Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Appendix D. ACL reference


This section describes what each resource controls, lists the possible operations describing the outcome of those operations, and provides the default ACIs for each ACL resource defined. Each subsystem contains only those ACLs that are relevant to that subsystem.

D.1. About ACL configuration files

Access control is the method to set rules on who can access part of a server and the operations that user can perform. The four subsystems which depend on the LDAP directory service and use a Java console - the CA, KRA, OCSP, and TKS - all implement LDAP-style access control to access their resources. These access control lists (ACL) are located in the /var/lib/pki/instance_name/conf/subsystem/acl.ldif file.

NOTE

This section provides only a very brief overview of access control concepts. Access control is described in much more detail in the Managing Access Control chapter in the Red Hat Directory Server Administration Guide.

The Certificate System ACL files are LDIF files that are loaded by the internal database. The individual ACLs are defined as resourceACLS attributes which identify the area of the subsystem being protected and then a list of all of the specific access controls being set.

resourceACLS: class_name:all rights: allow|deny (rights) type=target description

Each rule which allows or denies access to a resource is called an access control instruction (ACI). (The sum of all of the ACIs for a resource is an access control list.) Before defining the actual ACI, the ACL attribute is first applied to a specific plugin class used by the Certificate System subsystem. This focuses each ACL to a specific function performed by the subsystem, providing both more security for the instance and better control over applying ACLs.

Example D.1. Default ACL to list certificate profiles

resourceACLS: certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles

Because each subsystem (CA, KRA, OCSP, and TKS) has different resources for its operations, each subsystem instance has its own acl.ldif file and its own defined ACLs.

Each ACI defines what access or behavior can be done (the right) and who the ACI applies to (the target). The basic format of an ACI is, then:

allow|deny (rights) user|group

Rights are types of operations that the ACI allows a user to perform. For LDAP ACIs, there is a relatively limited list of rights to directory entries, like search, read, write, and delete. The Certificate System uses additional rights that cover common PKI tasks, like revoke, submit, and assign.

If an operation is not explicitly allowed in an ACI, then it is implicitly denied. If an operation is explicitly denied in one ACI, then it trumps any ACI which explicitly allows it. Deny rules are always superior to allow rules to provide additional security.

Each ACI has to apply to specific users or groups. This is set using a couple of common conditions, usually user= or group=, though there are other options, like ipaddress= which defines client-based access rather than entry-based access. If there is more than one condition, the conditions can be composed using the double pipe (||) operator, signifying logical disjunction ("or"), and the double ampersand (&&) operator, signifying logical conjunction ("and"). For example, group="group1" || "group2".

Each area of the resourceACLS attribute value is defined in the below table.

Table D.1. Sections of the ACL attribute value
ValueDescription

class_name

The plugin class to which the ACI is applied.

all operations

The list of every operation covered in the ACI definition. There can be multiple operations in a single ACI and multiple ACIs in a single resourceACLS attribute.

allow|deny

Whether the action is being allowed for the target user or group or denied to the target user or group.

(operations)

The operations being allowed or denied.

type=target

The target to identify who this applies to. This is commonly a user (such as user="name") or a group (group="group"). If there is more than one condition, the conditions can be composed using the double pipe (||) operator (logical "or") and the double ampersand (&&) operator (logical "and"). For example, group="group1" || "group2".

description

A description of what the ACL is doing.

D.2. Common ACLs

This section covers the default access control configuration that is common for all four subsystem types. These access control rules manage access to basic and common configuration settings, such as logging and adding users and groups.

IMPORTANT

These ACLs are common in that the same ACLs occur in each subsystem instance’s acl.ldif file. These are not shared ACLs in the sense that the configuration files or settings are held in common by all subsystem instances. As with all other instance configuration, these ACLs are maintained independently of other subsystem instances, in the instance-specific acl.ldif file.

D.2.1. certServer.acl.configuration

Controls operations to the ACL configuration. The default configuration is:

allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.2. certServer.acl.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View ACL resources and list ACL resources, ACL listing evaluators, and ACL evaluator types.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Add, delete, and update ACL evaluators.

Allow

Administrators

D.2.2. certServer.admin.certificate

Controls which users can import a certificate through a Certificate Manager. By default, this operation is allowed to everyone. The default configuration is:

allow (import) user="anybody"
NOTE

This entry is associated with the CA administration web interface which is used to configure the instance. This ACL is only available during instance configuration and is unavailable after the CA is running.

Table D.3. certServer.admin.certificate ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

import

Import a CA administrator certificate, and retrieve certificates by serial number.

Allow

Anyone

D.2.3. certServer.auth.configuration

Controls operations on the authentication configuration.

allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators
Table D.4. certServer.auth.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View authentication plugins, authentication type, configured authentication manager plugins, and authentication instances. List authentication manager plugins and authentication manager instances.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Add or delete authentication plugins and authentication instances. Modify authentication instances.

Allow

Administrators

D.2.4. certServer.clone.configuration

Controls who can read and modify the configuration information used in cloning. The default setting is:

allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators"
Table D.5. certServer.clone.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View original instance configuration.

Allow

Enterprise Administrators

modify

Modify original instance configuration.

Allow

Enterprise Administrators

D.2.5. certServer.general.configuration

Controls access to the general configuration of the subsystem instance, including who can view and edit the CA’s settings.

allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"
Table D.6. certServer.general.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View the operating environment, LDAP configuration, SMTP configuration, server statistics, encryption, token names, subject name of certificates, certificate nicknames, all subsystems loaded by the server, CA certificates, and all certificates for management.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Modify the settings for the LDAP database, SMTP, and encryption. Issue import certificates, install certificates, trust and untrust CA certificates, import cross-pair certificates, and delete certificates. Perform server restart and stop operations. Log in all tokens and check token status. Run self-tests on demand. Get certificate information. Process the certificate subject name. Validate the certificate subject name, certificate key length, and certificate extension.

Allow

Administrators

D.2.6. certServer.log.configuration

Controls access to the log configuration for the Certificate Manager, including changing the log settings.

allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"
Table D.7. certServer.log.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View log plugin information, log plugin configuration, and log instance configuration. List log plugins and log instances (excluding NTEventLog).

Allow

  • Administrators
  • Agents
  • Auditors

modify

Add and delete log plugins and log instances. Modify log instances, including log rollover parameters and log level.

Allow

Administrators

D.2.7. certServer.log.configuration.fileName

Restricts access to change the file name of a log for the instance.

allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody
Table D.8. certServer.log.configuration.fileName ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View the value of the fileName parameter for a log instance.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Change the value of the fileName parameter for a log instance.

Deny

Anyone

D.2.8. certServer.log.content.signedAudit

Controls who has access to the signed audit logs. The default setting is:

allow (read) group="Auditors"
Table D.9. certServer.log.content.signedAudit ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View log content. List logs.

Allow

  • Auditors

D.2.9. certServer.registry.configuration

Controls access to the administration registry, the file that is used to register plugin modules. Currently, this is only used to register certificate profile plugins.

allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.10. certServer.registry.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View the administration registry, supported policy constraints, profile plugin configuration, and the list of profile plugins.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Register individual profile implementation plugins.

Allow

Administrators

D.3. Certificate manager-specific ACLs

This section covers the default access control configuration attributes which are set specifically for the Certificate Manager. The CA ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.

There are access control rules set for each of the CA’s interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading certificates.

D.3.1. certServer.admin.ocsp

Limits access to the Certificate Manager’s OCSP configuration to members of the enterprise OCSP administrators group.

allow (modify,read) group="Enterprise OCSP Administrators"
Table D.11. certServer.admin.ocsp ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Modify the OCSP configuration, OCSP stores configuration, and default OCSP store.

Allow

Enterprise OCSP Administrators

read

Read the OCSP configuration.

Allow

Enterprise OCSP Administrators

D.3.2. certServer.ca.certificate

Controls basic management operations for certificates in the agents services interface, including importing and revoking certificates. The default configuration is:

allow (import,unrevoke,revoke,read) group="Certificate Manager Agents"
Table D.12. certServer.ca.certificate ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

import

Retrieve a certificate by serial number.

Allow

Certificate Manager Agents

unrevoke

Change the status of a certificate from revoked.

Allow

Certificate Manager Agents

revoke

Change the status of a certificate to revoked.

Allow

Certificate Manager Agents

read

Retrieve certificates based on the request ID, and display certificate details based on the request ID or serial number.

Allow

Certificate Manager Agents

D.3.3. certServer.ca.certificates

Controls operations for listing or revoking certificates through the agent services interface. The default configuration is:

allow (revoke,list) group="Certificate Manager Agents"|| group="Registration Manager Agents"
Table D.13. certServer.ca.certificates ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

revoke

Revoke a certificates, or approve certificate revocation requests. Revoke a certificate from the TPS. Prompt users for additional data about a revocation request.

Allow

  • Certificate Manager Agents
  • Registration Manager Agents

list

List certificates based on a search. Retrieve details about a range of certificates based on a range of serial numbers.

Allow

  • Certificate Manager Agents
  • Registration Manager Agents

D.3.4. certServer.ca.configuration

Controls operations on the general configuration for a Certificate Manager. The default configuration is:

allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.14. certServer.ca.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View CRL plugin information, general CA configuration, CA connector configuration, CRL issuing points configuration, CRL profile configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. List CRL extensions configuration and CRL issuing points configuration.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Add and delete CRL issuing points. Modify general CA settings, CA connector configuration, CRL issuing points configuration, CRL configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration.

Allow

Administrators

D.3.5. certServer.ca.connector

Controls operations to submit requests over a special connector to the CA. The default configuration is:

allow (submit) group="Trusted Managers"
Table D.15. certServer.ca.connector ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

submit

Submit requests from remote trusted managers.

Allow

Trusted Managers

D.3.6. certServer.ca.connectorInfo

Controls access to the connector information to manage trusted relationships between a CA and KRA. These trust relationships are special configurations which allow a CA and KRA to automatically connect to perform key archival and recovery operations. These trust relationships are configured through special connector plugins.

allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group"
Table D.16. certServer.ca.connectorInfo ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Read connector plugin settings.

Allow

Enterprise KRA Administrators

modify

Modify connector plugin settings.

Allow

  • Enterprise KRA Administrators
  • Subsystem Group

D.3.7. certServer.ca.crl

Controls access to read or update CRLs through the agent services interface. The default setting is:

allow (read,update) group="Certificate Manager Agents"
Table D.17. certServer.ca.crl ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Display CRLs and get detailed information about CA CRL processing.

Allow

Certificate Manager Agents

update

Update CRLs.

Allow

Certificate Manager Agents

D.3.8. certServer.ca.directory

Controls access to the LDAP directory used for publishing certificates and CRLs.

allow (update) group="Certificate Manager Agents"
Table D.18. certServer.ca.directory ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

update

Publish CA certificates, CRLs, and user certificates to the LDAP directory.

Allow

Certificate Manager Agents

D.3.9. certServer.ca.group

Controls access to the internal database for adding users and groups for the Certificate Manager instance.

allow (modify,read) group="Administrators"
Table D.19. certServer.ca.group ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Create, edit, or delete user and group entries for the instance. Add or modify a user certificate within attributes

Allow

Administrators

read

View user and group entries for the instance.

Allow

Administrators

D.3.10. certServer.ca.ocsp

Controls the ability to access and read OCSP information, such as usage statistics, through the agent services interface.

allow (read) group="Certificate Manager Agents"
Table D.20. certServer.ca.ocsp ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Retrieve OCSP usage statistics.

Allow

Certificate Manager Agents

D.3.11. certServer.ca.profile

Controls access to certificate profile configuration in the agent services pages.

allow (read,approve) group="Certificate Manager Agents"
Table D.21. certServer.ca.profile ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View the details of the certificate profiles.

Allow

Certificate Manager Agents

approve

Approve and enable certificate profiles.

Allow

Certificate Manager Agents

D.3.12. certServer.ca.profiles

Controls access to list certificate profiles in the agent services interface.

allow (list) group="Certificate Manager Agents"
Table D.22. certServer.ca.profiles ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

list

List certificate profiles.

Allow

Certificate Manager Agents

D.3.13. certServer.ca.registerUser

Defines which group or user can create an agent user for the instance. The default configuration is:

allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.23. certServer.ca.registerUser ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Register a new agent.

Allow

Enterprise Administrators

read

Read existing agent information.

Allow

Enterprise Administrators

D.3.14. certServer.ca.request.enrollment

Controls how the enrollment request are handled and assigned. The default setting is:

allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents"
Table D.24. certServer.ca.request.enrollment ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View an enrollment request.

Allow

Certificate Manager Agents

execute

Modify the approval state of a request.

Allow

Certificate Manager Agents

submit

Sumbit a request.

Allow

Anybody

assign

Assign a request to a Certificate Manager agent.

Allow

Certificate Manager Agents

unassign

Change the assignment of a request.

Allow

Certificate Manager Agents

D.3.15. certServer.ca.request.profile

Controls the handling of certificate profile-based requests. The default setting is:

allow (approve,read) group="Certificate Manager Agents"
Table D.25. certServer.ca.request.profile ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

approve

Modify the approval state of a certificate profile-based certificate request.

Allow

Certificate Manager Agents

read

View a certificate profile-based certificate request.

Allow

Certificate Manager Agents

D.3.16. certServer.ca.requests

Controls who can list certificate requests in the agents services interface.

allow (list) group="Certificate Manager Agents"|| group="Registration Manager Agents"
Table D.26. certServer.ca.requests ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

list

Retrieve details on a range of requests, and search for certificates using a complex filter.

Allow

  • Certificate Manager Agents
  • Registration Manager Agents

D.3.17. certServer.ca.systemstatus

Controls who can view the statistics for the Certificate Manager instance.

allow (read) group="Certificate Manager Agents"
Table D.27. certServer.ca.systemstatus ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View statistics.

Allow

Certificate Manager Agents

D.3.18. certServer.ee.certchain

Controls who can access the CA certificate chain in the end-entities page.

allow (download,read) user="anybody"
Table D.28. certServer.ee.certchain ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

download

Download the CA’s certificate chain.

Allow

Anyone

read

View the CA’s certificate chain.

Allow

Anyone

D.3.19. certServer.ee.certificate

Controls who can access certificates, for most operations like importing or revoking certificates, through the end-entities page.

allow (renew,revoke,read,import) user="anybody"
Table D.29. certServer.ee.certificate ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

renew

Submit a request to renew an existing certificate.

Allow

Anyone

revoke

Submit a revocation request for a user certificate.

Allow

Anyone

read

Retrieve and view certificates based on the certificate serial number or request ID.

Allow

Anyone

import

Import a certificate based on serial number.

Allow

Anyone

D.3.20. certServer.ee.certificates

Controls who can list revoked certificates or submit a revocation request in the end-entities page.

allow (revoke,list) user="anybody"
Table D.30. certServer.ee.certificates ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

revoke

Submit a list of certificates to revoke.

Allow

Subject of Certificate to be Revoked must match Certificate presented to authenticate to the CA.

list

Search for certificates matching specified criteria.

Allow

Anyone

D.3.21. certServer.ee.crl

Controls access to CRLs through the end-entities page.

allow (read,add) user="anybody"
Table D.31. certServer.ee.crl ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Retrieve and view the certificate revocation list.

Allow

Anyone

add

Add CRLs to the OCSP server.

Allow

Anyone

D.3.22. certServer.ee.profile

Controls some access to certificate profiles in the end-entities page, including who can view details about a profile or submit a request through the profile.

allow (submit,read) user="anybody"
Table D.32. certServer.ee.profile ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

submit

Submit a certificate request through a certificate profile.

Allow

Anyone

read

Displaying details of a certificate profile.

Allow

Anyone

D.3.23. certServer.ee.profiles

Controls who can list active certificate profiles in the end-entities page.

allow (list) user="anybody"
Table D.33. certServer.ee.profiles ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

list

List certificate profiles.

Allow

Anyone

D.3.24. certServer.ee.request.ocsp

Controls access, based on IP address, on which clients submit OCSP requests.

allow (submit) ipaddress=".*"
Table D.34. certServer.ee.request.ocsp ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

submit

Submit OCSP requests.

Allow

All IP addresses

D.3.25. certServer.ee.request.revocation

Controls what users can submit certificate revocation requests in the end-entities page.

allow (submit) user="anybody"
Table D.35. certServer.ee.request.revocation ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

submit

Submit a request to revoke a certificate.

Allow

Anyone

D.3.26. certServer.ee.requestStatus

Controls who can view the status for a certificate request in the end-entities page.

allow (read) user="anybody"
Table D.36. certServer.ee.requestStatus ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Retrieve the status of a request and serial numbers of any certificates that have been issued against that request.

Allow

Anyone

D.3.27. certServer.job.configuration

Controls who can configure jobs for the Certificate Manager.

allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.37. certServer.job.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View basic job settings, job instance settings, and job plugin settings. List job plugins and job instances.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Add and delete job plugins and job instances. Modify job plugins and job instances.

Allow

Administrators

D.3.28. certServer.profile.configuration

Controls access to the certificate profile configuration. The default setting is:

allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.38. certServer.profile.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View certificate profile defaults and constraints, input, output, input configuration, output configuration, default configuration, policy constraints configuration, and certificate profile instance configuration. List certificate profile plugins and certificate profile instances.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Add, modify, and delete certificate profile defaults and constraints, input, output, and certificate profile instances. Add and modify default policy constraints configuration.

Allow

Administrators

D.3.29. certServer.publisher.configuration

Controls who can view and edit the publishing configuration for the Certificate Manager. The default configuration is:

allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"
Table D.39. certServer.publisher.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View LDAP server destination information, publisher plugin configuration, publisher instance configuration, mapper plugin configuration, mapper instance configuration, rules plugin configuration, and rules instance configuration. List publisher plugins and instances, rules plugins and instances, and mapper plugins and instances.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Add and delete publisher plugins, publisher instances, mapper plugins, mapper instances, rules plugins, and rules instances. Modify publisher instances, mapper instances, rules instances, and LDAP server destination information.

Allow

Administrators

D.3.30. certServer.securitydomain.domainxml

Controls access to the security domain information maintained in a registry by the domain host Certificate Manager. The security domain configuration is directly accessed and modified by subsystem instances during configuration, so appropriate access must always be allowed to subsystems, or configuration could fail.

allow (read) user="anybody";allow (modify) group="Subsystem Group"
Table D.40. certServer.securitydomain.domainxml ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View the security domain configuration.

Allow

Anybody

modify

Modify the security domain configuration by changing instance information and adding and removing instances.

Allow

  • Subsystem Groups
  • Enterprise Administrators

D.4. Key Recovery Authority-specific ACLs

This section covers the default access control configuration which apply specifically to the KRA. The KRA ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.

There are access control rules set for each of the KRA’s interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading keys.

D.4.1. certServer.job.configuration

Controls who can configure jobs for the KRA.

allow (read) group="Administrators" || group="Key Recovery Authority Agents" ||  group="Auditors";allow (modify) group="Administrators"
Table D.41. certServer.job.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View basic job settings, job instance settings, and job plugin settings. List job plugins and job instances.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Add and delete job plugins and job instances. Modify job plugins and job instances.

Allow

Administrators

D.4.2. certServer.kra.certificate.transport

Controls who can view the transport certificate for the KRA.

allow (read) user="anybody"
Table D.42. certServer.kra.certificate.transport ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View the transport certificate for the KRA instance.

Allow

Anyone

D.4.3. certServer.kra.configuration

Controls who can configure and manage the setup for the KRA.

allow (read) group="Administrators" || group="Auditors" || group="Key Recovery Authority Agents" || allow (modify) group="Administrators"
Table D.43. certServer.kra.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Read the number of required recovery agent approvals.

Allow

  • Administrators
  • Agents
  • Auditors

modify

Change the number of required recovery agent approvals.

Allow

Administrators

D.4.4. certServer.kra.connector

Controls what entities can submit requests over a special connector configured on the CA to connect to the KRA. The default configuration is:

allow (submit) group="Trusted Managers"
Table D.44. certServer.kra.connector ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

submit

Submit a new key archival request (for non-TMS only).

Allow

Trusted Managers

D.4.5. certServer.kra.GenerateKeyPair

Controls who can submit key recovery requests to the KRA. The default configuration is:

allow (execute) group="Key Recovery Authority Agents"
Table D.45. certServer.kra.GenerateKeyPair ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

Execute

Execute server-side key generation (TMS only).

Allow

KRA Agents

D.4.6. certServer.kra.getTransportCert

Controls who can submit key recovery requests to the KRA. The default configuration is:

allow (download) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.46. certServer.kra.getTransportCert ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

download

Retrieve KRA transport certificate.

Allow

Enterprise Administrators

D.4.7. certServer.kra.group

Controls access to the internal database for adding users and groups for the KRA instance.

allow (modify,read) group="Administrators"
Table D.47. certServer.kra.group ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Create, edit, or delete user and group entries for the instance.

Allow

Administrators

read

View user and group entries for the instance.

Allow

  • Administrators

D.4.8. certServer.kra.key

Controls who can access key information through viewing, recovering, or downloading keys. The default configuration is:

allow (read,recover,download) group="Key Recovery Authority Agents"
Table D.48. certServer.kra.key ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Display public information about key archival record.

Allow

KRA Agents

recover

Retrieve key information from the database to perform a recovery operation.

Allow

KRA Agents

download

Download key information through the agent services pages.

Allow

KRA Agents

D.4.9. certServer.kra.keys

Controls who can list archived keys through the agent services pages.

allow (list) group="Key Recovery Authority Agents"
Table D.49. certServer.kra.keys ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

list

Search for and list a range of archived keys.

Allow

KRA Agents

D.4.10. certServer.kra.registerUser

Defines which group or user can create an agent user for the instance. The default configuration is:

allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.50. certServer.kra.registerUser ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Register a new user.

Allow

Enterprise Administrators

read

Read existing user info.

Allow

Enterprise Administrators

D.4.11. certServer.kra.request

Controls who can view key archival and recovery requests in the agents services interface.

allow (read) group="Key Recovery Authority Agents"
Table D.51. certServer.kra.request ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View a key archival or recovery request.

Allow

KRA Agents

D.4.12. certServer.kra.request.status

Controls who can view the status for a key recovery request in the end-entities page.

allow (read) group="Key Recovery Authority Agents"
Table D.52. certServer.kra.request.status ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Retrieve the status of a key recovery request in the agents services pages.

Allow

KRA Agents

D.4.13. certServer.kra.requests

Controls who can list key archival and recovery requests in the agents services interface.

allow (list) group="Key Recovery Authority Agents"
Table D.53. certServer.kra.requests ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

list

Retrieve details on a range of key archival and recovery requests.

Allow

KRA Agents

D.4.14. certServer.kra.systemstatus

Controls who can view the statistics for the KRA instance.

allow (read) group="Key Recovery Authority Agents"
Table D.54. certServer.kra.systemstatus ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View statistics.

Allow

KRA Agents

D.4.15. certServer.kra.TokenKeyRecovery

Controls who can submit key recovery requests for a token to the KRA. This is a common request for replacing a lost token. The default configuration is:

allow (submit) group="Key Recovery Authority Agents"
Table D.55. certServer.kra.TokenKeyRecovery ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

submit

Submit or initiate key recovery requests for a token recovery.

Allow

KRA Agents

D.5. Online Certificate Status Manager-specific ACLs

This section covers the default access control configuration attributes which are set specifically for the Online Certificate Status Manager. The OCSP responder’s ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.

There are access control rules set for each of the OCSP’s interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading CRLs.

D.5.1. certServer.ee.crl

Controls access to CRLs through the end-entities page.

allow (read) user="anybody"
Table D.56. certServer.ee.crl ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

Retrieve and view the certificate revocation list.

Allow

Anyone

D.5.2. certServer.ee.request.ocsp

Controls access, based on IP address, on which clients submit OCSP requests.

allow (submit) ipaddress=".*"
Table D.57. certServer.ee.request.ocsp ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

submit

Submit OCSP requests.

Allow

All IP addresses

D.5.3. certServer.ocsp.ca

Controls who can instruct the OCSP responder. The default setting is:

allow (add) group="Online Certificate Status Manager Agents"
Table D.58. certServer.ocsp.ca ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

Add

Instruct the OCSP responder to respond to OCSP requests for a new CA.

Allow

OCSP Manager Agents

D.5.4. certServer.ocsp.cas

Controls who can list, in the agent services interface, all of the Certificate Managers which publish CRLs to the Online Certificate Status Manager. The default setting is:

allow (list) group="Online Certificate Status Manager Agents"
Table D.59. certServer.ocsp.cas ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

list

Lists all of the Certificate Managers which publish CRLs to the OCSP responder.

Allow

Agents

D.5.5. certServer.ocsp.certificate

Controls who can validate the status of a certificate. The default setting is:

allow (validate) group="Online Certificate Status Manager Agents"
Table D.60. certServer.ocsp.certificate ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

validate

Verifies the status of a specified certificate.

Allow

OCSP Agents

D.5.6. certServer.ocsp.configuration

Controls who can access, view, or modify the configuration for the Certificate Manager’s OCSP services. The default configuration is:

allow (read) group="Administrators" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.61. certServer.ocsp.configuration ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View OCSP plugin information, OCSP configuration, and OCSP stores configuration. List OCSP stores configuration.

Allow

  • Administrators
  • Online Certificate Status Manager Agents
  • Auditors

modify

Modify the OCSP configuration, OCSP stores configuration, and default OCSP store.

Allow

Administrators

D.5.7. certServer.ocsp.crl

Controls access to read or update CRLs through the agent services interface. The default setting is:

allow (add) group="Online Certificate Status Manager Agents" || group="Trusted Managers"
Table D.62. certServer.ocsp.crl ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

add

Add new CRLs to those managed by the OCSP responder.

Allow

  • OCSP Agents
  • Trusted Managers

D.5.8. certServer.ocsp.group

Controls access to the internal database for adding users and groups for the Online Certificate Status Manager instance.

allow (modify,read) group="Administrators"
Table D.63. certServer.ocsp.group ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Create, edit or delete user and group entries for the instance.

Allow

Administrators

read

View user and group entries for the instance.

Allow

Administrators

D.5.9. certServer.ocsp.info

Controls who can read information about the OCSP responder.

allow (read) group="Online Certificate Status Manager Agents"
Table D.64. certServer.ocsp.info ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

read

View OCSP responder information.

Allow

OCSP Agents

D.6. Token Key Service-specific ACLs

This section covers the default access control configuration attributes which are set specifically for the Token Key Service (TKS). The TKS ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.

There are access control rules set for the TKS’s administrative console and for access by other subsystems to the TKS.

D.6.1. certServer.tks.encrypteddata

Controls who can encrypt data.

allow(execute) group="Token Key Service Manager Agents"
Table D.65. certServer.tks.encrypteddata ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

Execute

Encrypted data stored in the TKS.

Allow

TKS Agents

D.6.2. certServer.tks.group

Controls access to the internal database for adding users and groups for the TKS instance.

allow (modify,read) group="Administrators"
Table D.66. certServer.tks.group ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Create, edit, or delete user and group entries for the instance.

Allow

Administrators

read

View user and group entries for the instance.

Allow

Administrators

D.6.3. certServer.tks.importTransportCert

Controls who can import the transport certificate used by the TKS to deliver keys.

allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.67. certServer.tks.importTransportCert ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Update the transport certificate.

Allow

Enterprise Administrators

read

Import the transport certificate.

Allow

Enterprise Administrators

D.6.4. certServer.tks.keysetdata

Controls who can view information about key sets derived and stored by the TKS.

allow (execute) group="Token Key Service Manager Agents"
Table D.68. certServer.tks.keysetdata ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

Execute

Create diversified key set data.

Allow

TKS Agents

D.6.5. certServer.tks.registerUser

Defines which group or user can create an agent user for the instance. The default configuration is:

allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.69. certServer.tks.registerUser ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

modify

Register a new agent.

Allow

Enterprise Administrators

read

Read existing agent information.

Allow

Enterprise Administrators

D.6.6. certServer.tks.sessionkey

Controls who can create the session keys used by the TKS instance to connections to the TPS.

allow (execute) group="Token Key Service Manager Agents"
Table D.70. certServer.tks.sessionkey ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

Execute

Create session keys generated by the TKS.

Allow

TKS Agents

D.6.7. certServer.tks.randomdata

Controls who can create random data.

allow (execute) group="Token Key Service Manager Agents"
Table D.71. certServer.tks.randomdata ACL summary
OperationsDescriptionAllow/Deny AccessTargeted Users/Groups

Execute

Generate random data.

Allow

TKS Agents

Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.