summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--base/ca/shared/conf/acl.ldif1
-rw-r--r--base/ca/shared/conf/acl.properties2
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/web.xml13
-rw-r--r--base/kra/shared/conf/acl.ldif1
-rw-r--r--base/kra/shared/conf/acl.properties2
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/web.xml13
-rw-r--r--base/ocsp/shared/conf/acl.ldif1
-rw-r--r--base/ocsp/shared/conf/acl.properties2
-rw-r--r--base/ocsp/shared/conf/auth-method.properties1
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml13
-rw-r--r--base/tks/shared/conf/acl.ldif1
-rw-r--r--base/tks/shared/conf/acl.properties2
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/web.xml13
13 files changed, 65 insertions, 0 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index d5385e8e2..0da10939f 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -55,4 +55,5 @@ resourceACLS: certServer.ca.account:login,logout:allow (login,logout) user="anyb
resourceACLS: certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ca.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
index 1c6651e4f..d14d1832c 100644
--- a/base/ca/shared/conf/acl.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -18,4 +18,6 @@ profiles.list = certServer.ee.profiles,list
profiles.modify = certServer.profile.configuration,modify
profiles.read = certServer.profile.configuration,read
securityDomain.installToken = certServer.securitydomain.domainxml,read
+selftests.read = certServer.ca.selftests,read
+selftests.execute = certServer.ca.selftests,execute
users = certServer.ca.users,execute
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 32f5786a1..6bf137ca7 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2463,6 +2463,19 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Profile Services</web-resource-name>
<url-pattern>/rest/profiles/*</url-pattern>
</web-resource-collection>
diff --git a/base/kra/shared/conf/acl.ldif b/base/kra/shared/conf/acl.ldif
index 76da45db3..24e738216 100644
--- a/base/kra/shared/conf/acl.ldif
+++ b/base/kra/shared/conf/acl.ldif
@@ -34,4 +34,5 @@ resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) gro
resourceACLS: certServer.kra.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.kra.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
resourceACLS: certServer.kra.keyrequests:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key request operations
+resourceACLS: certServer.kra.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
resourceACLS: certServer.kra.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties
index 8f6ff5e7a..3fde90465 100644
--- a/base/kra/shared/conf/acl.properties
+++ b/base/kra/shared/conf/acl.properties
@@ -10,4 +10,6 @@ account.logout = certServer.kra.account,logout
groups = certServer.kra.groups,execute
keys = certServer.kra.keys,execute
keyrequests = certServer.kra.keyrequests,execute
+selftests.read = certServer.kra.selftests,read
+selftests.execute = certServer.kra.selftests,execute
users = certServer.kra.users,execute
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 12f18848e..d27d88d71 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -1159,6 +1159,19 @@
</security-constraint>
[PKI_CLOSE_STANDALONE_COMMENT]
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
<login-config>
<realm-name>Key Recovery Authority</realm-name>
</login-config>
diff --git a/base/ocsp/shared/conf/acl.ldif b/base/ocsp/shared/conf/acl.ldif
index 14221f8bb..b66478b07 100644
--- a/base/ocsp/shared/conf/acl.ldif
+++ b/base/ocsp/shared/conf/acl.ldif
@@ -30,4 +30,5 @@ resourceACLS: certServer.ocsp.group:read,modify:allow (modify,read) group="Admin
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.ocsp.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.ocsp.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ocsp.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
resourceACLS: certServer.ocsp.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties
index 67c68b37f..9528f11fa 100644
--- a/base/ocsp/shared/conf/acl.properties
+++ b/base/ocsp/shared/conf/acl.properties
@@ -8,4 +8,6 @@
account.login = certServer.ocsp.account,login
account.logout = certServer.ocsp.account,logout
groups = certServer.ocsp.groups,execute
+selftests.read = certServer.ocsp.selftests,read
+selftests.execute = certServer.ocsp.selftests,execute
users = certServer.ocsp.users,execute
diff --git a/base/ocsp/shared/conf/auth-method.properties b/base/ocsp/shared/conf/auth-method.properties
index 5718fc6da..9f5a7a1d3 100644
--- a/base/ocsp/shared/conf/auth-method.properties
+++ b/base/ocsp/shared/conf/auth-method.properties
@@ -9,4 +9,5 @@
default = *
account = certUserDBAuthMgr,passwdUserDBAuthMgr
groups = certUserDBAuthMgr
+selftests = certUserDBAuthMgr
users = certUserDBAuthMgr
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index 9c86fa1f1..8002f749b 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -780,6 +780,19 @@
</security-constraint>
[PKI_CLOSE_STANDALONE_COMMENT]
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
<login-config>
<realm-name>Online Certificate Status Protocol Manager</realm-name>
</login-config>
diff --git a/base/tks/shared/conf/acl.ldif b/base/tks/shared/conf/acl.ldif
index bed8ba7cb..cd4229542 100644
--- a/base/tks/shared/conf/acl.ldif
+++ b/base/tks/shared/conf/acl.ldif
@@ -30,4 +30,5 @@ resourceACLS: certServer.tks.importTransportCert:read,modify:allow (modify,read)
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.tks.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.tks.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.tks.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
resourceACLS: certServer.tks.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties
index db13b08a1..d2c237290 100644
--- a/base/tks/shared/conf/acl.properties
+++ b/base/tks/shared/conf/acl.properties
@@ -8,4 +8,6 @@
account.login = certServer.tks.account,login
account.logout = certServer.tks.account,logout
groups = certServer.tks.groups,execute
+selftests.read = certServer.tks.selftests,read
+selftests.execute = certServer.tks.selftests,execute
users = certServer.tks.users,execute
diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
index f817baf99..652736217 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -443,6 +443,19 @@
</user-data-constraint>
</security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
<login-config>
<realm-name>Token Key Service</realm-name>
</login-config>
generated by cgit (git 2.34.1) at 2024-06-22 00:30:39 +0000