
Table Of Contents

Managing Certificate ACLs

Viewing Certificate ACLs

Assigning Certificate ACLs to Trustpoints

Viewing Associated Trustpoints

Adding Certificate ACL

Editing Certificate ACLs

Deleting Certificate ACLs


Managing Certificate ACLs


Certificates are used to identify an entity (a user or device) and, using fields within the certificate, to associate attributes with that entity. The certificates include several fields that determine whether the entity is authorized to perform a specified action. The Certificate Security Attribute-Based Access Control feature adds a new command, crypto CA certificate ACL, and new fields to the certificate that create the certificate-based access control list (ACL).

The certificate-based ACL specifies one or more fields within the certificate and an acceptable value for each specified field. You can specify which fields within a certificate should be checked and which values those fields may or may not have. There are six logical tests for comparing the field with the value:

equal

not equal

contains

does not contain

less than

greater than or equal

If more than one field is specified within a single certificate-based ACL, the tests of all of the fields within the ACL must succeed to match the ACL.

The same field may be specified multiple times within the same ACL.

More than one ACL may be specified. Each ACL will be processed in turn until a match is found or all of the ACLs have been processed.

CVDM-SSLSM allows you to define Certificate ACLs (certificate attribute-based access control) that are evaluated against the attributes of the peer certificate.

These topics describe usage of certificate-based ACLs in CVDM-SSLSM:

Viewing Certificate ACLs

Adding Certificate ACL

Editing Certificate ACLs

Assigning Certificate ACLs to Trustpoints

Deleting Certificate ACLs

Viewing Certificate ACLs

You can view all certificate ACLs configured in the device.


Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints > Certificate ACLs from the object selector.

The following fields appear:

Field: Description

Name: Name or tag associated with the Certificate ACL.

Number of ACL Entries: Number of entries in the Certificate ACL.

Number of Trustpoints (Use Count): Number of trustpoints to which the Certificate ACL is assigned.


To view the details of a certificate ACL, select a certificate ACL from the table. The following details are displayed at the lower section of the content pane:

Field: Description

Certificate ACL Details: <Certificate ACL name>

Certificate ACL Entries and Criteria

Sequence: The sequence numbers of the Certificate ACL entries.


To view the details of a certificate ACL entry, select its sequence number.

Field: Description

Certificate Field: The certificate field to be examined for access control. The field name is one of the following case-insensitive name strings or a date:

subject-name

issuer-name

unstructured-subject-name

alt-subject-name

name

valid-start

expires-on

Match Condition: The following match conditions are supported:

Equals (eq)

Not Equals (neq)

Contains (co)

Not Contains (nc)

Less than (lt)

Greater than or Equals (ge)

Match Value: The name or date that the certificate field is compared with, using the selected match condition.


Select a certificate ACL from the list, then click Assign to Trustpoints to assign a certificate ACL to a trustpoint.

Click Add to add a certificate ACL.

To edit a certificate ACL, select a certificate ACL and click Edit.

To delete a certificate ACL, select a certificate ACL and click Delete.

To view Trustpoints associated with a certificate ACL, select a certificate ACL and click View Associated Trustpoints.


Assigning Certificate ACLs to Trustpoints

You can assign a certificate ACL to one or more trustpoints configured in the device.


Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector.

Step 2 Select a Certificate ACL from the list, and click Assign to Trustpoints. The Assign to Trustpoint dialog box appears.

The following fields appear:

Field: Description

Certificate ACL Name: The name of the Certificate ACL being assigned.

Trustpoint Name: The trustpoint associated with the Certificate ACL.

CA Name: The CA name of the associated trustpoint.

Subject Name: The subject name of the certificate.

Selected Trustpoints: The trustpoints currently assigned to the Certificate ACL.


Step 3 Select the Trustpoints from the list, and click Add>> to assign the certificate ACL. Click << Remove to remove the trustpoint from the selected list.


Viewing Associated Trustpoints

To view the Trustpoints associated with a Certificate ACL:


Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector.

Step 2 Select a Certificate Map from the table. The Certificate ACL details appear at the lower section of the content window.

Step 3 Select a sequence from the sequence list, then click View Associated Trustpoints.

The following details appear for the associated Trustpoints:

Field: Description

Trustpoint Name: The trustpoint associated with the Certificate ACL.

CA Name: The CA name of the associated trustpoint.

Subject Name: The subject of the associated trustpoint.



Adding Certificate ACL


Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector. The Certificate ACLs page appears.

Step 2 Click Add. The Add Certificate ACL dialog box appears.

Using this dialog box you can:

Add a new ACL entry

Remove an existing ACL entry

Add new criteria to an existing ACL entry

Remove criteria from an existing ACL entry.

The dialog box displays the following fields:

Field: Action/Description

Certificate ACL Name: Name or tag associated with the Certificate Map.

Certificate ACL Entries and Criteria

Certificate ACL Entry: To add a new ACL entry, enter the ACL sequence number in the New ACL Entry field, then click >> Add. To remove an ACL entry, select the ACL entry from the sequence list, then click << Remove.

Sequence: The sequence number of the ACL entry. The valid range is from 1 to 65535.

Certificate Field: Select one of the following certificate fields to be examined for access control:

Subject Name

Alternate Subject Name

Any subject name field

Unstructured subject name

Issuer name

Valid start date

Expiry date

Match Condition: The following match conditions are supported:

Equals (eq)

Not Equals (neq)

Contains (co)

Not Contains (nco)

Less than (lt)

Greater than or Equals (ge)

Match Value: The certificate field value to test against.


To add new criteria to the ACL entry, select a certificate field and match condition, then enter the match value and click Add. The values you entered appear in the table. To remove a criterion from the ACL entry, select a row in the table, then click Remove.

Step 3 Click OK to complete the task.


Editing Certificate ACLs


Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector. The Certificate ACLs page appears.

Step 2 Select a Certificate ACL from the list, then click Edit. The Edit Certificate Map dialog box appears.

Using this dialog box you can:

Add a new ACL entry

Remove an existing ACL entry

Add new criteria to an existing ACL entry

Remove criteria from an existing ACL entry.

The page displays the following fields:

Field: Description

Certificate ACL Name: Name associated with the Certificate ACL.

Certificate ACL Entries and Criteria

Certificate ACL Entry: To add a new ACL entry, enter the ACL sequence number in the New ACL Entry field, then click ADD. To remove an ACL entry, select the ACL entry from the sequence list, then click Remove.

Sequence: The sequence number of the ACL entry. The valid range is from 1 to 65535.

Certificate Field: Select one of the following certificate fields to be examined for access control:

Subject Name

Alternate Subject Name

Any subject name field

Unstructured subject name

Issuer name

Valid start date

Expiry date

Match Condition: The following match conditions are supported:

Equals (eq)

Not Equals (neq)

Contains (co)

Not Contains (nco)

Less than (lt)

Greater than or Equals (ge)

Match Value: The certificate field value to test against.


To add new criteria to the ACL entry, select a certificate field and match condition, then enter the match value and click Add. The values you entered appear in the table. To remove a criterion from the ACL entry, select a row in the table, then click Remove.

Step 3 Click OK to add the certificate ACL.


Deleting Certificate ACLs


Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector. The Certificate ACLs page appears.

Step 2 Select a certificate ACL, then click Delete.




Posted: Fri Apr 15 01:09:17 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.