The ADSS SCVP access control module allows you to restrict access to the service based on:

  • TLS client authentication certificates 
  • Request signing certificate 
  • Client IP address 

The following page is used to make the necessary configurations:


Items

Description

Allow Open Access

By selecting this option, any client can send a request to the server from any IP address, and the request will be accepted for processing.

Allow access based on TLS client certificates

This option has two sub-filters:

  • Access is allowed only to those clients whose TLS client authentication certificate's issuer is registered in the Trust Manager.
  • Access is allowed or denied to those clients whose TLS client authentication certificate's issuer is registered in the Trust Manager, with additional restrictions applied based on the client authentication certificate's DN. For example, choosing the option "Include following DN attributes" and setting O=Ascertia grants SCVP service access to TLS client certificates whose issuer is registered in the Trust Manager and whose DN also contains "Ascertia" as its organization. Requests with TLS client certificates from any other issuer are rejected.

Allow requests based on requests being signed

This option also has two sub-filters, as in the case above:

  • Access is allowed only to those clients whose SCVP request signing certificate's issuer is registered in the Trust Manager.
  • Access is allowed or denied to those clients whose SCVP request signing certificate's issuer is registered in the Trust Manager, with additional restrictions applied based on the signer certificate's DN. For example, choosing the option "Include following DN attributes" and setting O=Ascertia grants access to SCVP requests whose signing certificate's issuer is registered in the Trust Manager and whose DN also contains "Ascertia" as its organization. Requests that do not pass the defined criteria based on the SCVP request signing certificate are rejected.

Allow access based on IP addresses

This option allows or denies a client's access to the SCVP service based on its IP address. The wildcard “*” can also be used in the allowed or denied IP address strings. The list is processed top-down until a match is found.

  • Allow Access Example: Choosing the option Include IP address and entering an IP address, e.g. 192.168.1.1, allows SCVP service access to this IP address only. The rest of the IPs will be allowed.
  • Deny Access Example: Choosing the option Exclude IP address and entering an IP address, e.g. 192.168.1.2, denies SCVP service access to this IP address only. The rest of the IPs will be rejected.
  • Wildcard Example: Choosing either option, i.e. Exclude IP address or Include IP address, and entering an IP address such as 192.168.*.* denies or allows SCVP service access to any IP address falling in this range.


Choosing the option Allow access based on TLS client certificates or Allow access based on requests being signed and clicking the Add/Edit button shows the following screen, where filtering can be performed based on Issuer or Subject DN attributes:

Also, choosing the option Allow access based on IP addresses and clicking the Add/Edit button shows the following screen, where filtering can be performed based on IP address:


Note that in all the above cases at least one include entry must be entered before an exclude entry is specified. The SCVP service must be restarted for the changes to take effect.
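The following is an added illustration, not ADSS code, of how the filters described above behave when evaluated: the IP include/exclude list with "*" wildcards processed top-down until the first match, the rule that an include entry must precede any exclude entry, and the DN attribute filter layered on top of the Trust Manager issuer check. The rule shapes, the default-deny result when no entry matches, and the small DN-parsing helper are assumptions made for the example.

```python
# Added example (not ADSS code): models the SCVP access-control filters described
# above. The list/rule shapes, the default-deny result when nothing matches and
# the DN-string helper are assumptions; the page only describes the behaviour.
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]  # ("include" | "exclude", IP string, "*" allowed per octet)

def ip_matches(client_ip: str, pattern: str) -> bool:
    """Octet-wise match: each pattern octet is either "*" or must equal the client's."""
    c, p = client_ip.split("."), pattern.split(".")
    return len(c) == len(p) == 4 and all(q == "*" or q == o for o, q in zip(c, p))

def validate_rules(rules: List[Rule]) -> bool:
    """At least one include entry must exist before any exclude entry is specified."""
    for i, (action, _) in enumerate(rules):
        if action == "exclude" and not any(a == "include" for a, _ in rules[:i]):
            return False
    return True

def ip_allowed(client_ip: str, rules: List[Rule]) -> bool:
    """Process the list top-down; the first matching entry decides. A specific
    exclude listed after a broader include that already covers it is never reached.
    No match at all: the client is covered by no include entry, so deny (assumed)."""
    if not validate_rules(rules):
        raise ValueError("an exclude entry has no preceding include entry")
    for action, pattern in rules:
        if ip_matches(client_ip, pattern):
            return action == "include"
    return False

def parse_dn(dn: str) -> Dict[str, str]:
    """Minimal split for DNs such as "CN=svc1,O=Ascertia,C=GB" (escaped commas
    are not handled; enough for checking the configured attributes)."""
    return dict(part.strip().split("=", 1) for part in dn.split(","))

def cert_allowed(issuer_dn: str, subject_dn: str, trusted_issuers: Set[str],
                 include_attrs: Dict[str, str]) -> bool:
    """Issuer must be registered in the Trust Manager; then every configured
    "Include following DN attributes" entry must appear in the subject DN."""
    if issuer_dn not in trusted_issuers:
        return False
    subject = parse_dn(subject_dn)
    return all(subject.get(k) == v for k, v in include_attrs.items())

if __name__ == "__main__":
    rules = [("include", "192.168.*.*"), ("exclude", "192.168.1.2")]  # constructed
    print(ip_allowed("192.168.1.2", rules))  # the include matched first
    trusted = {"CN=Example Issuing CA,O=Ascertia,C=GB"}  # constructed issuer DN
    print(cert_allowed("CN=Example Issuing CA,O=Ascertia,C=GB",
                       "CN=scvp-client,O=Ascertia,C=GB", trusted, {"O": "Ascertia"}))
```

The first call shows why entry order matters under top-down processing: the wildcard include covers 192.168.1.2 before the exclude for that address is reached.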


See also

Configuring the SCVP Service

Access Control
Transactions Log Viewer
Logs Archiving
Alerts
Management Reporting
Operating the SCVP Service in FIPS 201 Compliant Mode
SCVP Service Interface URLs