PKI Competition andEJBCA Integration

5th February 2009

Marco Reichwald, LVMMichael Pollmeier, S&N AG

2February 2009 S&N AG, LVM Versicherungen

Agenda

LVM and S&N

The PKI-Study

Why did EJBCA win?

Integration in our large environment

Experiences

3February 2009

LVM and S&N

S&N AG, LVM Versicherungen

LVM Versicherungen

Founded in 1896

One of the 20 largest insurers in Germany

About 3m customers and 9m contracts

Head office in Münster, approx. 2100 agencies all over Germany

4February 2009

LVM and S&N

S&N AG, LVM Versicherungen

S&N

Established in 1991

Private limited company since 1999

Head office in Paderborn

Subsidiaries in Berlin, Frankfurt/Main, München

Approx. 150 employees (S&N Group)

Network of partners worldwide

5February 2009

LVM and S&N

S&N AG, LVM Versicherungen

Financial statements- Balance sheets, compilation, acquisition - Transfer, valuation, rating

Financing- Basel II and credit processes- Consumer credits, object financing

Business Process Management- DWH, data bases, data mining,- Data modelling, reporting and OLAP

Process optimisation- Process integration, connection- Analysis, modelling, prototyping

Multi Channel Support- Branch, mobile, iInternet- Self service terminals

Output management- Design, forms- Print management AFP

IT Infrastructure - Citrix Terminal Server, data bases- Web and application servers, monitoring

SOA Expertise- Process evaluation from the business side - Introduction of SOA architecture

Groupware and Messaging- Infrastructure, migration, roll out- System operations / application development

Open Source for Enterprises- Portals, customised/verified products- Service and Support

SAP Projects- SAP R/3, SAP BW, SAP EP, SAP IS-U,- Insurance AddOn InSTRA

Banking periphery- Device integration and architecture- Solutions for cash processes

Quality management – Project implementation – Application management

IT OperationsIT DevelopmentBusiness

InnovationBusiness

ConsultingReali-sation

Initiali-sation Operations

Preparation for operation

6February 2009

The PKI-Study

S&N AG, LVM Versicherungen

Starting point

History: IBM Tivoli PKI

Afterwards: "Self made" PKI based on OpenSSLintended to be used for a transitional period

needed: standard software

consulting project started

7February 2009

The PKI-Study

S&N AG, LVM Versicherungen

Requirements analysis

current architecture and technologies

expected future developments

weighted requirements matrix

8February 2009

The PKI-Study

S&N AG, LVM Versicherungen

Market study

Open Source and commercial products

Contacted all major players

First round: filtering out with requirements matrixMS Windows Server 2008

Entrust Authority

Novell

OpenXPKI

9February 2009

The PKI-Study

S&N AG, LVM Versicherungen

Duel

EJBCA

Red Hat Certificate Server

Prototyping

Marketing vs. reality

10February 2009

Duelling Results

S&N AG, LVM Versicherungen

Usability

Both have separate UIs for admins and users

Script support

Red Hat lacks ofInconsistent usability: admin console

History not usable

11February 2009

Duelling Results

S&N AG, LVM Versicherungen

Documentation

EJBCAquite lean, but handles all major points

Red HatVery detailed, not very deep

BothAdditional support needed

12February 2009

Duelling Results

S&N AG, LVM Versicherungen

Architecture

EJBCAJEE Technology

Tidy, well structured

Using standard libs

Red Hat:Technology mix: Java, C, Perl

Untidy and outdated

Many netscape relics

13February 2009

Duelling Results

S&N AG, LVM Versicherungen

Outview

EJBCAEvolution instead of revolution

Future-safe architecture

Web Services

Red HatVersion 8 should fix many architectural issues

Integration into RHEL5

FreeIPA

14February 2009

Duelling Results

S&N AG, LVM Versicherungen

Why did EJBCA win?

EJBCAlively open source project

good architecture

support directly from the core devolopers

Red HatCertificate Server

FreeIPA: good vision, but not ready yet

15February 2009

Infrastructure

S&N AG, LVM Versicherungen

Linux Clients

LDAP Reverse Proxy

BackendsBackends

BackendsBackends

16February 2009 S&N AG, LVM Versicherungen

We needed a new solution due to requirements of our networking team:

"We want to test VPN devices that get their certificates via SCEP“

Benefit of open source: If you find a working solution, just download and install

A new PKI

17February 2009

A new PKI

S&N AG, LVM Versicherungen

First contact with EJBCA

1. Edit some config files,

2. Deploy into JBoss,

3. There is no step 3!

You have a running PKI to play around with

18February 2009

EJBCA

S&N AG, LVM Versicherungen

After the official decision

Individual training direct from the developers: You get a basic understanding of how everything works

you have a good feeling

19February 2009

EJBCA

S&N AG, LVM Versicherungen

Transition from old to new

Existing setup works with webservices and LDAP EJBCA works with webservices and LDAP (and everything is

open)

Solution: Write some wrappers and we're done.No need to touch clients, allows simple drop-in replacement

20February 2009

EJBCA

S&N AG, LVM Versicherungen

Architecture

Based on Enterprise Java Beans, EJBCA supports a wide range of platforms

We are using Linux on x86 (RHEL) and DB/2

...but DB/2 on z/OS

21February 2009

EJBCA

S&N AG, LVM Versicherungen

Support

Official support partner is S&N (German contract) Technical support from PrimeKey Direct contact to developers, no arguing with 1st-level support

DB/2 on z/OS support was working after 2 days

22February 2009 S&N AG, LVM Versicherungen

Thank you!