Version: 4.12.x.x LTS

Securing nevisAdmin 4

Using HTTPS

After installing nevisAdmin 4, perform the following steps to configure HTTPS:

  1. Configure the key material.
  2. Use standard port 443.

Configuring Key Material

Follow these steps to configure the key material:

  1. Install the private key and the host certificate that you want to use on the machine where nevisAdmin 4 runs.

For convenience, you can use nevisKeybox to create the key material for HTTPS. For more information, see How to create a secure, trusted connection between two nodes in the nevisKeybox technical documentation.

  2. Verify whether the ownership of the key and certificate files is set correctly, so that the admin4 process is able to read these files. It should be chown. Correct the settings, if necessary.

  3. Configure nevisAdmin 4 to use the key material via /var/opt/nevisadmin4/conf/nevisadmin4.yml:

server:
  port: 8443
  tls:
    keystore: /var/opt/neviskeybox/default/default/node_keystore.p12
    keystore-passphrase: password
    keystore-type: pkcs12
    key-alias: node

  4. To test your settings, temporarily stop the nevisAdmin 4 systemd service. Follow the testing instructions in Initial Setup.
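
A pre-flight check for steps 2 and 3, as an added example that is not part of the nevisAdmin 4 documentation: it reads the keystore path from nevisadmin4.yml, then reports whether the keystore is owned by the service user and whether the keystore or the YAML file (which holds the passphrase in clear text) is accessible to other users. The function names are hypothetical, and the choice of nvbuser as owner and of "no access for other" as policy are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check of the TLS key material nevisadmin4.yml points to.
# Assumptions (not from the product documentation): the service user is nvbuser,
# and neither the keystore nor the YAML file should be accessible to "other".

# Print the value of the first "key: value" line for key $2 in file $1.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Succeed if file $1 is owned by user $2 (user name or numeric uid).
owned_by() {
    [ -n "$(find "$1" -user "$2" 2>/dev/null)" ]
}

# Succeed if any read/write/execute bit for "other" is set on file $1.
other_can_access() {
    [ -n "$(find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \))" ]
}

# $1 = path to nevisadmin4.yml, $2 = service user (default: nvbuser)
check_tls_files() {
    conf=$1
    user=${2:-nvbuser}
    rc=0
    ks=$(yaml_value "$conf" keystore)
    [ -n "$ks" ] || { echo "FAIL: no keystore configured in $conf"; return 1; }
    [ -f "$ks" ] || { echo "FAIL: keystore $ks not found"; return 1; }
    owned_by "$ks" "$user" || { echo "FAIL: $ks is not owned by $user"; rc=1; }
    # The YAML file holds keystore-passphrase in clear text, so check it too.
    for f in "$ks" "$conf"; do
        if other_can_access "$f"; then
            echo "FAIL: $f is accessible to other users"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $ks is owned by $user and not exposed"
    return "$rc"
}

# Run only when a configuration path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_tls_files "$@"
fi
```

Save the block as a script and pass the path to nevisadmin4.yml as the first argument; a non-zero exit status means at least one check failed.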

Using Standard Port 443

nevisAdmin 4 runs as nvbuser. However, this user cannot listen on port 443. Use iptables to redirect port 443 to 8443:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
iptables-save > /etc/sysconfig/iptables
systemctl enable iptables
systemctl start iptables

In some CentOS versions, the iptables service is not installed by default. In these cases, you need to install the iptables service first, with this command:

yum install iptables-services

Protecting the Default admin Account

The admin user's password also protects the encryption key (backup master key) that allows you to recover access to secrets. Therefore, store the admin password in a safe place, to make recovery via the backup master key possible.

For background information, see Encryption and Storage of Secrets.

To configure a secure password for the default admin user:

  1. Log in using your web browser.
  2. Change the admin password using the User menu at the top right.

Configuring Further User Accounts

We recommend that you avoid using the admin account for your daily work.

Instead, set up further accounts in one of the following ways:

  1. Create user accounts locally, or manage groups and permissions.
  2. Automatically create users from Active Directory data when they log in.