D.4. Key Recovery Authority-Specific ACLs

This section covers the default access control configuration which apply specifically to the KRA. The KRA ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for each of the KRA's interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading keys.

D.4.1. certServer.job.configuration

Controls who can configure jobs for the KRA.
allow (read) group="Administrators" || group="Key Recovery Authority Agents" ||  group="Auditors";allow (modify) group="Administrators"

Table D.43. certServer.job.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View basic job settings, job instance settings, and job plug-in settings. List job plug-ins and job instances. Allow
Administrators
Agents
Auditors
modify Add and delete job plug-ins and job instances. Modify job plug-ins and job instances. Allow Administrators

D.4.2. certServer.kra.certificate.transport

Controls who can view the transport certificate for the KRA.
allow (read) user="anybody"

Table D.44. certServer.kra.certificate.transport ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View the transport certificate for the KRA instance. Allow Anyone

D.4.3. certServer.kra.configuration

Controls who can configure and manage the setup for the KRA.
allow (read) group="Administrators" || group="Auditors" || group="Key Recovery Authority Agents" || allow (modify) group="Administrators"

Table D.45. certServer.kra.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read Read the number of required recovery agent approvals. Allow
Administrators
Agents
Auditors
modify Change the number of required recovery agent approvals. Allow Administrators

D.4.4. certServer.kra.connector

Controls what entities can submit requests over a special connector configured on the CA to connect to the KRA. The default configuration is:
allow (submit) group="Trusted Managers"

Table D.46. certServer.kra.connector ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
submit Submit a new key archival request (for non-TMS only). Allow Trusted Managers

D.4.5. certServer.kra.GenerateKeyPair

Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (execute) group="Key Recovery Authority Agents"

Table D.47. certServer.kra.GenerateKeyPair ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
Execute Execute server-side key generation (TMS only). Allow KRA Agents

D.4.6. certServer.kra.getTransportCert

Controls who can submit key recovery requests to the KRA. The default configuration is:
allow (download) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"

Table D.48. certServer.kra.getTransportCert ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
download Retrieve KRA transport certificate. Allow Enterprise Administrators

D.4.7. certServer.kra.group

Controls access to the internal database for adding users and groups for the KRA instance.
allow (modify,read) group="Administrators"

Table D.49. certServer.kra.group ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
modify Create, edit, or delete user and group entries for the instance. Allow Administrators
read View user and group entries for the instance. Allow
Administrators

D.4.8. certServer.kra.key

Controls who can access key information through viewing, recovering, or downloading keys. The default configuration is:
allow (read,recover,download) group="Key Recovery Authority Agents"

Table D.50. certServer.kra.key ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read Display public information about key archival record. Allow KRA Agents
recover Retrieve key information from the database to perform a recovery operation. Allow KRA Agents
download Download key information through the agent services pages. Allow KRA Agents

D.4.9. certServer.kra.keys

Controls who can list archived keys through the agent services pages.
allow (list) group="Key Recovery Authority Agents"

Table D.51. certServer.kra.keys ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
list Search for and list a range of archived keys. Allow KRA Agents

D.4.10. certServer.kra.registerUser

Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"

Table D.52. certServer.kra.registerUser ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
modify Register a new user. Allow Enterprise Administrators
read Read existing user info. Allow Enterprise Administrators

D.4.11. certServer.kra.request

Controls who can view key archival and recovery requests in the agents services interface.
allow (read) group="Key Recovery Authority Agents"

Table D.53. certServer.kra.request ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View a key archival or recovery request. Allow KRA Agents

D.4.12. certServer.kra.request.status

Controls who can view the status for a key recovery request in the end-entities page.
allow (read) group="Key Recovery Authority Agents"

Table D.54. certServer.kra.request.status ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read Retrieve the status of a key recovery request in the agents services pages. Allow KRA Agents

D.4.13. certServer.kra.requests

Controls who can list key archival and recovery requests in the agents services interface.
allow (list) group="Key Recovery Authority Agents"

Table D.55. certServer.kra.requests ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
list Retrieve details on a range of key archival and recovery requests. Allow KRA Agents

D.4.14. certServer.kra.systemstatus

Controls who can view the statistics for the KRA instance.
allow (read) group="Key Recovery Authority Agents"

Table D.56. certServer.kra.systemstatus ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View statistics. Allow KRA Agents

D.4.15. certServer.kra.TokenKeyRecovery

Controls who can submit key recovery requests for a token to the KRA. This is a common request for replacing a lost token. The default configuration is:
allow (submit) group="Key Recovery Authority Agents"

Table D.57. certServer.kra.TokenKeyRecovery ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
submit Submit or initiate key recovery requests for a token recovery. Allow KRA Agents