Partition Settings

This section summarizes the partition settings that are configurable through UCL (Unbound Command Language) and the UI. For UI-only configurable settings, see:

Partition Settings Summary

CORE partition settings include the following settings:

Examples:

  • To list a partition's general settings, run:

    ucl settings get -p <partition-name>

  • To change a partition setting, perform the key-value assignment:

    ucl settings set -p <partition name> -k <alias> -v <value>

Allow-Keystores

If enabled during partition creation, this setting authorizes the partition's SO (Security Officer, the UKC partition administrator role) to add external keystores to the partition. See ucl partition create.

Allow default-client

This setting takes part in deciding whether a partition user must present the partition's certificate. See Exemption from Certificate Possession. The setting has three states:

  • undefined:
  • Certificate possession requirement depends on the No-cert system setting.

  • defined:
    • 0 - certificate is mandatory.
    • 1 - certificate is optional.

Check-IP and Allow-NAT

A client certificate obtained with ucl register is bound to the client appliance that requested it: CORE client software on any other appliance rejects any attempt to use it as a valid certificate.

A client certificate generated on the CORE server, however, carries no appliance-specific protection, so several appliances may reuse it. To ensure that such a partition certificate can be used only by authorized clients, enable the partition's check-ip property.

When check-ip is enabled, the target CORE server checks that the source IP address of the connection (the address carried in the IP header) is either listed in the certificate or falls within the permitted range of IPs. Note that this binds the certificate to a network location rather than to a device: any host able to originate traffic from a listed address passes the check.

The allow-nat setting keeps check-ip usable when NAT (Network Address Translation: remapping of one IP address space into another by rewriting the address information in IP packet headers as they cross a routing device) sits between the client and the CORE server, by accounting for the address rewriting that NAT performs. Because every client behind the same NAT device presents the same address, enabling it widens the set of hosts that can pass the check.

Note
A partition's client may override the partition's check-ip and allow-nat settings. See Certificate Misuse Prevention for the complete decision tree.

When the check-ip assertion fails, the system responds with a Login failed error:

Error: Login failed
Additional error information:
Client ip verification failed: given ([192.168.0.242]), actual([192.168.0.182]), code=3, partition=test200
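The check-ip decision and the failure line above lend themselves to two small pieces of tooling: a model of the address check itself, and a parser that pulls the given/actual addresses out of the Login failed output so that certificate reuse from an unexpected host can be spotted in collected client logs. The following is an added example, not code from the page or from the CORE product; the regex is derived from the single error line shown above, and the list-of-addresses-or-CIDRs representation of "listed in the certificate or within the permitted range" is an assumption (the page does not describe how the certificate encodes it).

```python
import ipaddress
import re
from typing import Iterable, Optional

# Pattern derived from the one "Client ip verification failed" line quoted
# on this page; other CORE error formats are not covered (assumption).
_IP_FAIL_RE = re.compile(
    r"Client ip verification failed: "
    r"given \(\[(?P<given>[^\]]+)\]\), "
    r"actual\(\[(?P<actual>[^\]]+)\]\), "
    r"code=(?P<code>\d+), partition=(?P<partition>\S+)"
)


def check_ip(client_ip: str, permitted: Iterable[str]) -> bool:
    """Model of the check-ip decision: the connection's source address must
    equal a listed address or fall inside a listed range.

    'permitted' holds plain addresses and/or CIDR ranges. This is an assumed
    representation; the certificate's own encoding is not on the page."""
    addr = ipaddress.ip_address(client_ip)
    for entry in permitted:
        net = ipaddress.ip_network(entry, strict=False)  # a bare IP becomes /32 or /128
        if addr in net:
            return True
    return False


def parse_ip_failure(line: str) -> Optional[dict]:
    """Extract given/actual address, code and partition from one error line,
    or return None if the line is not a check-ip failure."""
    m = _IP_FAIL_RE.search(line)
    if not m:
        return None
    found = m.groupdict()
    found["code"] = int(found["code"])
    return found


def find_cert_misuse(lines: Iterable[str]) -> list:
    """Flag check-ip failures where the address in the certificate and the
    connection's actual address differ: the certificate is being presented
    from a host it was not issued to, or through an unlisted NAT."""
    hits = []
    for line in lines:
        failure = parse_ip_failure(line)
        if failure and failure["given"] != failure["actual"]:
            hits.append(failure)
    return hits


# Constructed sample output for offline use; the first line is the one
# quoted on this page, the rest are made up in the same shape.
SAMPLE_LOG = """\
Client ip verification failed: given ([192.168.0.242]), actual([192.168.0.182]), code=3, partition=test200
Login succeeded: partition=test200
Client ip verification failed: given ([10.0.0.5]), actual([203.0.113.9]), code=3, partition=codesign
"""

if __name__ == "__main__":
    print(check_ip("192.168.0.242", ["192.168.0.242"]))      # True: listed exactly
    print(check_ip("192.168.0.182", ["192.168.0.240/29"]))   # False: outside the range
    for hit in find_cert_misuse(SAMPLE_LOG.splitlines()):
        print(f"{hit['partition']}: certificate for {hit['given']} "
              f"presented from {hit['actual']} (code {hit['code']})")
```

Feeding the parser the client-side output of failed logins is enough to build a simple alert on repeated mismatches for one partition, which is the pattern a reused server-generated certificate produces.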

Part-inherit

The Root partition inheritance property:

  • Allows any Root SO to act in the partition as the partition's SO (Security Officer, the UKC partition administrator role).
  • For example, if codesign is an inheriting partition, the Root SO can act on its clients when specified explicitly as the --user:

    ucl client list -p codesign --user so@root
    so@root's password:

  • Determines the partition's default settings as follows:

    Note
    The partition inherits all settings of the Root partition except
    1. Settings that were explicitly set by the ucl partition create command.
    2. The Root partition's Quorum settings.

The part-inherit setting can be enabled:

  • During the partition creation, using the ucl partition create command with the -i option.
  • For an existing partition using the ucl settings command:

    ucl settings set -p <partition name> -k part-inherit --value 1

    Note
    Inheritance and Quorum are two mutually exclusive properties. You can't enable Inheritance if Quorum-based approval is already enabled.

Cert-propagation

Note
To enable the cert-propagation feature, the part-inherit property must be enabled as well.

By default, a CORE client can access a partition only if the client's appliance holds that partition's certificate.

The cert-propagation setting on a partition lets a CORE client appliance access the partition while holding only the Root partition certificate. In other words, a client that holds the Root partition certificate may access every partition on which cert-propagation is enabled. This correspondingly raises the value of the Root partition certificate: a compromise of that single certificate yields access to all such partitions, so enable it only where that trade-off is acceptable.

This setting can be enabled:

  • During the partition creation using the ucl partition create command with the -c option
  • For the existing partition using the ucl settings command:

    ucl settings set -p <partition name> -k cert-propagation --value 1

Only-crypto

This setting restricts every user holding the USER role to the following operations:

  • List, show, and export the partition's key-material
  • Use the key-material in crypto operations

Enforce-unique

The enforce-unique-name and the enforce-unique-desc settings enforce the uniqueness of the key-material names and the associated description within the partition.

Warning
To use the Key-Rotation function when the enforce-unique-name property in the partition is enabled, ensure that the key has a non-default name. (The default key name is the UID of the key).

JWT Settings

CORE clients, the REST (Representational State Transfer) API, the PKCS (Public-Key Cryptography Standards) libraries, and the Java libraries use JSON Web Tokens (JWT, a means of representing claims transferred between two parties) to carry authorization claims for performing CORE operations in the specified partition. The CORE server generates a token and delivers it to the requester once the requester has been authenticated and its role and permissions have been established. See, for example, Authentication Token and Get Token in the CORE REST API Guide.

CORE partition settings control the following JWT token properties:

  • jwt-exp - the token's validity period, in minutes, from its generation by the CORE server.

    Note
    The Idle UI User Automatic Logout timer is set to this value.

  • jwt-limit - the maximum number of crypto operations permitted per token. The default value is 0, which means an unlimited number of crypto operations.

Together these two settings bound what a leaked token is worth: a long jwt-exp combined with the default jwt-limit of 0 leaves a stolen token usable for an unlimited number of operations until it expires.

Password Requirements

A user password may contain any printable ASCII character (character codes 33-126; that is, codes 32-127 with the SPACE and DELETE characters excluded).

Note
Using the extended character codes (128-255), such as various currency signs (e.g., €, £, ¥), is not allowed.

Partition settings specify the minimum password length and the character-mix requirements:

  • pass-len - minimum number of characters (default: 8).
  • complexity - YES/NO (default: YES). The YES option requires the password to contain:

    • At least one digit.
    • At least one lowercase letter.
    • At least one upper-case letter.
    • At least one special character from the set specified in Password Characters ( @ # $ % ^ & + = !).
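A client-side pre-check of a candidate password against these rules saves round trips and makes the rejection reasons explicit. The validator below is an added example written for this page, not the CORE server's own implementation, and it encodes exactly the rules stated above: the printable-ASCII character set minus SPACE and DELETE, rejection of codes 128 and above, the pass-len minimum, and the four complexity classes with the special-character set from Password Characters. The parameter names pass_len and complexity mirror the settings; accepting the YES/NO values as a Python bool is this example's choice.

```python
import string

# Special characters listed under Password Characters on this page.
SPECIALS = frozenset("@#$%^&+=!")


def check_password(password: str, pass_len: int = 8, complexity: bool = True) -> list:
    """Return the list of policy violations for 'password'; an empty list
    means the password satisfies the partition's rules.

    pass_len and complexity correspond to the partition settings of the same
    names (defaults 8 and YES, as stated on this page)."""
    problems = []

    # Character-set rule: printable ASCII only, with SPACE (32) and DELETE
    # (127) excluded; extended codes such as currency signs are rejected.
    for ch in password:
        code = ord(ch)
        if code > 127:
            problems.append(f"non-ASCII character U+{code:04X} not allowed")
        elif code < 33 or code == 127:
            problems.append(f"character code {code} not allowed "
                            "(SPACE, DELETE and control characters are rejected)")

    if len(password) < pass_len:
        problems.append(f"shorter than pass-len={pass_len}")

    if complexity:
        # Use the ASCII tables explicitly: str.isdigit()/isupper() also
        # accept non-ASCII characters, which the policy does not.
        if not any(ch in string.digits for ch in password):
            problems.append("no digit")
        if not any(ch in string.ascii_lowercase for ch in password):
            problems.append("no lowercase letter")
        if not any(ch in string.ascii_uppercase for ch in password):
            problems.append("no upper-case letter")
        if not any(ch in SPECIALS for ch in password):
            problems.append("no special character from @#$%^&+=!")

    return problems


def is_acceptable(password: str, pass_len: int = 8, complexity: bool = True) -> bool:
    """Convenience wrapper: True when check_password reports nothing."""
    return not check_password(password, pass_len, complexity)


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ["Tr0ub4dor!", "passw0rd!", "Ab1! long", "Passw0rd€", "Ab1!"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that a password such as "Passw0rd€" fails twice: the euro sign is rejected outright, and because it is not in the allowed special-character set the password also lacks a special character.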