000021737 - How to limit Keon Certificate Authority administrative access via certificates and Web ACLs

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4


Article Number: 000021737
Applies To: Keon Certificate Authority 6.5.1; Microsoft Windows 2000 Advanced Server SP4
Issue: How to limit Keon Certificate Authority administrative access via certificates and Web ACLs; setting up Web ACLs
Cause: A requirement exists where one or more administrators need to be given very limited access to some Keon Certificate Authority (KCA) functionality.

The documentation (and the online help pages) give extensive information about the use of Web ACLs. The following steps show one simple example: assigning a single function to a single user.


For example, suppose we want one administrator to be able to run only the report that checks for expiring certificates, which is reached at the URL:



Suppose this administrator has been issued a certificate whose MD5 fingerprint is eb58dfec5304396e3460a5d3303. All other administrative functionality should be excluded. Using the System Configuration workbench, set up two ACL rules. First, a rule that denies access to everything:


Then a second rule that allows only the single function required, for that one certificate:


Together, the two rules limit this administrator to that one function: the deny rule covers every URL, and the allow rule carves out the single report URL for the single certificate.

NOTE: This example matches on the MD5 fingerprint of the certificate. In practice a broader rule is usually better, because a fingerprint match is very narrow in scope: if the administrator ever renews their certificate, the renewed certificate has a different fingerprint and these rules no longer apply to it, so the administrator loses access until the ACL is edited.

You will probably find it more appropriate to base the rule on the O or OU value of the certificate subject together with the signing CA. This survives renewal and allows a much more flexible approach; the issuer check matters because without it any CA could issue a certificate carrying a matching O or OU.
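The following Python model is an added example and is not KCA configuration syntax or RSA code. It implements the two-rule pattern described above (deny everything, then allow one URL) and the renewal caveat: the allow rule is first keyed on the certificate's MD5 fingerprint, then on subject O/OU plus issuer. The evaluation order (rules checked top to bottom, last match wins, no match means deny), the report path `/ca/reports/expiring-certs`, the OU `Cert Reporting`, the CA name and the DER bytes are all assumptions constructed for the demo, not values taken from the article.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hypothetical path standing in for the article's expiring-certificates
# report URL, which is not reproduced here.
EXPIRING_REPORT_URL = "/ca/reports/expiring-certs"


@dataclass(frozen=True)
class ClientCert:
    """Constructed stand-in for the client certificate presented to the web
    server: the attributes a Web ACL can match on, plus the DER bytes the
    fingerprint is taken over. Not a real X.509 parser."""
    subject: Dict[str, str]   # e.g. {"O": ..., "OU": ..., "CN": ...}
    issuer_cn: str            # CN of the CA that signed the certificate
    der: bytes

    def md5_fingerprint(self) -> str:
        # "MD5 of the certificate" is the digest of its DER encoding; a
        # renewed certificate (new serial, validity, usually a new key) has
        # different DER bytes and therefore a different fingerprint.
        return hashlib.md5(self.der).hexdigest()


@dataclass(frozen=True)
class Rule:
    action: str                              # "deny" or "allow"
    url_prefix: str                          # "/" covers every URL
    matches: Callable[[ClientCert], bool]    # predicate over the certificate


def evaluate(rules: List[Rule], cert: ClientCert, url: str) -> bool:
    """Assumed evaluation order (not taken from KCA documentation): rules are
    checked top to bottom and the last rule whose URL prefix and predicate
    both match decides; if nothing matches, the request is denied."""
    allowed = False
    for rule in rules:
        if url.startswith(rule.url_prefix) and rule.matches(cert):
            allowed = rule.action == "allow"
    return allowed


def fingerprint_acl(fingerprint: str) -> List[Rule]:
    """The article's two rules: deny everything, then allow one URL to the
    one certificate with the given MD5 fingerprint."""
    return [
        Rule("deny", "/", lambda c: True),
        Rule("allow", EXPIRING_REPORT_URL,
             lambda c: c.md5_fingerprint() == fingerprint),
    ]


def subject_acl(o: str, ou: str, issuer_cn: str) -> List[Rule]:
    """The recommended alternative: deny everything, then allow the URL to
    any certificate with the given O/OU that was signed by the expected CA.
    The issuer check is what stops an unrelated CA from minting a
    certificate with a matching subject."""
    return [
        Rule("deny", "/", lambda c: True),
        Rule("allow", EXPIRING_REPORT_URL,
             lambda c: c.subject.get("O") == o
             and c.subject.get("OU") == ou
             and c.issuer_cn == issuer_cn),
    ]


# Constructed sample data; names, OU and DER bytes are made up for the demo.
ISSUER = "Example Corp Issuing CA"
SUBJECT = {"O": "Example Corp", "OU": "Cert Reporting", "CN": "alice"}
ORIGINAL = ClientCert(SUBJECT, ISSUER, der=b"\x30\x82cert serial=1001")
RENEWED = ClientCert(SUBJECT, ISSUER, der=b"\x30\x82cert serial=1002")
OTHER_CA = ClientCert(SUBJECT, "Untrusted CA", der=b"\x30\x82cert serial=7")
OTHER_ADMIN_URL = "/ca/admin/revoke"


def demo() -> Dict[str, bool]:
    """Evaluate both ACLs against the original, renewed and foreign-CA certs."""
    fp_acl = fingerprint_acl(ORIGINAL.md5_fingerprint())
    ou_acl = subject_acl("Example Corp", "Cert Reporting", ISSUER)
    return {
        "fp_report_original": evaluate(fp_acl, ORIGINAL, EXPIRING_REPORT_URL),
        "fp_revoke_original": evaluate(fp_acl, ORIGINAL, OTHER_ADMIN_URL),
        "fp_report_renewed": evaluate(fp_acl, RENEWED, EXPIRING_REPORT_URL),
        "ou_report_original": evaluate(ou_acl, ORIGINAL, EXPIRING_REPORT_URL),
        "ou_report_renewed": evaluate(ou_acl, RENEWED, EXPIRING_REPORT_URL),
        "ou_revoke_renewed": evaluate(ou_acl, RENEWED, OTHER_ADMIN_URL),
        "ou_report_other_ca": evaluate(ou_acl, OTHER_CA, EXPIRING_REPORT_URL),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'allowed' if ok else 'denied'}")
```

Running `demo()` shows the fingerprint ACL admitting only the original certificate to the report URL and rejecting the renewed one, while the O/OU plus issuer ACL admits both, still blocks every other administrative URL, and rejects a certificate with the same subject from a different CA.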

See the solution How to configure RSA Keon Web Sentry for different certificate access for other examples.

Legacy Article ID: a24709