-rw-r--r-- | base/ca/shared/conf/acl.ldif | 1 | ||||
-rw-r--r-- | base/ca/shared/conf/acl.properties | 2 | ||||
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/web.xml | 13 | ||||
-rw-r--r-- | base/kra/shared/conf/acl.ldif | 1 | ||||
-rw-r--r-- | base/kra/shared/conf/acl.properties | 2 | ||||
-rw-r--r-- | base/kra/shared/webapps/kra/WEB-INF/web.xml | 13 | ||||
-rw-r--r-- | base/ocsp/shared/conf/acl.ldif | 1 | ||||
-rw-r--r-- | base/ocsp/shared/conf/acl.properties | 2 | ||||
-rw-r--r-- | base/ocsp/shared/conf/auth-method.properties | 1 | ||||
-rw-r--r-- | base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml | 13 | ||||
-rw-r--r-- | base/tks/shared/conf/acl.ldif | 1 | ||||
-rw-r--r-- | base/tks/shared/conf/acl.properties | 2 | ||||
-rw-r--r-- | base/tks/shared/webapps/tks/WEB-INF/web.xml | 13 |
13 files changed, 65 insertions, 0 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index d5385e8e2..0da10939f 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -55,4 +55,5 @@ resourceACLS: certServer.ca.account:login,logout:allow (login,logout) user="anyb
 resourceACLS: certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
 resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
 resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ca.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
 resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
index 1c6651e4f..d14d1832c 100644
--- a/base/ca/shared/conf/acl.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -18,4 +18,6 @@ profiles.list = certServer.ee.profiles,list
 profiles.modify = certServer.profile.configuration,modify
 profiles.read = certServer.profile.configuration,read
 securityDomain.installToken = certServer.securitydomain.domainxml,read
+selftests.read = certServer.ca.selftests,read
+selftests.execute = certServer.ca.selftests,execute
 users = certServer.ca.users,execute
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 32f5786a1..6bf137ca7 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2463,6 +2463,19 @@
 <security-constraint>
 <web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
 <web-resource-name>Profile Services</web-resource-name>
 <url-pattern>/rest/profiles/*</url-pattern>
 </web-resource-collection>
diff --git a/base/kra/shared/conf/acl.ldif b/base/kra/shared/conf/acl.ldif
index 76da45db3..24e738216 100644
--- a/base/kra/shared/conf/acl.ldif
+++ b/base/kra/shared/conf/acl.ldif
@@ -34,4 +34,5 @@ resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) gro
 resourceACLS: certServer.kra.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
 resourceACLS: certServer.kra.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
 resourceACLS: certServer.kra.keyrequests:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key request operations
+resourceACLS: certServer.kra.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
 resourceACLS: certServer.kra.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties
index 8f6ff5e7a..3fde90465 100644
--- a/base/kra/shared/conf/acl.properties
+++ b/base/kra/shared/conf/acl.properties
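Review bot: The new `/rest/selftests/*` constraint authorizes `<role-name>*</role-name>`, so the container only checks that the caller is authenticated in some declared role; the "Administrators only" restriction stated in the matching ACL entry is enforced elsewhere, and nothing in this hunk ties the two together. Whether the REST resource actually consults the `selftests.read`/`selftests.execute` mappings (presumably via an ACL annotation on its methods) is not visible in this diff and should be confirmed before relying on the container constraint alone. A one-line comment above the block would stop a later reader from assuming `*` is the whole story: `<!-- any authenticated role; admin-only access is enforced by the certServer.ca.selftests ACL -->`. The surrounding list of security-constraint elements continues outside the hunk.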
@@ -10,4 +10,6 @@ account.logout = certServer.kra.account,logout
 groups = certServer.kra.groups,execute
 keys = certServer.kra.keys,execute
 keyrequests = certServer.kra.keyrequests,execute
+selftests.read = certServer.kra.selftests,read
+selftests.execute = certServer.kra.selftests,execute
 users = certServer.kra.users,execute
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 12f18848e..d27d88d71 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -1159,6 +1159,19 @@
 </security-constraint>
 [PKI_CLOSE_STANDALONE_COMMENT]
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
 <login-config>
 <realm-name>Key Recovery Authority</realm-name>
 </login-config>
diff --git a/base/ocsp/shared/conf/acl.ldif b/base/ocsp/shared/conf/acl.ldif
index 14221f8bb..b66478b07 100644
--- a/base/ocsp/shared/conf/acl.ldif
+++ b/base/ocsp/shared/conf/acl.ldif
@@ -30,4 +30,5 @@ resourceACLS: certServer.ocsp.group:read,modify:allow (modify,read) group="Admin
 resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
 resourceACLS: certServer.ocsp.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
 resourceACLS: certServer.ocsp.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ocsp.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
 resourceACLS: certServer.ocsp.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties
index 67c68b37f..9528f11fa 100644
--- a/base/ocsp/shared/conf/acl.properties
+++ b/base/ocsp/shared/conf/acl.properties
@@ -8,4 +8,6 @@ account.login = certServer.ocsp.account,login
 account.logout = certServer.ocsp.account,logout
 groups = certServer.ocsp.groups,execute
+selftests.read = certServer.ocsp.selftests,read
+selftests.execute = certServer.ocsp.selftests,execute
 users = certServer.ocsp.users,execute
diff --git a/base/ocsp/shared/conf/auth-method.properties b/base/ocsp/shared/conf/auth-method.properties
index 5718fc6da..9f5a7a1d3 100644
--- a/base/ocsp/shared/conf/auth-method.properties
+++ b/base/ocsp/shared/conf/auth-method.properties
@@ -9,4 +9,5 @@ default = *
 account = certUserDBAuthMgr,passwdUserDBAuthMgr
 groups = certUserDBAuthMgr
+selftests = certUserDBAuthMgr
 users = certUserDBAuthMgr
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index 9c86fa1f1..8002f749b 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
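Review bot: Only the OCSP `auth-method.properties` gains `selftests = certUserDBAuthMgr`; the diffstat lists no `auth-method.properties` change for CA, KRA or TKS, so in those three subsystems the new `selftests` mapping presumably falls through to their `default` entry, which in this file is `default = *`. If their defaults are equally permissive, a password-authenticated administrator (the `passwdUserDBAuthMgr` shown on the `account` line) could read and execute self-tests on CA/KRA/TKS while OCSP demands a client certificate for the same operation. Either add the same `selftests = certUserDBAuthMgr` line to the other three files or record why OCSP alone is restricted, e.g. `# selftests require client-cert auth; see also acl.properties selftests.*`. The hunk ends at the `users` line, so the rest of the file is not visible here.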
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -780,6 +780,19 @@
 </security-constraint>
 [PKI_CLOSE_STANDALONE_COMMENT]
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
 <login-config>
 <realm-name>Online Certificate Status Protocol Manager</realm-name>
 </login-config>
diff --git a/base/tks/shared/conf/acl.ldif b/base/tks/shared/conf/acl.ldif
index bed8ba7cb..cd4229542 100644
--- a/base/tks/shared/conf/acl.ldif
+++ b/base/tks/shared/conf/acl.ldif
@@ -30,4 +30,5 @@ resourceACLS: certServer.tks.importTransportCert:read,modify:allow (modify,read)
 resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
 resourceACLS: certServer.tks.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
 resourceACLS: certServer.tks.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.tks.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
 resourceACLS: certServer.tks.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties
index db13b08a1..d2c237290 100644
--- a/base/tks/shared/conf/acl.properties
+++ b/base/tks/shared/conf/acl.properties
@@ -8,4 +8,6 @@ account.login = certServer.tks.account,login
 account.logout = certServer.tks.account,logout
 groups = certServer.tks.groups,execute
+selftests.read = certServer.tks.selftests,read
+selftests.execute = certServer.tks.selftests,execute
 users = certServer.tks.users,execute
diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
index f817baf99..652736217 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -443,6 +443,19 @@
 </user-data-constraint>
 </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
 <login-config>
 <realm-name>Token Key Service</realm-name>
 </login-config> |