diff options
Diffstat (limited to 'base/ocsp/shared')
-rw-r--r-- | base/ocsp/shared/conf/CS.cfg.in | 1 | ||||
-rw-r--r-- | base/ocsp/shared/conf/acl.ldif | 1 | ||||
-rw-r--r-- | base/ocsp/shared/conf/db.ldif | 12 | ||||
-rw-r--r-- | base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml | 167 |
4 files changed, 181 insertions, 0 deletions
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in index 8c4d68dc7..65b8b4c22 100644 --- a/base/ocsp/shared/conf/CS.cfg.in +++ b/base/ocsp/shared/conf/CS.cfg.in @@ -48,6 +48,7 @@ ocsp.cert.signing.certusage=StatusResponder ocsp.cert.sslserver.certusage=SSLServer ocsp.cert.subsystem.certusage=SSLClient ocsp.cert.audit_signing.certusage=ObjectSigner +ocsp.standalone=[PKI_STANDALONE] preop.cert.ocsp_signing.enable=true preop.cert.sslserver.enable=true preop.cert.subsystem.enable=true diff --git a/base/ocsp/shared/conf/acl.ldif b/base/ocsp/shared/conf/acl.ldif index b1dbc4c5b..14221f8bb 100644 --- a/base/ocsp/shared/conf/acl.ldif +++ b/base/ocsp/shared/conf/acl.ldif @@ -10,6 +10,7 @@ cn: aclResources resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) group="Administrators" || group="Auditors" || group="Online Certificate Status Manager Agents";allow (modify,delete) group="Administrators":Administrators, auditors, and agents are allowed to read CMS general configuration but only administrators are allowed to modify and delete resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Online Certificate Status Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Online Certificate Status Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify +resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise OCSP Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter #resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Online Certificate Status Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log diff --git a/base/ocsp/shared/conf/db.ldif b/base/ocsp/shared/conf/db.ldif index ec159e02f..2e0eec44c 100644 --- a/base/ocsp/shared/conf/db.ldif +++ b/base/ocsp/shared/conf/db.ldif @@ -50,6 +50,18 @@ objectClass: groupOfUniqueNames cn: ClonedSubsystems description: People who can clone the master subsystem +dn: cn=Security Domain Administrators,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Security Domain Administrators +description: People who are the Security Domain administrators + +dn: cn=Enterprise OCSP Administrators,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Enterprise OCSP Administrators +description: People who are the administrators for the security domain for OCSP + dn: ou=requests,{rootSuffix} objectClass: top objectClass: organizationalUnit diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml index b9b874513..9c86fa1f1 100644 --- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml @@ -404,6 +404,121 @@ <param-value> ocspGetStatus </param-value> </init-param> </servlet> + [PKI_OPEN_STANDALONE_COMMENT] + <servlet> + <servlet-name> ocspGetDomainXML </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ocsp </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> ocspGetDomainXML </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> ocspUpdateDomainXML </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> true </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ocsp </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> ocspUpdateDomainXML </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> agent </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> certUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.securitydomain.domainxml </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> ocspUpdateDomainXML-admin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.UpdateDomainXML </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ocsp </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> ocspUpdateDomainXML </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> admin </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> TokenAuth </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.securitydomain.domainxml </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> ocspSecurityDomainLogin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.SecurityDomainLogin </servlet-class> + <init-param> <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ocsp </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> ocspSecurityDomainLogin </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.certificates </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> ocspGetCookie </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.GetCookie </servlet-class> + <init-param> <param-name>properties</param-name> + <param-value>/WEB-INF/velocity.properties</param-value> </init-param> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ocsp </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> ocspGetCookie </param-value> </init-param> + <init-param><param-name> AuthMgr </param-name> + <param-value> passwdUserDBAuthMgr </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /admin/ocsp/sendCookie.template </param-value> </init-param> + <init-param><param-name> errorTemplatePath </param-name> + <param-value> /admin/ocsp/securitydomainlogin.template </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> ocspTokenAuthenticate </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ocsp </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> ocspTokenAuthenticate </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> ocspTokenAuthenticate-admin </servlet-name> + <servlet-class> com.netscape.cms.servlet.csadmin.TokenAuthenticate </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> authority </param-name> + <param-value> ocsp </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> ocspTokenAuthenticate </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> admin </param-value> </init-param> + </servlet> + [PKI_CLOSE_STANDALONE_COMMENT] + <listener> <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class> </listener> @@ -576,6 +691,43 @@ <url-pattern> /admin/ocsp/getStatus </url-pattern> </servlet-mapping> + [PKI_OPEN_STANDALONE_COMMENT] + <servlet-mapping> + <servlet-name> ocspGetDomainXML </servlet-name> + <url-pattern> /admin/ocsp/getDomainXML </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> ocspUpdateDomainXML </servlet-name> + <url-pattern> /agent/ocsp/updateDomainXML </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> ocspUpdateDomainXML-admin </servlet-name> + <url-pattern> /admin/ocsp/updateDomainXML </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> ocspSecurityDomainLogin </servlet-name> + <url-pattern> /admin/ocsp/securityDomainLogin </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> ocspGetCookie </servlet-name> + <url-pattern> /admin/ocsp/getCookie </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> ocspTokenAuthenticate </servlet-name> + <url-pattern> /ee/ocsp/tokenAuthenticate </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> ocspTokenAuthenticate-admin </servlet-name> + <url-pattern> /admin/ocsp/tokenAuthenticate </url-pattern> + </servlet-mapping> + [PKI_CLOSE_STANDALONE_COMMENT] + <!-- ==================== Default Session Configuration =============== --> <!-- You can set the default session timeout (in minutes) for all newly --> @@ -613,6 +765,21 @@ </user-data-constraint> </security-constraint> + [PKI_OPEN_STANDALONE_COMMENT] + <security-constraint> + <web-resource-collection> + <web-resource-name>Security Domain Services</web-resource-name> + <url-pattern>/rest/securityDomain/installToken</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + [PKI_CLOSE_STANDALONE_COMMENT] + <login-config> <realm-name>Online Certificate Status Protocol Manager</realm-name> </login-config> |