Config Tab

The Configuration tab presents the Top Bar with the following functions:

Servers Tab

Root SO (Security Officer, the UKC partition administrator role) ˃ Configuration ˃ Servers.

→ The schematic layout of the cluster nodes appears.

  • Hover over one of the server icons.
    → The ▼ button appears.

Partition Settings in UI

To inspect or modify the current partition settings, Partition SO ˃ Configuration ˃ Partition Settings.

The partition settings appear - see Partitions Setting Summary.

Notes:

  • A yes/no, true/false setting is presented using the checkbox icon.
  • The UCL (Unbound Command Language) name of the setting is shown at the right edge of the setting.
  • A setting that has a range of values is presented in the following format:
    [Figure: Setting presentation in UI]

Partitions Setting Summary

| UI Name | CLI Alias | Description | Default |
|---|---|---|---|
| Client registration retry limit | client-limit | Max client registration attempts (5 to 100) | 5 |
| Client registration timeout | client-timeout | Activation code expiry in minutes (1 to 129600) | 20 |
| User login retry limit | user-limit | User login attempts limit (5 to 100) | 5 |
| User password minimum length | pass-len | Minimum number of characters in a password (5 to 20) | 8 |
| JWT expiration | jwt-exp | JWT (JSON Web Token) token validity (1-60 minutes). See JWT Settings | 30 |
| Maximum number of crypto operations per JWT | jwt-limit | Max number of crypto operations per JWT token (0 - unlimited). See JWT Settings | 0 |
| Enforce user password complexity | pass-comp | Password Requirements | Yes |
| Enforce client IP verification | check-ip | Check-IP and Allow-NAT | No |
| Allow the client to use NAT (Network Address Translation) | allow-nat | | No |
| Support certificate propagation | cert-propagation | Cert-propagation | No |
| Allow user to call only crypto operations | only-crypto | Only-crypto | No |
| Enforce unique name (CKA_ID) | enforce-unique-name | Enforce-unique | No |
| Enforce unique description (CKA_LABEL) | enforce-unique-desc | | No |
| Quorum size | N/A | Quorum Size | 1 |
| Quorum request expiration (days) | N/A | Quorum Request Expiration | 1 |
| Quorum operations | N/A | Quorum Settings | See reference |
| Key policies | N/A | Add or Edit Key Policy Rule | unrestricted use |

Notes:

The following settings that are defined during the partition's creation are not shown:

Add or Edit Key Policy Rule

By default, a partition does not apply any restrictions on how its key material may be used. However, the partition's SO may allow-list the permitted key types, operations, and operation parameters by specifying the partition key policy. For a detailed discussion and an example of the policy, see the quickstart in Partition Key Policy.

A key material usage policy is a collection of statements that govern the partition's keys. A policy statement specifies the key type and a list of argument/value pairs. To activate the policy, it is sufficient to specify a single policy statement. Once the key policy is activated, the system interprets its statements as follows:

  1. A single policy statement that authorizes a use is sufficient to permit that operation with the specified key.
  2. The only permitted key types are those that appear in the policy statements.
  3. To permit a key type without any restrictions, create a policy statement with its name only.
  4. A non-empty list of argument/value pairs following a key type is interpreted as follows:
    1. The absence of a particular argument permits unrestricted use of its values by the specified key type.
    2. The presence of an argument with a list of its values permits only the listed values of that argument.

To specify or update the partition's policy, scroll to the Key policy section of the settings. It lists the statements already defined, which can be edited, and the Add key policy button. Click it.

→ The New Key Policy dialog appears.

Select the required key type.

Key type Permissions

  • Key type
    Click the ▼ button and select the required key type.
  • Tip: To allow unrestricted use of the selected key type, leave out the other options and click the Add key policy button.

Key type Attribute Restrictions

  • Restrict minimum key size
    • if not selected, all appropriate key sizes for this key type are permitted.
    • if selected, it allows specifying the smallest permitted key size.
      Click the ▼ button and select the minimum permitted key size.

  • Restrict EC curve
    • if not selected, all appropriate EC curves for this key type are permitted.
    • if selected, it allows specifying the permitted curves.
      Click the ▼ button and mark all required curves.

Crypto Operation Restrictions

  • Restrict crypto operations checkbox
    • if not selected, all appropriate operations for the selected key type are permitted.
    • if selected, it allows selection of permitted operations.
      Click the ▼ button and select the permitted operations.

Crypto Parameter Restrictions

  • Restrict Hash
    • if not selected, all appropriate hash options for this key type are permitted.
    • if selected, it allows specifying the permitted hash options.
      Click the ▼ button and mark the permitted hash options.

  • Restrict Padding
    • if not selected, all appropriate paddings for this key type are permitted.
    • if selected, it allows specifying the permitted paddings.
      Click the ▼ button and mark the permitted paddings.

  • Restrict Modes
    • if not selected, all appropriate block modes for this key type are permitted.
    • if selected, it allows only the permitted block modes.
      Click the ▼ button and mark the permitted block modes.

  • Restrict MACs

Import/Export Restrictions

  • Restrict Export Type
    • if not selected, all export types permitted by the key itself are permitted.
    • if selected, it allows enforcing the minimum export requirement.
      Click the ▼ button and mark the minimum export requirement that must be met.

Key Origin Restrictions

  • Restrict Local
    This permission addresses the local attribute of a key.
    • if not selected, the attribute of a key is ignored.
    • if selected, it allows specifying the type of keys that the policy applies to.
      Click the ▼ button and select one of the following options:
      • enabled - only locally generated keys that match the specified key type and parameters can be created and used.
      • disabled - only imported keys that match the specified key type and parameters can be created and used.

  • Restrict Trusted
    This permission addresses the trusted attribute of a key.
    • if not selected, the attribute of a key is ignored.
    • if selected, it allows specifying the type of keys that the policy applies to.
      Click the ▼ button and select one of the following options:
      • enabled - only trusted keys that match the specified key type and parameters can be created and used.
      • disabled - only keys that are not marked trusted and match the specified key type and parameters can be created and used.

    For example, any AES key may be used to (un)wrap other keys with no particular requirement. To enforce that only trusted AES keys may be used for (un)wrapping, add the following policy statement: {"type":"AES","operations":["WRAP","UNWRAP"],"trusted":true}. Once it is in place, all previously created AES keys designated for (un)wrapping that are not marked trusted can no longer be used for that purpose.
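To make the statement rules from the Add or Edit Key Policy Rule section and the trusted-AES example above concrete, here is an added reference model in Python of how a policy built from such statements is evaluated (a constructed illustration, not Unbound's code; the statement keys "type", "operations" and "trusted" come from the page's JSON example, while "min_key_size", "curves", "paddings" and the request field names are assumed here).

```python
"""Reference model of the partition key-policy rules on this page (constructed
illustration, not Unbound's code). "type", "operations" and "trusted" follow the
page's JSON example; the other argument and request field names are assumed."""
import json

# Plural statement arguments hold an allow-list; a request carries one value.
_LIST_ARGS = {"operations": "operation", "curves": "curve", "hashes": "hash",
              "paddings": "padding", "modes": "mode"}


def _arg_allows(stmt, arg, request):
    """Rule 4.2: an argument that is present permits only its listed values."""
    allowed = stmt[arg]
    if arg == "min_key_size":              # assumed name for the size floor
        return request.get("key_size", 0) >= allowed
    if arg in _LIST_ARGS:
        return request.get(_LIST_ARGS[arg]) in allowed
    # Boolean key attributes such as "trusted" and "local" must match exactly.
    return request.get(arg) == allowed


def is_permitted(policy, request):
    """Decide whether one key use is allowed under a list of policy statements.

    An empty policy is not active and imposes no restrictions. Otherwise a key
    type with no statement is denied (rule 2), a statement holding the type
    alone permits everything for that type (rule 3), and one statement whose
    every listed argument allows the request suffices (rules 1 and 4.1).
    """
    if not policy:
        return True
    for stmt in policy:
        if stmt["type"] != request["type"]:
            continue
        if all(_arg_allows(stmt, arg, request) for arg in stmt if arg != "type"):
            return True
    return False


# Constructed policy: the page's trusted-AES statement plus three more rules.
POLICY = json.loads("""[
  {"type": "AES", "operations": ["WRAP", "UNWRAP"], "trusted": true},
  {"type": "AES", "operations": ["ENCRYPT", "DECRYPT"]},
  {"type": "RSA", "min_key_size": 3072, "paddings": ["OAEP", "PSS"]},
  {"type": "ECC", "curves": ["P-256", "P-384"]}
]""")

if __name__ == "__main__":
    # An untrusted AES key may still encrypt but can no longer wrap other keys.
    print(is_permitted(POLICY, {"type": "AES", "operation": "ENCRYPT", "trusted": False}))
    print(is_permitted(POLICY, {"type": "AES", "operation": "WRAP", "trusted": False}))
```

Note that a key type absent from every statement (for instance DES under the policy above) is denied outright, which is the allow-list behaviour the page describes in rule 2.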