Menu
▾
▴
signserver-develop
You can subscribe to this list here.
| 2008 |
Jan
(1) |
Feb
(4) |
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
(4) |
Dec
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009 |
Jan
(2) |
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
(1) |
Nov
(4) |
Dec
|
| 2010 |
Jan
(1) |
Feb
|
Mar
|
Apr
(4) |
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2011 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
(1) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(3) |
| 2012 |
Jan
(1) |
Feb
(8) |
Mar
(10) |
Apr
|
May
(12) |
Jun
(2) |
Jul
(28) |
Aug
(15) |
Sep
(12) |
Oct
(2) |
Nov
|
Dec
(16) |
| 2013 |
Jan
(30) |
Feb
(1) |
Mar
|
Apr
(11) |
May
(2) |
Jun
(11) |
Jul
(15) |
Aug
(4) |
Sep
(1) |
Oct
(10) |
Nov
(1) |
Dec
(2) |
| 2014 |
Jan
(8) |
Feb
(13) |
Mar
(12) |
Apr
(24) |
May
(2) |
Jun
(1) |
Jul
(1) |
Aug
|
Sep
(2) |
Oct
(1) |
Nov
(2) |
Dec
(1) |
| 2015 |
Jan
(3) |
Feb
(6) |
Mar
|
Apr
|
May
(7) |
Jun
(7) |
Jul
(3) |
Aug
(5) |
Sep
(1) |
Oct
(8) |
Nov
(6) |
Dec
|
| 2016 |
Jan
|
Feb
(3) |
Mar
(5) |
Apr
(9) |
May
(26) |
Jun
(8) |
Jul
|
Aug
|
Sep
(11) |
Oct
(8) |
Nov
(1) |
Dec
(2) |
| 2017 |
Jan
(4) |
Feb
(7) |
Mar
(7) |
Apr
(4) |
May
(1) |
Jun
(5) |
Jul
(3) |
Aug
(3) |
Sep
(1) |
Oct
(4) |
Nov
(5) |
Dec
(1) |
| 2018 |
Jan
(4) |
Feb
(1) |
Mar
(1) |
Apr
(1) |
May
|
Jun
(1) |
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
(1) |
Mar
(2) |
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
(2) |
Dec
|
| 2020 |
Jan
(3) |
Feb
|
Mar
(2) |
Apr
(3) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2021 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2022 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
|
Dec
(1) |
| 2023 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
(1) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(1) |
| 2025 |
Jan
|
Feb
(1) |
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Markus K. <ma...@pr...> - 2014-04-02 09:42:11
|
Hi Martin, SignServer uses the BouncyCastle library (currently version 1.47) for constructing the PKCS#10 request. Looking at the code of BC, it looks like the attributes are not included if empty. I have forwarded your question to the bouncycastle mailing list here: http://bouncycastle.org/devmailarchive/msg13727.html Best regards, Markus On 2014-04-02 09:04, Martin Kannel wrote: > Hi signserver developers! > > I'm writing you to notify that Signserver 3.5.0 provide a bit invalid > certificate request: > > In current case the the KeyOne software from Safelayer company does not > accept it like valid request. > Here is this in more detail: > -------- > In the ASN.1 specification of PKCS#10 : > > CertificationRequestInfo ::= SEQUENCE { > version INTEGER { v1(0) } (v1,...), > subject Name, > subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }}, > attributes [0] Attributes{{ CRIAttributes }} > } > > the attributes field is NOT OPTIONAL, then the DER encoding of this > structure in case it doesnt' specify any atribute must be a SET OF of > length 0. > > In DER encoding you've sent this SET OF is not present and then is not a > correct PKCS#10 > ------ > > It seems like "attributes" field is missing? > > > Our components are: > RHEL6 + Oracle JDK7 + JBOSS 7.1.1 + Signserver 3.5.0 and nCipher netHSM using PKCS11 library > > Best regards > -- Kind regards, Markus Kilås PKI Specialist PrimeKey Solutions AB Anderstorpsv. 16 171 54 Solna Sweden Phone: +46 70 424 94 85 Skype: markusatskype Email: mar...@pr... www.primekey.se |
|
From: Martin K. <mar...@cy...> - 2014-04-02 07:18:09
|
Hi signserver developers!
I'm writing you to notify that Signserver 3.5.0 provide a bit invalid
certificate request:
In current case the the KeyOne software from Safelayer company does not
accept it like valid request.
Here is this in more detail:
--------
In the ASN.1 specification of PKCS#10 :
CertificationRequestInfo ::= SEQUENCE {
version INTEGER { v1(0) } (v1,...),
subject Name,
subjectPKInfo SubjectPublicKeyInfo{{ PKInfoAlgorithms }},
attributes [0] Attributes{{ CRIAttributes }}
}
the attributes field is NOT OPTIONAL, then the DER encoding of this
structure in case it doesnt' specify any atribute must be a SET OF of
length 0.
In DER encoding you've sent this SET OF is not present and then is not a
correct PKCS#10
------
It seems like "attributes" field is missing?
Our components are:
RHEL6 + Oracle JDK7 + JBOSS 7.1.1 + Signserver 3.5.0 and nCipher netHSM using PKCS11 library
Best regards
--
Martin Kannel
|
|
From: Tomas G. <to...@pr...> - 2014-03-19 20:35:41
|
Interesting, thanks for the info. On 19 mars 2014 16:45:23 CET, Luis Maia <lui...@gm...> wrote: >On 03/19/2014 09:04 AM, Tomas Gustavsson wrote: >> SunPKCS11 always keeps the session open and reuses it. Authentication >is >> needed in order to create new sessions right, so even if SunPKCS11 >would >> be able to create new sessions, it would have to store the PKCS#11 >> password (i.e. autologin), preventing use of smart cards for PKCS#11 >> login etc. >> >> If the session is broken (network pulled) you usually need to restart >> Java in order for SunPKCS11 to create new sessions. >Actually if the card invalidates the session with the provider logout() > >method you do not have to restart JAVA. > >I've been developing a smartcard library (used in persistent applets >from the browser) using the SUNPKCS11 and taking care of issues like >terminal disconnection events, card removal, card insertion,etc. >I noticed that some middleware for smartcards do not invalidate >sessions >when the logout method is called, but apart from that (required a few >changes in the middleware source code) it works without restarting java > >for long-lived sessions interacting with the webapp (and multiple cards > >being removed and inserted, browser refreshed,etc). > >As i cache the keystore across multiple signatures, when a card is >removed if i call the logout method and reinsert a new card it works >fine, but i must catch the insertion events and force a logout >(SUNPKCS11 is not aware of cards being removed). > >To implement the card events we used Threads checking with the >smartcardio the card presence or absence from the terminal (you can >even >use blocking methods). >It may not be the nicest solution but it works with buggy middleware >and >since the session will only be reestablished when a card is absent it >is >fast. > > >Cheers, >Luís. > >> Cheers, >> Tomas >> >> On 2014-03-19 09:33, Markus Kilås wrote: >>> On 2014-03-18 15:56, Luis Maia wrote: >>>> >>>> >>>> On Tue, Mar 18, 2014 at 2:35 PM, Markus Kilås <ma...@pr... >>>> <mailto:ma...@pr...>> wrote: >>>> >>>> On 2014-03-18 14:10, Luis Maia wrote: >>>> > >>>> > Em 18/03/2014 09:10, "Markus Kilås" <ma...@pr... >>>> <mailto:ma...@pr...> >>>> > <mailto:ma...@pr... <mailto:ma...@pr...>>> >escreveu: >>>> >> >>>> >> On 2014-03-18 09:32, Antoine Louiset wrote: >>>> >> > call the getKeystore() method because the private key >changes >>>> for every >>>> >> > signing. >>>> > >>>> >> Yes, a quick look in the CESeCore code seems to show that >after >>>> >> activation the keystore is cached. So I believe it is >likely that >>>> >> upgrading to SignServer 3.5 would resolve this issue for >you. >>>> > >>>> > I am not so sure that caching is a solution, because the >keystore >>>> would >>>> > return the cached private key... >>>> >>>> In SignServer 3.5 (or if it was 3.4) we have the option to >actually >>>> cache the PrivateKey instance which gives a different >performance as >>>> compared to the normal way the getPrivateKey() method obtains >the key >>>> (from the keystore) so I don't think the PrivateKey is >completely cached >>>> only because the KeyStore is. >>>> >>>> Anyway, would it be a problem if the PrivateKey was cached? >>>> >>>> >>>> I have no idea how the underlying implementation should work, but >i've >>>> seen some EID pkcs#11 devices behaving erratically if the private >key is >>>> cached. >>> I could imagine their would be problem if a cached PrivateKey >instance >>> tries to use some session not available anymore. Haven't experienced >>> this yet when testing with Utimaco and SoftHSM but for sure their >could >>> be some issues. >>> >>>> An explanation I've been told (feature not a bug) to throw >exception's >>>> on cached keys from their developers is due to the strict non >caching >>>> policy in qualified signatures... >>>> This would also mean that a session would remain established and >the >>>> card would try to reuse the session of a qualified signature and >throw >>>> an exception. >>>> >>>> Also, in a library I've been implementing, the pin would be cached >for a >>>> qualified signature and an exception thrown immediately IF the >private >>>> key object was reused (which is kind of stupid) instead of >destroying >>>> the previous session... >>>> >>>> Notice that I've no idea what should be the "right" implementation, >but >>>> i've had problems before with maintaining sessions and had to make >some >>>> workarounds. >>> I think the SunPKCS11 implementation often re-uses old sessions, I >tried >>> some time to have it close all old session but it always seems to >have >>> at least one left open, but was some time ago. >>> >>>> >>>> Meanwhile using our HSM none of this problems have ever surfaced, >but >>>> thinking about what Antoine told : >>>> >>>> " the private key changes for every signing." >>>> >>>> I keep wondering if caching the private key will maintain the >session on >>>> the device and will work properly. >>> Yes, I was wondering about this statement too and I thought it means >>> that he selects a key from the keystore based on which user it is. >In >>> that case caching the PrivateKey instance would not help, however >>> caching the KeyStore (assuming it works with the HSM/PKCS#11 >>> implementation) could give better performance as it might not have >to >>> ask the HSM to enumerate all keys every time. >>> >>>> >>>> >>>> I know i'm getting in middle of the discussion here, but i think we >will >>>> have the same problem soon when we will rotate our keys and it is >nice >>>> to have a discussion before we hit the problems. >>> I think this is a useful discussion. Your input is very welcome. >>> >>> We are also interested in the topic of how to make it useful for >signers >>> to have access to multiple key-pairs and certificates. >>> >>> >>> Regards, >>> >>> Markus >>> >>>> >>>> Cheers, >>>> >>>> Luis. >>>> >>>> >>>> >>>> >>> >>> >> >------------------------------------------------------------------------------ >> Learn Graph Databases - Download FREE O'Reilly Book >> "Graph Databases" is the definitive new guide to graph databases and >their >> applications. Written by three acclaimed leaders in the field, >> this first edition is now available. Download your free book today! >> http://p.sf.net/sfu/13534_NeoTech >> _______________________________________________ >> SignServer-develop mailing list >> Sig...@li... >> https://lists.sourceforge.net/lists/listinfo/signserver-develop > > >------------------------------------------------------------------------------ >Learn Graph Databases - Download FREE O'Reilly Book >"Graph Databases" is the definitive new guide to graph databases and >their >applications. Written by three acclaimed leaders in the field, >this first edition is now available. Download your free book today! >http://p.sf.net/sfu/13534_NeoTech >_______________________________________________ >SignServer-develop mailing list >Sig...@li... >https://lists.sourceforge.net/lists/listinfo/signserver-develop |
|
From: Luis M. <lui...@gm...> - 2014-03-19 15:45:54
|
On 03/19/2014 09:04 AM, Tomas Gustavsson wrote: > SunPKCS11 always keeps the session open and reuses it. Authentication is > needed in order to create new sessions right, so even if SunPKCS11 would > be able to create new sessions, it would have to store the PKCS#11 > password (i.e. autologin), preventing use of smart cards for PKCS#11 > login etc. > > If the session is broken (network pulled) you usually need to restart > Java in order for SunPKCS11 to create new sessions. Actually if the card invalidates the session with the provider logout() method you do not have to restart JAVA. I've been developing a smartcard library (used in persistent applets from the browser) using the SUNPKCS11 and taking care of issues like terminal disconnection events, card removal, card insertion,etc. I noticed that some middleware for smartcards do not invalidate sessions when the logout method is called, but apart from that (required a few changes in the middleware source code) it works without restarting java for long-lived sessions interacting with the webapp (and multiple cards being removed and inserted, browser refreshed,etc). As i cache the keystore across multiple signatures, when a card is removed if i call the logout method and reinsert a new card it works fine, but i must catch the insertion events and force a logout (SUNPKCS11 is not aware of cards being removed). To implement the card events we used Threads checking with the smartcardio the card presence or absence from the terminal (you can even use blocking methods). It may not be the nicest solution but it works with buggy middleware and since the session will only be reestablished when a card is absent it is fast. Cheers, Luís. > Cheers, > Tomas > > On 2014-03-19 09:33, Markus Kilås wrote: >> On 2014-03-18 15:56, Luis Maia wrote: >>> >>> >>> On Tue, Mar 18, 2014 at 2:35 PM, Markus Kilås <ma...@pr... >>> <mailto:ma...@pr...>> wrote: >>> >>> On 2014-03-18 14:10, Luis Maia wrote: >>> > >>> > Em 18/03/2014 09:10, "Markus Kilås" <ma...@pr... >>> <mailto:ma...@pr...> >>> > <mailto:ma...@pr... <mailto:ma...@pr...>>> escreveu: >>> >> >>> >> On 2014-03-18 09:32, Antoine Louiset wrote: >>> >> > call the getKeystore() method because the private key changes >>> for every >>> >> > signing. >>> > >>> >> Yes, a quick look in the CESeCore code seems to show that after >>> >> activation the keystore is cached. So I believe it is likely that >>> >> upgrading to SignServer 3.5 would resolve this issue for you. >>> > >>> > I am not so sure that caching is a solution, because the keystore >>> would >>> > return the cached private key... >>> >>> In SignServer 3.5 (or if it was 3.4) we have the option to actually >>> cache the PrivateKey instance which gives a different performance as >>> compared to the normal way the getPrivateKey() method obtains the key >>> (from the keystore) so I don't think the PrivateKey is completely cached >>> only because the KeyStore is. >>> >>> Anyway, would it be a problem if the PrivateKey was cached? >>> >>> >>> I have no idea how the underlying implementation should work, but i've >>> seen some EID pkcs#11 devices behaving erratically if the private key is >>> cached. >> I could imagine their would be problem if a cached PrivateKey instance >> tries to use some session not available anymore. Haven't experienced >> this yet when testing with Utimaco and SoftHSM but for sure their could >> be some issues. >> >>> An explanation I've been told (feature not a bug) to throw exception's >>> on cached keys from their developers is due to the strict non caching >>> policy in qualified signatures... >>> This would also mean that a session would remain established and the >>> card would try to reuse the session of a qualified signature and throw >>> an exception. >>> >>> Also, in a library I've been implementing, the pin would be cached for a >>> qualified signature and an exception thrown immediately IF the private >>> key object was reused (which is kind of stupid) instead of destroying >>> the previous session... >>> >>> Notice that I've no idea what should be the "right" implementation, but >>> i've had problems before with maintaining sessions and had to make some >>> workarounds. >> I think the SunPKCS11 implementation often re-uses old sessions, I tried >> some time to have it close all old session but it always seems to have >> at least one left open, but was some time ago. >> >>> >>> Meanwhile using our HSM none of this problems have ever surfaced, but >>> thinking about what Antoine told : >>> >>> " the private key changes for every signing." >>> >>> I keep wondering if caching the private key will maintain the session on >>> the device and will work properly. >> Yes, I was wondering about this statement too and I thought it means >> that he selects a key from the keystore based on which user it is. In >> that case caching the PrivateKey instance would not help, however >> caching the KeyStore (assuming it works with the HSM/PKCS#11 >> implementation) could give better performance as it might not have to >> ask the HSM to enumerate all keys every time. >> >>> >>> >>> I know i'm getting in middle of the discussion here, but i think we will >>> have the same problem soon when we will rotate our keys and it is nice >>> to have a discussion before we hit the problems. >> I think this is a useful discussion. Your input is very welcome. >> >> We are also interested in the topic of how to make it useful for signers >> to have access to multiple key-pairs and certificates. >> >> >> Regards, >> >> Markus >> >>> >>> Cheers, >>> >>> Luis. >>> >>> >>> >>> >> >> > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop |
|
From: Tomas G. <to...@pr...> - 2014-03-19 09:04:08
|
SunPKCS11 always keeps the session open and reuses it. Authentication is needed in order to create new sessions right, so even if SunPKCS11 would be able to create new sessions, it would have to store the PKCS#11 password (i.e. autologin), preventing use of smart cards for PKCS#11 login etc. If the session is broken (network pulled) you usually need to restart Java in order for SunPKCS11 to create new sessions. Cheers, Tomas On 2014-03-19 09:33, Markus Kilås wrote: > On 2014-03-18 15:56, Luis Maia wrote: >> >> >> >> On Tue, Mar 18, 2014 at 2:35 PM, Markus Kilås <ma...@pr... >> <mailto:ma...@pr...>> wrote: >> >> On 2014-03-18 14:10, Luis Maia wrote: >> > >> > Em 18/03/2014 09:10, "Markus Kilås" <ma...@pr... >> <mailto:ma...@pr...> >> > <mailto:ma...@pr... <mailto:ma...@pr...>>> escreveu: >> >> >> >> On 2014-03-18 09:32, Antoine Louiset wrote: >> >> > call the getKeystore() method because the private key changes >> for every >> >> > signing. >> > >> >> Yes, a quick look in the CESeCore code seems to show that after >> >> activation the keystore is cached. So I believe it is likely that >> >> upgrading to SignServer 3.5 would resolve this issue for you. >> > >> > I am not so sure that caching is a solution, because the keystore >> would >> > return the cached private key... >> >> In SignServer 3.5 (or if it was 3.4) we have the option to actually >> cache the PrivateKey instance which gives a different performance as >> compared to the normal way the getPrivateKey() method obtains the key >> (from the keystore) so I don't think the PrivateKey is completely cached >> only because the KeyStore is. >> >> Anyway, would it be a problem if the PrivateKey was cached? >> >> >> I have no idea how the underlying implementation should work, but i've >> seen some EID pkcs#11 devices behaving erratically if the private key is >> cached. > > I could imagine their would be problem if a cached PrivateKey instance > tries to use some session not available anymore. Haven't experienced > this yet when testing with Utimaco and SoftHSM but for sure their could > be some issues. > >> >> An explanation I've been told (feature not a bug) to throw exception's >> on cached keys from their developers is due to the strict non caching >> policy in qualified signatures... >> This would also mean that a session would remain established and the >> card would try to reuse the session of a qualified signature and throw >> an exception. >> >> Also, in a library I've been implementing, the pin would be cached for a >> qualified signature and an exception thrown immediately IF the private >> key object was reused (which is kind of stupid) instead of destroying >> the previous session... >> >> Notice that I've no idea what should be the "right" implementation, but >> i've had problems before with maintaining sessions and had to make some >> workarounds. > > I think the SunPKCS11 implementation often re-uses old sessions, I tried > some time to have it close all old session but it always seems to have > at least one left open, but was some time ago. > >> >> >> Meanwhile using our HSM none of this problems have ever surfaced, but >> thinking about what Antoine told : >> >> " the private key changes for every signing." >> >> I keep wondering if caching the private key will maintain the session on >> the device and will work properly. > > Yes, I was wondering about this statement too and I thought it means > that he selects a key from the keystore based on which user it is. In > that case caching the PrivateKey instance would not help, however > caching the KeyStore (assuming it works with the HSM/PKCS#11 > implementation) could give better performance as it might not have to > ask the HSM to enumerate all keys every time. > >> >> >> >> I know i'm getting in middle of the discussion here, but i think we will >> have the same problem soon when we will rotate our keys and it is nice >> to have a discussion before we hit the problems. > > I think this is a useful discussion. Your input is very welcome. > > We are also interested in the topic of how to make it useful for signers > to have access to multiple key-pairs and certificates. > > > Regards, > > Markus > >> >> >> Cheers, >> >> Luis. >> >> >> >> > > > |
|
From: Markus K. <ma...@pr...> - 2014-03-19 08:33:36
|
On 2014-03-18 15:56, Luis Maia wrote: > > > > On Tue, Mar 18, 2014 at 2:35 PM, Markus Kilås <ma...@pr... > <mailto:ma...@pr...>> wrote: > > On 2014-03-18 14:10, Luis Maia wrote: > > > > Em 18/03/2014 09:10, "Markus Kilås" <ma...@pr... > <mailto:ma...@pr...> > > <mailto:ma...@pr... <mailto:ma...@pr...>>> escreveu: > >> > >> On 2014-03-18 09:32, Antoine Louiset wrote: > >> > call the getKeystore() method because the private key changes > for every > >> > signing. > > > >> Yes, a quick look in the CESeCore code seems to show that after > >> activation the keystore is cached. So I believe it is likely that > >> upgrading to SignServer 3.5 would resolve this issue for you. > > > > I am not so sure that caching is a solution, because the keystore > would > > return the cached private key... > > In SignServer 3.5 (or if it was 3.4) we have the option to actually > cache the PrivateKey instance which gives a different performance as > compared to the normal way the getPrivateKey() method obtains the key > (from the keystore) so I don't think the PrivateKey is completely cached > only because the KeyStore is. > > Anyway, would it be a problem if the PrivateKey was cached? > > > I have no idea how the underlying implementation should work, but i've > seen some EID pkcs#11 devices behaving erratically if the private key is > cached. I could imagine their would be problem if a cached PrivateKey instance tries to use some session not available anymore. Haven't experienced this yet when testing with Utimaco and SoftHSM but for sure their could be some issues. > > An explanation I've been told (feature not a bug) to throw exception's > on cached keys from their developers is due to the strict non caching > policy in qualified signatures... > This would also mean that a session would remain established and the > card would try to reuse the session of a qualified signature and throw > an exception. > > Also, in a library I've been implementing, the pin would be cached for a > qualified signature and an exception thrown immediately IF the private > key object was reused (which is kind of stupid) instead of destroying > the previous session... > > Notice that I've no idea what should be the "right" implementation, but > i've had problems before with maintaining sessions and had to make some > workarounds. I think the SunPKCS11 implementation often re-uses old sessions, I tried some time to have it close all old session but it always seems to have at least one left open, but was some time ago. > > > Meanwhile using our HSM none of this problems have ever surfaced, but > thinking about what Antoine told : > > " the private key changes for every signing." > > I keep wondering if caching the private key will maintain the session on > the device and will work properly. Yes, I was wondering about this statement too and I thought it means that he selects a key from the keystore based on which user it is. In that case caching the PrivateKey instance would not help, however caching the KeyStore (assuming it works with the HSM/PKCS#11 implementation) could give better performance as it might not have to ask the HSM to enumerate all keys every time. > > > > I know i'm getting in middle of the discussion here, but i think we will > have the same problem soon when we will rotate our keys and it is nice > to have a discussion before we hit the problems. I think this is a useful discussion. Your input is very welcome. We are also interested in the topic of how to make it useful for signers to have access to multiple key-pairs and certificates. Regards, Markus > > > Cheers, > > Luis. > > > > -- Kind regards, Markus Kilås PKI Specialist PrimeKey Solutions AB Anderstorpsv. 16 171 54 Solna Sweden Phone: +46 70 424 94 85 Skype: markusatskype Email: mar...@pr... www.primekey.se |
|
From: Markus K. <ma...@pr...> - 2014-03-18 14:35:52
|
On 2014-03-18 14:10, Luis Maia wrote: > > Em 18/03/2014 09:10, "Markus Kilås" <ma...@pr... > <mailto:ma...@pr...>> escreveu: >> >> On 2014-03-18 09:32, Antoine Louiset wrote: >> > call the getKeystore() method because the private key changes for every >> > signing. > >> Yes, a quick look in the CESeCore code seems to show that after >> activation the keystore is cached. So I believe it is likely that >> upgrading to SignServer 3.5 would resolve this issue for you. > > I am not so sure that caching is a solution, because the keystore would > return the cached private key... In SignServer 3.5 (or if it was 3.4) we have the option to actually cache the PrivateKey instance which gives a different performance as compared to the normal way the getPrivateKey() method obtains the key (from the keystore) so I don't think the PrivateKey is completely cached only because the KeyStore is. Anyway, would it be a problem if the PrivateKey was cached? // Markus > > Maybe casting the pkcs11 provider to authprovider and calling the method > logout() will produce the desired result if the underlying > implementation honors the session invalidation (some pkcs11 middleware > is buggy). > > You won't need to instantiate a new keystore then. > -- Kind regards, Markus Kilås PKI Specialist PrimeKey Solutions AB Anderstorpsv. 16 171 54 Solna Sweden Phone: +46 70 424 94 85 Skype: markusatskype Email: mar...@pr... www.primekey.se |
|
From: Luis M. <lm...@ro...> - 2014-03-18 13:10:56
|
Em 18/03/2014 09:10, "Markus Kilås" <ma...@pr...> escreveu: > > On 2014-03-18 09:32, Antoine Louiset wrote: > > call the getKeystore() method because the private key changes for every > > signing. > Yes, a quick look in the CESeCore code seems to show that after > activation the keystore is cached. So I believe it is likely that > upgrading to SignServer 3.5 would resolve this issue for you. I am not so sure that caching is a solution, because the keystore would return the cached private key... Maybe casting the pkcs11 provider to authprovider and calling the method logout() will produce the desired result if the underlying implementation honors the session invalidation (some pkcs11 middleware is buggy). You won't need to instantiate a new keystore then. |
|
From: Antoine L. <ant...@yo...> - 2014-03-18 11:10:59
|
Thanks a lot Markus !! See you Antoine Le 18/03/2014 10:09, Markus Kilås a écrit : > quick look in the CESeCore code seems to show that after > activation the keystore is cached. So I believe it is likely that > upgrading to SignServer 3.5 would resolve this issue for you. |
|
From: Markus K. <ma...@pr...> - 2014-03-18 09:09:57
|
On 2014-03-18 09:32, Antoine Louiset wrote: > Hi Markus, > > Thanks for your answer. I use signserver 3.2.4 with a PDF Signer. I make > some tests and I see that the getKeystore() is very long. > > You are right, this is not exactly how it works. I made some changes to > call the getKeystore() method because the private key changes for every > signing. I see. Normally the worker only calls getPrivateKey() before performing the signing. The getKeystore() method is only used for other operations such as key generation or listing keys etc. Those operations are normally not on the "fast path". This is probably why we haven't experienced any performance problem. > > I see that in the new version of signserver, you use the cesecore > library. Maybe there is an optimization for that ? Yes, a quick look in the CESeCore code seems to show that after activation the keystore is cached. So I believe it is likely that upgrading to SignServer 3.5 would resolve this issue for you. Best regards, Markus > > Have a nice day ! > > > Antoine > > Le 18/03/2014 08:54, Markus Kilås a écrit : >> Hi Antoine, >> In my mind that is not how it works. >> Can you give some more details in how you observe this and what signer >> you are using? >> >> >> BR, >> Markus >> >> >> >> On 2014-03-18 01:30, Antoine Louiset wrote: >>> Hi everyone, >>> >>> Is there a way not to create a new instance of the pkcs11 builder for >>> each signing with a HSM ? >>> >>> In this way, it takes a lot of time (20 seconds) with 300 pairs of keys >>> just to load the keystore... >>> >>> Thanks for your help ! >>> >>> >>> >>> Antoine >>> >>> >>> ------------------------------------------------------------------------------ >>> Learn Graph Databases - Download FREE O'Reilly Book >>> "Graph Databases" is the definitive new guide to graph databases and their >>> applications. Written by three acclaimed leaders in the field, >>> this first edition is now available. Download your free book today! >>> http://p.sf.net/sfu/13534_NeoTech >>> _______________________________________________ >>> SignServer-develop mailing list >>> Sig...@li... >>> https://lists.sourceforge.net/lists/listinfo/signserver-develop >>> >> ------------------------------------------------------------------------------ >> Learn Graph Databases - Download FREE O'Reilly Book >> "Graph Databases" is the definitive new guide to graph databases and their >> applications. Written by three acclaimed leaders in the field, >> this first edition is now available. Download your free book today! >> http://p.sf.net/sfu/13534_NeoTech >> _______________________________________________ >> SignServer-develop mailing list >> Sig...@li... >> https://lists.sourceforge.net/lists/listinfo/signserver-develop > > > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop > |
|
From: Antoine L. <ant...@yo...> - 2014-03-18 08:41:02
|
Hi Markus, Thanks for your answer. I use signserver 3.2.4 with a PDF Signer. I make some tests and I see that the getKeystore() is very long. You are right, this is not exactly how it works. I made some changes to call the getKeystore() method because the private key changes for every signing. I see that in the new version of signserver, you use the cesecore library. Maybe there is an optimization for that ? Have a nice day ! Antoine Le 18/03/2014 08:54, Markus Kilås a écrit : > Hi Antoine, > In my mind that is not how it works. > Can you give some more details in how you observe this and what signer > you are using? > > > BR, > Markus > > > > On 2014-03-18 01:30, Antoine Louiset wrote: >> Hi everyone, >> >> Is there a way not to create a new instance of the pkcs11 builder for >> each signing with a HSM ? >> >> In this way, it takes a lot of time (20 seconds) with 300 pairs of keys >> just to load the keystore... >> >> Thanks for your help ! >> >> >> >> Antoine >> >> >> ------------------------------------------------------------------------------ >> Learn Graph Databases - Download FREE O'Reilly Book >> "Graph Databases" is the definitive new guide to graph databases and their >> applications. Written by three acclaimed leaders in the field, >> this first edition is now available. Download your free book today! >> http://p.sf.net/sfu/13534_NeoTech >> _______________________________________________ >> SignServer-develop mailing list >> Sig...@li... >> https://lists.sourceforge.net/lists/listinfo/signserver-develop >> > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop |
|
From: Markus K. <ma...@pr...> - 2014-03-18 07:54:37
|
Hi Antoine, In my mind that is not how it works. Can you give some more details in how you observe this and what signer you are using? BR, Markus On 2014-03-18 01:30, Antoine Louiset wrote: > Hi everyone, > > Is there a way not to create a new instance of the pkcs11 builder for > each signing with a HSM ? > > In this way, it takes a lot of time (20 seconds) with 300 pairs of keys > just to load the keystore... > > Thanks for your help ! > > > > Antoine > > > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop > |
|
From: Antoine L. <ant...@yo...> - 2014-03-18 03:00:05
|
Hi everyone, Is there a way not to create a new instance of the pkcs11 builder for each signing with a HSM ? In this way, it takes a lot of time (20 seconds) with 300 pairs of keys just to load the keystore... Thanks for your help ! Antoine |
|
From: Markus K. <ma...@pr...> - 2014-03-14 10:54:56
|
Hi all, We have decided to move the SignServer SVN repository from SourceForge to our own infrastructure. This means that there is now a new URL when checking out SignServer: https://svn.cesecore.eu/svn/signserver/trunk/ The easiest way to switch is to checkout a new copy of SignServer. However, if you have an existing checkout of SignServer it might be possible to change to the new URL without checking it out again. See the SVN book for instructions for "relocate": http://svnbook.red-bean.com/en/1.6/svn.ref.svn.c.switch.html With the new repository we will take advantage of the same infrastructure as used by the EJBCA and CESeCore projects. We expect an increase in performance when doing SVN operations such as checking out or making diffs between different revisions. Hopefully the change will put an end to the problems we have had with the existing repository, especially since the end of last year and until now where SVN operations has been failing from time to time. This change is being tracked as: https://jira.primekey.se/browse/DSS-723 Let us know if you are experiencing any issues. Best regards, The PrimeKey SignServer team |
|
From: Markus K. <ma...@pr...> - 2014-02-28 08:25:17
|
We are happy to announce that SignServer 3.5.0 has been released! This is a major release with in total 51 issues resolved. The most noteworthy changes can be seen below. SignServer 3.5.0 Release Notes: New features and improvements: - Support for JBoss AS 7.1, JBoss EAP 6.1 and GlassFish 3.1. - Support for MariaDB. - Support for JDK 7. - All worker configuration can now be done from the Admin GUI. - Document signer for XAdES-BES and XAdES-T contributed by Luis Maia. - Document validator for XAdES-BES and XAdES-T. - Support for different signature algorithms in XML signers. - Various AdminGUI/remote administration improvements. The security issue found in 3.4.2 opened up the server for a possible denial of service attack if exposed on a public network. Hence SignServer users are recommended to either upgrade to the 3.4.3 version, or this most recent version (3.5.0). Read the full changelog for details (https://jira.primekey.se/browse/DSS?report=com.atlassian.jira.plugin.system.project:changelog-panel#selectedTab=com.atlassian.jira.plugin.system.project%3Achangelog-panel). Regards, The PrimeKey SignServer team |
|
From: Antoine L. <ant...@yo...> - 2014-02-25 15:04:35
|
Hi Markus, log4j.rootlogger is set to DEBUG I have INFO log level in signserver.log, very strange ! Thanks for your help ! Le 18/02/2014 11:58, Markus Kilås a écrit : > What log level do you currently get in the signserver.log file? |
|
From: Markus K. <ma...@pr...> - 2014-02-20 14:29:04
|
The PrimeKey SignServer team are happy to announce that SignServer 3.4.3 has been released! This is a maintenance release – 2 issues have been resolved. The most noteworthy changes can be seen below. SignServer 3.4.3 Release Notes: Bug fixes: - Regression introduced in 3.4.2: test signatures were not performed as part of the getstatus command or from health check. - Upgraded a 3rd party Apache library with a security fix. The security issue opens up the server for a possible denial of service attack if exposed on a public network. Users are recommended to either upgrade to the 3.4.3 version or the soon to be released 3.5.0 version. Read the full changelog for details (https://jira.primekey.se/browse/DSS?report=com.atlassian.jira.plugin.system.project:changelog-panel#selectedTab=com.atlassian.jira.plugin.system.project%3Achangelog-panel). Regards, The PrimeKey SignServer team |
|
From: Markus K. <ma...@pr...> - 2014-02-18 10:59:02
|
Hi Antoine, What log level do you currently get in the signserver.log file? Have you changed log4j.rootLogger? Best regards, Markus On 2014-02-18 08:12, Antoine Louiset wrote: > Thanks for your answer, unfortunately, it does not work. Maybe, I have > to set different options in glassfish ? > > --- > Antoine Louiset > > Le 17.02.2014 10:46, Markus Kilås a écrit : >> On 2014-02-17 09:38, Antoine Louiset wrote: >>> Hi everyone, >>> >>> I deploy signserver.ear on a glassfish server 2.1.1, I do not have >>> sources on it. >>> >>> Do you know how can I set the log level for signserver ? >>> >>> The version of signserver is 3.2.1 >>> >>> Thanks ! >>> >>> Have a nice day ! >>> >> >> Hi Antoine, >> >> The Log4j configured used with GlassFish is in: >> SIGNSERVER_HOME/modules/SignServer-Module-Log4j/src/log4j.properties >> >> This is then packaged as a JAR called SignServer-Module-Log4j.jar in >> the >> lib folder of signserver.ear at build/deploy time. >> >> If you don't have the sources available you can manually replace the >> log4j.properties in the jar in the ear instead. >> >> >> Best regards, >> Markus >> >> >> PrimeKey Solutions offers a commercial EJBCA & SignServer support >> subscription and training. Please see www.primekey.se or contact >> in...@pr... for more information. >> http://www.primekey.se/Services/Support/ >> http://www.primekey.se/Services/Training/ >> >> >> ------------------------------------------------------------------------------ >> Android apps run on BlackBerry 10 >> Introducing the new BlackBerry 10.2.1 Runtime for Android apps. >> Now with support for Jelly Bean, Bluetooth, Mapview and more. >> Get your Android app in front of a whole new audience. Start now. >> http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk >> _______________________________________________ >> SignServer-develop mailing list >> Sig...@li... >> https://lists.sourceforge.net/lists/listinfo/signserver-develop > > ------------------------------------------------------------------------------ > Managing the Performance of Cloud-Based Applications > Take advantage of what the Cloud has to offer - Avoid Common Pitfalls. > Read the Whitepaper. > http://pubads.g.doubleclick.net/gampad/clk?id=121054471&iu=/4140/ostg.clktrk > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop > -- Kind regards, Markus Kilås PKI Specialist PrimeKey Solutions AB Anderstorpsv. 16 171 54 Solna Sweden Phone: +46 70 424 94 85 Skype: markusatskype Email: mar...@pr... www.primekey.se |
|
From: Antoine L. <ant...@yo...> - 2014-02-18 08:27:36
|
Thanks for your answer, unfortunately, it does not work. Maybe, I have to set different options in glassfish ? --- Antoine Louiset Le 17.02.2014 10:46, Markus Kilås a écrit : > On 2014-02-17 09:38, Antoine Louiset wrote: >> Hi everyone, >> >> I deploy signserver.ear on a glassfish server 2.1.1, I do not have >> sources on it. >> >> Do you know how can I set the log level for signserver ? >> >> The version of signserver is 3.2.1 >> >> Thanks ! >> >> Have a nice day ! >> > > Hi Antoine, > > The Log4j configured used with GlassFish is in: > SIGNSERVER_HOME/modules/SignServer-Module-Log4j/src/log4j.properties > > This is then packaged as a JAR called SignServer-Module-Log4j.jar in > the > lib folder of signserver.ear at build/deploy time. > > If you don't have the sources available you can manually replace the > log4j.properties in the jar in the ear instead. > > > Best regards, > Markus > > > PrimeKey Solutions offers a commercial EJBCA & SignServer support > subscription and training. Please see www.primekey.se or contact > in...@pr... for more information. > http://www.primekey.se/Services/Support/ > http://www.primekey.se/Services/Training/ > > > ------------------------------------------------------------------------------ > Android apps run on BlackBerry 10 > Introducing the new BlackBerry 10.2.1 Runtime for Android apps. > Now with support for Jelly Bean, Bluetooth, Mapview and more. > Get your Android app in front of a whole new audience. Start now. > http://pubads.g.doubleclick.net/gampad/clk?id=124407151&iu=/4140/ostg.clktrk > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop |
|
From: Markus K. <ma...@pr...> - 2014-02-17 09:47:07
|
On 2014-02-17 09:38, Antoine Louiset wrote: > Hi everyone, > > I deploy signserver.ear on a glassfish server 2.1.1, I do not have > sources on it. > > Do you know how can I set the log level for signserver ? > > The version of signserver is 3.2.1 > > Thanks ! > > Have a nice day ! > Hi Antoine, The Log4j configured used with GlassFish is in: SIGNSERVER_HOME/modules/SignServer-Module-Log4j/src/log4j.properties This is then packaged as a JAR called SignServer-Module-Log4j.jar in the lib folder of signserver.ear at build/deploy time. If you don't have the sources available you can manually replace the log4j.properties in the jar in the ear instead. Best regards, Markus PrimeKey Solutions offers a commercial EJBCA & SignServer support subscription and training. Please see www.primekey.se or contact in...@pr... for more information. http://www.primekey.se/Services/Support/ http://www.primekey.se/Services/Training/ |
|
From: Antoine L. <ant...@yo...> - 2014-02-17 08:37:48
|
Hi everyone, I deploy signserver.ear on a glassfish server 2.1.1, I do not have sources on it. Do you know how can I set the log level for signserver ? The version of signserver is 3.2.1 Thanks ! Have a nice day ! -- Antoine Louiset |
|
From: Markus K. <ma...@pr...> - 2014-02-04 08:30:02
|
It's the same properties as you used in you code.
The actual file used by the SignServer CLIs is:
conf/glassfish/jndi.properties
Regards,
Markus
On 2014-02-03 15:40, ant...@yo... wrote:
> Do you know which informations do you have to put in the jndi.properties
> file ?
>
> Have a nice day !
>
> Le 03.02.2014 15:29, Markus Kilås a écrit :
>> No the JavaDoc comment is out-dated.
>>
>> The class will use the ServiceLocator for lookups which uses an empty
>> initial context. Typically you will have to have a jndi.properties on
>> the classpath with the CORBA properties (for GlassFish).
>>
>> I will remove this comment to not cause confusions.
>>
>> Regards,
>> Markus
>>
>> On 2014-02-03 09:49, ant...@yo... wrote:
>>> Thanks Markus for your answer.
>>>
>>> Unfortunately, I can not test with 2 glassfish v2.
>>>
>>> In SigningAndValidationEJB constructor comment, we can see that :
>>> /**
>>> * Creates an instance of SigningAndValidationEJB with default
>>> initial context:
>>> * <pre>
>>> * INITIAL_CONTEXT_FACTORY =
>>> "org.jnp.interfaces.NamingContextFactory"
>>> * URL_PKG_PREFIXES = "org.jboss.naming:org.jnp.interfaces"
>>> * PROVIDER_URL = "jnp://localhost:1099"
>>> * </pre>
>>> *
>>> * @throws NamingException If an naming exception is encountered.
>>> */
>>>
>>> Is it the correct configuration to connect with an EJB ?
>>>
>>> Thanks,
>>>
>>>
>>>
>>> Antoine
>>>
>>>
>>>
>>> Le 03.02.2014 09:23, Markus Kilås a écrit :
>>>> On 2014-02-02 01:43, ant...@yo... wrote:
>>>>> Hi everyone,
>>>>>
>>>>> I try to access to a Remote EJB from an instance of glassfish 3.
>>>>>
>>>>> Signserver is running on another server on glassfish 2.
>>>>>
>>>>> I can not access to the remote ejb. The jndi name is not recognized.
>>>>>
>>>>> Here is my code :
>>>>>
>>>>> Properties props = new Properties();
>>>>> props.setProperty("org.omg.CORBA.ORBInitialHost", "signserverpki");
>>>>> props.setProperty("org.omg.CORBA.ORBInitialPort", "3700");
>>>>> InitialContext ic = null;
>>>>> try {
>>>>> ic = new InitialContext(props);
>>>>> } catch (NamingException ex) {
>>>>> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
>>>>> null, ex);
>>>>> }
>>>>>
>>>>> IRemote worker = null;
>>>>> try {
>>>>> worker = (IRemote)
>>>>> ic.lookup("org.signserver.ejb.interfaces.IWorkerSession$IRemote");
>>>>> } catch (NamingException ex) {
>>>>> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
>>>>> null, ex);
>>>>> }
>>>>>
>>>>> The exception thrown is :
>>>>> javax.naming.NamingException: Lookup failed for
>>>>> 'org.signserver.ejb.interfaces.IWorkerSession$IRemote' in
>>>>> SerialContext[myEnv={org.omg.CORBA.ORBInitialPort=3700,
>>>>> java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory,
>>>>> org.omg.CORBA.ORBInitialHost=signserverpki,
>>>>> java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl,
>>>>> java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root
>>>>> exception
>>>>> is javax.naming.NameNotFoundException:
>>>>> org.signserver.ejb.interfaces.IWorkerSession$IRemote not found]
>>>>>
>>>>>
>>>>> I am working with signserver 3.2.3
>>>>>
>>>>> Thanks a lot for your help.
>>>>>
>>>>>
>>>>> Antoine
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> WatchGuard Dimension instantly turns raw network data into
>>>>> actionable
>>>>> security intelligence. It gives you real-time visual feedback on key
>>>>> security issues and trends. Skip the complicated setup - simply
>>>>> import
>>>>> a virtual appliance and go from zero to informed in seconds.
>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
>>>>> _______________________________________________
>>>>> SignServer-develop mailing list
>>>>> Sig...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>>>>
>>>>
>>>> Hi Antoine,
>>>>
>>>> I don't think I tried EJB lookups between different application
>>>> servers
>>>> and especially not between two different versions, but at least the
>>>> code
>>>> looks correct if it were used to lookup from a client application.
>>>>
>>>> Maybe there could be an issue with the two different versions, have
>>>> you
>>>> tried if the code works between two GlassFish V2 ?
>>>>
>>>>
>>>> Regards,
>>>> Markus
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Managing the Performance of Cloud-Based Applications
>>>> Take advantage of what the Cloud has to offer - Avoid Common
>>>> Pitfalls.
>>>> Read the Whitepaper.
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> SignServer-develop mailing list
>>>> Sig...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>>
>>> ------------------------------------------------------------------------------
>>> Managing the Performance of Cloud-Based Applications
>>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>>> Read the Whitepaper.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> SignServer-develop mailing list
>>> Sig...@li...
>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>>
>>
>>
>>
>> --
>> Kind regards,
>> Markus Kilås
>> PKI Specialist
>>
>> PrimeKey Solutions AB
>>
>> Anderstorpsv. 16
>> 171 54 Solna
>> Sweden
>>
>> Phone: +46 70 424 94 85
>> Skype: markusatskype
>> Email: mar...@pr...
>>
>> www.primekey.se
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Managing the Performance of Cloud-Based Applications
>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>> Read the Whitepaper.
>> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
>> _______________________________________________
>> SignServer-develop mailing list
>> Sig...@li...
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>
--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
|
|
From: <ant...@yo...> - 2014-02-03 17:07:11
|
Do you know which informations do you have to put in the jndi.properties
file ?
Have a nice day !
Le 03.02.2014 15:29, Markus Kilås a écrit :
> No the JavaDoc comment is out-dated.
>
> The class will use the ServiceLocator for lookups which uses an empty
> initial context. Typically you will have to have a jndi.properties on
> the classpath with the CORBA properties (for GlassFish).
>
> I will remove this comment to not cause confusions.
>
> Regards,
> Markus
>
> On 2014-02-03 09:49, ant...@yo... wrote:
>> Thanks Markus for your answer.
>>
>> Unfortunately, I can not test with 2 glassfish v2.
>>
>> In SigningAndValidationEJB constructor comment, we can see that :
>> /**
>> * Creates an instance of SigningAndValidationEJB with default
>> initial context:
>> * <pre>
>> * INITIAL_CONTEXT_FACTORY =
>> "org.jnp.interfaces.NamingContextFactory"
>> * URL_PKG_PREFIXES = "org.jboss.naming:org.jnp.interfaces"
>> * PROVIDER_URL = "jnp://localhost:1099"
>> * </pre>
>> *
>> * @throws NamingException If an naming exception is encountered.
>> */
>>
>> Is it the correct configuration to connect with an EJB ?
>>
>> Thanks,
>>
>>
>>
>> Antoine
>>
>>
>>
>> Le 03.02.2014 09:23, Markus Kilås a écrit :
>>> On 2014-02-02 01:43, ant...@yo... wrote:
>>>> Hi everyone,
>>>>
>>>> I try to access to a Remote EJB from an instance of glassfish 3.
>>>>
>>>> Signserver is running on another server on glassfish 2.
>>>>
>>>> I can not access to the remote ejb. The jndi name is not recognized.
>>>>
>>>> Here is my code :
>>>>
>>>> Properties props = new Properties();
>>>> props.setProperty("org.omg.CORBA.ORBInitialHost", "signserverpki");
>>>> props.setProperty("org.omg.CORBA.ORBInitialPort", "3700");
>>>> InitialContext ic = null;
>>>> try {
>>>> ic = new InitialContext(props);
>>>> } catch (NamingException ex) {
>>>> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
>>>> null, ex);
>>>> }
>>>>
>>>> IRemote worker = null;
>>>> try {
>>>> worker = (IRemote)
>>>> ic.lookup("org.signserver.ejb.interfaces.IWorkerSession$IRemote");
>>>> } catch (NamingException ex) {
>>>> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
>>>> null, ex);
>>>> }
>>>>
>>>> The exception thrown is :
>>>> javax.naming.NamingException: Lookup failed for
>>>> 'org.signserver.ejb.interfaces.IWorkerSession$IRemote' in
>>>> SerialContext[myEnv={org.omg.CORBA.ORBInitialPort=3700,
>>>> java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory,
>>>> org.omg.CORBA.ORBInitialHost=signserverpki,
>>>> java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl,
>>>> java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root
>>>> exception
>>>> is javax.naming.NameNotFoundException:
>>>> org.signserver.ejb.interfaces.IWorkerSession$IRemote not found]
>>>>
>>>>
>>>> I am working with signserver 3.2.3
>>>>
>>>> Thanks a lot for your help.
>>>>
>>>>
>>>> Antoine
>>>>
>>>> ------------------------------------------------------------------------------
>>>> WatchGuard Dimension instantly turns raw network data into
>>>> actionable
>>>> security intelligence. It gives you real-time visual feedback on key
>>>> security issues and trends. Skip the complicated setup - simply
>>>> import
>>>> a virtual appliance and go from zero to informed in seconds.
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> SignServer-develop mailing list
>>>> Sig...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>>>
>>>
>>> Hi Antoine,
>>>
>>> I don't think I tried EJB lookups between different application
>>> servers
>>> and especially not between two different versions, but at least the
>>> code
>>> looks correct if it were used to lookup from a client application.
>>>
>>> Maybe there could be an issue with the two different versions, have
>>> you
>>> tried if the code works between two GlassFish V2 ?
>>>
>>>
>>> Regards,
>>> Markus
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Managing the Performance of Cloud-Based Applications
>>> Take advantage of what the Cloud has to offer - Avoid Common
>>> Pitfalls.
>>> Read the Whitepaper.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> SignServer-develop mailing list
>>> Sig...@li...
>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>
>> ------------------------------------------------------------------------------
>> Managing the Performance of Cloud-Based Applications
>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>> Read the Whitepaper.
>> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
>> _______________________________________________
>> SignServer-develop mailing list
>> Sig...@li...
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>
>
>
>
> --
> Kind regards,
> Markus Kilås
> PKI Specialist
>
> PrimeKey Solutions AB
>
> Anderstorpsv. 16
> 171 54 Solna
> Sweden
>
> Phone: +46 70 424 94 85
> Skype: markusatskype
> Email: mar...@pr...
>
> www.primekey.se
>
>
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
|
|
From: Markus K. <ma...@pr...> - 2014-02-03 14:29:51
|
No the JavaDoc comment is out-dated.
The class will use the ServiceLocator for lookups which uses an empty
initial context. Typically you will have to have a jndi.properties on
the classpath with the CORBA properties (for GlassFish).
I will remove this comment to not cause confusions.
Regards,
Markus
On 2014-02-03 09:49, ant...@yo... wrote:
> Thanks Markus for your answer.
>
> Unfortunately, I can not test with 2 glassfish v2.
>
> In SigningAndValidationEJB constructor comment, we can see that :
> /**
> * Creates an instance of SigningAndValidationEJB with default
> initial context:
> * <pre>
> * INITIAL_CONTEXT_FACTORY =
> "org.jnp.interfaces.NamingContextFactory"
> * URL_PKG_PREFIXES = "org.jboss.naming:org.jnp.interfaces"
> * PROVIDER_URL = "jnp://localhost:1099"
> * </pre>
> *
> * @throws NamingException If an naming exception is encountered.
> */
>
> Is it the correct configuration to connect with an EJB ?
>
> Thanks,
>
>
>
> Antoine
>
>
>
> Le 03.02.2014 09:23, Markus Kilås a écrit :
>> On 2014-02-02 01:43, ant...@yo... wrote:
>>> Hi everyone,
>>>
>>> I try to access to a Remote EJB from an instance of glassfish 3.
>>>
>>> Signserver is running on another server on glassfish 2.
>>>
>>> I can not access to the remote ejb. The jndi name is not recognized.
>>>
>>> Here is my code :
>>>
>>> Properties props = new Properties();
>>> props.setProperty("org.omg.CORBA.ORBInitialHost", "signserverpki");
>>> props.setProperty("org.omg.CORBA.ORBInitialPort", "3700");
>>> InitialContext ic = null;
>>> try {
>>> ic = new InitialContext(props);
>>> } catch (NamingException ex) {
>>> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
>>> null, ex);
>>> }
>>>
>>> IRemote worker = null;
>>> try {
>>> worker = (IRemote)
>>> ic.lookup("org.signserver.ejb.interfaces.IWorkerSession$IRemote");
>>> } catch (NamingException ex) {
>>> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
>>> null, ex);
>>> }
>>>
>>> The exception thrown is :
>>> javax.naming.NamingException: Lookup failed for
>>> 'org.signserver.ejb.interfaces.IWorkerSession$IRemote' in
>>> SerialContext[myEnv={org.omg.CORBA.ORBInitialPort=3700,
>>> java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory,
>>> org.omg.CORBA.ORBInitialHost=signserverpki,
>>> java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl,
>>> java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root
>>> exception
>>> is javax.naming.NameNotFoundException:
>>> org.signserver.ejb.interfaces.IWorkerSession$IRemote not found]
>>>
>>>
>>> I am working with signserver 3.2.3
>>>
>>> Thanks a lot for your help.
>>>
>>>
>>> Antoine
>>>
>>> ------------------------------------------------------------------------------
>>> WatchGuard Dimension instantly turns raw network data into actionable
>>> security intelligence. It gives you real-time visual feedback on key
>>> security issues and trends. Skip the complicated setup - simply
>>> import
>>> a virtual appliance and go from zero to informed in seconds.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> SignServer-develop mailing list
>>> Sig...@li...
>>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>>
>>
>> Hi Antoine,
>>
>> I don't think I tried EJB lookups between different application servers
>> and especially not between two different versions, but at least the
>> code
>> looks correct if it were used to lookup from a client application.
>>
>> Maybe there could be an issue with the two different versions, have you
>> tried if the code works between two GlassFish V2 ?
>>
>>
>> Regards,
>> Markus
>>
>>
>> ------------------------------------------------------------------------------
>> Managing the Performance of Cloud-Based Applications
>> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
>> Read the Whitepaper.
>> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
>> _______________________________________________
>> SignServer-develop mailing list
>> Sig...@li...
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>
--
Kind regards,
Markus Kilås
PKI Specialist
PrimeKey Solutions AB
Anderstorpsv. 16
171 54 Solna
Sweden
Phone: +46 70 424 94 85
Skype: markusatskype
Email: mar...@pr...
www.primekey.se
|
|
From: <ant...@yo...> - 2014-02-03 13:02:12
|
Thanks Markus for your answer.
Unfortunately, I can not test with 2 glassfish v2.
In SigningAndValidationEJB constructor comment, we can see that :
/**
* Creates an instance of SigningAndValidationEJB with default
initial context:
* <pre>
* INITIAL_CONTEXT_FACTORY =
"org.jnp.interfaces.NamingContextFactory"
* URL_PKG_PREFIXES = "org.jboss.naming:org.jnp.interfaces"
* PROVIDER_URL = "jnp://localhost:1099"
* </pre>
*
* @throws NamingException If an naming exception is encountered.
*/
Is it the correct configuration to connect with an EJB ?
Thanks,
Antoine
Le 03.02.2014 09:23, Markus Kilås a écrit :
> On 2014-02-02 01:43, ant...@yo... wrote:
>> Hi everyone,
>>
>> I try to access to a Remote EJB from an instance of glassfish 3.
>>
>> Signserver is running on another server on glassfish 2.
>>
>> I can not access to the remote ejb. The jndi name is not recognized.
>>
>> Here is my code :
>>
>> Properties props = new Properties();
>> props.setProperty("org.omg.CORBA.ORBInitialHost", "signserverpki");
>> props.setProperty("org.omg.CORBA.ORBInitialPort", "3700");
>> InitialContext ic = null;
>> try {
>> ic = new InitialContext(props);
>> } catch (NamingException ex) {
>> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
>> null, ex);
>> }
>>
>> IRemote worker = null;
>> try {
>> worker = (IRemote)
>> ic.lookup("org.signserver.ejb.interfaces.IWorkerSession$IRemote");
>> } catch (NamingException ex) {
>> java.util.logging.Logger.getLogger(SignatureWS.class.getName()).log(Level.SEVERE,
>> null, ex);
>> }
>>
>> The exception thrown is :
>> javax.naming.NamingException: Lookup failed for
>> 'org.signserver.ejb.interfaces.IWorkerSession$IRemote' in
>> SerialContext[myEnv={org.omg.CORBA.ORBInitialPort=3700,
>> java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory,
>> org.omg.CORBA.ORBInitialHost=signserverpki,
>> java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl,
>> java.naming.factory.url.pkgs=com.sun.enterprise.naming} [Root
>> exception
>> is javax.naming.NameNotFoundException:
>> org.signserver.ejb.interfaces.IWorkerSession$IRemote not found]
>>
>>
>> I am working with signserver 3.2.3
>>
>> Thanks a lot for your help.
>>
>>
>> Antoine
>>
>> ------------------------------------------------------------------------------
>> WatchGuard Dimension instantly turns raw network data into actionable
>> security intelligence. It gives you real-time visual feedback on key
>> security issues and trends. Skip the complicated setup - simply
>> import
>> a virtual appliance and go from zero to informed in seconds.
>> http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
>> _______________________________________________
>> SignServer-develop mailing list
>> Sig...@li...
>> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>
>
> Hi Antoine,
>
> I don't think I tried EJB lookups between different application servers
> and especially not between two different versions, but at least the
> code
> looks correct if it were used to lookup from a client application.
>
> Maybe there could be an issue with the two different versions, have you
> tried if the code works between two GlassFish V2 ?
>
>
> Regards,
> Markus
>
>
> ------------------------------------------------------------------------------
> Managing the Performance of Cloud-Based Applications
> Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
> Read the Whitepaper.
> http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
|
8 messages has been excluded from this view by a project administrator.
