PKI Competition and EJBCA Integration
5th February 2009
Marco Reichwald, LVM
Michael Pollmeier, S&N AG
2February 2009 S&N AG, LVM Versicherungen
Agenda
LVM and S&N
The PKI-Study
Why did EJBCA win?
Integration in our large environment
Experiences
LVM and S&N
LVM Versicherungen
Founded in 1896
One of the 20 largest insurers in Germany
About 3m customers and 9m contracts
Head office in Münster, approx. 2100 agencies all over Germany
S&N
Established in 1991
Private limited company since 1999
Head office in Paderborn
Subsidiaries in Berlin, Frankfurt/Main, München
Approx. 150 employees (S&N Group)
Network of partners worldwide
Financial statements: Balance sheets, compilation, acquisition; transfer, valuation, rating
Financing: Basel II and credit processes; consumer credits, object financing
Business Process Management: DWH, databases, data mining; data modelling, reporting and OLAP
Process optimisation: Process integration, connection; analysis, modelling, prototyping
Multi Channel Support: Branch, mobile, Internet; self service terminals
Output management: Design, forms; print management AFP
IT Infrastructure: Citrix Terminal Server, databases; web and application servers, monitoring
SOA Expertise: Process evaluation from the business side; introduction of SOA architecture
Groupware and Messaging: Infrastructure, migration, roll out; system operations / application development
Open Source for Enterprises: Portals, customised/verified products; service and support
SAP Projects: SAP R/3, SAP BW, SAP EP, SAP IS-U; Insurance AddOn InSTRA
Banking periphery: Device integration and architecture; solutions for cash processes
Quality management – Project implementation – Application management
[Diagram labels: IT Operations, IT Development, Business Innovation, Business Consulting, Realisation, Initialisation, Operations, Preparation for operation]
The PKI-Study
Starting point
History: IBM Tivoli PKI
Afterwards: "Self made" PKI based on OpenSSL, intended to be used for a transitional period
Needed: standard software
Consulting project started
Requirements analysis
current architecture and technologies
expected future developments
weighted requirements matrix
Market study
Open Source and commercial products
Contacted all major players
First round: filtering out with requirements matrix
MS Windows Server 2008
Entrust Authority
Novell
OpenXPKI
Duel
EJBCA
Red Hat Certificate Server
Prototyping
Marketing vs. reality
Duelling Results
Usability
Both have separate UIs for admins and users
Script support
Red Hat lacks of
Inconsistent usability: admin console
History not usable
Documentation
EJBCA: quite lean, but handles all major points
Red Hat: very detailed, not very deep
Both: additional support needed
Architecture
EJBCA:
JEE Technology
Tidy, well structured
Using standard libs
Red Hat:
Technology mix: Java, C, Perl
Untidy and outdated
Many Netscape relics
Outlook
EJBCA:
Evolution instead of revolution
Future-proof architecture
Web Services
Red Hat:
Version 8 should fix many architectural issues
Integration into RHEL5
FreeIPA
Why did EJBCA win?
EJBCA:
Lively open source project
Good architecture
Support directly from the core developers
Red Hat Certificate Server:
FreeIPA: good vision, but not ready yet
Infrastructure
[Infrastructure diagram; labels: Linux Clients, LDAP Reverse Proxy, Backends]
A new PKI
We needed a new solution due to requirements of our networking team:
"We want to test VPN devices that get their certificates via SCEP"
Benefit of open source: If you find a working solution, just download and install
First contact with EJBCA
1. Edit some config files,
2. Deploy into JBoss,
3. There is no step 3!
You have a running PKI to play around with
EJBCA
After the official decision
Individual training directly from the developers:
You get a basic understanding of how everything works
You have a good feeling
Transition from old to new
Existing setup works with web services and LDAP
EJBCA works with web services and LDAP (and everything is open)
Solution: Write some wrappers and we're done.
No need to touch clients, allows simple drop-in replacement
Architecture
Based on Enterprise Java Beans, EJBCA supports a wide range of platforms
We are using Linux on x86 (RHEL) and DB/2
...but DB/2 on z/OS
Support
Official support partner is S&N (German contract)
Technical support from PrimeKey
Direct contact to developers, no arguing with 1st-level support
DB/2 on z/OS support was working after 2 days
Thank you!