How to restore EJBCA CLI user's access?

[aloeenmae]

I created a dump of my EJBCA MariaDB database and imported it into a new MariaDB database within a container. When I point the new EJBCA in my container to this new database, EJBCA starts up fine, but for some reason, the EJBCA CLI user no longer has permissions. Running the command

docker exec -i ejbca /opt/keyfactor/ejbca/bin/ejbca.sh roles listadmins --role "Super Administrator Role" 

gives me the following error:

2024-07-04 08:17:01,228+0000 ERROR [org.ejbca.ui.cli.roles.ListAdminsCommand] (main) Not authorized to role 'Super Administrator Role'.

How can I restore the CLI user's permissions?

Thanks

[aloeenmae]

Does anyone have any good ideas on how to restore CLI user permissions, as the official documentation currently does not cover this.

[aloeenmae]

@primetomas the username and password are the same as in the working EJBCA virtual machine. Unfortunately, I cannot access the web interface because the client certificate has expired. Is it possible to change the EJBCA CLI user's password, or should this be done via the database?

[primetomas]

It is in the database yes, UserData table. You could just set back the system clocks and fix it in the UI as well.

[aloeenmae]

@primetomas ok, but how I can generate the new passwordHash?

select username,cAId,passwordHash from UserData where username='ejbca';
+----------+------+--------------------------------------------------------------+
| username | cAId | passwordHash                                                 |
+----------+------+--------------------------------------------------------------+
| ejbca    |    0 | $2a$08$L7K09oAPVIUGijzXXXXXXXXXXXXXXXXXX                     |
+----------+------+--------------------------------------------------------------+

[aloeenmae]

Ok, seems that my password change works:

python3 -c "import bcrypt; password = 'ejbca'; hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt()); print(hashed)"

MariaDB side:

UPDATE UserData SET passwordHash = '$2a$12$MY_NEW_HASH' WHERE username = 'ejbca';

docker exec -i ejbca /opt/keyfactor/ejbca/bin/ejbca.sh roles listadmins --role "Super Administrator Role"
Exception in thread "main" javax.ejb.EJBException: java.lang.IllegalArgumentException: Provided string is not a BCrypt hash.

it seems that EJBCA supports only BCrypt 2a, not 2b, so I replaced $2b with $2a and got the EJBCA CLI working again.

docker exec -i ejbca /opt/keyfactor/ejbca/bin/ejbca.sh roles listadmins --role "Super Administrator Role"
2024-07-29 11:44:36,456+0000 INFO  [org.ejbca.ui.cli.roles.ListAdminsCommand] (main) [Admin not bound to CA or provider] USERNAME TYPE_EQUALCASE "ejbca" ""

[primetomas]

That's awesome!

[aloeenmae]

But now I have another issue ;)

ejbca.sh ra addendentity --username my_test_user --dn "UID=112,CN=My test client cert,OU=My OU,O=My company,C=EE" --caname MyCA --type 1 --token P12
Exception in thread "main" java.lang.NullPointerException
	at org.ejbca.ui.cli.ra.AddEndEntityCommand.getAuthenticationCode(AddEndEntityCommand.java:370)
	at org.ejbca.ui.cli.ra.AddEndEntityCommand.execute(AddEndEntityCommand.java:148)
	at org.ejbca.ui.cli.infrastructure.command.PasswordUsingCommandBase.execute(PasswordUsingCommandBase.java:201)
	at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:309)
	at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:320)
	at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.findAndExecuteCommandFromParameters(CommandLibrary.java:88)
	at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:38)
2024-07-29 13:23:34,466+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Enter password:
2024-07-29 13:23:34,466+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main)

Do I need modify any other DB table(s) as well?

[aloeenmae]

When I added the --password flag, it worked, but without it, it did not. I tried to execute the same command on my working EJBCA instance (EJBCA CE 7.x version), and it asked for a password as it should.

ejbca.sh ra addendentity --username my_test_user --dn "UID=112,CN=My test client cert,OU=My OU,O=My company,C=EE" --caname MyCA --type 1 --token P12 --verbose --password testpw
2024-07-29 13:36:54,991+0000 ERROR [org.ejbca.ui.cli.infrastructure.parameter.ParameterHandler] (main) SETTING: --username as my_test_user
2024-07-29 13:36:54,992+0000 ERROR [org.ejbca.ui.cli.infrastructure.parameter.ParameterHandler] (main) SETTING: --dn as UID=112,CN=My test client cert,OU=My OU,O=My company,C=EE
2024-07-29 13:36:54,992+0000 ERROR [org.ejbca.ui.cli.infrastructure.parameter.ParameterHandler] (main) SETTING: --caname as MyCA
2024-07-29 13:36:54,992+0000 ERROR [org.ejbca.ui.cli.infrastructure.parameter.ParameterHandler] (main) SETTING: --type as 1
2024-07-29 13:36:54,992+0000 ERROR [org.ejbca.ui.cli.infrastructure.parameter.ParameterHandler] (main) SETTING: --token as P12
2024-07-29 13:36:54,992+0000 ERROR [org.ejbca.ui.cli.infrastructure.parameter.ParameterHandler] (main) SETTING: --password as testpw
2024-07-29 13:36:55,932+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Using certificate profile: ENDUSER, with id: 1
2024-07-29 13:36:55,939+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Trying to add end entity:
2024-07-29 13:36:55,940+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Username: my_test_user
2024-07-29 13:36:55,940+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Password: <password hidden>
2024-07-29 13:36:55,940+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) DN: UID=112,CN=My test client cert,OU=My OU,O=My company,C=EE
2024-07-29 13:36:55,940+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) CA Name: MyCA
2024-07-29 13:36:55,940+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) SubjectAltName: null
2024-07-29 13:36:55,941+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Email: null
2024-07-29 13:36:55,941+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Type: 1
2024-07-29 13:36:55,943+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Token: P12
2024-07-29 13:36:55,943+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Certificate profile: 1
2024-07-29 13:36:55,943+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) End entity profile: 1
2024-07-29 13:36:57,319+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) User 'my_test_user' has been added.
2024-07-29 13:36:57,319+0000 INFO  [org.ejbca.ui.cli.ra.AddEndEntityCommand] (main) Note: If batch processing should be possible, also use 'ra setclearpwd my_test_user <pwd>'

[primetomas]

Sounds like you may have had something in ejbca.properties? This is where it reads default values from, when you don't specify the --password. i.e.
ejbca.cli.defaultusername=ejbca
ejbca.cli.defaultpassword=ejbca