5.1 Certificate Access Control List

Learn how you can refine communication security.

Communication security accepts a valid certificate during the connection handshake. The certificate must be signed by the server or, for a CA-issued certificate, must chain to a CA that the server trusts. However, you may need to filter and reject otherwise valid certificates based on internal policies. To support this additional validation, the MA extends standard certificate validation with a post-verification certificate Access Control List (ACL). This certificate ACL follows the general model used for network ACLs: the ACL is a map whose key identifies the governed element and whose value indicates whether the element is allowed or denied. A certACL entry has a scope specification that applies the entry to a specific identification element within the certificate (the subject name or the issuer name).

A certificate ACL is configured as an array of certACL entry specifications. Each specification minimally contains a permission statement indicating whether it allows or denies the client connection whose certificate it qualifies. The certACL entry specifications are processed in order, and processing stops at the first specification that qualifies the certificate. If a specification does not qualify the certificate, processing continues with the next specification. Once a certificate is qualified, the permission of the qualifying entry dictates whether the certificate is allowed or denied. If no certACL entry specification qualifies the certificate of the client requesting the connection, a default resolution of 'allow' is assumed and the certificate is accepted. Because of this default, an ACL consisting only of deny entries admits every certificate it does not name; review the list with that in mind.

CertACL Entry Syntax

certACL := '[' aclSpec [',' aclSpec ...] ']'
  aclSpec    := '{' perm [',' name] [',' scope] '}'
  perm       := "permission" ':' ( "deny" | "allow" )
  name       := "name"       ':' regex
  scope      := "scope"      ':' ( "subject-name" | "issuer-name" )
  regex      := ** A JSON string value holding a pattern in the dynamic regular expression syntax.

The regex syntax follows the ECMAScript definition. Because the pattern is written as a JSON string value, the backslash of any metacharacter used (such as \s) must itself be escaped, so \s appears as \\s in the configuration. Take care when specifying name regular expression patterns to ensure that only a full match with the intended target is accepted. In the examples below, the pattern matches only CN=AdminClnt, not CN=AdminClnt1, CN=AdminClntOther, CN=OtherAdminClnt, or CCN=OtherAdminClnt, because the pattern includes delimiter specifications that bound the target: CN=AdminClnt must either start the distinguished name or be preceded by whitespace or a comma, and must be followed by a comma (with optional surrounding whitespace) or by the end of the name. An unbounded pattern such as CN=AdminClnt alone would also qualify CN=AdminClnt1 and, in a deny entry, leave a mistaken match silently allowed or denied. These patterns assume a standard distinguished name format with no whitespace between the attribute name and the value; the non-standard CN = AdminClnt would not match.

Example 5-1 Allow All Certificates Except AdminClnt

"CertACL" : [ { "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=AdminClnt)(?:(?:\\s*(,+\\s*.*))$|\\s*$)", "permission" : "deny" } ]

Or, equivalently, with the scope stated explicitly (an entry without a scope applies to the subject name):

"CertACL" : [ { "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=AdminClnt)(?:(?:\\s*(,+\\s*.*))$|\\s*$)", "scope" : "subject-name", "permission" : "deny" } ]

Example 5-2 Deny Certificates Issued by Deploy2

"CertACL" : [ { "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Deploy2)(?:(?:\\s*(,+\\s*.*))$|\\s*$)", "scope" : "issuer-name", "permission" : "deny" } ]
 

Example 5-3 Deny Certificates Issued to Suspect or Any Certificate Issued by Deploy2

"CertACL" : [ { "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Suspect)(?:(?:\\s*(,+\\s*.*))$|\\s*$)", "scope" : "subject-name", "permission" : "deny" }, { "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Deploy2)(?:(?:\\s*(,+\\s*.*))$|\\s*$)", "scope" : "issuer-name", "permission" : "deny" } ]
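The following JavaScript is an added example and not MA product code; it is written in JavaScript because the name pattern uses the ECMAScript regex dialect and the configuration is JSON. It carries the Example 5-3 list through the evaluation described earlier in this section (entries processed in order, the first qualifying entry's permission wins, an unmatched certificate is allowed by default) over constructed subject and issuer names, and shows the JSON escaping of \s. It also generalizes the delimiter-bounded pattern used in the examples into a helper, boundedDnPattern, that builds the same pattern for any attribute and value and escapes regex metacharacters in the value. The configuration text, the distinguished names and the function names are constructed for this example; the assumptions that an entry without a scope applies to the subject name and that an entry without a name qualifies every certificate are marked in the comments.

```javascript
// Added example (not MA product code): evaluate a certACL list as described above.
// The configuration text and the DN strings are constructed for illustration.

// The Example 5-3 list exactly as written in the JSON configuration. String.raw keeps
// the doubled backslashes as they must appear in the file; JSON.parse then turns
// "\\s" into the regex metacharacter \s.
const certAclJson = String.raw`[
  { "name": "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Suspect)(?:(?:\\s*(,+\\s*.*))$|\\s*$)",
    "scope": "subject-name", "permission": "deny" },
  { "name": "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Deploy2)(?:(?:\\s*(,+\\s*.*))$|\\s*$)",
    "scope": "issuer-name", "permission": "deny" }
]`;

// Build the delimiter-bounded pattern used in the examples for any attribute and value.
// Regex metacharacters in the value (for example '.' in a DNS-style CN) are escaped so
// the value is matched literally.
function boundedDnPattern(attr, value) {
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return `^(?:(?:\\s*,?)|.*[\\s,]+)(${esc(attr)}=${esc(value)})(?:(?:\\s*(,+\\s*.*))$|\\s*$)`;
}

// Parse and validate the configured entries. Unknown permission or scope values are
// rejected outright rather than ignored: a silently dropped deny entry would fail open
// under the default-allow rule.
function parseCertAcl(jsonText) {
  const entries = JSON.parse(jsonText);
  if (!Array.isArray(entries)) throw new Error("certACL must be an array");
  return entries.map((e, i) => {
    if (e.permission !== "allow" && e.permission !== "deny") {
      throw new Error(`certACL entry ${i}: permission must be "allow" or "deny"`);
    }
    // Assumption: an entry without a scope applies to the subject name.
    const scope = e.scope === undefined ? "subject-name" : e.scope;
    if (scope !== "subject-name" && scope !== "issuer-name") {
      throw new Error(`certACL entry ${i}: unknown scope "${scope}"`);
    }
    // Assumption: an entry without a name qualifies every certificate (catch-all).
    const re = e.name === undefined ? null : new RegExp(e.name);
    return { permission: e.permission, scope, re };
  });
}

// cert = { subject: <DN string>, issuer: <DN string> }, as seen after standard
// certificate validation has already succeeded. Returns the resolved permission and
// the index of the qualifying entry (-1 means no entry qualified: default allow).
function evaluateCertAcl(acl, cert) {
  for (let i = 0; i < acl.length; i++) {
    const entry = acl[i];
    const target = entry.scope === "issuer-name" ? cert.issuer : cert.subject;
    if (entry.re === null || entry.re.test(target)) {
      return { permission: entry.permission, entry: i };
    }
  }
  return { permission: "allow", entry: -1 };
}

const exampleAcl = parseCertAcl(certAclJson);

// Constructed certificates, with DNs in the standard no-whitespace form.
const constructedCerts = [
  { subject: "CN=Suspect,OU=Ops,O=Acme", issuer: "CN=CorpCA,O=Acme" },  // denied by entry 0
  { subject: "CN=Deployer,O=Acme",       issuer: "CN=Deploy2,O=Acme" }, // denied by entry 1
  { subject: "CN=Deploy2,O=Acme",        issuer: "CN=CorpCA,O=Acme" },  // allowed: Deploy2 is only denied as issuer
  { subject: "CN=Suspect1,O=Acme",       issuer: "CN=CorpCA,O=Acme" },  // allowed: bounded pattern, not a prefix match
];

for (const cert of constructedCerts) {
  console.log(JSON.stringify(cert), "->", JSON.stringify(evaluateCertAcl(exampleAcl, cert)));
}
```

The third and fourth constructed certificates are the ones worth checking in a real configuration: a deny written against the wrong scope, or a name pattern without the delimiter bounding, both fall through to the default allow without any error.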