I am trying to replace HSM(s) with my software-only application and integrate with PKCS11. The problem I have with that is all of PKCS api functions deal with slots and tokens which are not a part of my software application. Are there examples out there that I can look up to see how a software application can be used to imitate an HSM and integrate with PKCS ?
When you are dealing with HSM's you have to deal with slots and tokens. You have to modify your software slightly to accommodate this.
There are 2 ways you can use the PKCS#11, PKCS#11 Wrapper or PKCS#11 Provider. The Wrapper is the api that calls the native functions of the HSM library (.dll or .so) directly. The Provider uses the Wrapper under the hood, but gives you the convenience of using it with Java KeyStore api.
Considering your case, the Wrapper might not be fit for you, because it involves writing new classes to integrate with the HSM. You could use the provider.
Java has very good documentation of the PKCS11 Provider here. There is also a very good third-party library called IAIK, here is their provider documentation. Even though you use the Provider in your software application, trivial code changes are inevitable.
Where ever you have used the KeyStore api, you may have to make changes there. And initially, when your software loads, you have to load a configuration file for the PKCS11 provider that tells which slot number and the token to connect to.
IAIK has very good examples too, and their provider library is only free for development purposes.
Related
We are in the process of designing a front-end application with Angular which will call a jBASE server through RESTful APIs. APIs are created from jBASE component called jAgent.
Does jAgent support creating and verifying JWTs?
If not, what is the best way to handle authentication/authorization for the Angular application?
If we need to use JWTs, do we have to use a authentication middleware application (.NET Core or node.js) for that?
Great question! At the moment there is no handler within jAgent and our recommendation is to implement this, and advanced web server/API gateway technology by way of other applications like HAproxy or Kong.
An expansion of jAgent functionality to include things like this is something we're still considering but keep in mind, the power of jBASE lies in its native interactions with the host OS. Since there is no virtual OS layer it can be easier to plug and play off the shelf things to fill in for additional functionality, which gives you the flexibility to bring your own tooling.
In summary:
Not at the moment
Using an off the shelf package to act as your API gateway
Subject to the package you choose
That relegates jAgent to management of the API layer as it exists on the PICK/jBASE side while the off the shelf package manages your API security layer.
One other note for you--I noticed that you included a link to the old jBASE docs hosted on HelpJuice. It's worth mentioning that we've migrated those docs to docs.zumasys.com. You'll find the docs there to be more up to date, and also completely open sourced--part of the migration included their move to a GitHub repo, where we're happy to take community contributions.
For reference, the article you mentioned is available at https://docs.zumasys.com/jbase/connectivity/jagent/introduction-to-jagent-rest-services/.
Update:
One of our engineers has a program that will use openssl to generate the tokens for you, which you can find at https://github.com/patrickp/wjwt.
You will need openssl installed on the machine and in the path.
The WJWT.TEST program shows the usage. The important piece is the SECRET.KEY which is your internal KEY you use to sign the payloads.
When a user first authenticates you create the token with SIGN. Claims are any items/fields you wish to save/store. Do NOT put sensitive data in here as it is viewable by anybody. The concept is we sign this with our key, give it back to the client. On future calls the client sends the token and we pull it and call the VERIFY function which basically re-signs the payload and validates the signatures match. This validates the payload was not manipulated.
Activities such as expiration you would build into your code.
Long term we plan to take this library and refactor the code into our MVDB Toolkit library with more functionality. That library is something we provide to jBASE customers at no additional charge.
I have a java codebase that seems to be using "com.google.api.services.cloudkms.v1.CloudKMS" to call KMS. The online docs says to use "com.google.cloud.kms.v1.KeyManagementServiceClient"
When i looked up both packages seem to be updated, however the reference docs recommend using the latter.
https://developers.google.com/resources/api-libraries/documentation/cloudkms/v1/java/latest/com/google/api/services/cloudkms/v1/CloudKMS.html
https://cloud.google.com/kms/docs/reference/libraries
Could someone tell me what is the difference between these 2 clients packages and if i should move to the one the reference links to?
In general, you should prefer the library referenced on the Reference Libraries page, currently com.google.cloud.kms. The examples and tutorials on the website will use this client library.
Probably more history than you need to know, but we have two client libraries because they run over different protocols. The new libraries (the one's listed on the reference page) use gRPC to communicate. This means less bandwidth and less time spent serializing/de-serializing JSON. On the flip side, gRPC requires HTTP/2, and some organizations can't/won't support HTTP/2 yet. As a result, we still publish and maintain legacy libraries that are REST over HTTP/1. It is strongly recommended you use the gRPC ones unless you can't use HTTP/2.
You can read more about the background and technical details in Kickstart your cryptography with new Cloud KMS client libraries and samples.
Is it possible to leverage the Amazon Web Services SDK for iOS in a server-side Swift app developed using the Perfect framework? I'd like to be able to deploy my Perfect app to AWS and make calls to DynamoDB, S3, etc. from the app. However, I haven't found any examples showing if that is even possible. Can the AWS SDK be used server-side, even though it says "for iOS"? Does it support the Swift Package Manager, which Perfect seems to use for integrating with 3rd party libraries? If not, does Perfect support CocoaPods for dependency management?
If what I'm attempting feasible, or would I have to write my own integration code using Amazon's RESTful services directly?
"Original" AWS library does not support Swift Package Manager in that moment, and also uses some Obj-c code (as far as I know), so you can't use it on linux. But there is feature suggestion, so maybe it would be there in future
Now you can use AWS services with that library: https://github.com/noppoMan/aws-sdk-swift though its a bit hacky :)
I use that one in my current projects and it's look like all the basic needs are implemented :)
As far as I know, you would probably using Perfect-CURL to perform such tasks; Perfect-MySQL supports RDS, however, you can easily add all SPM compatible 3rd party components as many as need, just edit Package.swift to include; a better idea is to user Perfect Assistant to safely import different components and quickly build / test & deploy to AWS EC2:
http://www.perfect.org/en/assistant/
About Perfect-CURL, there are many examples about Server Side Operations, such as
https://github.com/PerfectExamples/Perfect-Cloudinary-ImageUploader-Demo
which contains how to generate a digital signature in posting files,
also
https://github.com/PerfectServers/SlackBot
with curling API
I am trying to write a Javascript client for a web application which provides a REST API to interact with the application. I want to do this in a very advanced way like with a proven stack of tools and methodologies available in Javascript.
Most of the guides about javascript client library development I found in the web are application oriented which have a view part( I mean HTML part ). What I needed is like a client library with some methods which can be used to develop web applications. So I don't want to depend this library with any other javascript library like JQuery, Backbone etc.
I have gone through lot of design patterns available in javascript, especially patterns mentioned in Learning JavaScript Design Patterns a book by Addy Osmani. And after all I got confused, I couldn't decide which one to follow.
What I have in mind is like following:
Initialize the library with some key and secret (This can be compared to declaring object for a class in php).
There will be a data persistence unit which will keep the authenticated user's identity over a predefined amount of time like sessions in php. User data will be stored in cookies or local-storage. Also there will be provisions to override the methods of this unit so that user can implement their own storage mechanism. A reference to this unit will also be passed during library initialization.
Keep a global request method which handles all the API requests associated with the library(This can be compared to a method of the main class in php)
Define all the API methods encapsulated into different units according to the area of application it dealing with. This each unit will have a constructor method which defines some default properties to the unit( This can be compared to defining models in php which will fetch or save data from the application with API ). Each of this unit can be inherited from a super unit which provides some default properties and methods.
After reading some blogs and articles I have decided to use yeoman for library development. May be I can use some yeoman community javascript library generators to start the development.
As I described above I think what I needed is like: a class which keeps a single instance throughout the application which can be used to refer all the models and functions in the models. For this may be I can go with the singleton module pattern, but I am not fully sure about how to make use of it to my requirement.
Any advice is greatly appreciated!
Greetings!
I've spent some time researching how to communicate with SAP from a PHP web application, but the documentation is more than spare. The ways I found are:
Creating IDoc files, some sort of proprietary plain-text format. But how do I stick them in SAP when they are created on the webserver?
Coding a Windows Application using the SAP BAPI. This way, you have full control and access - but also a lot of pain.
Accessing the RFC (Remote Function Calls), preferrably via SOAP. This would be the best way to connect to a web app.
What I could not find out is: what is the easiest way to connect? Which versions of SAP support SOAP? Anything I've missed?
Thanks for your help!
How you connect to SAP is dependent on what version of SAP, your SAP license and what you're connecting with and what you are trying to do.
If you are trying to access SAP standard functionality - i.e. Read or Update a SAP Service Order, the standard BAPI should allow you to do what you need. (Note that a BAPI is just an RFC with a standard API, which is released for customer use by SAP).
There are various connectors to SAP, but for newer releases of SAP (2004s and later) many RFC function modules are exposed as webservices, which should be ideal for your purposes.
You may have to ask an ABAP developer (or even a non-developer with SAP experience) to help you find which RFC's are available and whether they are exposed as webservices. (If not an ABAP developer should be able to wrap BAPI as a webservice with a simplified interface).
If you are trying to do something that SAP have not provided prior functionality for, or perhaps access custom developed objects you will definitely need the assistance of an ABAP developer to exposes an RFC to you.
Depending on your system setup there may be some system administration tasks to be done in order to allow you to access the SAP system. Whether by RFC or otherwise. (Useful transactions to search for are SICF and SOAMANAGER). The SAP Basis administrator may also need to set up some RFC connections for you.
If your company uses SAP PI/XI or a non-SAP integration engine, it may be easier to connect but that would be in very limited cases.
I've used IDOCs before for single message transfer, but I'm not sure that it would have any advantage over BAPI's or webservices for any Business Type transactions. Although IDOCs have been around for a while and may be quite stable if standard ones exist.
I have to admit that I've only scratched the surface around connecting to SAP, but I hope this is useful.
The third option is the easiest.
Accessing the RFC (Remote Function
Calls), preferrably via SOAP.