EJBCA – Internal Architecture

Internal Architecture

For developers and other interested parties, the following diagrams show an outline of the internal architecture of EJBCA, and dependencies between different modules.

Model View Controller Design

All web modules are packaged as Web Archives (WAR) and bundled inside an Enterprise Archive (EAR) together with EJB modules for business logic, code for mapping Java objects to database rows, and additional libraries needed by the application that aren’t provided by the application server.

 

The latest version of the Dia file is attached to ECA-8193.

Sample Flow

Let’s say you run the pkcs10 ClientToolBox command, on a system with an RA and a CA, where the RA responds to WebService (SOAP) requests.

The flow would then start from PKCS10ReqCommand in ClientToolBox and finally reach X509CAImpl.generateCertificate, where the certificate is actually generated. The following displays an overview of how the call would flow between classes:

EJBCA Module Descriptions

This is a list of all modules in the modules directory. Unit tests directories (src-test) are excluded from this list.

Color key: WAR/RAR FILES, EJB STATELESS SESSION BEANS, ENTITY BEANS, and STANDALONE APPLICATION.

| Module | Build artifacts, by source directory | Edition | Description |
|---|---|---|---|
| acme | src: JAR file with implementation | Enterprise | ACME protocol (RFC 8555) service. |
| | SRC-COMMON: WAR FILE | | |
| admin-gui | SRC: WAR FILE | | Admin Web interface. |
| appserver-ext | src: Two JAR files with log classes | | App server “extensions”. Currently, it contains classes that extend log4j. |
| batchenrollment-gui | SRC: STANDALONE APPLICATION | | A GUI application to mass enroll certificates. |
| caa | src: JAR file with implementation | Enterprise | Certification Authority Authorization (RFC 6844) validation. |
| | SRC-CLI: STANDALONE APPLICATION | | |
| certificatestore | SRC: WAR FILE | | The certificate store servlet, allowing certificates to be downloaded. |
| cesecore-common | src: Common classes JAR | | Common classes for the CESeCore framework. |
| cesecore-cvca | src: JAR file with implementation | | Implementation of CVC CA. Excluded in RA-only and VA-only builds. |
| cesecore-ejb | SRC: EJB SSBS | | Implementations of CESeCore Stateless Session Beans. |
| cesecore-ejb-interface | SRC: EJB SSB INTERFACES | | Interfaces for cesecore-ejb. |
| cesecore-entity | SRC: JAR FILE WITH ENTITY CLASSES | | Entity classes for the CESeCore framework. These correspond to tables in the database. |
| cesecore-p11 | src: JAR file | | Security fix for old versions of the SunPKCS11 implementation. |
| cesecore-x509ca | src: JAR file with implementation | | Implementation of X509CA. Excluded in RA-only and VA-only builds. |
| clearcache-war | SRC: WAR FILE | | WAR file that allows clearing caches by an HTTP request from localhost. |
| clientToolBox | SRC: STANDALONE APPLICATION | | Command line utility to manage HSM keys, send Web Service requests, run stress tests, etc. |
| cli-util | src: JAR file with common classes | | Common classes shared by the command line utilities in EJBCA. |
| cmpclient | SRC: STANDALONE APPLICATION | Enterprise | Command line CMP client. |
| cmpProxy | SRC: STANDALONE WAR FILE (HTTP OR TCP) | Enterprise | Standalone WAR file. |
| common | No build artifact | | Default log4j configuration for CLI utilities and tests. |
| configdump | SRC-CLI: STANDALONE APPLICATION | Enterprise | Configdump lets you export a YAML file of your EJBCA configuration. Certificates or keys are not exported. |
| | src-common: JAR file with interfaces | | |
| | SRC-EJB: EJB SSBS | | |
| crlstore | SRC: WAR FILE | | The CRL store servlet. It allows CRLs to be downloaded. |
| ct | src: JAR with implementation and OCSP extension | Enterprise | Certificate Transparency (RFC 6962) submission. |
| edition-specific | SRC-EJB: EJB SSBS (placeholders for CE) | | Interfaces and placeholders for Enterprise Edition specific functionality. |
| | SRC-INTERFACE: EJB SSB INTERFACES | | |
| edition-specific-ee | SRC-EJB: EJB SSBS (actual implementations) | Enterprise | Enterprise Edition only EJBs. |
| ejbca-cmp-tcp | SRC: WAR FILE | | CMP TCP server. Runs inside the app server if configured. |
| ejbca-cmp-war | SRC: WAR FILE | | CMP HTTP interface. Contains a servlet. |
| ejbca-common | src: JAR file with utility classes | | Utility classes specific to EJBCA, and not used in other products that use CESeCore. |
| ejbca-common-web | src: JAR file with utility classes | | Utility classes that are specific to the EJBCA web interfaces. |
| ejbca-ejb | SRC: EJB SSBS | | Implementations of EJBCA specific Stateless Session Beans. |
| ejbca-ejb-cli | SRC: STANDALONE APPLICATION | | Command line utility to operate EJBCA via the Remote EJB interface. |
| ejbca-ejb-interface | SRC: EJB SSB INTERFACES | | Interfaces for ejbca-ejb. |
| ejbca-entity | SRC: JAR FILE WITH ENTITY CLASSES | | Entity classes specific to EJBCA. These correspond to tables in the database. |
| | SRC-CLI: STANDALONE APPLICATION (EJBCA-DB-CLI.JAR) | Enterprise | Database CLI tool for migrating between databases and for handling database protection. |
| ejbca-properties | JAR file with properties | | The properties files from conf/, conf/plugins/ and src/upgrade/ |
| ejbca-renew-war | SRC: WAR FILE | | Self-service certificate renewal in public web. |
| ejbca-rest-api | SRC: WAR FILE | Enterprise | WAR with entry point for the REST API. |
| ejbca-rest-* | src: JAR file with REST Resource | Enterprise | REST Resource for different parts of the API (common, camanagement, cryptotoken). |
| ejbca-scep-war | SRC: WAR FILE | | SCEP protocol for creating and renewing certificates. |
| ejbca-webdist-war | SRC: WAR FILE | | CertDistServlet which implements download of certificates and CRL. |
| ejbca-webtest | No build artifact | | This module contains Selenium tests for the AdminWeb, PublicWeb and RA Web. |
| ejbca-ws | src: JAR files with interface and implementation | | This is the module for the WebService (SOAP) interface. |
| ejbca-ws-cli | src: JAR files with WS module of ClientToolBox | | This module is included in ClientToolBox, and provides a WebService (SOAP) client. |
| est | SRC-WAR: WAR FILE | Enterprise | Provides an EST protocol interface to EJBCA. |
| externalra | src: JAR files for client and service | Enterprise | The ExternalRA is a legacy module for running an external Registration Authority. It consists of a service built into EJBCA, and an external web GUI. |
| | SRC: STANDALONE APPLICATION (EXTERNALRA-CLI.JAR) | | |
| externalra-gui | SRC: WAR FILE | Enterprise | The web GUI part of ExternalRA, to be deployed on a remote server. |
| externalra-scep | SRC: STANDALONE APPLICATION | Enterprise | SCEP client for ExternalRA. |
| healthcheck-war | SRC: WAR FILE | | Provides a Health Check URL to check CA status. |
| oldlogexport-cli | SRC: STANDALONE APPLICATION | | Tool to export legacy LogEntryData database table to a file. |
| peerconnector | src-cli: JAR files with subcommands for ejbca-ejb-cli | Enterprise | Module for handling peer connections, such as CA-RA or CA-VA. |
| | src-common: JAR file with common classes | | |
| | SRC-EJB: EJB SSBS | | |
| | SRC-INTERFACE: EJB SSB INTERFACE | | |
| | src-publ: JAR file with classes for handling peer publisher communication | | |
| | src-ra: JAR file with classes for handling RA peer communication | | |
| | SRC-RAR: RAR FILE | | |
| | SRC-WAR: WAR FILE | | |
| plugins-ee | src: JAR file | | Extra plugins, such as Publishers, included in Enterprise Edition only. |
| publicweb-gui | SRC: WAR FILE | | The EJBCA Public Web pages (/ejbca/ URL). |
| ra-gui | SRC: WAR FILE | | The EJBCA RA Web pages (/ejbca/ra/ URL). |
| statedump | SRC-CLI: STANDALONE APPLICATION | Internal | Statedump is a PrimeKey internal tool, not included in EJBCA releases. It is the predecessor of Configdump. |
| | src-common: JAR file with common classes | | |
| | SRC-EJB: EJB SSB | | |
| systemtests | SRC: EJB SSBS | | Contains functional tests of EJBCA. These require an app server to be running. The EJBs provide additional Remote EJB access that is required by the test, and are only built into the app server when productionmode is set to false. |
| | SRC-INTERFACE: EJB SSB INTERFACES | | |
| unidfnr | SRC-EJB: EJB SSB AND ENTITY | Enterprise | UNID-FNR allows authenticated OCSP clients to obtain personal information from a certificate identifier. |
| va | SRC-WAR: WAR FILE | | OCSP responder servlet. |
| validationtool | SRC: STANDALONE APPLICATION | Enterprise | Command line application for validating certificates. |

EJB Stateless Session Beans Dependencies

The following diagram shows the internal relations between the Stateless Session Beans as they are injected. An updated version of this diagram can be generated by running “ant gen-depgraph” on a machine where the “dot” application is available.

Database Diagram

This is generated with MySQL / MariaDB Workbench, by using the Tools → Reverse Engineer tool and then selecting Arrange → Autolayout.
