
Create a policy folder in TLS Protect Datacenter

To manage Firefly from TLS Protect Datacenter, use two separate policy folders so that access follows the principle of least privilege. The first policy folder stores Firefly’s security configuration. Only authorized members of the security team may modify its contents; the Firefly instances that consume this security configuration get read access only, with no permission to modify it.

It is recommended to follow your organizational pattern for the policy structure. In this example, a simplified structure is used where a new policy folder, Firefly, contains the security configuration object and a sub-folder for the subordinate CA certificates that your Firefly will use.

📂 Policy
└── 📂 firefly
      ├── 📂 SubCA
      │   ├── 📄 subca-cert-1
      │   ├── 📄 subca-cert-2
      │   └── 📄 subca-cert-3
      └── 🔑 security-config

Create a policy folder for Firefly’s security configuration

Follow the instructions in Adding objects to the policy tree to add a new policy folder named firefly.

Once the firefly policy folder is created, set the permissions outlined in Assigning permissions to an object in Policy Tree.

Policy folder: firefly

  • User: firefly - Permissions: View, Read

  • Group: security-team - Permissions: View, Read, Write, Create, Delete, Rename

Policy folder for the subordinate CA certificates used by Firefly

  1. Follow the instructions in Adding objects to the policy tree to add a new policy folder named SubCA beneath the firefly folder.

  2. Once the firefly\SubCA policy folder is created, set the following permissions as outlined in Assigning permissions to an object in Policy Tree.

    Policy folder: firefly\SubCA

    • User: firefly - Permissions: Read, Write, Create

    • Group: security-team - Permissions: View, Read, Write, Create, Delete, Rename

  3. In addition to the permissions, configure the following certificate settings on the subordinate CA policy folder:

    • Set Management Type to Enrollment.

    • Set CSR Generation to User Generated CSR.

    • Set Allow Duplicate Common and Subject Alternative Names to Yes.

    • Configure a CA template that issues valid subordinate CA certificates meeting the requirements described in Requirements for the subordinate CA certificate.
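A permission check worth running once the folders exist, and again whenever the tree changes: the grants on the firefly folder can match the two tables above exactly while a grant higher up the tree (for example Write on \VED\Policy) is inherited by the firefly user and silently lets a Firefly instance alter its own security configuration. The script below is an added example, not code from the product documentation or from Firefly; the flat export shape, the `local:` principal prefix, the \VED\Policy root path and the parent-to-child inheritance of grants are assumptions made for this example, while the firefly user, the security-team group and the folder names come from the page. The sample export is constructed and contains two deliberate drifts.

```python
"""Least-privilege audit of the Firefly policy folder grants.

Added example; not part of the product documentation. The export format,
the "local:" principal prefix, the \\VED\\Policy root and the assumption that
grants on a folder are inherited by everything beneath it are assumptions
made for this example.
"""
from __future__ import annotations

FIREFLY = "\\VED\\Policy\\firefly"
SUBCA = FIREFLY + "\\SubCA"
FULL = {"View", "Read", "Write", "Create", "Delete", "Rename"}

# Intended explicit grants, taken from the two folder tables on this page.
EXPECTED = {
    FIREFLY: {"local:firefly": {"View", "Read"}, "local:security-team": set(FULL)},
    SUBCA: {"local:firefly": {"Read", "Write", "Create"}, "local:security-team": set(FULL)},
}

# Constructed export of explicit grants (assumed shape: one row per folder,
# principal and permission list). Two deliberate drifts are included: the
# firefly user holds Write on the root folder, which the explicit per-folder
# comparison alone would never see, and an unexpected group sits on SubCA.
SAMPLE_EXPORT = [
    {"path": "\\VED\\Policy", "principal": "local:firefly", "permissions": ["Write"]},
    {"path": FIREFLY, "principal": "local:firefly", "permissions": ["View", "Read"]},
    {"path": FIREFLY, "principal": "local:security-team", "permissions": sorted(FULL)},
    {"path": SUBCA, "principal": "local:firefly", "permissions": ["Read", "Write", "Create"]},
    {"path": SUBCA, "principal": "local:security-team", "permissions": sorted(FULL)},
    {"path": SUBCA, "principal": "local:Everyone", "permissions": ["View"]},
]


def explicit_grants(export):
    """Index the export as grants[path][principal] -> set of permission names."""
    grants: dict[str, dict[str, set[str]]] = {}
    for row in export:
        grants.setdefault(row["path"], {}).setdefault(row["principal"], set()).update(row["permissions"])
    return grants


def ancestors(path):
    """All folders above `path`, root first, excluding `path` itself."""
    parts = path.split("\\")  # "\\VED\\Policy\\firefly" -> ["", "VED", "Policy", "firefly"]
    return ["\\".join(parts[:i]) for i in range(2, len(parts))]


def effective(grants, path, principal):
    """Union of explicit grants on the folder and on every ancestor (assumed inheritance)."""
    perms: set[str] = set()
    for folder in ancestors(path) + [path]:
        perms |= grants.get(folder, {}).get(principal, set())
    return perms


def audit(export, expected=EXPECTED):
    """Return (path, principal, issue, permissions) findings; an empty list means compliant."""
    grants = explicit_grants(export)
    findings = []
    for path, principals in expected.items():
        actual = grants.get(path, {})
        for principal, want in principals.items():
            have = actual.get(principal, set())
            if have - want:
                findings.append((path, principal, "excess", sorted(have - want)))
            if want - have:
                findings.append((path, principal, "missing", sorted(want - have)))
        for principal in sorted(actual.keys() - principals.keys()):
            findings.append((path, principal, "unexpected principal", sorted(actual[principal])))
    # The Firefly identity must never be able to change the security configuration
    # folder, whether the grant is direct or inherited from a folder higher in the tree.
    modifying = effective(grants, FIREFLY, "local:firefly") & {"Write", "Delete", "Rename"}
    if modifying:
        findings.append((FIREFLY, "local:firefly", "can modify security config", sorted(modifying)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(*finding)
```

Run against the constructed export the audit reports the stray local:Everyone grant on SubCA and, through the inheritance walk, that the firefly user can modify the security configuration folder even though its explicit grants there are exactly View and Read. Removing the two drift rows yields no findings. Note that the SubCA table gives the firefly user no explicit View grant; under the inheritance assumption it receives View from the parent folder, which the `effective` function makes visible.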

What's next?