From: Anders R. <and...@gm...> - 2017-01-07 06:08:21
On 2017-01-06 22:32, Willi Trace wrote:
> Or we can kindly ask PrimeKey to include Peer Connectors and their new RA in
> Community Edition ;)

Well, that's a possibility. I won't personally interfere with PrimeKey's
business model and I also use the securityproxy in other projects.

PrimeKey's Peer Connector solution appears to be covering the entire EJBCA.
In my EJBCA implementation I didn't do anything with respect to administration
and GUI, it was just a dedicated, bi-directional, mutually authenticated
channel between two worlds, where one was considered as more secure than the
other.

http://webpki.org/papers/mobile-ra-guide.pdf

The RA was written from scratch since my target built on having the user
database outside of EJBCA, i.e. the CA became more like a certificate factory.

Anders
https://mobilepki.org/scc

>
> WT
>
> On Friday, January 6, 2017, Willi Trace <wil...@gm...> wrote:
>
>> Hi Anders,
>>
>> Seems exactly like what I want to do, so maybe I can use it with websockets
>> and send it to you as an update of securityproxy.
>>
>> As I understand it, you are proposing to create messages between EJBCA and
>> clients in JSON. I was thinking about using the ExtRA message format with
>> its integrity and encryption. But it may be a good idea to do it in JSON.
>>
>> I wonder how much work there is to integrate this with EJBCA. This is
>> actually the part where I am thinking about options and what would be the
>> best way. It should also be in the GUI in order to manage it easily and
>> add, remove, etc. authorized clients.
>>
>> Currently I have updated the ExtRA API package for EJBCA 6.5.0.
>> Configuration of databases and ExtRAWorker can be done more or less
>> effectively using predefined scripts, but what I would like to eliminate is
>> database polling every 5 seconds, which is ineffective.
>>
>> WT
>>
>> On Friday, January 6, 2017, Anders Rundgren <and...@gm...> wrote:
>>
>>> On 2017-01-06 19:51, Willi Trace wrote:
>>>> I am implementing a websocket connection pool from EJBCA to clients,
>>>> primarily as a replacement for external RA and peer connections, which
>>>> are not available in Community Edition.
>>>>
>>>> Is there any work done on this which I can reuse or build on?
>>>> Of course I would like to publish it to the community when it is ready.
>>>>
>>>> My first concept works similarly to peer connections (although I do not
>>>> know the current implementation of Enterprise Edition) but through wss.
>>>> It should be effective and easily managed through the admin GUI,
>>>> authenticated by AKB.
>>>
>>> Hi Willi,
>>>
>>> I'm a former PrimeKey employee who some years ago developed a replacement
>>> for the external RA:
>>> https://cyberphone.github.io/doc/openkeystore/javaapi/org/webpki/securityproxy/package-summary.html
>>>
>>> I have integrated this with EJBCA but the integration is owned by PrimeKey.
>>>
>>> I have been thinking about upgrading the public part (the API above) to
>>> use WebSocket but haven't had any time to do that.
>>> The current scheme uses serialized Java objects which I also want to shelve.
>>> Today I have totally (and forever...) left the WS/XML/XSD camp in favor of
>>> JSON.
>>> So a new system would (from my perspective) be built on JSON.
>>>
>>> https://cyberphone.github.io/doc/openkeystore/javaapi/org/webpki/json/package-summary.html
>>>
>>> Two-way TLS auth seems good to keep. In my setup I use a symmetric scheme
>>> so that the same cert+key is used in both directions. That is, the
>>> self-signed cert is both server and client.
>>>
>>> I had no problems integrating the proxy in EJBCA so I would still consider
>>> making a separate component.
>>>
>>> Best
>>> Anders
>>>
>>>> WT

_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
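The symmetric two-way TLS scheme Anders describes in the quoted reply (one self-signed cert+key per endpoint, presented whether that endpoint is the TLS server or the TLS client) as an added example in Go. This is not code from the thread, from EJBCA or from the securityproxy package. It assumes that each side trusts the other by pinning the other's self-signed certificate directly, i.e. a trust store that holds exactly that certificate and no CA; the hostnames ca.example.test and ra.example.test are placeholders, and a loopback TCP connection stands in for the real channel (a wss:// layer would simply sit on the same tls.Config). The example also goes one step beyond the quoted text and checks the failure mode the scheme depends on: a second self-signed certificate carrying the correct hostname but a different key is refused in either role.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newIdentity generates an ECDSA P-256 key and a self-signed certificate for
// name that carries both the serverAuth and clientAuth extended key usages.
func newIdentity(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // peers verify this as the ServerName
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der) // kept in Leaf so a peer can pin it
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// config builds self's TLS configuration for one role, presenting the same
// certificate either way. The trust store holds only peer's self-signed
// certificate, so peer verifies as a one-element chain and no CA can mint a
// substitute for it.
func config(self, peer tls.Certificate, asServer bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(peer.Leaf)
	if asServer {
		return &tls.Config{Certificates: []tls.Certificate{self}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	}
	return &tls.Config{Certificates: []tls.Certificate{self}, RootCAs: pool, ServerName: peer.Leaf.DNSNames[0]}
}

// peerCN is the CommonName of the certificate the other side presented.
func peerCN(c *tls.Conn) string {
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName
}

// connect runs one mutually authenticated handshake over loopback TCP: client
// dials server; client accepts only clientTrusts as the server and server
// accepts only serverTrusts as the client. It returns the CommonName each side
// saw in the other's certificate, or an error if either side refused.
func connect(client, server, clientTrusts, serverTrusts tls.Certificate) (clientSaw, serverSaw string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	srv := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			raw.SetDeadline(time.Now().Add(5 * time.Second)) // bound any stall
			conn := tls.Server(raw, config(server, serverTrusts, true))
			if err = conn.Handshake(); err == nil {
				serverSaw = peerCN(conn)
			}
		}
		srv <- err
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return "", "", err
	}
	defer raw.Close()
	conn := tls.Client(raw, config(client, clientTrusts, false))
	clientErr := conn.Handshake()
	// Wait for the server's verdict too: under TLS 1.3 the client's handshake
	// completes before the server has checked the client certificate.
	if serverErr := <-srv; clientErr != nil {
		return "", "", fmt.Errorf("client side: %w", clientErr)
	} else if serverErr != nil {
		return "", "", fmt.Errorf("server side: %w", serverErr)
	}
	return peerCN(conn), serverSaw, nil
}
```

With ca and ra from newIdentity, connect(ca, ra, ra, ca) and connect(ra, ca, ca, ra) both succeed with the same two certificates, which is the symmetric property: whichever side opens the connection, the other end's identity is checked against one pinned certificate, not against a hostname or a CA. The flip side of pinning is operational: the pinned certificate's expiry is a hard rotation deadline on both ends, and a new key means updating the peer's trust store before the old certificate lapses.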