CMP Proxy

ENTERPRISE This is an EJBCA Enterprise feature.

The following describes the CMP Proxy module. For more information about the Certificate Management Protocol (CMP) and how it works with EJBCA, see CMP.

In some installations it may be desirable to terminate the client connection in a DMZ before connecting further to the CA, so that the client never has a direct network connection to the CA machine. In such a scenario you can use the CMP Proxy module. Clients use the CMP Proxy exactly as they would otherwise use EJBCA; the proxy in turn connects to EJBCA, obtains the answer and forwards it back to the client.

The proxy is a stand-alone module that runs on a different machine from the CA itself.

See EJBCA_HOME/modules/cmpProxy/resources/README for information on how to build and use the proxy.

Backends

The CMP Proxy can use different connection backends to the CA. The most useful are:

  • Direct HTTP connection: The CMP Proxy opens a new HTTP connection to the CA and, once it has received the CA's response, returns that response to the client over the client connection.

  • External RA connection: The CMP Proxy stores the request as an external RA message in an external RA database, which the CA polls. When the CA stores a response message in the external RA database, the CMP Proxy picks it up and returns it to the client.

CMP Proxy Message Validation

The CMP Proxy has options for verifying CMP message protection in the proxy, before passing the message on to the CA. Password-based MAC and signature protection can be verified. These validations are activated in cmpProxy.properties. A CMP message header only allows one form of protection per message, so activating both modes allows messages to use either form. Rejected messages never pass the CMP Proxy, but are rejected in the same form as if they had been rejected by the CA.

Password based MAC

Password-based MAC verification is activated by setting the following value to true in cmpProxy.properties:

cmp.backend.hmacPasswordValidationRequired=true

In addition, KeyId/password pairs need to be defined, where the KeyId is the name of the CA and the password is the CMP RA Authentication Secret for that CA:

cmp.backend.hmacPassword.keylist=[ca1:foo][ca2:bar]
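The following is an added illustration of what the password-based MAC check amounts to; it is not the CMP Proxy's own code. It parses the keylist format shown above into KeyId/secret pairs, computes a PasswordBasedMac as defined in RFC 4210 section 5.1.3.1 (the shared secret and salt are hashed iterationCount times to form BASEKEY, and the protection value is an HMAC over the DER-encoded ProtectedPart), and maps the two rejection cases from the proxy's error table to BAD_REQUEST (2). The message dictionary and the protected-part bytes are constructed stand-ins for a real PKIMessage, and the handling of an unknown KeyId is an assumption of the example.

```python
import hashlib
import hmac
import re

# Error code taken from the proxy's error table: rejected protection -> BAD_REQUEST (2).
BAD_REQUEST = 2


def parse_keylist(value):
    """Parse the cmp.backend.hmacPassword.keylist value, e.g. "[ca1:foo][ca2:bar]",
    into a {KeyId: password} dict. The KeyId is the CA name, the password its RA secret."""
    return {kid: pwd for kid, pwd in re.findall(r"\[([^:\]]+):([^\]]*)\]", value)}


def pbm_basekey(secret, salt, iteration_count, owf="sha256"):
    """RFC 4210 5.1.3.1: BASEKEY is the one-way function applied iteration_count
    times, starting from secret || salt."""
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    basekey = secret + salt
    for _ in range(iteration_count):
        basekey = hashlib.new(owf, basekey).digest()
    return basekey


def pbm_mac(secret, salt, iteration_count, protected_part, owf="sha256", mac="sha256"):
    """PasswordBasedMac protection value: HMAC(BASEKEY, DER(ProtectedPart))."""
    key = pbm_basekey(secret, salt, iteration_count, owf)
    return hmac.new(key, protected_part, mac).digest()


def build_message(sender_kid, secret, protected_part, salt=b"\x5a" * 16, iteration_count=2048):
    """Client side. Constructed stand-in for a PKIMessage: senderKID names the CA,
    PBMParameter carries salt and iterationCount, protection is the MAC over protected_part."""
    return {
        "sender_kid": sender_kid,
        "pbm_params": (salt, iteration_count),
        "protected_part": protected_part,
        "protection": pbm_mac(secret.encode(), salt, iteration_count, protected_part),
    }


def validate_pbm(msg, keylist):
    """Proxy side. Return None when the MAC verifies, else (reason, error_code)."""
    if msg.get("protection") is None or msg.get("pbm_params") is None:
        # hmacPasswordValidationRequired=true but the message carries no PBM protection.
        return ("no protection present", BAD_REQUEST)
    secret = keylist.get(msg.get("sender_kid"))
    if secret is None:
        # Assumption of this example: an unknown KeyId cannot be verified, so it is
        # reported the same way as any other failed verification.
        return ("HMAC verification failed", BAD_REQUEST)
    salt, iteration_count = msg["pbm_params"]
    expected = pbm_mac(secret.encode(), salt, iteration_count, msg["protected_part"])
    # Constant-time comparison so that the MAC check does not leak via timing.
    if not hmac.compare_digest(expected, msg["protection"]):
        return ("HMAC verification failed", BAD_REQUEST)
    return None


if __name__ == "__main__":
    keylist = parse_keylist("[ca1:foo][ca2:bar]")
    good = build_message("ca1", "foo", b"constructed ProtectedPart bytes")
    bad = build_message("ca2", "wrong-secret", b"constructed ProtectedPart bytes")
    print(validate_pbm(good, keylist))  # None: accepted, would be forwarded to the CA
    print(validate_pbm(bad, keylist))   # ('HMAC verification failed', 2)
```

The point to carry over to the real deployment is the ordering: the secret lookup is keyed on the KeyId carried in the message header, and a message that fails the lookup or the MAC comparison is answered by the proxy and never reaches the CA.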

Signature

Signature verification is activated by setting the following value:

cmp.backend.signatureRequired=true

In addition to this, the following value needs to be defined:

cmp.backend.issuerchainpath

This value can be set either to a single PEM file or to a directory containing multiple PEM files, representing one or more valid issuers of signing certificates.
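As an added configuration check (not part of the CMP Proxy's own code), the following reads the two signature settings from a cmpProxy.properties-style text, resolves cmp.backend.issuerchainpath as either a single PEM file or a directory of PEM files, and reports the table's "no certificate chains defined on proxy" / SYSTEM_UNAVAILABLE (24) condition when signatureRequired is true but nothing loadable is found. The certificate contents written by demo() are constructed placeholder DER blobs, not real certificates, and the DER check only verifies that each blob is one complete SEQUENCE; the function and property-file layout are assumptions of this example.

```python
import base64
import os
import re
import tempfile

SYSTEM_UNAVAILABLE = 24  # error code from the proxy's error table

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_properties(text):
    """Minimal key=value parser for a properties file; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def der_is_well_formed(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose length field
    covers the whole blob, i.e. the file was neither truncated nor padded."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def load_issuer_chain(path):
    """Return DER blobs from a single PEM file, or from every regular file in a directory."""
    if os.path.isfile(path):
        files = [path]
    elif os.path.isdir(path):
        files = sorted(os.path.join(path, f) for f in os.listdir(path))
        files = [f for f in files if os.path.isfile(f)]
    else:
        return []
    certs = []
    for f in files:
        with open(f, "r", encoding="ascii") as fh:
            for b64 in _PEM_BLOCK.findall(fh.read()):
                der = base64.b64decode("".join(b64.split()), validate=True)
                if der_is_well_formed(der):
                    certs.append(der)
    return certs


def check_signature_config(props):
    """None if signature verification is off or has issuers to check against,
    else (reason, error_code) as the proxy's error table describes it."""
    if props.get("cmp.backend.signatureRequired", "false").lower() != "true":
        return None
    if not load_issuer_chain(props.get("cmp.backend.issuerchainpath", "")):
        return ("no certificate chains defined on proxy", SYSTEM_UNAVAILABLE)
    return None


def _pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


def demo():
    """Exercise file, directory and unset configurations with constructed placeholder blobs."""
    blob_a = b"\x30\x03\x02\x01\x05"            # SEQUENCE { INTEGER 5 }, not a certificate
    blob_b = b"\x30\x05\x02\x03\x01\x02\x03"    # SEQUENCE { INTEGER 0x010203 }, not a certificate
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, blob in (("issuer-a.pem", blob_a), ("issuer-b.pem", blob_b)):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(_pem(blob))
        results["dir_count"] = len(load_issuer_chain(d))
        results["file_count"] = len(load_issuer_chain(os.path.join(d, "issuer-a.pem")))
        props = parse_properties(
            "cmp.backend.signatureRequired=true\ncmp.backend.issuerchainpath=" + d)
        results["dir_ok"] = check_signature_config(props)
    results["unset"] = check_signature_config(
        parse_properties("cmp.backend.signatureRequired=true\n# no issuerchainpath"))
    return results


if __name__ == "__main__":
    print(demo())
```

Running the check before enabling signatureRequired in production avoids a proxy that rejects every signed request with SYSTEM_UNAVAILABLE simply because the issuer path is empty or points at files that are not PEM certificates.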

CMP Proxy Error Messages

The CMP Proxy returns error messages partly as a result of problems in the proxy itself, and partly from evaluating CMP requests on the proxy before passing them on. The messages listed here are those the proxy returns on its own, independently of the CA errors listed in the CMP Error Messages section.

Error Description | Error Type | Error Code
The received request did not contain a DER object. | Unsigned CMP | BAD_REQUEST (2)
Submitting a request with a URL that does not match an existing CMP alias. | HTTP | 404 Not Found
Sending a response over TCP failed. | HTTP | 500 Internal Server Error
Signature/HMAC protection was required in configuration, but no protection was present. | Unsigned CMP | BAD_REQUEST (2)
HMAC/Signature verification failed. | Unsigned CMP | BAD_REQUEST (2)
Message signature was required, but no signing certificate was supplied. | Unsigned CMP | BAD_REQUEST (2)
Message signature was required, but the revocation check could not be performed. | Unsigned CMP | SYSTEM_UNAVAILABLE (24)
Message signature was required, but a cache failure occurred during the revocation check. | Unsigned CMP | SYSTEM_UNAVAILABLE (24)
Message signature was required, but no certificate chains are defined on the proxy. | Unsigned CMP | SYSTEM_UNAVAILABLE (24)
Message signature was required, but the signer certificate was revoked. | Unsigned CMP | BAD_REQUEST (2)
