From: Carlos R. <cm...@eu...> - 2017-01-06 10:46:02
On Thu, 2017-01-05 at 19:54 +0100, Willi Trace wrote:
> You can achieve dual control by combining infrastructure access to the CA and logical access using a CA operator token.

Could you please detail this implementation? Can you give some references, or explain how to implement it on EJBCA?

> The infrastructure administrator would not be able to do operations on the CA alone because of the absence of authorization, and the CA operator wouldn't be able to do operations on the CA without the infrastructure administrator (or call these roles whatever you want).
>
> This will ensure the dual control you want.
> Logs and procedural design will ensure audit trails.
>
> WT

Thank you.

Regards,
Carlos Rodrigues

> On Thursday, January 5, 2017, Andreas Schwier <and...@ca...> wrote:
>> The SmartCard-HSM supports n-of-m authentication [1]. However, this is currently only supported via JCE, while integration with EJBCA is done via PKCS#11 [2]. If there is serious demand, then we could make it work via PKCS#11 as well.
>>
>> Andreas
>>
>> [1] https://www.smartcard-hsm.com/2015/10/10/Shared_Control_over_Key_Usage.html
>> [2] https://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html
>>
>> On 01/05/2017 07:07 PM, Soluti Quintiliano wrote:
>>> Hummm... A smartcard or security token + password split between MofN, not great but still simple.
>>>
>>> You probably will have problems with backing this up.
>>>
>>> If you really need to segregate this, during the install EJBCA allows you to generate the Superadmin cert using a PKCS11 library, so you can use a smartcard or token and have the Superadmin cert protected. I personally wouldn't do this. It's easier to use the Superadmin for initial config and then replace it with the CA operator's cert.
>>>
>>> Just out of curiosity, can you share your PKI architecture idea? I've been using EJBCA at large scale for 5 years and haven't had any issue regarding limiting access to CA Administration. Using a small number of trusted managers, allowing only them to make changes on CAs and profiles. Even then, everything is verified from the logs, and if something unusual or even unauthorized happens (the alarms go on, never happens), it is then audited.
>>>
>>> []'s
>>>
>>> Protect your contacts' email addresses as I am protecting yours. When sending messages to more than one address, ALWAYS use "Cco" (cópia oculta) or "Bcc" (Blind carbon copy).
>>>
>>> This message is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure.
>>>
>>> 2017-01-05 15:47 GMT-02:00 Carlos Rodrigues <cm...@eu...>:
>>>> Hello,
>>>>
>>>> I don't have an HSM device; is there no other way to do that?
>>>>
>>>> Regards,
>>>> Carlos Rodrigues
>>>>
>>>> On Thu, 2017-01-05 at 15:05 -0200, Soluti Quintiliano wrote:
>>>>> Hi,
>>>>>
>>>>> Out of the box, the easy option is to limit access to the EJBCA CA interface through user permissions. You can then store the CA Admin (Superadmin) certificate inside an HSM and protect access to this specific key with MofN. You'll also need to isolate access to EJBCA's shell server...
>>>>>
>>>>> Regards,
>>>>>
>>>>> 2017-01-05 14:31 GMT-02:00 Carlos Rodrigues <cm...@eu...>:
>>>>>> Hello,
>>>>>>
>>>>>> I would like to know how to configure EJBCA to require more than one person to activate a Certification Authority, and to prevent changes to the CA settings.
>>>>>>
>>>>>> Could anyone help me?
>>>>>>
>>>>>> Regards,
>>>>>> Carlos Rodrigues
>>>>>>
>>>>>> On Wed, 2016-12-28 at 14:16 +0000, Carlos Rodrigues wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I need to create a Certification Authority that requires more than one person to open the CA for any CA operation. This should include changing the CA to set approval settings.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> --
>>>>>>> Carlos Rodrigues
>>>>>>>
>>>>>>> Senior Software Engineer
>>>>>>>
>>>>>>> Eurotux Informática, S.A. | www.eurotux.com
>>>>>>> (t) +351 253 680 300 (m) +351 911 926 110
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>>>>>> _______________________________________________
>>>>>>> Ejbca-develop mailing list
>>>>>>> Ejb...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>
>> --
>> ---------    CardContact Systems GmbH
>> |.##> <##.|  Schülerweg 38
>> |#       #|  D-32429 Minden, Germany
>> |#       #|  Phone +49 571 56149
>> |'##> <##'|  http://www.cardcontact.de
>> ---------    Registration court Bad Oeynhausen HRB 14880
>>              Managing Director Andreas Schwier