summaryrefslogtreecommitdiffstats
path: root/pki/base/kra/shared/conf
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/kra/shared/conf')
-rw-r--r--pki/base/kra/shared/conf/acl.ldif10
-rw-r--r--pki/base/kra/shared/conf/server.xml50
2 files changed, 60 insertions, 0 deletions
diff --git a/pki/base/kra/shared/conf/acl.ldif b/pki/base/kra/shared/conf/acl.ldif
index 4c219eaaa..38a9a088c 100644
--- a/pki/base/kra/shared/conf/acl.ldif
+++ b/pki/base/kra/shared/conf/acl.ldif
@@ -30,3 +30,13 @@ resourceACLS: certServer.kra.TokenKeyRecovery:submit:allow (submit) group="Data
resourceACLS: certServer.kra.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
resourceACLS: certServer.kra.getTransportCert:read:allow (read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.kra.pki.key.retrieve:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may retrieve archived key
+resourceACLS: certServer.kra.pki.keyrequests:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read keyrequests data
+resourceACLS: certServer.kra.pki.keyrequest:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read keyrequest data
+resourceACLS: certServer.kra.pki.keyrequest.archive:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may issue archival request
+resourceACLS: certServer.kra.pki.keyrequest.recover:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may issue recovery request
+resourceACLS: certServer.kra.pki.keyrequest.approve:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may approve security data request
+resourceACLS: certServer.kra.pki.keyrequest.reject:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may reject key security data request
+resourceACLS: certServer.kra.pki.keyrequest.cancel:execute:allow (execute) group="Data Recovery Manager Agents":Data Recovery Manager Agents may cancel security data request
+resourceACLS: certServer.kra.pki.keys:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read security data
+resourceACLS: certServer.kra.pki.config.cert.transport:read:allow (read) group="Data Recovery Manager Agents":Data Recovery Manager Agents may read transport cert data
diff --git a/pki/base/kra/shared/conf/server.xml b/pki/base/kra/shared/conf/server.xml
index fcd849ef2..58121d448 100644
--- a/pki/base/kra/shared/conf/server.xml
+++ b/pki/base/kra/shared/conf/server.xml
@@ -229,8 +229,58 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
+
+ <!--
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
+ -->
+
+ <!-- Custom PKIJNDI realm
+
+ Example:
+
+ <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" : classpath to realm
+ connectionURL="ldap://localhost:389" : standard JNDI connection URL
+ userBase="ou=people,dc=localhost-pki-kra" : standard JNDI userBase property
+ userSearch="(description={0})" : Attribute to search for user of incoming client auth certificate
+ : Use userSearch="(UID={0})" if wanting to search isolate user based on UID
+ : Also set the following: certUIDLabel="UID" or whatever the field containing
+ : the user's UID happens to be. This will cause the incoming's cert dn to be
+ : be searched for <certUIDLabel>=<uid value>
+
+ certAttrName="userCertificate" : Attribute containing user's client auth certificate
+ roleBase="ou=groups,dc=localhost-pki-kra" : Standard JNDI search base for roles or groups
+ roleName="cn" : Standard attribute name containg roles or groups
+ roleSubtree="true" : Standard JNDI roleSubtree property
+ roleSearch="(uniqueMember={0})" : How to search for a user in a specific role or group
+ connectionName="cn=Directory Manager" : Connection name, needs elevated privileges
+ connectionPassword="secret123" : Password for elevated user
+ aclBase ="cn=aclResources,dc=localhost-pki-kra" : Custom base location of PKI ACL's in directory
+ aclAttrName="resourceACLS" : Name of attribute containing PKI ACL's
+ />
+
+ Uncomment and customize below to activate Realm.
+ Also umcomment Security Constraints and login config values
+ in WEB-INF/web.xml as well.
+ -->
+
+ <!--
+ <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm"
+ connectionURL="ldap://localhost:389"
+ userBase="ou=people,dc=localhost-pki-kra"
+ userSearch="(description={0})"
+ certAttrName="userCertificate"
+ roleBase="ou=groups,dc=localhost-pki-kra"
+ roleName="cn"
+ roleSubtree="true"
+ roleSearch="(uniqueMember={0})"
+ connectionName="cn=Directory Manager"
+ connectionPassword="netscape"
+ aclBase ="cn=aclResources,dc=localhost-pki-kra"
+ aclAttrName="resourceACLS"
+ />
+
+ -->
<!-- Define the default virtual host
Note: XML Schema validation will not work with Xerces 2.2.
generated by cgit (git 2.34.1) at 2024-06-19 15:18:41 +0000