From: Philip V. <ph...@mu...> - 2004-04-08 12:54:24
Hi

I have now corrected the bug and have set up a similar administrative scenario with a PI CA and an S one. And now it seems to work correctly. You can fetch the updated files from CVS.

The files are:
src/adminweb/administratorpriviledges/editbasicaccessrules.jsp
src/java/se/anatom/ejbca/authorization/BasicAccessRulesEncoder.java
src/java/se/anatom/ejbca/authorization/LocalAuthorizationSessionBean.java

// Philip

> Hi again
>
> This is definitely erroneous behaviour; the 'PI' administrator group should not
> have access to the superadmin group at all.
>
> If you want to have CA administrators for the 'S' CA define their own
> administrators, you have to make an exception to the 'server cert only' rule and
> have the 'S' CA issue the 'S' administrators' certificates. Or you can have the
> superadministrator group define all 'S' administrators, since there will
> probably be fewer 'S' administrators than 'PI' administrators.
>
> I will look into the problem in the coming days and come back to you with a
> solution.
>
> Philip
>
> Gerard Gagliano <ge...@si...> said:
>
> > Phillip,
> >
> > As I said earlier, I do have access. However, I am seeing some peculiar
> > behavior.
> >
> > Using the same example as below, and noting that all three certs
> > (SuperAdmin, PI and S) were signed with 'PI', and there are three groups
> > (one for each cert):
> >
> > ) If I use the cert for SuperAdmin, I see all three Administrator Groups
> >   (which I would expect).
> > ) If I use the cert for 'S', I see no Administrator Groups (which I
> >   would expect).
> > ) If I use the cert for 'PI', I see the SuperAdmin and the 'PI'
> >   Administrator Groups (which I would NOT expect).
> >
> > Furthermore, using the 'PI' cert, I can:
> > ) Add Administrators for the 'PI' and SuperAdmin groups
> > ) Change the Access Rules for the 'PI' and SuperAdmin groups (though I have
> >   to switch to Advanced mode first for SuperAdmin)
> > ) Not change the Access Role for 'PI' to SuperAdmin
> >
> > Can you advise me as to whether I should post this to the group or address
> > it with you? Also, if needed I can do a mysqldump of the database state
> > describing this.
> >
> > Thanks in advance.
> >
> > Gerard
> >
> > On Tue, 2004-04-06 at 12:17, Philip Vendil wrote:
> >
> > > Hi
> > >
> > > I assume you are using EJBCA beta 2.
> > >
> > > As I can see, you need three administrator groups:
> > >
> > > One SuperAdministrator group, one 'PI' CA administrator group, and one 'S'
> > > administrator group.
> > >
> > > What you should do is the following:
> > >
> > > For the 'PI' administrator group:
> > > 1. Create one group called something like 'PI CA administrators' and choose
> > >    'PI' in the drop-down list beside the name. The drop-down list says which CA
> > >    signer the administrators have.
> > >
> > > 2. In the 'Administrators' page, add your administrators.
> > >
> > > 3. In the Basic Access Rules page, choose Role 'CA Administrator' and in the CA
> > >    field, mark 'PI'. This field tells which CAs the administrator group is
> > >    authorized to manage.
> > >
> > > For the 'S' administrator group:
> > > 1. Create one group called something like 'S CA administrators' and choose
> > >    'PI' also here in the drop-down list beside the name.
> > >
> > > 2. In the 'Administrators' page, add your administrators.
> > >
> > > 3. In the Basic Access Rules list, choose Role 'CA Administrator' and in the CA
> > >    field, mark 'S'.
> > >
> > > Now it will hopefully work as you want it to.
> > >
> > > // Philip
> > >
> > > Gerard Gagliano <ge...@si...> said:
> > >
> > > > Hi,
> > > >
> > > > We are getting into the architecture of permissions within a multiple-CA
> > > > EJBCA instance. The layout of what we have planned is something like 2
> > > > CAs: 1 for personal identity (PI), 1 for servers (S). I want to
> > > > create a CA Administrator for each CA. In this scenario, all CA
> > > > Administrator certificates should be signed by 'PI'.
> > > >
> > > > I can create a CA Administrator for PI (given 'PI' is the signer of my
> > > > initial superadmin cert) that gives me access to the 'PI' CA. It
> > > > appears as though I cannot create a similar cert for a CA administrator
> > > > of 'S' (without also giving it administrator authority over 'PI'), and
> > > > EJBCA reports 'Access Denied'.
> > > >
> > > > Recognizing that I don't know the internals of EJBCA at all, a possible
> > > > solution to this would be to add a drop-down pick or select list of
> > > > 'Trusted Signers' on the page 'Edit Administrators', on the same line as
> > > > 'Match with', 'Match Type', and 'Administrator'.
> > > >
> > > > Can you give any much needed guidance?
> > > >
> > > > Thanks
> > > >
> > > > Gerard
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
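Added example, not code from this thread or from EJBCA: a small Python model of the administrator-group rule the thread describes (a group's 'CA signer' drop-down says which CA issues its administrators' certificates; its Basic Access Rules 'CA' field says which CAs the group may manage). It encodes, as an assumption, the least-privilege reading that fits Gerard's three observations: an administrator may see and edit a group only when authorized for the CA that signs that group's administrators and for every CA the group itself manages, and the SuperAdministrator group is reserved for superadmins. The class names, the membership table, the sample certificates and the way the SuperAdministrator group is represented (no CA-specific rules of its own) are this example's own; the thread does not say what the corrected defect was, so the protect_superadmin switch only shows which behaviour matches what Philip calls intended and which matches the symptom Gerard reported.

```python
"""Added example (not EJBCA code): model of admin-group visibility in a
multi-CA setup, using the PI / S / SuperAdmin scenario from the thread.
Class names, membership table and sample certs are this example's assumptions."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AdminGroup:
    """One administrator group as modelled here (not EJBCA's own class)."""
    name: str
    ca_signer: str                  # CA issuing this group's administrator certs
    authorized_cas: FrozenSet[str]  # CAs the group may manage ("CA" field, Basic Access Rules)
    superadmin: bool = False        # the built-in SuperAdministrator group


@dataclass(frozen=True)
class AdminCert:
    """The certificate an administrator logs in with: subject and issuing CA."""
    subject: str
    issuer_ca: str


PI, S = "PI", "S"
SUPER, PI_GROUP, S_GROUP = "SuperAdministrators", "PI CA administrators", "S CA administrators"

# Gerard's setup: all three admin certs issued by 'PI', one group per cert.
# Assumption: the SuperAdministrator group carries no CA-specific rules; its
# authority comes from the superadmin flag alone.
GERARD_GROUPS: List[AdminGroup] = [
    AdminGroup(SUPER, PI, frozenset(), superadmin=True),
    AdminGroup(PI_GROUP, PI, frozenset({PI})),
    AdminGroup(S_GROUP, PI, frozenset({S})),
]
GERARD_CERTS = [AdminCert("superadmin", PI), AdminCert("pi-admin", PI), AdminCert("s-admin", PI)]

# Philip's alternative: make an exception to the 'server cert only' rule and
# let the 'S' CA issue the 'S' administrators' certificates.
PHILIP_ALT_GROUPS: List[AdminGroup] = [
    AdminGroup(SUPER, PI, frozenset(), superadmin=True),
    AdminGroup(PI_GROUP, PI, frozenset({PI})),
    AdminGroup(S_GROUP, S, frozenset({S})),
]
PHILIP_ALT_CERTS = [AdminCert("superadmin", PI), AdminCert("pi-admin", PI), AdminCert("s-admin", S)]

# Constructed membership table (subject -> group name). EJBCA matches on
# certificate fields; this example maps subjects directly.
MEMBERSHIP: Dict[str, str] = {"superadmin": SUPER, "pi-admin": PI_GROUP, "s-admin": S_GROUP}


def group_of(cert: AdminCert, groups: List[AdminGroup],
             membership: Dict[str, str] = MEMBERSHIP) -> AdminGroup:
    """Resolve the group an administrator acts under. The cert is accepted only
    if it was issued by that group's CA signer (the drop-down beside the name)."""
    group = next(g for g in groups if g.name == membership[cert.subject])
    if cert.issuer_ca != group.ca_signer:
        raise PermissionError(f"{cert.subject}: issued by {cert.issuer_ca}, "
                              f"but group {group.name} expects {group.ca_signer}")
    return group


def cert_accepted(cert: AdminCert, groups: List[AdminGroup]) -> bool:
    """True if the cert's issuer matches its group's CA signer."""
    try:
        group_of(cert, groups)
        return True
    except PermissionError:
        return False


def visible_groups(actor: AdminGroup, groups: List[AdminGroup],
                   protect_superadmin: bool = True) -> List[str]:
    """Admin groups the actor may view and edit (administrators and access rules).

    Superadmins see everything. Otherwise the actor must be authorized for the CA
    that signs the group's administrators AND for every CA the group itself may
    manage, so delegation can never exceed the actor's own authority. With
    protect_superadmin the SuperAdministrator group is reserved for superadmins
    (the behaviour Philip calls intended); with it off, the empty CA set of that
    group passes the subset check vacuously and a 'PI' admin sees it, which is
    the symptom Gerard reported. Whether that was the actual defect is an
    assumption; the thread does not say."""
    if actor.superadmin:
        return [g.name for g in groups]
    seen = []
    for g in groups:
        if g.superadmin and protect_superadmin:
            continue
        if g.ca_signer in actor.authorized_cas and g.authorized_cas <= actor.authorized_cas:
            seen.append(g.name)
    return seen


def what_each_admin_sees(groups: List[AdminGroup], certs: List[AdminCert],
                         protect_superadmin: bool = True) -> Dict[str, List[str]]:
    """Map each admin cert to the admin groups it can see and edit."""
    return {c.subject: visible_groups(group_of(c, groups), groups, protect_superadmin)
            for c in certs}


if __name__ == "__main__":
    for label, groups, certs in (("Gerard's setup", GERARD_GROUPS, GERARD_CERTS),
                                 ("Philip's alternative", PHILIP_ALT_GROUPS, PHILIP_ALT_CERTS)):
        print(label)
        for subject, seen in what_each_admin_sees(groups, certs).items():
            print(f"  {subject:<11} -> {seen or 'no administrator groups'}")
```

Under Gerard's setup the model gives the SuperAdmin cert all three groups, the 'PI' cert only the 'PI' group, and the 'S' cert nothing, because the 'S' group's administrators are signed by 'PI', a CA the 'S' group is not authorized for. Under Philip's alternative the 'S' cert sees the 'S' group, at the cost of the 'S' CA issuing administrator certificates. A cert presented against a group whose CA signer differs from its issuer is rejected outright, which is the check that makes the 'CA signer' drop-down meaningful.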