Hello,
I'm running EJBCA 7.4.3.2 CE.
Now I detected that 2 values in all CA definitions are filled with values:
- "CA issuer Default URI" filled with random hex number and is marked with a yellow background
- "CMP RA Authentication Secret" filled with a hidden value and is marked with a yellow background
I have never set these values.
In addition I have running an older copy of the database as a testing system. In this system all these
fields are empty.
After clearing the fields and saving the CA, the fields are filled again automatically. It is not possible to renew such an CA.
How can I get rid of these values?
Kind regards,
Torsten
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I run my database that is many years old. I could not reproduce this. And have not heard about it before, so it doesn't seem to be anything that generally affects updates.
You should be able to edit these values. CA Issuer Default URI, should be a URL. Authentication secret is a normal string.
Are you running any custom code?
Just go there next time. I just tested again on an on-kine instance I have.
First I set CA issuer Default URI to "http://abc.se/" and CMP RA Authentication Secret to qwerty. Then I edited the CA again.
CMP RA Authentication Secret is a bit special, since it is a secret the value is not reflected back
I could remove CA issuer Default URI without problem, and it's blank after saving.
Saving the CA without value in CMP RA Authentication Secret removed it from the database.
Neither of these fields does anything with the CA, unless configured to do so in a certificate profile of CMP alias. So they can be at any random value without trouble.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I tried it again and created 3 screenshots:
1. open CA for editing and showing current state
2. clear the 2 fields in question and press save
3. open the CA again for editing -> the 2 fields in question are filled again
Is it dangerous to clear the fields directly in the database? In my case the fields should be empty.
Okay, my testing environment is running 7.11.0.
My plan is now to upgrade the production PKI to 7.11.0. So If I understand you right I can have the hope that the problem will be gone after upgrading.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
You can hope. No guarantees, as I can not understand what your issue is. Did you try enabling debug log and see what is logged is you remove only "CA issuer Default URI" and press save?
Can you save any values on the CA, or do the yellow fields prevent saving anything? I.e. values in those fields do no harm, but if it prevents you editing anything else on the CA it would be a problem.
What browser are you using btw? I'm using Firefox.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Other values like "OCSP service Default URI" can be changed and saved. No, I haven't enabled debug log.
The yellow fields prevent renewing a CA. But it worked when the fields were cleared. When you look into the CA configuration after renewing it, the content of the 2 fields in question appear again.
I'm using firefox.
I guess first I upgrade my production environment to 7.11.0 and check the situation again.
Many thanks so far!
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hello,
I'm running EJBCA 7.4.3.2 CE.
Now I detected that 2 values in all CA definitions are filled with values:
- "CA issuer Default URI" filled with random hex number and is marked with a yellow background
- "CMP RA Authentication Secret" filled with a hidden value and is marked with a yellow background
I have never set these values.
In addition I have running an older copy of the database as a testing system. In this system all these
fields are empty.
After clearing the fields and saving the CA, the fields are filled again automatically. It is not possible to renew such an CA.
How can I get rid of these values?
Kind regards,
Torsten
I run my database that is many years old. I could not reproduce this. And have not heard about it before, so it doesn't seem to be anything that generally affects updates.
You should be able to edit these values. CA Issuer Default URI, should be a URL. Authentication secret is a normal string.
Are you running any custom code?
See here for the latest updates: https://github.com/Keyfactor/ejbca-ce/discussions
In general should it be possible to clear both values?
No, we do not run any custom code.
It is a default deployment and it has been running for over 10 years.
Do you mean I should post my question again in https://github.com/Keyfactor/ejbca-ce/discussions?
Just go there next time. I just tested again on an on-kine instance I have.
First I set CA issuer Default URI to "http://abc.se/" and CMP RA Authentication Secret to qwerty. Then I edited the CA again.
CMP RA Authentication Secret is a bit special, since it is a secret the value is not reflected back
I could remove CA issuer Default URI without problem, and it's blank after saving.
Saving the CA without value in CMP RA Authentication Secret removed it from the database.
Neither of these fields does anything with the CA, unless configured to do so in a certificate profile of CMP alias. So they can be at any random value without trouble.
I tried it again and created 3 screenshots:
1. open CA for editing and showing current state
2. clear the 2 fields in question and press save
3. open the CA again for editing -> the 2 fields in question are filled again
Is it dangerous to clear the fields directly in the database? In my case the fields should be empty.
Kind regards,
Torsten
Thanks. Since I tried on EJBCA 7.10 (and later), the first thing I can recommend is to upgrade in a test environment.
Okay, my testing environment is running 7.11.0.
My plan is now to upgrade the production PKI to 7.11.0. So If I understand you right I can have the hope that the problem will be gone after upgrading.
You can hope. No guarantees, as I can not understand what your issue is. Did you try enabling debug log and see what is logged is you remove only "CA issuer Default URI" and press save?
Can you save any values on the CA, or do the yellow fields prevent saving anything? I.e. values in those fields do no harm, but if it prevents you editing anything else on the CA it would be a problem.
What browser are you using btw? I'm using Firefox.
Other values like "OCSP service Default URI" can be changed and saved. No, I haven't enabled debug log.
The yellow fields prevent renewing a CA. But it worked when the fields were cleared. When you look into the CA configuration after renewing it, the content of the 2 fields in question appear again.
I'm using firefox.
I guess first I upgrade my production environment to 7.11.0 and check the situation again.
Many thanks so far!