Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory.

Published byEleanor Burns Modified over 8 years ago

Similar presentations

Presentation on theme: "Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory."— Presentation transcript:

1 Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory

2 Jens G Jensen UK e-Science A talk in three parts Part one being about Baltimore uniCert Part two, being the second part, about pyCA Part three, being the third and final part, about the Java based solution that we’re working on

3 Jens G Jensen UK e-Science Part one Baltimore uniCert

4 Jens G Jensen UK e-Science Baltimore uniCert Spent a day talking with Baltimore techies We haven’t actually tested it yet… …so presentation will be salvo errore et omissione… You can get more information from the Baltimore web site (but will have to register to get it  ) And we also know people you can ask…

5 Jens G Jensen UK e-Science uniCert, technical requirements Root CA is online – works with FIPS 140 level 3 or 4 HSM Must use Oracle as underlying database (comes with licence) CA Operator (see later) must run on Microsoft Windows All other parts of the CA run on Solaris (two boxes required)

6 Jens G Jensen UK e-Science uniCert, terminology “CA” – refers to online signing system “RA” – refers to online request management system “RA Operator” (“RAO”) – the (human) RA “CA Operator” (“CAO”) – the signing module “ARM” – advanced registration module – sort of an “automated RAO”

7 Jens G Jensen UK e-Science Schematics CA RA CAO RAX dB Web RAO User Web interface Cert Status Service ARM CMP SQL

8 Jens G Jensen UK e-Science uniCert, additional comments Can modify contents of certificates easily Point-and-click CA “policies” – also very easy to manage sub-CAs with different policies Can have different policies for different RAs Can do automatic renewal (on old keys) Cannot do automatic re-key (i.e. re-key is like initial request – have to go through RAs again)

9 Jens G Jensen UK e-Science Baltimore Tech I quote: “Full development roadmap and commitment” Standard protocols used whenever possible (CMP, OCSP, LDAP, SQL) – not for RAO, though 30 day evaluation licence available (of course this requires 30 consecutive days of my time…)

10 Jens G Jensen UK e-Science uniCert in e-Science? We decided not to evaluate it for now… …too much work to migrate from existing solution (uniCert mostly assumes you start from scratch) …too much work to adopt “weird” UK namespace requirements (OU and L identify RA) – may be possible with ARM but will probably be a lot of work

11 Jens G Jensen UK e-Science Part two pyCA

12 Jens G Jensen UK e-Science Overview Written in python Runs as CGI programs under Apache Front end to OpenSSL LDAP support http://www.pyca.de/ Not being actively developed at the moment – the author “does not have time but will bugfix”

13 Jens G Jensen UK e-Science (Default) Certificate Hierarchy Email certs Auth certs Server certs Code signing Email CA Auth CA Server CA Code Signing CA ROOT CA

14 Jens G Jensen UK e-Science Part three UK e-Science Java solution

15 Jens G Jensen UK e-Science Overview Submits request to our current OpenCA system Written in Java as signed applets Crypto based on the BouncyCastle and jcetaglib libraries http://www.bouncycastle.org/ http://jcetaglib.sourceforge.net/ Still under development

16 Jens G Jensen UK e-Science Obligatory Diagram Request Applet Cert Applet Online OpenCA Web User interface Offline signing system CAUser’s computer thingy Private key cert & key

17 Jens G Jensen UK e-Science PCKS#12 Problems using KeyStore class from applet – not from java application –Applet complains of invalid signature on provider –Problem is with JCE 1.4, works with 1.3 The KeyStore class is used to generate the PKCS#12 file

18 Jens G Jensen UK e-Science Browser support Browsers generally come equipped with JCE 1.1 or similar Currently users must install 1.4

19 Jens G Jensen UK e-Science Portability Not very… Written to take some of e-Science’s peculiarities into account –Namespace: OU and L, requirements on name forms Written to submit requests into OpenCA In the (near) future, can provide more generally useful CA software

20 Jens G Jensen UK e-Science Future developments Need to review the code, and clean it up Can replace OpenCA: since applets provide the user friendly interface, no need for OpenCA –Plan to replace system with a simpler Apache/mod_ssl/Perl-CGI/OpenSSL system using a PostgreSQL database Produce general non-eScience software?

Download ppt "Jens G Jensen UK e-Science Alternative CA software Jens G Jensen UK e-Science CA Rutherford Appleton Laboratory."

Similar presentations

EIONET Training Beginners Zope Course Miruna Bădescu Finsiel Romania Copenhagen, 27 October 2003.

EIONET Training Beginners Zope Course Miruna Bădescu Finsiel Romania Copenhagen, 27 October 2003.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
1 Database Driven Web Application Clients Application Servers including web servers Database Server Traditional client-server (2-tier architecture): client:

1 Database Driven Web Application Clients Application Servers including web servers Database Server Traditional client-server (2-tier architecture): client:
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Certificate Authorities - Commercial Options Robert Brentrup Educause/Dartmouth PKI Summit July 26, 2005.

Certificate Authorities - Commercial Options Robert Brentrup Educause/Dartmouth PKI Summit July 26, 2005.
VxWorks Real-Time Kernel Connectivity

VxWorks Real-Time Kernel Connectivity
Authorizing Access to Services at Penn State University

Authorizing Access to Services at Penn State University
INFORMATION SYSTEMS SERVICES UNIVERSITY OF LEEDS Presentation to the UK e-Science Grid Workshop ‘Managing Access to Resources on the Grid’ e-Science Institute,

INFORMATION SYSTEMS SERVICES UNIVERSITY OF LEEDS Presentation to the UK e-Science Grid Workshop ‘Managing Access to Resources on the Grid’ e-Science Institute,
PKI Administration Using EJBCA and OpenCA

PKI Administration Using EJBCA and OpenCA
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
Digital Certificate Service Monitoring Services Module Chrysa Papagianni.

Digital Certificate Service Monitoring Services Module Chrysa Papagianni.
X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster

X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster
Introduction to Web Application Architectures Web Application Architectures 18 th March 2005 Bogdan L. Vrusias

Introduction to Web Application Architectures Web Application Architectures 18 th March 2005 Bogdan L. Vrusias
Asset: Academic Survey System & Evaluation Tool Bert G. Wachsmuth Seton Hall University.

Asset: Academic Survey System & Evaluation Tool Bert G. Wachsmuth Seton Hall University.
Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.

Robofest 2001 Online Management System Jim Needham MCS 4833/01 Senior Project Dr. Chan-Jin Chung, Ph.D.
Jun Peng Stanford University – Department of Civil and Environmental Engineering Nov 17, 2000 DISSERTATION PROPOSAL A Software Framework for Collaborative.

Jun Peng Stanford University – Department of Civil and Environmental Engineering Nov 17, 2000 DISSERTATION PROPOSAL A Software Framework for Collaborative.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Configuring Active Directory Certificate Services Lesson 13.

Configuring Active Directory Certificate Services Lesson 13.
Masud Hasan 03-60-475 Secure Email Project 1. Secure Email It uses Digital Certificate combined with S/MIME capable email clients to digitally sign and.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.

Similar presentations

Ads by Google