Username error and showing wrong profile EJBCA-611-CE

merryo
2023-01-19
2023-01-19
  • merryo

    merryo - 2023-01-19

    Dear All, I am facing a very strange issue while adding an end entity whose username already exists in the database. The issue is, e.g., I have an entity with username 12345 under EE profile 1 with a certificate. After some time, if I create the same username under EE profile 2, it updates the previously issued EE under the 2nd profile and also allows the certificate to be created under that 2nd profile, and it is happening very rarely because username itself is a primary key in the user data table. So can anyone help if this is a bug or where we are doing wrong?

    See audit log details in the Excel attachment.

     
  • Tomas Gustavsson

    It sounds like an expected behavior. You are editing the existing end entity. Don't know how you are doing this, but most API calls are designed like this, add end entity if it doesn't exist, edit end entity if it exists.

     
  • merryo

    merryo - 2023-01-19

    Let me rephrase the question. I created an entity in profile 1 whose issuing CA is ca1. After some time, if I create the same entity with the same user name but with a different subjectDN under profile 2, whose issuing CA is also different, then how come the same user gets updated in profile 2 when it already exists in profile 1?

    See the Excel file I attached for clear understanding.

     
  • Tomas Gustavsson

    You are getting the concepts wrong. A user does not belong to a profile. A user uses a profile. You can edit the user to switch from profile 1 to profile 2. You are not adding a new user, you are editing the existing user. As username is primary key, there can only exist one user with a specific username. But if you have the privileges to edit users, you can edit it and issue multiple certificates from different profiles and different CAs to this user.
    It is not uncommon that a single user has multiple certificates, from different CAs. Say, for example, one authentication certificate and one signature certificate for human users.

     
  • merryo

    merryo - 2023-01-19

    Dear Tomas, I got your point, but we designed the access control in a way that only one RA can have access to one CA, one end entity profile and one certificate profile, so that is what is confusing us: how come the user restricted under one profile jumped to the other profile?

     
  • Tomas Gustavsson

    How do you add/edit the end entity? SOAP API?

     
  • merryo

    merryo - 2023-01-19

    No, using the Admin web portal for entity addition and update, and the public web for certificate creation.

     
  • Tomas Gustavsson

    I cannot reproduce that. If I try to add an end entity with the same username, I get an error message, as you can see in the screenshot. If the end entity profile I have access to only has "one" as allowed certificate profile and CA, those are the only options available.

    Your version is very old though. If you upgrade you will see many improvements.

     

    Last edit: Tomas Gustavsson 2023-01-19
  • merryo

    merryo - 2023-01-19

    Yes, I totally agree and understand your point. The same is happening on our side also; that is why we got worried about how that happened.

     
  • merryo

    merryo - 2023-01-19

    As a last resort, how can I update the database to resolve this issue, because I need to create the report for my department? Can I create a new entity and update the database directly? I hope there are no serious consequences.

     
  • Tomas Gustavsson

    You can edit the database directly. You can also edit the end entity with superadmin (with access to both profiles/CAs). But I don't think you can change the user's EE profile in 6.11; you can in 7.11. You can also use the WS API or clientToolBox to edit the user. Many ways, no serious consequences to edit an end entity.

     
  • merryo

    merryo - 2023-01-19

    We are using EJBCA 6.1.1 Community Edition, not 6.11, by the way.

     
  • merryo

    merryo - 2023-01-19

    Secondly, I posted one more question in the open discussion forum, so please see that also. Thank you for your time and kind help.

     
