From: Tomas G. <to...@pr...> - 2013-04-04 13:43:10
To fill in (perhaps a bit too much) from what Tham already said...

* No, there is no built-in CMP functionality in the External RA. You have to develop that yourselves. But EJBCA has excellent CMP support, used in hundreds of installations and different use-cases world-wide.

Since you have not fully understood how CMP and the External RA work, it would be much easier if you describe what goal you are trying to accomplish. Then we can suggest best practice for doing this (we have seen hundreds of different installations). For example:
- What are the users and clients?
- Where is registration of users done?
- What protocols do the clients use?
- Who communicates with what?

-----

Installing EJBCA in a server gives you a Certificate Authority, with built-in Registration Authority functions. This means that on the EJBCA server you can register and issue certificates for users. You can do this with many different protocols:
- Web GUIs
- Command line interface
- CMP
- SCEP
- Web Service
- and more...

Against one Certificate Authority you can have multiple Registration Authorities. "Registration Authority" is an abstract concept that does not mandate any specific technology to be used. Local, remote, distributed, web based, Java GUI based, carrier pigeon based.

External RA is an external server that can be used to develop RAs _if_ there is a requirement that no incoming connections are allowed to the CA server. If there is _not_ any such requirement, there is no use for the External RA.

The External RA is an API, so you can develop your own External RA GUI. EJBCA comes with two pre-made External RA functions: the External RA browser enrollment GUI and the External RA SCEP service.

The meaning of RA mode for CMP is that an RA connects to the CA using CMP. The requests that the RA sends over CMP to the CA are treated as "trusted" and certificates are issued, if the RA is authenticated.

The EJBCA External RA does _not_ use CMP to communicate with the CA server.

The most common usages of CMP are:
- Card management system works as an RA. Card management system communicates with CMP to EJBCA.
- 3GPP/LTE network nodes, specified in the 3GPP standard how eNodes communicate using CMP to the CA (EJBCA).
- Network routers getting certificates from the CA

If you want to use CMP directly from your clients and want some network shielding, you can use the CMP Proxy instead. This sits between the client and the CA and breaks/inspects all network connections.

Regards,
Tomas

-----
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

On 04/04/2013 03:22 PM, eilaf sorkatti wrote:
> Hello Tomas,
>
> Did you mean that she can't configure the CMP between external RA and
> CA? even in RA mode?
>
> On Tue, Apr 2, 2013 at 2:59 PM, sara <sar...@gm...> wrote:
>
> ok thank you
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
> --
> Eilaf Hamad Elnil Mugbil
> University Of Khartoum
> School Of Mathematical science