
General

These settings can be found on the Global Settings > Advanced Settings page.

Property Description
Caching for Certificates, CRLs and OCSP Responses
These parameters control the in-memory caching of certificates, CRLs and OCSP responses found during the path building process. They are consumed by the Verification, XKMS and SCVP Services only.
  • ENABLE_CERTIFICATE_CACHING = TRUE
    This property enables certificate caching. To disable certificate caching, set the value to FALSE.
  • CERTIFICATE_CACHE_INTERVAL = 4
    This property defines the caching time in minutes for certificates. If certificate caching is disabled, this property has no effect.
  • ENABLE_CRL_OCSP_CACHING = TRUE
    This property enables caching of the CRLs and OCSP responses found during path building. To disable CRL and OCSP response caching, set the value to FALSE.
  • CRL_OCSP_CACHE_INTERVAL = 4
    This property defines the caching time in minutes for CRLs and OCSP responses. If CRL and OCSP caching is disabled, this property has no effect. If a cached CRL expires before the cache expiry time is reached, a new CRL is downloaded. If 'NEXT_UPDATE' is set as the value of 'CRL_OCSP_CACHE_INTERVAL', then every 15 minutes the cached CRLs and OCSP responses whose next update time has been reached are removed from the cache.
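The interaction between the fixed cache interval, the CRL's own nextUpdate and the NEXT_UPDATE mode is easy to get wrong, so the following is an added illustration (not ADSS Server code) of the behaviour described above. The RevocationCache class, the 15-minute sweep and the constructed fetch function are assumptions made for this example; only the property names and semantics come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

# Illustrative model of ENABLE_CRL_OCSP_CACHING / CRL_OCSP_CACHE_INTERVAL.
# Class, function and variable names are assumptions, not ADSS Server code.

SWEEP_INTERVAL = timedelta(minutes=15)  # page: NEXT_UPDATE entries are swept every 15 minutes


@dataclass
class RevocationEntry:
    issuer: str
    next_update: datetime   # nextUpdate of the cached CRL / OCSP response
    fetched_at: datetime


class RevocationCache:
    """In-memory cache keyed by issuer, honouring both cache-interval modes."""

    def __init__(self, enable_caching: bool = True, cache_interval: str = "4"):
        self.enable_caching = enable_caching
        self.cache_interval = cache_interval          # minutes, or "NEXT_UPDATE"
        self._entries: Dict[str, RevocationEntry] = {}
        self.downloads = 0                            # counts fetches from the network
        self._last_sweep: Optional[datetime] = None

    def _expiry(self, entry: RevocationEntry) -> datetime:
        if self.cache_interval == "NEXT_UPDATE":
            return entry.next_update
        ttl = timedelta(minutes=int(self.cache_interval))
        # A CRL whose nextUpdate passes before the TTL elapses is re-downloaded early.
        return min(entry.fetched_at + ttl, entry.next_update)

    def sweep(self, now: datetime) -> int:
        """NEXT_UPDATE mode only: every 15 minutes drop entries whose nextUpdate is reached.
        Returns the number of entries removed."""
        if self.cache_interval != "NEXT_UPDATE":
            return 0
        if self._last_sweep is not None and now - self._last_sweep < SWEEP_INTERVAL:
            return 0
        self._last_sweep = now
        stale = [k for k, e in self._entries.items() if now >= e.next_update]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def get(self, issuer: str, now: datetime,
            fetch: Callable[[str, datetime], RevocationEntry]) -> RevocationEntry:
        if not self.enable_caching:
            self.downloads += 1
            return fetch(issuer, now)
        entry = self._entries.get(issuer)
        if entry is None or now >= self._expiry(entry):
            entry = fetch(issuer, now)
            self.downloads += 1
            self._entries[issuer] = entry
        return entry


def _fetch_with_validity(minutes: int):
    """Constructed stand-in for a CRL/OCSP download; nextUpdate = now + minutes."""
    def fetch(issuer: str, now: datetime) -> RevocationEntry:
        return RevocationEntry(issuer, next_update=now + timedelta(minutes=minutes), fetched_at=now)
    return fetch


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 12, 0)
    results = {}

    # 1. Fixed 4-minute TTL, CRL valid for 60 minutes: a second download only after the TTL.
    c = RevocationCache(cache_interval="4")
    for m in (0, 3, 4, 7):
        c.get("CA1", t0 + timedelta(minutes=m), _fetch_with_validity(60))
    results["ttl_downloads"] = c.downloads            # 2 (at +0 and +4 minutes)

    # 2. Fixed 4-minute TTL but CRL valid for only 2 minutes: the expired CRL forces an early download.
    c = RevocationCache(cache_interval="4")
    for m in (0, 3):
        c.get("CA1", t0 + timedelta(minutes=m), _fetch_with_validity(2))
    results["early_refetch_downloads"] = c.downloads  # 2

    # 3. NEXT_UPDATE mode: the entry lives until nextUpdate; the 15-minute sweep then purges it.
    c = RevocationCache(cache_interval="NEXT_UPDATE")
    c.get("CA1", t0, _fetch_with_validity(10))
    c.get("CA1", t0 + timedelta(minutes=9), _fetch_with_validity(10))
    results["next_update_downloads"] = c.downloads    # 1
    results["swept_at_15"] = c.sweep(t0 + timedelta(minutes=15))  # 1 entry removed

    # 4. Caching disabled: every lookup downloads.
    c = RevocationCache(enable_caching=False)
    for m in (0, 1):
        c.get("CA1", t0 + timedelta(minutes=m), _fetch_with_validity(60))
    results["disabled_downloads"] = c.downloads       # 2
    return results


if __name__ == "__main__":
    print(demo())
```

The point of case 2 is the sentence "if a cached CRL expires before the cache expiry time is reached, a new CRL is downloaded": the effective lifetime of an entry is the earlier of the configured interval and the CRL's own nextUpdate, never the later.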
Unregistered CA/CRL timeout during path building
Number of seconds after which a connection is terminated if a certificate/CRL has not been downloaded, when the Advanced Discovery option is enabled in the Verification, XKMS and SCVP Services.
  • UNREGISTERED_CA_CRL_TIMEOUT = 180
Certificate not issued status
Certificate status returned in the OCSP response when whitelisting is enabled and the target certificate is not found in the database.
  • CERTIFICATE_NOT_ISSUED_STATUS = REVOKED
The possible values are 'REVOKED' and 'UNKNOWN'.
CRL cache update interval for high-speed OCSP
Time interval in seconds at which the CRL is updated in its memory cache when high-speed revocation checking has been enabled for a CA in Trust Manager.
  • CRL_CACHE_UPDATE_INTERVAL = 600
Valid certificate deletion
When this property is set to TRUE, a non-expired certificate can be deleted by a DELETE request from the Certification Service or the Admin GUI.
If the value is set to FALSE, only expired certificates can be deleted.
  • ENABLE_VALID_CERTIFICATE_DELETION = TRUE
Unwrapped key cache interval
This parameter sets the time interval in seconds after which any cached unwrapped keys are deleted from the target HSM, if KEK-based wrapping is enabled.
  • UNWRAPPED_KEY_CACHE_INTERVAL = 60
OTP configurations for two factor authentication
These parameters configure the OTP used for two-factor authentication.
  • SIGN_AUTH_OTP_LENGTH = 9
    One Time Password (OTP) length when OTP via SMS is used as the second authentication factor. Default value: 9. Possible values: 6 and 9.
  • EXPIRED_OTP_REMOVAL_INTERVAL = 60
    Defines the sleep interval in minutes of the expired OTP removal process. Default value: 60.
USE_READ_ONLY_PKCS11_KEY_STORE
This value configures the PKCS11 keystore for read-only use. If the value is TRUE, the fast PKCS11KeyStore is used for read-only operations.
The default value is FALSE, which allows read/write operations; in that case the (slower) communication option PKCS11KeyStore is used.
  • USE_READ_ONLY_PKCS11_KEY_STORE = FALSE
PKIX compliance mode
Used to validate certificates according to the PKIX guidelines in the Verification, XKMS and SCVP Services. Set this to TRUE or FALSE as required.
  • PKIX_COMPLIANCE_MODE = FALSE
Alert block threshold
Time interval after which an accumulated alert message is sent to operators when a log error event has occurred frequently.
  • ALERTS_BLOCK_THRESHOLD = 300
ADSS Server instances synchronization interval
Time interval in seconds at which the following files are synchronized among ADSS Server instances when installed in load-balanced mode, or when a stand-alone installation was made on multiple machines.
  • ADSS_INSTANCES_SYNCHRONIZATION_INTERVAL = 5
This property synchronizes these files:
  • [ADSS Server Installation Dir]\jdk\jre\lib\security\jssecacerts
  • [ADSS Server Installation Dir]\conf\adss.keystore
  • [ADSS Server Installation Dir]\conf\pkcs11.properties
ADSS Server connection retry count
If ADSS Server fails to communicate with an external HTTP/S resource (e.g. a TSA, CRL distribution point (CDP) or OCSP responder), this parameter defines how many times the connection is retried in order to recover it.
  • EXTERNAL_CONNECTION_RETRY_COUNT = 3
Enable MSCAPI Crypto
When enabled, MSCAPI is shown on the Crypto Source page and the keys stored in it can be used for cryptographic operations. This is a license controlled feature.
  • ENABLE_MSCAPI_CRYPTO = FALSE
Online log access mode
ADSS Server debug logs can be accessed from the Admin GUI. This feature can be exploited for a directory traversal attack and this parameter can be used to close off this feature.
  • ONLINE_LOG_ACCESS_MODE = OPEN_ACCESS
Possible values are: NO_ACCESS, OPEN_ACCESS, AUTHENTICATED_ACCESS 
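As an added illustration (not ADSS Server code) of how the three access modes above would be enforced, the block below gates log retrieval by mode and operator authentication and then applies a path-containment check, which is the standard mitigation for the directory traversal risk the description mentions. The function names, exception classes and the log directory path are assumptions made for this example.

```python
from pathlib import Path

# Illustrative enforcement of ONLINE_LOG_ACCESS_MODE plus a containment check on the
# requested file. Names and the log directory are assumptions, not ADSS Server code.

LOG_ACCESS_MODES = {"NO_ACCESS", "OPEN_ACCESS", "AUTHENTICATED_ACCESS"}   # values from the page


class LogAccessDenied(PermissionError):
    """The access mode (or missing authentication) forbids online log access."""


class PathEscapesLogDir(PermissionError):
    """The requested file resolves outside the configured log directory."""


def resolve_log_file(log_dir: str, requested: str, mode: str, operator_authenticated: bool) -> Path:
    if mode not in LOG_ACCESS_MODES:
        raise ValueError(f"invalid ONLINE_LOG_ACCESS_MODE: {mode}")
    if mode == "NO_ACCESS":
        raise LogAccessDenied("online log access is disabled")
    if mode == "AUTHENTICATED_ACCESS" and not operator_authenticated:
        raise LogAccessDenied("operator must be authenticated to read logs")

    base = Path(log_dir).resolve()
    target = (base / requested).resolve()
    # Containment check: after resolving '..' segments and absolute paths, the target
    # must still lie inside the log directory; otherwise the request is refused.
    try:
        target.relative_to(base)
    except ValueError:
        raise PathEscapesLogDir(f"path escapes log directory: {requested}") from None
    return target


def check(log_dir: str, requested: str, mode: str, operator_authenticated: bool) -> str:
    """Classify a request as 'allowed', 'denied' (mode/auth) or 'rejected' (traversal)."""
    try:
        resolve_log_file(log_dir, requested, mode, operator_authenticated)
        return "allowed"
    except PathEscapesLogDir:
        return "rejected"
    except LogAccessDenied:
        return "denied"


if __name__ == "__main__":
    base = "/opt/adss-example/logs"   # hypothetical log directory for this example
    for req in ("core/adss_core.log", "../../../etc/passwd", "/etc/passwd"):
        print(req, "->", check(base, req, "OPEN_ACCESS", False))
```

Two observations follow from running this: NO_ACCESS is the only setting under which no request is ever evaluated, and even with OPEN_ACCESS or AUTHENTICATED_ACCESS a request must not be served until the resolved path has been shown to stay inside the log directory.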
Messages Format
ADSS Server uses different templates to display errors and exceptions in response messages. Operators can modify them as needed.
  • FORMATTED_ERROR_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%
    Defines the template to display error information from the related ADSS Service. The "ERROR_CODE" and "ERROR_MESSAGE" placeholders are replaced with the actual text returned by the ADSS Service. 
  • HTML_FORMATTED_ERROR_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%
    Defines the template to display error information from the ADSS Console instance in the log file. The "ERROR_CODE" and "ERROR_MESSAGE" placeholders are replaced with the actual text returned by the ADSS Console.

  • FORMATTED_EXCEPTION_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%, %EXCEPTION_MESSAGE%
    Defines the template used to display exceptions for the ADSS Service instance. The "ERROR_CODE", "ERROR_MESSAGE" and "EXCEPTION_MESSAGE" placeholders are replaced with the actual text returned by the service.
  • HTML_FORMATTED_EXCEPTION_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%, %EXCEPTION_MESSAGE%
    Defines the template used to display exceptions for the ADSS Console instance. The "ERROR_CODE", "ERROR_MESSAGE" and "EXCEPTION_MESSAGE" placeholders are replaced with the actual text returned by the ADSS Console.

  • FORMATTED_CUSTOM_ERROR_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%, %CUSTOM_MESSAGE%
    Defines the template to display customized errors for the ADSS Server core, console and service instances. The "ERROR_CODE", "ERROR_MESSAGE" and "CUSTOM_MESSAGE" placeholders are replaced with text generated by the ADSS Server. 

  • HTML_FORMATTED_CUSTOM_ERROR_MESSAGE_TEMPLATE
    Reserved for future use.
ETSI Interoperability plug test mode
This property is used for internal purposes only. When it is enabled, the basic service code is not executed. This property is not intended for customers.
  • ETSI_PLUGTEST_INTEROP_MODE = FALSE
HSM Time Deviation
This property defines the acceptable time difference in milliseconds between ADSS Server and the HSM, and sends alerts to the configured operators if the hardware crypto source monitoring alert is enabled in Key Manager. To disable this feature, set the value to -1.
  • HSM_TIME_DEVIATION = 3
ADSS Server communication ports
ADSS Server uses different connection ports to receive service requests from client hosts.
  • CORE_MANAGER_PORT = 8770
    The reserved connection port for the core is 8770

  • CONSOLE_MANAGER_PORT = 8773
    The reserved connection port for the console is 8773

  • SERVICE_MANAGER_PORT = 8777
    The reserved connection port for services is 8777
Support email address
Email address of the Technical Support team to which an email notification is sent in case of an application error.
  • SUPPORT_EMAIL_ADDRESS = support@ascertia.com
ADSS Server locale
ADSS Server Locale e.g. 'en_US', 'fr_CA' etc.
  • ADSS_LOCALE = en_US
ADSS Server timezone
ADSS Server time zone, e.g. 'GMT', 'Zulu', 'UTC', 'CET', 'Australia/Sydney' etc.
  • ADSS_TIME_ZONE = SYSTEM
Communication with SMTP server over TLS
When set to FALSE, the ECC cryptographic provider from IAIK is not loaded. The default value is TRUE. Set the value to FALSE when communication with the SMTP server for email notifications is over TLS.
  • USE_IAIK_ECC_PROVIDER = TRUE
Visible Attribute Adjustment
Number of pixels by which the next visible attribute in the Signature Appearance is shifted upward when the value of an attribute is not provided in the request. Default value: 0 (no adjustment of the signature appearance object is made).
  • VISIBLE_ATTRIBUTE_ADJUSTMENT = 0
License Expiry Alert Settings
ADSS Server uses different settings for different types of license expiry alerts.
  • LICENSE_EXPIRY_ALERT_FIRST_DAYS = 30
    When the license expiry for an ADSS Server module is approaching, this defines, how many days before the license expiry, the first alert should be sent to the configured operators. Default value: 30 days 
  • LICENSE_EXPIRY_ALERT_SECOND_DAYS = 7
    When the license expiry for an ADSS Server module is approaching, this defines, how many days before the license expiry, the second alert should be sent to the configured operators. Default value: 7 days
  • LICENSE_EXPIRY_ALERT_FIRST_TRANSACTIONS = 5
    When the allowed transactions limit for an ADSS Server module is approaching, this defines the percentage of allowed transactions left before the first alert should be sent to the configured operators. Default value: 5% 
  • LICENSE_EXPIRY_ALERT_SECOND_TRANSACTIONS = 2
    When the allowed transactions limit for an ADSS Server module is approaching, this defines the percentage of allowed transactions left before the second alert should be sent to the configured operators. Default value: 2%
  • LICENSE_EXPIRY_ALERT_SEND_TO = ADMIN
    ADSS Server license expiry and transactions limit approaching alerts are sent to these operators. One or more comma separated registered Operator IDs can be configured. Default value: admin
Client Activation Threshold
It defines the time period in minutes for which the client application status remains INACTIVE after it has been inactivated automatically by the system due to authentication failures. Once this period has elapsed, the client application status is automatically reverted to ACTIVE.
This property is used in conjunction with the property "CLIENT_AUTHENTICATION_FAILURE_LIMIT". Default value: 60 minutes.
  • CLIENT_ACTIVATION_THRESHOLD = 60
Client Authentication failure limit
It defines the number of failed authentications after which the client application status is automatically marked as INACTIVE. The inactivity duration is defined by the property "CLIENT_ACTIVATION_THRESHOLD". Default value: 0 (i.e. unlimited failed authentications are allowed).
  • CLIENT_AUTHENTICATION_FAILURE_LIMIT = 0
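The two properties above work as a pair: the failure limit decides when a client is inactivated, and the activation threshold decides when it is automatically reactivated. The block below is an added illustration (not ADSS Server code) of that lockout and auto-revert logic, including the default of 0 under which a client is never inactivated. The ClientRecord and ClientAuthGuard names are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Illustrative model of CLIENT_AUTHENTICATION_FAILURE_LIMIT and CLIENT_ACTIVATION_THRESHOLD.
# Class and function names are assumptions for this example, not ADSS Server code.


@dataclass
class ClientRecord:
    client_id: str
    status: str = "ACTIVE"                 # ACTIVE or INACTIVE
    failures: int = 0                      # consecutive failed authentications
    inactivated_at: Optional[datetime] = None


class ClientAuthGuard:
    def __init__(self, failure_limit: int = 0, activation_threshold_minutes: int = 60):
        self.failure_limit = failure_limit                        # 0 = unlimited failures allowed
        self.threshold = timedelta(minutes=activation_threshold_minutes)

    def is_active(self, rec: ClientRecord, now: datetime) -> bool:
        """Auto-revert INACTIVE -> ACTIVE once the activation threshold has elapsed."""
        if (rec.status == "INACTIVE" and rec.inactivated_at is not None
                and now - rec.inactivated_at >= self.threshold):
            rec.status, rec.failures, rec.inactivated_at = "ACTIVE", 0, None
        return rec.status == "ACTIVE"

    def authenticate(self, rec: ClientRecord, credential_ok: bool, now: datetime) -> bool:
        """Return True if the request is accepted; update the failure counter and status."""
        if not self.is_active(rec, now):
            return False                   # inactive clients are rejected regardless of credentials
        if credential_ok:
            rec.failures = 0
            return True
        rec.failures += 1
        if self.failure_limit > 0 and rec.failures >= self.failure_limit:
            rec.status, rec.inactivated_at = "INACTIVE", now
        return False


def demo() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0)
    out = {}

    # Default limit 0: any number of failures never inactivates the client.
    guard = ClientAuthGuard(failure_limit=0)
    rec = ClientRecord("client-1")
    for i in range(50):
        guard.authenticate(rec, False, t0 + timedelta(seconds=i))
    out["default_status"] = rec.status                     # ACTIVE

    # Limit 5, threshold 60 minutes: the client is inactivated on the fifth failure,
    # rejected even with valid credentials while inactive, and reactivated after 60 minutes.
    guard = ClientAuthGuard(failure_limit=5, activation_threshold_minutes=60)
    rec = ClientRecord("client-2")
    for i in range(5):
        guard.authenticate(rec, False, t0 + timedelta(seconds=i))
    out["locked_status"] = rec.status                      # INACTIVE
    out["rejected_while_locked"] = guard.authenticate(rec, True, t0 + timedelta(minutes=30))    # False
    out["accepted_after_threshold"] = guard.authenticate(rec, True, t0 + timedelta(minutes=61))  # True
    out["status_after_revert"] = rec.status                # ACTIVE
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the counter is reset on every successful authentication, so the limit applies to consecutive failures; with the default value of 0 the guard records failures but never changes the client status, which is why the page calls that setting "unlimited".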
Block Installation
When enabled, ADSS Server Console requires the operator to change the default Admin certificate within 7 days; otherwise the ADSS Server installation is blocked. Default value: FALSE. If Common Criteria (CC) is enabled in the license, updating the Admin certificate is mandatory and this setting is ignored.
  • BLOCK_INSTALLATION = FALSE
Random number algorithm
It defines the algorithm used to generate random numbers in ADSS Server. Default value: HMacSHA256PRNG-SP80090.
  • RANDOM_NUMBER_ALGORITHM = HMacSHA256PRNG-SP80090
Supported algorithms are:
  • NIST SP800-90
    • Hash based secure Random
      • SHA1PRNG-SP80090
      • SHA224PRNG-SP80090
      • SHA256PRNG-SP80090
      • SHA384PRNG-SP80090
      • SHA512PRNG-SP80090
    • MAC-based secure random
      • HMacSHA1PRNG-SP80090
      • HMacSHA224PRNG-SP80090
      • HMacSHA256PRNG-SP80090
      • HMacSHA384PRNG-SP80090
      • HMacSHA512PRNG-SP80090 (default algorithm)
    • Blockcipher-based secure random 
      • AES128PRNG-SP80090
      • AES192PRNG-SP80090
      • AES256PRNG-SP80090

  • BSI AIS 20 v2.0
    • Hash based secure Random
      • SHA256PRNG
      • SHA384PRNG
      • SHA512PRNG
SDK Custom Request Time Out
Time interval in seconds to be used as request time out in specific service calls between different ADSS Services. Default value: 60
  • ADSS_SDK_CUSTOM_REQUEST_TIMEOUT = 60
Hash Algorithm to use with a key derivation function
Hash algorithm to use with a key derivation function, e.g. PBKDF2WithHMACSHA256, to securely store passwords. Default value: SHA256
  • PBKDF2_HASH_ALGO = SHA256
Possible hash algorithms are:
  • SHA256
  • SHA384
  • SHA512
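To show what PBKDF2_HASH_ALGO selects, the block below is an added example (not ADSS Server code) of password storage with PBKDF2WithHMAC over the three hash algorithms listed above: it rejects any other algorithm, stores the salt and iteration count alongside the derived key, and verifies with a constant-time comparison. The record format, iteration count and salt length are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative password-storage helper driven by PBKDF2_HASH_ALGO. The record format,
# iteration count and salt length are assumptions for this example, not ADSS Server code.

ALLOWED_HASH_ALGOS = {"SHA256", "SHA384", "SHA512"}   # the values listed on the page
ITERATIONS = 210_000                                  # assumption; pick per your own policy
SALT_BYTES = 16
SCHEME_PREFIX = "PBKDF2WithHMAC"


def _digest_name(pbkdf2_hash_algo: str) -> str:
    """Map the property value to the hashlib digest name, refusing anything not allowed."""
    if pbkdf2_hash_algo not in ALLOWED_HASH_ALGOS:
        raise ValueError(f"unsupported PBKDF2_HASH_ALGO: {pbkdf2_hash_algo}")
    return pbkdf2_hash_algo.lower()          # sha256 / sha384 / sha512


def hash_password(password: str, pbkdf2_hash_algo: str = "SHA256",
                  salt: Optional[bytes] = None) -> str:
    """Return 'PBKDF2WithHMAC<ALGO>$<iterations>$<salt b64>$<derived key b64>' for storage."""
    digest = _digest_name(pbkdf2_hash_algo)
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        f"{SCHEME_PREFIX}{pbkdf2_hash_algo}",
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key using the parameters embedded in the stored record."""
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if not scheme.startswith(SCHEME_PREFIX):
        raise ValueError(f"unrecognised scheme: {scheme}")
    digest = _digest_name(scheme[len(SCHEME_PREFIX):])
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)   # constant-time comparison


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", "SHA256")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
```

Embedding the algorithm name and iteration count in each record means that changing PBKDF2_HASH_ALGO later does not invalidate existing records; old ones keep verifying with the parameters they were created with and can be re-hashed on the next successful login.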
Service Stats Sleep Interval
Time interval in seconds to be used as the sleep interval before updating service stats into the database. Default value: 5 seconds
  • SERVICE_STATS_SLEEP_INTERVAL = 5
Enable CA validation check
When enabled, ADSS CA Server enforces that certificates are issued according to the CA/B Forum and WebTrust guidelines. Default value: FALSE
  • ENABLE_CA_VALIDATION_CHECK = FALSE
If this property is set to TRUE, it is recommended to also set the "Debian weak Keys" property to TRUE so that Debian weak keys are checked as per the CA/B Forum guidelines. If this property is set to TRUE, also enable the check box "Keep expired revoked certificates in the CRL" for the configured Local CAs under the Manage CAs module, as per the WebTrust guidelines.
Debian weak Keys
If the value is set to TRUE, before generating a certificate ADSS Server checks that the public key in the CSR is not a Debian weak key. Default value: FALSE
  • CHECK_DEBIAN_WEAK_KEYS = FALSE
Bypass CRL expiry
When set to TRUE, the OCSP Service skips CRL expiry checking and returns the certificate status in the OCSP response. When set to FALSE, the OCSP Service checks the CRL expiry before checking the certificate status. Default value: FALSE
  • BYPASS_CRL_EXPIRY = FALSE
Stop ADSS Services if HSM is disconnected
The HSM monitoring thread checks the availability of the HSM according to the configuration defined in a Crypto Profile. If the HSM loses its connection with ADSS Server and the property below is set to TRUE, the thread waits 5 seconds and then makes another call to the HSM. This is repeated three times; if the connection is still not established, the thread stops the ADSS Server services and an alert is sent to the configured operators. If the property below is set to FALSE, the ADSS services remain active and only an alert is sent to the configured operators. Default value: FALSE
  • STOP_ADSS_IF_HSM_DISCONNECTED = FALSE
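The retry-then-decide sequence described above is shown in the following added example (not ADSS Server code): one pass of a monitoring loop that probes the HSM, retries three times with a 5-second wait, and then either stops the services or only alerts depending on the property. The probe, sleep, stop and alert callbacks are injected so the logic can be exercised without a real HSM or real delays; their names are assumptions made for this example.

```python
from typing import Callable, List, Tuple

# Illustrative model of STOP_ADSS_IF_HSM_DISCONNECTED. The monitor function and its
# callbacks are assumptions for this example, not ADSS Server code.

RETRY_COUNT = 3          # page: "repeated three times"
RETRY_WAIT_SECONDS = 5   # page: "waits 5 seconds"


def hsm_monitor_cycle(hsm_reachable: Callable[[], bool],
                      stop_adss_if_hsm_disconnected: bool,
                      sleep: Callable[[float], None],
                      stop_services: Callable[[], None],
                      send_alert: Callable[[str], None]) -> str:
    """One pass of the monitoring thread. Returns 'ok', 'stopped' or 'alert_only'."""
    if hsm_reachable():
        return "ok"
    for _ in range(RETRY_COUNT):
        sleep(RETRY_WAIT_SECONDS)          # wait before the next connection attempt
        if hsm_reachable():
            return "ok"                    # connection recovered during the retries
    send_alert(f"HSM unreachable after {RETRY_COUNT} retries")
    if stop_adss_if_hsm_disconnected:
        stop_services()                    # TRUE: services are stopped and the alert is sent
        return "stopped"
    return "alert_only"                    # FALSE: services stay active, only the alert is sent


def demo(stop_flag: bool, probe_outcomes: List[bool]) -> Tuple[str, int, bool, int]:
    """Run one cycle against a constructed sequence of probe results (constructed input).
    Returns (result, number of sleeps, whether services were stopped, number of alerts)."""
    outcomes = iter(probe_outcomes)
    sleeps: List[float] = []
    stops: List[str] = []
    alerts: List[str] = []
    result = hsm_monitor_cycle(
        hsm_reachable=lambda: next(outcomes, False),   # exhausted sequence = still unreachable
        stop_adss_if_hsm_disconnected=stop_flag,
        sleep=sleeps.append,
        stop_services=lambda: stops.append("stop"),
        send_alert=alerts.append,
    )
    return result, len(sleeps), bool(stops), len(alerts)


if __name__ == "__main__":
    print(demo(True, [False, False, False, False]))   # ('stopped', 3, True, 1)
    print(demo(False, [False, False, False, False]))  # ('alert_only', 3, False, 1)
    print(demo(True, [False, True]))                  # ('ok', 1, False, 0)
```

Injecting the sleep function is what makes the 5-second waits testable; in a real thread `time.sleep` would be passed in its place.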