From: Michael S. <mi...@st...> - 2015-02-27 08:41:12
Tomas Gustavsson wrote:
> That password should use a non brutable length.

Yes, of course.

> If you wish you can disable the command line interface completely even.

I deliberately keep this enabled until it's sure that the admins take care of renewing their admin certs in time.

> Anyhow, the cli password is only usable for the cli. If you manage to get
> hold of it, you also need to manage to get access to the command line of
> your CA, not so easy I hope.

I also hope this and of course the operators are doing their best to harden the machines. But given all the really serious security threats in Java during the last 2 years I'm really concerned that I have to allow direct HTTPS access to adminweb for individual authentication/authorization with client certs. Letting components run under different OS accounts communicating over Unix Domain Sockets (or other OS pipes) would be really great.

Ciao, Michael.