This section summarizes partition settings that are configurable by UCL (Unbound Command Language) and by the UI. For UI-only configurable settings, see:
CORE partition settings include the following:
- Permanent read-only properties that were set by the Root SO (Security Officer, the UKC partition administrator role) when the partition was created.
- Properties that are changeable by the partition's SO:
| Property | Alias | Description | Default |
|---|---|---|---|
| x-DY_FIPS_REQUIREMENTS | fips-req | Partition Policy in FIPS (Federal Information Processing Standards) Mode | |
| x-DY_ALLOW_NAT | allow-nat | Check-IP and Allow-NAT | No |
| x-DY_CHECK_IP | check-ip | Check-IP and Allow-NAT | No |
| x-DY_CLIENT_REGISTRATION_RETRIES | client-limit | (5 to 100) | 5 |
| x-DY_CLIENT_REGISTRATION_TIMEOUT | client-timeout | Activation Code (AC) expiry timeout (in minutes) (1 to 129600) | 20 |
| x-DY_JWT_EXPIRATION | jwt-exp | JWT (JSON Web Token) validity (1 to 60 min). See JWT Settings | 30 |
| x-DY_JWT_LIMIT | jwt-limit | Max number of crypto operations using a JWT token. 0 - unlimited | 0 |
| x-DY_PASSWORD_LENGTH | pass-len | Minimum number of characters in a password (5 to 20) | 8 |
| x-DY_USER_LOGIN_RETRIES | user-limit | The user is locked when the number of consecutive login rejections exceeds this number (5 to 100) | 5 |
- To list a partition's general settings, run:
  ucl settings get -p <partition-name>
- To change a partition setting, perform the key-value assignment:
  ucl settings set -p <partition name> -k <alias> -v <value>
If enabled during the partition creation, this setting authorizes the partition's SO to add external keystores to the partition. See ucl partition create.
This setting participates in the decision whether the partition's user has to present the partition's certificate. See Exemption from Certificate Possession. This setting has three values:
- 0 - certificate is mandatory.
- 1 - certificate is optional.
The certificate possession requirement also depends on the No-cert system setting.
A client certificate obtained using the ucl register method is locked to the client appliance: CORE client software on any other appliance will reject any attempt to use it as a valid certificate.
However, a client certificate generated on the CORE server has no appliance-specific protection, so multiple appliances may reuse it. To ensure that a partition certificate can be used only by the authorized clients, enable the partition's check-ip setting.
When the partition's check-ip property is enabled, the targeted CORE server checks that the certificate holder's IP address, as carried in the TCP/IP header, is listed in the certificate or falls within the permitted range of IPs.
allow-nat keeps the above check working when NAT (Network Address Translation) is in use by mitigating the NAT impact.
A partition's client may overrule the partition's allow-nat setting. See Certificate Misuse Prevention for the complete decision tree.
If the check-ip assertion fails, the system responds with the Login failed error:
  Error: Login failed
  Additional error information:
  Client ip verification failed: given ([192.168.0.242]), actual([192.168.0.182]), code=3, partition=test200
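The following is an added example, not CORE's own code, that models the check-ip rule described above (is the observed address listed in the certificate, or inside one of its permitted ranges?) and parses the Login failed error text so that repeated failures can be reviewed for certificate reuse. The certificate IP list, the second and third log lines and the function names are constructed for illustration; only the error line format comes from the page, and the assumption that "actual" denotes the source address seen on the connection is mine.

```python
"""Added example (not CORE's own code): a model of the check-ip decision and a
parser for the 'Client ip verification failed' error output."""
import ipaddress
import re


def check_ip(cert_ips, observed_ip):
    """Return True if observed_ip is listed in the certificate or lies within one
    of its permitted ranges. cert_ips holds single addresses and/or CIDR ranges."""
    observed = ipaddress.ip_address(observed_ip)
    for entry in cert_ips:
        # A bare address becomes a /32 (or /128) network; strict=False tolerates
        # host bits set in a range such as 10.0.0.5/24.
        net = ipaddress.ip_network(entry, strict=False)
        if observed in net:
            return True
    return False


# Matches the error line format quoted on the page.
FAIL_RE = re.compile(
    r"Client ip verification failed: given \(\[(?P<given>[^\]]+)\]\), "
    r"actual\(\[(?P<actual>[^\]]+)\]\), code=(?P<code>\d+), partition=(?P<partition>\S+)"
)


def parse_checkip_failures(log_text):
    """Extract (given, actual, partition) tuples from CORE error output."""
    return [(m["given"], m["actual"], m["partition"]) for m in FAIL_RE.finditer(log_text)]


def reused_certificate_suspects(log_text):
    """Group failures by (given address, partition) and return the groups where the
    same certificate address showed up from more than one actual source address,
    the pattern expected when a server-generated certificate was copied to
    several appliances (assumption: 'actual' is the address seen on the wire)."""
    seen = {}
    for given, actual, partition in parse_checkip_failures(log_text):
        seen.setdefault((given, partition), set()).add(actual)
    return {key: sorted(actuals) for key, actuals in seen.items() if len(actuals) > 1}


# Constructed sample: the first failure line is the page's example; the other
# two are made up to show the grouping.
SAMPLE_LOG = """Error: Login failed
Additional error information:
Client ip verification failed: given ([192.168.0.242]), actual([192.168.0.182]), code=3, partition=test200
Client ip verification failed: given ([10.0.0.5]), actual([10.0.1.77]), code=3, partition=codesign
Client ip verification failed: given ([192.168.0.242]), actual([192.168.0.200]), code=3, partition=test200
"""

if __name__ == "__main__":
    print(check_ip(["192.168.0.242", "10.0.0.0/24"], "192.168.0.182"))
    print(reused_certificate_suspects(SAMPLE_LOG))
```

Note that allow-nat is deliberately not modelled: the page gives only its intent (tolerating NAT between client and server), and the full decision tree lives in Certificate Misuse Prevention.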
The Root partition inheritance property (part-inherit):
- Allows any root SO to act in the partition as the partition's SO.
- Impacts the default settings of the partition as follows: the partition inherits all settings of the Root partition except
  1. Settings that were explicitly set by the ucl partition create command.
  2. Root partition Quorum settings.
For example, given that codesign is an inherited partition, the root SO can act upon its clients when it is explicitly specified as the user:
  ucl client list -p codesign --user so@root
The part-inherit setting can be enabled:
- During the partition creation, using the ucl partition create command (see ucl partition create for the corresponding option).
- For an existing partition, using:
  ucl settings set -p <partition name> -k part-inherit --value 1
Inheritance and Quorum are two mutually exclusive properties. You can't enable Inheritance if Quorum-based approval is already enabled.
To enable the cert-propagation feature, you must enable the part-inherit property as well.
By default, access to a partition by a CORE client requires the client's appliance to possess the partition's certificate.
The cert-propagation setting on a partition lets a CORE client appliance access the partition while possessing only the Root partition certificate. In other words, a client that possesses the Root partition certificate has the right to access any partition that has enabled cert-propagation. This widens the reach of the Root partition certificate accordingly: an appliance holding it can reach every partition with cert-propagation enabled, so protect that certificate with at least the care given to the most sensitive of those partitions.
This setting can be enabled:
- During the partition creation, using the ucl partition create command (see ucl partition create for the corresponding option).
- For an existing partition, using:
  ucl settings set -p <partition name> -k cert-propagation --value 1
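As an added example covering both the part-inherit section and the cert-propagation section above (not CORE's own code): the inheritance rules and the two dependency constraints the page states, written as a small resolver and validator. The settings aliases are the page's; the setting values, the "quorum" key used to stand in for the Root Quorum settings, and the function names are constructed for illustration.

```python
"""Added example (not CORE's own code): resolves a partition's effective settings
under part-inherit and checks the constraints between part-inherit, Quorum and
cert-propagation that the page states."""

# Stand-in for the Root partition Quorum settings, which are never inherited
# (the key name is constructed, not a CORE alias).
QUORUM_KEYS = {"quorum"}


def effective_settings(root_settings, explicit_settings, part_inherit):
    """Resolve the effective settings of a partition.

    With part_inherit, the partition inherits every Root setting except the ones
    explicitly given at creation time and the Root Quorum settings. Without it,
    only the explicit settings apply (no defaults are invented here)."""
    effective = {}
    if part_inherit:
        effective.update({k: v for k, v in root_settings.items() if k not in QUORUM_KEYS})
    effective.update(explicit_settings)  # explicit values always win
    effective["part-inherit"] = 1 if part_inherit else 0
    return effective


def validate_partition(settings):
    """Return the list of constraint violations for a settings dict (empty = OK)."""
    problems = []
    inherit = settings.get("part-inherit", 0) == 1
    if inherit and settings.get("quorum"):
        problems.append("part-inherit and Quorum-based approval are mutually exclusive")
    if settings.get("cert-propagation", 0) == 1 and not inherit:
        problems.append("cert-propagation requires part-inherit")
    return problems


def can_enable(settings, alias):
    """Would 'ucl settings set -k <alias> --value 1' leave the partition consistent?"""
    trial = dict(settings)
    trial[alias] = 1
    return validate_partition(trial) == []


# Constructed Root settings: the quorum entry must not leak into child partitions.
ROOT = {"check-ip": 1, "allow-nat": 0, "pass-len": 12, "quorum": {"required": 2}}

if __name__ == "__main__":
    print(effective_settings(ROOT, {"pass-len": 8}, part_inherit=True))
    print(can_enable({"quorum": {"required": 2}}, "part-inherit"))
```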
This setting affects all users that bear the USER role by narrowing the range of their operations to the following:
- List, show, and export the partition's key-material
- Use the key-material in crypto operations
The enforce-unique-name and enforce-unique-desc settings enforce the uniqueness of key-material names and of their associated descriptions within the partition.
To use the Key-Rotation function when enforce-unique-name is enabled in the partition, ensure that the key has a non-default name (the default key name is the key's UID).
CORE clients, the REST API, PKCS, and the Java libraries use JSON Web Tokens (JWT) to carry authorization claims for performing CORE operations in the specified partition. The CORE server generates a token and delivers it to the requester once the requester is authenticated and its role and permissions are established. See, for example, Authentication Token and Get Token in the CORE REST API Guide.
CORE partition settings control the following JWT token properties:
- jwt-exp: the token's usability period (in minutes) since its generation by the CORE server. The Idle UI User Automatic Logout timer is set to this value.
- jwt-limit: the maximum number of crypto operations allowed per token. The default value is 0, which indicates an unlimited number of crypto operations.
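The following is an added example, not CORE's own code, that models the two token limits above from the client's side: a per-token budget that reports whether a further crypto operation is still covered, and a helper that tells a caller whether to fetch a fresh token before a batch. The token record, the timestamps, the state names and the function names are constructed; only the semantics of jwt-exp (minutes since generation) and jwt-limit (operations per token, 0 meaning unlimited) come from the page.

```python
"""Added example (not CORE's own code): client-side budget model for jwt-exp and
jwt-limit. Time values are seconds since the epoch; the CORE server remains the
authority on whether a token is accepted."""
from dataclasses import dataclass


@dataclass
class TokenBudget:
    issued_at: float   # when the CORE server generated the token
    jwt_exp: int       # partition's jwt-exp, in minutes (1 to 60)
    jwt_limit: int     # partition's jwt-limit; 0 means unlimited
    used: int = 0      # crypto operations already charged to this token

    def expires_at(self):
        return self.issued_at + self.jwt_exp * 60

    def check(self, now):
        """Return 'ok', 'expired' or 'limit' for an operation attempted at 'now'.
        Expiry is evaluated first so an expired token never consumes budget."""
        if now >= self.expires_at():
            return "expired"
        if self.jwt_limit and self.used >= self.jwt_limit:
            return "limit"
        return "ok"

    def consume(self, now):
        """Charge one crypto operation to the token and return the check result."""
        result = self.check(now)
        if result == "ok":
            self.used += 1
        return result


def run_operations(budget, times):
    """Charge a sequence of operations (attempt timestamps) and collect the results."""
    return [budget.consume(t) for t in times]


def needs_refresh(budget, now, planned_ops, margin_seconds=60):
    """True if a batch of planned_ops operations starting at 'now' would run into
    either limit; margin_seconds guards against clock skew near expiry."""
    if now + margin_seconds >= budget.expires_at():
        return True
    if budget.jwt_limit and budget.used + planned_ops > budget.jwt_limit:
        return True
    return False


if __name__ == "__main__":
    token = TokenBudget(issued_at=0, jwt_exp=30, jwt_limit=2)
    print(run_operations(token, [10, 20, 30, 1800, 1801]))
    print(needs_refresh(TokenBudget(issued_at=0, jwt_exp=30, jwt_limit=0), now=100, planned_ops=10_000))
```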
A user password may contain any ASCII printable character (character codes 32-127) except the SPACE and DELETE characters.
Extended character codes (128-255), such as currency signs (e.g., €, £, ¥), are not allowed.
Partition settings specify the minimum password length and the character-mix requirements:
- pass-len: minimal number of characters (default: 8).
- The YES option of the character-mix setting enforces that the password string contains the following:
  - At least one digit.
  - At least one lowercase letter.
  - At least one upper-case letter.
  - At least one special character from the set specified in Password Characters (@ # $ % ^ & + = !).
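As an added example, not CORE's own code, the rules above implemented as a pre-check a client or provisioning script can run before submitting a password. The pass-len value and the mix_required flag (standing in for the YES option) are parameters; the function name and the sample passwords are constructed.

```python
"""Added example (not CORE's own code): validator for the CORE password rules.
The server stays authoritative; this only avoids round trips with passwords
that are certain to be rejected."""
import string

SPECIALS = set("@#$%^&+=!")   # the Password Characters set from the page


def password_problems(password, pass_len=8, mix_required=True):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    # Allowed alphabet: ASCII printable 32-127 minus SPACE (32) and DELETE (127),
    # i.e. codes 33 to 126. Anything else (space, control, extended, non-ASCII) fails.
    bad = sorted({c for c in password if not (33 <= ord(c) <= 126)})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    if len(password) < pass_len:
        problems.append(f"shorter than pass-len={pass_len}")
    if mix_required:
        # string.digits etc. are ASCII-only on purpose: str.isdigit() would also
        # accept characters such as superscripts that are disallowed anyway.
        if not any(c in string.digits for c in password):
            problems.append("no digit")
        if not any(c in string.ascii_lowercase for c in password):
            problems.append("no lowercase letter")
        if not any(c in string.ascii_uppercase for c in password):
            problems.append("no uppercase letter")
        if not any(c in SPECIALS for c in password):
            problems.append("no special character from @ # $ % ^ & + = !")
    return problems


if __name__ == "__main__":
    # Constructed samples: the third one is allowed in length and case mix but
    # carries a euro sign, which the extended-character rule rejects.
    for candidate in ("Tr0ub4dor!", "Tr0ub4dor", "Pr1ce€abc!"):
        print(repr(candidate), password_problems(candidate))
```

Characters such as `_` or `-` are allowed by the alphabet rule but do not count toward the special-character requirement, because they are not in the Password Characters set; the validator reflects that distinction.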