
Detect and warn about various misconfigurations

    Details

    • Type: Epic
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Epic Name: EJBCA Configuration Checker
    • Issue discovered during: Ad Hoc

      Description

      An issue tracking system (also ITS, trouble ticket system, support ticket, request management or incident ticket system) is a computer software package that manages and maintains lists of issues, as needed by an organization.

      EJBCA can be configured in a million ways but not all configurations make sense. We should implement an issue tracking system which scans for known misconfigurations to help administrators detect problems with their EJBCA installation. Issues can be shown in the CA Web (e.g. as notifications), be provided over the REST API or logged using Log4j.

      An issue checker can be represented with the following interfaces:

      import java.util.List;
      import java.util.Optional;
      import java.util.Set;

      /**
       * An issue is a type of problem which can be tracked by the EJBCA issue checker. Each issue has
       * a priority and a description. An issue can produce one or more tickets if present on the system.
       */
      interface Issue {
          List<Ticket> getTickets();
          Priority getPriority();
          String getDescriptionLanguageKey();
          String getDatabaseValue();
      }
      
      /**
       * A ticket is the <i>realisation of an issue</i>. A ticket has a priority, a description
       * and optionally a target. An issue may produce either a single ticket, in which case the
       * ticket may have a target, or multiple tickets, in which case each individual ticket must
       * have a unique target.
       *
       * <p>For example, one issue could be a specific misconfiguration in a certificate profile.
       * The issue would then produce one ticket per misconfigured certificate profile, where the
       * certificate profile is the target of the ticket.
       *
       * <p>Tickets can be displayed in the GUI, logged to disk, propagated to a separate
       * log management solution or exposed through an API for monitoring purposes.
       */
      interface Ticket {
          Issue getIssue();
          String getDescriptionLanguageKey();
          Optional<String> getTarget();
          Priority getPriority();
      }
      
      /**
       * An issue set groups issues that belong together. Each issue set contains a set of issues,
       * a title and a description. Issue sets can be enabled and disabled in the system configuration.
       *
       * <p>Each issue set can contain any number of issues, and an issue may reside in more than one
       * issue set.
       *
       * <p>An example of an issue set could be "Certificate Transparency" enabled by CAs publishing
       * to CT logs, or the issue set "CA/B Forum Baseline Requirements" enabled by CAs adhering to the
       * Baseline Requirements.
       */
      interface IssueSet {
          Set<Class<? extends Issue>> getIssues();
          String getTitleLanguageString();
          String getDescriptionLanguageString();
          String getDatabaseValue();
      }
      

      Examples of issues we could implement are:

      • Warn if CT is not enabled
      • Warn if the minimum number of SCTs for a certificate profile is less than the value mandated by Google's CT policy
      • Warn if ECC or RSA key validators are missing
      • Warn if there is no CRL Updater Service
      • Warn if there are External VAs present but no Validation Authority Peer Publisher
      • Warn if the queue of a publisher is filling up
      • Warn if there are missing indices in the database (is this possible?)
      • Warn if database protection is disabled or a test key is used
      • Warn if a root CA is not offline (exclude Management CA)
      • Warn if the disk is filling up
      • Warn if the server certificate is about to expire.
      • Warn about role members (that are matching by serial numbers) whose certificates are about to expire, and there's no more recent certificate with the same Subject DN or username.
      • Warn about Internal Key Bindings' bound certificates that are about to expire
      • Warn if the server certificate does not have a DNS Name, or if the hostname is "localhost", and incoming peer connections are enabled.

      There should be some smart strategy to apply filtering, test for high-priority issues first and do some caching in the UI to avoid scanning for issues too often.
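
      A sketch of how one of the checks listed above (Internal Key Bindings whose bound certificates are about to expire) could implement the Issue and Ticket interfaces, producing one ticket per target. This is an added example, not EJBCA code: the Priority values, class names, language key, database value and sample binding data are all assumptions, and it needs Java 16 or later for records.

```java
import java.time.*;
import java.util.*;
import java.util.stream.Collectors;
public class ExpiringBindingExample {
    enum Priority { INFO, WARNING, ERROR } // assumed values; the page does not define Priority
    interface Issue { // as sketched in the description
        List<Ticket> getTickets();
        Priority getPriority();
        String getDescriptionLanguageKey();
        String getDatabaseValue();
    }
    interface Ticket { // as sketched in the description
        Issue getIssue();
        String getDescriptionLanguageKey();
        Optional<String> getTarget();
        Priority getPriority();
    }
    /** Realisation of an issue for one target; here the target is the key binding name. */
    record TargetedTicket(Issue issue, String target, Priority priority) implements Ticket {
        public Issue getIssue() { return issue; }
        public String getDescriptionLanguageKey() { return issue.getDescriptionLanguageKey(); }
        public Optional<String> getTarget() { return Optional.of(target); }
        public Priority getPriority() { return priority; }
    }
    /** Hypothetical issue: a bound certificate expires within threshold of now (expired ones escalate). */
    record BoundCertificateExpiring(Map<String, Instant> notAfterByBinding, Instant now,
                                    Duration threshold) implements Issue {
        public List<Ticket> getTickets() {
            return notAfterByBinding.entrySet().stream()
                .filter(e -> e.getValue().isBefore(now.plus(threshold)))
                .sorted(Map.Entry.comparingByKey()) // map keys are unique, so targets are too
                .map(e -> (Ticket) new TargetedTicket(this, e.getKey(),
                        e.getValue().isBefore(now) ? Priority.ERROR : getPriority()))
                .collect(Collectors.toList());
        }
        public Priority getPriority() { return Priority.WARNING; }
        public String getDescriptionLanguageKey() { return "EXAMPLE_BOUND_CERT_EXPIRING"; }
        public String getDatabaseValue() { return "ExampleBoundCertificateExpiring"; }
    }
    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T00:00:00Z"); // fixed clock, constructed data
        Issue issue = new BoundCertificateExpiring(Map.of(
            "ocsp-signer", Instant.parse("2024-01-10T00:00:00Z"),   // expires in 9 days
            "peer-auth", Instant.parse("2023-12-20T00:00:00Z"),     // already expired
            "tls-client", Instant.parse("2025-06-01T00:00:00Z")),   // not yet due
            now, Duration.ofDays(30));
        issue.getTickets().forEach(t -> System.out.println(t.getPriority() + " " + t.getTarget().orElse("-")));
    }
}
```

      Passing the clock in as a parameter keeps the check deterministic, which also makes a cached scan result reproducible for a given timestamp.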


              People

              • Assignee: Unassigned
              • Reporter: bastianf Bastian Fredriksson
