Supported by: Interoperability and Usability of PKI, Dartmouth College

        http://www.openca.org

OpenCA v1.0.2+ (ten-ten2)

Massimiliano Pala <project.manager@openca.org>
Outline

    Basic Installation Procedures
        Graphical Installer vs Source code Installer

    New Features Overview
        Auto CA, Auto CRL, and Auto E-Mail
        Browser Request & Authenticated Browser Request
        Level of Assurance and License Agreements

    Cryptographic Updates
        ECDSA support
        Upgrading to SHA256

    Brief Demonstration
                            M.Pala @ 8th TagPMA F2F Meeting, Nov 2008, La Plata, Argentina
OpenCA – Graphical Installer
    Graphical installer for binary installation
        Donation by BitRock
        Available for Fedora, Ubuntu, OpenSolaris, etc...
        Useful for 99% of common installations
        Runs in both graphical and text mode for remote
         installation

    Not available for every platform
        New distributions
        More resources needed
        Community support

    Dependencies
        OpenCA-Tools
OpenCA – Graphical Installer (cont.)
    [image-only slide]
OpenCA – Graphical Installer (cont.)
    [image-only slide]
Installing OpenCA from Sources-1

    Source package installation
        Suitable for many UNIX systems
           BSD, Solaris, Linux, etc.
        More flexible (allows many options to be set at
         installation time)
        Requires more expertise in solving configuration issues

    Dependencies
        OpenSSL
        OpenCA-Tools




Installing OpenCA from Sources-2

    Example (the backslashes continue the configure command across lines):

     $ ./configure --prefix=/opt/openca \
            --with-openssl-prefix=/opt/openca-openssl \
            --with-httpd-user=apache
       ...

     $ make
       ...

     $ make install-offline
       ...

     $ make install-online




Installing OpenCA: what's Next?

    Many Options to fit your CA
        System Configuration(s)
        Certificate Profiles and Certificate Policies
        Service(s) configuration
          Web Server
          LDAP
          Data Exchange device(s) or scripts


    Core Configuration file
        PREFIX/etc/openca/config.xml

    Activate changes: restart OpenCA!

Online Daemons

    On-Line daemons to ease Grid operations
        On-Line CA support

    Supported CA Operations
        Automatic Certificate Issuing
        Automatic CRL issuing

    Supported RA Operations
        Automatic E-Mail warning to Users




Auto Certificate Issuing
     CA Interface
         CA Operations -> Auto Certificate Issuing -> Enable

     RA Options
         Registration Authority (Requested by the User or setup in
          the request)
         RA Operator that approved the request
         Signed Requests only

     Request Details
         Requested Role
         Level of Assurance

     Accepted Algorithms and Key Sizes
Auto CRL Issuing System

     CA Interface
         CA Operations -> Auto CRL Issuing -> Enable

     CRL Options
         Issue CRL Every Period
         CRL Validity is Period
         CRL Extension

     Where Period can be:
         Days, Hours, Minutes, Seconds (for Issuing Period)
         Days, Hours (for Validity – Limitation of OpenSSL)
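A sanity check for the two periods above, added here as an example and not part of OpenCA: it enforces the unit restrictions the slide lists (seconds to days for the issuing period, only hours and days for validity) and flags a CRL validity too short to cover the issuing period. The "<count> <Unit>" string notation is an assumption for the example, not OpenCA's configuration syntax.

```python
from datetime import timedelta

# Units OpenCA accepts for the issuing period; CRL validity is limited to
# days and hours (the OpenSSL limitation noted on the slide).
ISSUE_UNITS = {"days": 86400, "hours": 3600, "minutes": 60, "seconds": 1}
VALIDITY_UNITS = {"days": 86400, "hours": 3600}


def parse_period(text, allowed):
    """Parse an assumed "<count> <Unit>" notation (e.g. "6 Hours") into a
    timedelta, rejecting units that are not valid for this kind of period."""
    parts = text.strip().split()
    if len(parts) != 2 or not parts[0].isdigit():
        raise ValueError(f"bad period: {text!r}")
    count, unit = int(parts[0]), parts[1].lower()
    unit = unit if unit.endswith("s") else unit + "s"   # "Hour" -> "hours"
    if unit not in allowed:
        raise ValueError(f"unit {unit!r} not allowed for this period")
    if count <= 0:
        raise ValueError("period must be positive")
    return timedelta(seconds=count * allowed[unit])


def check_crl_schedule(issue_every, validity, safety_factor=2):
    """Return (ok, reason). A CRL that expires before the next one is issued
    leaves relying parties with no fresh CRL; requiring validity of at least
    safety_factor times the issuing period also survives one missed run."""
    issue = parse_period(issue_every, ISSUE_UNITS)
    valid = parse_period(validity, VALIDITY_UNITS)
    if valid < issue:
        return False, "validity shorter than issuing period: coverage gap"
    if valid < safety_factor * issue:
        return False, (f"validity below {safety_factor}x issuing period: "
                       "one missed run leaves an expired CRL")
    return True, "ok"
```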


Auto E-Mail System
     RA Interface
         RA Operations -> Auto E-Mail -> Enable

     Daemon Process Options
         Check Period for outgoing mail
           Days, Hours, Minutes, Seconds


     E-Mail Options
         Warn for Expiring Certificates
         Filter Certificates by:
            Role, LOA, Validity Period (minimum lifespan)
         Up to two warning E-Mails
            Certificates expiring within (Days, Hours)
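The selection logic behind those e-mail options, written as an added example (not OpenCA's daemon code): certificates are filtered by role, LOA and minimum lifespan, and each gets at most one of the two warnings per run, the most urgent unsent one. The certificate records, the CONFIG layout and the run_check helper are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample certificates (not real OpenCA records).
CERTS = [
    {"serial": 1, "role": "User", "loa": "medium",
     "not_before": datetime(2008, 1, 1), "not_after": datetime(2008, 11, 20)},
    {"serial": 2, "role": "User", "loa": "medium",          # too short-lived
     "not_before": datetime(2008, 11, 1), "not_after": datetime(2008, 11, 12)},
    {"serial": 3, "role": "Server", "loa": "high",          # role not selected
     "not_before": datetime(2007, 12, 1), "not_after": datetime(2008, 11, 25)},
    {"serial": 4, "role": "User", "loa": "low",             # LOA not selected
     "not_before": datetime(2008, 1, 1), "not_after": datetime(2008, 11, 11)},
]

# Assumed layout mirroring the slide's options.
CONFIG = {
    "roles": {"User"},                                   # Filter by Role
    "loas": {"medium", "high"},                          # Filter by LOA
    "min_lifespan": timedelta(days=90),                  # minimum lifespan
    "warnings": [timedelta(days=14), timedelta(days=2)], # up to two E-Mails
}


def matches_filter(cert, cfg):
    lifespan = cert["not_after"] - cert["not_before"]
    return (cert["role"] in cfg["roles"] and cert["loa"] in cfg["loas"]
            and lifespan >= cfg["min_lifespan"])


def select_warnings(certs, cfg, now, already_sent):
    """Return [(serial, warning_index)] due at `now`; already_sent maps a
    serial to the set of warning indexes already mailed for it."""
    due = []
    # Most urgent (shortest) window first so a cert 1 day from expiry gets
    # the 2-day warning even if the 14-day one was never sent.
    windows = sorted(enumerate(cfg["warnings"]), key=lambda p: p[1])
    for cert in certs:
        if not matches_filter(cert, cfg):
            continue
        remaining = cert["not_after"] - now
        if remaining <= timedelta(0):
            continue   # already expired: a warning is pointless now
        sent = already_sent.get(cert["serial"], set())
        for idx, window in windows:
            if remaining <= window and idx not in sent:
                due.append((cert["serial"], idx))
                break  # one mail per certificate per daemon run
    return due


def run_check(day, already_sent=None):
    """Convenience wrapper: run the selection for an ISO date like 2008-11-10."""
    return select_warnings(CERTS, CONFIG, datetime.fromisoformat(day),
                           already_sent or {})
```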

Browser Request
    Unified Request for different browsers
        Mozilla, Firefox, Konqueror, Opera, IE6, IE7
        Support Server Side Key and Request Generation

    XML configuration
        PREFIX/etc/openca/browser_request.xml
        Different Sections supported
           User, Certificate, Keygen, Agreement
        Subsections (Groups of Input fields)
        Base DN added automatically to the request
        Final Request Status (e.g., NEW, APPROVED)

    Full Input fields configuration
Browser Request (cont.)
     $EXEC::[function] - Executes a function and
      uses the output to populate the input object
         loadDataSources() - generates the list of the configured
          datasources in datasources.xml.template (**)
         loadRoles() - generates the list of Roles (or profiles)
         loadLoa() - generates the list of Levels Of Assurance
         loadKeygenMode() - generates the list of Key
          Generation Modes allowed for the currently used browser
          (check the loa.xml config file as well)
         loadKeyTypes() - generates the list of allowed Key
          Types. Currently supported are RSA, DSA, ECDSA; the
          list can be shorter depending on the capabilities of the
          browser and the type of current request.
         loadKeyStrengths() - generates the list of allowed Key
          Strengths (check the loa.xml config file for more
          explanation)
Browser Request Configuration

   ...
   <input>
      <!-- Name of the Input Field -->
      <name>loa</name>
      <!-- Label displayed to the User -->
      <label>Level of Assurance</label>
      <!-- Info Image and Link (right of Input) -->
      <info img="bulb.png">?cmd=viewLoas</info>
      <!-- Type of input (e.g., textfield, select,
           popup_menu, checkbox, etc...) -->
      <type>select</type>
      <charset>UTF8_LETTERS</charset>
      <value></value>
      <minlen>1</minlen>
      <required>YES</required>
   </input>
   ...
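A server-side validator for a submitted value against such an <input> definition, added as an example and not OpenCA's own code: it reads name, type, charset, minlen and required from the fragment above and rejects anything outside the whitelist, including a select value that is not one of the server's offered choices. The meaning attached to the charset names (UTF8_LETTERS as letters only) is an assumption for the example.

```python
import re
import xml.etree.ElementTree as ET

# The <input> definition from the slide (quoted attribute repaired).
INPUT_XML = """
<input>
  <name>loa</name>
  <label>Level of Assurance</label>
  <info img="bulb.png">?cmd=viewLoas</info>
  <type>select</type>
  <charset>UTF8_LETTERS</charset>
  <value></value>
  <minlen>1</minlen>
  <required>YES</required>
</input>
"""

# Assumed mapping of charset names to whitelist patterns (full match only).
CHARSETS = {
    "UTF8_LETTERS": re.compile(r"[^\W\d_]+"),   # Unicode letters, nothing else
    "ALPHANUM": re.compile(r"[A-Za-z0-9]+"),
}


def parse_input(xml_text):
    """Extract the validation-relevant parts of one <input> element."""
    el = ET.fromstring(xml_text)
    return {
        "name": el.findtext("name"),
        "type": el.findtext("type"),
        "charset": el.findtext("charset"),
        "minlen": int(el.findtext("minlen") or 0),
        "required": (el.findtext("required") or "NO").strip().upper() == "YES",
    }


def validate(field, value, choices=None):
    """Return a list of error strings; an empty list means the value is accepted.
    For a select field the value must be one of the choices the server itself
    generated (e.g. from loadLoa()), never a value trusted from the client."""
    errors = []
    name = field["name"]
    value = (value or "").strip()
    if not value:
        if field["required"]:
            errors.append(f"{name}: required")
        return errors
    if len(value) < field["minlen"]:
        errors.append(f"{name}: shorter than minlen {field['minlen']}")
    pattern = CHARSETS.get(field["charset"])
    if pattern is None:
        errors.append(f"{name}: unknown charset {field['charset']!r}, rejecting")
    elif not pattern.fullmatch(value):
        errors.append(f"{name}: characters outside charset {field['charset']}")
    if field["type"] == "select" and choices is not None and value not in choices:
        errors.append(f"{name}: not an offered choice")
    return errors
```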




Authenticated Browser Request
     Same Characteristics as the normal Request

     Requires authentication to a Data Source
         Currently Supported only LDAP

     XML configuration
         PREFIX/etc/openca/auth_browser_request.xml.template
         Uses Datasources to determine the list of available data
          sources for authentication and data retrieval purposes

     $DATA::[FIELD] - substitute the value with the
      FIELD value gathered from the chosen
      datasource:
         e.g., 'givenName' available as $DATA::givenName.
LOAs and License Agreements
    Level of Assurance
        Different LOAs require different request properties
        Different LOAs require different user behaviors

    LOA configuration
        Level, Name, Description
        <Requires>
           <Strength>
              <Name>
              <Allowed>ALGOR+MINKEYSIZE</Allowed>
        Keygen
           <Mode>Server (or Browser)</Mode>
        <Agreement>agreement_file</Agreement>
        Cert (i.e. CP and CPS)
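How a LOA's <Allowed>ALGOR+MINKEYSIZE</Allowed> entries and <Keygen><Mode> can be turned into an accept/reject decision for a request's key, as an added example (not OpenCA's loa.xml parser). The XML fragment follows the element names on the slide but is constructed; its nesting and the medium_agreement.txt file name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed LOA definition using the slide's element names.
LOA_XML = """
<loa>
  <Level>2</Level>
  <Name>medium</Name>
  <Description>Medium assurance; browser or server-side keygen</Description>
  <Requires>
    <Strength>
      <Name>medium-keys</Name>
      <Allowed>RSA+2048</Allowed>
      <Allowed>ECDSA+256</Allowed>
    </Strength>
    <Keygen>
      <Mode>Server</Mode>
      <Mode>Browser</Mode>
    </Keygen>
    <Agreement>medium_agreement.txt</Agreement>
  </Requires>
</loa>
"""


def parse_loa(xml_text):
    """Read the algorithm/minimum-size pairs, permitted keygen modes and
    agreement file from one LOA definition."""
    root = ET.fromstring(xml_text)
    allowed = {}
    for entry in root.iterfind("Requires/Strength/Allowed"):
        algo, _, bits = (entry.text or "").strip().partition("+")
        if not algo or not bits.isdigit():
            raise ValueError(f"malformed Allowed entry: {entry.text!r}")
        allowed[algo.upper()] = int(bits)
    modes = {(m.text or "").strip().lower()
             for m in root.iterfind("Requires/Keygen/Mode")}
    return {
        "level": int(root.findtext("Level")),
        "name": root.findtext("Name"),
        "allowed": allowed,
        "modes": modes,
        "agreement": root.findtext("Requires/Agreement"),
    }


def key_meets_loa(loa, key_type, key_bits, keygen_mode):
    """True only if the algorithm is listed for this LOA, the key is at least
    the listed minimum size and the keygen mode is permitted. An algorithm
    the LOA does not name is rejected rather than silently accepted."""
    minimum = loa["allowed"].get(key_type.upper())
    if minimum is None or key_bits < minimum:
        return False
    return keygen_mode.strip().lower() in loa["modes"]
```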
Cryptographic Updates
    Support for ECDSA
        Only with ECDSA enabled openssl
        No encryption is supported (as in DSA)
        Smaller Keysizes (124 -> 521 bits)
        Subset of curves supported (standard curves – NIST)

    Support for SHA256
        Enabled by default on OpenCA 1.0.x
        No browsers support ECDSA requests
           use Server Side generation
        Support for ECDSA certificates in browsers still to be fully
         tested
        Absolutely needed – 2010 is deadline for SHA1!
OpenCA: Next Steps

     Integrating openca-tools with libpki
         Take advantage of the extended support of algorithms
          and token interface


     Adding PRQP web interface to OpenCA
         Discovery of services for clients


     Start of the OpenCA-DigiSign project
         Beginning in April 2009
         New C-Based codebase
         Integrated with LibPKI
         Commercial Support available
Questions

         Thank You!
OpenCA References

   OpenCA HomePage:

             https://www.openca.org

   Main Contact:

          project dot manager at openca dot org


