Admin WS Interface
The SignServer Administration Web Services can be used for remote administration of SignServer over client authenticated HTTPS.
Access is granted based on a list of certificate serial number and issuer distinguished name pairs. Currently there is only one access level, so every administrator granted access can perform all operations.
The WSDL file is located at the following URL: http://<hostname>:8080/signserver/AdminWSService/AdminWS?wsdl.
To authorize administrators using the Admin CLI, use the wsadmins command:
bin/signserver wsadmins
Usage:
Usage: signserver wsadmins -add -certserialno <certificate serial number (in hex)> -issuerdn <issuer DN>
Usage: signserver wsadmins -add -cert <PEM or DER file>
Usage: signserver wsadmins -remove -certserialno <certificate serial number (in hex)> -issuerdn <issuer DN>
Usage: signserver wsadmins -list
Usage: signserver wsadmins -allowany [true|false]
Example 1: signserver wsadmins -add -certserialno 123ABCDEF -issuerdn "CN=Neo Morpheus, C=SE"
Example 2: signserver wsadmins -add -cert wsadmin.pem
Example 3: signserver wsadmins -remove -certserialno 123ABCDEF -issuerdn "CN=Neo Morpheus, C=SE"
Example 4: signserver wsadmins -list
Example 5: signserver wsadmins -allowany
Example 6: signserver wsadmins -allowany false
The certificate serial number should be entered in hexadecimal representation; leading zeros and letter case are not significant.
The issuer DN currently should be entered in reversed order and with a space after each comma-separated component. In the example above, the issuer DN from the certificate actually is "CN=Neo Morpheus, C=SE".
An administrator can also be added by supplying a client certificate as an argument. The serial number and issuer DN are then taken from that certificate.
To troubleshoot an "Administrator not authorized to resource" error, refer to the logs to see how SignServer interprets the serial number and subject DN. Example:
19:00:33,946 INFO [AdminWS] ADMIN OPERATION; subjectDN=C=SE, O=Markus Organization, OU=Internal Testing1, CN=External RA Admin1; serialNumber=4a3442e98e3ce428; issuerDN=C=SE, O=Markus Organization, OU=Internal Testing1, CN=MarkusAdminCA1; authorized=false; operation=getWorkers; arguments=
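As an added example (not SignServer's own code), the following Python applies the wsadmins matching rules described above to an ADMIN OPERATION log line like the one shown, so a mismatch between what was entered and what SignServer logged can be spotted. LOG_LINE and ADMINS are constructed, and the comparison of the issuer DN component by component in the order SignServer logs it is the example's own assumption.

```python
# Added example, not SignServer's own code. It applies the wsadmins matching
# rules stated above (hex serial with leading zeros and case not significant,
# issuer DN compared component by component) to an ADMIN OPERATION log line.

# Constructed from the log excerpt above.
LOG_LINE = (
    "19:00:33,946 INFO [AdminWS] ADMIN OPERATION; "
    "subjectDN=C=SE, O=Markus Organization, OU=Internal Testing1, CN=External RA Admin1; "
    "serialNumber=4a3442e98e3ce428; "
    "issuerDN=C=SE, O=Markus Organization, OU=Internal Testing1, CN=MarkusAdminCA1; "
    "authorized=false; operation=getWorkers; arguments="
)

# Constructed allowlist of (serial hex, issuer DN) as given to wsadmins -add,
# deliberately with upper case, leading zeros and no space after the comma.
ADMINS = [("00123ABCDEF", "CN=Neo Morpheus,C=SE")]


def normalize_serial(serial_hex):
    """Leading zeros and letter case are not significant for the serial."""
    return serial_hex.strip().lower().lstrip("0") or "0"


def normalize_dn(dn):
    """Exactly one ', ' between components; component order is kept as given
    (assumption: SignServer compares the DN in the order it logs it)."""
    return ", ".join(part.strip() for part in dn.split(","))


def parse_admin_operation(line):
    """Return the key=value fields of an ADMIN OPERATION log line. Fields are
    separated by '; '; a DN value contains ', ' and '=', so only the first
    '=' of each field separates key from value."""
    _, _, body = line.partition("ADMIN OPERATION; ")
    return dict(chunk.partition("=")[::2] for chunk in body.split("; "))


def is_authorized(serial_hex, issuer_dn, admins):
    """True if (serial, issuer) matches an allowlist entry after normalization."""
    wanted = (normalize_serial(serial_hex), normalize_dn(issuer_dn))
    return any((normalize_serial(s), normalize_dn(d)) == wanted for s, d in admins)


def diagnose(line, admins):
    """What SignServer saw in the log line and whether the allowlist accepts it."""
    f = parse_admin_operation(line)
    return {
        "serial": normalize_serial(f["serialNumber"]),
        "issuer": normalize_dn(f["issuerDN"]),
        "allowlist_match": is_authorized(f["serialNumber"], f["issuerDN"], admins),
    }
```

Running diagnose(LOG_LINE, ADMINS) on the excerpt above reports no allowlist match, which is consistent with the logged authorized=false; adding the logged serial and issuer DN with wsadmins -add is what would make it match.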