From: Andreas S. <and...@ca...> - 2017-01-05 18:43:47

The SmartCard-HSM supports n-of-m authentication [1]. However, this is currently only supported via JCE, while integration with EJBCA is done via PKCS#11 [2]. If there is serious demand, then we could make it work via PKCS#11 as well.

Andreas

[1] https://www.smartcard-hsm.com/2015/10/10/Shared_Control_over_Key_Usage.html
[2] https://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html

On 01/05/2017 07:07 PM, Soluti Quintiliano wrote:
> Hummm... A smartcard or security token + password split between MofN, not
> great but still simple.
>
> You probably will have problems with backing this up.
>
> If you really need to segregate this, during the install EJBCA allows
> you to generate the Superadmin cert using a PKCS11 library so you can
> use a smartcard or token and have the superadmin cert protected. I
> personally wouldn't do this. It's easier to use the superadmin for
> initial config and then replace it with the CA operator's cert.
>
> Just out of curiosity, can you share your PKI architecture idea? I've
> been using EJBCA in large scale for 5 years and haven't had any issue
> regarding limiting access to CA Administration. Using a small number of
> trusted managers, allowing only them to make changes on CAs and
> profiles. Even then, everything is verified from the logs, and, if
> something unusual or even not authorized happens (the alarms go on,
> never happens), it is then audited.
>
> []'s
>
> Protect your contacts' e-mail addresses as I am protecting yours.
> When sending messages to more than one address, ALWAYS use
> "Cco" (cópia oculta) or "Bcc" (Blind carbon copy).
>
> /This message is directed exclusively to its addressee and may contain
> confidential data, protected under professional secrecy rules. Its
> unauthorized use is illegal and may subject the transgressor to the
> law's penalties. If you're not the addressee, please send it back,
> elucidating the failure./
>
> 2017-01-05 15:47 GMT-02:00 Carlos Rodrigues <cm...@eu...>:
>
> Hello,
>
> I don't have an HSM device; is there no other way to do that?
>
> Regards,
> Carlos Rodrigues
>
> On Thu, 2017-01-05 at 15:05 -0200, Soluti Quintiliano wrote:
>> Hi,
>>
>> Out of the box, the easy option is to limit access to the EJBCA CA
>> interface through user permissions. You can then store the AC
>> Admin (Superadmin) certificate inside an HSM and ensure the access
>> to this specific key with MofN. You'll also need to isolate the
>> access to EJBCA's shell server...
>>
>> Att.
>>
>> 2017-01-05 14:31 GMT-02:00 Carlos Rodrigues <cm...@eu...>:
>>> Hello,
>>>
>>> I would like to know how to configure EJBCA to require more than
>>> one person to activate a Certification Authority and to prevent
>>> changes to the CA settings.
>>>
>>> Could anyone help me?
>>>
>>> Regards,
>>> Carlos Rodrigues
>>>
>>> On Wed, 2016-12-28 at 14:16 +0000, Carlos Rodrigues wrote:
>>>> Hello,
>>>>
>>>> I need to create one Certification Authority that needs more
>>>> than one person to open the CA to do any CA operation.
>>>> This should include changing the CA to set approval settings.
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> Carlos Rodrigues
>>>>
>>>> Senior Software Engineer
>>>>
>>>> Eurotux Informática, S.A. | www.eurotux.com
>>>> (t) +351 253 680 300 (m) +351 911 926 110
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Ejbca-develop mailing list
>>>> Ejb...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

--
    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Commercial register: Bad Oeynhausen HRB 14880
                 Managing Director: Andreas Schwier