EJBCA supports multiple protocols for certificate enrollment, status and web services. The protocols and services can be separately disabled per EJBCA instance in order to reduce the attack surface. For example, an instance serving as an OCSP responder probably has no use for enrollment protocols, and these protocols may thus be disabled for that instance. Any request to a disabled protocol or service is rejected immediately and an error code is returned.
Local Configuration
The following protocols and services can be disabled:
- ACME: ACME protocol /ejbca/acme
- Certstore: Certificate store servlet /certificates
- CMP: CMP protocol servlet /ejbca/publicweb/cmp
- CRLstore: CRL Store servlet /crls
- EST: EST protocol servlet /.well-known/est
- OCSP: OCSP Servlet /ejbca/publicweb/status/ocsp
- REST: All REST resources /ejbca/ejbca-rest-api
- SCEP: SCEP protocol servlet /ejbca/publicweb/apply/scep
- Webdist: Web dist servlet /ejbca/publicweb/webdist
- Web Service: All web service calls requiring authentication /ejbca/ejbcaws
All configurable protocols and services added prior to EJBCA 6.11.0 are enabled by default.
To disable or re-enable protocols using the Admin GUI:
- Go to Admin GUI>System Configuration.
- Select the tab Protocol Configuration.
- Enable or disable the desired protocol or service.
Protocol Configuration Over Peers
In addition to disabling protocols locally per instance, an administrator may disable protocols for each outgoing Peer connection using access rules, making it possible to control protocol access of remote instances.
Disabling a protocol locally or for a Peer connection will always override an enabled configuration. For example, if an external RA has web services disabled locally, and the outgoing Peer connection from the CA has configured web services as Allowed, any web service call to the external RA would be rejected.
Currently, only external instances using RA proxying and protocols supporting it (ACME, CMP, EST, REST, SCEP and Web services) are remotely configurable using access rules, i.e. external RAs. For a Peer connected VA instance, protocols may only be disabled locally on that instance.
To configure protocols for an outgoing Peer connection using the Admin GUI:
- Go to Admin GUI>Peer Systems.
- Select Authorized Requests for the outgoing Peer (the Peer has to be enabled first)
- Under Process requests from protocols, select to enable protocols or clear to disable protocols.
All protocols implemented prior to EJBCA 6.11.0 are enabled by default for outgoing Peers. The access rules for /protocol/*, only apply to Peer connector roles. Denying a protocol for a specific administrator has no effect.