D.4. Key Recovery Authority-Specific ACLs
This section covers the default access control configuration that applies specifically to the KRA. The KRA ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for each of the KRA's interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading keys.
D.4.1. certServer.job.configuration
Controls who can configure jobs for the KRA.
allow (read) group="Administrators" || group="Key Recovery Authority Agents" || group="Auditors";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View basic job settings, job instance settings, and job plug-in settings. List job plug-ins and job instances. | Allow | Administrators, KRA Agents, Auditors |
modify | Add and delete job plug-ins and job instances. Modify job plug-ins and job instances. | Allow | Administrators |
D.4.2. certServer.kra.certificate.transport
Controls who can view the transport certificate for the KRA.
allow (read) user="anybody"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View the transport certificate for the KRA instance. | Allow | Anyone |
D.4.3. certServer.kra.configuration
Controls who can configure and manage the setup for the KRA.
allow (read) group="Administrators" || group="Auditors" || group="Key Recovery Authority Agents";allow (modify) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Read the number of required recovery agent approvals. | Allow | Administrators, Auditors, KRA Agents |
modify | Change the number of required recovery agent approvals. | Allow | Administrators |
D.4.4. certServer.kra.connector
Controls what entities can submit requests over a special connector configured on the CA to connect to the KRA. The default configuration is:
allow (submit) group="Trusted Managers"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit a new key archival request (for non-TMS only). | Allow | Trusted Managers |
D.4.5. certServer.kra.GenerateKeyPair
Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (execute) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
execute | Execute server-side key generation (TMS only). | Allow | KRA Agents |
D.4.6. certServer.kra.getTransportCert
Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (download) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
download | Retrieve KRA transport certificate. | Allow | Enterprise Administrators |
D.4.7. certServer.kra.group
Controls access to the internal database for adding users and groups for the KRA instance.
allow (modify,read) group="Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Create, edit, or delete user and group entries for the instance. | Allow | Administrators |
read | View user and group entries for the instance. | Allow | Administrators |
D.4.8. certServer.kra.key
Controls who can access key information through viewing, recovering, or downloading keys. The default configuration is:
allow (read,recover,download) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Display public information about key archival record. | Allow | KRA Agents |
recover | Retrieve key information from the database to perform a recovery operation. | Allow | KRA Agents |
download | Download key information through the agent services pages. | Allow | KRA Agents |
D.4.9. certServer.kra.keys
Controls who can list archived keys through the agent services pages.
allow (list) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Search for and list a range of archived keys. | Allow | KRA Agents |
D.4.10. certServer.kra.registerUser
Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
modify | Register a new user. | Allow | Enterprise Administrators |
read | Read existing user info. | Allow | Enterprise Administrators |
D.4.11. certServer.kra.request
Controls who can view key archival and recovery requests in the agents services interface.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View a key archival or recovery request. | Allow | KRA Agents |
D.4.12. certServer.kra.request.status
Controls who can view the status for a key recovery request in the end-entities page.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | Retrieve the status of a key recovery request in the agents services pages. | Allow | KRA Agents |
D.4.13. certServer.kra.requests
Controls who can list key archival and recovery requests in the agents services interface.
allow (list) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
list | Retrieve details on a range of key archival and recovery requests. | Allow | KRA Agents |
D.4.14. certServer.kra.systemstatus
Controls who can view the statistics for the KRA instance.
allow (read) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
read | View statistics. | Allow | KRA Agents |
D.4.15. certServer.kra.TokenKeyRecovery
Controls who can submit key recovery requests for a token to the KRA. This is a common request for replacing a lost token. The default configuration is:
allow (submit) group="Key Recovery Authority Agents"
Operations | Description | Allow/Deny Access | Targeted Users/Groups |
---|---|---|---|
submit | Submit or initiate key recovery requests for a token recovery. | Allow | KRA Agents |
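
The ACL expressions listed throughout this section can be reviewed mechanically. The following is an added example, not part of the Certificate System documentation or code: a Python parser and evaluator for the expression forms shown on this page, used to report which groups hold an operation such as recover or modify. It handles only the `allow`/`deny (operations) user=… || group=…;…` forms that appear here; the function names and the deny-over-allow evaluation order are assumptions of the example.

```python
import re

# ACL expressions copied from the defaults listed in this section (subset).
DEFAULT_ACLS = {
    "certServer.job.configuration":
        'allow (read) group="Administrators" || group="Key Recovery Authority Agents"'
        ' || group="Auditors";allow (modify) group="Administrators"',
    "certServer.kra.certificate.transport": 'allow (read) user="anybody"',
    "certServer.kra.group": 'allow (modify,read) group="Administrators"',
    "certServer.kra.key":
        'allow (read,recover,download) group="Key Recovery Authority Agents"',
}

RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.+)')
TERM_RE = re.compile(r'(user|group)="([^"]*)"')

def parse_acl(expr):
    """Return [(effect, {operations}, [(kind, name), ...])]; reject anything else."""
    rules = []
    for part in expr.split(";"):          # ';' separates rules
        rule = RULE_RE.fullmatch(part.strip())
        if not rule:
            raise ValueError(f"malformed rule: {part!r}")
        effect, ops, subjects = rule.groups()
        terms = [TERM_RE.fullmatch(t.strip()) for t in subjects.split("||")]
        if not all(terms):                # e.g. a rule glued on with '||'
            raise ValueError(f"malformed subject list: {subjects!r}")
        rules.append((effect, {o.strip() for o in ops.split(",")},
                      [t.groups() for t in terms]))
    return rules

def is_allowed(expr, operation, user, groups):
    """Deny wins over allow; no matching rule means no access (assumed order)."""
    allowed = False
    for effect, ops, terms in parse_acl(expr):
        hit = operation in ops and any(
            name in (groups if kind == "group" else ("anybody", user))
            for kind, name in terms)
        if hit and effect == "deny":
            return False
        allowed = allowed or hit
    return allowed

def holders(acls, operation):
    """Resource -> subjects granted `operation`, for a least-privilege review."""
    found = {}
    for resource, expr in acls.items():
        names = sorted({name for effect, ops, terms in parse_acl(expr)
                        if effect == "allow" and operation in ops
                        for _, name in terms})
        if names:
            found[resource] = names
    return found
```

Running `holders()` over a deployed instance's ACL list and comparing the result with the defaults above highlights any group that has gained `recover`, `download`, or `modify` beyond what this section documents.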