This section covers the default access control configuration attributes which are set specifically for the Certificate Manager. The CA ACL configuration also includes all of the common ACLs listed in
Section D.2, “Common ACLs”.
There are access control rules set for each of the CA's interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading certificates.
D.3.1. certServer.admin.ocsp
Limits access to the Certificate Manager's OCSP configuration to members of the enterprise OCSP administrators group.
allow (modify,read) group="Enterprise OCSP Administrators"
Table D.13. certServer.admin.ocsp ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| modify | Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. | Allow | Enterprise OCSP Administrators |
| read | Read the OCSP configuration. | Allow | Enterprise OCSP Administrators |
D.3.2. certServer.ca.certificate
Controls basic management operations for certificates in the agents services interface, including importing and revoking certificates. The default configuration is:
allow (import,unrevoke,revoke,read) group="Certificate Manager Agents"
Table D.14. certServer.ca.certificate ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| import | Retrieve a certificate by serial number. | Allow | Certificate Manager Agents |
| unrevoke | Change the status of a certificate from revoked. | Allow | Certificate Manager Agents |
| revoke | Change the status of a certificate to revoked. | Allow | Certificate Manager Agents |
| read | Retrieve certificates based on the request ID, and display certificate details based on the request ID or serial number. | Allow | Certificate Manager Agents |
D.3.3. certServer.ca.certificates
Controls operations for listing or revoking certificates through the agent services interface. The default configuration is:
allow (revoke,list) group="Certificate Manager Agents"|| group="Registration Manager Agents"
Table D.15. certServer.ca.certificates ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| revoke | Revoke a certificates, or approve certificate revocation requests. Revoke a certificate from the TPS. Prompt users for additional data about a revocation request. | Allow | | Certificate Manager Agents | | Registration Manager Agents |
|
| list | List certificates based on a search. Retrieve details about a range of certificates based on a range of serial numbers. | Allow | | Certificate Manager Agents | | Registration Manager Agents |
|
D.3.4. certServer.ca.configuration
Controls operations on the general configuration for a Certificate Manager. The default configuration is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.16. certServer.ca.configuration ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | View CRL plug-in information, general CA configuration, CA connector configuration, CRL issuing points configuration, CRL profile configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. List CRL extensions configuration and CRL issuing points configuration. | Allow | | Administrators | | Agents | | Auditors |
|
| modify | Add and delete CRL issuing points. Modify general CA settings, CA connector configuration, CRL issuing points configuration, CRL configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. | Allow | Administrators |
D.3.5. certServer.ca.connector
Controls operations to submit requests over a special connector to the CA. The default configuration is:
allow (submit) group="Trusted Managers"
Table D.17. certServer.ca.connector ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| submit | Submit requests from remote trusted managers. | Allow | Trusted Managers |
D.3.6. certServer.ca.connectorInfo
Controls access to the connector information to manage trusted relationships between a CA and KRA. These trust relationships are special configurations which allow a CA and KRA to automatically connect to perform key archival and recovery operations. These trust relationships are configured through special connector plug-ins.
allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group"
Table D.18. certServer.ca.connectorInfo ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | Read connector plug-in settings. | Allow | Enterprise KRA Administrators |
| modify | Modify connector plug-in settings. | Allow | | Enterprise KRA Administrators | | Subsystem Group |
|
Controls access to read or update CRLs through the agent services interface. The default setting is:
allow (read,update) group="Certificate Manager Agents"
Table D.19. certServer.ca.crl ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | Display CRLs and get detailed information about CA CRL processing. | Allow | Certificate Manager Agents |
| update | Update CRLs. | Allow | Certificate Manager Agents |
D.3.8. certServer.ca.directory
Controls access to the LDAP directory used for publishing certificates and CRLs.
allow (update) group="Certificate Manager Agents"
Table D.20. certServer.ca.directory ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| update | Publish CA certificates, CRLs, and user certificates to the LDAP directory. | Allow | Certificate Manager Agents |
D.3.9. certServer.ca.group
Controls access to the internal database for adding users and groups for the Certificate Manager instance.
allow (modify,read) group="Administrators"
Table D.21. certServer.ca.group ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| modify | Create, edit, or delete user and group entries for the instance. Add or modify a user certificate within attributes | Allow | Administrators |
| read | View user and group entries for the instance. | Allow | Administrators |
D.3.10. certServer.ca.ocsp
Controls the ability to access and read OCSP information, such as usage statistics, through the agent services interface.
allow (read) group="Certificate Manager Agents"
Table D.22. certServer.ca.ocsp ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | Retrieve OCSP usage statistics. | Allow | Certificate Manager Agents |
D.3.11. certServer.ca.profile
Controls access to certificate profile configuration in the agent services pages.
allow (read,approve) group="Certificate Manager Agents"
Table D.23. certServer.ca.profile ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | View the details of the certificate profiles. | Allow | Certificate Manager Agents |
| approve | Approve and enable certificate profiles. | Allow | Certificate Manager Agents |
D.3.12. certServer.ca.profiles
Controls access to list certificate profiles in the agent services interface.
allow (list) group="Certificate Manager Agents"
Table D.24. certServer.ca.profiles ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| list | List certificate profiles. | Allow | Certificate Manager Agents |
D.3.13. certServer.ca.registerUser
Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.25. certServer.ca.registerUser ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| modify | Register a new agent. | Allow | Enterprise Administrators |
| read | Read existing agent information. | Allow | Enterprise Administrators |
D.3.14. certServer.ca.request.enrollment
Controls how the enrollment request are handled and assigned. The default setting is:
allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents"
Table D.26. certServer.ca.request.enrollment ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | View an enrollment request. | Allow | Certificate Manager Agents |
| execute | Modify the approval state of a request. | Allow | Certificate Manager Agents |
| submit | Sumbit a request. | Allow | Anybody |
| assign | Assign a request to a Certificate Manager agent. | Allow | Certificate Manager Agents |
| unassign | Change the assignment of a request. | Allow | Certificate Manager Agents |
D.3.15. certServer.ca.request.profile
Controls the handling of certificate profile-based requests. The default setting is:
allow (approve,read) group="Certificate Manager Agents"
Table D.27. certServer.ca.request.profile ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| approve | Modify the approval state of a certificate profile-based certificate request. | Allow | Certificate Manager Agents |
| read | View a certificate profile-based certificate request. | Allow | Certificate Manager Agents |
D.3.16. certServer.ca.requests
Controls who can list certificate requests in the agents services interface.
allow (list) group="Certificate Manager Agents"|| group="Registration Manager Agents"
Table D.28. certServer.ca.requests ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| list | Retrieve details on a range of requests, and search for certificates using a complex filter. | Allow | | Certificate Manager Agents | | Registration Manager Agents |
|
D.3.17. certServer.ca.systemstatus
Controls who can view the statistics for the Certificate Manager instance.
allow (read) group="Certificate Manager Agents"
Table D.29. certServer.ca.systemstatus ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | View statistics. | Allow | Certificate Manager Agents |
D.3.18. certServer.ee.certchain
Controls who can access the CA certificate chain in the end-entities page.
allow (download,read) user="anybody"
Table D.30. certServer.ee.certchain ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| download | Download the CA's certificate chain. | Allow | Anyone |
| read | View the CA's certificate chain. | Allow | Anyone |
D.3.19. certServer.ee.certificate
Controls who can access certificates, for most operations like importing or revoking certificates, through the end-entities page.
allow (renew,revoke,read,import) user="anybody"
Table D.31. certServer.ee.certificate ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| renew | Submit a request to renew an existing certificate. | Allow | Anyone |
| revoke | Submit a revocation request for a user certificate. | Allow | Anyone |
| read | Retrieve and view certificates based on the certificate serial number or request ID. | Allow | Anyone |
| import | Import a certificate based on serial number. | Allow | Anyone |
D.3.20. certServer.ee.certificates
Controls who can list revoked certificates or submit a revocation request in the end-entities page.
allow (revoke,list) user="anybody"
Table D.32. certServer.ee.certificates ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| revoke | Submit a list of certificates to revoke. | Allow |
Subject of Certificate to be Revoked must match Certificate presented to authenticate to the CA.
|
| list | Search for certificates matching specified criteria. | Allow | Anyone |
D.3.21. certServer.ee.crl
Controls access to CRLs through the end-entities page.
allow (read,add) user="anybody"
Table D.33. certServer.ee.crl ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | Retrieve and view the certificate revocation list. | Allow | Anyone |
| add | Add CRLs to the OCSP server. | Allow | Anyone |
D.3.22. certServer.ee.profile
Controls some access to certificate profiles in the end-entities page, including who can view details about a profile or submit a request through the profile.
allow (submit,read) user="anybody"
Table D.34. certServer.ee.profile ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| submit | Submit a certificate request through a certificate profile. | Allow | Anyone |
| read | Displaying details of a certificate profile. | Allow | Anyone |
D.3.23. certServer.ee.profiles
Controls who can list active certificate profiles in the end-entities page.
allow (list) user="anybody"
Table D.35. certServer.ee.profiles ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| list | List certificate profiles. | Allow | Anyone |
D.3.24. certServer.ee.request.ocsp
Controls access, based on IP address, on which clients submit OCSP requests.
allow (submit) ipaddress=".*"
Table D.36. certServer.ee.request.ocsp ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| submit | Submit OCSP requests. | Allow | All IP addresses |
D.3.25. certServer.ee.request.revocation
Controls what users can submit certificate revocation requests in the end-entities page.
allow (submit) user="anybody"
Table D.37. certServer.ee.request.revocation ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| submit | Submit a request to revoke a certificate. | Allow | Anyone |
D.3.26. certServer.ee.requestStatus
Controls who can view the status for a certificate request in the end-entities page.
allow (read) user="anybody"
Table D.38. certServer.ee.requestStatus ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | Retrieve the status of a request and serial numbers of any certificates that have been issued against that request. | Allow | Anyone |
D.3.27. certServer.job.configuration
Controls who can configure jobs for the Certificate Manager.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.39. certServer.job.configuration ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | View basic job settings, job instance settings, and job plug-in settings. List job plug-ins and job instances. | Allow | | Administrators | | Agents | | Auditors |
|
| modify | Add and delete job plug-ins and job instances. Modify job plug-ins and job instances. | Allow | Administrators |
D.3.28. certServer.profile.configuration
Controls access to the certificate profile configuration. The default setting is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.40. certServer.profile.configuration ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | View certificate profile defaults and constraints, input, output, input configuration, output configuration, default configuration, policy constraints configuration, and certificate profile instance configuration. List certificate profile plug-ins and certificate profile instances. | Allow | | Administrators | | Agents | | Auditors |
|
| modify | Add, modify, and delete certificate profile defaults and constraints, input, output, and certificate profile instances. Add and modify default policy constraints configuration. | Allow | Administrators |
D.3.29. certServer.publisher.configuration
Controls who can view and edit the publishing configuration for the Certificate Manager. The default configuration is:
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"
Table D.41. certServer.publisher.configuration ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | View LDAP server destination information, publisher plug-in configuration, publisher instance configuration, mapper plug-in configuration, mapper instance configuration, rules plug-in configuration, and rules instance configuration. List publisher plug-ins and instances, rules plug-ins and instances, and mapper plug-ins and instances. | Allow | | Administrators | | Agents | | Auditors |
|
| modify | Add and delete publisher plug-ins, publisher instances, mapper plug-ins, mapper instances, rules plug-ins, and rules instances. Modify publisher instances, mapper instances, rules instances, and LDAP server destination information. | Allow | Administrators |
D.3.30. certServer.securitydomain.domainxml
Controls access to the security domain information maintained in a registry by the domain host Certificate Manager. The security domain configuration is directly accessed and modified by subsystem instances during configuration, so appropriate access must always be allowed to subsystems, or configuration could fail.
allow (read) user="anybody";allow (modify) group="Subsystem Group"
Table D.42. certServer.securitydomain.domainxml ACL Summary| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|
| read | View the security domain configuration. | Allow | Anybody |
| modify | Modify the security domain configuration by changing instance information and adding and removing instances. | Allow | | Subsystem Groups | | Enterprise Administrators |
|
