Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 10 Current »

Security Policy

SecurityPolicy defines security attributes and behavior applied to the profileName or KeyStore.

This policy is applied during the profile initialization, but sometimes it's also used during the installation of the certificate, so it must be informed on several methods of the certificate provider.

There are specific policies for each kind of Keystore, but not all the keystores have a specific policy. Sometimes is not possible to change some default values defined by the Keystore or profile by themselves.  In this kind of case, a default policy, using an empty JSON file, must be used.

Following there is a list of specific policy and values that can be used:

Microsoft CryptoAPI security policy


CAPI Security Policy
{
	"exportable": true,
	"protectionLevel": 1,
	"description": "John Doe - Digicert",
	"friendlyName": "Sign and Authenticate services",
	"title": "Digital Certificate"
}


FieldDescriptionDefault
exportableIndicates if the certificate can be exported from this repository.true
protectionLevel

Value  [ 0 .. 2 ] used to indicate the level of protection to access the private key.

Value==1 requires that users approve access to the key.

Value==2, user must protect the key with a password.

0
descriptionName of the keystore where the certificate will be stored.
friendlyNameFriendly name to identify the certificate in an easier mode.
titleTitle of the certificate to protect.


Password security policy

Used by PFX/P12 keystores

Password Security Policy
{
	"passComplexity" : 2,
	"passMinLength" : 5 
}


FieldDescriptionDefault
passComplexityinteger value [1..4]. It indicates how many different kinds of letters must be used to generate a password that protects the certificate. Possible groups are uppercase, lowercase, number, symbol.2
passMinLengthminimum length of characters.6


Device security policy

Used by some kind of devices

Device Security Policy
{
	"installDummy" : false,
	"generateOnBoard" : true 
	"modelTemplate" : "RIJKSPAS-qsign" 
}


FieldDescriptionDefault
generateOnBoardUsed to indicate if the generation of keypair must be done inside of the device.true
installDummyAfter the keypair generation, a dummy certificate is created and installed into the device to register the key. This certificate is overwritten when the final certificate is issued and installed.false
 modelTemplate

Overwrite the default model template to generate or import keys. A programmer can select a model template specific for a smartcard model and behaviors.

If none model is selected, then "TOKEN-default" is applied. This is for generic smartcards. Check the list of available models.

null
ModelTemplateDescriptionFrom version
TOKEN-defaultGeneral pkcs11 device.Desktop 3.2.1
RIJKSPAS-defaultFor IDEMIA smartcard, Multi-PIN mode enabled.Desktop 3.2.1
RIJKSPAS-protectedFor IDEMIA smartcard, Multi-PIN mode enabled.Desktop 3.2.1
RIJKSPAS-qsignFor IDEMIA smartcard, Multi-PIN mode enabled, QSign enabled.Desktop 3.2.1


PKCS11 security policy

Used by PKCS11 keystores

CAPI Security Policy
{
	"passComplexity" : 2,
	"passMinLength" : 5,
	"installDummy" : false,
	"generateOnBoard" : true 
}


It combines the features of Password and Device security policies. This policy is used when the device can be initialized during the generation of keypair, and a new password must be entered to protect the key.


CSK security policy

Used on Alison KeyStore profiles.

CAPI Security Policy
{
	"id": "polIdv-A",
	"passComplexity": 3,
	"passMinLength": 8,
	"passExpiration": 365,
	"passLockCount": 10, 
	"lockTimeout": 15,
	"idleTimeout": 10, 
	"certExport": 15
}


FieldDescriptionDefault
idUnique ID used to identify the security password applied.
passComplexityinteger value [1..4]. It indicates how many different kinds of letters must be used to generate a password that protects the certificate. Possible groups are uppercase, lowercase, number, symbol.2
passMinLengthMinimum length of characters.6
passExpiration

Days of password validity. 30 days before, the profile returns a warning code (CLOSE_TO_EXPIRE).

Use 0 to disable this feature.

0
passLockCountInvalid login tries before of lock the profile.10
lockTimeout

Minutes to wait when the profile is locked. After unlocking the profile, the user can try 1 more time.

0 value indicates that the profile must be locked permanently if the user fails passLockCount times.

20
idleTimeoutMinutes during the profile are maintained open without requires a new password.10
certExportMask used to indicate if the certificate can be exportable. 0 indicates that certificates installed on the profile can't be exported. 15 for enabled exportable to PKCS12 files and other kinds of devices.15

Related Product

AlisonJS

Alison SDK allows a developer to integrate Alison Desktop in its pages in an easier way. Go to the AlisonJS documentation.

Alison Wizard

You can obtain the current version of Alison Desktop from ACME Alison Wizard site.

For developers, go to the Alison Desktop documentation.


  • No labels