ejbca admin gui - download.primekey.com
TRANSCRIPT
25/09/09 © 2009 PrimeKey Solutions AB 1
EJBCA Admin GUI
PrimeKey Solutions AB
Tomas Gustavssonhttp://[email protected]
25/09/09 © 2009 PrimeKey Solutions AB 2
Why?Technical reasons Written in 2002 years technology Hard to understand Hard to modify and improve Hard to maintain
Usability reasons Lacking functionlity (relates back to modify/improve) Does not look modern Complicated – too technical
25/09/09 © 2009 PrimeKey Solutions AB 3
When?Currently scheduled for EJBCA v4.1. Which will be after the refactoring to ejb3/jpa. With ejb3 it's easier to integrate web with beans. 2010
25/09/09 © 2009 PrimeKey Solutions AB 4
Inspiration?Make the simple things easy!
The user is not you!
Find out the common administration tasks to produce good work flows.
Don't make things that are easy today hard.
Make things that are hard today easy.
25/09/09 © 2009 PrimeKey Solutions AB 5
Mock up?...
25/09/09 © 2009 PrimeKey Solutions AB 6
Mock up
25/09/09 © 2009 PrimeKey Solutions AB 7
Mock up
25/09/09 © 2009 PrimeKey Solutions AB 8
Mock up
25/09/09 © 2009 PrimeKey Solutions AB 9
Mock up
25/09/09 © 2009 PrimeKey Solutions AB 10
Tasks – token mgmtToken management for Cas In Edit CAs, separate function to manage CA token. Button Create/Edit CA Token
New page with parameters, not determining keys used though. Generate keys, remove keys etc.
On edit CA page, select which keys to use from the token, from a list. Lots of unused keys can exist on the token (a pkcs#11 slot on HSM)
Sensible defaults
You can in quiet time generate new keys etc on the token, then select them for usage.
How about dual authentication? Edit CAs can require dual authentication. Generate keys etc should require token password.
Documentation...
25/09/09 © 2009 PrimeKey Solutions AB 11
Tasks – Edit CAs, CA functionsFunctionality to renew CA etc should be moved from Edit CAs, it's not editing.
New function to Manage CAs with renew, generate CRL, activate etc. Includes link to Edit CA
25/09/09 © 2009 PrimeKey Solutions AB 12
Tasks – ProfilesGood and plenty of default profiles.
Possibility to import profiles in GUI, where profiles can be prebuilt in ejbca.ear or located on file in file system (upload).
Common profiles always available: CA, Server, End user, VPN.
Less common profiles prebuilt for import: ePassport Document Signer, Inspection System, etc.
25/09/09 © 2009 PrimeKey Solutions AB 13
Tasks – Search end entitiesQuery language?
Define your own queries like ”select from UserData where subjectDN like '%$1'”. You get an input field for $1.
select from UserData where lastUpdated > 'now1week'
Save favourite queries in favourites list. Pre built list with good queries.
Old basic and advanced search needed?
25/09/09 © 2009 PrimeKey Solutions AB 14
Tasks – Search certificatesNot possible today. A big miss.
25/09/09 © 2009 PrimeKey Solutions AB 15
Tasks – view logSame query functions as for end entities.
Possibility of output to screen, xml, pdf, csv, …
25/09/09 © 2009 PrimeKey Solutions AB 16
Tasks – add entities and edit profiles
When adding an en end entity, links to jump to add/edit certificate/eeprofiles.
When editing end entity profiles, links to jump to add/edit certificate profile.
When saving added/edited profile, goes back to page you came from.
25/09/09 © 2009 PrimeKey Solutions AB 17
Tasks – administrationNew part in the GUI – Administration Create/edit end entity and certificate profiles Export/import profiles Administrators Backup/restore from mysql View Jboss log Stop/restart application server (call sudo c /etc/init.d/jboss restart)
Check/think nodecontrol Set paths and properties
if mysqldump should be called for database backup we have to configure the right command to do it.
25/09/09 © 2009 PrimeKey Solutions AB 18
ProfilesHaving different certificate profiles and end entity profiles is logical from PKI point of view.
Is it too hard? Too confusing?
Should they be hidden in a single wizard called ”jurisdiction” or similar?
Make the simple things easy! What are the simple things? What is easy?