Security Policy
SecurityPolicy defines attributes of security applied to the profileName or KeyStore.
This policy is applied during initialization of the profile, but it is sometimes also used during installation of the certificate, so it must be passed to several methods of the certificate provider.
There are specific policies for each kind of keystore, like:
Microsoft CryptoAPI security policy
```json
{
  "exportable": true,
  "protectionLevel": 1,
  "description": "John Doe - Digicert",
  "friendlyName": "Sign and Authenticate services",
  "title": "Digital Certificate"
}
```
Field | Description | Default |
---|---|---|
exportable | Indicates if the certificate can be exported from this repository. | true |
protectionLevel | Value in [0..2] indicating the level of protection required to access the private key. 1 requires the user to approve access to the key; 2 requires the user to protect the key with a password. | 0 |
description | Name of the keystore where the certificate will be stored. | |
friendlyName | Friendly name that makes the certificate easier to identify. | |
title | Title of certificate to protect. |
Password security policy
Used by PFX keystores
```json
{
  "passComplexity": 2,
  "passMinLength": 5
}
```
Field | Description | Default |
---|---|---|
passComplexity | Integer value [1..4]. Indicates how many different kinds of characters must be used in the password that protects the certificate. Possible groups are: uppercase, lowercase, number, symbol. | 2 |
passMinLength | Minimum length in characters. | 6 |
Device security policy
Used by some kinds of devices.
```json
{
  "installDummy": false,
  "generateOnBoard": true
}
```
Field | Description | Default |
---|---|---|
generateOnBoard | Indicates whether the key pair must be generated inside the device. | true |
installDummy | After key pair generation, a dummy certificate is created and installed into the device to register the key. This certificate is overwritten when the final certificate is issued and installed. | false |
PKCS11 security policy
Used by PFX keystores
```json
{
  "passComplexity": 2,
  "passMinLength": 5,
  "installDummy": false,
  "generateOnBoard": true
}
```
It combines the features of the Password and Device security policies. This policy is used when the device can be initialized during key pair generation, and a new password must be entered to protect the key.
CSK security policy
Used on Alison KeyStore profiles.
```json
{
  "id": "polIdv-A",
  "passComplexity": 3,
  "passMinLength": 8,
  "passExpiration": 365,
  "passLockCount": 10,
  "lockTimeout": 15,
  "idleTimeout": 10,
  "certExport": 15
}
```
Field | Description | Default |
---|---|---|
id | Unique ID used to identify the security password applied. | |
passComplexity | Integer value [1..4]. Indicates how many different kinds of characters must be used in the password that protects the certificate. Possible groups are: uppercase, lowercase, number, symbol. | 2 |
passMinLength | Minimum length in characters. | 6 |
passExpiration | Days of password validity. 30 days before expiration, the profile returns a warning code (CLOSE_TO_EXPIRE). Use 0 to disable this feature. | 0 |
passLockCount | Number of invalid login attempts before the profile is locked. | 10 |
lockTimeout | Minutes to wait when the profile is locked. After the profile is unlocked, the user can try 1 more time. A value of 0 indicates that the profile must be locked permanently if the user fails passLockCount times. | 20 |
idleTimeout | Minutes the profile stays open without requiring a new password. | 10 |
certExport | Mask used to indicate whether the certificate can be exported. 0 indicates that certificates installed on the profile can't be exported. 15 enables export to PKCS12 files and other kinds of devices. | 15 |
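The following added example (not code from the Alison SDK) shows how a page could pre-check a candidate password against the `passComplexity` and `passMinLength` fields described above, applying the defaults from the CSK table. The function names, the `EXAMPLE_POLICY` constant and the rule that any character other than an ASCII letter or digit counts as a symbol are assumptions made for illustration.

```javascript
// Added example, not Alison SDK code. Defaults are taken from the CSK policy table.
const CSK_DEFAULTS = {
  passComplexity: 2, passMinLength: 6, passExpiration: 0, passLockCount: 10,
  lockTimeout: 20, idleTimeout: 10, certExport: 15,
};

// Merge a policy with the documented defaults and reject out-of-range values.
function normalizeCskPolicy(policy) {
  const p = { ...CSK_DEFAULTS, ...policy };
  for (const key of Object.keys(CSK_DEFAULTS)) {
    if (!Number.isInteger(p[key]) || p[key] < 0) {
      throw new RangeError(`${key} must be a non-negative integer`);
    }
  }
  if (p.passComplexity < 1 || p.passComplexity > 4) {
    throw new RangeError("passComplexity must be in [1..4]");
  }
  return p;
}

// Collect which of the four documented groups appear in the password.
// Assumption: "symbol" is any character that is not an ASCII letter or digit.
function characterGroups(password) {
  const groups = new Set();
  for (const ch of password) {
    if (ch >= "A" && ch <= "Z") groups.add("uppercase");
    else if (ch >= "a" && ch <= "z") groups.add("lowercase");
    else if (ch >= "0" && ch <= "9") groups.add("number");
    else groups.add("symbol");
  }
  return groups;
}

// Return the policy violations for a candidate password (empty array = accepted).
function checkPassword(password, policy) {
  const p = normalizeCskPolicy(policy);
  const problems = [];
  const length = [...password].length; // code points, not UTF-16 units
  if (length < p.passMinLength) {
    problems.push(`length ${length} is below passMinLength ${p.passMinLength}`);
  }
  const groups = characterGroups(password).size;
  if (groups < p.passComplexity) {
    problems.push(`${groups} character groups, passComplexity requires ${p.passComplexity}`);
  }
  return problems;
}

// The page's CSK example policy, reduced to the two fields checked here.
const EXAMPLE_POLICY = { id: "polIdv-A", passComplexity: 3, passMinLength: 8 };
```

A check like this only gives early feedback in the page; the keystore that receives the policy remains the component that enforces it.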
Related Product
Alison SDK js
Alison SDK allows developers to integrate Alison Desktop into their pages more easily. Go to the Alison SDK documentation.
Alison Wizard
You can obtain the current version of Alison Desktop from the ACME Alison Wizard site.
For developers, go to the Alison Desktop documentation.