D.4. Key Recovery Authority-Specific ACLs
This section covers the default access control configuration that applies specifically to the KRA. The KRA ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
Access control rules are set for each of the KRA's interfaces (the administrative console and the agents and end-entities services pages) and for common operations such as listing and downloading keys.
D.4.1. certServer.job.configuration
Controls who can configure jobs for the KRA.
allow (read) group="Administrators" || group="Key Recovery Authority Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View basic job settings, job instance settings, and job plug-in settings. List job plug-ins and job instances. | Allow | Administrators, KRA Agents, Auditors |
modify | Add and delete job plug-ins and job instances. Modify job plug-ins and job instances. | Allow | Administrators |
D.4.2. certServer.kra.certificate.transport
Controls who can view the transport certificate for the KRA.
allow (read) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the transport certificate for the KRA instance. | Allow | Anyone |
D.4.3. certServer.kra.configuration
Controls who can configure and manage the setup for the KRA.
allow (read) group="Administrators" || group="Auditors" || group="Key Recovery Authority Agents";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Read the number of required recovery agent approvals. | Allow | Administrators, Auditors, KRA Agents |
modify | Change the number of required recovery agent approvals. | Allow | Administrators |
D.4.4. certServer.kra.connector
Controls what entities can submit requests over a special connector configured on the CA to connect to the KRA. The default configuration is:
allow (submit) group="Trusted Managers"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit a new key archival request (for non-TMS only). | Allow | Trusted Managers |
D.4.5. certServer.kra.GenerateKeyPair
Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (execute) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
execute | Execute server-side key generation (TMS only). | Allow | KRA Agents |
D.4.6. certServer.kra.getTransportCert
Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (download) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
download | Retrieve KRA transport certificate. | Allow | Enterprise Administrators |
D.4.7. certServer.kra.group
Controls access to the internal database for adding users and groups for the KRA instance.
allow (modify,read) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit, or delete user and group entries for the instance. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.4.8. certServer.kra.key
Controls who can access key information through viewing, recovering, or downloading keys. The default configuration is:
allow (read,recover,download) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Display public information about key archival record. | Allow | KRA Agents |
recover | Retrieve key information from the database to perform a recovery operation. | Allow | KRA Agents |
download | Download key information through the agent services pages. | Allow | KRA Agents |
D.4.9. certServer.kra.keys
Controls who can list archived keys through the agent services pages.
allow (list) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Search for and list a range of archived keys. | Allow | KRA Agents |
D.4.10. certServer.kra.registerUser
Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Register a new user. | Allow | Enterprise Administrators |
read | Read existing user info. | Allow | Enterprise Administrators |
D.4.11. certServer.kra.request
Controls who can view key archival and recovery requests in the agents services interface.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View a key archival or recovery request. | Allow | KRA Agents |
D.4.12. certServer.kra.request.status
Controls who can view the status for a key recovery request in the end-entities page.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve the status of a key recovery request in the agents services pages. | Allow | KRA Agents |
D.4.13. certServer.kra.requests
Controls who can list key archival and recovery requests in the agents services interface.
allow (list) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Retrieve details on a range of key archival and recovery requests. | Allow | KRA Agents |
D.4.14. certServer.kra.systemstatus
Controls who can view the statistics for the KRA instance.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View statistics. | Allow | KRA Agents |
D.4.15. certServer.kra.TokenKeyRecovery
Controls who can submit key recovery requests for a token to the KRA. This is a common request for replacing a lost token. The default configuration is:
allow (submit) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit or initiate key recovery requests for a token recovery. | Allow | KRA Agents |
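
Because the defaults in this section decide who can list, recover, or download archived keys, it is worth checking periodically that an instance's rules still match them. The following is an added example, not part of the original documentation or the product's code: it parses rule strings in the form shown in this section (`allow` or `deny`, an operation list, subjects joined by `||`, rules separated by `;`) and reports subjects added or removed per operation. The function names, the `DEFAULTS` subset, and the sample input are assumptions made for the illustration; any syntax not shown on this page is rejected rather than guessed at.

```python
import re

# Default rule strings copied from this section (a subset, for illustration).
DEFAULTS = {
    "certServer.job.configuration": 'allow (read) group="Administrators" || '
        'group="Key Recovery Authority Agents" || group="Auditors";'
        'allow (modify) group="Administrators"',
    "certServer.kra.key":
        'allow (read,recover,download) group="Key Recovery Authority Agents"',
    "certServer.kra.connector": 'allow (submit) group="Trusted Managers"',
}

RULE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.+)$')
SUBJECT = re.compile(r'^(user|group)="([^"]*)"$')

def parse_acl(text):
    """Map (action, operation) -> set of (kind, name) for one ACL string."""
    grants = {}
    for rule in filter(None, (r.strip() for r in text.split(";"))):
        m = RULE.match(rule)
        if not m:
            raise ValueError(f"unparseable rule: {rule!r}")
        action, ops, expr = m.groups()
        subjects = set()
        for term in expr.split("||"):
            s = SUBJECT.match(term.strip())
            if not s:  # only the user=/group= forms shown on this page
                raise ValueError(f"unparseable subject: {term.strip()!r}")
            subjects.add(s.groups())
        for op in ops.split(","):
            grants.setdefault((action, op.strip()), set()).update(subjects)
    return grants

def drift(resource, current):
    """Report subjects added to or removed from the documented default."""
    base, now = parse_acl(DEFAULTS[resource]), parse_acl(current)
    findings = []
    for key in sorted(set(base) | set(now)):
        old, new = base.get(key, set()), now.get(key, set())
        findings += [("added", *key, *s) for s in sorted(new - old)]
        findings += [("removed", *key, *s) for s in sorted(old - new)]
    return findings

if __name__ == "__main__":
    # Constructed sample: Administrators added to the key-access rule.
    widened = DEFAULTS["certServer.kra.key"] + ' || group="Administrators"'
    for finding in drift("certServer.kra.key", widened):
        print(finding)
```

An empty result from `drift` means the rule grants exactly what the default does; an `added` finding on `recover` or `download` is the one to review first.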