Unity Console Admin Guide

Property

Description

Caching for Certificates, CRLs and OCSP Responses

These parameters are used for caching the Certificates, CRLs and OCSP Responses in memory found during path building process. These properties are consumed by the Verification, XKMS and SCVP Services only.

• ENABLE_CERTIFICATE_CACHING = TRUE
  This property is used for certificate caching. If you wish to disable the certificate caching then set the value to FALSE.
• CERTIFICATE_CACHE_INTERVAL = 4
  This property defines the caching time in minutes for the certificate. If the certificate caching is disabled then it does not have any effect on the system.
• ENABLE_CRL_OCSP_CACHING = TRUE
  This property is used for CRL and OCSP responses caching found during path building. If you wish to disable the CRL and OCSP response caching then set the value to FALSE.
• CRL_OCSP_CACHE_INTERVAL = 4
  This property defines the caching time in minutes for the CRLs and OCSP responses. If the CRL and OCSP caching is disabled then it does not have any effect on the system. If the CRLs in cache expires before reaching the cache expiry time then new CRL will be downloaded. If ''NEXT_UPDATE'' is set as a value for ''CRL_OCSP_CACHE_INTERVAL", then after 15 minutes both CRL and OCSP responses would be removed from the cache for which next update is reached.

Organization Identifier

When set to TRUE, the IAK parser accurately identifies and processes the "organizationIdentifier" attribute while parsing X.509 Distinguished Names (DN). Default Value: False

• ENABLE_ORGANIZATION_IDENTIFIER_DN = FALSE

HMAC verification of public keys

If enabled, HMAC of the records containing different types of public keys and certificates will be checked on each access of the key and certificate and an error will be generated if any tampering detected. Some of these certificates include user and business application's TLS client certificates. Possible values are TRUE/FALSE. Default value: FALSE

• PUBLIC_KEY_HMAC_VERIFY = FALSE

Unregistered CA/ CRL timeout during path building

Number of seconds to terminate a connection if a certificate/CRL is not downloaded when Advanced Discovery option is enabled in Verification, XKMS and SCVP Services.

• UNREGISTERED_CA_CRL_TIMEOUT = 180

Certificate not issued status

Certificate status in the OCSP response when allowed listing is enabled and target certificate is not found in the database.

• CERTIFICATE_NOT_ISSUED_STATUS = REVOKED

The possible values are 'REVOKED' & 'UNKNOWN' 

CRL cache update interval for high speed OCSP

Time interval in seconds to update the CRL in its memory cache when high speed revocation checking has been enabled for a CA in Trust Manager.

• CRL_CACHE_UPDATE_INTERVAL = 600

Valid certificate deletion

When this property is set to TRUE, a non expired certificate can be deleted by a DELETE request from the Certification Service or the Admin GUI.

If the value is set to FALSE then only expired certificates can be deleted.

• ENABLE_VALID_CERTIFICATE_DELETION = TRUE

Unwrapped key cache interval

Configure this parameter to set the time interval in seconds, after which any cached keys will be deleted from the target HSM if KEK based wrapping is enabled.

• UNWRAPPED_KEY_CACHE_INTERVAL = 60

OTP configurations for two factor authentication

These parameters are used for OTP configurations when using two factor authentication.

• SIGN_AUTH_OTP_LENGTH = 9
  One Time Password (OTP) length when OTP via SMS is used as second factor authentication, default value is 9. Possible values are 6 and 9.
• EXPIRED_OTP_REMOVAL_INTERVAL = 60
  It defines the sleep interval in minutes for expired OTP removal process, the default value is 60.

USE_READ_ONLY_
PKCS11_KEY_STORE

This value is used to set the PKCS11 keystore for the read only use.  If value is TRUE then fast PKCS11KeyStore will be used for read-only operations. 

The default value is FALSE thus allowing read / write operations and the (slower) communication option PKCS11KeyStore will be used. 

• USE_READ_ONLY_PKCS11_KEY_STORE = FALSE

PKIX compliance mode

Used to validate the certificates according to the PKIX guidelines in Verification, XKMS and SCVP Services. Set this TRUE or FALSE as required.

• PKIX_COMPLIANCE_MODE = FALSE

Alert block threshold

Time interval after which an accumulated alert message is sent to users when frequent occurrences of a log error event have occurred.

• ALERTS_BLOCK_THRESHOLD = 300

ADSS Server instances synchronization interval

Time interval in seconds to synchronize the following files among ADSS Server instances when installed in load-balanced mode or stand-alone installation was made on multiple machines.

• ADSS_INSTANCES_SYNCHRONIZATION_INTERVAL = 5

This property sync these files:

• [ADSS Server Installation Dir]\jdk\jre\lib\security\jssecacerts
• [ADSS Server Installation Dir]\conf\adss.keystore
• [ADSS Server Installation Dir]\conf\pkcs11.properties

ADSS Server connection retry count

If ADSS Server fails to communicate with the external HTTP/S resource (i.e. TSA, CRLs (CDP), OCSP etc.), this retry parameter can be configured to recover the connection.

• EXTERNAL_CONNECTION_RETRY_COUNT = 3

Enable MSCAPI Crypto

When enabled, MSCAPI will be shown on Crypto Source page and the keys stored in it could be used for cryptographic operations. This is a license controlled feature.

• ENABLE_MSCAPI_CRYPTO = FALSE 

Online log access mode

ADSS Server debug logs can be accessed from the Admin GUI. This feature can be exploited for a directory traversal attack and this parameter can be used to close off this feature.

• ONLINE_LOG_ACCESS_MODE = OPEN_ACCESS

Possible values are: NO_ACCESS, OPEN_ACCESS, AUTHENTICATED_ACCESS 

Messages Format

ADSS Server uses different templates to display errors and exceptions in response messages. user can modify them as per needed. 

• FORMATTED_ERROR_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%
  Defines the template to display error information from the related ADSS Service. The "ERROR_CODE" and "ERROR_MESSAGE" placeholders are replaced with the actual text returned by the ADSS Service. 
• HTML_FORMATTED_ERROR_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%
  Defines the template to display error information from the ADSS Console instance in the log file. The "ERROR_CODE" and "ERROR_MESSAGE" placeholders are replaced with the actual text returned by the ADSS Console.
• FORMATTED_EXCEPTION_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%, %EXCEPTION_MESSAGE%
  Defines the template to display exception for the ADSS Service instance. The "ERROR_CODE", "ERROR_MESSAGE" and "EXCEPTION_MESSAGE" placeholders are replaced with the actual text returned by the service.
• HTML_FORMATTED_EXCEPTION_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%, %EXCEPTION_MESSAGE%
  Defines the template to display exception for the ADSS Console instance. The "ERROR_CODE", "ERROR_MESSAGE" and "EXCEPTION_MESSAGE" placeholders are replaced with the actual text returned by the ADSS Console.
• FORMATTED_CUSTOM_ERROR_MESSAGE_TEMPLATE = [Error-%ERROR_CODE%] %ERROR_MESSAGE%, %CUSTOM_MESSAGE%
  Defines the template to display customized errors for the ADSS Server core, console and service instances. The "ERROR_CODE", "ERROR_MESSAGE" and "CUSTOM_MESSAGE" placeholders are replaced with text generated by the ADSS Server. 
• HTML_FORMATTED_CUSTOM_ERROR_MESSAGE_TEMPLATE
  Reserved for the future use.

ETSI Interoperability plug test mode

This property is used for internal purpose only. When this property is enabled the basic service code is not executed. This property is not intended for customers.

• ETSI_PLUGTEST_INTEROP_MODE = FALSE

HSM Time Deviation

This property defines acceptable time difference between ADSS Server and HSM in milliseconds and send alerts to configured users if hardware crypto source monitoring alert is enabled in Key Manager. To disable this feature set the -1 as value. 

• HSM_TIME_DEVIATION = 3

ADSS Server communication ports

ADSS Server uses different connection port to receive service requests from client hosts.

• CORE_MANAGER_PORT = 8770
  The reserved connection port for the core is 8770
• CONSOLE_MANAGER_PORT = 8773
  The reserved connection port for the console is 8773
• SERVICE_MANAGER_PORT = 8778
  The reserved connection port for services is 8778

Support email address

Email address of Technical Support team to send email notification in case of an application error.

• SUPPORT_EMAIL_ADDRESS = support@ascertia.com

ADSS Server locale

ADSS Server Locale e.g. 'en_US', 'fr_CA' etc.

• ADSS_LOCALE = en_US

ADSS Server timezone

ADSS Server time zone e.g. 'GMT', 'Zulu', 'UTC', CET, Australia/Sydney etc.

• ADSS_TIME_ZONE = SYSTEM

Communication with SMTP server over TLS

When set to FALSE, the ECC cryptographic provider from IAIK is not loaded. Default value is TRUE. The value should be set to FALSE when communication with the SMTP Server for email notifications is over TLS.

• AUSE_IAIK_ECC_PROVIDER = TRUE

Visible Attribute Adjustment

Number of pixels, the next visible attribute in Signature Appearance is shifted upward when the value of an attribute is not provided in the request. Default value: 0 (Signature appearance object adjustment not required) 

• VISIBLE_ATTRIBUTE_ADJUSTMENT = 0

License Expiry Alert Settings

ADSS Server uses different settings for different types of license expiry alerts.

• LICENSE_EXPIRY_ALERT_FIRST_DAYS = 30
  When the license expiry for an ADSS Server module is approaching, this defines, how many days before the license expiry, the first alert should be sent to the configured users. Default value: 30 days 
• LICENSE_EXPIRY_ALERT_SECOND_DAYS = 7
  When the license expiry for an ADSS Server module is approaching, this defines, how many days before the license expiry, the second alert should be sent to the configured users. Default value: 7 days
• LICENSE_EXPIRY_ALERT_FIRST_TRANSACTIONS = 5
  When the allowed transactions limit for an ADSS Server module is approaching, this defines the percentage of allowed transactions left before the first alert should be sent to the configured users. Default value: 5% 
• LICENSE_EXPIRY_ALERT_SECOND_TRANSACTIONS = 2
  When the allowed transactions limit for an ADSS Server module is approaching, this defines the percentage of allowed transactions left before the second alert should be sent to the configured users. Default value: 2%
• LICENSE_EXPIRY_ALERT_SEND_TO = ADMIN
  ADSS Server license expiry and transactions limit approaching alerts are sent to these users. One or more comma separated registered user IDs can be configured. Default value: admin.
• LICENSE_EXPIRY_ALERT_FIRST_DAYS = 30
  When the license expiry for an ADSS Server module is approaching, this defines, how many days before the license expiry, the first alert should be sent to the configured users. Default value: 30 days 
• LICENSE_EXPIRY_ALERT_SECOND_DAYS = 7
  When the license expiry for an ADSS Server module is approaching, this defines, how many days before the license expiry, the second alert should be sent to the configured users. Default value: 7 days
• LICENSE_EXPIRY_ALERT_FIRST_TRANSACTIONS = 5
  When the allowed transactions limit for an ADSS Server module is approaching, this defines the percentage of allowed transactions left before the first alert should be sent to the configured users. Default value: 5% 
• LICENSE_EXPIRY_ALERT_SECOND_TRANSACTIONS = 2
  When the allowed transactions limit for an ADSS Server module is approaching, this defines the percentage of allowed transactions left before the second alert should be sent to the configured users. Default value: 2%
• LICENSE_EXPIRY_ALERT_SEND_TO = ADMIN
  ADSS Server license expiry and transactions limit approaching alerts are sent to these users. One or more comma separated registered user IDs can be configured. Default value: admin

Client Activation Threshold

It defines the time period in minutes for which the client application status remains INACTIVE, if Inactivated automatically by the system due to authentication failures. Once this period is elapsed, the client application status is automatically reverted back to ACTIVE. 

This property is used in conjunction with property "CLIENT_AUTHENTICATION_FAILURE_LIMIT". Default value: 60 minutes. 

• CLIENT_ACTIVATION_THRESHOLD = 60

Client Authentication failure limit

It defines the number of failed authentications after which the client application status is automatically marked as INACTIVE. The inactivity duration is defined using the property "CLIENT_ACTIVATION_THRESHOLD". Default value: 0 (i.e. unlimited failed authentications allowed).

• CLIENT_AUTHENTICATION_FAILURE_LIMIT = 0

Block Installation

When enabled ADSS Server Console enforces user to change default Admin certificate within 7 days otherwise ADSS Server installation will be blocked. Default value is : False. If Common Criteria (CC) is enabled in license then updating Admin certificate is mandatory and this setting will be ignored.   

• BLOCK_INSTALLATION = FALSE

Random number algorithm

It defines the algorithm to generate the random numbers in ADSS Server. Default value: HMacSHA256PRNG-SP80090. 

• RANDOM_NUMBER_ALGORITHM = HMacSHA256PRNG-SP80090

Supported algorithms are:

• NIST SP800-90

• Hash based secure Random
• SHA1PRNG-SP80090
• SHA224PRNG-SP80090
• SHA256PRNG-SP80090
• SHA384PRNG-SP80090
• SHA512PRNG-SP80090
• MAC-based secure random
• HMacSHA1PRNG-SP80090
• HMacSHA224PRNG-SP80090
• HMacSHA256PRNG-SP80090
• HMacSHA384PRNG-SP80090
• HMacSHA512PRNG-SP80090 (default algorithm)
• Blockcipher-based secure random 
• AES128PRNG-SP80090
• AES192PRNG-SP80090
• AES256PRNG-SP80090

• BSI AIS 20 v2.0

• Hash based secure Random
• SHA256PRNG
• SHA384PRNG
• SHA512PRNG.

SDK Custom Request Time Out

Time interval in seconds to be used as request time out in specific service calls between different ADSS Services. Default value: 60

• ADSS_SDK_CUSTOM_REQUEST_TIMEOUT = 60

Hash Algorithm to use with a key derivation function

Hash Algorithm to use with a key derivation function e.g. PBKDF2WithHMACSHA256 to securely store the passwords. Default Value: SHA256

• PBKDF2_HASH_ALGO = SHA256

Possible hash algorithms are:

• SHA256
• SHA384
• SHA512

Service Stats Sleep Interval

Time interval in seconds to be used as sleep interval before updating service stats in to database. Default value: 5 seconds

• SERVICE_STATS_SLEEP_INTERVAL = 5

Enable CA validation check

When enabled, ADSS CA Server enforces that the certificate are issued according to the CA/B forum and WebTrust guidelines. Default value: FALSE

• ENABLE_CA_VALIDATION_CHECK = FALSE

Debian weak Keys

If the value is set to TRUE, before generating a certificate, the ADSS server will check the public key in a CSR is not a Debian weak key. Default Value: FALSE

• CHECK_DEBIAN_WEAK_KEYS = FALSE

Bypass CRL expiry

When set to TRUE, the OCSP Service will skip the CRL expiry checking and return the certificate status in OCSP response. When set to FALSE, the OCSP service will check the CRL expiry before certificate status checking. Default value: FALSE

• BYPASS_CRL_EXPIRY = FALSE

Stop ADSS Services if HSM is disconnected

HSM monitoring thread checks the availability of HSM according to the configurations defined in a Crypto Profile. If HSM loses connection with the ADSS Server and the below property is set to TRUE, then the thread waits for 5 seconds to make another call to the HSM for connection. This process is repeated three times and still if the connection is not established with HSM, then the thread stops the ADSS Server Services and an alert is sent to the configured users. If the below property is set to FALSE, then ADSS Services will remain active and only alert is sent to configured users. Default Value: False  

• STOP_ADSS_IF_HSM_DISCONNECTED = FALSE

Check Valid Certificate Issuer Status

When enabled, system will check that target certificate is issued by the CA mentioned in OCSP request while checking its status in white list database. Default value: FALSE

• CHECK_VALID_CERTIFICATE_ISSUER = FALSE

Key Wrapping Mechanism

Key Wrapping Mechanism. Possible values: CKM_AES_CBC_PAD, CKM_AES_KEY_WRAP_KWP. Default value: CKM_AES_CBC_PAD. 

Note: The possible values will only work where the HSM is fully compliant with V3, otherwise you should use default values.

• PKCS11_KEY_WRAPPING_MECHANISM
• CKM_AES_KEY_WRAP_KWP

Bypass Proxy for Local IP Addresses

It is a comma separated list of local IP addresses or DNS names for which the system will bypass the proxy. Default value: 127.0.0.1.

• BYPASS_PROXY_FOR_LOCAL_IP_ADDRESSES = 127.0.0.1

Classic Console

This URL will be placed in the Unity Console in order to redirect the user to Classic Console. In production environment, the user will need to update it with a valid URL. Default value: https://localhost:8774/adss/console

• CLASSIC_CONSOLE_URL = https://localhost:8774/adss/console

Unity Console

This URL will be placed in the Classic Console in order to redirect the user to Unity Console. In production environment, the user will need to update it with a valid URL. Default value: https://localhost:8794/adss/console

• UNITY_CONSOLE_URL = https://localhost:8794/adss/console

RSA Vulnerability Detection

When enabled, ADSS Server ensures that certificates issued by the Local CA for client-generated keys and PFX files imported into Service Keys are not vulnerable to RSA-related issues, such as ROCA Infineon RSA key vulnerability (CVE-2017-15361) and the Close Primes Vulnerability (CVE-2022-26320). Default value: FASLE

• RSA_VULNERABILITY_DETECTION = FALSE

ECDSA Attacks Detection

When enabled, ADSS CA Server enforces that the certificate are issued after checking ECDSA public keys against security attacks (Side-channel and Twist-security). Default value: FASLE

• ECDSA_ATTACKS_DETECTION = FALSE