Presentation is loading. Please wait.

Presentation is loading. Please wait.

A New UK CA Portal David Meredith Jens Jensen John Kewley.

Published byMaud Cannon Modified over 9 years ago

Similar presentations

Presentation on theme: "A New UK CA Portal David Meredith Jens Jensen John Kewley."— Presentation transcript:

1 A New UK CA Portal David Meredith Jens Jensen John Kewley

2 UK CA 2 Min Overview UK CA – Issues IGTF accredited user and certificates for the UK (other certs too – code-sign). 33432issued in total, ~3000 currently valid, are 1691 host certs, 1243 certs processed using CertWizard. RA operator network to assert user identities (check photo IDs) to managed certificate requests (approve/reject/revoke). Personal TERENA certs not available to UK users (currently, free host certs but UK is not signed up and would have to pay personal certs and establish RA network). UK CA certs required in EGI/international scope.

3 Components Postgres CA DB – Holds certificates, CSRs (New and Renew requests), CRRs, RA list, RA operator details. – Does not store private keys Signing – Offline - manually extract requests from CA DB – Signs requests (CSR + UK CA cert chain signatures => Cert) – Uploads certs back into the DB Interfaces – OpenCA Portal (CA/RA ops) – crr/csr/approve/revoke/manage requests – Bespoke Scripts (CA ops) – CLI DB management – REST Server (User) – REST server used by new PECR + CertWiz – CertificateWizard (User) – GUI request/renew/revoke/manage certificates in stored in PKCS12 KeyStore file. – PECR Scripts (User) – CLI Perl client scripts to request certificates in bulk

4 CA DB OpenCA: /cgi-bin/pub/pki* /cgi-bin/ra/RAServer* REST Server: /csr_user_request /csr_host_request /crr_request /bulk_host_csr Cwiz PeCR Cust Certs in Standalone keyStore file (PKCS12) Current Situation Signing Machine A. CSRs B. Certs Other scripts: ‘roleChangeUtils.sh’ ‘doOpList.sh’ ‘doRaEmail.sh’ ClientsServerOffline Certs in browser

5 UK OpenCA Our current version is old – Requires RH4, digest code :-( – Difficult to update to newer OpenCA due to bespoke DB changes – Want to evolve/improve our CA into the future 3 Options: 1.DB porting exercise to new off-shelf CA portal 2.Brownfield = Refactor + update current legacy OpenCA 3.Greenfield = Roll our own replacement

6 Refactor+Update or Roll Own? Build on existing code-base – usually end up re-developing with replacement code anyway. We want to customise our CA: Recent policy changes will allow us to generate CSR + PrivKey on the server for subsequent download as.p12 file but with no retention of private key on server. Allows us to replace current key generation in browser KeyStore (~spkac): Non standard with limited/varied browser support. Can re-use CertWiz libs to gen CSR in new portal (imagine a portal version of CertWizard for requesting certs)

7 /csr_user_request /csr_host_request /crr_request /bulk_host_csr Cwiz PeCR Cust /raop/* /caop/* /pub/request/* /cert_owner/renew/* Roll Own CA Portal 1.Replace OpenCA RA+CA Interfaces/scripts with a new RA-CA Portal 2.Depending on policy changes, +/- new User Portal (or just rely on CertWiz/PECR) +/- 1) 2)

8 New CA Portal Java/JSP, Spring MVC, Spring Security Bootstrap CSS/JavaScript lib (from Twitter) Spring Security: “a powerful and highly customizable authentication and access- control framework. Is a de-facto standard for securing Java (Web) apps. – I agree, its good, and so is Spring MVC

9 Spring Sec intercepts URL requests and applies different authentication filters SpringSecurityConfig.xml No cert required for: -REST URLs (use own message level authentication - PPPK) -Public pages Inject ordered Auth provider chain PTO

10 Auth Provider determines roles from DN CaJdbcUserDetailsService

11 viewRalist.jsp Role Based Content Display

12 New RA-CA Portal /caporta/cert_owner

13 /caportal/raop/searchcert

14 /caportal/raop/viewcert?certId=34720

15 /caportal/raop/searchcsr

16 /caportal/raop/viewcsr?requestId=73743368

17 /caportal/raop/searchralist

18 Model (MVC) Domain Model Maps to DB tables

19 View (MVC) Renders the Model – no logic View

20 Controller (MVC) - Prepares Model for view (HashMap containing domain objs + other data) Controllers

21 TODO Finish RA/CA actions – RA operator actions nearly fully reproduced – CA operator actions (e.g. edit RA list, DB actions…) User interface for CSRs (NEW and RENEW) – Recently proposed policy changes means we can generate CSR+PrivKey on the server for subsequent download (e.g. as.p12 file) – Will make life far easier for me and for users

Download ppt "A New UK CA Portal David Meredith Jens Jensen John Kewley."

Similar presentations

INFN CA1 active since July 1998 manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.

INFN CA1 active since July manager: –Roberto Cecchini types of certificates released: –personal –server –object signing.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
SSL Implementation Guide Onno W. Purbo

SSL Implementation Guide Onno W. Purbo
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Multiple Tiers in Action

Multiple Tiers in Action
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Website Development with PHP and MySQL Introduction.

Website Development with PHP and MySQL Introduction.
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
2014 User Group Meeting - Maumee Bay Lodge and Convention Center.

2014 User Group Meeting - Maumee Bay Lodge and Convention Center.
Web Application Architecture: multi-tier (2-tier, 3-tier) & mvc

Web Application Architecture: multi-tier (2-tier, 3-tier) & mvc
Linux Operations and Administration

Linux Operations and Administration
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming

Similar presentations

Ads by Google