5.1 Certificate Access Control List
Learn how you can refine communication security.
The communication security layer accepts a valid certificate during the connection handshake. The certificate must be signed by the server or by a CA that the server trusts.
However, you may need to filter and reject otherwise valid certificates based on internal policies. To support this additional validation, the MA extends the standard certificate validation by adding a post-verification certificate Access Control List (ACL). This certificate ACL follows the general model used for network ACLs, where the ACL is a map whose key identifies the governed element and whose value indicates whether the element is allowed or denied. A certACL entry has a scope specification that allows the entry to be applied to specific identification elements within a certificate.
The configuration of a certificate ACL takes the form of an array of certACL entry specifications. Each specification minimally contains a permission statement indicating whether matching client connections are allowed or denied. The certACL entry specifications are processed in order, and processing terminates as soon as a specification qualifies the presented certificate. If the certificate does not qualify, processing continues with the next specification. Once a certificate is qualified, the permission of the qualifying certACL entry dictates whether the certificate is allowed or denied. If no certACL entry specification qualifies the certificate of the client requesting the connection, a default resolution of 'allow' is assumed and the certificate is accepted.
CertACL Entry Syntax
    certACL := '[' aclSpec [',' aclSpec] ']'
    aclSpec := '{' perm [',' name [',' scope]] '}'
    perm    := "permission" ':' ( "deny" | "allow" )
    name    := "name" ':' regex
    scope   := "scope" ':' ( "subject-name" | "issuer-name" )
    regex   := a regular expression **
    ** Uses the dynamic regular expression syntax.
The regex syntax follows the ECMAScript definition. Defining a regular expression as a JSON node value requires that the \ character in any meta symbol used (like \s) be escaped. Take care when specifying name regular expression patterns to ensure that only a full match with the intended target is accepted. In the examples below, the patterns match only the intended target CN=AdminClnt, and not CN=AdminClnt1, CN=AdminClntOther, CN=OtherAdminClnt, or CCN=OtherAdminClnt, because each pattern includes delimiter specifications that bound the target. These patterns assume a standard distinguished name format that allows no whitespace between the key name and the value; the non-standard form CN = AdminClnt would not match.
Example 5-1 Allow All Certificates Example
    "CertACL" : [
        {
            "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=AdminClnt)(?:(?:\\s*(,+\\s*.*))$|\\s$)",
            "permission" : "deny"
        }
    ]
Or
    "CertACL" : [
        {
            "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=AdminClnt)(?:(?:\\s*(,+\\s*.*))$|\\s$)",
            "scope" : "subject-name",
            "permission" : "deny"
        }
    ]
Example 5-2 Deny Certificates Issued from Deploy2
    "CertACL" : [
        {
            "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Deploy2)(?:(?:\\s*(,+\\s*.*))$|\\s$)",
            "scope" : "issuer-name",
            "permission" : "deny"
        }
    ]
Example 5-3 Certificates Issued to Suspect or Any Certificate Issued By Deploy2
    "CertACL" : [
        {
            "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Suspect)(?:(?:\\s*(,+\\s*.*))$|\\s$)",
            "scope" : "subject-name",
            "permission" : "deny"
        },
        {
            "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Deploy2)(?:(?:\\s*(,+\\s*.*))$|\\s$)",
            "scope" : "issuer-name",
            "permission" : "deny"
        }
    ]
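The following Python module is an added example, not code from the MA product or this documentation. It models the certACL evaluation described above (entries processed in order, first qualifying entry wins, default 'allow') and loads the Example 5-3 configuration from its JSON form so that the double-escaped \\s in the JSON text becomes the \s meta symbol the regex engine sees. The subject and issuer distinguished names are constructed sample values, Python's re module stands in for the ECMAScript engine (the patterns on this page behave the same in both), and treating an omitted scope as subject-name is an assumption taken from the two equivalent forms shown in Example 5-1. The function names are the example's own.

```python
"""Evaluate a certificate ACL (certACL) against peer certificate names.

Added example for the certACL section; not the product's own code.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def dn_pattern(cn_value: str) -> str:
    """Build the delimiter-bounded pattern used in the page's examples for a given CN.

    The CN value is escaped so only the literal value is matched; the surrounding
    groups require a comma or whitespace delimiter (or start of string) before CN=
    and a comma or whitespace after the value.
    """
    return (r"^(?:(?:\s*,?)|.*[\s,]+)(CN=" + re.escape(cn_value)
            + r")(?:(?:\s*(,+\s*.*))$|\s$)")


@dataclass
class CertAclEntry:
    permission: str              # "allow" or "deny"
    name: Optional[str]          # ECMAScript-style regex; None qualifies every certificate
    scope: str                   # "subject-name" or "issuer-name"

    def __post_init__(self) -> None:
        # Reject malformed entries at load time rather than at connection time.
        if self.permission not in ("allow", "deny"):
            raise ValueError(f"bad permission: {self.permission!r}")
        if self.scope not in ("subject-name", "issuer-name"):
            raise ValueError(f"bad scope: {self.scope!r}")
        self._regex = re.compile(self.name) if self.name is not None else None

    def matches(self, subject: str, issuer: str) -> bool:
        """True when this entry qualifies the certificate with the given names."""
        if self._regex is None:
            return True
        target = subject if self.scope == "subject-name" else issuer
        return self._regex.search(target) is not None


def load_cert_acl(json_text: str) -> List[CertAclEntry]:
    """Parse a {"CertACL": [...]} document into ordered entries."""
    doc = json.loads(json_text)
    entries = []
    for spec in doc["CertACL"]:
        # Assumption: an omitted scope means subject-name (Example 5-1 shows both forms).
        entries.append(CertAclEntry(permission=spec["permission"],
                                    name=spec.get("name"),
                                    scope=spec.get("scope", "subject-name")))
    return entries


def evaluate_cert_acl(acl: List[CertAclEntry], subject: str, issuer: str) -> str:
    """First qualifying entry decides; no qualifying entry means the default 'allow'."""
    for entry in acl:
        if entry.matches(subject, issuer):
            return entry.permission
    return "allow"


# Example 5-3 from the page, as it would appear in the JSON configuration.
# Raw string: the JSON decoder turns each \\ into \, so the regex engine sees \s.
ACL_JSON = r'''
{
  "CertACL" : [
    { "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Suspect)(?:(?:\\s*(,+\\s*.*))$|\\s$)",
      "scope" : "subject-name", "permission" : "deny" },
    { "name" : "^(?:(?:\\s*,?)|.*[\\s,]+)(CN=Deploy2)(?:(?:\\s*(,+\\s*.*))$|\\s$)",
      "scope" : "issuer-name", "permission" : "deny" }
  ]
}
'''


def demo() -> Dict[str, str]:
    """Run constructed (subject, issuer) pairs through the Example 5-3 ACL."""
    acl = load_cert_acl(ACL_JSON)
    cases = {  # constructed sample DNs, not real certificates
        "suspect-from-deploy1": ("CN=Suspect,OU=Ops,O=Example", "CN=Deploy1,O=Example"),
        "operator-from-deploy2": ("CN=Operator,OU=Ops,O=Example", "CN=Deploy2,O=Example"),
        "operator-from-deploy1": ("CN=Operator,OU=Ops,O=Example", "CN=Deploy1,O=Example"),
        "suspect1-from-deploy1": ("CN=Suspect1,OU=Ops,O=Example", "CN=Deploy1,O=Example"),
        # Deploy2 as a subject is not caught: the second entry is issuer-scoped.
        "deploy2-subject-only": ("CN=Deploy2,OU=Ops,O=Example", "CN=Deploy1,O=Example"),
    }
    return {k: evaluate_cert_acl(acl, s, i) for k, (s, i) in cases.items()}


def admin_clnt_matches() -> Dict[str, bool]:
    """Show which of the page's sample names the bounded CN=AdminClnt pattern accepts."""
    regex = re.compile(dn_pattern("AdminClnt"))
    dns = ["CN=AdminClnt,OU=Ops", "OU=Ops,CN=AdminClnt,O=Example",
           "CN=AdminClnt1,OU=Ops", "CN=AdminClntOther,OU=Ops",
           "CN=OtherAdminClnt,OU=Ops", "CCN=OtherAdminClnt,OU=Ops",
           "CN = AdminClnt,OU=Ops"]  # non-standard whitespace form from the text
    return {dn: regex.search(dn) is not None for dn in dns}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24s} -> {verdict}")
    for dn, ok in admin_clnt_matches().items():
        print(f"{dn:32s} -> {'match' if ok else 'no match'}")
```

Because the engine stops at the first qualifying entry, the order of entries in the array is part of the policy: a broad allow placed before a narrow deny silences the deny. The constructed Deploy2-as-subject case also shows why scope matters: an issuer-scoped deny says nothing about a leaf certificate that merely carries the same CN.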
Parent topic: TLS and Secure Network Protocols