Monday, 18 October 2010

Portuguese Citizens' Card authentication on glassfish v3

Intro


To enable the authentication on the GlassFish server, the following steps are needed:

  1. Add the CAs used by the Portuguese state to sign the certificates on the card.
  2. Configure the Client-Cert authentication realm.
  3. Define the security constraints in web.xml, so that the application makes use of the previously created realm.
Problems in Java version 1.6.20
   Oracle has temporarily disabled SSL renegotiation as a quick workaround for a security disclosure (more info).
   In the GlassFish web admin console, go to Configuration -> JVM Settings -> JVM Options and Add JVM Option -Dsun.security.ssl.allowUnsafeRenegotiation=true .
   Then restart the GlassFish server.

1 - Adding the CAs' certificates to GlassFish
  1. Download all the .cer files from http://pki.cartaodecidadao.pt/ into a cc_cert directory.
  2. Use keytool to import all the certificates into the domain keystore (default password = changeit). Always use a different alias for each certificate, and answer Yes to "Trust this certificate?" for all of them.
keytool -import -trustcacerts -alias CC1 -file Cartao_de_Cidadao_001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Sign_1 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Sign_2 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0002.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Sign_3 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0003.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Sign_4 -file EC_de_Assinatura_Digital_Qualificada_do_Cartao_de_Cidadao_0004.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Auth_1 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0001.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Auth_2 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0002.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Auth_3 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0003.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks
keytool -import -trustcacerts -alias CC_Auth_4 -file EC_de_Autenticacao_do_Cartao_de_Cidadao_0004.cer -keystore ../glassfishv3/glassfish/domains/domain1/config/cacerts.jks

2 - Configure the certificate realm

  1. Go to the admin web console and, on the certificate realm, add the group pteid to the realm's assigned groups.
  2. If there is an error, insert the configuration directly into the file domain.xml in the domain1/config directory. Replace the line with the certificate realm (auth-realm name="certificate") by the following:

<auth-realm name="certificate"
            classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm">
  <property name="assign-groups" value="pteid" />
</auth-realm>

3 - Define the security constraints on the application

The security constraints of the application are defined in the file web.xml; the following configuration should be inserted:

  <security-constraint>
    <display-name>Portuguese EID authentication</display-name>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>pteid_id_role</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description />
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <description>Certificate of portuguese id-cards</description>
    <role-name>pteid_id_role</role-name>
  </security-role>

The role mapping is done in the file sun-web.xml; the following configuration should be inserted:

  <security-role-mapping>
    <role-name>pteid_id_role</role-name>
    <group-name>pteid</group-name>
  </security-role-mapping>
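As an added example (not code from the original post), here is a servlet deployed behind the constraint above that shows what the application gets once the three steps are in place: the pteid_id_role role mapped in sun-web.xml and the card certificate chain the container already validated against the CAs imported in step 1. The attribute name javax.servlet.request.X509Certificate comes from the Servlet specification; the servlet class name is my own.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the original post) protected by the
// CLIENT-CERT security constraint defined in web.xml above.
public class WhoAmIServlet extends HttpServlet {

    // Attribute name defined by the Servlet specification for the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With a correct web.xml this is never false, but the check costs nothing
        // and protects the servlet against a misconfigured descriptor.
        if (!req.isUserInRole("pteid_id_role")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Citizen Card required");
            return;
        }
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No client certificate");
            return;
        }
        X509Certificate card = chain[0];   // end-entity certificate read from the card
        try {
            card.checkValidity();          // refuse expired or not-yet-valid cards
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate not valid");
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // CertificateRealm builds the principal from the certificate subject.
        out.println("Principal: " + req.getUserPrincipal().getName());
        out.println("Subject:   " + card.getSubjectX500Principal().getName());
        out.println("Issuer:    " + card.getIssuerX500Principal().getName());
        out.println("Serial:    " + card.getSerialNumber().toString(16));
        out.println("Auth type: " + req.getAuthType());   // CLIENT_CERT
    }
}
```

The issuer printed here should be one of the Cartão de Cidadão authentication CAs imported in step 1; anything else means the keystore or the realm is not the one the listener is using.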

Thursday, 13 May 2010

Journals in Medical Informatics

One of the most important tasks when doing research in a new area is to identify the quality papers. One of the best places to start to understand the trends and big players is journal publications.
I’ve found a very good list about Medical Informatics at http://www.informatics-review.com/journals/index.html . Please comment if you know others or you have a list of journals and conferences ordered by impact factor.

Friday, 2 January 2009

Fighting Spam With Your Mail application

I've started to use a function on my email client that sends a message to the sender of the email stating that my mailbox is not valid.
If the sender exists, he will think that my mailbox doesn't exist and will remove the address from the list.
In Mail.app on Mac OS X the function is Bounce.