Security Policy

SecurityPolicy defines attributes of security applied to the profileName or KeyStore.

This policy is applied during initializacion of the profile, but sometimes it's also used during the installation of the certificate, so it must be informed on several methods of the certificate provider.

There are specific policies for each kind of keystore, like:

Microsoft CryptoAPI security policy

CAPI Security Policy

{
	"exportable": true,
	"protectionLevel": 1,
	"description": "John Doe - Digicert",
	"friendlyName": "Sign and Authenticate services",
	"title": "Digital Certificate"
}

Field	Description	Default
exportable	Indicates if the certificate can be exported from this repository.	true
protectionLevel	Value [ 0 .. 2 ] used to indicate the level of protection to access the private key. Value==1 requires that user approve access to the key. Value==2, user must protect key with a password.	0
description	Name of the keystore where the certificate will be stored.
friendlyName	Friendly name to identify the certificate in a easier mode.
title	Title of certificate to protect.

Password security policy

Used by PFX keystores

Password Security Policy

{
	"passComplexity" : 2,
	"passMinLength" : 5 
}

Field	Description	Default
passComplexity	integer value [1..4]. It indicates how many different kind of letter must be used to generate the password that protect the certificate. Possible groups are: uppercase, lowercase, number, symbol.	2
passMinLength	minimun length of charactes.	6

Device security policy

Used by some kind of devices

Device Security Policy

{
	"installDummy" : false,
	"generateOnBoard" : true 
}

Field	Description	Default
generateOnBoard	Used to indicate if the generation of keypair must be done inside of the device.	true
installDummy	After keypair generation, a dummy certificate is created and installed into the device to register que key. This certificate is overwrited when the final certificate is issued and installed.	false

PKCS11 security policy

Used by PFX keystores

CAPI Security Policy

{
	"passComplexity" : 2,
	"passMinLength" : 5,
	"installDummy" : false,
	"generateOnBoard" : true 
}

It combines the features of Password and Device security policies. This policy is used when the device can be initialized during the generation of keypair, and a new password must be entered to protect the key.

CSK security policy

Used on Alison KeyStore profiles.

CAPI Security Policy

{
	"id": "polIdv-A",
	"passComplexity": 3,
	"passMinLength": 8,
	"passExpiration": 365,
	"passLockCount": 10, 
	"lockTimeout": 15,
	"idleTimeout": 10, 
	"certExport": 15
}

Field	Description	Default
id	Unique ID used to identify the security password applied.
passComplexity	integer value [1..4]. It indicates how many different kind of letter must be used to generate the password that protect the certificate. Possible groups are: uppercase, lowercase, number, symbol.	2
passMinLength	Minimun length of charactes.	6
passExpiration	Days of password validity. 30 days before, profile return a warning code (CLOSE_TO_EXPIRE). Use 0 to disable this feature.	0
passLockCount	Invalid login tries before of lock the profile.	10
lockTimeout	Minutes to wait when the profile is locked. After unlock the profile, user can try 1 more time. 0 value indicates that the profile must be locked permanently if user fails passLockCount times.	20
idleTimeout	Minutes during the profile is maintained open without requires a new password.	10
certExport	Mask used to indicate if the certificate can be exportable. 0 indicates that certificates installed on the profile can't be exported. 15 for enabled exportable to PKCS12 files and other kind of devices.	15

Related Product

Alison SDK js

Alison SDK allows developer to integrate Alison Desktop in its pages in a easier way. Go to the Alison SDK documentation.

Alison Wizard

You can obtain current version of Alison Desktop from ACME Alison Wizard site.

For developers, go to the Alison Desktop documentation.