Appendix D. ACL reference
This section describes what each resource controls, lists the possible operations and the outcome of each, and gives the default ACIs for every ACL resource defined. Each subsystem contains only those ACLs that are relevant to that subsystem.
D.1. About ACL configuration files
Access control is the method to set rules on who can access part of a server and the operations that user can perform. The four subsystems which depend on the LDAP directory service and use a Java console - the CA, KRA, OCSP, and TKS - all implement LDAP-style access control to access their resources. These access control lists (ACL) are located in the /var/lib/pki/instance_name/conf/subsystem/acl.ldif file.
This section provides only a very brief overview of access control concepts. Access control is described in much more detail in the Managing Access Control chapter in the Red Hat Directory Server Administration Guide.
The Certificate System ACL files are LDIF files that are loaded by the internal database. The individual ACLs are defined as resourceACLS attributes which identify the area of the subsystem being protected and then a list of all of the specific access controls being set.
resourceACLS: class_name:all rights: allow|deny (rights) type=target description
Each rule which allows or denies access to a resource is called an access control instruction (ACI). (The sum of all of the ACIs for a resource is an access control list.) Before defining the actual ACI, the ACL attribute is first applied to a specific plugin class used by the Certificate System subsystem. This focuses each ACL to a specific function performed by the subsystem, providing both more security for the instance and better control over applying ACLs.
Example D.1. Default ACL to list certificate profiles
resourceACLS: certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles
Because each subsystem (CA, KRA, OCSP, and TKS) has different resources for its operations, each subsystem instance has its own acl.ldif file and its own defined ACLs.
Each ACI defines what access or behavior can be done (the right) and who the ACI applies to (the target). The basic format of an ACI is, then:
allow|deny (rights) user|group
Rights are types of operations that the ACI allows a user to perform. For LDAP ACIs, there is a relatively limited list of rights to directory entries, like search, read, write, and delete. The Certificate System uses additional rights that cover common PKI tasks, like revoke, submit, and assign.
If an operation is not explicitly allowed in an ACI, then it is implicitly denied. If an operation is explicitly denied in one ACI, then it trumps any ACI which explicitly allows it. Deny rules are always superior to allow rules to provide additional security.
Each ACI has to apply to specific users or groups. This is set using a couple of common conditions, usually user= or group=, though there are other options, like ipaddress=, which defines client-based access rather than entry-based access. If there is more than one condition, the conditions can be composed using the double pipe (||) operator, signifying logical disjunction ("or"), and the double ampersand (&&) operator, signifying logical conjunction ("and"). For example, group="group1" || "group2".
Each area of the resourceACLS attribute value is defined in the table below.
Value | Description |
---|---|
class_name | The plugin class to which the ACI is applied. |
all operations | The list of every operation covered in the ACI definition. There can be multiple operations in a single ACI and multiple ACIs in a single |
allow\|deny | Whether the action is being allowed for the target user or group or denied to the target user or group. |
(operations) | The operations being allowed or denied. |
type=target | The target to identify who this applies to. This is commonly a user (such as |
description | A description of what the ACL is doing. |
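The following Python script is an added example, not part of this appendix or of the Certificate System code base. It parses resourceACLS values in the form shown above and evaluates them with the semantics the text describes: an explicit deny trumps any allow, an operation with no matching allow is implicitly denied, user="anybody" matches every client, || and && compose conditions, and ipaddress= is treated as a regular expression matched against the client address. The sample acl.ldif content is constructed here (three entries follow defaults quoted in this appendix, with the fileName allow list shortened; certServer.example.conflict is invented so that an allow and a deny both match the same principal), and the assumption that && binds tighter than || and that a bare quoted value reuses the preceding condition's key is the example's own.

```python
"""Parse Certificate System resourceACLS entries and evaluate them with deny-overrides semantics.
Added example; not code from Certificate System."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed acl.ldif sample. The first three entries follow defaults quoted in this appendix
# (the fileName allow list is shortened); certServer.example.conflict is invented here so that
# an allow and a deny both match the same principal.
SAMPLE_ACL_LDIF = """\
resourceACLS: certServer.ca.profiles:list:allow (list) group="Certificate Manager Agents":Certificate Manager agents may list profiles
resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors";deny (modify) user=anybody:Nobody may change the log file name
resourceACLS: certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any client address may submit OCSP requests
resourceACLS: certServer.example.conflict:read,modify:allow (read,modify) group="Administrators" && ipaddress="10\\.0\\..*";deny (modify) user=anybody:Constructed entry, not a product default
"""

@dataclass(frozen=True)
class Principal:
    uid: Optional[str]                      # None models an unauthenticated end-entity client
    groups: frozenset = frozenset()
    ip: str = "127.0.0.1"

@dataclass
class ACI:
    effect: str                             # "allow" or "deny"
    operations: frozenset
    expression: list                        # OR-list of AND-lists of (key, value) conditions

@dataclass
class ResourceACL:
    class_name: str
    operations: frozenset
    acis: list
    description: str

# One condition: optional key, then a quoted value (may contain spaces) or a bare token.
_COND = re.compile(r'^(?:(user|group|ipaddress)=)?(?:"([^"]*)"|([^\s"]+))$')
_ACI = re.compile(r"^(allow|deny)\s*\(([^)]*)\)\s*(.*)$")

def parse_expression(text: str) -> list:
    """'||' separates alternatives, '&&' joins conditions (assumed to bind tighter).
    A bare quoted value, as in group="group1" || "group2", reuses the previous key (assumption)."""
    alternatives, last_key = [], None
    for or_term in text.split("||"):
        conditions = []
        for and_term in or_term.split("&&"):
            m = _COND.match(and_term.strip())
            if not m:
                raise ValueError(f"unparseable condition: {and_term!r}")
            key = m.group(1) or last_key
            if key is None:
                raise ValueError(f"condition without a key: {and_term!r}")
            value = m.group(2) if m.group(2) is not None else m.group(3)
            conditions.append((key, value))
            last_key = key
        alternatives.append(conditions)
    return alternatives

def parse_aci(text: str) -> ACI:
    m = _ACI.match(text.strip())
    if not m:
        raise ValueError(f"unparseable ACI: {text!r}")
    ops = frozenset(op.strip() for op in m.group(2).split(",") if op.strip())
    return ACI(m.group(1), ops, parse_expression(m.group(3)))

def parse_acl_ldif(text: str) -> dict:
    """Map class name -> ResourceACL. Assumes one resourceACLS value per line (no LDIF folding)."""
    resources = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("resourceACLS:"):
            continue
        parts = line[len("resourceACLS:"):].strip().split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"malformed resourceACLS value: {line!r}")
        class_name, all_ops, aci_text = parts[:3]
        description = parts[3] if len(parts) == 4 else ""
        acis = [parse_aci(a) for a in aci_text.split(";") if a.strip()]
        ops = frozenset(op.strip() for op in all_ops.split(",") if op.strip())
        resources[class_name] = ResourceACL(class_name, ops, acis, description)
    return resources

def _condition_holds(key: str, value: str, who: Principal) -> bool:
    if key == "user":                       # user="anybody" matches every client, authenticated or not
        return value == "anybody" or who.uid == value
    if key == "group":
        return value in who.groups
    return re.fullmatch(value, who.ip) is not None   # ipaddress= is a regular expression

def _expression_holds(expression: list, who: Principal) -> bool:
    return any(all(_condition_holds(k, v, who) for k, v in alt) for alt in expression)

def is_allowed(resource: ResourceACL, operation: str, who: Principal) -> bool:
    """Deny-overrides evaluation of one operation for one principal."""
    matching = [a for a in resource.acis
                if operation in a.operations and _expression_holds(a.expression, who)]
    if any(a.effect == "deny" for a in matching):
        return False                        # an explicit deny trumps any allow
    return any(a.effect == "allow" for a in matching)   # no allow at all: implicit deny

def permitted_operations(resource: ResourceACL, who: Principal) -> frozenset:
    return frozenset(op for op in resource.operations if is_allowed(resource, op, who))

def open_to_anybody(resources: dict) -> dict:
    """Operations each resource grants to an unauthenticated client, for reviewing an acl.ldif."""
    anon = Principal(None, frozenset(), "203.0.113.9")   # constructed client address
    found = {name: permitted_operations(r, anon) for name, r in resources.items()}
    return {name: ops for name, ops in found.items() if ops}

if __name__ == "__main__":
    acls = parse_acl_ldif(SAMPLE_ACL_LDIF)
    admin = Principal("caadmin", frozenset({"Administrators"}), "10.0.0.5")
    for name, resource in acls.items():
        print(f"{name}: admin may {sorted(permitted_operations(resource, admin)) or 'do nothing'}")
    print("open to anybody:", open_to_anybody(acls))
```

Running the script shows the three outcomes the text distinguishes: the administrator can read but not modify certServer.example.conflict because the deny on modify wins over the allow, cannot list certServer.ca.profiles because no ACI allows it (implicit deny), and the only operation open to an unauthenticated client in the sample is the OCSP submit granted by ipaddress=".*". The open_to_anybody function is the check a reviewer would run over a real acl.ldif to see which operations are exposed without authentication.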
D.2. Common ACLs
This section covers the default access control configuration that is common for all four subsystem types. These access control rules manage access to basic and common configuration settings, such as logging and adding users and groups.
These ACLs are common in that the same ACLs occur in each subsystem instance's acl.ldif file. These are not shared ACLs in the sense that the configuration files or settings are held in common by all subsystem instances. As with all other instance configuration, these ACLs are maintained independently of other subsystem instances, in the instance-specific acl.ldif file.
D.2.1. certServer.acl.configuration
Controls operations to the ACL configuration. The default configuration is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View ACL resources and list ACL resources, ACL listing evaluators, and ACL evaluator types. | Allow | Administrators, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents, Auditors |
modify | Add, delete, and update ACL evaluators. | Allow | Administrators |
D.2.2. certServer.admin.certificate
Controls which users can import a certificate through a Certificate Manager. By default, this operation is allowed to everyone. The default configuration is:
allow (import) user="anybody"
This entry is associated with the CA administration web interface which is used to configure the instance. This ACL is only available during instance configuration and is unavailable after the CA is running.
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
import | Import a CA administrator certificate, and retrieve certificates by serial number. | Allow | Anyone |
D.2.3. certServer.auth.configuration
Controls operations on the authentication configuration.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View authentication plugins, authentication type, configured authentication manager plugins, and authentication instances. List authentication manager plugins and authentication manager instances. | Allow | Administrators, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents, Auditors |
modify | Add or delete authentication plugins and authentication instances. Modify authentication instances. | Allow | Administrators |
D.2.4. certServer.clone.configuration
Controls who can read and modify the configuration information used in cloning. The default setting is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View original instance configuration. | Allow | Enterprise Administrators |
modify | Modify original instance configuration. | Allow | Enterprise Administrators |
D.2.5. certServer.general.configuration
Controls access to the general configuration of the subsystem instance, including who can view and edit the CA’s settings.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the operating environment, LDAP configuration, SMTP configuration, server statistics, encryption, token names, subject name of certificates, certificate nicknames, all subsystems loaded by the server, CA certificates, and all certificates for management. | Allow | Administrators, Auditors, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents |
modify | Modify the settings for the LDAP database, SMTP, and encryption. Issue import certificates, install certificates, trust and untrust CA certificates, import cross-pair certificates, and delete certificates. Perform server restart and stop operations. Log in all tokens and check token status. Run self-tests on demand. Get certificate information. Process the certificate subject name. Validate the certificate subject name, certificate key length, and certificate extension. | Allow | Administrators |
D.2.6. certServer.log.configuration
Controls access to the log configuration for the Certificate Manager, including changing the log settings.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View log plugin information, log plugin configuration, and log instance configuration. List log plugins and log instances (excluding NTEventLog). | Allow | Administrators, Auditors, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents |
modify | Add and delete log plugins and log instances. Modify log instances, including log rollover parameters and log level. | Allow | Administrators |
D.2.7. certServer.log.configuration.fileName
Restricts access to change the file name of a log for the instance.
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the value of the | Allow | Administrators, Auditors, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents |
modify | Change the value of the | Deny | Anyone |
D.2.8. certServer.log.content.signedAudit
Controls who has access to the signed audit logs. The default setting is:
allow (read) group="Auditors"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View log content. List logs. | Allow | Auditors |
D.2.9. certServer.registry.configuration
Controls access to the administration registry, the file that is used to register plugin modules. Currently, this is only used to register certificate profile plugins.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the administration registry, supported policy constraints, profile plugin configuration, and the list of profile plugins. | Allow | Administrators, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents, Auditors |
modify | Register individual profile implementation plugins. | Allow | Administrators |
D.3. Certificate manager-specific ACLs
This section covers the default access control configuration attributes which are set specifically for the Certificate Manager. The CA ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for each of the CA’s interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading certificates.
D.3.1. certServer.admin.ocsp
Limits access to the Certificate Manager’s OCSP configuration to members of the enterprise OCSP administrators group.
allow (modify,read) group="Enterprise OCSP Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. | Allow | Enterprise OCSP Administrators |
read | Read the OCSP configuration. | Allow | Enterprise OCSP Administrators |
D.3.2. certServer.ca.certificate
Controls basic management operations for certificates in the agents services interface, including importing and revoking certificates. The default configuration is:
allow (import,unrevoke,revoke,read) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
import | Retrieve a certificate by serial number. | Allow | Certificate Manager Agents |
unrevoke | Change the status of a certificate from revoked. | Allow | Certificate Manager Agents |
revoke | Change the status of a certificate to revoked. | Allow | Certificate Manager Agents |
read | Retrieve certificates based on the request ID, and display certificate details based on the request ID or serial number. | Allow | Certificate Manager Agents |
D.3.3. certServer.ca.certificates
Controls operations for listing or revoking certificates through the agent services interface. The default configuration is:
allow (revoke,list) group="Certificate Manager Agents" || group="Registration Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
revoke | Revoke certificates, or approve certificate revocation requests. Revoke a certificate from the TPS. Prompt users for additional data about a revocation request. | Allow | Certificate Manager Agents, Registration Manager Agents |
list | List certificates based on a search. Retrieve details about a range of certificates based on a range of serial numbers. | Allow | Certificate Manager Agents, Registration Manager Agents |
D.3.4. certServer.ca.configuration
Controls operations on the general configuration for a Certificate Manager. The default configuration is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View CRL plugin information, general CA configuration, CA connector configuration, CRL issuing points configuration, CRL profile configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. List CRL extensions configuration and CRL issuing points configuration. | Allow |
|
modify | Add and delete CRL issuing points. Modify general CA settings, CA connector configuration, CRL issuing points configuration, CRL configuration, request notification configuration, revocation notification configuration, request in queue notification configuration, and CRL extensions configuration. | Allow | Administrators |
D.3.5. certServer.ca.connector
Controls operations to submit requests over a special connector to the CA. The default configuration is:
allow (submit) group="Trusted Managers"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit requests from remote trusted managers. | Allow | Trusted Managers |
D.3.6. certServer.ca.connectorInfo
Controls access to the connector information to manage trusted relationships between a CA and KRA. These trust relationships are special configurations which allow a CA and KRA to automatically connect to perform key archival and recovery operations. These trust relationships are configured through special connector plugins.
allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Read connector plugin settings. | Allow | Enterprise KRA Administrators |
modify | Modify connector plugin settings. | Allow | Enterprise KRA Administrators, Subsystem Group |
D.3.7. certServer.ca.crl
Controls access to read or update CRLs through the agent services interface. The default setting is:
allow (read,update) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Display CRLs and get detailed information about CA CRL processing. | Allow | Certificate Manager Agents |
update | Update CRLs. | Allow | Certificate Manager Agents |
D.3.8. certServer.ca.directory
Controls access to the LDAP directory used for publishing certificates and CRLs.
allow (update) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
update | Publish CA certificates, CRLs, and user certificates to the LDAP directory. | Allow | Certificate Manager Agents |
D.3.9. certServer.ca.group
Controls access to the internal database for adding users and groups for the Certificate Manager instance.
allow (modify,read) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit, or delete user and group entries for the instance. Add or modify a user certificate within attributes. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.3.10. certServer.ca.ocsp
Controls the ability to access and read OCSP information, such as usage statistics, through the agent services interface.
allow (read) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve OCSP usage statistics. | Allow | Certificate Manager Agents |
D.3.11. certServer.ca.profile
Controls access to certificate profile configuration in the agent services pages.
allow (read,approve) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the details of the certificate profiles. | Allow | Certificate Manager Agents |
approve | Approve and enable certificate profiles. | Allow | Certificate Manager Agents |
D.3.12. certServer.ca.profiles
Controls access to list certificate profiles in the agent services interface.
allow (list) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | List certificate profiles. | Allow | Certificate Manager Agents |
D.3.13. certServer.ca.registerUser
Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Register a new agent. | Allow | Enterprise Administrators |
read | Read existing agent information. | Allow | Enterprise Administrators |
D.3.14. certServer.ca.request.enrollment
Controls how enrollment requests are handled and assigned. The default setting is:
allow (submit) user="anybody";allow (read,execute,assign,unassign) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View an enrollment request. | Allow | Certificate Manager Agents |
execute | Modify the approval state of a request. | Allow | Certificate Manager Agents |
submit | Submit a request. | Allow | Anybody |
assign | Assign a request to a Certificate Manager agent. | Allow | Certificate Manager Agents |
unassign | Change the assignment of a request. | Allow | Certificate Manager Agents |
D.3.15. certServer.ca.request.profile
Controls the handling of certificate profile-based requests. The default setting is:
allow (approve,read) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
approve | Modify the approval state of a certificate profile-based certificate request. | Allow | Certificate Manager Agents |
read | View a certificate profile-based certificate request. | Allow | Certificate Manager Agents |
D.3.16. certServer.ca.requests
Controls who can list certificate requests in the agents services interface.
allow (list) group="Certificate Manager Agents" || group="Registration Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Retrieve details on a range of requests, and search for certificates using a complex filter. | Allow | Certificate Manager Agents, Registration Manager Agents |
D.3.17. certServer.ca.systemstatus
Controls who can view the statistics for the Certificate Manager instance.
allow (read) group="Certificate Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View statistics. | Allow | Certificate Manager Agents |
D.3.18. certServer.ee.certchain
Controls who can access the CA certificate chain in the end-entities page.
allow (download,read) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
download | Download the CA’s certificate chain. | Allow | Anyone |
read | View the CA’s certificate chain. | Allow | Anyone |
D.3.19. certServer.ee.certificate
Controls who can access certificates, for most operations like importing or revoking certificates, through the end-entities page.
allow (renew,revoke,read,import) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
renew | Submit a request to renew an existing certificate. | Allow | Anyone |
revoke | Submit a revocation request for a user certificate. | Allow | Anyone |
read | Retrieve and view certificates based on the certificate serial number or request ID. | Allow | Anyone |
import | Import a certificate based on serial number. | Allow | Anyone |
D.3.20. certServer.ee.certificates
Controls who can list revoked certificates or submit a revocation request in the end-entities page.
allow (revoke,list) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
revoke | Submit a list of certificates to revoke. | Allow | Subject of Certificate to be Revoked must match Certificate presented to authenticate to the CA. |
list | Search for certificates matching specified criteria. | Allow | Anyone |
D.3.21. certServer.ee.crl
Controls access to CRLs through the end-entities page.
allow (read,add) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve and view the certificate revocation list. | Allow | Anyone |
add | Add CRLs to the OCSP server. | Allow | Anyone |
D.3.22. certServer.ee.profile
Controls some access to certificate profiles in the end-entities page, including who can view details about a profile or submit a request through the profile.
allow (submit,read) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit a certificate request through a certificate profile. | Allow | Anyone |
read | Display details of a certificate profile. | Allow | Anyone |
D.3.23. certServer.ee.profiles
Controls who can list active certificate profiles in the end-entities page.
allow (list) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | List certificate profiles. | Allow | Anyone |
D.3.24. certServer.ee.request.ocsp
Controls access, based on IP address, on which clients submit OCSP requests.
allow (submit) ipaddress=".*"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit OCSP requests. | Allow | All IP addresses |
D.3.25. certServer.ee.request.revocation
Controls what users can submit certificate revocation requests in the end-entities page.
allow (submit) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit a request to revoke a certificate. | Allow | Anyone |
D.3.26. certServer.ee.requestStatus
Controls who can view the status for a certificate request in the end-entities page.
allow (read) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve the status of a request and serial numbers of any certificates that have been issued against that request. | Allow | Anyone |
D.3.27. certServer.job.configuration
Controls who can configure jobs for the Certificate Manager.
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View basic job settings, job instance settings, and job plugin settings. List job plugins and job instances. | Allow | Administrators, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents, Auditors |
modify | Add and delete job plugins and job instances. Modify job plugins and job instances. | Allow | Administrators |
D.3.28. certServer.profile.configuration
Controls access to the certificate profile configuration. The default setting is:
allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View certificate profile defaults and constraints, input, output, input configuration, output configuration, default configuration, policy constraints configuration, and certificate profile instance configuration. List certificate profile plugins and certificate profile instances. | Allow | Administrators, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents, Auditors |
modify | Add, modify, and delete certificate profile defaults and constraints, input, output, and certificate profile instances. Add and modify default policy constraints configuration. | Allow | Administrators |
D.3.29. certServer.publisher.configuration
Controls who can view and edit the publishing configuration for the Certificate Manager. The default configuration is:
allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Key Recovery Authority Agents" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View LDAP server destination information, publisher plugin configuration, publisher instance configuration, mapper plugin configuration, mapper instance configuration, rules plugin configuration, and rules instance configuration. List publisher plugins and instances, rules plugins and instances, and mapper plugins and instances. | Allow | Administrators, Auditors, Certificate Manager Agents, Registration Manager Agents, Key Recovery Authority Agents, Online Certificate Status Manager Agents |
modify | Add and delete publisher plugins, publisher instances, mapper plugins, mapper instances, rules plugins, and rules instances. Modify publisher instances, mapper instances, rules instances, and LDAP server destination information. | Allow | Administrators |
D.3.30. certServer.securitydomain.domainxml
Controls access to the security domain information maintained in a registry by the domain host Certificate Manager. The security domain configuration is directly accessed and modified by subsystem instances during configuration, so appropriate access must always be allowed to subsystems, or configuration could fail.
allow (read) user="anybody";allow (modify) group="Subsystem Group"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the security domain configuration. | Allow | Anybody |
modify | Modify the security domain configuration by changing instance information and adding and removing instances. | Allow | Subsystem Group |
D.4. Key Recovery Authority-specific ACLs
This section covers the default access control configuration which applies specifically to the KRA. The KRA ACL configuration also includes all of the common ACLs listed in Section D.2, "Common ACLs".
There are access control rules set for each of the KRA’s interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading keys.
D.4.1. certServer.job.configuration
Controls who can configure jobs for the KRA.
allow (read) group="Administrators" || group="Key Recovery Authority Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View basic job settings, job instance settings, and job plugin settings. List job plugins and job instances. | Allow | Administrators, Key Recovery Authority Agents, Auditors |
modify | Add and delete job plugins and job instances. Modify job plugins and job instances. | Allow | Administrators |
D.4.2. certServer.kra.certificate.transport
Controls who can view the transport certificate for the KRA.
allow (read) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the transport certificate for the KRA instance. | Allow | Anyone |
D.4.3. certServer.kra.configuration
Controls who can configure and manage the setup for the KRA.
allow (read) group="Administrators" || group="Auditors" || group="Key Recovery Authority Agents";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Read the number of required recovery agent approvals. | Allow | Administrators, Auditors, Key Recovery Authority Agents |
modify | Change the number of required recovery agent approvals. | Allow | Administrators |
D.4.4. certServer.kra.connector
Controls what entities can submit requests over a special connector configured on the CA to connect to the KRA. The default configuration is:
allow (submit) group="Trusted Managers"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit a new key archival request (for non-TMS only). | Allow | Trusted Managers |
D.4.5. certServer.kra.GenerateKeyPair
Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (execute) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
execute | Execute server-side key generation (TMS only). | Allow | KRA Agents |
D.4.6. certServer.kra.getTransportCert
Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (download) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
download | Retrieve KRA transport certificate. | Allow | Enterprise Administrators |
D.4.7. certServer.kra.group
Controls access to the internal database for adding users and groups for the KRA instance.
allow (modify,read) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit, or delete user and group entries for the instance. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.4.8. certServer.kra.key
Controls who can access key information through viewing, recovering, or downloading keys. The default configuration is:
allow (read,recover,download) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Display public information about key archival record. | Allow | KRA Agents |
recover | Retrieve key information from the database to perform a recovery operation. | Allow | KRA Agents |
download | Download key information through the agent services pages. | Allow | KRA Agents |
D.4.9. certServer.kra.keys
Controls who can list archived keys through the agent services pages.
allow (list) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Search for and list a range of archived keys. | Allow | KRA Agents |
D.4.10. certServer.kra.registerUser
Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Register a new user. | Allow | Enterprise Administrators |
read | Read existing user info. | Allow | Enterprise Administrators |
D.4.11. certServer.kra.request
Controls who can view key archival and recovery requests in the agents services interface.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View a key archival or recovery request. | Allow | KRA Agents |
D.4.12. certServer.kra.request.status
Controls who can view the status for a key recovery request in the end-entities page.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve the status of a key recovery request in the agents services pages. | Allow | KRA Agents |
D.4.13. certServer.kra.requests
Controls who can list key archival and recovery requests in the agents services interface.
allow (list) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Retrieve details on a range of key archival and recovery requests. | Allow | KRA Agents |
D.4.14. certServer.kra.systemstatus
Controls who can view the statistics for the KRA instance.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View statistics. | Allow | KRA Agents |
D.4.15. certServer.kra.TokenKeyRecovery
Controls who can submit key recovery requests for a token to the KRA. This is a common request for replacing a lost token. The default configuration is:
allow (submit) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit or initiate key recovery requests for a token recovery. | Allow | KRA Agents |
D.5. Online Certificate Status Manager-specific ACLs
This section covers the default access control configuration attributes which are set specifically for the Online Certificate Status Manager. The OCSP responder’s ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for each of the OCSP’s interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading CRLs.
D.5.1. certServer.ee.crl
Controls access to CRLs through the end-entities page.
allow (read) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve and view the certificate revocation list. | Allow | Anyone |
D.5.2. certServer.ee.request.ocsp
Controls, based on client IP address, which clients can submit OCSP requests.
allow (submit) ipaddress=".*"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit OCSP requests. | Allow | All IP addresses |
D.5.3. certServer.ocsp.ca
Controls who can instruct the OCSP responder. The default setting is:
allow (add) group="Online Certificate Status Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
Add | Instruct the OCSP responder to respond to OCSP requests for a new CA. | Allow | OCSP Manager Agents |
D.5.4. certServer.ocsp.cas
Controls who can list, in the agent services interface, all of the Certificate Managers which publish CRLs to the Online Certificate Status Manager. The default setting is:
allow (list) group="Online Certificate Status Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Lists all of the Certificate Managers which publish CRLs to the OCSP responder. | Allow | Agents |
D.5.5. certServer.ocsp.certificate
Controls who can validate the status of a certificate. The default setting is:
allow (validate) group="Online Certificate Status Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
validate | Verifies the status of a specified certificate. | Allow | OCSP Agents |
D.5.6. certServer.ocsp.configuration
Controls who can access, view, or modify the configuration for the Certificate Manager’s OCSP services. The default configuration is:
allow (read) group="Administrators" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View OCSP plugin information, OCSP configuration, and OCSP stores configuration. List OCSP stores configuration. | Allow | Administrators, OCSP Agents, and Auditors |
modify | Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. | Allow | Administrators |
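The ACI strings quoted throughout this appendix follow one small grammar: one or more `allow`/`deny` rules separated by `;`, each naming its rights in parentheses and then one or more `attribute="value"` conditions joined by `||`. The following is an added example, not code from Certificate System, that parses that grammar and answers "which rights does this caller hold under this ACL?" for a few of the default ACIs listed here (D.4.6, D.5.2, D.5.6 and D.6.1). The principals (`AUDITOR`, `ADMIN`, `KRA_AGENT`) and the IP address are constructed; the evaluation rule (a right is granted when a matching `allow` names it and no matching `deny` names it) and the handling of `user="anybody"` and `ipaddress` as a regular expression are this example's assumptions, not a statement of how the product evaluates its ACLs.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Constructed caller identity used to evaluate an ACI (not a real account)."""
    user: str
    groups: frozenset
    ipaddress: str = "192.0.2.10"   # constructed documentation address


@dataclass(frozen=True)
class Rule:
    effect: str            # "allow" or "deny"
    rights: frozenset      # operations named inside the parentheses
    conditions: tuple      # (attribute, value) pairs joined by "||"; any one may match


RULE_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.+)$')
COND_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_aci(aci):
    """Split an ACI string into Rule objects.

    Rules are separated by ';'. Each rule reads
    '<allow|deny> (<right>,<right>,...) <attr>="<value>" || <attr>="<value>" ...'.
    Only '||' is accepted between conditions; anything else raises instead of
    being silently misread as a permission.
    """
    rules = []
    for chunk in aci.split(';'):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = RULE_RE.match(chunk)
        if not m:
            raise ValueError(f"unparseable ACI rule: {chunk!r}")
        effect, rights_text, cond_text = m.groups()
        rights = frozenset(r.strip() for r in rights_text.split(',') if r.strip())
        conditions = []
        for part in cond_text.split('||'):
            cm = COND_RE.match(part.strip())
            if not cm:
                raise ValueError(f"unparseable condition: {part.strip()!r}")
            conditions.append((cm.group(1), cm.group(2)))
        rules.append(Rule(effect, rights, tuple(conditions)))
    return rules


def condition_matches(attr, value, principal):
    """Evaluate a single attribute="value" condition against the caller."""
    if attr == "group":
        return value in principal.groups
    if attr == "user":
        # assumption: "anybody" matches every caller, otherwise exact user match
        return value == "anybody" or value == principal.user
    if attr == "ipaddress":
        # the value is a regular expression, as in ipaddress=".*"
        return re.fullmatch(value, principal.ipaddress) is not None
    raise ValueError(f"unsupported ACI attribute: {attr!r}")


def is_allowed(aci, right, principal):
    """Decide whether `principal` holds `right` under `aci`.

    Assumption of this example: a right is granted when some matching allow
    rule names it and no matching deny rule names it (deny takes precedence).
    """
    granted = False
    for rule in parse_aci(aci):
        if right not in rule.rights:
            continue
        if any(condition_matches(a, v, principal) for a, v in rule.conditions):
            if rule.effect == "deny":
                return False
            granted = True
    return granted


def rights_for(aci, principal):
    """Return the set of rights the ACI grants to `principal`."""
    all_rights = set().union(*(r.rights for r in parse_aci(aci)))
    return {r for r in all_rights if is_allowed(aci, r, principal)}


# Default ACIs copied from this appendix (D.5.6, D.5.2, D.4.6, D.6.1).
OCSP_CONFIGURATION = ('allow (read) group="Administrators" || '
                      'group="Online Certificate Status Manager Agents" || group="Auditors";'
                      'allow (modify) group="Administrators"')
OCSP_REQUEST = 'allow (submit) ipaddress=".*"'
KRA_GET_TRANSPORT_CERT = ('allow (download) group="Enterprise CA Administrators" || '
                          'group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || '
                          'group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"')
TKS_ENCRYPTED_DATA = 'allow(execute) group="Token Key Service Manager Agents"'

# Constructed principals for the walk-through.
AUDITOR = Principal("audit1", frozenset({"Auditors"}))
ADMIN = Principal("admin1", frozenset({"Administrators"}))
KRA_AGENT = Principal("kraagent1", frozenset({"Key Recovery Authority Agents"}))

if __name__ == "__main__":
    for label, aci in [("ocsp.configuration", OCSP_CONFIGURATION),
                       ("ee.request.ocsp", OCSP_REQUEST),
                       ("kra.getTransportCert", KRA_GET_TRANSPORT_CERT),
                       ("tks.encrypteddata", TKS_ENCRYPTED_DATA)]:
        for p in (AUDITOR, ADMIN, KRA_AGENT):
            print(f"{label:22} {p.user:10} -> {sorted(rights_for(aci, p))}")
```

Running the script prints, per ACL, the rights each constructed caller would hold; the useful review habit is to run every `resourceACLS` value of an instance through such a check for the groups you actually populate, so that an over-broad `||` list (or a stray `user="anybody"`) is noticed before it reaches production.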
D.5.7. certServer.ocsp.crl
Controls access to read or update CRLs through the agent services interface. The default setting is:
allow (add) group="Online Certificate Status Manager Agents" || group="Trusted Managers"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
add | Add new CRLs to those managed by the OCSP responder. | Allow | OCSP Agents and Trusted Managers |
D.5.8. certServer.ocsp.group
Controls access to the internal database for adding users and groups for the Online Certificate Status Manager instance.
allow (modify,read) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit, or delete user and group entries for the instance. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.5.9. certServer.ocsp.info
Controls who can read information about the OCSP responder.
allow (read) group="Online Certificate Status Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View OCSP responder information. | Allow | OCSP Agents |
D.6. Token Key Service-specific ACLs
This section covers the default access control configuration attributes which are set specifically for the Token Key Service (TKS). The TKS ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for the TKS’s administrative console and for access by other subsystems to the TKS.
D.6.1. certServer.tks.encrypteddata
Controls who can encrypt data.
allow (execute) group="Token Key Service Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
Execute | Encrypt data stored in the TKS. | Allow | TKS Agents |
D.6.2. certServer.tks.group
Controls access to the internal database for adding users and groups for the TKS instance.
allow (modify,read) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit, or delete user and group entries for the instance. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.6.3. certServer.tks.importTransportCert
Controls who can import the transport certificate used by the TKS to deliver keys.
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Update the transport certificate. | Allow | Enterprise Administrators |
read | Import the transport certificate. | Allow | Enterprise Administrators |
D.6.4. certServer.tks.keysetdata
Controls who can view information about key sets derived and stored by the TKS.
allow (execute) group="Token Key Service Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
Execute | Create diversified key set data. | Allow | TKS Agents |
D.6.5. certServer.tks.registerUser
Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Register a new agent. | Allow | Enterprise Administrators |
read | Read existing agent information. | Allow | Enterprise Administrators |
D.6.6. certServer.tks.sessionkey
Controls who can create the session keys that the TKS instance uses for its connections to the TPS.
allow (execute) group="Token Key Service Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
Execute | Create session keys generated by the TKS. | Allow | TKS Agents |
D.6.7. certServer.tks.randomdata
Controls who can create random data.
allow (execute) group="Token Key Service Manager Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
Execute | Generate random data. | Allow | TKS Agents |