Security Guide : Security Properties for C++

Controls the degree of logging. Acceptable values are the strings LEVEL_WARN, LEVEL_NOTICE, LEVEL_INFO, and LEVEL_DEBUG.
By default, log output is to std::cerr. You can use this property to redirect the log output to a named file.
vbroker.security.secureTransport
Note: To use secure transport only, the secureTransport property must also be set to true.
This is a server-side only property. It defines whether the server transport is: CLEAR_ONLY, SECURE_ONLY or ALL. This property will not take effect when the secureTransport property is set to false.
If this property is set to true, it disables all security services.
vbroker.security.requireAuthentication
vbroker.security.authentication.callbackHandler
CmdLineCallbackHandler has password echo on, while HostCallbackHandler has password echo off. For more information, see “VisiSecure for C++ APIs”.
vbroker.security.authentication.config
vbroker.security.authentication.retryCount
If set to true, this property makes the process attempt at initialization time to log in to all the realms listed by the vbroker.security.login.realms property.
When set to true, the security service behaves as follows. If the security service cannot find an identity for any of the targets supported by a server it is attempting to communicate with, it then attempts to acquire credentials for one of the targets in the target object's IOR. If a corresponding authentication realm is available for this target (that the user chooses to provide credentials for), then authentication is also attempted locally.
vbroker.security.domain.<domain-name>.rolemap_path
vbroker.security.domain.<domain_name>.rolemap_enableRefresh
When set to true, enables dynamic loading of the RoleDB file specified by the vbroker.security.domain.<domain_name>.rolemap_path property. The interval of dynamic loading is specified by the vbroker.security.domain.<domain_name>.rolemap_refreshTimeInSeconds property.
vbroker.security.domain.<domain_name>.rolemap_refreshTimeInSeconds
vbroker.security.domain.<domain_name>.defaultAccessRule
vbroker.security.cert.basicConstraintCritical
vbroker.security.identityAssertion
Value can be true or false.
vbroker.security.peerAuthenticationMode
REQUIRE—Peer certificates are required to establish a connection. If the peer does not present its certificates, the connection will be refused. Peer certificates will also be authenticated; if not valid, the connection will be refused. If required, transport identity can be established using these certificates. In this mode, peer certificates are not required to be trusted.
REQUIRE_AND_TRUST—Same as REQUIRE mode, except that the peer certificates need to be trusted, otherwise the connection will be refused.
REQUEST—Peer certificates will be requested. The peer is not required to have certificates; no transport identity will be established when peer does not have certificates. However, if a peer does present certificates, the certificates will be authenticated; if not valid, the connection will be refused. If required, transport identity can be established using these certificates. In this mode, peer certificates are not required to be trusted.
REQUEST_AND_TRUST—Same as REQUEST mode except that the peer certificates need to be trusted, otherwise the connection will be refused.
NONE—Authentication is not required. During handshake, no certificate request will be sent to the peer. Regardless of whether the peer has certificates, a connection will be accepted. There will be no transport identity for the peer.
vbroker.security.trustpointsRepository
Use to specify a list of trusted roles, in the format <role>@<authorization_domain>. <n> is a sequence of digits that uniquely identifies each trust assertion rule.
For example, setting vbroker.security.assertions.trust.1=ServerAdmin@default means this process trusts any assertion made by the ServerAdmin role in the default authorization domain.
Setting to true will trust all assertions made by peers.
vbroker.security.server.requireUPIdentity
A server-side only property. If the server requires the client to send a Username/Password for authentication (regardless of certificate-based authentication), set to true. If vbroker.security.login.realms is set, this property is automatically set to true. However, you can override it by explicitly setting it in the property file.
Use the Directory value to point to the directory containing the directories for all identities.
Use the PKCS12 value to configure the PKCS#12 keystore. See “PKCS#12-based authentication using KeyStores” for details.
If the vbroker.security.wallet.type is set to Directory, use to point to a sub-directory within the path defined in vbroker.security.wallet.type that contains keys and/or certificate information for a specific identity.
If vbroker.security.wallet.type is set to PKCS12, the vbroker.security.wallet.identity property is ignored for a PKCS#12 keystore, but the property must be set.
vbroker.security.client.supportNoDelegation
If set to true, the client will add support for NoDelegate in the TAG_SSL_SEC_TRANS tag.
If this is set to true, the CAPI engine is initialized and enabled for all SSL/TLS conversations in the process. Note that enabling the engine means it takes over signing operations, which means the associated private key must exist in a Windows store.
If this is set to true, then CA root and intermediary certificates from the Local Machine and Current User stores are loaded into the trustpoint, along with any other certificates already present.
vbroker.security.useCAPI does not have to be enabled to use this option.
This property is supported for the client side only, and requires vbroker.security.useCAPI to be enabled. If this is set to true, then if the client needs a certificate (and key), the provider will try to obtain one from the Windows Current User "My" ("Personal") store.
This option is currently only supported when vbroker.security.useCapiCertificate is enabled. When looking for a client certificate, only consider ones that contain the given string (case-insensitively) in their Friendly Name or Subject Name. Used to assist in picking the right client certificate where you have multiple identity certificates that are otherwise eligible.
If set to short, this prevents the use of the SHA-2 family of digests (SHA-256, etc). See “VisiBroker C++ Only” for further details of how to use this option.
vbroker.security.server.socket.TLSSecurityLevel
vbroker.security.client.socket.TLSSecurityLevel
vbroker.security.server.socket.minTLSProtocol
vbroker.security.client.socket.minTLSProtocol
Defines the minimum allowable TLS protocol version. These properties and the corresponding maxTLSProtocol properties enable you to specify a range of supported TLS protocols, by specifying both a maximum and a minimum supported version.
TLS1_0 (available to support legacy behaviors)
TLS_MIN (a floating minimum, currently equivalent to TLS1)
TLS_MAX (a floating maximum, currently equivalent to TLS1_3)
vbroker.security.server.socket.maxTLSProtocol
vbroker.security.client.socket.maxTLSProtocol
Used together with the corresponding minTLSProtocol properties, and has the same permitted values.
vbroker.security.TLS13CipherSuites
This property should be considered quite separate from vbroker.security.cipherList, which continues to be required for configuring cipher suites for TLSv1.2 and below.
vbroker.security.server.socket.EnforceServerCipherPriority
Note: This property defaults to false in VisiBroker 8.5.7 in order to match previous behavior. It will default to true in a future update to increase security.
vbroker.security.server.socket.MinDHGroupSize
VisiSecure supports DH parameter bit sizes of 512, 1024, 2048 and 4096. Any other value specified will be rounded down to the nearest supported value.
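The following audit script is an added example, not VisiBroker code; it reads a constructed properties fragment and checks it against the minTLSProtocol/maxTLSProtocol range, the EnforceServerCipherPriority default and the MinDHGroupSize rounding described above. It assumes plain key=value lines, that TLS_MIN and TLS_MAX resolve to TLS1_0 and TLS1_3, and that an unset bound means the floating end of the range.

```python
"""Audit a VisiBroker C++ security properties fragment for weak settings.
Added example, not VisiBroker code. Assumes key=value lines, that TLS_MIN and
TLS_MAX resolve to TLS1_0 and TLS1_3, and that an unset bound means floating."""
TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]
FLOATING = {"TLS_MIN": "TLS1_0", "TLS_MAX": "TLS1_3"}  # assumed resolution
DH_SIZES = (512, 1024, 2048, 4096)  # sizes the page lists as supported
SAMPLE = """# constructed sample fragment, not a real deployment
vbroker.security.secureTransport=true
vbroker.security.server.socket.minTLSProtocol=TLS1_0
vbroker.security.server.socket.maxTLSProtocol=TLS_MAX
vbroker.security.server.socket.MinDHGroupSize=3000
"""

def parse_properties(text):
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    lines = (ln.strip() for ln in text.splitlines())
    pairs = (ln.partition("=") for ln in lines if ln and not ln.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def round_dh_group(size):
    """Round down to the nearest supported DH size; None if below 512."""
    fits = [s for s in DH_SIZES if s <= size]
    return fits[-1] if fits else None

def tls_range(props, side):
    """Versions a side can negotiate; an empty list means min is above max."""
    pre = f"vbroker.security.{side}.socket."
    lo = props.get(pre + "minTLSProtocol", "TLS_MIN")
    hi = props.get(pre + "maxTLSProtocol", "TLS_MAX")
    lo, hi = FLOATING.get(lo, lo), FLOATING.get(hi, hi)
    return TLS_ORDER[TLS_ORDER.index(lo):TLS_ORDER.index(hi) + 1]

def audit(props, side="server"):
    """Return findings (strings) for one side; an empty list means clean."""
    out, srv = [], "vbroker.security.server.socket."
    if props.get("vbroker.security.secureTransport") != "true":
        out.append("secureTransport is not true: clear transport is permitted")
    versions = tls_range(props, side)
    if not versions:
        out.append("minTLSProtocol is above maxTLSProtocol: nothing negotiable")
    elif versions[0] in ("TLS1_0", "TLS1_1"):
        out.append(f"legacy protocol {versions[0]} is still negotiable")
    if side == "server" and props.get(srv + "EnforceServerCipherPriority") != "true":
        out.append("EnforceServerCipherPriority not true (8.5.7 default is false)")
    raw = props.get(srv + "MinDHGroupSize") if side == "server" else None
    if raw is not None and (round_dh_group(int(raw)) or 0) < 2048:  # None -> 0
        out.append(f"MinDHGroupSize {raw} rounds down to {round_dh_group(int(raw))}")
    return out
```

Running audit(parse_properties(SAMPLE)) on the constructed fragment reports two findings: TLS1_0 is still negotiable, and the server cipher priority is left at its 8.5.7 default.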
vbroker.security.server.socket.enabledProtocols
vbroker.security.client.socket.enabledProtocols
Note: These properties are deprecated (as of VisiBroker 8.5.7) and will be removed in a future release. Micro Focus recommends using the maxTLSProtocol and minTLSProtocol properties to specify a range of protocols.
In this mode, the library negotiates only a TLSv1.1 connection. However, if the client might also support TLSv1.2 or higher, use TLS_Version_1_1_With_2_0_Hello to take advantage of the higher level protocol version.
vbroker.security.CRLRepository
Valid values for this property are identical to those for vbroker.security.server.socket.TLSCipherGroups. See note about that property below.
If this option is defined, it overrides the behavior of vbroker.security.server.socket.ecdheCurve. If this option is not defined, it defaults as follows:
1. If vbroker.security.server.socket.ecdheCurve is configured (for servers only), its value applies.
2. For TLSv1.3 connections, the X25519 group is used.
3. For TLSv1.2 connections (and below if security level 0 is in operation), the prime256v1 group is used.
This is a comma-separated list of curves, each of which must match one of the well-known elliptic curves as defined by IANA (the Internet Assigned Numbers Authority) for use with TLS.
SSL Server Connection Manager properties
The following table lists the SSL Server Connection Manager (SCM) properties.
In this table, possible values for <se_name> are:
vbroker.se.<se_name>.scm.ssl.manager.connectionMax
vbroker.se.<se_name>.scm.ssl.manager.connectionMaxIdle
vbroker.se.<se_name>.scm.ssl.listener.type
vbroker.se.<se_name>.scm.ssl.listener.port
vbroker.se.<se_name>.scm.ssl.listener.proxyPort
vbroker.se.<se_name>.scm.ssl.dispatcher.type
vbroker.se.<se_name>.scm.ssl.dispatcher.threadMin
vbroker.se.<se_name>.scm.ssl.dispatcher.threadMax
vbroker.se.<se_name>.scm.ssl.dispatcher.threadMaxIdle
vbroker.se.<se_name>.scm.ssl.connection.tcpNoDelay
Specifies whether tcp_nodelay should be set on the socket.
vbroker.se.<se_name>.scm.<scm_name>.listener.selectorMax