Internal Architecture
For developers and other interested parties, the following diagrams show an outline of the internal architecture of EJBCA, and dependencies between different modules.
Model View Controller Design
All the web modules are packaged as Web Archives (WAR) and packaged inside an Enterprise Archive (EAR) together with EJB modules for business logic, code for mapping Java objects to database rows and additional libraries need by the application that isn’t provided by the application server.
Sample Flow
Let’s say you run the pkcs10 ClientToolBox command, on a system with an RA and a CA, where the RA responds to WebService (SOAP) requests.
The flow would then start from PKCS10ReqCommand in ClientToolBox and finally reach X509CAImpl.generateCertificate, where the certificate is actually generated. The following displays an overview of how the call would flow between classes:
EJBCA Module Descriptions
This is a list of all modules in the modules directory. Unit tests directories (src-test) are excluded from this list.
Color key: WAR/RAR FILES, EJB STATELESS SESSION BEANS, ENTITY BEANS, and STANDALONE APPLICATION.
| Module | Build artifacts, by source directory | Edition | Description |
| acme | src: JAR file with implementation | Enterprise | ACME protocol (RFC 8555) service. |
| SRC-COMMON: WAR FILE | |||
| admin-gui | SRC: WAR FILE | Admin Web interface. | |
| appserver-ext | src: Two JAR files with log classes | App server “extensions”. Currently, it contains classes that extend log4j. | |
| batchenrollment-gui | SRC: STANDALONE APPLICATION | A GUI application to mass enroll certificates. | |
| caa | src: JAR file with implementation | Enterprise | Certification Authority Authorization (RFC 6844) validation. |
| SRC-CLI: STANDALONE APPLICATION | |||
| certificatestore | SRC: WAR FILE | The certificate store servlet, allowing certificates to be downloaded. | |
| cesecore-common | src: Common classes JAR | Common classes for the CESeCore framework. | |
| cesecore-cvca | src: JAR file with implementation | Implementation of CVC CA. Excluded in RA-only and VA-only builds. | |
| cesecore-ejb | SRC: EJB SSBS | Implementations of CESeCore Statless Session Beans. | |
| cesecore-ejb-interface | SRC: EJB SSB INTERFACES | Interfaces for cesecore-ejb | |
| cesecore-entity | SRC: JAR FILE WITH ENTITY CLASSES | Entity classes for the CESeCore framework. These correspond to tables in the database. | |
| cesecore-p11 | src: JAR file | Security fix for old versions of the SunPKCS11 implementation. | |
| cesecore-x509ca | src: JAR file with implementation | Implementation of X509CA. Excluded in RA-only and VA-only builds. | |
| clearcache-war | SRC: WAR FILE | WAR file that allows clearing caches by an HTTP request from localhost. | |
| clientToolBox | SRC: STANDALONE APPLICATION | Command line utility to manage HSM keys, send Web Service requests, run stress test, etc. | |
| cli-util | src: JAR file with common classes | Common classes shared by the command line utilities in EJBCA. | |
| cmpclient | SRC: STANDALONE APPLICATION | Enterprise | Command line CMP client. |
| cmpProxy | SRC: STANDALONE WAR FILE (HTTP OR TCP) | Enterprise | Standaone WAR file. |
| common | No build artifact | Default log4j configuration for CLI utilities and tests. | |
| configdump | SRC-CLI: STANDALONE APPLICATION | Enterprise | Configdump lets you export a YAML file of your EJBCA configuration. Certificates or keys are not exported. |
| src-common: JAR file with interfaces | |||
| SRC-EJB: EJB SSBS | |||
| crlstore | SRC: WAR FILE | The CRL store servlet. It allows CRLs to be downloaded. | |
| ct | src: JAR with implementation and OCSP extension | Enterprise | Certificate Transparency (RFC 6962) submission. |
| editition-specific | SRC-EJB: EJB SSBS (placeholders for CE) | Interfaces and placeholders for Enterprise Edition specific functionality. | |
| SRC-INTERFACE: EJB SSB INTERFACES | |||
| editition-specific-ee | SRC-EJB: EJB SSBS (actual implementations) | Enterprise | Enterprise Edition only EJBs. |
| ejbca-cmp-tcp | SRC: WAR FILE | CMP TCP server. Runs inside the app server if configured. | |
| ejbca-cmp-war | SRC: WAR FILE | CMP HTTP interface. Contains a servlet. | |
| ejbca-common | src: JAR file with utility classes | Utility classes specific to EJBCA, and not used in other products that use CESeCore. | |
| ejbca-common-web | src: JAR file with utility classes | Utility classes that are specific to the EJBCA web interfaces. | |
| ejbca-ejb | SRC: EJB SSBS | Implementations of EJBCA specific Stateless Session Beans. | |
| ejbca-ejb-cli | SRC: STANDALONE APPLICATION | Command line utility to operate EJBCA via the Remote EJB interface. | |
| ejbca-ejb-interface | SRC: EJB SSB INTERFACES | Interfaces for ejbca-ejb. | |
| ejbca-entity | SRC: JAR FILE WITH ENTITY CLASSES | Entity classes specific to EJBCA. These correspond to tables in the database. | |
| SRC-CLI: STANDALONE APPLICATION (EJBCA-DB-CLI.JAR) | Enterprise | Database CLI tool for migrating between databases and for handling database protection. | |
| ejbca-properties | JAR file with properties | The properties files from conf/, conf/plugins/ and src/upgrade/ | |
| ejbca-renew-war | SRC: WAR FILE | Self-service certificate renewal in public web. | |
| ejbca-rest-api | SRC: WAR FILE | Enterprise | WAR with entry point for the REST API. |
| ejbca-rest-* | src: JAR file with REST Resource | Enterprise | REST Resource for different parts of the API (common, camanagement, cryptotoken). |
| ejbca-scep-war | SRC: WAR FILE | SCEP protocol for creating and renewing certificate. | |
| ejbca-webdist-war | SRC: WAR FILE | CertDistServlet which implements download of certificates and CRL. | |
| ejbca-webtest | No build artifact | This module contains Selenium tests for the AdminWeb, PublicWeb and RA Web. | |
| ejbca-ws | src: JAR files with interface and implementation | This is the module for the WebService (SOAP) interface. | |
| ejbca-ws-cli | src: JAR files with WS module of ClientToolBox | This module is included in ClientToolBox, and provides a WebService (SOAP) client. | |
| est | SRC-WAR: WAR FILE | Enterprise | Provides an EST protocol interface to EJBCA. |
| externalra | src: JAR files for client and service | Enterprise | The ExternalRA is a legacy module for running an external Registration Authority. It consists of a service built into EJBCA, and an external web GUI. |
| SRC: STANDALONE APPLICATION (EXTERNALRA-CLI.JAR) | |||
| externalra-gui | SRC: WAR FILE | Enterprise | The web GUI part of ExternalRA, to be deployed on a remote server. |
| externalra-scep | SRC: STANDALONE APPLICATION | Enterprise | SCEP client for ExternalRA. |
| healthcheck-war | SRC: WAR FILE | Provides a Health Check URL to check CA status. | |
| oldlogexport-cli | SRC: STANDALONE APPLICATION | Tool to export legacy LogEntryData database table to a file. | |
| peerconnector | src-cli: JAR files with subcommands for ejbca-ejb-cli | Enterprise | Module for handling peer connections, such as CA-RA or CA-VA. |
| src-common: JAR file with common classes | |||
| SRC-EJB: EJB SSBS | |||
| SRC-INTERFACE: EJB SSB INTERFACE | |||
| src-publ: JAR file with classes for handling peer publisher communication | |||
| src-ra: JAR file with classes for handling RA peer communication | |||
| SRC-RAR: RAR FILE | |||
| SRC-WAR: WAR FILE | |||
| plugins-ee | src: JAR file | Extra plugins, such as Publishers, included in Enterprise Edition only. | |
| publicweb-gui | SRC: WAR FILE | The EJBCA Public Web pages (/ejbca/ URL). | |
| ra-gui | SRC: WAR FILE | The EJBCA RA Web pages (/ejbca/ra/ URL). | |
| statedump | SRC-CLI: STANDALONE APPLICATION | Internal | Statedump is a PrimeKey internal tool, not included in EJBCA releases. It is the predecessor of Configdump. |
| src-common: JAR file with common classes | |||
| SRC-EJB: EJB SSB | |||
| systemtests | SRC: EJB SSBS | Contains functional tests of EJBCA. These require an app server to be running.
The EJBs provide additional Remote EJB access that is required by the test, and are only built into the app server when productionmode is set to false. | |
| SRC-INTERFACE: EJB SSB INTERFACES | |||
| unidfnr | SRC-EJB: EJB SSB AND ENTITY | Enterprise | UNID-FNR allows authenticated OCSP clients to obtain personal information from a certificate identifier. |
| va | SRC-WAR: WAR FILE | OCSP responder servlet. | |
| validationtool | SRC: STANDALONE APPLICATION | Enterprise | Command line application for validating certificates. |
EJB Stateless Session Beans Dependencies
The following diagram shows the internal relations between the Stateless Session Beans as they are injected. An updated version of this diagram can be generated by running “ant gen-depgraph” on a machine where the “dot” application is available.
Database Diagram
This is generated with MySQL / MariaDB Workbench, by using the Tools → Reverse Engineer tool and then selecting Arrange → Autolayout.
- Model View Controller Design
- Sample Flow
- EJBCA Module Descriptions
- EJB Stateless Session Beans Dependencies
- Database Diagram
