Question and Answer (Personal Use)

Topic: EJBCA API
 
1. How to obtain a private key using the EJBCA API
 
See se.anatom.ejbca.keyrecovery.IKeyRecoverySessinBeanRemote.  
Mainly, it's the methods addKeyRecoveryData and keyrecover that should be used.
 
2.
Q:
I would like to ask about EJBCA Approval. I have noticed that the EJBCA web services don't include Approval. Hence I would like to try and do the Approval. I need some information on the Approval part.
1. Which class is responsible for listing all the end users to be approved?
2. Which table among the EJBCA tables is responsible for saving the users waiting to be approved?
3. Can this be done?
 
A:
I think that the webservice calls do handle approvals. I.e. you can send a request with WS-api and the request requires approval to be executed.  
But perhaps you mean that it should be possible to approve requests using new ws-api calls?
 
3. How to interact with EJBCA
Hi, EJBCA has an extensive API using session beans (J2EE). The session bean API is normally not exposed to clients but firewalled and confined to the application server. This is because the API can be used to create new users etc, things normally not available to anyone :-) 
 
It is quite easy to use HTTP from the Java client to request certificates and to retrieve other users' certificates. There is an old sample in src/java/se/anatom/ejbca/samples/HttpGetCert.java for requesting a cert programmatically. The sample is old, as I said, so it possibly needs some modification.
Retrieving another user's certificate can be done by issuing the same GET request as used on the public web pages.
 
We have a long standing feature request for a public SOAP API.  
http://jira.primekey.se/browse/ECA-135 
but there is no ETA on that. 
 
4.
 
Topic: integrate
 
1.How to integrate EJBCA to Applications fo
The most suitable approach is to separate the functions. Use a Tomcat server for the forum, which requests certificates directly from EJBCA (on another server with JBoss). To do this, create a web page in your forum that makes a request (authenticated or not) to democertreq (see \src\ejbca\src\java\se\anatom\ejbca\apply) using the POST method.
 
EJBCA does not perform customer authentication. You have to develop this part yourself or use an application such as http://www.josso.org/.
 
1 - To use EJBCA you have to use JBoss and Tomcat at the same time. JBoss manages the PKI application.
Tomcat (Catalina) manages the web part of the PKI. You cannot use Tomcat alone with EJBCA.

By default, EJBCA uses JKS for Tomcat, but it is possible to use a PKCS12 or PFX file.
EJBCA uses the JKS file in Tomcat for the SSL part. Its function is to be the server certificate.
The specific management of rights is handled by EJBCA (developed in Java) and this has nothing
to do with Tomcat.
 
 
2 - The JKS keystore, keystoreFile=${jboss.server.home.dir}/conf/keystore/keystore.jks, is installed by default
during the EJBCA installation process. It is the server certificate that allows SSL negotiation between the customer (browser)
and the server (Tomcat).
 
3 - The JKS keystore and P12 or PFX have nothing to do with each other.
P12, PFX, PVK, SPC, JKS, etc. are different formats for storing certificates,
private keys, and CA certificates.
 
Otherwise, EJBCA PKI can produce server and customer certificates in JKS or P12 (PFX) format.
 
I strongly advise you to study the basics of PKI, the storage formats for cryptographic data,
etc. You will find a lot of information on Google.
 
Note: Using EJBCA requires a background in PKI and in external components (MySQL, LDAP, JBoss, etc.).
 
If you wish to manage access rights based on certificates, EJBCA is not made for that. EJBCA
is a PKI. It manages the life cycle of certificates (generation, issuance, revocation), not access rights to
external applications.
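
The answer above treats JKS and P12/PFX as different containers for certificates and keys. As an added example (not from the original post or from EJBCA), this Python code identifies the container and inventories a JKS file's entries without the password, which works because JKS encrypts only the private key bytes; `inventory` and `sample_jks` are hypothetical names and the sample keystore is constructed from dummy bytes.

```python
import io
import struct

JKS_MAGIC = 0xFEEDFEED  # Sun JKS header magic
KINDS = {1: "private-key", 2: "trusted-cert"}

def _utf(buf):  # Java writeUTF: 2-byte length, then (modified) UTF-8 bytes
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n).decode("utf-8")

def _blob(buf):  # 4-byte big-endian length, then that many bytes
    (n,) = struct.unpack(">I", buf.read(4))
    return buf.read(n)

def inventory(data):
    """Return (format, [(alias, kind, cert_count)]) without needing the password."""
    if len(data) >= 12 and struct.unpack(">I", data[:4])[0] == JKS_MAGIC:
        buf = io.BytesIO(data)
        _magic, version, count = struct.unpack(">III", buf.read(12))
        if version not in (1, 2):
            raise ValueError("unsupported JKS version")
        entries = []
        for _ in range(count):
            (tag,) = struct.unpack(">I", buf.read(4))
            alias = _utf(buf)
            buf.read(8)  # creation time in milliseconds
            if tag not in KINDS:
                raise ValueError(f"unknown entry tag {tag}")
            if tag == 1:
                _blob(buf)  # private key, encrypted under the key password
            (n,) = struct.unpack(">I", buf.read(4)) if tag == 1 else (1,)
            for _i in range(n):
                if version == 2:
                    _utf(buf)  # certificate type string, e.g. "X.509"
                _blob(buf)  # certificate bytes, stored unencrypted
            entries.append((alias, KINDS[tag], n))
        return "JKS", entries  # trailing 20-byte integrity digest is not checked
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE: PKCS#12/PFX is DER-encoded
        return "DER (PKCS12/PFX candidate)", []
    return "unknown", []

def sample_jks():
    # Constructed JKS v2: one key entry with a 2-cert chain, one trusted cert
    u = lambda s: struct.pack(">H", len(s)) + s
    b = lambda x: struct.pack(">I", len(x)) + x
    cert, ts = u(b"X.509") + b(b"\x30\x00"), bytes(8)
    key = struct.pack(">I", 1) + u(b"tomcat") + ts + b(b"KEY") + struct.pack(">I", 2) + cert * 2
    ca = struct.pack(">I", 2) + u(b"rootca") + ts + cert
    return struct.pack(">III", JKS_MAGIC, 2, 2) + key + ca + bytes(20)
```

A truncated file raises `struct.error`, and a DER result only says the file is not JKS; confirming PKCS#12 needs a real ASN.1 parser.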

    This article is reposted from danni505's 51CTO blog. Original link: http://blog.51cto.com/danni505/154404. To repost it, please contact the original author.

