| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
Security Policy
SecurityPolicy defines security attributes and behaivour applied to the profileName or KeyStore.
This policy is applied during the profile initialization, but sometimes it's also used during the installation of the certificate, so it must be informed on several methods of the certificate provider.
There are specific policies for each kind of keystore, but not all the keystores have an specific policy. Sometimes is not possible to change some default valued defined by the keystore or profile by themselve. In this kind of cases, a default policy, using an empty JSON file, must be used.
Following there are a list of specific policy and values that can be used:
Microsoft CryptoAPI security policy
| Code Block | ||||
|---|---|---|---|---|
| ||||
{
"exportable": true,
"protectionLevel": 1,
"description": "John Doe - Digicert",
"friendlyName": "Sign and Authenticate services",
"title": "Digital Certificate"
} |
| Field | Description | Default |
|---|---|---|
| exportable | Indicates if the certificate can be exported from this repository. | true |
| protectionLevel | Value [ 0 .. 2 ] used to indicate the level of protection to access the private key. Value==1 requires that users approve access to the key. Value==2, user must protect the key with a password. | 0 |
| description | Name of the keystore where the certificate will be stored. | |
| friendlyName | Friendly name to identify the certificate in an easier mode. | |
| title | Title of the certificate to protect. |
Password security policy
Used by PFX keystores
| Code Block | ||||
|---|---|---|---|---|
| ||||
{
"passComplexity" : 2,
"passMinLength" : 5
} |
| Field | Description | Default |
|---|---|---|
| passComplexity | integer value [1..4]. It indicates how many different kinds of letters must be used to generate a password that protects the certificate. Possible groups are uppercase, lowercase, number, symbol. | 2 |
| passMinLength | minimum length of characters. | 6 |
Device security policy
Used by some kind of devices
| Code Block | ||||
|---|---|---|---|---|
| ||||
{
"installDummy" : false,
"generateOnBoard" : true
} |
| Field | Description | Default |
|---|---|---|
| generateOnBoard | Used to indicate if the generation of keypair must be done inside of the device. | true |
| installDummy | After the keypair generation, a dummy certificate is created and installed into the device to register the key. This certificate is overwritten when the final certificate is issued and installed. | false |
PKCS11 security policy
Used by PKCS11 keystores
| Code Block | ||||
|---|---|---|---|---|
| ||||
{
"passComplexity" : 2,
"passMinLength" : 5,
"installDummy" : false,
"generateOnBoard" : true
} |
It combines the features of Password and Device security policies. This policy is used when the device can be initialized during the generation of keypair, and a new password must be entered to protect the key.
CSK security policy
Used on Alison KeyStore profiles.
| Code Block | ||||
|---|---|---|---|---|
| ||||
{
"id": "polIdv-A",
"passComplexity": 3,
"passMinLength": 8,
"passExpiration": 365,
"passLockCount": 10,
"lockTimeout": 15,
"idleTimeout": 10,
"certExport": 15
} |
| Field | Description | Default |
|---|---|---|
| id | Unique ID used to identify the security password applied. | |
| passComplexity | integer value [1..4]. It indicates how many different kinds of letters must be used to generate a password that protects the certificate. Possible groups are uppercase, lowercase, number, symbol. | 2 |
| passMinLength | Minimum length of characters. | 6 |
| passExpiration | Days of password validity. 30 days before, profile returns a warning code (CLOSE_TO_EXPIRE). Use 0 to disable this feature. | 0 |
| passLockCount | Invalid login tries before of lock the profile. | 10 |
| lockTimeout | Minutes to wait when the profile is locked. After unlocking the profile, the user can try 1 more time. 0 value indicates that the profile must be locked permanently if the user fails passLockCount times. | 20 |
| idleTimeout | Minutes during the profile are maintained open without requires a new password. | 10 |
| certExport | Mask used to indicate if the certificate can be exportable. 0 indicates that certificates installed on the profile can't be exported. 15 for enabled exportable to PKCS12 files and other kinds of devices. | 15 |