Skip to main content
Version: 8.2411.x.x RR

Securing nevisAdmin 4

Using HTTPS

After installing nevisAdmin 4, perform the following steps to configure HTTPS:

  1. Configure the key material.
  2. Use standard port 443.

Configuring Key Material

Follow the next instructions to configure the key material:

  1. Install the private key and the host certificate that you want to use on the machine where nevisAdmin 4 runs. For convenience, you can use nevisKeybox to create the key material for HTTPS. For more information, see How to create a secure, trusted connection between two nodes.

  2. Verify whether the ownership of the key and certificate files is set correctly, so that the admin4 process is able to read these files. It should be readable by nvbuser. Correct the settings, if necessary.

  3. Configure nevisAdmin 4 to use the key material via /var/opt/nevisadmin4/conf/nevisadmin4.yml:

    server:
    port: 8443
    tls:
    keystore: /var/opt/neviskeybox/default/default/node_keystore.p12
    keystore-passphrase: password
    keystore-type: pkcs12
    key-alias: node
  4. To test your settings, restart the nevisAdmin 4 systemd service as follows:

nevisadmin4 stopService
nevisadmin4 startService

Using Standard Port 443

nevisAdmin 4 runs as nvbuser. However, this user cannot listen on port 443. You can use iptables to redirect port 443 to 8443:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
iptables-save > /etc/sysconfig/iptables
systemctl enable iptables
systemctl start iptables

In some CentOS versions, the iptables service is not installed by default. In these cases, you need to install the iptables service first, with this command:

yum install iptables-services

Protecting the Default admin Account

The admin user's password also protects the encryption key (backup master key) that allows you to recover access to secrets. Therefore, store the admin password in a safe place, to make recovery via the backup master key possible.

For background information, see Encryption and Storage of Secrets.

To configure a secure password for the default admin user:

  1. Log in using your web browser.
  2. Change the admin password with the top right User menu.

Configuring further User Accounts

We recommend that you avoid using the admin account for your daily work.

Instead, set up further accounts as follows: