Appliance Firewall Rules
This document lists the network services the appliance exposes on its interfaces and the outbound connections it initiates, so that firewall rules can be defined for each interface.

| Service | Interface | Direction | Protocol | Destination Port | Comment |
|---|---|---|---|---|---|
| EJBCA | | | | | |
| EJBCA CA web | APP, MGMT | in | HTTPS | 443 | http[s]://{hostname}/ejbca/adminweb |
| EJBCA RA web | APP, MGMT | in | HTTPS | 80, 443 | http[s]://{hostname}/ejbca/ra |
| EJBCA documentation | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/doc |
| EJBCA CRL distribution | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/webdist/certdist?cmd=[crl|deltacrl]&issuer={subjectDn} |
| EJBCA CA certificate distribution | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/certificates/search.cgi |
| EJBCA healthcheck | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http://{hostname}/ejbca/publicweb/healthcheck/ejbcahealth, http://{hostname}/ejbca/publicweb/healthcheck/vastatus |
| EJBCA web service API | APP, MGMT | in | HTTPS | 443 | https://{hostname}/ejbca/ejbcaws/ejbcaws?wsdl |
| EJBCA OCSP responder | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/status/ocsp |
| EJBCA SCEP | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/apply/scep/[{alias}/]pkiclient.exe |
| EJBCA CMP | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/publicweb/cmp[/{alias}] |
| EJBCA ACME | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/acme/[{alias}/] |
| EJBCA EST | APP, MGMT | in | HTTPS | 443 | https://{hostname}/ejbca/.well-known/est/[{alias}/] |
| EJBCA REST API | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/ejbca/ejbca-rest-api |
| SCT submission | APP | out | HTTPS | configurable | CT log server configured in EJBCA's system configuration. |
| DNS lookups | APP | out | DNS | configurable | DNS server configured in EJBCA. Used for ACME domain validation and CAA. |
| Peer systems | APP | out (from CA), in (to RA and VA) | HTTPS | 443 | https://{hostname}/ejbca/peer/v1 |
| EJBCA LDAP publisher | APP | out | HTTP, HTTPS | configurable | LDAP server configured in EJBCA. |
| EJBCA AD publisher | APP | out | HTTP, HTTPS | configurable | AD server configured in EJBCA. |
| EJBCA SCP publisher | APP | out | SSH | 22 | SSH server configured in EJBCA. |
| SignServer | | | | | |
| SignServer administration web | APP, MGMT | in | HTTPS | 443 | http[s]://{hostname}/signserver/adminweb |
| SignServer public web | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/signserver |
| Time monitoring | APP | out | NTP | 53 | NTP server configured in the Time Monitor worker. |
| SignServer web service API | APP, MGMT | in | HTTPS | 443 | https://{hostname}/signserver/AdminWSService/AdminWS, https://{hostname}/signserver/ClientWSService/ClientWS |
| SignServer healthcheck | APP, MGMT | in | HTTP, HTTPS | 80, 443 | http://{hostname}/signserver/healthcheck/signserverhealth |
| Timestamping | APP | in | HTTP, HTTPS | 80, 443 | http[s]://{hostname}/signserver/process?workerId={workerId} |
| Certificate renewal using peer systems | APP | in | HTTPS | 443 | https://{hostname}/ejbca/peer/v1 |
| Appliance | | | | | |
| Cluster communication | APP | out, in | GRE | N/A | If clustering is used. |
| WebConf | MGMT | in | HTTPS | 443 | https://{hostname}/webconf |
| NTP | MGMT | out | UDP | 123 | If NTP is enabled in WebConf. |
| SNMP | APP, MGMT | in | SNMP v2, SNMP v3 | 161 | |
| Syslog shipping | APP, MGMT | out | UDP | 514 | If syslog shipping is enabled in WebConf. |
| DNS | APP | out | DNS | 53 | If DNS is enabled in WebConf. |
| SSH | MGMT | in | SSH v2 | 22 | If SSH is enabled in WebConf. |
| Backups | MGMT | out | NFS v3/v4 | 111, 2049 | |
| Email notifications | APP | out | SMTP | 25 | Only if DNS is enabled and email notifications are used in EJBCA. |
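As an added check that is not part of the appliance documentation or product, the following Python compares an nmap grepable (`-oG`) scan of the two interfaces against the inbound TCP/UDP ports listed above and reports ports that are open but undocumented, or documented but not listening. The interface addresses and the scan output are constructed; GRE cluster traffic is not port based and is left out.

```python
"""Audit a port scan of the appliance against the documented inbound rules.

Added example, not part of the appliance or EJBCA tooling. The expected
TCP/UDP ports are transcribed from the firewall rules table (GRE cluster
traffic is not port based and is not modelled). The address-to-interface
mapping and the nmap grepable (-oG) output below are constructed sample data.
"""
import re

# Assumed addresses of the appliance interfaces in this example.
INTERFACE_OF = {"10.0.1.10": "APP", "10.0.2.10": "MGMT"}

# Documented inbound (proto, port) per interface. SSH is listed for MGMT
# only and is expected to be absent when SSH is disabled in WebConf.
EXPECTED_INBOUND = {
    "APP": {("tcp", 80), ("tcp", 443), ("udp", 161)},
    "MGMT": {("tcp", 80), ("tcp", 443), ("udp", 161), ("tcp", 22)},
}

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/")

def parse_grepable(text):
    """Return {interface: {(proto, port), ...}} from nmap -oG host lines."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+)\s.*?Ports:\s+(.*)", line)
        if not m:
            continue
        iface = INTERFACE_OF.get(m.group(1), m.group(1))
        ports = {(proto, int(port)) for port, proto in PORT_RE.findall(m.group(2))}
        seen.setdefault(iface, set()).update(ports)
    return seen

def audit(seen, expected=EXPECTED_INBOUND):
    """Return per-interface lists of undocumented open ports and documented
    ports that were not found open (check those against WebConf settings)."""
    report = {}
    for iface in sorted(set(seen) | set(expected)):
        have, want = seen.get(iface, set()), expected.get(iface, set())
        report[iface] = {"undocumented": sorted(have - want),
                         "missing": sorted(want - have)}
    return report

# Constructed sample: APP also exposes 8080; MGMT has SSH off and no HTTP.
SAMPLE_SCAN = (
    "Host: 10.0.1.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///, 161/open/udp//snmp///\tIgnored State: closed (996)\n"
    "Host: 10.0.2.10 ()\tPorts: 443/open/tcp//https///, 161/open/udp//snmp///\n"
)

if __name__ == "__main__":
    for iface, result in audit(parse_grepable(SAMPLE_SCAN)).items():
        print(iface, result)
```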