is wrong.
>
> In addition, about the security aspect, we think it is not very good that users can move next page when wrong password is entered.
>
> So, we consider it is better to change this implementation.
> Concretely, if the user enters wrong password, user cannot move next page.
>
> If our change is good, would it be possible to consider a merge into main ejbca?
>
> Toru Tanaka
>
> 2012/7/27 Tomas Gustavsson <to...@pr...>
>> Hi Toru,
>>
>> I think it is mostly historical and technical implementation reasons. Nothing is really sent to validate the information until after the second step. Technically there is no reason we could not validate it after the first step (as well).
>>
>> Cheers,
>> Tomas
>>
>> Toru Tanaka <tanaka_toru@g.ogis-ri.co.jp> wrote:
>>> Hi all
>>>
>>> This is confirmation of specification.
>>> When we issue client certificate,
>>> 1. Access Public Web Page
>>> 2. Enter designated "user name" and "password"
>>> 3. Choose bit number etc and download
>>>
>>> the above procedure is needed.
>>> procedure is no problem.
>>> But, in procedure 2 "Enter designated "user name" and "password"" even if wrong password is entered, I can move next page.
>>> #certificate cannot download.
>>>
>>> I wonder this implementation.
>>> Is there a reason for this implementation?
>>>
>>> Thanks in advance
>>>
>>> Toru Tanaka

From: ejbca-support <ejb...@pr...> - 2012-07-27 05:12:53

Hi Tanaka-San,

The reason why this part may look a bit primitive is that it isn't really intended for large-scale usage. Most customers targeting such uses rather build a specific RA for this purpose where e-mail is typically used to provide a unique (signed) URL to the user rather than leaving a page open for arbitrary access. Then the user doesn't have to know the EJBCA username either, only the password, since the username is an implicit part of the signed URL.

However, feel free to provide an upgrade to the public web. I can't though promise when and if it will be integrated because we are doing lots of new things on EJBCA all the time. Recently we made it conform to Common Criteria.

Cheers,
Anders
PrimeKey tech support

On 2012-07-27 06:47, Toru Tanaka wrote:
> Hi Tomas,
> Thank you for prompt reply.
> I understood there is no special reason about this implementation.
>
> This point is designated by our customer.
>
> The user can move next page even if wrong password is entered.
> Therefore, the user understands that they entered wrong password when the certificate did not issue.
> Our customer feels that something is wrong.
>
> In addition, about the security aspect, we think it is not very good that users can move next page when wrong password is entered.
>
> So, we consider it is better to change this implementation.
> Concretely, if the user enters wrong password, user cannot move next page.
>
> If our change is good, would it be possible to consider a merge into main ejbca?
>
> Toru Tanaka
>
> 2012/7/27 Tomas Gustavsson <to...@pr...>
>> Hi Toru,
>>
>> I think it is mostly historical and technical implementation reasons. Nothing is really sent to validate the information until after the second step. Technically there is no reason we could not validate it after the first step (as well).
>>
>> Cheers,
>> Tomas
>>
>> Toru Tanaka <tanaka_toru@g.ogis-ri.co.jp> wrote:
>>> Hi all
>>>
>>> This is confirmation of specification.
>>> When we issue client certificate,
>>> 1. Access Public Web Page
>>> 2. Enter designated "user name" and "password"
>>> 3. Choose bit number etc and download
>>>
>>> the above procedure is needed.
>>> procedure is no problem.
>>> But, in procedure 2 "Enter designated "user name" and "password"" even if wrong password is entered, I can move next page.
>>> #certificate cannot download.
>>>
>>> I wonder this implementation.
>>> Is there a reason for this implementation?
>>>
>>> Thanks in advance
>>>
>>> Toru Tanaka

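The RA pattern Anders describes (the user receives a unique signed URL by e-mail, the username travels inside that URL, and only the password is typed) is shown below as an added example. It is not EJBCA or PrimeKey code: the endpoint `https://ra.example/enroll`, the query parameter names and the key are constructed assumptions. It goes one step beyond the message by making each link single-use and by refusing expired or altered links, so a link that leaks later, or is forwarded, cannot be reused.

```python
"""Signed, single-use enrollment URL for an RA front end.

Added example, not EJBCA or PrimeKey code. The endpoint, parameter names and
key are constructed assumptions. The RA mails the link; the enrollment page
verifies it and then only asks for the password, as the thread describes.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://ra.example/enroll"  # hypothetical RA endpoint


def _mac(key: bytes, username: str, expires: int, nonce: str) -> str:
    """HMAC-SHA256 over the fields, NUL-separated so they cannot run together."""
    msg = "\x00".join((username, str(expires), nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_enrollment_url(key: bytes, username: str, ttl: int = 86400,
                        now: Optional[int] = None) -> str:
    """Build the link the RA mails out: username, expiry, fresh nonce and MAC."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    nonce = secrets.token_urlsafe(16)
    query = {"u": username, "exp": expires, "n": nonce,
             "sig": _mac(key, username, expires, nonce)}
    return f"{BASE_URL}?{urlencode(query)}"


def verify_enrollment_url(key: bytes, url: str, used_nonces: Set[str],
                          now: Optional[int] = None) -> Optional[str]:
    """Return the username the link was issued for, or None.

    Rejects missing or malformed fields, a bad MAC (which covers a changed
    username or expiry), an expired link, and a nonce already consumed. The
    MAC is checked in constant time before any field is trusted."""
    now = int(time.time()) if now is None else now
    qs = parse_qs(urlsplit(url).query)
    try:
        username, exp, nonce, sig = (qs[k][0] for k in ("u", "exp", "n", "sig"))
        expires = int(exp)
    except (KeyError, ValueError):
        return None
    expected = _mac(key, username, expires, nonce)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if now > expires or nonce in used_nonces:
        return None
    used_nonces.add(nonce)  # single use: a replayed link is refused
    return username


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # RA-side secret, generated for the demo
    used: Set[str] = set()
    link = make_enrollment_url(key, "alice")
    print(link)
    print(verify_enrollment_url(key, link, used))  # alice
    print(verify_enrollment_url(key, link, used))  # None: already used
```

In a real deployment the key lives with the RA, the set of used nonces is persisted (a database row or the nonce recorded against the end entity), and the password check still happens server-side after the link is accepted; the link only replaces the username field, it does not replace the password step.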
From: Toru T. <tanaka_toru@g.ogis-ri.co.jp> - 2012-07-27 04:47:23

Hi Tomas,
Thank you for prompt reply.
I understood there is no special reason about this implementation.

This point is designated by our customer.

The user can move next page even if wrong password is entered.
Therefore, the user understands that they entered wrong password when the certificate did not issue.
Our customer feels that something is wrong.

In addition, about the security aspect, we think it is not very good that users can move next page when wrong password is entered.

So, we consider it is better to change this implementation.
Concretely, if the user enters wrong password, user cannot move next page.

If our change is good, would it be possible to consider a merge into main ejbca?

Toru Tanaka

2012/7/27 Tomas Gustavsson <to...@pr...>
> Hi Toru,
>
> I think it is mostly historical and technical implementation reasons. Nothing is really sent to validate the information until after the second step. Technically there is no reason we could not validate it after the first step (as well).
>
> Cheers,
> Tomas
>
> Toru Tanaka <tanaka_toru@g.ogis-ri.co.jp> wrote:
>> Hi all
>>
>> This is confirmation of specification.
>> When we issue client certificate,
>> 1. Access Public Web Page
>> 2. Enter designated "user name" and "password"
>> 3. Choose bit number etc and download
>>
>> the above procedure is needed.
>> procedure is no problem.
>> But, in procedure 2 "Enter designated "user name" and "password"" even if wrong password is entered, I can move next page.
>> #certificate cannot download.
>>
>> I wonder this implementation.
>> Is there a reason for this implementation?
>>
>> Thanks in advance
>>
>> Toru Tanaka

From: Tomas G. <to...@pr...> - 2012-07-26 19:37:43

Hi Toru,

I think it is mostly historical and technical implementation reasons. Nothing is really sent to validate the information until after the second step. Technically there is no reason we could not validate it after the first step (as well).

Cheers,
Tomas

Toru Tanaka <tanaka_toru@g.ogis-ri.co.jp> wrote:
> Hi all
>
> This is confirmation of specification.
> When we issue client certificate,
> 1. Access Public Web Page
> 2. Enter designated "user name" and "password"
> 3. Choose bit number etc and download
>
> the above procedure is needed.
> procedure is no problem.
> But, in procedure 2 "Enter designated "user name" and "password"" even if wrong password is entered, I can move next page.
> #certificate cannot download.
>
> I wonder this implementation.
> Is there a reason for this implementation?
>
> Thanks in advance
>
> Toru Tanaka

From: Toru T. <tanaka_toru@g.ogis-ri.co.jp> - 2012-07-26 07:50:29

Hi all

This is confirmation of specification.
When we issue client certificate,
1. Access Public Web Page
2. Enter designated "user name" and "password"
3. Choose bit number etc and download

the above procedure is needed.
procedure is no problem.
But, in procedure 2 "Enter designated "user name" and "password"" even if wrong password is entered, I can move next page.
#certificate cannot download.

I wonder this implementation.
Is there a reason for this implementation?

Thanks in advance

Toru Tanaka

From: ejbca-support <ejb...@pr...> - 2012-07-18 15:47:16

On 2012-07-18 17:41, Martin Paljak wrote:
> On Wed, Jul 18, 2012 at 6:34 PM, Andreas Bürki <ab...@an...> wrote:
>> If distribution is the problem I doubt, as banks send random number generators (little plastic thing) to every on-line banking customer as well. Maybe the costs of hard tokens are too high.
>
> I would suggest that for simple one-sided authentication purposes, integration with smart cards is more error-prone (requires client-side software) than OTP tokens. And thus cheaper (support costs).

Unfortunately this problem has been taken to the phone world as well. BankID doesn't use the built-in enrollment mechanisms since these are:
1. all-over-the-map
2. largely inferior. Android 4.0 uses a system created 1996 (!)

Anders

From: Martin P. <ma...@ma...> - 2012-07-18 15:41:50

On Wed, Jul 18, 2012 at 6:34 PM, Andreas Bürki <ab...@an...> wrote:
> If distribution is the problem I doubt, as banks send random number generators (little plastic thing) to every on-line banking customer as well. Maybe the costs of hard tokens are too high.

I would suggest that for simple one-sided authentication purposes, integration with smart cards is more error-prone (requires client-side software) than OTP tokens. And thus cheaper (support costs).

Martin

From: Andreas B. <ab...@an...> - 2012-07-18 15:35:03

On 18.07.2012 11:44, ejbca-support wrote:
> On 2012-07-18 11:28, Andreas Bürki wrote:
>> Anders,
>>
>> Why doesn't PrimeKey offer such a "Cloud Service"? - No audit, no user verification needed, no pain, just the plain CA in the sky...
>
> Well, we actually do this to some extent but a technology provider should also be a bit cautious about competing with their customers...
>
> The largest EJBCA-powered "CA in the Sky" is probably the Swedish BankID where a number of banks have outsourced the "Certificate Factory" to another party (BankGiroCentralen) so this concept is well established. I.e. the BankID member banks are RAs for their customers.

Ah, I see, BankGiroCentralen is something like SIX Group in CH (owned by Swiss banks). They offer PKI services to Swiss banks as well (I have no idea what PKI system it is).
Hint: http://www.six-interbank-clearing.com/tkicch_index/tkicch_home/tkicch_onswissinterbankclearing/tkicch_news_mediareleases/tkicch_media_zkbdatalink.htm?printout=1 -> is part of six-group.com

> The only "fly in the soup" is that enrolling smart cards using a cloud CA is not particularly straightforward. Therefore BankID is only able to enroll "soft tokens" directly to end-users. Hard tokens require physical distribution of tokens and have thus never gotten very big.

If distribution is the problem I doubt, as banks send random number generators (little plastic thing) to every on-line banking customer as well. Maybe the costs of hard tokens are too high.

Cheers, Andreas

> Anders
>
>> Just my 2 Rappen
>>
>> Cheers, Andreas
>>
>> On 18.07.2012 08:05, ejbca-support wrote:
>>> Hans,
>>> There is another option to consider as well.
>>>
>>> If you are targeting an external market of employee/member certificates you could run the CA as a "Cloud Service" where external administrators perform the actual RA tasks. Then your work is limited to running a secure service; not verifying that people are what they claim to be :-)
>>>
>>> Just my 2 öres
>>>
>>> Anders
>>> PrimeKey tech support
>>>
>>> On 2012-07-17 23:14, Hans Witvliet wrote:
>>>> Hi Tomas, Martin, Andreas, Tham, Arshad and all others...
>>>>
>>>> Yes, I think I've got the rough picture.
>>>>
>>>> From a hardware/software p.o.v. its complication compares with a telephone exchange (between single server and datacenter full of equipment).
>>>>
>>>> @Tomas: no I don't underestimate the costs of an HSM, but these are well-known expensive, but you get value/safety for money.
>>>> otoh the amount of hours needed for a project is (from what I know) always vastly underestimated. With the well known end results:
>>>> - unfinished projects
>>>> - going over budget
>>>> - unpaid overtime.
>>>>
>>>> At least now I'm convinced that if it comes this far, I'll not be tempted to give estimations myself (towards a customer), but leave that to someone more experienced in managing projects.
>>>>
>>>> thank you all very much indeed.
>>>>
>>>> Hans

--
Andreas Bürki
E-Mail: ab...@an...
Certificate - SHA1 fingerprint: 54:99:02:5F:60:CE:7A:27:0E:73:79:24:CA:C7:A0:CC:60:39:05:9F

From: ejbca-support <ejb...@pr...> - 2012-07-18 09:44:41
On 2012-07-18 11:28, Andreas Bürki wrote:
> Anders,
>
> Why not PrimeKey offering such a "Cloud Service"? - No audit, no user verification needed, no pain, just the plain CA in the sky...

Well, we actually do this to some extent but a technology provider should also be a bit cautious about competing with their customers...

The largest EJBCA-powered "CA in the Sky" is probably the Swedish BankID where a number of banks have outsourced the "Certificate Factory" to another party (BankGiroCentralen) so this concept is well established. I.e. the BankID member banks are RAs for their customers.

The only "fly in the soup" is that enrolling smart cards using a cloud CA is not particularly straightforward. Therefore BankID is only able to enroll "soft tokens" directly to end-users. Hard tokens require physical distribution of tokens and have thus never gotten very big.

Anders

>
> Just my 2 Rappen
>
> Cheers, Andreas
>
> On 18.07.2012 08:05, ejbca-support wrote:
>> Hans,
>> There is another option to consider as well.
>>
>> If you are targeting an external market of employee/member certificates you could run the CA as a "Cloud Service" where external administrators perform the actual RA tasks. Then your work is limited to running a secure service; not verifying that people are what they claim to be :-)
>>
>> Just my 2 öres
>>
>> Anders
>> PrimeKey tech support
>>
>> On 2012-07-17 23:14, Hans Witvliet wrote:
>>> Hi Tomas, Martin, andreas, Tham, rshad and all others...
>>>
>>> Yes, I think I've got the rough picture.
>>>
>>> From a hardware/software p.o.v. its complexity compares with a telephone exchange (between a single server and a datacenter full of equipment).
>>>
>>> @Tomas: no I don't underestimate the costs of an HSM, but these are well known to be expensive, but you get value/safety for money.
>>> otoh the amount of hours needed for a project is (from what I know) always vastly underestimated. With the well known end results:
>>> - unfinished projects
>>> - going over budget
>>> - unpaid overtime.
>>>
>>> At least now I'm convinced that if it comes this far, I'll not be tempted to give estimations myself (towards a customer), but leave that to someone more experienced in managing projects.
>>>
>>> thank you all very much indeed.
>>>
>>> Hans
From: Andreas B. <ab...@an...> - 2012-07-18 09:28:50
Anders,

Why not PrimeKey offering such a "Cloud Service"? - No audit, no user verification needed, no pain, just the plain CA in the sky...

Just my 2 Rappen

Cheers, Andreas

On 18.07.2012 08:05, ejbca-support wrote:
> Hans,
> There is another option to consider as well.
>
> If you are targeting an external market of employee/member certificates you could run the CA as a "Cloud Service" where external administrators perform the actual RA tasks. Then your work is limited to running a secure service; not verifying that people are what they claim to be :-)
>
> Just my 2 öres
>
> Anders
> PrimeKey tech support
>
> On 2012-07-17 23:14, Hans Witvliet wrote:
>> Hi Tomas, Martin, andreas, Tham, rshad and all others...
>>
>> Yes, I think I've got the rough picture.
>>
>> From a hardware/software p.o.v. its complexity compares with a telephone exchange (between a single server and a datacenter full of equipment).
>>
>> @Tomas: no I don't underestimate the costs of an HSM, but these are well known to be expensive, but you get value/safety for money.
>> otoh the amount of hours needed for a project is (from what I know) always vastly underestimated. With the well known end results:
>> - unfinished projects
>> - going over budget
>> - unpaid overtime.
>>
>> At least now I'm convinced that if it comes this far, I'll not be tempted to give estimations myself (towards a customer), but leave that to someone more experienced in managing projects.
>>
>> thank you all very much indeed.
>>
>> Hans

--
Andreas Bürki
E-Mail: ab...@an...
Certificate - SHA1-Fingerprint: 54:99:02:5F:60:CE:7A:27:0E:73:79:24:CA:C7:A0:CC:60:39:05:9F
From: ejbca-support <ejb...@pr...> - 2012-07-18 06:05:53
Hans,
There is another option to consider as well.

If you are targeting an external market of employee/member certificates you could run the CA as a "Cloud Service" where external administrators perform the actual RA tasks. Then your work is limited to running a secure service; not verifying that people are what they claim to be :-)

Just my 2 öres

Anders
PrimeKey tech support

On 2012-07-17 23:14, Hans Witvliet wrote:
> Hi Tomas, Martin, andreas, Tham, rshad and all others...
>
> Yes, I think I've got the rough picture.
>
> From a hardware/software p.o.v. its complexity compares with a telephone exchange (between a single server and a datacenter full of equipment).
>
> @Tomas: no I don't underestimate the costs of an HSM, but these are well known to be expensive, but you get value/safety for money.
> otoh the amount of hours needed for a project is (from what I know) always vastly underestimated. With the well known end results:
> - unfinished projects
> - going over budget
> - unpaid overtime.
>
> At least now I'm convinced that if it comes this far, I'll not be tempted to give estimations myself (towards a customer), but leave that to someone more experienced in managing projects.
>
> thank you all very much indeed.
>
> Hans
From: Hans W. <hw...@a-...> - 2012-07-17 21:14:21
Hi Tomas, Martin, andreas, Tham, rshad and all others...

Yes, I think I've got the rough picture.

From a hardware/software p.o.v. its complexity compares with a telephone exchange (between a single server and a datacenter full of equipment).

@Tomas: no I don't underestimate the costs of an HSM, but these are well known to be expensive, but you get value/safety for money.
otoh the amount of hours needed for a project is (from what I know) always vastly underestimated. With the well known end results:
- unfinished projects
- going over budget
- unpaid overtime.

At least now I'm convinced that if it comes this far, I'll not be tempted to give estimations myself (towards a customer), but leave that to someone more experienced in managing projects.

thank you all very much indeed.

Hans
From: Tomas G. <to...@pr...> - 2012-07-17 11:08:32
Oh I forgot one thing ;-)

>> I had a vague hope that someone might say:
>> For hotel-chain-such-and-so (ZZZ employees) we needed X people for Y months, for getting all procedures legally water-tight.
>> Specially interfacing towards P&O-software XYZ was a real PITA.

Especially integrating with Windows smart card logon and such is a PITA. It can be done, but many administrators have unrealistic expectations of how easy (and cheap) it should be to integrate smart cards in an organization.

Cheers,
Tomas

> On 07/16/2012 09:59 PM, Hans Witvliet wrote:
>> On Mon, 2012-07-16 at 13:21 +0200, Tham Wickenberg wrote:
>>> Hello,
>>>
>>> I agree with Martin but thought I would throw my two cents in there as well.
>> Tnx, anything to avoid tunnel vision from my side is welcome..
>>
>>> First I would like to divide the problem into client side and CA side. The cost for the client side integration will largely be a function of what client software and systems you want to integrate with. I know very little about this side.
>> Client side is dealt with for 100%
>>
>>> On the CA side I have more experience. In my experience the cost and time required for setting up and maintaining the CA is a function of the required:
>>>
>>> * Security/Trust
>>> High security requires HSM, more personnel because of role separation, hardening, access control, physical security etc. Trust may require more documentation and audit depending on the relationship with relying parties. If a FIPS or Common Criteria certified CA is required that will limit your choices and possibly increase your cost in comparison to other alternatives.
>>>
>>> * Availability/Reliability
>>> High availability/reliability costs more because you will need redundancy in staff and in components. You will need multiple CA-servers/ Database Servers, perhaps multiple site setup etc. You will also want to have support from an integration specialist and/or software vendor if you require high availability.
>>>
>>> * Performance
>>> Cost may rise if you need a high performance solution. You may see increased cost in terms of hardware and staffing needs if you have high volumes and performance requirements. Most small CA implementations are NOT performance intensive though. One issued certificate per second is 3600 issued certificates per hour ofc.
>> Obviously, when asked to advise any software for ca/ra/crl/ocsp/etc ejbca will be my first choice, knowing the developers and some of their clients.
>>
>> I don't think that the costs of "the iron" will be significant, compared with other costs.
>>
>>> * Certificate Enrollment Process.
>>> What your staffing needs are going to be are heavily dependent on how automated and distributed your enrollment process is. If you are enrolling a lot of users/machines you should automate it or expect a lot of manual labour. This cost will be more related to the card solution you choose and again is not my area.
>>>
>>> Due to differences in the above the time needed for setting up a CA will vary greatly from a one person - two weeks project to a four people - three months project. The effort for maintaining will vary from one person part time to many people full time.
>>>
>>> I have not discussed revocation and revocation information here, but I think it will be largely the same function as above.
>>>
>>> I realize this 'it depends' answer can be frustrating. I really can't be more precise than this without knowing more about the requirements, but I can tell you that if you score high on some of the requirements above it will probably not be very cheap.
>>>
>>> I hope this was a useful post, everyone is welcome to correct me or agree!
>> Well, it becomes clear that in this phase I do not know enough customer requirements to present a real case.
>> I'm confident that with ejbca it gives me all the functionality for a single machine for a tiny organisation towards clusters of HA-capable subfunctions for a medium sized company.
>>
>> I had a vague hope that someone might say:
>> For hotel-chain-such-and-so (ZZZ employees) we needed X people for Y months, for getting all procedures legally water-tight.
>> Specially interfacing towards P&O-software XYZ was a real PITA.
>>
>> Or at the other end of the spectrum: "we tried it and you should just forget about it"
>>
>> Hans
From: Tomas G. <to...@pr...> - 2012-07-17 11:02:47
Hi Hans,

Of course PrimeKey has extensive experience from many customer deployments. We have a "standard" setup that will install a redundant standard PKI with HSMs with approx 2 people in 2 weeks. After that there is one week training for the operations staff, long term support and maintenance, etc etc. The preparations before deployment can vary a lot depending on the specific requirements, policies etc. From almost 0 to months of preparations.

If the pure "standard" deployment suits you, you can get away rather cheap, say <100KEUR, including stuff like training. On the other side of the spectrum we have installed many national id/ePassport PKIs, with high availability and high audit requirements, as well as integration with card/passport manufacturing processes. Such a project might go for something like 0.5-1MEUR, including training and first year's maintenance.

For a normal organization I would not recommend going with an "official" CA (i.e. recognized by browsers etc). The audit cost is very high (100s of KEUR), and there is usually no benefit for organizational usage. A self-signed environment is most common, and it does not have to be small.

From what you describe you might cope with something rather standard to start with, but it needs to be a rather serious base PKI that you can build on and extend as you go (requests from other departments). You could go for a "standard" redundant and audit enabled PKI and then budget every year for integration and expansion costs as the PKI usage grows and more departments hook in. If you start with one CA and a few thousand certs, you may end up with 20 CAs and 20 million certs after 5 years of operations (all in one EJBCA installation of course). We have installations that have grown like that, and naturally the total cost is not a one-time cost, but a continuous operational cost that is spread out over an ever growing number of customers (internal to the organization).

I don't know what your expectations are on the organizational overhead but many people get surprised by the PKI hardware costs when it comes to HSMs. If you have a professional installation with redundancy and (more than one) test environments, HSM costs alone easily get up to 50-100KEUR.

Cheers,
Tomas

On 07/16/2012 09:59 PM, Hans Witvliet wrote:
> On Mon, 2012-07-16 at 13:21 +0200, Tham Wickenberg wrote:
>> Hello,
>>
>> I agree with Martin but thought I would throw my two cents in there as well.
> Tnx, anything to avoid tunnel vision from my side is welcome..
>
>> First I would like to divide the problem into client side and CA side. The cost for the client side integration will largely be a function of what client software and systems you want to integrate with. I know very little about this side.
> Client side is dealt with for 100%
>
>> On the CA side I have more experience. In my experience the cost and time required for setting up and maintaining the CA is a function of the required:
>>
>> * Security/Trust
>> High security requires HSM, more personnel because of role separation, hardening, access control, physical security etc. Trust may require more documentation and audit depending on the relationship with relying parties. If a FIPS or Common Criteria certified CA is required that will limit your choices and possibly increase your cost in comparison to other alternatives.
>>
>> * Availability/Reliability
>> High availability/reliability costs more because you will need redundancy in staff and in components. You will need multiple CA-servers/ Database Servers, perhaps multiple site setup etc. You will also want to have support from an integration specialist and/or software vendor if you require high availability.
>>
>> * Performance
>> Cost may rise if you need a high performance solution. You may see increased cost in terms of hardware and staffing needs if you have high volumes and performance requirements. Most small CA implementations are NOT performance intensive though. One issued certificate per second is 3600 issued certificates per hour ofc.
> Obviously, when asked to advise any software for ca/ra/crl/ocsp/etc ejbca will be my first choice, knowing the developers and some of their clients.
>
> I don't think that the costs of "the iron" will be significant, compared with other costs.
>
>> * Certificate Enrollment Process.
>> What your staffing needs are going to be are heavily dependent on how automated and distributed your enrollment process is. If you are enrolling a lot of users/machines you should automate it or expect a lot of manual labour. This cost will be more related to the card solution you choose and again is not my area.
>>
>> Due to differences in the above the time needed for setting up a CA will vary greatly from a one person - two weeks project to a four people - three months project. The effort for maintaining will vary from one person part time to many people full time.
>>
>> I have not discussed revocation and revocation information here, but I think it will be largely the same function as above.
>>
>> I realize this 'it depends' answer can be frustrating. I really can't be more precise than this without knowing more about the requirements, but I can tell you that if you score high on some of the requirements above it will probably not be very cheap.
>>
>> I hope this was a useful post, everyone is welcome to correct me or agree!
> Well, it becomes clear that in this phase I do not know enough customer requirements to present a real case.
> I'm confident that with ejbca it gives me all the functionality for a single machine for a tiny organisation towards clusters of HA-capable subfunctions for a medium sized company.
>
> I had a vague hope that someone might say:
> For hotel-chain-such-and-so (ZZZ employees) we needed X people for Y months, for getting all procedures legally water-tight.
> Specially interfacing towards P&O-software XYZ was a real PITA.
>
> Or at the other end of the spectrum: "we tried it and you should just forget about it"
>
> Hans
From: Arshad N. <ars...@st...> - 2012-07-17 00:47:06
On 07/16/2012 12:59 PM, Hans Witvliet wrote:
>
> I had a vague hope that someone might say:
> For hotel-chain-such-and-so (ZZZ employees) we needed X people for Y months, for getting all procedures legally water-tight.
> Specially interfacing towards P&O-software XYZ was a real PITA.
>
> Or at the other end of the spectrum: "we tried it and you should just forget about it"

PKI deployments vary in cost and time-to-deliver based on the business process they are intended to support, just as a database application varies for the same reasons. However, we have learned some things deploying PKIs for the last 13+ years: there are some things that can be standardized even if the customer does not ask for it, so it can be packaged as a solution. Variability is what drives up costs (think about what Ford did for car prices in the early 20th century).

This model has enabled us to guarantee that we can build a core PKI for any business purpose in 60 business days or less. This includes Root CA, Subordinate CAs, HSMs, Certificate Profiles document, CP, DR testing and training. We usually do these deployments with 1-2 people. The largest PKI took us 5 months with 3 people because it was Windows CA (not easy to work with); the smallest one took us exactly 30 days (EJBCA).

Some of our PKI customers are: the world's largest pharmaceutical; the world's largest telco, bio-technology companies for embedded device certificates, a defense contractor, a central bank of a nation, etc.

Arshad Noor
StrongAuth, Inc.
From: Hans W. <hw...@a-...> - 2012-07-16 19:59:55
On Mon, 2012-07-16 at 13:21 +0200, Tham Wickenberg wrote:
> Hello,
>
> I agree with Martin but thought I would throw my two cents in there as well.
Tnx, anything to avoid tunnel vision from my side is welcome..

> First I would like to divide the problem into client side and CA side. The cost for the client side integration will largely be a function of what client software and systems you want to integrate with. I know very little about this side.
Client side is dealt with for 100%

> On the CA side I have more experience. In my experience the cost and time required for setting up and maintaining the CA is a function of the required:
>
> * Security/Trust
> High security requires HSM, more personnel because of role separation, hardening, access control, physical security etc. Trust may require more documentation and audit depending on the relationship with relying parties. If a FIPS or Common Criteria certified CA is required that will limit your choices and possibly increase your cost in comparison to other alternatives.
>
> * Availability/Reliability
> High availability/reliability costs more because you will need redundancy in staff and in components. You will need multiple CA-servers/ Database Servers, perhaps multiple site setup etc. You will also want to have support from an integration specialist and/or software vendor if you require high availability.
>
> * Performance
> Cost may rise if you need a high performance solution. You may see increased cost in terms of hardware and staffing needs if you have high volumes and performance requirements. Most small CA implementations are NOT performance intensive though. One issued certificate per second is 3600 issued certificates per hour ofc.
Obviously, when asked to advise any software for ca/ra/crl/ocsp/etc ejbca will be my first choice, knowing the developers and some of their clients.

I don't think that the costs of "the iron" will be significant, compared with other costs.

> * Certificate Enrollment Process.
> What your staffing needs are going to be are heavily dependent on how automated and distributed your enrollment process is. If you are enrolling a lot of users/machines you should automate it or expect a lot of manual labour. This cost will be more related to the card solution you choose and again is not my area.
>
> Due to differences in the above the time needed for setting up a CA will vary greatly from a one person - two weeks project to a four people - three months project. The effort for maintaining will vary from one person part time to many people full time.
>
> I have not discussed revocation and revocation information here, but I think it will be largely the same function as above.
>
> I realize this 'it depends' answer can be frustrating. I really can't be more precise than this without knowing more about the requirements, but I can tell you that if you score high on some of the requirements above it will probably not be very cheap.
>
> I hope this was a useful post, everyone is welcome to correct me or agree!
Well, it becomes clear that in this phase I do not know enough customer requirements to present a real case.
I'm confident that with ejbca it gives me all the functionality for a single machine for a tiny organisation towards clusters of HA-capable subfunctions for a medium sized company.

I had a vague hope that someone might say:
For hotel-chain-such-and-so (ZZZ employees) we needed X people for Y months, for getting all procedures legally water-tight.
Specially interfacing towards P&O-software XYZ was a real PITA.

Or at the other end of the spectrum: "we tried it and you should just forget about it"

Hans
From: Tham W. <ejb...@pr...> - 2012-07-16 11:21:30
|
Hello, I agree with Martin but thought I would throw my two cents in there as well. First I would like to divide the problem into client side and CA side. The cost for the client side integration will largely be a function of what client software and systems you want to integrate with. I know very little about this side. On the CA side I have more experience. In my experience the cost and time required for setting up and maintaining the CA is a function of the required: * Security/Trust High security requires HSM, more personel because of role separation, hardening, access control, physical security etc. Trust may require more documentation and audit depending on the relationship with relying parties. If a FIPS or Common Criteria certified CA is required that will limit your choices and possibly increase your cost in comparison to other alternatives. * Availability/Reliability High availability/reliability costs more because you will need redundancy in staff and in components. You will need multiple CA-servers/ Database Servers, perhaps multiple site setup etc. You will also want to have support from an integration specialist and/or software vendor if you require high availability. * Performance Cost may rise if you need a high performance solution. You may see increased cost in terms of hardware and staffing needs if you have high volumes and performance requirements. Most small CA implementations are NOT performance intensive though. One issued certificate per second is 3600 issued certificates per hour ofc. * Certificate Enrollment Process. What your staffing needs are going to be are heavily dependent on how automated and distributed your enrollment process is. If you are enrolling a lot of users/machines you should automate it or expect a lot of manual labour. This cost will be more related to the card solution you choose and again is not my area. 
Due to differences in the above the time needed for setting up a CA will vary greatly from a one person - two weeks project to a four people - three months project. The effort for maintaining will vary from one person part time to many people full time.

I have not discussed revocation and revocation information here, but I think it will be largely the same function as above.

I realize this 'it depends' answer can be frustrating. I really can't be more precise than this without knowing more about the requirements, but I can tell you that if you score high on some of the requirements above it will probably not be very cheap.

I hope this was a useful post, everyone is welcome to correct me or agree!

Cheers,
Tham Wickenberg / PrimeKey Solutions

On 7/12/12 6:18 PM, Hans Witvliet wrote:
> On Thu, 2012-07-12 at 10:27 +0200, Andreas Bürki wrote:
>> Hi Hans
>>
>> How do you define:
>>> 1) fully implemented official PKI
>> more specific, how do you define
>>
>> official?
>>
> Hi Andreas,
>
> perhaps I was a bit too brief there...
>
> I know that there are companies/organisations that have taken the lengthy
> trouble and have certificates signed by commercial CAs. When employees
> are hired/fired, certificates are created or revoked, etc etc etc
>
> So what we see is, on the one hand, there are companies that start looking
> for the possibilities that PKI offers, but have nothing implemented
> _yet_.
>
> And on the other hand, small organisations that do not want/need a
> trusted third party (only two parties involved) but want to use the
> possibilities that asymmetric keys and certificates offer.
> Obviously, the needs of an airplane manufacturer are somewhat different
> from that of a table-tennis organisation ;-) But even there, there must
> be a connection between the management of new/leaving members and
> revocation of their certificate.
>
> So, to summarize, if a small org or medium company needs to start
> enrolling certificates & smartcards, can anything be said about
> - amount of time for implementing
> - cost estimation
>
> I have no intention of being part of it, but if I say to a potential
> customer:
> "all your members/workers need a smartcard holding certificates"
> and
> "your organisation must take care of issuing and revoking",
> I can expect the questions that if they don't have that, what it will
> cost them and how long it will take....
>
> Hence my question
>
> Hans
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
From: Tomas G. <to...@pr...> - 2012-07-14 07:49:34
Btw. There is usually no need for you to use the "Clear caches" button. The caches auto-refresh regularly. Only if you have configured the caches to never expire should you need to use that. And you only need to configure caches for that if you run an ultra-performant PKI (tm ;-)), say > 200 certs/second.

Cheers,
Tomas

On 07/14/2012 09:22 AM, Tomas Gustavsson wrote:
>
> Hi Bruno,
>
> You are correct in most of your analysis. EJBCA uses
> "InetAddress.getLocalHost" to get the local hostname. What this returns
> depends on what is in the hosts file of course.
>
>> - may this behavior be considered a bug? (using nodename rather than
>> binding IP name).
>
> No, it is deliberate. Hostname is much more flexible, and often more
> correct than IP address. EJBCA does not know which IP JBoss binds to,
> and it can change at any time. Most hosts have multiple IPs, and EJBCA
> can not know which are used for what. With a hostname the cluster nodes
> can have each other's hostnames in the local hosts file if needed. This
> can point to anywhere so it is configurable by the admins.
>
> You can simply add the correct IP addresses in the cluster nodes' local
> hosts files.
>
> One improvement that I could think of would be if you could override the
> detected hostname by a configuration option. Then you could use other
> hostnames than the real ones, pointing to other IP addresses?
>
> By the way, if JBoss is behind an Apache proxy, it does not matter what
> IP JBoss binds to, since it will be Apache that accepts the connection.
> So it is actually the IPs/hostnames that Apache binds to that are relevant.
>
>> - can you confirm that if I remove by hand the node in the nodelist, each
>> time I start EJBCA on a node, it will add the new member? (since
>> EJBCA will check if the hostname exists)
>
> Yes this is correct.
>
>> - more or less the same question when JBoss is not directly reachable
>> but only through an Apache (on a different nodename.. :)
>
> If "nodename" is not reachable from one cluster node to the other, even
> if you add the correct IP address in the local hosts file, you can not
> use the global "clear cache" button. Very simple :-) If you need to
> clear caches when the cluster nodes can not talk to each other, you need
> to clear the cache individually on all nodes.
>
> An error when clicking the button simply means that the cache was not
> cleared on that host, and you have to clear it manually. There is a CLI
> for clearing caches as well, so you can easily script it.
>
> Cheers,
> Tomas
>
> On 07/13/2012 04:19 PM, Bruno Bonfils wrote:
>> Hi folks,
>>
>> I'm wondering how EJBCA determines the "nodename" in a cluster
>> environment. As far as I understand/remember the code, EJBCA uses the
>> hostname of the server, which may be wrong.
>>
>> My environment is the following:
>> 2 JBoss, each one uses a dedicated IP address (given as -b when
>> starting jboss)
>> Each JBoss is protected by an Apache acting as reverse proxy
>>
>> When I start EJBCA, if I display the list of nodes I can see the list
>> of hostnames of servers where EJBCA is running. And when I click on
>> the "Clear all caches" button, I get a "Connection refused" exception.
>> Indeed, the code is:
>>
>> "String nodeip = InetAddress.getByName(nodename).getHostAddress();"
>>
>> But, since I use a dedicated IP for JBoss, EJBCA is not reachable on the
>> nodename's primary address.
>>
>> So my questions are:
>>
>> - may this behavior be considered a bug? (using nodename rather than
>> binding IP name).
>> - can you confirm that if I remove by hand the node in the nodelist, each
>> time I start EJBCA on a node, it will add the new member? (since
>> EJBCA will check if the hostname exists)
>> - more or less the same question when JBoss is not directly reachable
>> but only through an Apache (on a different nodename.. :)
>>
>> Best regards
>>
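The failure discussed in this thread has a simple shape: the stored nodename is resolved with InetAddress.getByName(nodename), and a TCP connection is attempted to the resulting address, which fails with "Connection refused" when JBoss (or the Apache in front of it) does not listen there. Before pressing the global "Clear caches" button it is cheap to run that same resolve-and-connect step for every node in the list and see which ones the fan-out would fail on. The script below is an added example, not EJBCA code, and is written in Python rather than EJBCA's Java so it runs stand-alone; it resolves each nodename, optionally through a hosts-file style override map of the kind Tomas suggests for the cluster nodes' local hosts files, and tries a TCP connect to the port you expect the node to answer on. The node names, ports and hosts map in demo() are constructed for the offline run; the real port is whatever your JBoss or Apache listens on, which the thread does not state.

```python
import socket
from contextlib import closing


def hosts_resolver(hosts):
    """Resolve like InetAddress.getByName() with a local hosts-file override.

    `hosts` mimics /etc/hosts entries ({name: ip}); anything not in it falls
    through to the system resolver, which is what EJBCA itself would use.
    """
    def resolve(name):
        return hosts.get(name) or socket.gethostbyname(name)
    return resolve


def check_node(nodename, port, resolve=socket.gethostbyname, timeout=2.0):
    """Do what the 'Clear caches' fan-out needs for one node.

    Resolve the stored nodename, then open a TCP connection to the EJBCA
    port on that address. Returns (ip, reachable, detail); ip is None when
    the name does not resolve at all.
    """
    try:
        ip = resolve(nodename)
    except socket.gaierror as exc:
        return None, False, "unresolvable: %s" % exc
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((ip, port))
        except OSError as exc:  # ConnectionRefusedError, timeout, ...
            return ip, False, "%s: %s" % (type(exc).__name__, exc)
    return ip, True, "ok"


def check_cluster(nodes, resolve=socket.gethostbyname):
    """nodes: {nodename: port}. Returns [(nodename, ip, reachable, detail)],
    so the caller can see which nodes the button would fail on and clear
    those by hand or through the CLI instead."""
    return [(name,) + check_node(name, port, resolve)
            for name, port in nodes.items()]


def demo():
    """Constructed offline scenario: a loopback listener plays a node that
    is reachable on the address its name resolves to; a loopback port with
    nothing listening plays a node whose primary address JBoss does not
    bind to, which produces the 'Connection refused' from the report."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)
        good_port = srv.getsockname()[1]
        # Take an ephemeral port and release it so nothing listens there.
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
            tmp.bind(("127.0.0.1", 0))
            dead_port = tmp.getsockname()[1]
        # Hypothetical node names plus a hosts-file style override, in the
        # spirit of putting peers' addresses in each node's local hosts file.
        hosts = {"ca-node1": "127.0.0.1", "ca-node2": "127.0.0.1"}
        nodes = {"ca-node1": good_port, "ca-node2": dead_port}
        return check_cluster(nodes, hosts_resolver(hosts))


if __name__ == "__main__":
    for name, ip, ok, detail in demo():
        print("%-10s %-15s %s %s" % (name, ip,
                                     "reachable" if ok else "FAILED", detail))
```

Run it on the real node list (names as they appear in EJBCA's node list, port as served by JBoss or Apache) from each cluster member in turn, since reachability is per source node: a name that resolves correctly on one node may point at the wrong interface on another. Any node reported as FAILED is one whose cache the button would not clear and that has to be cleared locally or via the CLI.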