Roles#

OS administrator:

  • allowed to access the server machine locally

  • belongs to super-user group

PKI administrator:

  • allowed to access the server machine locally

  • belongs to pkiuser group

  • not allowed to access audit logs

PKI auditors:

  • not allowed to access the server machine locally

  • allowed to access audit logs remotely via CLI/UI

Configuration Files#

drwxrwx--- pkiuser pkiuser /etc/pki/pki-tomcat
-rw-rw---- pkiuser.pkiuser /etc/pki/pki-tomcat/*

Notes:

  • accessible by pkiuser user and group

  • not accessible by others

NSS Database#

drwxrwx--- pkiuser pkiuser /etc/pki/pki-tomcat/alias
-rw------- pkiuser pkiuser /etc/pki/pki-tomcat/alias/*

Notes:

  • the folder is accessible by pkiuser user and group, but not others

  • the files are only accessible by pkuser user, but not the group or others

Audit Logs#

drwx------ pkiuser.pkiuser /var/log/pki/pki-tomcat/ca/signedAudit
-rw------- pkiuser.pkiuser /var/log/pki/pki-tomcat/ca/signedAudit/*
drwx------ pkiuser.pkiuser /var/log/pki/pki-tomcat/kra/signedAudit
-rw------- pkiuser.pkiuser /var/log/pki/pki-tomcat/kra/signedAudit/*
drwx------ pkiuser.pkiuser /var/log/pki/pki-tomcat/ocsp/signedAudit
-rw------- pkiuser.pkiuser /var/log/pki/pki-tomcat/ocsp/signedAudit/*
drwx------ pkiuser.pkiuser /var/log/pki/pki-tomcat/tks/signedAudit
-rw------- pkiuser.pkiuser /var/log/pki/pki-tomcat/tks/signedAudit/*
drwx------ pkiuser.pkiuser /var/log/pki/pki-tomcat/tps/signedAudit
-rw------- pkiuser.pkiuser /var/log/pki/pki-tomcat/tps/signedAudit/*

Notes:

  • accessible by pkiuser user

  • not accessible pkiuser group and others

  • PKI auditors can accesss via CLI/UI since the server is running as pkiuser user