D.6. Token Key Service-Specific ACLs


This section covers the default access control configuration attributes which are set specifically for the Token Key Service (TKS). The TKS ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for the TKS's administrative console and for access by other subsystems to the TKS.

D.6.1. certServer.tks.encrypteddata

Controls who can encrypt data.
allow(execute) group="Token Key Service Manager Agents"
Table D.67. certServer.tks.encrypteddata ACL Summary
Operations Description Allow/Deny Access Targeted Users/Groups
Execute Encrypted data stored in the TKS. Allow TKS Agents

D.6.2. certServer.tks.group

Controls access to the internal database for adding users and groups for the TKS instance.
allow (modify,read) group="Administrators"
Table D.68. certServer.tks.group ACL Summary
Operations Description Allow/Deny Access Targeted Users/Groups
modify Create, edit, or delete user and group entries for the instance. Allow Administrators
read View user and group entries for the instance. Allow Administrators

D.6.3. certServer.tks.importTransportCert

Controls who can import the transport certificate used by the TKS to deliver keys.
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.69. certServer.tks.importTransportCert ACL Summary
Operations Description Allow/Deny Access Targeted Users/Groups
modify Update the transport certificate. Allow Enterprise Administrators
read Import the transport certificate. Allow Enterprise Administrators

D.6.4. certServer.tks.keysetdata

Controls who can view information about key sets derived and stored by the TKS.
allow (execute) group="Token Key Service Manager Agents"
Table D.70. certServer.tks.keysetdata ACL Summary
Operations Description Allow/Deny Access Targeted Users/Groups
Execute Create diversified key set data. Allow TKS Agents

D.6.5. certServer.tks.registerUser

Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.71. certServer.tks.registerUser ACL Summary
Operations Description Allow/Deny Access Targeted Users/Groups
modify Register a new agent. Allow Enterprise Administrators
read Read existing agent information. Allow Enterprise Administrators

D.6.6. certServer.tks.sessionkey

Controls who can create the session keys used by the TKS instance to connections to the TPS.
allow (execute) group="Token Key Service Manager Agents"
Table D.72. certServer.tks.sessionkey ACL Summary
Operations Description Allow/Deny Access Targeted Users/Groups
Execute Create session keys generated by the TKS. Allow TKS Agents

D.6.7. certServer.tks.randomdata

Controls who can create random data.
allow (execute) group="Token Key Service Manager Agents"
Table D.73. certServer.tks.randomdata ACL Summary
Operations Description Allow/Deny Access Targeted Users/Groups
Execute Generate random data. Allow TKS Agents
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.