openOSI project

Open source identity provider (x509 certificate services) for SOA, ESB and GRID

This project provides open source certificate services at class 1 and class 2 levels of assurance. We offer dedicated certificate profiles for persons and for virtual persons (pseudonyms).


Our runtime environment is J2EE, a proven Java technology. Free automated support services are provided (LDAP public key check, OCSP responder, CRL publication, SSO authentication, ...).



Public Key Infrastructures were rarely implemented because of their cost. Thanks to PRIMEKEY, the community now has a powerful open source Java implementation. We also foresee a tight integration of X.500/LDAP with X.509 certificates.

Our PKI (Public Key Infrastructure) environment is EJBCA. Our Certification Authority (CA) public certificates are available here, as are those of our administrators (role-based identities). Daily updated CRLs are also provided here.



Public certificates can then be checked against our LDAP directory. As part of Single Sign-On (SSO) and identity federation, this directory is considered a public resource for identification. The e-mail address is the global ID. It is on our roadmap to take advantage of a native, tight integration of X.400 messaging, based on RFC 2294 and RFC 2164, with the open source openOSI JMS. It will help for ESB implementation,


Our directory environment is LDAP (a lightweight implementation of X.500), using OpenLDAP and interworking with Microsoft Active Directory. Our universal address book and identity schema are here, with a sample LDIF entry.
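The checks a relying party runs before trusting a certificate as an identification, as described above (CA signature, validity window, the CA's published CRL, and the LDAP public key check keyed on the e-mail address used as global ID), as an added example that is not openOSI or EJBCA code. It uses the Python `cryptography` package; the CA, user names, e-mail addresses and serial numbers are constructed for the demo, and the LDAP directory is simulated with a dict mapping e-mail to the published SubjectPublicKeyInfo DER (a real deployment would read `userCertificate` from the directory instead).

```python
"""Added example (not openOSI code): identification checks on an X.509 certificate whose
subjectAltName rfc822Name carries the e-mail address used as global ID. The LDAP
directory is simulated with a dict: e-mail -> published SubjectPublicKeyInfo DER."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def spki_der(public_key):
    # DER SubjectPublicKeyInfo: the form a directory would publish for a key check
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def make_ca(common_name):
    """Self-signed CA (constructed for the demo; the name is hypothetical)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_cert(ca_key, ca_cert, mail, key, serial, days=365):
    """End-entity certificate; the e-mail (global ID) goes in subjectAltName as rfc822Name."""
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(_name(mail)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(now - DAY).not_valid_after(now + days * DAY)
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(mail)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def publish_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA, as a daily CRL publication would produce."""
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now - DAY).next_update(now + DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())


def _within_validity(cert, now):
    # validity-window check that works across cryptography versions (naive vs. tz-aware)
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc <= now <= cert.not_valid_after_utc
    naive = now.replace(tzinfo=None)
    return cert.not_valid_before <= naive <= cert.not_valid_after


def verify_identity(cert, ca_cert, crl, directory, now=None):
    """Return (accepted, e-mail or rejection reason). Untrusted input is rejected before use."""
    now = now or datetime.datetime.now(UTC)
    if cert.issuer != ca_cert.subject:
        return False, "issuer is not our CA"
    try:  # 1. CA signature over the TBS certificate
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature not from trusted CA"
    if not _within_validity(cert, now):  # 2. validity window
        return False, "outside validity period"
    # 3. revocation: only a CRL issued and signed by the same CA is authoritative
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return False, "CRL not trusted"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "revoked"
    try:  # 4. the e-mail is the global ID; require exactly one rfc822Name
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False, "no subjectAltName"
    mails = san.get_values_for_type(x509.RFC822Name)
    if len(mails) != 1:
        return False, "certificate must carry exactly one rfc822Name"
    published = directory.get(mails[0])  # 5. directory public key check
    if published is None:
        return False, "e-mail not in directory"
    if published != spki_der(cert.public_key()):
        return False, "public key differs from directory entry"
    return True, mails[0]


def build_demo():
    """Constructed sample PKI: a CA, a good user, a revoked user, and the directory entries."""
    ca_key, ca_cert = make_ca("demo CA")
    alice_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    bob_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    alice = issue_cert(ca_key, ca_cert, "alice@example.org", alice_key, 1001)
    bob = issue_cert(ca_key, ca_cert, "bob@example.org", bob_key, 1002)
    crl = publish_crl(ca_key, ca_cert, [bob.serial_number])  # Bob's certificate was revoked
    directory = {"alice@example.org": spki_der(alice_key.public_key()),
                 "bob@example.org": spki_der(bob_key.public_key())}
    return ca_cert, ca_key, crl, directory, alice, bob
```

Calling `verify_identity` on the two demo certificates returns `(True, 'alice@example.org')` for Alice and `(False, 'revoked')` for Bob. The order of the checks is deliberate: the signature is verified before any field of the certificate is relied on, the CRL is only consulted once its own signature has been checked against the same CA, and the directory lookup is the last step because it confirms that the key presented is the one published for that e-mail, which is what makes the e-mail usable as an identifier across SSO and federation.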



Digital keys based on X.509 certificates are the core of identity management and single sign-on (SSO) when using the CAS server and its Java client with Shibboleth.

CAS is a central authentication system originally created by Yale University; it is now a JA-SIG project. Shibboleth is open source software that provides web single sign-on and complies with the OASIS SAML specifications.


GRID technology, and specifically the Semantic GRID, is an area of interest for openOSI. We see a GRID as a large-scale SOA (service-oriented architecture) infrastructure in which many ESBs (Enterprise Service Buses) can be interconnected. GRID security is a key enabling service in which X.509 certificates carrying OID values are key elements. LDAP with UDDI support is also a key enabling technology (RFC 4403).


Our targeted deployment environment is Java JBI: we are currently testing the PETALS environment. Our testbed is an open source biomedical GRID. We also consider the GRIDSHIB effort with


JBI environment



Security management is enhanced for ESB and GRID services when openOSI JMS X.400/X.500 attributes are mapped to mandatory access control (MAC), multi-level security (MLS) and multi-category security (MCS), enforced at the core operating system level.

Our security environment is SELinux, as implemented by Red Hat in Fedora. Note that it brings compliance with Common Criteria EAL3+ and EAL4. For remote administration we use OpenSSH with the X.509 certificate enabler from Roumen Petrov.