SlideShare a Scribd company logo

Massimiliano Pala

P
prensacespi
Technology
1 of 22
Download to read offline
Supported by Interoperability and Usability of PKI Dartmouth College http://www.openca.org OpenCA v1.0.2+ (ten-ten2) Massimiliano Pala <project.manager@openca.org>
Outline  Basic Installation Procedures  Graphical Installer vs Source code Installer  New Features Overview  Auto CA, Auto CRL, and Auto E-Mail  Browser Request & Authenticated Browser Request  Level of Assurance and License Agreements  Cryptographic Updates  ECDSA support  Upgrading to SHA256  Brief Demonstration M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA – Graphical Installer  Graphical installer for binary installation  Donation by BitRock  Available for Fedora, Ubuntu, OpenSolaris, etc...  Useful for 99% of common installations  Runs in both graphical and text mode for remote installation  Not available for every platform  New distributions  More resources needed  Community support  Dependencies  OpenCA-Tools M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA – Graphical Installer (cont.) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA – Graphical Installer (cont.) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Installing OpenCA from Sources-1  Source package installation  Suitable for many UNIX systems  BSD, Solaris, Linux, etc..  More flexible (allows many options to be set at installation time)  Requires more expertise in solving configuration issues  Dependencies  OpenSSL  OpenCA-Tools M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Installing OpenCA from Sources-2  Example: $ ./configure --prefix=/opt/openca --with-openssl-prefix=/opt/openca-openssl --with-httpd-user=apache ... $ make ... $ make install-offline ... $ make install-online M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Installing OpenCA: what's Next ?  Many Options to fit your CA  System Configuration(s)  Certificate Profiles and Certificate Policies  Service(s) configuration  Web Server  LDAP  Data Exchange device(s) or scripts  Core Configuration file  PREFIX/etc/openca/config.xml  Activate changes: restart OpenCA! M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Online Daemons  On-Line daemons to ease Grid operations  On-Line CA support  Supported CA Operations  Automatic Certificate Issuing  Automatic CRL issuing  Supported RA Operations  Automatic E-Mail warning to Users M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Auto Certificate Issuing  CA Interface  CA Operations -> Auto Certificate Issuing -> Enable  RA Options  Registration Authority (Requested by the User or setup in the request)  RA Operator that approved the request  Singed Requests only  Request Details  Requested Role  Level of Assurance  Accepted Algorithms and Key Sizes M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Auto CRL Issuing System  CA Interface  CA Operations -> Auto CRL Issuing -> Enable  CRL Options  Issue CRL Every Period  CRL Validity is Period  CRL Extension  Where Period can be:  Days, Hours, Minutes, Seconds (for Issuing Period)  Days, Hours (for Validity – Limitation of OpenSSL) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Auto E-Mail System  RA Interface  RA Operations -> Auto E-Mail -> Enable  Daemon Process Options  Check Period for outgoing mail  Days, Hours, Minutes, Seconds  E-Mail Options  Warn for Expiring Certificates  Filter Certificates by:  Role, LOA, Validity Period (minimum lifespan)  Up to two warning E-Mails  Certificates expiring within (Days, Hours) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Browser Request  Unified Request for different browsers  Mozilla, Firefox, Konqueror, Opera, IE6, IE7  Support Server Side Key and Request Generation  XML configuration  PREFIX/etc/openca/browser_request.xml  Different Sections supported  User, Certificate, Keygen, Agreement  Subsections (Groups of Input fields)  Base DN added automatically to the request  Final Request Status (eg., NEW, APPROVED)  Full Input fields configuration M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Browser Request (cont.)  $EXEC::[function] - Executes a function and uses the output to populate the input object  loadDataSources() - generates the list of the configured datasources in datasources.xml.template (**)  loadRoles() - generates the list of Roles (or profiles)  loadLoa() - generates the list of Levels Of Assurance  loadKeygenMode() - generates the list of Key Generation Modes allowed for the currently used browser (check the loa.xml config file as well)  loadKeyTypes() - generates the list of allowed Key Types. Currently supported are RSA, DSA, ECDSA; the list can be shorter depending on the capabilities of the browser and the type of current request.  loadKeyStrengths() - generates the list of allowed Key Strengths (check the loa.xml config file for more explanation) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Browser Request Configuration ... <input> <!-- Name of the Input Field --> <name>loa</name> <!-- Label displayed to the User --> <label>Level of Assurance</label> <!-- Info Image and Link (right of Input) --> <info img=quot;bulb.pngquot;>?cmd=viewLoas</info> <!-- Type of input (eg., textfield, select, popup_menu, checkbox, etc...) --> <type>select</type> <charset>UTF8_LETTERS</charset> <value></value> <minlen>1</minlen> <required>YES</required> </input> ... M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Authenticated Browser Request  Same Characteristics as the normal Request  Requires authentication to a Data Source  Currently Supported only LDAP  XML configuration  PREFIX/etc/openca/auth_browser_request.xml.template  Uses Datasources to determine the list of available data source for authentication and data retireval purposes  $DATA::[FIELD] - substitute the value with the FIELD value gathered from the chosen datasource:  e.g., 'givenName' available as $DATA::giveName. M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
LOAs and License Agreements  Level of Assurance  Different LOAs require different request properties  Different LOAs require different user behaviors  LOA configuration  Level, Name, Description  <Requires>  <Strength>  <Name>  <Allowed>ALGOR+MINKEYSIZE</Allowed>  Keygen  <Mode>Server (or Browser)</Mode>  <Agreement>agreement_file</Agreement>  Cert (i.e. CP and CPS) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Cryptographic Updates  Support for ECDSA  Only with ECDSA enabled openssl  No encryption is supported (as in DSA)  Smaller Keysizes (124 -> 521 bits)  Subset of curves supported (standard curves – NIST)  Support for SHA256  Enabled by default on OpenCA 1.0.x  No browsers support ECDSA requests  use Server Side generation  Support for ECDSA certificates in browsers still to be fully tested  Absolutely needed – 2010 is deadline for SHA1! M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA: Next Steps  Integrating openca-tools with libpki  Take advantage of the extended support of algorithms and token interface  Adding PRQP web interface to OpenCA  Discovery of services for clients  Start of the OpenCA-DigiSign project  Beginning in April 2009  New C-Based codebase  Integrated with LibPKI  Commercial Support available M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Questions M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
Questions contribute contribute contribute contribute contribute contribute Thank You! contribute contribute contribute contribute contribute contribute M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA References  OpenCA HomePage: https://www.openca.org  Main Contact: project dot manager at openca dot org M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina

Recommended

Window International Network Prayer Points
Window International Network Prayer PointsWindow International Network Prayer Points
Window International Network Prayer Pointswin1040
 
Customer Service
Customer ServiceCustomer Service
Customer Servicesbeissner
 
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebelloprensacespi
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheCris Holdorph
 
What's New with Windows Phone - FoxCon Talk
What's New with Windows Phone - FoxCon TalkWhat's New with Windows Phone - FoxCon Talk
What's New with Windows Phone - FoxCon TalkSam Basu
 
Oracle database appliance my first 90 days
Oracle database appliance my first 90 daysOracle database appliance my first 90 days
Oracle database appliance my first 90 daysRogerio Bacchi Eguchi
 
Api Design
Api DesignApi Design
Api Designsumithra jonnalagadda
 
Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015aioughydchapter
 

Recommended

Window International Network Prayer Points
Window International Network Prayer PointsWindow International Network Prayer Points
Window International Network Prayer Pointswin1040
 
Customer Service
Customer ServiceCustomer Service
Customer Servicesbeissner
 
Vinod Rebello
Vinod RebelloVinod Rebello
Vinod Rebelloprensacespi
 
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheClustering Made Easier: Using Terracotta with Hibernate and/or EHCache
Clustering Made Easier: Using Terracotta with Hibernate and/or EHCacheCris Holdorph
 
What's New with Windows Phone - FoxCon Talk
What's New with Windows Phone - FoxCon TalkWhat's New with Windows Phone - FoxCon Talk
What's New with Windows Phone - FoxCon TalkSam Basu
 
Oracle database appliance my first 90 days
Oracle database appliance my first 90 daysOracle database appliance my first 90 days
Oracle database appliance my first 90 daysRogerio Bacchi Eguchi
 
Api Design
Api DesignApi Design
Api Designsumithra jonnalagadda
 
Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015Aioug ha day oct2015 goldengate- High Availability Day 2015
Aioug ha day oct2015 goldengate- High Availability Day 2015aioughydchapter
 
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersJean-Frederic Clere
 
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Dennis Martin
 
Systems Automation with Puppet
Systems Automation with PuppetSystems Automation with Puppet
Systems Automation with Puppetelliando dias
 
Leveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN PerformanceLeveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN Performancebrettallison
 
Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020b0ris_1
 
Nagios 3
Nagios 3Nagios 3
Nagios 3rajni_kant
 
Apache Commons Overview
Apache Commons OverviewApache Commons Overview
Apache Commons Overviewghessler
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9Nuno Godinho
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toeintilop
 
Wikilims Road4
Wikilims Road4Wikilims Road4
Wikilims Road4guestcc22df
 
OAuth FTW
OAuth FTWOAuth FTW
OAuth FTWChris Messina
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaCarsonified Team
 
NFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkNFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkMichelle Holley
 
Stackato Presentation Techzone 2013
Stackato Presentation Techzone 2013Stackato Presentation Techzone 2013
Stackato Presentation Techzone 2013Martin Kenneth Michalsky
 
Running PHP on a Java container
Running PHP on a Java containerRunning PHP on a Java container
Running PHP on a Java containernetinhoteixeira
 
JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5Stephan Schmidt
 
Real-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKReal-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKData Con LA
 
Jboss World 2011 Infinispan
Jboss World 2011 InfinispanJboss World 2011 Infinispan
Jboss World 2011 Infinispancbo_
 
elk_stack_alexander_szalonnas
elk_stack_alexander_szalonnaselk_stack_alexander_szalonnas
elk_stack_alexander_szalonnasAlexander Szalonnas
 
Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4N Masahiro
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

More Related Content

Similar to Massimiliano Pala

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersJean-Frederic Clere
 
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Dennis Martin
 
Systems Automation with Puppet
Systems Automation with PuppetSystems Automation with Puppet
Systems Automation with Puppetelliando dias
 
Leveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN PerformanceLeveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN Performancebrettallison
 
Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020b0ris_1
 
Apache Commons Overview
Apache Commons OverviewApache Commons Overview
Apache Commons Overviewghessler
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9Nuno Godinho
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toeintilop
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaCarsonified Team
 
NFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkNFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkMichelle Holley
 
Running PHP on a Java container
Running PHP on a Java containerRunning PHP on a Java container
Running PHP on a Java containernetinhoteixeira
 
JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5Stephan Schmidt
 
Real-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKReal-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKData Con LA
 
Jboss World 2011 Infinispan
Jboss World 2011 InfinispanJboss World 2011 Infinispan
Jboss World 2011 Infinispancbo_
 
Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4N Masahiro
 

Similar to Massimiliano Pala (20)

HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our ServersHTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
HTTP/2, HTTP/3 and SSL/TLS State of the Art in Our Servers
 
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
Demartek Flash Memory Summit 2014 - Real-World Performance of Flash-Based Sto...
 
Systems Automation with Puppet
Systems Automation with PuppetSystems Automation with Puppet
Systems Automation with Puppet
 
Leveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN PerformanceLeveraging Open Source to Manage SAN Performance
Leveraging Open Source to Manage SAN Performance
 
Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020Cowboy dating with big data TechDays at Lohika-2020
Cowboy dating with big data TechDays at Lohika-2020
 
Nagios 3
Nagios 3Nagios 3
Nagios 3
 
Apache Commons Overview
Apache Commons OverviewApache Commons Overview
Apache Commons Overview
 
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
TechDays 2010 Portugal - Scaling your data tier with app fabric 16x9
 
Ethernet summit 2011_toe
Ethernet summit 2011_toeEthernet summit 2011_toe
Ethernet summit 2011_toe
 
Wikilims Road4
Wikilims Road4Wikilims Road4
Wikilims Road4
 
OAuth FTW
OAuth FTWOAuth FTW
OAuth FTW
 
How OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris MessinaHow OAuth and portable data can revolutionize your web app - Chris Messina
How OAuth and portable data can revolutionize your web app - Chris Messina
 
NFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function FrameworkNFF-GO (YANFF) - Yet Another Network Function Framework
NFF-GO (YANFF) - Yet Another Network Function Framework
 
Stackato Presentation Techzone 2013
Stackato Presentation Techzone 2013Stackato Presentation Techzone 2013
Stackato Presentation Techzone 2013
 
Running PHP on a Java container
Running PHP on a Java containerRunning PHP on a Java container
Running PHP on a Java container
 
JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5JSON-RPC Proxy Generation with PHP 5
JSON-RPC Proxy Generation with PHP 5
 
Real-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNKReal-time Streaming Pipelines with FLaNK
Real-time Streaming Pipelines with FLaNK
 
Jboss World 2011 Infinispan
Jboss World 2011 InfinispanJboss World 2011 Infinispan
Jboss World 2011 Infinispan
 
elk_stack_alexander_szalonnas
elk_stack_alexander_szalonnaselk_stack_alexander_szalonnas
elk_stack_alexander_szalonnas
 
Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4Fluentd and Embulk Game Server 4
Fluentd and Embulk Game Server 4
 

Recently uploaded

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Massimiliano Pala

  • 1. Supported by Interoperability and Usability of PKI Dartmouth College http://www.openca.org OpenCA v1.0.2+ (ten-ten2) Massimiliano Pala <project.manager@openca.org>
  • 2. Outline  Basic Installation Procedures  Graphical Installer vs Source code Installer  New Features Overview  Auto CA, Auto CRL, and Auto E-Mail  Browser Request & Authenticated Browser Request  Level of Assurance and License Agreements  Cryptographic Updates  ECDSA support  Upgrading to SHA256  Brief Demonstration M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 3. OpenCA – Graphical Installer  Graphical installer for binary installation  Donation by BitRock  Available for Fedora, Ubuntu, OpenSolaris, etc...  Useful for 99% of common installations  Runs in both graphical and text mode for remote installation  Not available for every platform  New distributions  More resources needed  Community support  Dependencies  OpenCA-Tools M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 4. OpenCA – Graphical Installer (cont.) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 5. OpenCA – Graphical Installer (cont.) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 6. Installing OpenCA from Sources-1  Source package installation  Suitable for many UNIX systems  BSD, Solaris, Linux, etc..  More flexible (allows many options to be set at installation time)  Requires more expertise in solving configuration issues  Dependencies  OpenSSL  OpenCA-Tools M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 7. Installing OpenCA from Sources-2  Example: $ ./configure --prefix=/opt/openca --with-openssl-prefix=/opt/openca-openssl --with-httpd-user=apache ... $ make ... $ make install-offline ... $ make install-online M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 8. Installing OpenCA: what's Next ?  Many Options to fit your CA  System Configuration(s)  Certificate Profiles and Certificate Policies  Service(s) configuration  Web Server  LDAP  Data Exchange device(s) or scripts  Core Configuration file  PREFIX/etc/openca/config.xml  Activate changes: restart OpenCA! M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 9. Online Daemons  On-Line daemons to ease Grid operations  On-Line CA support  Supported CA Operations  Automatic Certificate Issuing  Automatic CRL issuing  Supported RA Operations  Automatic E-Mail warning to Users M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 10. Auto Certificate Issuing  CA Interface  CA Operations -> Auto Certificate Issuing -> Enable  RA Options  Registration Authority (Requested by the User or setup in the request)  RA Operator that approved the request  Singed Requests only  Request Details  Requested Role  Level of Assurance  Accepted Algorithms and Key Sizes M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 11. Auto CRL Issuing System  CA Interface  CA Operations -> Auto CRL Issuing -> Enable  CRL Options  Issue CRL Every Period  CRL Validity is Period  CRL Extension  Where Period can be:  Days, Hours, Minutes, Seconds (for Issuing Period)  Days, Hours (for Validity – Limitation of OpenSSL) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 12. Auto E-Mail System  RA Interface  RA Operations -> Auto E-Mail -> Enable  Daemon Process Options  Check Period for outgoing mail  Days, Hours, Minutes, Seconds  E-Mail Options  Warn for Expiring Certificates  Filter Certificates by:  Role, LOA, Validity Period (minimum lifespan)  Up to two warning E-Mails  Certificates expiring within (Days, Hours) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 13. Browser Request  Unified Request for different browsers  Mozilla, Firefox, Konqueror, Opera, IE6, IE7  Support Server Side Key and Request Generation  XML configuration  PREFIX/etc/openca/browser_request.xml  Different Sections supported  User, Certificate, Keygen, Agreement  Subsections (Groups of Input fields)  Base DN added automatically to the request  Final Request Status (eg., NEW, APPROVED)  Full Input fields configuration M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 14. Browser Request (cont.)  $EXEC::[function] - Executes a function and uses the output to populate the input object  loadDataSources() - generates the list of the configured datasources in datasources.xml.template (**)  loadRoles() - generates the list of Roles (or profiles)  loadLoa() - generates the list of Levels Of Assurance  loadKeygenMode() - generates the list of Key Generation Modes allowed for the currently used browser (check the loa.xml config file as well)  loadKeyTypes() - generates the list of allowed Key Types. Currently supported are RSA, DSA, ECDSA; the list can be shorter depending on the capabilities of the browser and the type of current request.  loadKeyStrengths() - generates the list of allowed Key Strengths (check the loa.xml config file for more explanation) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 15. Browser Request Configuration ... <input> <!-- Name of the Input Field --> <name>loa</name> <!-- Label displayed to the User --> <label>Level of Assurance</label> <!-- Info Image and Link (right of Input) --> <info img=quot;bulb.pngquot;>?cmd=viewLoas</info> <!-- Type of input (eg., textfield, select, popup_menu, checkbox, etc...) --> <type>select</type> <charset>UTF8_LETTERS</charset> <value></value> <minlen>1</minlen> <required>YES</required> </input> ... M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 16. Authenticated Browser Request  Same Characteristics as the normal Request  Requires authentication to a Data Source  Currently Supported only LDAP  XML configuration  PREFIX/etc/openca/auth_browser_request.xml.template  Uses Datasources to determine the list of available data source for authentication and data retireval purposes  $DATA::[FIELD] - substitute the value with the FIELD value gathered from the chosen datasource:  e.g., 'givenName' available as $DATA::giveName. M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 17. LOAs and License Agreements  Level of Assurance  Different LOAs require different request properties  Different LOAs require different user behaviors  LOA configuration  Level, Name, Description  <Requires>  <Strength>  <Name>  <Allowed>ALGOR+MINKEYSIZE</Allowed>  Keygen  <Mode>Server (or Browser)</Mode>  <Agreement>agreement_file</Agreement>  Cert (i.e. CP and CPS) M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 18. Cryptographic Updates  Support for ECDSA  Only with ECDSA enabled openssl  No encryption is supported (as in DSA)  Smaller Keysizes (124 -> 521 bits)  Subset of curves supported (standard curves – NIST)  Support for SHA256  Enabled by default on OpenCA 1.0.x  No browsers support ECDSA requests  use Server Side generation  Support for ECDSA certificates in browsers still to be fully tested  Absolutely needed – 2010 is deadline for SHA1! M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 19. OpenCA: Next Steps  Integrating openca-tools with libpki  Take advantage of the extended support of algorithms and token interface  Adding PRQP web interface to OpenCA  Discovery of services for clients  Start of the OpenCA-DigiSign project  Beginning in April 2009  New C-Based codebase  Integrated with LibPKI  Commercial Support available M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 20. Questions M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 21. Questions contribute contribute contribute contribute contribute contribute Thank You! contribute contribute contribute contribute contribute contribute M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
  • 22. OpenCA References  OpenCA HomePage: https://www.openca.org  Main Contact: project dot manager at openca dot org M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina