How to use client certificates for admin ui authentication

[aloeenmae]

Hi!

I'm trying to deploy dockerized EJBCA-CE solution with Nginx frontend. It works without problem, but the issue here is that anyone who have a valid client certificate (tusted by nginx frontend) has full admin access to Admin UI.
# docker exec -ti ejbca ejbca.sh roles listadmins --role "Super Administrator Role"
2023-11-01 14:04:54,838+0000 INFO [org.ejbca.ui.cli.roles.ListAdminsCommand] (main) [Admin not bound to CA or provider] USERNAME TYPE_EQUALCASE "ejbca" ""
2023-11-01 14:04:54,838+0000 INFO [org.ejbca.ui.cli.roles.ListAdminsCommand] (main) [Admin not bound to CA or provider] TRANSPORT_ANY TYPE_UNUSED "" ""
when I remove the TRANSPORT_ANY TYPE_UNUSED from the Super Administrator Role

# docker exec -ti ejbca ejbca.sh roles removeadmin --role "Super Administrator Role" --value "" --with PublicAccessAuthenticationToken:TRANSPORT_ANY --caname ""

and added my client certificate with serial number:

# docker exec -ti ejbca ejbca.sh roles listadmins --role "Super Administrator Role"
2023-11-01 14:04:54,838+0000 INFO [org.ejbca.ui.cli.roles.ListAdminsCommand] (main) 'ManagmentCA' WITH_SERIALNUMBER TYPE_EQUALCASEINS "XXXXXXXXXXXXXXXXXXXXX "My test client cert for auth"
2023-11-01 14:04:54,838+0000 INFO [org.ejbca.ui.cli.roles.ListAdminsCommand] (main) [Admin not bound to CA or provider] USERNAME TYPE_EQUALCASE "ejbca" ""

now if I trying to access Admin UI via browser I get error msg: "Authorization Denied" Cause: You are not authorized to view this page.

Maybe anyone could help me with this problem?

Thanks
Alo

[svenska-primekey]

I've ran into this issue in the past. The only way I have gotten past this is to restart the EJBCA container after removing the public access token from the super admin role and adding an entry to the super admin role to authenticate with a certificate. After restarting the container this should work to login now with the certificate configured in the super admin role.

[aloeenmae]

Restarting EJBCA container didn't help much. Now I get
Authorization Denied No client certificate was presented If you did not get prompted to select a client certificate, please check that you have the correct certificate.

I do have the correct client certificate serial in my Super Admin role

# docker exec -ti ejbca ejbca.sh roles listadmins --role "Super Administrator Role"

2023-11-07 07:24:24,077+0000 INFO [org.ejbca.ui.cli.roles.ListAdminsCommand] (main) 'ManagmentCA' WITH_SERIALNUMBER TYPE_EQUALCASEINS "3473E218215AE868592A4C9635237C9905169901" "My test client cert"

In the EJBCA frontend log (Nginx log):
Nov 07 07:23:13 my-test-ejbc-host docker-ejbca_frontend[748999]: 192.168.1.2 - - [07/Nov/2023:07:23:13 +0000] "GET /ejbca//adminweb/themes/default_theme.css HTTP/1.1" 200 33443 "https://my-ejbca-test-01.example.com/ejbca/adminweb/" "Mozilla/5.0 (XXXXXXXXXXXXXXXXXXX" "-" "SSL: SUCCESS / CN=My test client cert" "Cert fingerprint: d7915a5a6fc806cf4807b73243b6dedc31e16a34"

Nov 07 07:23:13 my-test-ejbc-host docker-ejbca_frontend[748999]: 192.168.1.2 - - [07/Nov/2023:07:23:13 +0000] "GET /ejbca/adminweb/javax.faces.resource/components.css.xhtml?ln=primefaces&v=12.0.0 HTTP/1.1" 200 108200 "https://my-ejbca-test-01.example.com/ejbca/adminweb/" "Mozilla/5.0 (XXXXXXXXXXXXXXXXXXX) Gecko/20100101 Firefox/119.0" "-" "SSL: SUCCESS / CN=My test client cert" "Cert fingerprint: d7915a5a6fc806cf4807b73243b6dedc31e16a34"

Nov 07 07:23:13 my-test-ejbc-host docker-ejbca_frontend[748999]: 192.168.1.2 - - [07/Nov/2023:07:23:13 +0000] "GET /favicon.ico HTTP/1.1" 404 146 "https://my-ejbca-test-01.example.com/ejbca/adminweb/" "Mozilla/5.0 (XXXXXXXXXXXXXXXXXXX) Gecko/20100101 Firefox/119.0" "-" "SSL: SUCCESS / CN=My test client cert" "Cert fingerprint: d7915a5a6fc806cf4807b73243b6dedc31e16a34"

My test client cert fingerprint:

# openssl x509 -in my_test_client_cert.pem -noout -fingerprint | tr '[:upper:]' '[:lower:]' | tr -d ':'
sha1 fingerprint=d7915a5a6fc806cf4807b73243b6dedc31e16a34

My rest client cert serial:

# openssl x509 -in my_test_client_cert.pem -noout -serial
serial=3473E218215AE868592A4C9635237C9905169901

This is my EJBCA frontend (nginx) configuration file:

user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
  worker_connections 1024;
}

http {

  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }

  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for" '
  '"SSL: $ssl_client_verify / $ssl_client_s_dn" '
  '"Cert fingerprint: $ssl_client_fingerprint"';
  access_log /var/log/nginx/access.log main;
  sendfile on;
  keepalive_timeout 65;

  # HTTP (port 80) server
  server {
    listen 80;
    server_tokens off;

    # Redirect HTTP request to HTTPS
    location / {
      return 301 https://$host$request_uri;
    }

    # Allow EJBCA application level healthcheck over plain HTTP
    location = /ejbca/publicweb/healthcheck/ejbcahealth {
      proxy_pass http://ejbca:8081;
    }
  }

  # HTTPS
  server {
    listen 443 ssl;
    server_tokens off;

    if ($http_x_forwarded_proto = '') {
      set $http_x_forwarded_proto $scheme;
    }

    ssl_certificate /etc/nginx/ssl/server.crt.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key.pem;

    ssl_session_cache shared:SSL:1m;

    # Mozilla Intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # Set client verification optional so not authenticated users sees 403
    ssl_verify_client optional;

    # trusted client certificate authorities
    ssl_client_certificate /etc/nginx/ssl/ca_auth.pem;

    # Set the verification depth on the chain
    ssl_verify_depth 1;

    # restrict methods - only allow GET, POST, PUT and HEAD
    if ($request_method !~ ^(GET|POST|PUT|HEAD)$) {
      return '405';
    }

    # favicon.ico
    location = /favicon.ico {
      log_not_found off;
    }

    location / {
      # Check that TLS verification is OK, otherwise return 403
      if ($ssl_client_verify != SUCCESS) {
        return 403;
      }

      proxy_pass http://ejbca:8082/;
      proxy_set_header Host $http_host;
      proxy_http_version 1.1;
      proxy_pass_header Server;

      # Proxy headers
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header SSL_CLIENT_CERT $ssl_client_verify;
      proxy_set_header X-Forwarded-Host $host;
    }
  }
}

Any additional ideas about this "Authorization Denied" issue?

Thank
Alo

[svenska-primekey]

The only thing that is standing out to me from my nginx config compared to yours is that in mine I have:

proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;

Can you try switching the variable for SSL_CLIENT_CERT to what I am using?

[aloeenmae]

@svenska-primekey thank you! this is nice blind spot for me ;) I just don't see it :D

[aloeenmae]

Any ideas?