PreviousNextUp[Front page] [Index]

Editing the Administration Service

The Administration Service is a mandatory service in SSH Tectia Certifier, since it is used to provide the web-based administration interface for the administrators. An Administration Service is created as a part of the Certifier installation.

It is recommended that instead of configuring the one and only Administration Service, a new service is created. The old one could then be removed, after the function of the new service has been validated. This is a precaution, to avoid a situation where the administrator has selected the security settings of the Administration Service, and cannot access the system any more since she has not enrolled an administrator certificate for herself. Also if there are problems in the administration configurations, similar problems may arise.

Basic Settings

Service description is a free-form description of the Service and its function.

Service status can be either Active or Disabled. If the service is Disabled, it does not perform its function. This option can be used to take the service temporarily out of use.


gui-editconfigurationforadministrationservice-33.gif
Figure : Editing the Administration Service configuration

The Service bind address is the address where the Administration Service listens to incoming HTTP and HTTPS connections. Remember to include the port number in the address. For example, http://0.0.0.0:8083/ is an address for a service running on the local host listening to port 8083. Note that the Service bind address needs to begin with http instead of https even if TLS is being used.

Template Set and Access Level

The Template set is the set of HTML templates used by this service. Unless new templates have been customized by the customer, only one template set is available (Administration Interface). The template sets are located in the SSH Tectia Certifier installation directory under admin-templates/ (the default set is in the admin-templates/admin-html/ sub-directory).

The Access level is the maximum operator access level through this Administration Service. If Normal Operators Only is selected, the Service allows write operations (this corresponds to operator Write access level). If Full Super User Access is selected, the Service allows all operations.

Each operator has an access level as described in Section Operator Access Control Levels. If the operator has lower access level than the Service, the operator's access level sets the limits. If the operator has higher access level than the Service, the Server's access level sets the limits. That is, operators with super-user access can log in to an Administration Service that allows Normal Operators Only, but they are limited to Write access while using that Service.

Security Settings

The Security Settings option defines whether the HTTP server is protected with TLS or not. If Unprotected HTTP connection is selected, all connections between an administrator's browser and the server are in plain text. By selecting TLS Protected HTTP connection, the server has a certificate that it uses for authentication. All connections are encrypted when using this option. However, the client (administrator) has to use a login name and password to authenticate itself to the server.

When TLS with client authentication is selected, also the client has to have a certificate in order to connect to the server. If this mode is being used, administrator passwords are not mandatory, since the client private key is used for the authentication instead of password. You should also make sure there are no other Administration Services in the system that would allow login without client authentication.

The CA that is used for issuing TLS server certificates has to be selected in the TLS Server Certificate CA field. SSH Certifier Internal CA, which is created during the installation, can be used, unless a dedicated CA is wanted for this purpose. In the latter case, the same CA that is used for a protected Web Enrollment Service can be used. See Section Editing the Web Enrollment Service.

When the TLS settings of the Administration Service are turned on, the service creates a private key and enrolls a TLS server certificate for itself. Validity period length and Key size can be selected in the TLS Server Certificate Settings. The validity period will be included in the certification request. You can later re-issue the TLS server certificate with new parameters, for example, if you want to edit the certificate fields further, which is typically the case.

When TLS protection with client authentication is used, Client Authentication CAs must be set. These are the CAs that are accepted for issuing TLS client certificates for connecting to the Administration Service. If all CAs are trusted, click Trust all CAs. If only some CAs are trusted for this purpose, click Trust only selected CAs, select the CAs from the drop-down list, and click Add. Or click Trust all except selected CAs, select the CAs that are not trusted for this purpose, and click Add.

If TLS is used, Certificate status shows the status of the TLS certificate of the Service, and the certificate can be viewed by clicking View Certificate.

Commiting Changes

Click the Continue button to accept changes made to the Service settings, or click Cancel to discard them. After clicking Continue, remember to Commit Changes on the Edit Server Entity page.


PreviousNextUp[Front page] [Index]