From: Willi T. <wil...@gm...> - 2017-01-06 20:29:10
Hi Anders,

Seems exactly like I want to do so maybe I can use it with websockets and send it to you as update of securityproxy.

As I understand you are proposing to create messages between EJBCA and clients in JSON. I was thinking about using ExtRA message format with its integrity and encryption. But it may be good idea to do it in JSON.

I wonder how much work there is to integrate this with EJBCA. This is actually part where I am thinking about options and what would be the best way. It should be also in GUI in order to manage it easily and add, remove, etc. authorized clients.

Currently I have updated ExtRA API package for EJBCA 6.5.0. Configuration of databases and ExtRAWorker can be done more or less effectively using predefined scripts but what I would like to eliminate is database polling every 5 seconds which is ineffective.

WT

On Friday, January 6, 2017, Anders Rundgren <and...@gm...> wrote:

> On 2017-01-06 19:51, Willi Trace wrote:
>
>> I am implementing websocket connection pool from EJBCA to clients
>> primarily as a replacement of external RA and peer connections which are
>> not available in Community Edition.
>>
>> is there any work done on this which I can reuse or build on it?
>> Of course I would like to publish it to community when it will be ready.
>>
>> My first concept is working similar to peer connections (although I do
>> not know current implementation of Enterprise Edition) but through wss. It
>> should be effective and easily managed through admin GUI authenticated by
>> AKB.
>>
>
> Hi Willi,
>
> I'm a former PrimeKey employee who some years ago developed a replacement
> for the external RA:
> https://cyberphone.github.io/doc/openkeystore/javaapi/org/webpki/securityproxy/package-summary.html
>
> I have integrated this with EJBCA but the integration is owned by PrimeKey.
>
> I have been thinking about upgrading the public part (the API above) to
> use WebSocket but haven't had any time to do that.
> The current scheme uses serialized Java objects which I also want to
> shelve.
> Today I have totally (and forever...) left the WS/XML/XSD camp in favor of
> JSON.
> So a new system would (from my perspective) be built on JSON.
>
> https://cyberphone.github.io/doc/openkeystore/javaapi/org/webpki/json/package-summary.html
>
> Two-way TLS auth seems good to keep. In my setup I use a symmetric scheme
> so that the same cert+key is used in both directions. That is, the
> self-signed cert is both server and client.
>
> I had no problems integrating the proxy in EJBCA so I would still consider
> making a separate component.
>
> Best
> Anders
>
>> WT