This repository is part of the open-source project CZERTAINLY. You can find more information about the project, including the contribution guide, in the CZERTAINLY repository.
EJBCA NG Connector is the implementation of the following Function Groups and Kinds:

| Function Group | Kind |
|---|---|
| Authority Provider | EJBCA |
| Discovery Provider | EJBCA, EJBCA_SCHEDULE |
EJBCA NG Connector is the implementation of certificate management for EJBCA that is compatible with the v2 client operations interface. The Connector communicates with EJBCA through its SOAP Web Services.
Support for the EJBCA REST API is expected to be added as an option in a future release, because the EJBCA Web Service has limitations, for example on the number of end entities and certificates that can be fetched in one call.
EJBCA NG Connector allows you to perform the following operations:
- Authority Provider
- Discovery Provider
EJBCA NG Connector requires a PostgreSQL database to store its data.
EJBCA NG Connector works under the principle of RA Profiles. The Connector provides the pathway for communication with instances of EJBCA Certification Authorities. Multiple Authorities can be added using the same Connector. Once the Authorities are added, RA Profiles are created on top of them.
With the help of RA Profiles and the CSR information provided by the Client through the REST API, the Connector communicates with the Authority to obtain the Certificate.
To learn more about the Core, refer to CZERTAINLY Core.
Certificate discovery in the EJBCA NG Connector uses the V2 Certificate Search API of EJBCA. Older versions of EJBCA that do not support the V2 Search API are not supported.
There are two types of Discovery:
- EJBCA
- EJBCA_SCHEDULE
RA Profile attributes
The attributes for creating a new RA Profile include:
Certificate attributes
For issuing a new Certificate, you can use the following optional attributes for the End Entity:
The EJBCA username and the attributes used to issue the Certificate are written as Metadata in the Certificate object and can be used in future operations.
Certificate attributes
For discovering Certificates from EJBCA, the following attributes can be used:
EJBCA NG Connector implements the v2 Authority Provider and Discovery Provider interfaces. To learn more about the interfaces and endpoints, refer to the CZERTAINLY Interfaces.
For more information, please refer to the CZERTAINLY documentation.
EJBCA NG Connector is provided as a Docker container. Use `docker pull czertainly/czertainly-ejbca-ng-connector:tagname` to pull the required image from the repository. It can be configured using the following environment variables (the three `JDBC_*` variables are required because the Connector needs its PostgreSQL database; the others fall back to the listed default):

| Variable | Description | Required | Default value |
|---|---|---|---|
| `JDBC_URL` | JDBC URL for database access | Yes | N/A |
| `JDBC_USERNAME` | Username to access the database | Yes | N/A |
| `JDBC_PASSWORD` | Password to access the database | Yes | N/A |
| `DB_SCHEMA` | Database schema to use | No | ejbca |
| `PORT` | Port where the service is exposed | No | 8080 |
| `TRUSTED_CERTIFICATES` | List of PEM encoded additional trusted certificates | No | N/A |
| `REMOTE_DEBUG` | Enables JVM remote debug on port 5005 | No | false |
| `MAX_PAYLOAD_SIZE` | Maximum payload size in bytes | No | 2000000 |
| `EJBCA_SEARCH_PAGE_SIZE` | Maximum number of certificates to fetch in one request | No | 100 |
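The discovery section above says the Connector walks the EJBCA V2 Certificate Search API, and `EJBCA_SEARCH_PAGE_SIZE` caps how many certificates one request returns. The following is an added example, not code from the CZERTAINLY connector or from EJBCA, showing the paging loop a discovery client needs: stop on the short last page, stop once the server's reported total is reached (no extra empty round trip), bound the number of pages so a misbehaving server cannot spin the loop forever, and de-duplicate entries that shift between pages when the certificate set changes mid-discovery. The request and response shapes (`pagination`/`current_page`, `certificates`, `pagination_summary`/`total_certs`) are modelled on EJBCA's REST v2 search but are an assumption of this example; `FakeEjbcaSearch` and `sample_certificates` are constructed stand-ins so it runs offline.

```python
"""Paginated certificate discovery against a V2-style search endpoint.

Added example; this is not code from the CZERTAINLY connector. The request and
response shapes below (pagination/current_page, certificates,
pagination_summary/total_certs) are modelled on EJBCA's REST v2 certificate
search but are an ASSUMPTION of this example, not something this README states.
The transport is a plain callable so the paging logic runs offline against a
constructed in-memory fake.
"""
import os
from typing import Callable, Dict, List, Mapping, Optional, Set, Tuple

JsonDict = Dict[str, object]
DEFAULT_PAGE_SIZE = 100  # same default as the connector's EJBCA_SEARCH_PAGE_SIZE


def page_size_from_env(env: Mapping[str, str] = os.environ) -> int:
    """Read EJBCA_SEARCH_PAGE_SIZE; a size below 1 would make the loop spin forever."""
    raw = env.get("EJBCA_SEARCH_PAGE_SIZE", str(DEFAULT_PAGE_SIZE))
    try:
        size = int(raw)
    except ValueError as exc:
        raise ValueError(f"EJBCA_SEARCH_PAGE_SIZE is not an integer: {raw!r}") from exc
    if size < 1:
        raise ValueError("EJBCA_SEARCH_PAGE_SIZE must be at least 1")
    return size


def discover_certificates(search: Callable[[JsonDict], JsonDict],
                          criteria: List[JsonDict],
                          page_size: int,
                          max_pages: int = 10_000) -> List[JsonDict]:
    """Fetch every page of a search, at most page_size certificates per request.

    Stops on a short page (the last one), when the total_certs reported by the
    server has been reached (avoids one extra empty request), or when
    max_pages is hit (a server that keeps handing back the same page must not
    become an endless loop). Certificates are de-duplicated on
    (issuer_dn, serial_number), because an entry can move between pages when
    the underlying set changes while discovery is running.
    """
    seen: Set[Tuple[object, object]] = set()
    found: List[JsonDict] = []
    page = 1
    while page <= max_pages:
        request = {"pagination": {"page_size": page_size, "current_page": page},
                   "criteria": criteria}
        response = search(request)
        certs = response.get("certificates", [])
        for cert in certs:
            key = (cert.get("issuer_dn"), cert.get("serial_number"))
            if key not in seen:
                seen.add(key)
                found.append(cert)
        summary = response.get("pagination_summary", {})
        total: Optional[int] = summary.get("total_certs")
        if len(certs) < page_size:
            break
        if total is not None and len(found) >= total:
            break
        page += 1
    return found


class FakeEjbcaSearch:
    """Constructed stand-in for the search endpoint; serves a fixed list page by page."""

    def __init__(self, certs: List[JsonDict]) -> None:
        self.certs = certs
        self.calls = 0  # lets a caller check how many round trips were made

    def __call__(self, request: JsonDict) -> JsonDict:
        self.calls += 1
        pagination = request["pagination"]
        size, page = pagination["page_size"], pagination["current_page"]
        start = (page - 1) * size
        return {"certificates": self.certs[start:start + size],
                "pagination_summary": {"page_size": size, "current_page": page,
                                       "total_certs": len(self.certs)}}


def sample_certificates(count: int) -> List[JsonDict]:
    """Constructed sample data: `count` certificates from one issuing CA."""
    return [{"issuer_dn": "CN=Example Issuing CA,O=Example",
             "serial_number": f"{serial:016X}",
             "subject_dn": f"CN=host{serial}.example.test"}
            for serial in range(count)]


if __name__ == "__main__":
    fake = FakeEjbcaSearch(sample_certificates(250))
    result = discover_certificates(fake, criteria=[], page_size=DEFAULT_PAGE_SIZE)
    print(f"discovered {len(result)} certificates in {fake.calls} requests")
```

With 250 sample certificates and the default page size of 100 the loop makes exactly three requests; with 200 it makes two, because the reported total is reached after the second page. The `max_pages` guard and the `page_size` validation are the two checks worth keeping in any real client: without them a stale or misconfigured endpoint turns scheduled discovery (`EJBCA_SCHEDULE`) into a runaway job.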
You may need to configure a proxy to allow communication with external systems. To enable the proxy, use the following environment variables. Note that credentials embedded in the proxy URL are stored in the container environment and are visible to anyone who can inspect the container, so pass them through your orchestrator's secret mechanism rather than on the command line.

| Variable | Description | Required | Default value |
|---|---|---|---|
| `HTTP_PROXY` | The proxy URL to use for http connections. Format: `<protocol>://<proxy_host>:<proxy_port>` or `<protocol>://<user>:<password>@<proxy_host>:<proxy_port>` | No | N/A |
| `HTTPS_PROXY` | The proxy URL to use for https connections. Format: `<protocol>://<proxy_host>:<proxy_port>` or `<protocol>://<user>:<password>@<proxy_host>:<proxy_port>` | No | N/A |
| `NO_PROXY` | A comma-separated list of host names that should not go through any proxy | No | N/A |
Example values:

```
HTTP_PROXY=http://user:password@proxy.example.com:3128
HTTPS_PROXY=http://user:password@proxy.example.com:3128
NO_PROXY=localhost,127.0.0.1,0.0.0.0,10.0.0.0/8,cattle-system.svc,.svc,.cluster.local,my-domain.local
```