D.6. Token Key Service-Specific ACLs
This section covers the default access control configuration attributes which are set specifically for the Token Key Service (TKS). The TKS ACL configuration also includes all of the common ACLs listed in Section D.2, “Common ACLs”.
There are access control rules set for the TKS's administrative console and for access by other subsystems to the TKS.
D.6.1. certServer.tks.encrypteddata
Controls who can encrypt data.
allow(execute) group="Token Key Service Manager Agents"
Table D.67. certServer.tks.encrypteddata ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| Execute | Encrypted data stored in the TKS. | Allow | TKS Agents |
D.6.2. certServer.tks.group
Controls access to the internal database for adding users and groups for the TKS instance.
allow (modify,read) group="Administrators"
Table D.68. certServer.tks.group ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| modify | Create, edit, or delete user and group entries for the instance. | Allow | Administrators |
| read | View user and group entries for the instance. | Allow | Administrators |
D.6.3. certServer.tks.importTransportCert
Controls who can import the transport certificate used by the TKS to deliver keys.
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.69. certServer.tks.importTransportCert ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| modify | Update the transport certificate. | Allow | Enterprise Administrators |
| read | Import the transport certificate. | Allow | Enterprise Administrators |
D.6.4. certServer.tks.keysetdata
Controls who can view information about key sets derived and stored by the TKS.
allow (execute) group="Token Key Service Manager Agents"
Table D.70. certServer.tks.keysetdata ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| Execute | Create diversified key set data. | Allow | TKS Agents |
D.6.5. certServer.tks.registerUser
Defines which group or user can create an agent user for the instance. The default configuration is:
allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
Table D.71. certServer.tks.registerUser ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| modify | Register a new agent. | Allow | Enterprise Administrators |
| read | Read existing agent information. | Allow | Enterprise Administrators |
D.6.6. certServer.tks.sessionkey
Controls who can create the session keys used by the TKS instance to connections to the TPS.
allow (execute) group="Token Key Service Manager Agents"
Table D.72. certServer.tks.sessionkey ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| Execute | Create session keys generated by the TKS. | Allow | TKS Agents |
D.6.7. certServer.tks.randomdata
Controls who can create random data.
allow (execute) group="Token Key Service Manager Agents"
Table D.73. certServer.tks.randomdata ACL Summary
| Operations | Description | Allow/Deny Access | Targeted Users/Groups |
|---|---|---|---|
| Execute | Generate random data. | Allow | TKS Agents |