D.4. Key Recovery Authority-Specific ACLs
This section covers the default access control configuration which apply specifically to the KRA. The KRA ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for each of the KRA's interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading keys.
D.4.1. certServer.job.configuration
Controls who can configure jobs for the KRA.
allow (read) group="Administrators" || group="Key Recovery Authority Agents" || group="Auditors";allow (modify) group="Administrators"
Table D.43. certServer.job.configuration ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups | |||
|---|---|---|---|---|---|---|
| read | View basic job settings, job instance settings, and job plug-in settings. List job plug-ins and job instances. | Allow |
| |||
| modify | Add and delete job plug-ins and job instances. Modify job plug-ins and job instances. | Allow | Administrators |
D.4.2. certServer.kra.certificate.transport
Controls who can view the transport certificate for the KRA.
allow (read) user="anybody"
Table D.44. certServer.kra.certificate.transport ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View the transport certificate for the KRA instance. | Allow | Anyone |
D.4.3. certServer.kra.configuration
Controls who can configure and manage the setup for the KRA.
allow (read) group="Administrators" || group="Auditors" || group="Key Recovery Authority Agents" || allow (modify) group="Administrators"
Table D.45. certServer.kra.configuration ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups | |||
|---|---|---|---|---|---|---|
| read | Read the number of required recovery agent approvals. | Allow |
| |||
| modify | Change the number of required recovery agent approvals. | Allow | Administrators |
D.4.4. certServer.kra.connector
Controls what entities can submit requests over a special connector configured on the CA to connect to the KRA. The default configuration is:
allow (submit) group="Trusted Managers"
Table D.46. certServer.kra.connector ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| submit | Submit a new key archival request (for non-TMS only). | Allow | Trusted Managers |
D.4.5. certServer.kra.GenerateKeyPair
Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (execute) group="Key Recovery Authority Agents"
Table D.47. certServer.kra.GenerateKeyPair ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| Execute | Execute server-side key generation (TMS only). | Allow | KRA Agents |
D.4.6. certServer.kra.getTransportCert
Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (download) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.48. certServer.kra.getTransportCert ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| download | Retrieve KRA transport certificate. | Allow | Enterprise Administrators |
D.4.7. certServer.kra.group
Controls access to the internal database for adding users and groups for the KRA instance.
allow (modify,read) group="Administrators"
Table D.49. certServer.kra.group ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups | |
|---|---|---|---|---|
| modify | Create, edit, or delete user and group entries for the instance. | Allow | Administrators | |
| read | View user and group entries for the instance. | Allow |
|
D.4.8. certServer.kra.key
Controls who can access key information through viewing, recovering, or downloading keys. The default configuration is:
allow (read,recover,download) group="Key Recovery Authority Agents"
Table D.50. certServer.kra.key ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | Display public information about key archival record. | Allow | KRA Agents |
| recover | Retrieve key information from the database to perform a recovery operation. | Allow | KRA Agents |
| download | Download key information through the agent services pages. | Allow | KRA Agents |
D.4.9. certServer.kra.keys
Controls who can list archived keys through the agent services pages.
allow (list) group="Key Recovery Authority Agents"
Table D.51. certServer.kra.keys ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| list | Search for and list a range of archived keys. | Allow | KRA Agents |
D.4.10. certServer.kra.registerUser
Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.52. certServer.kra.registerUser ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| modify | Register a new user. | Allow | Enterprise Administrators |
| read | Read existing user info. | Allow | Enterprise Administrators |
D.4.11. certServer.kra.request
Controls who can view key archival and recovery requests in the agents services interface.
allow (read) group="Key Recovery Authority Agents"
Table D.53. certServer.kra.request ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View a key archival or recovery request. | Allow | KRA Agents |
D.4.12. certServer.kra.request.status
Controls who can view the status for a key recovery request in the end-entities page.
allow (read) group="Key Recovery Authority Agents"
Table D.54. certServer.kra.request.status ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | Retrieve the status of a key recovery request in the agents services pages. | Allow | KRA Agents |
D.4.13. certServer.kra.requests
Controls who can list key archival and recovery requests in the agents services interface.
allow (list) group="Key Recovery Authority Agents"
Table D.55. certServer.kra.requests ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| list | Retrieve details on a range of key archival and recovery requests. | Allow | KRA Agents |
D.4.14. certServer.kra.systemstatus
Controls who can view the statistics for the KRA instance.
allow (read) group="Key Recovery Authority Agents"
Table D.56. certServer.kra.systemstatus ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| read | View statistics. | Allow | KRA Agents |
D.4.15. certServer.kra.TokenKeyRecovery
Controls who can submit key recovery requests for a token to the KRA. This is a common request for replacing a lost token. The default configuration is:
allow (submit) group="Key Recovery Authority Agents"
Table D.57. certServer.kra.TokenKeyRecovery ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| submit | Submit or initiate key recovery requests for a token recovery. | Allow | KRA Agents |
