Config Tab
The Configuration presents the Top Bar with the following functions:
- Servers - allows inspecting the CORE server status and download partition-specific crypto reports. See Servers Tab.
- Partition Settings - See Partition Settings in UI.
- Certificates - allows inspecting the system certificates. See Certificates Tab.
Servers Tab
Root SO
Security officer - UKC partition administrator role. ˃ Configuration ˃ Servers.
→ Schematic layout of the cluster nodes appears
- Hover over one of the
server icons.
→ The ▼ button appears.
- Click ▼ and select one of the following options:
- Get Info.
- Download Crypto Logs specific to the partition.
Partition Settings in UI
To inspect or modify the current partition settings, Partition SOSecurity officer - UKC partition administrator role. ˃ Configuration ˃ Partition Settings.
The partition settings appear - see Partitions Setting Summary.
Notes:
- A
yes/no,true/falsesetting is presented using the checkbox icon. - The UCLUnbound Command Language name of the setting is shown at the right edge of the setting.
- A setting that has a range of values is presented in the following format:
Partitions Setting Summary
Client and User Registration Settings
| UI Name | CLI Alias | Description | Default |
|---|---|---|---|
| Client registration retry limit | client-limit |
Max client registration attempts See Client Registration Settings Activation code expiry (in minutes) |
5 |
| Client registration timeout | client-timeout | 525600 | |
| User login retry limit | user-limit | User login attempts limit (5 to 100) |
5 |
| User password minimum length | pass-len | Minimum number of characters in a password (5 to 20) |
8 |
| Enforce user password complexity | pass-comp | Password Requirements | Yes |
| Enforce user login with 2FATwo-factor authentication - Authentication method that requires both something a user has (for example, a certificate) and something the user knows (for example, a password) |
enforce-2fa | No | |
| TOTPTime-based One Time Password grace period |
totp-time-drif | 30 |
JWTJSON Web Token - means of representing claims transferred between two parties settings
| UI Name | CLI Alias | Description | Default |
|---|---|---|---|
| JWTJSON Web Token - means of representing claims transferred between two parties expiration |
jwt-exp | JWTJSON Web Token - means of representing claims transferred between two parties token validity (1-60 minutes). JWT Settings |
30 |
| Maximum number of crypto operations per JWTJSON Web Token - means of representing claims transferred between two parties |
jwt-limit | Max number of crypto operations per JWTJSON Web Token - means of representing claims transferred between two parties token (0 - unlimited). JWT Settings. |
0 |
Client Certificate validation
| UI Name | CLI Alias | Description | Default |
|---|---|---|---|
| Enforce client IP verification | check-ip | No | |
| Allow the client to use NATNetwork Address Translation - remapping of IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device |
allow-nat | No | |
| Permit access to the root partition clients | cert-propagation | Cert-propagation | No |
Key metadata requirements
| UI Name | CLI Alias | Description | Default |
|---|---|---|---|
| Enforce unique name (CKA_ID) | enforce-unique-name |
Enforce-unique |
No |
| Enforce unique description (CKA_LABEL) | enforce-unique-desc | No |
Partition Policies
| UI Name | CLI Alias | Description | Default |
|---|---|---|---|
| A non-SOSecurity officer - UKC partition administrator role. user is restricted to use crypto operations only |
only-crypto | Only-crypto | No |
| Time to preserve a cryptographic key in local memory (seconds) | cache-timeout | Key Validity Period | 0 |
| Key policies | N/A | Add or Edit Key Policy Rule | unrestricted use |
Quorum Settings
| UI Name | CLI Alias | Description | Default |
|---|---|---|---|
| Quorum size | N/A | Quorum Size | 1 |
| Quorum request expiration (days) | N/A | Quorum Request Expiration | 1 |
| Quorum operations | N/A | Quorum Settings | See reference |
Notes:
The following settings are specified during the partition creation and are permanent:
- The allow-ks (allow external keystore) setting.
- The fips-mode setting in a system that runs in FIPS modeUKC system mode that allows processing FIPS-certified and not-certified keys.
The following settings can be modified using UCLUnbound Command Language or Rest API:
- The part-inherit (inherit the Root partition) setting. Default: NO.
-
The allow-default-client setting. Default: YES.
Add or Edit Key Policy Rule
By default, a partition does not apply any restrictions on how its key material may be used. Yet, the partition's SOSecurity officer - UKC partition administrator role. may allow-list the permitted key types, operations, and operation parameters by specifying the partition key policy. For the detailed discussion and an example of the policy, see the quickstart in
Partition Key Policy.
A key material usage policy is a collection of statements that govern the partition's keys. A policy statement specifies the key type and a list of argument-values pairs. To activate the policy, it is sufficient to specify a single policy statement. Once the key policy is activated, the system interprets its statements as follows:
- All you need to permit the required operation using the specified key is one policy statement that authorizes such use.
- The only permitted key types are those that appear in the policy statements.
- A non-empty list of the argument-values pairs following a key type is interpreted as follows:
- The absence of a particular argument permits unrestricted use of its values by the specified key type.
- The presence of an argument with the list of its values - permits only the listed values of the factor.
To permit a key type without any restrictions, create a policy statement with its name only.
To specify or update the partition's policy, scroll to the Key policy section of the settings. It presents already defined statements that allow editing and the Add key policy button. Click it.
→ The New Key Policy dialog appears.
Select the required key type.
Key type Permissions
- Key type
Click the ▼ button and select the required key type.
Tip.
To allow unrestricted use of the selected key type, leave out the other options, and click the Add key policy button.
Key type Attribute Restrictions
- Restrict minimum key size
- if not selected, all appropriate key sizes for this key type are permitted.
- if selected, it allows specifying the smallest permitted key size.
Click the ▼ button and select the minimum permitted key size.
- if not selected, all appropriate key sizes for this key type are permitted.
- Restrict EC curve
- if not selected, all appropriate EC curves for this key type are permitted.
- if selected, it allows specifying the permitted curves.
Click the ▼ button and mark all required curves
- if not selected, all appropriate EC curves for this key type are permitted.
Crypto Operation Restrictions
- Restrict crypto operations checkbox
- if not selected, all appropriate operations for the selected key type are permitted.
- if selected, it allows selection of permitted operations.
Click the ▼ button and select the permitted operations.
Crypto Parameter Restrictions
- Restrict Hash
- if not selected, all appropriate hash options for this key type are permitted.
- if selected, allows specifying the permitted hash options.
Click the ▼ button and mark the permitted hash options.
- if not selected, all appropriate hash options for this key type are permitted.
- Restrict Padding
- if not selected, all appropriate paddings for this key type are permitted.
- if selected, it allows specifying the permitted paddings.
- Click the ▼ button and mark the permitted paddings.
- Click the ▼ button and mark the permitted paddings.
- Restrict Modes
- if not selected, all appropriate block modes for this key type are permitted.
- if selected, allows only the permitted block modes.
Click the ▼ button and mark the permitted block modes.
- Restrict MACs
- if not selected, all appropriate MACMessage Authentication Code - for example, CMAC, GMAC, HMAC. methods for this key type are permitted.
- if selected, it allows only the permitted MACs.
Click the ▼ button and mark the permitted MAC
Message Authentication Code - for example, CMAC, GMAC, HMAC. methods.
- if not selected, all appropriate MAC
Import/Export Restrictions
- Restrict Export Type
- if not selected, all export types permitted by this key itself are permitted.
- if selected, it allows enforcing the minimum export requirement.
Click the ▼ button and mark the minimum export requirement that must be met.
- if not selected, all export types permitted by this key itself are permitted.
Key Origin Restrictions
- Restrict Local
- if not selected, the attribute of a key is ignored.
- if selected, allows specifying the type of keys that the policy applies to.
- enabled - only locally generated keys that match the specified key type and parameters can be created and used.
- disabled - only imported keys that match the specified key type and parameters can be created and used.
- Restrict Trusted
- if not selected, the attribute of a key is ignored.
- if selected, allows specifying the type of keys that the policy applies to.
- enabled - only trusted keys that match the specified key type and parameters can be created and used.
- disabled - only keys that are not marked trusted and match the specified key type and parameters can be created and used.
This permission addresses the local attribute of a key.
Click the ▼ button and select one of the following options:
This permission addresses the trusted attribute of a key.
Click the ▼ button and select one of the following options:
For example, any AES key may be used to (un)wrap other keys with no particular requirement. To enforce that only trusted AES keys should be used for (un)wrapping, add the following policy statement: {"type":"AES","operations":["WRAP","UNWRAP"],"trusted":true}. Now, all previously created AES keys designated for (un)wrapping and do not marked as "trusted" become useless.