updating EJBCA docker container config.v2.json file

[merryo11]

Dear All,

I created Keyfactor/ejbca-ce 8.0 docker container on ubuntu 22 with mysql (on separate VM) and web access ports 80/443 and now I want to add one more port to access wildfly management console and also want to change SMTP user password.

Can anyone confirm if just editing config.v2.json file under the container through nano/vi text editor shall reflect the changes after container restart or I have to using docker compose only for this.

Actually there is a need of port addition and SMTP user password change without disturbing my installed EJBCA setup and database. Creating new container is not an option because I already created few CAs, certificate profiles, end entity profiles with active users and certificates.

Thanks

[aloeenmae]

If you use an external database, all important information is stored there, and during the start/stop of the EJBCA container, the data in the existing database is used.

The container, by its very nature, is not intended for you to change some kind of parameters inside the container and hope that it will remain during start/stop, because in this case the entire logic of the containers would disappear.

https://hub.docker.com/r/keyfactor/ejbca-ce - describes the variables that can be used.
For example:

SMTP_DESTINATION: The hostname/IP of the SMTP server that should be used for sending email, default localhost (there is no SMTP server in the container though).

SMTP_DESTINATION_PORT: the SMTP port to use on the host, default 25.

You can set the variables with an argument with a '-e' argument on the command line, see Quick Start for example usage. Other variables relevant for SMTP settings are SMTP_TLS_ENABLED (default true), SMTP_SSL_ENABLED (default true), SMTP_USERNAME, SMTP_PASSWORD, SMTP_FROM.

[merryo11]

Well I used these variables already but now my requirement is to just add a new port like translate port 8442 to just 442 for public web without client authentication and secondly I need to change my smtp user password only. How can I address this problem at hand. Do I need to create a new container using same managementca and superadmin. Thanks

…

On Thu, Oct 19, 2023, 11:51 PM aloeenmae ***@***.***> wrote: If you use an external database, all important information is stored there, and during the start/stop of the EJBCA container, the data in the existing database is used. The container, by its very nature, is not intended for you to change some kind of parameters inside the container and hope that it will remain during start/stop, because in this case the entire logic of the containers would disappear. https://hub.docker.com/r/keyfactor/ejbca-ce - describes the variables that can be used. For example: SMTP_DESTINATION: The hostname/IP of the SMTP server that should be used for sending email, default localhost (there is no SMTP server in the container though). SMTP_DESTINATION_PORT: the SMTP port to use on the host, default 25. You can set the variables with an argument with a '-e' argument on the command line, see Quick Start for example usage. Other variables relevant for SMTP settings are SMTP_TLS_ENABLED (default true), SMTP_SSL_ENABLED (default true), SMTP_USERNAME, SMTP_PASSWORD, SMTP_FROM. — Reply to this email directly, view it on GitHub <#387 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BCLN37DTLHLLCVMWSSJKS53YAFZC5AVCNFSM6AAAAAA6HPVDYOVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM3TGMZRGU3DE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[primetomas]

If you need to change your SMTP password, you restart the container chaning your password in the environment variable you passed into it.
Changing ports is something you don't do in the container again. Taking the simple case, you start a quick container with:
docker run -it --rm -p 80:8080 -p 443:8443 -h mycahostname etc etc
You have your post mapping right there. The way the container is set up, port 443/84543 is with optional client certificate authentication. So public web (or RA web since public web is removed) is accessible without client certificate using port 443 (standard TLS port).
If you want something different, you run a ingress (apache front-end) where you can do any type of mapping that you like.

You never change anything inside the container, you restart it, or start another one, with different environment variable settings.

[merryo11]

Dear Tomas, Actually my great worry is that by changing few of environment variables I don't want my rest of all the running settings like DB, CryptoTokens, CAs and end certificates to be disturb.

Correct me if I am wrong that by running the command docker run -it --rm -p 80:8080 -p 443:8443 -h mycahostname with updated environment variables and new ports doesn't create a new container, management CA and local SSL.

[primetomas]

No, when you use an external database nothing new will be created by EJBCA. A Management CA and such are only created when you connect to an empty database the first time. A new container for sure, that is the idea of it. You can run multiple containers at the same time using the same database. That is how you handle scaling and high availability. You can run multiple containers in different availability zones to spread load and ensure availability. As long as all containers use the same database.