Securing nevisAdmin 4
Using HTTPS
After installing nevisAdmin 4, perform the following steps to configure HTTPS:
- Configure the key material.
- Use standard port 443.
Configuring Key Material
Follow the next instructions to configure the key material:
1. Install the private key and the host certificate that you want to use on the machine where nevisAdmin 4 runs.
   For convenience, you can use nevisKeybox to create the key material for HTTPS. For more information, see How to create a secure, trusted connection between two nodes in the nevisKeybox technical documentation.
2. Verify that the ownership of the key and certificate files is set correctly, so that the admin4 process is able to read these files. Correct the owner with chown, if necessary.
3. Configure nevisAdmin 4 to use the key material via /var/opt/nevisadmin4/conf/nevisadmin4.yml:
   server:
     port: 8443
     tls:
       keystore: /var/opt/neviskeybox/default/default/node_keystore.p12
       keystore-passphrase: password
       keystore-type: pkcs12
       key-alias: node
4. To test your settings, temporarily stop the nevisAdmin 4 systemd service. Follow the testing instructions in [Initial Setup].
Using Standard Port 443
nevisAdmin 4 runs as nvbuser. However, this user cannot listen on port 443. Use iptables to redirect port 443 to 8443:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
iptables-save > /etc/sysconfig/iptables
systemctl enable iptables
systemctl start iptables
In some CentOS versions, the iptables service is not installed by default. In these cases, you need to install the iptables service first, with this command:
yum install iptables-services
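The two checks a practitioner would want after following the key material and port 443 steps above, as an added example that is not part of the nevisAdmin 4 documentation: is the PKCS#12 keystore (which holds the private key) owned by nvbuser and not readable by anyone else, and does the nat PREROUTING chain actually redirect 443 to 8443? The keystore path, the service user and the ports are taken from the page; the iptables-save line format the parser expects is an assumption.

```python
import os
import pwd
import re
import stat

# Values from the page: the service user and the ports involved in the redirect.
SERVICE_USER = "nvbuser"
LISTEN_PORT = 8443
PUBLIC_PORT = 443

# Assumed shape of the REDIRECT rule as printed by iptables-save
# (the command on the page writes --to-port, iptables-save prints --to-ports).
_REDIRECT_RE = re.compile(
    r"^-A PREROUTING .*-p tcp .*--dport (\d+) -j REDIRECT --to-ports? (\d+)$"
)

def redirect_present(iptables_save_output: str) -> bool:
    """Return True if a PREROUTING rule redirects PUBLIC_PORT to LISTEN_PORT."""
    for line in iptables_save_output.splitlines():
        m = _REDIRECT_RE.match(line.strip())
        if m and (int(m.group(1)), int(m.group(2))) == (PUBLIC_PORT, LISTEN_PORT):
            return True
    return False

def keystore_findings(owner: str, mode: int, expected_owner: str = SERVICE_USER) -> list:
    """Flag a keystore the service user cannot read, or that others can read."""
    findings = []
    if owner != expected_owner:
        findings.append(f"owner is {owner}, expected {expected_owner}")
    if not mode & stat.S_IRUSR:
        findings.append("owner cannot read the file")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("keystore is readable by group or others")
    return findings

def check_keystore_file(path: str, expected_owner: str = SERVICE_USER) -> list:
    """Stat a real keystore file and apply keystore_findings to it."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    return keystore_findings(owner, stat.S_IMODE(st.st_mode), expected_owner)

if __name__ == "__main__":
    # Constructed sample of iptables-save output after the page's command.
    sample = "*nat\n-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443\nCOMMIT\n"
    print("redirect 443->8443 present:", redirect_present(sample))
    keystore = "/var/opt/neviskeybox/default/default/node_keystore.p12"
    if os.path.exists(keystore):
        print("keystore findings:", check_keystore_file(keystore) or "none")
```

On a live host, run the script as root so that stat and the iptables-save output are complete; pass the real `iptables-save -t nat` output to `redirect_present`.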
Protecting the Default admin Account
The admin user's password also protects the encryption key (backup master key) that allows you to recover access to secrets. Therefore, store the admin password in a safe place, to make recovery via the backup master key possible.
For background information, see Encryption and Storage of Secrets.
To configure a secure password for the default admin user:
- Log in using your web browser.
- Change the admin password with the top right User menu.
Configuring Further User Accounts
We recommend that you avoid using the admin account for your daily work.
Instead, set up further accounts in one of the following ways:
- Create user accounts locally, or manage groups and permissions.
- Automatically create users from Active Directory data when they log in.