CMP Proxy
ENTERPRISE: This is an EJBCA Enterprise feature.
The following describes the CMP Proxy module. For more information about the Certificate Management Protocol (CMP) and how it works with EJBCA, see CMP.
In some installations it may be desirable to terminate the client connection in a DMZ before connecting further to the CA, so that the client never has a direct network connection to the CA machine. In such a scenario you can use the CMP proxy module. Clients use the CMP proxy exactly as they would otherwise use EJBCA. The proxy in turn connects to EJBCA, gets the answer and forwards it back to the client.
The proxy is a stand-alone module that runs on a different machine than the CA itself.
See EJBCA_HOME/modules/cmpProxy/resources/README for information on how to build and use the proxy.
Backends
The CMP Proxy can use different connection backends to the CA. The most useful are:
Direct HTTP connection: The CMP proxy opens a new HTTP connection to the CA, waits for the CA's response, and returns that response to the client over the client's own connection.
External RA connection: The CMP proxy stores an external RA message in an external RA database, which the CA polls. When the CA stores a return message in the external RA database, it is picked up by the CMP proxy and returned to the client.
CMP Proxy Message Validation
The CMP proxy has options for verifying CMP message protection in the proxy, before passing the message on to the CA. Both password-based MAC and signature protection can be verified. These validations are activated in cmpProxy.properties. CMP message headers only allow one form of protection per message, so activating both modes allows messages to use either form. Rejected messages never pass the CMP Proxy, but are rejected in the same form as if they had been rejected by the CA.
Password based MAC
Password-based MAC verification is activated by setting the following value to true in cmpProxy.properties:
cmp.backend.hmacPasswordValidationRequired=true
In addition to this, KeyId/password pairs need to be defined, where the KeyId is the name of the CA and the password is the CMP RA Authentication Secret for that CA:
cmp.backend.hmacPassword.keylist=[ca1:foo][ca2:bar]
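The following is an added example, not EJBCA or CMP Proxy code, showing what the proxy-side check amounts to: parse the keylist format above into a KeyId-to-secret map, derive the PasswordBasedMac key from the secret and the salt as RFC 4210 section 5.1.3.1 specifies (hash secret||salt, then re-hash iterationCount-1 times), and compare an HMAC over the protected part in constant time. The salt, iteration count and the byte string standing in for the DER-encoded ProtectedPart are constructed values; a real proxy reads them from the PKIMessage header. A failed lookup or a MAC mismatch both reject the message before it reaches the CA, which is the case the error table below reports as BAD_REQUEST (2).

```python
import hashlib
import hmac
import re


def parse_keylist(keylist):
    """Parse the cmp.backend.hmacPassword.keylist format '[keyId:password]...'
    into a dict keyed by KeyId (the CA name)."""
    return dict(re.findall(r"\[([^:\]]+):([^\]]*)\]", keylist))


def derive_pbm_key(secret, salt, iteration_count, owf="sha256"):
    """RFC 4210 PasswordBasedMac key derivation: OWF(secret || salt), then
    the OWF applied again to the previous output, iterationCount times in all."""
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    key = hashlib.new(owf, secret + salt).digest()
    for _ in range(iteration_count - 1):
        key = hashlib.new(owf, key).digest()
    return key


def compute_pbm(secret, salt, iteration_count, protected_part, owf="sha256", mac="sha256"):
    """HMAC over the DER-encoded ProtectedPart (header + body) with the derived key."""
    key = derive_pbm_key(secret, salt, iteration_count, owf)
    return hmac.new(key, protected_part, mac).digest()


def verify_pbm(keylist, sender_kid, salt, iteration_count, protected_part, protection):
    """Return (accepted, reason). Unknown senderKID and MAC mismatch both reject."""
    secret = keylist.get(sender_kid)
    if secret is None:
        return False, "unknown senderKID"
    expected = compute_pbm(secret.encode("utf-8"), salt, iteration_count, protected_part)
    if hmac.compare_digest(expected, protection):
        return True, "ok"
    return False, "HMAC verification failed"


# Constructed sample values (not taken from a real message).
KEYLIST = parse_keylist("[ca1:foo][ca2:bar]")
SALT = b"constructed-salt"
ITERATIONS = 1000
PROTECTED_PART = b"constructed stand-in for DER(ProtectedPart)"


def demo():
    """Exercise the accept path and three reject paths with the constructed values."""
    good = compute_pbm(b"foo", SALT, ITERATIONS, PROTECTED_PART)
    return {
        "valid": verify_pbm(KEYLIST, "ca1", SALT, ITERATIONS, PROTECTED_PART, good),
        # Right MAC, but the header names a CA whose secret is different.
        "wrong_ca": verify_pbm(KEYLIST, "ca2", SALT, ITERATIONS, PROTECTED_PART, good),
        # KeyId not present in the keylist at all.
        "unknown_ca": verify_pbm(KEYLIST, "ca9", SALT, ITERATIONS, PROTECTED_PART, good),
        # Body altered after the MAC was computed.
        "tampered": verify_pbm(KEYLIST, "ca1", SALT, ITERATIONS, PROTECTED_PART + b"x", good),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The KeyId comes from the senderKID field of the message header, so the proxy can only verify a message if that field names a CA present in the keylist; this is why every CA the proxy fronts needs its own entry.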
Signature
Signature verification is activated by setting the following value:
cmp.backend.signatureRequired=true
In addition to this, the following value needs to be defined:
cmp.backend.issuerchainpath
This value can be set either to a single PEM file or to a directory containing multiple PEM files, representing one or more valid issuers of signing certificates.
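An added example (not CMP Proxy code) of resolving an issuerchainpath-style setting the way the sentence above describes: a single PEM file is read as-is, a directory has every regular file in it read as PEM, and each file may hold several CERTIFICATE blocks (a whole chain). The PEM blocks in the demo wrap constructed placeholder bytes, not real certificates, so this only shows the file-layout handling, not chain validation. An empty result is treated as the "no certificate chains defined on proxy" condition from the error table below.

```python
import base64
import os
import re
import tempfile

# Matches every CERTIFICATE block in a PEM text; one file may carry a whole chain.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certificates(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM text."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT_RE.findall(text)]


def load_issuer_chain_path(path):
    """Resolve an issuerchainpath value: one PEM file, or a directory whose
    regular files are all read as PEM. Returns the list of DER certificates."""
    if os.path.isdir(path):
        files = sorted(os.path.join(path, name) for name in os.listdir(path)
                       if os.path.isfile(os.path.join(path, name)))
    elif os.path.isfile(path):
        files = [path]
    else:
        raise FileNotFoundError(path)
    issuers = []
    for name in files:
        with open(name, encoding="ascii") as fh:
            issuers.extend(pem_certificates(fh.read()))
    if not issuers:
        # The page's error table reports this situation as SYSTEM_UNAVAILABLE (24).
        raise ValueError("no certificate chains defined on proxy")
    return issuers


def to_pem(der):
    """Wrap bytes as a PEM CERTIFICATE block (constructed placeholder, not a real cert)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def demo():
    """Build constructed fixtures in a temp dir and count what each layout yields."""
    with tempfile.TemporaryDirectory() as tmp:
        # Layout 1: a single file holding a two-certificate chain.
        single = os.path.join(tmp, "issuers.pem")
        with open(single, "w") as fh:
            fh.write(to_pem(b"placeholder-root") + to_pem(b"placeholder-sub-ca"))
        # Layout 2: a directory with one file per CA, one of them a chain.
        chain_dir = os.path.join(tmp, "chains")
        os.mkdir(chain_dir)
        with open(os.path.join(chain_dir, "ca1.pem"), "w") as fh:
            fh.write(to_pem(b"placeholder-ca1"))
        with open(os.path.join(chain_dir, "ca2.pem"), "w") as fh:
            fh.write(to_pem(b"placeholder-ca2-root") + to_pem(b"placeholder-ca2-sub"))
        # Layout 3: a directory with nothing in it, which must be rejected.
        empty_dir = os.path.join(tmp, "empty")
        os.mkdir(empty_dir)
        try:
            load_issuer_chain_path(empty_dir)
            empty_rejected = False
        except ValueError:
            empty_rejected = True
        return {
            "single_file": len(load_issuer_chain_path(single)),
            "directory": len(load_issuer_chain_path(chain_dir)),
            "empty_dir_rejected": empty_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Loading the issuer set once at startup, and failing hard when it is empty, keeps a misconfigured proxy from silently accepting every signed request or rejecting every one with an unhelpful error.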
CMP Proxy Error Messages
The CMP Proxy returns error messages partly as a result of problems in the proxy itself, and partly as a result of evaluating CMP requests on the proxy before passing them on. The messages listed here are those returned by the proxy itself, independently of the CA; errors returned by the CA are listed in the CMP Error Messages section.
Error Description | Error Type | Error Code
--- | --- | ---
The received request did not contain a DER object. | Unsigned CMP | BAD_REQUEST (2)
Submitting a request with a URL that does not match an existing CMP alias. | HTTP | 404 Not Found
Sending a response over TCP failed. | HTTP | 500 Internal Server Error
Signature/HMAC protection was required in configuration, but no protection was present. | Unsigned CMP | BAD_REQUEST (2)
HMAC/Signature verification failed. | Unsigned CMP | BAD_REQUEST (2)
Message signature was required, but no signing certificate was supplied. | Unsigned CMP | BAD_REQUEST (2)
Message signature was required, but the revocation check could not be performed. | Unsigned CMP | SYSTEM_UNAVAILABLE (24)
Message signature was required, but a cache failure occurred during the revocation check. | Unsigned CMP | SYSTEM_UNAVAILABLE (24)
Message signature was required, but no certificate chains are defined on the proxy. | Unsigned CMP | SYSTEM_UNAVAILABLE (24)
Message signature was required, but the signer certificate was revoked. | Unsigned CMP | BAD_REQUEST (2)