The access control module enables requests to the TSA service to be controlled. The default option is open access, however filters can be set that restrict access based on TLS client certificates or by IP address. Username and password authentication is considered very weak and is not supported. Signed requests are currently not supported but could be on request.

The following screen is used to make the necessary configurations:

The configuration items are as follows:

Items

Description

Allow open access

If this option is checked, it allows open access and all requests are accepted.

Allow access based on TLS client certificates

This option has two sub-filters:

  • Allow access only to the certificates issued by CAs which are registered in the Trust Manager
  • Allow/deny access to certificates issued by CAs registered in the Trust Manager with defined key words such as common name, organisation etc. in them. E.g. choose the option include following DN attributes and set Common Name = CA1, Organisation = Ascertia for Issuer Certificate. This allows access to TLS client certificates to TSA service having "CA1" as its common name and "Ascertia" as its organization. Requests with TLS client certs from any other issuer certificate will be rejected.

Allow access based on IP addresses

This option allows you to list IP addresses to allow/deny. Wildcards “*” can also be used. The list is process top-down until a match is found.

  • Allow Access Example: Choose the option Include IP address and enter IP address e.g. 192.168.1.1 to give TSA service access to this IP address only.
  • Deny Access Example: Choose the option Exclude IP address and enter IP address e.g. 192.168.1.1 to deny TSA service access to this IP address only.
  • Wildcard Example: Choose any option i.e. Exclude IP address or Include IP address and give IP address e.g. 192.168.*.* to deny/allow TSA service access to any IP address falling in this IP range.


Choosing the option Allow access based on TLS client certificates and clicking Add/Edit button will show the following screen where filtering can be performed based on Issuer or Subject DN Attributes:

Also, choosing the option Allow access based on IP addresses and clicking Add/Edit button will show the following screen where such IP addresses can be defined:

At least one include entry must be entered before an exclude entry can be specified in all the above cases. The TSA service must be restarted or reloaded after changes made to the access control rules.


See also

Configuring the TSA Service
Transactions Log Viewer
Logs Archiving
Alerts
Management Reporting
Timestamp Service Interface URLs
Optimising ADSS TSA Server Performance