Replies: 1 comment 3 replies
-
|
If you do not trust the host your application is running on, we advice that you disabled CLI access. This can be done in the admin UI->System configuration. I.e. you have role separation so that your superadmin can control if the people that can login to the host can use the CLI. |
Beta Was this translation helpful? Give feedback.
-
|
You can also set another password for the existing CLI user (ejbca), or create new CLI users with other access and other passwords. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for your respose. It is not clear to me how disabling the CLI access can be an option - if a node is restarted for some reason the startup scripts will require CLI access in order to get EJBCA up and running again. If CLI access is disabled the startup will fail, won't it? Morten |
Beta Was this translation helpful? Give feedback.
-
|
I got around to testing this now. I also added some more documentation for stopping/starting containers with an external database: You are correct, when doing this the CLI is needed in order to create a new TLS server certificate for the instance being started. Using TLS_SETUP_ENABLED="later" and a TLS proxy should do the trick though, as the CLI is not needed to generate a TLS server certificate then. I didn't test much with it though... |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi,
we are running EJBCA CE on Kubernetes and want to see if it is possible to limit the permissions of the CLI user during normal operation in order to prevent unauthorized operations. However, the CLI user obviously needs a lot of permissions during startup of an EJBCA instance, and in case of problems with the installation we would need the CLI user to have sufficient access to resolve the issues.
An attempt at creating a new role with some restrictions and assigning the CLI user to this new role was only partially successful. We could get the instance up and running and apparently working but lost the ability to log on to EJBCA Admin GUI using the smartcard we had set up for this purpose. This does however work if we assign the CLI user to the Super Administrator Role. Even if we allow all permissions on this new role we get this problem, so it seems to be related to the CLI user not being a Super Administrator Role member somehow.
Anyone having experience with this? Are there any recommendations related to limiting the permissions of the CLI user?
Regards,
Morten
Beta Was this translation helpful? Give feedback.
All reactions