How to enable DMR for EJBCA

The 3Key DMR add-on to PrimeKey EJBCA Enterprise for dashboarding, monitoring, and reporting provides a comprehensive solution to visualize certificate-related operations and their attributes over time. You can focus on PKI management while providing the necessary information to IT managers, executives, or your customers.

It helps you, for example, to quickly see and identify:

  • The overall level of activity in EJBCA, including peaks and unusual increases or decreases.
  • Activities and events that happened over time, with all related attributes.
  • The number of certificates issued or revoked over time.
  • The algorithms in use, so that non-compliant certificates and private keys can be identified and resolved quickly.
  • OCSP responder operation statistics.

Enabling DMR for your EJBCA

There are a few steps to enable your EJBCA to use DMR and access all its features. We do not describe the DMR side here; a DMR environment is expected to be available to you. If you do not have a DMR environment yet, do not hesitate to contact us!

These steps should be followed by someone who has access to the EJBCA deployment and is experienced enough to change the configuration of EJBCA and the underlying application server. If you prefer not to do that, or you do not have enough experience, you can use pre-configured instances of EJBCA delivered as Docker images or as the appliance. In any case, you can always ask us.

To enable DMR, you need to complete the following steps, which are described further below:

  • Install 3Key Extended Publisher Plugin
  • Configure Syslog Appender in Wildfly

Install 3Key Extended Publisher

Although the 3Key Extended Publisher is not a mandatory component for DMR to work, it is recommended, as it enables enhanced dashboards and information such as the Certificate Extended Dashboard, where you can manage your certificate inventory based on Certificate Profile or End Entity Profile.

Using the 3Key Extended Publisher also gives you the flexibility to decide which certification authorities and profiles will use it; you do not have to use it globally.

As it comes as a plugin to EJBCA, it is very easy to install:

1. Download the 3Key Extended Publisher plugin.
2. Configure EJBCA to use plugins, if you have not done so yet.

   Create a directory where you will place the plugin file, for example ejbca/plugins.

   Configure ejbca/conf/plugins/plugin.properties to include external JARs from the ejbca/plugins directory on the classpath:

   plugin.ejbca.lib.dir=ejbca/plugins/

3. Deploy EJBCA with the 3Key Extended Publisher.

Once EJBCA is deployed, you can configure the publisher in EJBCA.

Ship the information to DMR

The application server, Wildfly, should be configured to ship the required information to DMR through syslog.

There are also other options for shipping the information to DMR, for example directly from the Extended Publisher through the Kafka streaming platform. Syslog is available out of the box on Wildfly. If you would like to use a different method, get in touch with us.

The following configuration of syslog on Wildfly uses the command line interface. It can also be configured through the management web console or by directly modifying the configuration file.

The only information you need is the hostname and port of the DMR server to which the information will be shipped.

1. Open the Wildfly command line interface.
2. Run the following commands, with values appropriate to your environment. In the handler definition, serverHostname and port identify the DMR server, while hostname is the name of your EJBCA host as it will appear in the shipped messages:

/subsystem=logging/custom-handler=SYSLOG:add(class=org.jboss.logmanager.handlers.SyslogHandler, module=org.jboss.logmanager, properties={serverHostname="lab04.3key.company", hostname="lab01.3key.company", port="5143", protocol="TCP", appName="ejbca", facility="LOCAL_USE_7", encoding="US-ASCII", syslogType="RFC3164", maxLength="65000"})

/subsystem=logging/custom-handler=SYSLOG:write-attribute(name=level, value=INFO)

/subsystem=logging/logger=org.ejbca:add
/subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=INFO)
/subsystem=logging/logger=org.ejbca:assign-handler(name="SYSLOG")

/subsystem=logging/logger=org.cesecore:add
/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=INFO)
/subsystem=logging/logger=org.cesecore:assign-handler(name="SYSLOG")

# required for the Extended certificate information
/subsystem=logging/logger=company.threekey.ejbca:add
/subsystem=logging/logger=company.threekey.ejbca:write-attribute(name=level, value=INFO)
/subsystem=logging/logger=company.threekey.ejbca:assign-handler(name="SYSLOG")

# required for the OCSP
/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging:add
/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging:write-attribute(name=level, value=INFO)
/subsystem=logging/logger=org.cesecore.certificates.ocsp.logging:assign-handler(name="SYSLOG")
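The handler above ships BSD-style (RFC 3164) syslog messages with facility LOCAL_USE_7 and app name ejbca over TCP. The following Python script is an added example, not part of the original article nor of the 3Key, PrimeKey or Wildfly code: it is a receiving-side check that parses such lines, decodes the PRI field into facility and severity, and rejects messages that do not carry the expected facility or app name, which is a quick way to confirm that the right handler and loggers reach DMR before relying on the dashboards. The sample lines, the pid values and the message bodies are constructed; the hostname is the one used in the handler definition above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Facility and severity codes as defined in RFC 3164 section 4.1.1.
FACILITIES = {0: "KERN", 1: "USER", 2: "MAIL", 3: "DAEMON", 4: "AUTH", 5: "SYSLOG",
              6: "LPR", 7: "NEWS", 8: "UUCP", 9: "CRON", 10: "AUTHPRIV", 11: "FTP",
              16: "LOCAL0", 17: "LOCAL1", 18: "LOCAL2", 19: "LOCAL3",
              20: "LOCAL4", 21: "LOCAL5", 22: "LOCAL6", 23: "LOCAL7"}
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# BSD syslog layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    app_name: str
    pid: Optional[int]
    message: str


def parse_rfc3164(line: str) -> SyslogRecord:
    """Parse one RFC 3164 line; raise ValueError if it is not one."""
    m = RFC3164_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # highest facility (23) * 8 + highest severity (7)
        raise ValueError(f"PRI out of range: {pri}")
    facility_code, severity_code = divmod(pri, 8)
    if facility_code not in FACILITIES:
        raise ValueError(f"unknown facility code: {facility_code}")
    pid = m.group("pid")
    return SyslogRecord(
        facility=FACILITIES[facility_code],
        severity=SEVERITIES[severity_code],
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        app_name=m.group("tag"),
        pid=int(pid) if pid is not None else None,
        message=m.group("msg"),
    )


def check_record(rec: SyslogRecord, expected_app: str = "ejbca",
                 expected_facility: str = "LOCAL7") -> List[str]:
    """Return the deviations from what the SYSLOG handler above should produce."""
    problems = []
    if rec.facility != expected_facility:
        problems.append(f"facility {rec.facility}, expected {expected_facility}")
    if rec.app_name != expected_app:
        problems.append(f"app name {rec.app_name}, expected {expected_app}")
    return problems


def triage(lines: List[str]) -> Tuple[List[SyslogRecord], List[Tuple[str, str]]]:
    """Split received lines into accepted records and (line, reason) rejects."""
    accepted, rejected = [], []
    for line in lines:
        try:
            rec = parse_rfc3164(line)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        problems = check_record(rec)
        if problems:
            rejected.append((line, "; ".join(problems)))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample input, not captured from a real EJBCA.
# PRI 190 = LOCAL7 (23 * 8) + INFO (6), which is what the handler above emits.
SAMPLE_LINES = [
    "<190>Mar 14 10:15:32 lab01.3key.company ejbca[4711]: INFO [org.ejbca] constructed message body",
    # constructed: PRI 134 = LOCAL0 (16 * 8) + INFO (6), i.e. a handler with the wrong facility
    "<134>Mar 14 10:15:33 lab01.3key.company ejbca[4711]: INFO [org.cesecore] constructed message body",
    # constructed: right facility, but shipped by a different application
    "<190>Mar 14 10:15:34 lab01.3key.company otherapp[900]: constructed message body",
    # constructed: not a syslog line at all
    "garbage line",
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LINES)
    for rec in ok:
        print(f"OK   {rec.hostname} {rec.app_name} {rec.severity}: {rec.message}")
    for line, reason in bad:
        print(f"DROP {reason}: {line}")
```

Run it directly to see the triage of the sample lines, or feed it lines captured on the DMR side. Because the handler is configured with encoding US-ASCII, non-ASCII characters in subject names will not arrive verbatim, so the parser makes no attempt to interpret them.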

Login and use DMR

From now on, you can start using DMR to see the dashboards, create reports, monitor your certificates and operations, automate tasks, and much more.

All the information is available in DMR in near real time.

If you would like to have DMR deployed, see a demonstration of the solution, or discuss your specific use case, do not hesitate to contact us!

Need help?

Do not hesitate to get in touch with us!
