SlideShare a Scribd company logo

Massimiliano Pala

P
prensacespi
Technology
1 of 22
Download to read offline
Supported by Interoperability and Usability of PKI Dartmouth College http://www.openca.org OpenCA v1.0.2+ (ten-ten2) Massimiliano Pala <project.manager@openca.org>
Outline  Basic Installation Procedures  Graphical Installer vs Source code Installer  New Features Overview  Auto CA, Auto CRL, and Auto E-Mail  Browser Request & Authenticated Browser Request  Level of Assurance and License Agreements  Cryptographic Updates  ECDSA support  Upgrading to SHA256  Brief Demonstration M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA – Graphical Installer  Graphical installer for binary installation  Donation by BitRock  Available for Fedora, Ubuntu, OpenSolaris, etc...  Useful for 99% of common installations  Runs in both graphical and text mode for remote installation  Not available for every platform  New distributions  More resources needed  Community support  Dependencies  OpenCA-Tools M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA – Graphical Installer (cont.) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA – Graphical Installer (cont.) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Installing OpenCA from Sources-1  Source package installation  Suitable for many UNIX systems  BSD, Solaris, Linux, etc..  More flexible (allows many options to be set at installation time)  Requires more expertise in solving configuration issues  Dependencies  OpenSSL  OpenCA-Tools M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Installing OpenCA from Sources-2  Example: $ ./configure --prefix=/opt/openca --with-openssl-prefix=/opt/openca-openssl --with-httpd-user=apache ... $ make ... $ make install-offline ... $ make install-online M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Installing OpenCA: what's Next ?  Many Options to fit your CA  System Configuration(s)  Certificate Profiles and Certificate Policies  Service(s) configuration  Web Server  LDAP  Data Exchange device(s) or scripts  Core Configuration file  PREFIX/etc/openca/config.xml  Activate changes: restart OpenCA! M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Online Daemons  On-Line daemons to ease Grid operations  On-Line CA support  Supported CA Operations  Automatic Certificate Issuing  Automatic CRL issuing  Supported RA Operations  Automatic E-Mail warning to Users M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Auto Certificate Issuing  CA Interface  CA Operations -> Auto Certificate Issuing -> Enable  RA Options  Registration Authority (Requested by the User or setup in the request)  RA Operator that approved the request  Singed Requests only  Request Details  Requested Role  Level of Assurance  Accepted Algorithms and Key Sizes M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Auto CRL Issuing System  CA Interface  CA Operations -> Auto CRL Issuing -> Enable  CRL Options  Issue CRL Every Period  CRL Validity is Period  CRL Extension  Where Period can be:  Days, Hours, Minutes, Seconds (for Issuing Period)  Days, Hours (for Validity – Limitation of OpenSSL) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Auto E-Mail System  RA Interface  RA Operations -> Auto E-Mail -> Enable  Daemon Process Options  Check Period for outgoing mail  Days, Hours, Minutes, Seconds  E-Mail Options  Warn for Expiring Certificates  Filter Certificates by:  Role, LOA, Validity Period (minimum lifespan)  Up to two warning E-Mails  Certificates expiring within (Days, Hours) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Browser Request  Unified Request for different browsers  Mozilla, Firefox, Konqueror, Opera, IE6, IE7  Support Server Side Key and Request Generation  XML configuration  PREFIX/etc/openca/browser_request.xml  Different Sections supported  User, Certificate, Keygen, Agreement  Subsections (Groups of Input fields)  Base DN added automatically to the request  Final Request Status (eg., NEW, APPROVED)  Full Input fields configuration M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Browser Request (cont.)  $EXEC::[function] - Executes a function and uses the output to populate the input object  loadDataSources() - generates the list of the configured datasources in datasources.xml.template (**)  loadRoles() - generates the list of Roles (or profiles)  loadLoa() - generates the list of Levels Of Assurance  loadKeygenMode() - generates the list of Key Generation Modes allowed for the currently used browser (check the loa.xml config file as well)  loadKeyTypes() - generates the list of allowed Key Types. Currently supported are RSA, DSA, ECDSA; the list can be shorter depending on the capabilities of the browser and the type of current request.  loadKeyStrengths() - generates the list of allowed Key Strengths (check the loa.xml config file for more explanation) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Browser Request Configuration ... <input> <!-- Name of the Input Field --> <name>loa</name> <!-- Label displayed to the User --> <label>Level of Assurance</label> <!-- Info Image and Link (right of Input) --> <info img=quot;bulb.pngquot;>?cmd=viewLoas</info> <!-- Type of input (eg., textfield, select, popup_menu, checkbox, etc...) --> <type>select</type> <charset>UTF8_LETTERS</charset> <value></value> <minlen>1</minlen> <required>YES</required> </input> ... M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Authenticated Browser Request  Same Characteristics as the normal Request  Requires authentication to a Data Source  Currently Supported only LDAP  XML configuration  PREFIX/etc/openca/auth_browser_request.xml.template  Uses Datasources to determine the list of available data source for authentication and data retireval purposes  $DATA::[FIELD] - substitute the value with the FIELD value gathered from the chosen datasource:  e.g., 'givenName' available as $DATA::giveName. M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
LOAs and License Agreements  Level of Assurance  Different LOAs require different request properties  Different LOAs require different user behaviors  LOA configuration  Level, Name, Description  <Requires>  <Strength>  <Name>  <Allowed>ALGOR+MINKEYSIZE</Allowed>  Keygen  <Mode>Server (or Browser)</Mode>  <Agreement>agreement_file</Agreement>  Cert (i.e. CP and CPS) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Cryptographic Updates  Support for ECDSA  Only with ECDSA enabled openssl  No encryption is supported (as in DSA)  Smaller Keysizes (124 -> 521 bits)  Subset of curves supported (standard curves – NIST)  Support for SHA256  Enabled by default on OpenCA 1.0.x  No browsers support ECDSA requests  use Server Side generation  Support for ECDSA certificates in browsers still to be fully tested  Absolutely needed – 2010 is deadline for SHA1! M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA: Next Steps  Integrating openca-tools with libpki  Take advantage of the extended support of algorithms and token interface  Adding PRQP web interface to OpenCA  Discovery of services for clients  Start of the OpenCA-DigiSign project  Beginning in April 2009  New C-Based codebase  Integrated with LibPKI  Commercial Support available M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Questions M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Questions contribute contribute contribute contribute contribute contribute Thank You! contribute contribute contribute contribute contribute contribute M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA References  OpenCA HomePage: https://www.openca.org  Main Contact: project dot manager at openca dot org M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina

Recommended

Window International Network Prayer Points
Window International Network Prayer PointsWindow International Network Prayer Points
Window International Network Prayer Pointswin1040
 
Customer Service
Customer ServiceCustomer Service
Customer Servicesbeissner
 
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebelloprensacespi
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheCris Holdorph
 
What's New with Windows Phone - FoxCon Talk
What's New with Windows Phone - FoxCon TalkWhat's New with Windows Phone - FoxCon Talk
What's New with Windows Phone - FoxCon TalkSam Basu
 
Oracle database appliance my first 90 days
Oracle database appliance my first 90 daysOracle database appliance my first 90 days
Oracle database appliance my first 90 daysRogerio Bacchi Eguchi
 
Api Design
Api DesignApi Design
Api Designsumithra jonnalagadda
 
Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015aioughydchapter
 

Recommended

Window International Network Prayer Points
Window International Network Prayer PointsWindow International Network Prayer Points
Window International Network Prayer Pointswin1040
 
Customer Service
Customer ServiceCustomer Service
Customer Servicesbeissner
 
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebelloprensacespi
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheCris Holdorph
 
What's New with Windows Phone - FoxCon Talk
What's New with Windows Phone - FoxCon TalkWhat's New with Windows Phone - FoxCon Talk
What's New with Windows Phone - FoxCon TalkSam Basu
 
Oracle database appliance my first 90 days
Oracle database appliance my first 90 daysOracle database appliance my first 90 days
Oracle database appliance my first 90 daysRogerio Bacchi Eguchi
 
Api Design
Api DesignApi Design
Api Designsumithra jonnalagadda
 
Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015aioughydchapter
 
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersJean-Frederic Clere
 
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Dennis Martin
 
Systems Automation with Puppet
Systems Automation with PuppetSystems Automation with Puppet
Systems Automation with Puppetelliando dias
 
Leveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN PerformanceLeveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN Performancebrettallison
 
Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020b0ris_1
 
Nagios 3
Nagios 3Nagios 3
Nagios 3rajni_kant
 
Apache Commons Overview
Apache Commons OverviewApache Commons Overview
Apache Commons Overviewghessler
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9Nuno Godinho
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toeintilop
 
Wikilims Road4
Wikilims Road4Wikilims Road4
Wikilims Road4guestcc22df
 
OAuth FTW
OAuth FTWOAuth FTW
OAuth FTWChris Messina
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaCarsonified Team
 
NFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkNFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkMichelle Holley
 
Stackato Presentation Techzone 2013
Stackato Presentation Techzone 2013Stackato Presentation Techzone 2013
Stackato Presentation Techzone 2013Martin Kenneth Michalsky
 
Running PHP on a Java container
Running PHP on a Java containerRunning PHP on a Java container
Running PHP on a Java containernetinhoteixeira
 
JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5Stephan Schmidt
 
Real-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKReal-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKData Con LA
 
Jboss World 2011 Infinispan
Jboss World 2011 InfinispanJboss World 2011 Infinispan
Jboss World 2011 Infinispancbo_
 
elk_stack_alexander_szalonnas
elk_stack_alexander_szalonnaselk_stack_alexander_szalonnas
elk_stack_alexander_szalonnasAlexander Szalonnas
 
Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4N Masahiro
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

More Related Content

Similar to Massimiliano Pala

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersJean-Frederic Clere
 
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Dennis Martin
 
Systems Automation with Puppet
Systems Automation with PuppetSystems Automation with Puppet
Systems Automation with Puppetelliando dias
 
Leveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN PerformanceLeveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN Performancebrettallison
 
Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020b0ris_1
 
Apache Commons Overview
Apache Commons OverviewApache Commons Overview
Apache Commons Overviewghessler
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9Nuno Godinho
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toeintilop
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaCarsonified Team
 
NFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkNFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkMichelle Holley
 
Running PHP on a Java container
Running PHP on a Java containerRunning PHP on a Java container
Running PHP on a Java containernetinhoteixeira
 
JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5Stephan Schmidt
 
Real-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKReal-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKData Con LA
 
Jboss World 2011 Infinispan
Jboss World 2011 InfinispanJboss World 2011 Infinispan
Jboss World 2011 Infinispancbo_
 
Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4N Masahiro
 

Similar to Massimiliano Pala (20)

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
 
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
 
Systems Automation with Puppet
Systems Automation with PuppetSystems Automation with Puppet
Systems Automation with Puppet
 
Leveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN PerformanceLeveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN Performance
 
Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020
 
Nagios 3
Nagios 3Nagios 3
Nagios 3
 
Apache Commons Overview
Apache Commons OverviewApache Commons Overview
Apache Commons Overview
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toe
 
Wikilims Road4
Wikilims Road4Wikilims Road4
Wikilims Road4
 
OAuth FTW
OAuth FTWOAuth FTW
OAuth FTW
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris Messina
 
NFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkNFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function Framework
 
Stackato Presentation Techzone 2013
Stackato Presentation Techzone 2013Stackato Presentation Techzone 2013
Stackato Presentation Techzone 2013
 
Running PHP on a Java container
Running PHP on a Java containerRunning PHP on a Java container
Running PHP on a Java container
 
JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5
 
Real-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKReal-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNK
 
Jboss World 2011 Infinispan
Jboss World 2011 InfinispanJboss World 2011 Infinispan
Jboss World 2011 Infinispan
 
elk_stack_alexander_szalonnas
elk_stack_alexander_szalonnaselk_stack_alexander_szalonnas
elk_stack_alexander_szalonnas
 
Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4
 

Recently uploaded

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Massimiliano Pala

  • 1. Supported by Interoperability and Usability of PKI Dartmouth College http://www.openca.org OpenCA v1.0.2+ (ten-ten2) Massimiliano Pala <project.manager@openca.org>
  • 2. Outline  Basic Installation Procedures  Graphical Installer vs Source code Installer  New Features Overview  Auto CA, Auto CRL, and Auto E-Mail  Browser Request & Authenticated Browser Request  Level of Assurance and License Agreements  Cryptographic Updates  ECDSA support  Upgrading to SHA256  Brief Demonstration M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 3. OpenCA – Graphical Installer  Graphical installer for binary installation  Donation by BitRock  Available for Fedora, Ubuntu, OpenSolaris, etc...  Useful for 99% of common installations  Runs in both graphical and text mode for remote installation  Not available for every platform  New distributions  More resources needed  Community support  Dependencies  OpenCA-Tools M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 4. OpenCA – Graphical Installer (cont.) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 5. OpenCA – Graphical Installer (cont.) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 6. Installing OpenCA from Sources-1  Source package installation  Suitable for many UNIX systems  BSD, Solaris, Linux, etc..  More flexible (allows many options to be set at installation time)  Requires more expertise in solving configuration issues  Dependencies  OpenSSL  OpenCA-Tools M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 7. Installing OpenCA from Sources-2  Example: $ ./configure --prefix=/opt/openca --with-openssl-prefix=/opt/openca-openssl --with-httpd-user=apache ... $ make ... $ make install-offline ... $ make install-online M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 8. Installing OpenCA: what's Next ?  Many Options to fit your CA  System Configuration(s)  Certificate Profiles and Certificate Policies  Service(s) configuration  Web Server  LDAP  Data Exchange device(s) or scripts  Core Configuration file  PREFIX/etc/openca/config.xml  Activate changes: restart OpenCA! M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 9. Online Daemons  On-Line daemons to ease Grid operations  On-Line CA support  Supported CA Operations  Automatic Certificate Issuing  Automatic CRL issuing  Supported RA Operations  Automatic E-Mail warning to Users M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 10. Auto Certificate Issuing  CA Interface  CA Operations -> Auto Certificate Issuing -> Enable  RA Options  Registration Authority (Requested by the User or setup in the request)  RA Operator that approved the request  Singed Requests only  Request Details  Requested Role  Level of Assurance  Accepted Algorithms and Key Sizes M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 11. Auto CRL Issuing System  CA Interface  CA Operations -> Auto CRL Issuing -> Enable  CRL Options  Issue CRL Every Period  CRL Validity is Period  CRL Extension  Where Period can be:  Days, Hours, Minutes, Seconds (for Issuing Period)  Days, Hours (for Validity – Limitation of OpenSSL) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 12. Auto E-Mail System  RA Interface  RA Operations -> Auto E-Mail -> Enable  Daemon Process Options  Check Period for outgoing mail  Days, Hours, Minutes, Seconds  E-Mail Options  Warn for Expiring Certificates  Filter Certificates by:  Role, LOA, Validity Period (minimum lifespan)  Up to two warning E-Mails  Certificates expiring within (Days, Hours) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 13. Browser Request  Unified Request for different browsers  Mozilla, Firefox, Konqueror, Opera, IE6, IE7  Support Server Side Key and Request Generation  XML configuration  PREFIX/etc/openca/browser_request.xml  Different Sections supported  User, Certificate, Keygen, Agreement  Subsections (Groups of Input fields)  Base DN added automatically to the request  Final Request Status (eg., NEW, APPROVED)  Full Input fields configuration M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 14. Browser Request (cont.)  $EXEC::[function] - Executes a function and uses the output to populate the input object  loadDataSources() - generates the list of the configured datasources in datasources.xml.template (**)  loadRoles() - generates the list of Roles (or profiles)  loadLoa() - generates the list of Levels Of Assurance  loadKeygenMode() - generates the list of Key Generation Modes allowed for the currently used browser (check the loa.xml config file as well)  loadKeyTypes() - generates the list of allowed Key Types. Currently supported are RSA, DSA, ECDSA; the list can be shorter depending on the capabilities of the browser and the type of current request.  loadKeyStrengths() - generates the list of allowed Key Strengths (check the loa.xml config file for more explanation) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 15. Browser Request Configuration ... <input> <!-- Name of the Input Field --> <name>loa</name> <!-- Label displayed to the User --> <label>Level of Assurance</label> <!-- Info Image and Link (right of Input) --> <info img=quot;bulb.pngquot;>?cmd=viewLoas</info> <!-- Type of input (eg., textfield, select, popup_menu, checkbox, etc...) --> <type>select</type> <charset>UTF8_LETTERS</charset> <value></value> <minlen>1</minlen> <required>YES</required> </input> ... M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 16. Authenticated Browser Request  Same Characteristics as the normal Request  Requires authentication to a Data Source  Currently Supported only LDAP  XML configuration  PREFIX/etc/openca/auth_browser_request.xml.template  Uses Datasources to determine the list of available data source for authentication and data retireval purposes  $DATA::[FIELD] - substitute the value with the FIELD value gathered from the chosen datasource:  e.g., 'givenName' available as $DATA::giveName. M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 17. LOAs and License Agreements  Level of Assurance  Different LOAs require different request properties  Different LOAs require different user behaviors  LOA configuration  Level, Name, Description  <Requires>  <Strength>  <Name>  <Allowed>ALGOR+MINKEYSIZE</Allowed>  Keygen  <Mode>Server (or Browser)</Mode>  <Agreement>agreement_file</Agreement>  Cert (i.e. CP and CPS) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 18. Cryptographic Updates  Support for ECDSA  Only with ECDSA enabled openssl  No encryption is supported (as in DSA)  Smaller Keysizes (124 -> 521 bits)  Subset of curves supported (standard curves – NIST)  Support for SHA256  Enabled by default on OpenCA 1.0.x  No browsers support ECDSA requests  use Server Side generation  Support for ECDSA certificates in browsers still to be fully tested  Absolutely needed – 2010 is deadline for SHA1! M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 19. OpenCA: Next Steps  Integrating openca-tools with libpki  Take advantage of the extended support of algorithms and token interface  Adding PRQP web interface to OpenCA  Discovery of services for clients  Start of the OpenCA-DigiSign project  Beginning in April 2009  New C-Based codebase  Integrated with LibPKI  Commercial Support available M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 20. Questions M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 21. Questions contribute contribute contribute contribute contribute contribute Thank You! contribute contribute contribute contribute contribute contribute M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 22. OpenCA References  OpenCA HomePage: https://www.openca.org  Main Contact: project dot manager at openca dot org M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina