D.5. Online Certificate Status Manager-Specific ACLs

This section covers the default access control configuration attributes which are set specifically for the Online Certificate Status Manager. The OCSP responder's ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for each of the OCSP's interfaces (administrative console and agents and end-entities services pages) and for common operations like listing and downloading CRLs.

D.5.1. certServer.ee.crl

Controls access to CRLs through the end-entities page.
allow (read) user="anybody"

Table D.58. certServer.ee.crl ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read Retrieve and view the certificate revocation list. Allow Anyone

D.5.2. certServer.ee.request.ocsp

Controls access, based on IP address, on which clients submit OCSP requests.
allow (submit) ipaddress=".*"

Table D.59. certServer.ee.request.ocsp ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
submit Submit OCSP requests. Allow All IP addresses

D.5.3. certServer.ocsp.ca

Controls who can instruct the OCSP responder. The default setting is:
allow (add) group="Online Certificate Status Manager Agents"

Table D.60. certServer.ocsp.ca ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
Add Instruct the OCSP responder to respond to OCSP requests for a new CA. Allow OCSP Manager Agents

D.5.4. certServer.ocsp.cas

Controls who can list, in the agent services interface, all of the Certificate Managers which publish CRLs to the Online Certificate Status Manager. The default setting is:
allow (list) group="Online Certificate Status Manager Agents"

Table D.61. certServer.ocsp.cas ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
list Lists all of the Certificate Managers which publish CRLs to the OCSP responder. Allow Agents

D.5.5. certServer.ocsp.certificate

Controls who can validate the status of a certificate. The default setting is:
allow (validate) group="Online Certificate Status Manager Agents"

Table D.62. certServer.ocsp.certificate ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
validate Verifies the status of a specified certificate. Allow OCSP Agents

D.5.6. certServer.ocsp.configuration

Controls who can access, view, or modify the configuration for the Certificate Manager's OCSP services. The default configuration is:
allow (read) group="Administrators" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators"

Table D.63. certServer.ocsp.configuration ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View OCSP plug-in information, OCSP configuration, and OCSP stores configuration. List OCSP stores configuration. Allow
Administrators
Online Certificate Status Manager Agents
Auditors
modify Modify the OCSP configuration, OCSP stores configuration, and default OCSP store. Allow Administrators

D.5.7. certServer.ocsp.crl

Controls access to read or update CRLs through the agent services interface. The default setting is:
allow (add) group="Online Certificate Status Manager Agents" || group="Trusted Managers"

Table D.64. certServer.ocsp.crl ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
add Add new CRLs to those managed by the OCSP responder. Allow
OCSP Agents
Trusted Managers

D.5.8. certServer.ocsp.group

Controls access to the internal database for adding users and groups for the Online Certificate Status Manager instance.
allow (modify,read) group="Administrators"

Table D.65. certServer.ocsp.group ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
modify Create, edit or delete user and group entries for the instance. Allow Administrators
read View user and group entries for the instance. Allow Administrators

D.5.9. certServer.ocsp.info

Controls who can read information about the OCSP responder.
allow (read) group="Online Certificate Status Manager Agents"

Table D.66. certServer.ocsp.info ACL Summary

Operations Description Allow/Deny Access Targeted Users/Groups
read View OCSP responder information. Allow OCSP Agents