D.5. Online Certificate Status Manager-Specific ACLs
This section covers the default access control configuration attributes which are set specifically for the Online Certificate Status Manager. The OCSP responder's ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
Access control rules are set for each of the OCSP responder's interfaces (the administrative console, the agent services pages, and the end-entities services pages) and for common operations such as listing and downloading CRLs.
D.5.1. certServer.ee.crl
Controls access to CRLs through the end-entities page.
allow (read) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve and view the certificate revocation list. | Allow | Anyone |
D.5.2. certServer.ee.request.ocsp
Controls, based on client IP address, which clients can submit OCSP requests. The default setting is:
allow (submit) ipaddress=".*"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit OCSP requests. | Allow | All IP addresses |
D.5.3. certServer.ocsp.ca
Controls who can add a new CA to the OCSP responder, instructing it to answer OCSP requests for certificates issued by that CA. The default setting is:
allow (add) group="Online Certificate Status Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
add | Instruct the OCSP responder to respond to OCSP requests for a new CA. | Allow | OCSP Agents |
D.5.4. certServer.ocsp.cas
Controls who can list, in the agent services interface, all of the Certificate Managers which publish CRLs to the Online Certificate Status Manager. The default setting is:
allow (list) group="Online Certificate Status Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | List all of the Certificate Managers which publish CRLs to the OCSP responder. | Allow | OCSP Agents |
D.5.5. certServer.ocsp.certificate
Controls who can validate the status of a certificate. The default setting is:
allow (validate) group="Online Certificate Status Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
validate | Verifies the status of a specified certificate. | Allow | OCSP Agents |
D.5.6. certServer.ocsp.configuration
Controls who can view or modify the configuration of the Online Certificate Status Manager's OCSP services. The default configuration is:
allow (read) group="Administrators" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View OCSP plug-in information, OCSP configuration, and OCSP stores configuration. List OCSP stores configuration. | Allow | Administrators, OCSP Agents, Auditors |
modify | Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. | Allow | Administrators |
D.5.7. certServer.ocsp.crl
Controls who can add CRLs to the OCSP responder through the agent services interface. The default setting grants only the add operation:
allow (add) group="Online Certificate Status Manager Agents" || group="Trusted Managers"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
add | Add new CRLs to those managed by the OCSP responder. | Allow | OCSP Agents, Trusted Managers |
D.5.8. certServer.ocsp.group
Controls access to the internal database for adding users and groups for the Online Certificate Status Manager instance. The default setting is:
allow (modify,read) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit or delete user and group entries for the instance. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.5.9. certServer.ocsp.info
Controls who can read information about the OCSP responder. The default setting is:
allow (read) group="Online Certificate Status Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View OCSP responder information. | Allow | OCSP Agents |
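The following is an added example, not code from Red Hat Certificate System itself, that evaluates the default ACL strings quoted in D.5.1 through D.5.9 for a given user, set of groups and client address. It handles only the syntax that appears in this section (allow or deny rules separated by ";", a comma-separated operation list in parentheses, and "||" disjunctions of user=, group= and ipaddress= tests); the product's real grammar is richer. Two behaviours are assumptions made for the illustration and are marked in the code: that the ipaddress value is matched as a regular expression, and that a matching deny rule overrides any allow rule. Use it to check, before changing an ACL, which principals would gain or lose an operation.

```python
import re
from dataclasses import dataclass

# Default ACL entries copied from this section, keyed by resource name.
DEFAULT_ACLS = {
    "certServer.ee.crl": 'allow (read) user="anybody"',
    "certServer.ee.request.ocsp": 'allow (submit) ipaddress=".*"',
    "certServer.ocsp.ca": 'allow (add) group="Online Certificate Status Manager Agents"',
    "certServer.ocsp.cas": 'allow (list) group="Online Certificate Status Manager Agents"',
    "certServer.ocsp.certificate": 'allow (validate) group="Online Certificate Status Manager Agents"',
    "certServer.ocsp.configuration": (
        'allow (read) group="Administrators" || group="Online Certificate Status Manager Agents" '
        '|| group="Auditors";allow (modify) group="Administrators"'
    ),
    "certServer.ocsp.crl": 'allow (add) group="Online Certificate Status Manager Agents" || group="Trusted Managers"',
    "certServer.ocsp.group": 'allow (modify,read) group="Administrators"',
    "certServer.ocsp.info": 'allow (read) group="Online Certificate Status Manager Agents"',
}

@dataclass(frozen=True)
class Principal:
    """The caller being authorised: uid, group memberships and client address."""
    uid: str
    groups: frozenset = frozenset()
    ipaddress: str = ""

RULE_RE = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*$')
ATTR_RE = re.compile(r'^(user|group|ipaddress)\s*=\s*"([^"]*)"$')

def parse_acl(acl: str):
    """Split an ACL string into (effect, operations, [(attr, value), ...]) tuples."""
    rules = []
    for raw in acl.split(";"):
        if not raw.strip():
            continue
        m = RULE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        effect, ops, expr = m.groups()
        ops = frozenset(op.strip() for op in ops.split(","))
        # Only '||' disjunctions of attribute tests are supported here, which is
        # all this section uses; '&&' and parentheses are deliberately rejected.
        terms = []
        for term in expr.split("||"):
            am = ATTR_RE.match(term.strip())
            if not am:
                raise ValueError(f"unsupported expression term: {term!r}")
            terms.append(am.groups())
        rules.append((effect, ops, terms))
    return rules

def term_matches(attr: str, value: str, p: Principal) -> bool:
    if attr == "user":
        return value == "anybody" or value == p.uid
    if attr == "group":
        return value in p.groups
    if attr == "ipaddress":
        # Assumption: the ipaddress value is a regular expression, so ".*"
        # matches every client and "10\.0\.0\..*" restricts to one /24.
        return re.fullmatch(value, p.ipaddress) is not None
    return False

def is_allowed(acl: str, op: str, p: Principal) -> bool:
    """True if p may perform op. Assumption: a matching deny rule wins over
    any allow rule; if no rule matches, the operation is denied."""
    allowed = False
    for effect, ops, terms in parse_acl(acl):
        if op not in ops:
            continue
        if any(term_matches(a, v, p) for a, v in terms):
            if effect == "deny":
                return False
            allowed = True
    return allowed

def audit_defaults(p: Principal) -> dict:
    """Map every resource in this section to the sorted operations p may perform."""
    result = {}
    for resource, acl in DEFAULT_ACLS.items():
        ops = {op for _, opset, _ in parse_acl(acl) for op in opset}
        result[resource] = sorted(op for op in ops if is_allowed(acl, op, p))
    return result

if __name__ == "__main__":
    # Constructed sample principal: a Trusted Manager (typically a CA publishing CRLs).
    ca = Principal("ca1", frozenset({"Trusted Managers"}), "10.0.0.2")
    for resource, ops in audit_defaults(ca).items():
        print(f"{resource}: {ops or 'no access'}")
```

The audit for a Trusted Manager shows the least-privilege shape of the defaults: it can add CRLs (certServer.ocsp.crl) but cannot register a new CA, list CAs or read the configuration, all of which stay with OCSP Agents or Administrators. Replacing the ".*" in certServer.ee.request.ocsp with an anchored address pattern is the usual hardening step when the responder should serve only an internal network; the evaluator lets that change be checked against real client addresses before it is deployed.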