General
These settings can be found on the Global Settings > Advanced Settings page.
| Property | Description |
|---|---|
| Caching for Certificates, CRLs and OCSP Responses | These parameters control the in-memory caching of the certificates, CRLs and OCSP responses found during the path building process. They are consumed by the Verification, XKMS and SCVP Services only. |
| Organization Identifier | When set to TRUE, the IAK parser accurately identifies and processes the "organizationIdentifier" attribute while parsing X.509 Distinguished Names (DNs). Default value: False. |
| HMAC verification of public keys | If enabled, the HMAC of the records containing the different types of public keys and certificates is checked on each access of the key or certificate, and an error is generated if any tampering is detected. Such certificates include the operator and business application TLS client certificates. Possible values: TRUE/FALSE. Default value: FALSE. |
| Unregistered CA/CRL timeout during path building | Number of seconds after which a connection is terminated if a certificate/CRL has not been downloaded, when the Advanced Discovery option is enabled in the Verification, XKMS and SCVP Services. |
| Certificate not issued status | Certificate status returned in the OCSP response when allow listing is enabled and the target certificate is not found in the database. Possible values: 'REVOKED' and 'UNKNOWN'. |
| CRL cache update interval for high speed OCSP | Time interval in seconds at which the CRL in the memory cache is updated when high speed revocation checking has been enabled for a CA in Trust Manager. |
| Valid certificate deletion | When set to TRUE, a non-expired certificate can be deleted by a DELETE request from the Certification Service or the Admin GUI. When set to FALSE, only expired certificates can be deleted. |
| Unwrapped key cache interval | Time interval in seconds after which any cached keys are deleted from the target HSM when KEK-based wrapping is enabled. |
| OTP configurations for two factor authentication | These parameters hold the OTP configuration used for two factor authentication. |
| Use PKCS11 key-store for read only operations | Sets the PKCS11 key-store to read-only use. If TRUE, the fast PKCS11KeyStore is used for read-only operations. Default value: FALSE, which allows read/write operations and uses the (slower) communication option PKCS11KeyStore. |
| PKIX compliance mode | Validates certificates according to the PKIX guidelines in the Verification, XKMS and SCVP Services. Set to TRUE or FALSE as required. |
| Alert block threshold | Time interval after which an accumulated alert message is sent to operators when a log error event has occurred frequently. |
| ADSS Server instances synchronization interval | Time interval in seconds at which the following files are synchronized among ADSS Server instances installed in load-balanced mode, or as stand-alone installations on multiple machines. This property syncs these files: |
| ADSS Server connection retry count | If ADSS Server fails to communicate with an external HTTP/S resource (e.g. TSA, CRLs (CDP), OCSP), this retry count can be configured to recover the connection. |
| Enable MSCAPI Crypto | When enabled, MSCAPI is shown on the Crypto Source page and the keys stored in it can be used for cryptographic operations. This is a license-controlled feature. |
| Online log access mode | ADSS Server debug logs can be accessed from the Admin GUI. Because this feature could be exploited for a directory traversal attack, this parameter can be used to close it off. Possible values: NO_ACCESS, OPEN_ACCESS, AUTHENTICATED_ACCESS. |
| Messages Format | ADSS Server uses different templates to display errors and exceptions in response messages. Operators can modify them as needed. |
| ETSI Interoperability plug test mode | This property is for internal use only. When enabled, the basic service code is not executed. It is not intended for customers. |
| HSM Time Deviation | Defines the acceptable time difference, in milliseconds, between ADSS Server and the HSM, and sends alerts to the configured operators if the hardware crypto source monitoring alert is enabled in Key Manager. To disable this feature, set the value to -1. |
| ADSS Server communication ports | ADSS Server uses different connection ports to receive service requests from client hosts. |
| Support email address | Email address of the Technical Support team to which an email notification is sent in case of an application error. |
| ADSS Server locale | ADSS Server locale, e.g. 'en_US', 'fr_CA'. |
| ADSS Server timezone | ADSS Server time zone, e.g. 'GMT', 'Zulu', 'UTC', 'CET', 'Australia/Sydney'. |
| Communication with SMTP server over TLS | When set to FALSE, the ECC cryptographic provider from IAIK is not loaded. Default value: TRUE. Set this to FALSE when communication with the SMTP server for email notifications is over TLS. |
| Visible Attribute Adjustment | Number of pixels by which the next visible attribute in the Signature Appearance is shifted upward when the value of an attribute is not provided in the request. Default value: 0 (no adjustment of the signature appearance object). |
| License Expiry Alert Settings | ADSS Server uses different settings for the different types of license expiry alerts. |
| Client Activation Threshold | Defines the time period in minutes for which a client application's status remains INACTIVE after it has been inactivated automatically by the system due to authentication failures. Once this period has elapsed, the client application status automatically reverts to ACTIVE. Used in conjunction with the property "CLIENT_AUTHENTICATION_FAILURE_LIMIT". Default value: 60 minutes. |
| Client Authentication failure limit | Defines the number of failed authentications after which the client application status is automatically marked INACTIVE. The inactivity duration is defined by the property "CLIENT_ACTIVATION_THRESHOLD". Default value: 0 (i.e. unlimited failed authentications allowed). |
| Block Installation | When enabled, the ADSS Server Console forces the operator to change the default Admin certificate within 7 days; otherwise the ADSS Server installation is blocked. Default value: False. If Common Criteria (CC) is enabled in the license, updating the Admin certificate is mandatory and this setting is ignored. |
| Random number algorithm | Defines the algorithm used to generate random numbers in ADSS Server. Default value: HMacSHA256PRNG-SP80090. Supported algorithms are: |
| SDK Custom Request Time Out | Time interval in seconds used as the request timeout in specific service calls between different ADSS Services. Default value: 60. |
| Hash Algorithm to use with a key derivation function | Hash algorithm to use with a key derivation function, e.g. PBKDF2WithHMACSHA256, to securely store passwords. Default value: SHA256. Possible hash algorithms are: |
| Service Stats Sleep Interval | Time interval in seconds to sleep before updating service stats into the database. Default value: 5 seconds. |
| Enable CA validation check | When enabled, ADSS CA Server enforces that certificates are issued according to the CA/B Forum and WebTrust guidelines. Default value: FALSE. |
| Debian weak Keys | If set to TRUE, before generating a certificate the ADSS Server checks that the public key in the CSR is not a Debian weak key. Default value: FALSE. |
| Bypass CRL expiry | When set to TRUE, the OCSP Service skips the CRL expiry check and returns the certificate status in the OCSP response. When set to FALSE, the OCSP Service checks the CRL expiry before checking the certificate status. Default value: FALSE. |
| Stop ADSS Services if HSM is disconnected | The HSM monitoring thread checks the availability of the HSM according to the configuration defined in a Crypto Profile. If the HSM loses its connection with ADSS Server and this property is set to TRUE, the thread waits 5 seconds and then makes another connection attempt to the HSM. This is repeated three times; if the connection is still not established, the thread stops the ADSS Server services and an alert is sent to the configured operators. If this property is set to FALSE, the ADSS Services remain active and only an alert is sent to the configured operators. Default value: False. |
| Check Valid Certificate Issuer Status | When enabled, the system checks that the target certificate was issued by the CA named in the OCSP request while checking its status in the white list database. Default value: FALSE. |
| Key Wrapping Mechanism | Key wrapping mechanism. Possible values: CKM_AES_CBC_PAD, CKM_AES_KEY_WRAP_KWP. Default value: CKM_AES_CBC_PAD. Note: the non-default value only works where the HSM is fully compliant with PKCS#11 V3; otherwise use the default value. |
| Bypass Proxy for Local IP Addresses | A comma-separated list of local IP addresses or DNS names for which the system bypasses the proxy. Default value: 127.0.0.1. |
| Classic Console | This URL is placed in the Unity Console to redirect the user to the Classic Console. In a production environment, the user must update it with a valid URL. Default value: https://localhost:8774/adss/console |
| Unity Console | This URL is placed in the Classic Console to redirect the user to the Unity Console. In a production environment, the user must update it with a valid URL. Default value: https://localhost:8794/adss/console |
| Serial Number Length | Defines the length of the serial number (in bytes) used when generating a certificate. Default value: 20 bytes. Note: the value cannot be set to '0' or a negative number, and cannot be set greater than '20', in order to remain compliant with RFC 5280. |
| RSA Vulnerability Detection | When enabled, ADSS Server ensures that certificates issued by the Local CA for client-generated keys, and PFX files imported into Service Keys, are not vulnerable to RSA-related issues such as the ROCA Infineon RSA key vulnerability (CVE-2017-15361) and the Close Primes vulnerability (CVE-2022-26320). Default value: FALSE. |
| ECDSA Attacks Detection | When enabled, ADSS CA Server enforces that certificates are issued only after checking ECDSA public keys against security attacks (side-channel and twist-security). Default value: FALSE. Limitation: if an operator has enabled this property, the key lengths 160 and 192 for the curve types NIST P and Brainpool R & T are not supported. |
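As an added example that is not ADSS Server code, the following Python models how the Client Authentication failure limit and Client Activation Threshold properties interact: consecutive failed authentications (limit 0 = unlimited, never lock) flip a client application to INACTIVE, and the status reverts to ACTIVE automatically once the threshold in minutes has elapsed. It assumes that a successful authentication resets the failure counter; the client id and timestamps are constructed.

```python
# Added example (not ADSS Server code): a model of the client application lockout
# implied by CLIENT_AUTHENTICATION_FAILURE_LIMIT and CLIENT_ACTIVATION_THRESHOLD.
# Times are plain epoch seconds so the model is easy to drive from tests.

ACTIVE, INACTIVE = "ACTIVE", "INACTIVE"


class ClientLockout:
    def __init__(self, failure_limit=0, activation_threshold_minutes=60):
        # failure_limit: consecutive failures before INACTIVE; 0 = unlimited (never lock).
        # activation_threshold_minutes: how long the client stays INACTIVE before auto-revert.
        self.failure_limit = failure_limit
        self.threshold_seconds = activation_threshold_minutes * 60
        self.clients = {}  # client_id -> {"status", "failures", "inactivated_at"}

    def _record(self, client_id):
        return self.clients.setdefault(
            client_id, {"status": ACTIVE, "failures": 0, "inactivated_at": None})

    def status(self, client_id, now_seconds):
        """Current status, applying the automatic revert to ACTIVE once the threshold elapsed."""
        rec = self._record(client_id)
        if (rec["status"] == INACTIVE
                and now_seconds - rec["inactivated_at"] >= self.threshold_seconds):
            rec.update(status=ACTIVE, failures=0, inactivated_at=None)
        return rec["status"]

    def authenticate(self, client_id, credentials_ok, now_seconds):
        """Return True if the request may proceed. A failure counts toward the limit;
        requests from an INACTIVE client are rejected even with valid credentials."""
        if self.status(client_id, now_seconds) == INACTIVE:
            return False
        rec = self._record(client_id)
        if credentials_ok:
            rec["failures"] = 0  # assumption: success resets the counter
            return True
        rec["failures"] += 1
        if self.failure_limit > 0 and rec["failures"] >= self.failure_limit:
            rec.update(status=INACTIVE, inactivated_at=now_seconds)
        return False


if __name__ == "__main__":
    lock = ClientLockout(failure_limit=3, activation_threshold_minutes=60)
    for t in range(3):                      # three constructed failures at t = 0, 1, 2
        lock.authenticate("business-app-1", False, now_seconds=t)
    print(lock.status("business-app-1", now_seconds=3))         # INACTIVE
    print(lock.status("business-app-1", now_seconds=3 + 3600))  # ACTIVE
```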
See also