Policies
CipherTrust Manager uses an Attribute-Based Access Control (ABAC) model to authorize operations. ABAC essentially means that access-control policies can be expressed in terms of the attributes of the things involved in the request. The "things" involved are usually a user, a target (like a "key"), and the "environment" of the request, which includes things like the time, source IP, source geo-region, incoming port, etc.
Warning
Modifying the policy is an advanced operation that can result in lockouts and render a system unusable. It is strongly recommended that policy only be modified in consultation with Technical Support.
CipherTrust Manager ABAC system is inspired by XACML and Amazon AWS policies.
An ABAC policy can use the attributes of any of these things to decide if the policy applies to the request. For example, an ABAC policy can say, "Allow reading Key XYZ, but only at night, if the Key is 'enabled', and if the user is the 'hr' department, and the user is an admin, and the request comes from the internal port".
ABAC is nice because it is a super-set of other commonly used, access control systems, such as Role-Based Access Control (RBAC). RBAC is essentially just ABAC policies defined in terms of the user's "role" attribute.
CipherTrust Manager ABAC policies are expressed in terms of two resources: Policies and Policy Attachments.
Policy composition
A Policy is composed of:
a set of actions (i.e. operations)
a set of targets
a rule, either "allow" or "deny"
a set of conditions (optional)
The conditions are matching rules, which are tested against the request, to further refine the set of requests a Policy applies to. For example, a simple policy might be:
allow read and write to key ABC and key XYZ
Conditions can further refine this policy:
allow read and write to key ABC and key XYZ, under the following conditions:
the key is for document signing
the user is in the "Signers" group
the request is from an internal IP address
Policy attachments
Policies on their own are not enforced. Policies have to be attached to a set of users first. This is done by creating Policy Attachments.
A Policy Attachment refers to a single policy, and set of users. The set of users is expressed as matching rule (sort of like policy conditions) which is tested against the user information contained the API token. For example, policy attachments can match a single user, or all users in a group, or users contain some flag in their metadata, or can match all users.
For example, say I named the Policy above "Internal HR Key Usage". I could enforce that policy by attaching it to users in the HR department. The Policy Attachment would look like:
Policy: Internal HR Key Usage
Attached To: Users in the HR department
This is a bit confusing, since the policy's conditions can refer to user attributes as well. For example, I could have moved the "Signers" group condition from the policy to the policy attachment, and have the same effect. This redundancy is intentional: it allows some added flexibility with the expression and application of policies.
Default policies
On launch, CipherTrust Manager is pre-installed with a set of Policies and Policy Attachments, which define a default set of group based access controls. However, admins can add to, revise, or replace these Policies with their own, to implement almost any kind of access control regime.
Warning
Modifying the policy is an advanced operation that can result in lockouts and render a system unusable. It is strongly recommended that policy only be modified in consultation with Technical Support.
The default policies enforce the following access control rules:
The "admin" user can do anything
Members of the "admin" group can do anything
All users can create keys
Users may perform any operation on keys they created
Users can grant group permissions to the keys they created
Users in the "global" group can perform most operations to keys with the "global" flag set
Taken together, these policies implement an authorization model that mimics SafeNet KeySecure Classic:
All Users can create keys, which they "own"
Users have admin privileges to the keys they own
Key owners can grant user groups limited usage privileges to their keys
Usage
Policies are currently somewhat dangerous primitives; it is possible to create policies that will lock out all access to CipherTrust Manager. Plans are to provide some canned policy sets for common access control regimes (such as RBAC), and some safety measures to prevent users from applying policies that would lock out admins irreversibly.
Managing login authentication for local users using policies
The CipherTrust Manager allows you to create policies to manage local user authentication based on the parameters of Interfaces, Client IP, and client applications. Policies cannot be automatically enforced, you must assign them to a set of users/groups using the policy attachment.
Interfaces
To create a policy, use any of the option:
Interface name - specify the
path
ascontext.environment.interface.name
and specify the required values in thevalues
parameter, for example, "values": ["nae_all_123"].Interface port - specify the
path
ascontext.environment.interface.port
and specify the required values in thevalues
parameter, for example, "values": [1234].Interface type - specify the
path
ascontext.environment.interface.type
and specify the required values in thevalues
parameter, for example, "values": ["nae"]The CipherTrust Manager supports the following values for Interface type -
nae
for NAE interfacekmip
for KMIP interfaceweb
for any interface other than NAE and KMIP
Example - Block users in a group from logging in to Web interface using policies
Web interface implies the login requests from UI, API playground, ksctl, and any API request from the external clients. To block a set of users from logging to Web interface, perform the following steps:
Create a policy
Let's create a policy with the group name "Blocked Web Users".
{
"name": "Blocked Web Users",
"effect": "deny",
"resources": [],
"actions": [
"IssueJWT"
],
"conditions": [
{
"op": "equals",
"path": "context.environment.interface.type",
"values": [
"web"
]
}
]
}
Create a policy attachment
{
"policy": "id-of-the-policy-from-previous-api",
"principalSelector": {
"cust": {
"groups": ["Blocked Web Users"]
}
}
}
Client IP
Caution
Be extremely cautious while allowlisting IP addresses. If an incorrect IP address is allowlisted, all the users, including the admin, will be locked, and the entire cluster will become inaccessible and non-modifiable. Even the Admin Disaster Recovery feature does not address this scenario. Contact Thales Customer Support for assistance.
Make sure to consider the entire set of client IPs communicating to any node in the CipherTrust Manager cluster when creating the allowlisting policies. Because the added policies are applied to the entire cluster and not only to a specific node.
Note
Policies created to manage authentication based on the Client IP parameter don't apply to the requests coming to the NAE and KMIP interfaces with "anonymous login" mode enabled.
The CipherTrust Manager enables you to allow or block client IPs to authenticate local users. Only the allowed users can access the CipherTrust Manager using the JWT.
For client IPs, specify the following parameters:
effect
: set the value to "deny".path
: specify the path ascontext.environment.client_ip
. For specific ports, specify the path ascontext.environment.interface.port
.values
: specify the IPs to be allowed or blocked.negate
: set value totrue
to allow the IPs. Default value isfalse
.Note
For client IPs, it is mandatory to set the value of
effect
todeny
("effect": "deny"). It blocks all the IPs defined in thevalues
field from logging on to the CipherTrust Manager. However, if you want certain IPs to be allowed, set the value ofnegate
totrue
("negate": true) andeffect
todeny
("effect": "deny").
Create a policy to allow client IPs
To create a policy to allow client IPs:
Syntax
ksctl policy create --jsonfile <json-file>
Example Request
ksctl policy create --json-file example.json
example.json
{
"name": "Allow Certain ip",
"effect": "deny",
"resources": [],
"actions": [ "IssueJWT"],
"conditions": [ {
"negate":true,
"op": "equals",
"path": "context.environment.client_ip",
"values": [
"192.168.1.5","192.168.5.2"
]
}]
}
Example Response
{
"id": "07d10481-7d88-4a48-ad2a-8dc2efd6b40f",
"uri": "kylo:kylo:admin:policies:allow-certain-ip-07d10481-7d88-4a48-ad2a-8dc2efd6b40f",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-07-26T07:58:45.006746Z",
"name": "Allow Certain ip",
"deletedAt": null,
"updatedAt": "2023-07-26T07:58:45.006746Z",
"actions": [
"IssueJWT"
],
"resources": [],
"allow": false,
"effect": "deny",
"conditions": [
{
"path": "context.environment.client_ip",
"op": "equals",
"values": [
"192.168.1.5",
"192.168.5.2"
],
"negate": true
}
]
}
Create policy attachment
Now to attach the above created policy, use the "id" of the policy created.
Syntax
ksctl polattach create --prinjson <principal-selector-json-file>
Example Request
ksctl polattach create --prinjson attachment.json
attachment.json
{
"policy": "07d10481-7d88-4a48-ad2a-8dc2efd6b40f",
"principalSelector": {},
"jurisdiction": ""
}
Example Response
{
"id": "4deb1d53-31d7-452a-8b55-0400d502e8ee",
"uri": "kylo:kylo:admin:policy-attachments:4deb1d53-31d7-452a-8b55-0400d502e8ee",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-07-26T07:59:02.935252Z",
"updatedAt": "2023-07-26T07:59:02.935252Z",
"policy": "kylo:kylo:admin:policies:allow-certain-ip-07d10481-7d88-4a48-ad2a-8dc2efd6b40f",
"jurisdiction": "kylo:kylo:admin:accounts:kylo",
"principalSelector": {},
"includeExternalPrincipals": false,
"name": "Allow Certain ip",
"actions": [
"IssueJWT"
],
"resources": [],
"allow": false,
"effect": "deny",
"conditions": [
{
"path": "context.environment.client_ip",
"op": "equals",
"values": [
"192.168.1.5",
"192.168.5.2"
],
"negate": true
}
]
}
Create a policy to block client IPs
To create a policy to block client IPs:
Syntax
ksctl policy create --jsonfile <json-file>
Example Request
ksctl policy create --json-file block-example.json
block-example.json
{
"name": "Block ips",
"effect": "deny",
"resources": [],
"actions": [
"IssueJWT"
],
"conditions": [
{
"op": "equals",
"path": "context.environment.client_ip",
"values": [
"192.168.1.5",
"192.168.5.2"
]
}
]
}
Example Response
{
"id": "bbc6e24a-fdae-44c6-bd1d-dacb1a3ef874",
"uri": "kylo:kylo:admin:policies:block-aman-bbc6e24a-fdae-44c6-bd1d-dacb1a3ef874",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-07-25T09:46:01.863493Z",
"name": "Block ips",
"deletedAt": null,
"updatedAt": "2023-07-25T09:46:01.863493Z",
"actions": [
"IssueJWT"
],
"resources": [],
"allow": false,
"effect": "deny",
"conditions": [
{
"path": "context.environment.client_ip",
"op": "equals",
"values": [
"192.168.1.5",
"192.168.5.2"
]
}
]
}
Create policy attachment
Now to attach the above created policy, use the "id" of the policy created.
Syntax
ksctl polattach create --prinjson <principal-selector-json-file>
Example Request
ksctl polattach create --prinjson block-attachment.json
block-attachment.json
{
"policy": "bbc6e24a-fdae-44c6-bd1d-dacb1a3ef874",
"principalSelector": {},
"jurisdiction": ""
}
Example Response
{
"id": "5e188e61-78c9-4711-851f-025363214cbc",
"uri": "kylo:kylo:admin:policy-attachments:5e188e61-78c9-4711-851f-025363214cbc",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-07-25T09:47:22.751751Z",
"updatedAt": "2023-07-25T09:47:22.751751Z",
"policy": "kylo:kylo:admin:policies:block-aman-bbc6e24a-fdae-44c6-bd1d-dacb1a3ef874",
"jurisdiction": "kylo:kylo:admin:accounts:kylo",
"principalSelector": {},
"includeExternalPrincipals": false,
"name": "Block ip",
"actions": [
"IssueJWT"
],
"resources": [],
"allow": false,
"effect": "deny",
"conditions": [
{
"path": "context.environment.client_ip",
"op": "equals",
"values": [
"192.168.1.5",
"192.168.5.2"
]
}
]
}
Create a policy to allow client IPs of a subnet
To create a policy to allow client IPs of a specific subnet:
Syntax
ksctl policy create --jsonfile <json-file>
Example Request
ksctl policy create --json-file example.json
example.json
{
"name": "Allow IPs of a Subnet",
"effect": "deny",
"resources": [],
"actions": [ "IssueJWT"],
"conditions": [ {
"negate": true,
"op": "regex",
"path": "context.environment.client_ip",
"values": [
"165.225.*"
]
}]
}
Example Response
{
"id": "367969df-e591-4497-a7e6-55ecfa3e9c08",
"uri": "kylo:kylo:admin:policies:allow-certain-ip-367969df-e591-4497-a7e6-55ecfa3e9c08",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-11-17T09:11:56.05426Z",
"name": "Allow IPs of a Subnet",
"deletedAt": null,
"updatedAt": "2023-11-17T09:11:56.05426Z",
"actions": [
"IssueJWT"
],
"resources": [],
"allow": false,
"effect": "deny",
"conditions": [
{
"path": "context.environment.client_ip",
"op": "regex",
"values": [
"165.225.*"
],
"negate": true
}
]
}
In the above example, all the IPs of the subnet 165.225.0.0/16
will be allowed.
Create policy attachment
Now to attach the above created policy, use the "id" of the policy created.
Syntax
ksctl polattach create --prinjson <principal-selector-json-file>
Example Request
ksctl polattach create --prinjson attachment.json
attachment.json
{
"policy": "367969df-e591-4497-a7e6-55ecfa3e9c08",
"principalSelector": {},
"jurisdiction": ""
}
Create a policy to block client IPs of a subnet
To create a policy to block client IPs of a specific subnet:
Syntax
ksctl policy create --jsonfile <json-file>
Example Request
ksctl policy create --json-file example.json
example.json
{
"name": "Block IPs of a Subnet",
"effect": "deny",
"resources": [],
"actions": [ "IssueJWT"],
"conditions": [ {
"op": "regex",
"path": "context.environment.client_ip",
"values": [
"165.225.*"
]
}]
}
Example Response
{
"id": "21c8cfe4-cba2-436a-85fc-2df7b22afbd7",
"uri": "kylo:kylo:admin:policies:block-certain-ip-21c8cfe4-cba2-436a-85fc-2df7b22afbd7",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-11-17T09:12:24.23122Z",
"name": "Block IPs of a Subnet",
"deletedAt": null,
"updatedAt": "2023-11-17T09:12:24.23122Z",
"actions": [
"IssueJWT"
],
"resources": [],
"allow": false,
"effect": "deny",
"conditions": [
{
"path": "context.environment.client_ip",
"op": "regex",
"values": [
"165.225.*"
]
}
]
}
In the above example, all the IPs of the subnet 165.225.0.0/16
will be blocked.
Create policy attachment
Now to attach the above created policy, use the "id" of the policy created.
Syntax
ksctl polattach create --prinjson <principal-selector-json-file>
Example Request
ksctl polattach create --prinjson block-attachment.json
block-attachment.json
{
"policy": "21c8cfe4-cba2-436a-85fc-2df7b22afbd7",
"principalSelector": {},
"jurisdiction": ""
}
Create a policy to allow specific client IPs for ports
To create a policy to allow specific client IPs for ports:
Syntax
ksctl policy create --jsonfile <json-file>
Example Request
ksctl policy create --json-file example.json
example.json
{
"name": "Allow ip for a specific port",
"effect": "deny",
"resources": [],
"actions": [ "IssueJWT"],
"conditions": [ {
"op": "equals",
"path": "context.environment.interface.port",
"values": [
"9001","9902","9903"
]
},
{
"negate" : true,
"op": "equals",
"path": "context.environment.client_ip",
"values": [
"122.185.33.186"
]
}]
}
Example Response
{
"id": "282b2e01-02f7-429a-aaa6-a7e9af939dee",
"uri": "kylo:kylo:admin:policies:allow-certain-ip2-282b2e01-02f7-429a-aaa6-a7e9af939dee",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-11-17T09:08:46.127197Z",
"name": "Allow ip for a specific port",
"deletedAt": null,
"updatedAt": "2023-11-17T09:08:46.127197Z",
"actions": [
"IssueJWT"
],
"resources": [],
"allow": false,
"effect": "deny",
"conditions": [ {
"op": "equals",
"path": "context.environment.interface.port",
"values": [
"9001","9902","9903"
]
},
{
"path": "context.environment.client_ip",
"op": "equals",
"values": [
"122.185.33.186"
],
"negate": true
}
]
}
In the above example, only 122.185.33.186
IP will be allowed for ports "9001, 9902, and 9903".
Create policy attachment
Now to attach the above created policy, use the "id" of the policy created.
Syntax
ksctl polattach create --prinjson <principal-selector-json-file>
Example Request
ksctl polattach create --prinjson attachment.json
attachment.json
{
"policy": "282b2e01-02f7-429a-aaa6-a7e9af939dee",
"principalSelector": {},
"jurisdiction": ""
}
Create a policy to block specific client IPs for ports
To create a policy to block specific client IPs for ports:
Syntax
ksctl policy create --jsonfile <json-file>
Example Request
ksctl policy create --json-file example.json
example.json
{
"name": "Block ips for a specific port",
"effect": "deny",
"resources": [],
"actions": [ "IssueJWT"],
"conditions": [ {
"op": "equals",
"path": "context.environment.interface.port",
"values": [
"9001","9902","9903"
]
},
{
"op": "equals",
"path": "context.environment.client_ip",
"values": [
"122.185.33.186"
]
}]
}
Example Response
{
"id": "ae705635-056a-47a4-801c-0bdf8681b74a",
"uri": "kylo:kylo:admin:policies:block-certain-ip2-ae705635-056a-47a4-801c-0bdf8681b74a",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2023-11-17T07:43:35.614821Z",
"name": "Block ips for a specific port",
"deletedAt": null,
"updatedAt": "2023-11-17T07:43:35.614821Z",
"actions": [
"IssueJWT"
],
"resources": [],
"allow": false,
"effect": "deny",
"conditions": [ {
"op": "equals",
"path": "context.environment.interface.port",
"values": [
"9001","9902","9903"
]
},
{
"path": "context.environment.client_ip",
"op": "equals",
"values": [
"122.185.33.186"
]
}
]
}
In the above example, only 122.185.33.186
IP will be blocked for "9001, 9902, and 9903" ports.
Create policy attachment
Now to attach the above created policy, use the "id" of the policy created.
Syntax
ksctl polattach create --prinjson <principal-selector-json-file>
Example Request
ksctl polattach create --prinjson attachment.json
attachment.json
{
"policy": "ae705635-056a-47a4-801c-0bdf8681b74a",
"principalSelector": {},
"jurisdiction": ""
}
Client applications
For client applications, specify the path
as context.environment.principal.client_app
and specify the required values in the values
parameter, for example "values": ["nae"]. The supported values for the values
parameter are:
nae
kmip
Example - Login to nae and kmip interfaces using policies
To allow login to nae and kmip interfaces irrespective of the authentication methods set for the user, perform the following steps:
Create a policy
{
"name": "Allow Login to NAE/KMIP",
"effect": "allow",
"resources": [],
"actions": [
"IssueJWT"
],
"conditions": [
{
"op": "equals",
"path": "context.environment.principal.client_app",
"values": [
"nae",
"kmip"
]
}
]
}
Create a policy attachment
{
"policy": "id-of-the-policy-from-previous-api",
"principalSelector": {}
}