ConfigDump Export and Audit Tool

ENTERPRISE EDITION This is an EJBCA Enterprise Edition (EE) feature.

Overview

Configdump serves as a partial replacement for the Statedump configuration management tool. While Statedump did (and still does) its primary task well (exporting and importing full EJBCA configurations on new instances), the export format is in now antiquated XML and it not meant to be human readable. This leads to two points of frustration for many customers, as they can't hand-modify exports, and lack of readability makes Statedump poorly suited as an audit tool. In order to alleviate this pain point PrimeKey developed the Configdump tool, which instead produces a human readable YAML output. Configdump is EJBCA version independent, unlike Statedump, where you can run into trouble if you do the export and import on different versions of EJBCA.

ConfigDump is still under construction, and the import functionality is still in development. In the meanwhile, the export functionality serves as an excellent auditing tool.

Comparison between Configdump and Statedump

 

Configdump

Statedump

Output format

YAML[1]

XML

Can be easily edited

Yes

No

Export

Yes

Yes

Import

No, but on the roadmap

Yes

EJBCA version independent

Yes

No

Ability to add comments to output files

Yes

No

Folder Structure and Output

Each EJBCA object is exported into its own file. Objects of different types will be put in different folders.

The directory structure created by Configdump is as follows:

Directory structure
> tree
.
├── Certification Authorities
│ ├── PrimeKey TestNet.yml
├── Validators
│ ├── My CAA Validator.yml
│ ├── My RSA Key Validator.yml

Here is an example of what the output from Configdump may look like:

'Type': 'PARTITIONED_APPROVAL'
'Name': 'Partitioned approval profile test'
'Approval expiration period': '1d'
'Request expiration period': '2d'
'Max extension time': '3d'
'Allow self-approved request editing': !!bool 'true'
'Steps':
- 'Partitions':
- 'Title': 'Partition 1'
'Can approve':
- 'Super Administrator'
- 'RA Administrator 1'
'Can view':
- 'Super Administrator'
- 'CA Administrator'
- 'RA Administrator 1'
- 'RA Administrator 2'
- 'Supervisor'
'Components':
- 'Type': 'Text field'
'Label': 'Text test'
'Content': 'This is a multiline string.'
- 'Type': 'Checkbox'
'Label': 'Checkbox test'
'Is checked?': !!bool 'true'
- 'Type': 'Radio group'
'Label': 'Radio test'
'Selected choice': 'Blue'
'Possible choices':
- 'Green'
- 'Blue'
- 'Red'
- 'Title': 'Partition 2'
'Can approve':
- 'Super Administrator'
- 'RA Administrator 2'
'Can view':
- 'Anybody'
'Administrator notification':
'Sender': 'no-reply@admin.notification'
'Recipients':
- 'recipient1@admin.com'
- 'recipient2.admin.com'
'Subject': 'Admin notification subject'
'Body': 'Admin notification body'
'User notification':
'Sender': 'no-reply@user.notification'
'Subject': 'User notification subject'
'Body': 'User notification body'
'Components':
- 'Type': 'Number'
'Label': 'Integer test'
'Value': !!int '42'
- 'Type': 'Big number'
'Label': 'Long test'
'Value': !!int '9223372036854775807'

As we can see, this YAML-file corresponds to a partitioned approval profile with one step and two partitions. Partition 1 contains a text field, a checkbox and a radio group with three radio buttons. Partition 2 contains a user notification, an administrator notification and two number fields.

Building

The ConfigDump tool can be built and run from the command line, using the build argument

$ ant configdump

which will result in a standalone JAR library which will be deployed to dist/configdump/configdump.jar. To run it, use the following command:

$ java -jar dist/configdump/configdump.jar <command name>

Commands

ConfigDump is split into several subcommands, which are listed here. So far only the export command has been implemented.

Export

$ java -jar dist/configdump/configdump.jar export --help

To see the full manual file for the export command, run

The export command will produce a complete YAML-based export of an EJBCA installation, meant to be human readable - this primarily means that ID references for objects will be replaced with their proper names. Certificates and end entity information will not be included in this export.

Mandatory Parameters

Switch

Description

-l (may be omitted of this value is added first)

The output directory where Yaml files will be written. It will be created automatically if non-existent. Provide absolute path to the directory e.g. /home/user/configdumpresult etc. Any existing dump files will be overwritten.

Optional Parameters

Switch

Description

--exclude

Names of items/types to exclude in the export, separated by semicolon. Type and name is separated by a colon, and wildcards "*" are allowed. Both are case-insensitive. E.g. --exclude "*:Example CA; cryptotoken:Example*; systemconfiguration:*"

Supported types are: ACMECONFIG, CA, CRYPTOTOKEN, PUBLISHER, APPROVALPROFILE, CERTPROFILE, EEPROFILE, SERVICE, ROLE, KEYBINDING, ENDENTITY, SYSCONFIG, ADMINPREFS, CMPCONFIG, OCSPCONFIG, PEERCONNECTOR, PEERCONFIG, SCEPCONFIG, ESTCONFIG, VALIDATOR, CTLOG, EXTENDEDKEYUSAGE, CERTEXTENSION

--ignore-errors

Print a warning instead of aborting and throwing an exception on errors.

--ignore-warnings

No warnings will be printed in the cli output.

--include

Names of items/types to include in the export. The syntax is identical to that of --exclude. For items of types that aren't listed, everything is included.

--include-external-cas

Enables export of external CAs (i.e. CAs where there's only a certificate and nothing else)

Troubleshooting

If EJBCA is running as a different user than Configdump (which may happen whenever you login as foo but EJBCA is running as e.g. wildfly) you may run into the following problem when exporting:

Exporting to directory: /home/foo/configdump
java.nio.file.AccessDeniedException: /home/foo/configdump
[....]

The solution is to create the folder manually with the proper group ownership

mkdir ~/configdump
sudo chown foo:wildfly ~/configdump