From: Philip V. <ph...@mu...> - 2004-04-07 07:12:15
Hi again

This is definitely erroneous behaviour; the 'PI' administrator group should not have access to the superadmin group at all. If you want to have CA administrators for the 'S' CA define their own administrators, you have to make an exception to the 'server cert only' rule and have the 'S' CA issue the 'S' administrators' certificates. Or you can have the superadministrator group define all 'S' administrators, since there will probably be fewer 'S' administrators than 'PI' administrators.

I will look into the problem in the coming days and come back to you with a solution.

Philip

Gerard Gagliano <ge...@si...> said:

> Phillip,
>
> As I said earlier, I do have access. However, I am seeing some peculiar
> behavior.
>
> Using the same example as below, and noting that all three certs
> (SuperAdmin, PI and S) were signed with 'PI', and there are three groups
> (one for each cert):
>
> - If I use the cert for SuperAdmin, I see all three Administrator Groups
>   (which I would expect).
> - If I use the cert for 'S', I see no Administrator Groups (which I
>   would expect).
> - If I use the cert for 'PI', I see the SuperAdmin and the 'PI'
>   Administrator Groups (which I would NOT expect).
>
> Furthermore, using the 'PI' cert, I can:
> - Add Administrators for the 'PI' and SuperAdmin groups
> - Change the Access Rules for 'PI' and SuperAdmin groups (though I have
>   to switch to Advanced mode first for SuperAdmin)
> - Not change the Access Role for 'PI' to SuperAdmin
>
> Can you advise me as to whether I should post this to the group or address
> it with you? Also, if needed I can do a mysqldump of the database state
> describing this.
>
> Thanks in advance.
>
> Gerard
>
> On Tue, 2004-04-06 at 12:17, Philip Vendil wrote:
>
> > Hi
> >
> > I assume you are using EJBCA beta 2.
> >
> > As I can see, you need three administrator groups:
> >
> > One SuperAdministrator group, one 'PI' CA administrator group, and one 'S'
> > administrator group.
> >
> > What you should do is the following:
> >
> > For the 'PI' administrator group:
> > 1. Create one group called something like 'PI CA administrators' and choose
> > 'PI' in the drop-down list beside the name. The drop-down list says which CA
> > signer the administrators have.
> >
> > 2. In the 'Administrators' page, add your administrators.
> >
> > 3. In the Basic Access Rules page, choose Role 'CA Administrator' and in the CA
> > field, mark 'PI'. This field tells which CAs the administrator group is
> > authorized to manage.
> >
> > For the 'S' administrator group:
> > 1. Create one group called something like 'S CA administrators' and choose
> > 'PI' also here in the drop-down list beside the name.
> >
> > 2. In the 'Administrators' page, add your administrators.
> >
> > 3. In the Basic Access Rules list, choose Role 'CA Administrator' and in the CA
> > field, mark 'S'.
> >
> > Now it will hopefully work as you want it to.
> >
> > // Philip
> >
> > Gerard Gagliano <ge...@si...> said:
> >
> > > Hi,
> > >
> > > We are getting into the architecture of permissions within a multiple-CA
> > > EJBCA instance. The layout of what we have planned is something like 2
> > > CAs - 1 for personal identity (PI), 1 for servers (S). I want to
> > > create a CA Administrator for each CA. In this scenario, all CA
> > > Administrator Certificates should be signed by 'PI'.
> > >
> > > I can create a CA Administrator for PI (given 'PI' is the signer of my
> > > initial superadmin cert) that gives me access to the 'PI' CA. It
> > > appears as though I cannot create a similar cert for a CA administrator
> > > of 'S' (without also giving it administrator authority over 'PI') and
> > > EJBCA reports 'Access Denied'.
> > >
> > > Recognizing that I don't know the internals of EJBCA at all, a possible
> > > solution to this would be to add a drop-down pick or select list of
> > > 'Trusted Signers' on the page 'Edit Administrators', on the same line as
> > > 'Match with', 'Match Type', and 'Administrator'.
> > >
> > > Can you give any much needed guidance?
> > >
> > > Thanks
> > >
> > > Gerard