Config Tab
The Configuration tab presents a top bar with the following functions:
- Servers - allows inspecting the CORE server status and download partition-specific crypto reports. See Servers Tab.
- Partition Settings - See Partition Settings in UI.
- Certificates - allows inspecting the system certificates. See Certificates Tab.
Servers Tab
Root SO (Security Officer - UKC partition administrator role) ˃ Configuration ˃ Servers.
→ A schematic layout of the cluster nodes appears.
- Hover over one of the server icons.
→ The ▼ button appears.
- Click ▼ and select one of the following options:
  - Get Info.
  - Download Crypto Logs specific to the partition.
Partition Settings in UI
To inspect or modify the current partition settings: Partition SO (Security Officer - UKC partition administrator role) ˃ Configuration ˃ Partition Settings.
The partition settings appear - see Partitions Setting Summary.
Notes:
- A yes/no (true/false) setting is presented using the checkbox icon.
- The UCL (Unbound Command Language) name of the setting is shown at the right edge of the setting.
- A setting that has a range of values is presented in the following format:
Partitions Setting Summary
Client and User Registration Settings
UI Name | CLI Alias | Description | Default |
---|---|---|---|
Client registration retry limit | client-limit | Max client registration attempts. See Client Registration Settings. | 5 |
Client registration timeout | client-timeout | Activation code expiry (in minutes) | 525600 |
User login retry limit | user-limit | User login attempts limit (5 to 100) | 5 |
User password minimum length | pass-len | Minimum number of characters in a password (5 to 20) | 8 |
Enforce user password complexity | pass-comp | Password Requirements | Yes |
Enforce user login with 2FA | enforce-2fa | | No |
TOTP | totp-time-drif | | 30 |
JWT (JSON Web Token - a means of representing claims transferred between two parties) settings
UI Name | CLI Alias | Description | Default |
---|---|---|---|
JWT | jwt-exp | See JWT Settings | 30 |
Maximum number of crypto operations per JWT | jwt-limit | Max number of crypto operations per JWT. See JWT Settings. | 0 |
Client Certificate validation
UI Name | CLI Alias | Description | Default |
---|---|---|---|
Enforce client IP verification | check-ip | | No |
Allow the client to use NAT | allow-nat | | No |
Permit access to the root partition clients | cert-propagation | Cert-propagation | No |
Key metadata requirements
UI Name | CLI Alias | Description | Default |
---|---|---|---|
Enforce unique name (CKA_ID) | enforce-unique-name | Enforce-unique | No |
Enforce unique description (CKA_LABEL) | enforce-unique-desc | | No |
Partition Policies
UI Name | CLI Alias | Description | Default |
---|---|---|---|
A non-SO | only-crypto | Only-crypto | No |
Time to preserve a cryptographic key in local memory (seconds) | cache-timeout | Key Validity Period | 0 |
Key policies | N/A | Add or Edit Key Policy Rule | unrestricted use |
Quorum Settings
UI Name | CLI Alias | Description | Default |
---|---|---|---|
Quorum size | N/A | Quorum Size | 1 |
Quorum request expiration (days) | N/A | Quorum Request Expiration | 1 |
Quorum operations | N/A | Quorum Settings | See reference |
Notes:
The following settings are specified during partition creation and are permanent:
- The allow-ks (allow external keystore) setting.
- The fips-mode setting in a system that runs in FIPS mode (a UKC system mode that allows processing both FIPS-certified and non-certified keys).
The following settings can be modified using UCL (Unbound Command Language) or the REST API:
- The part-inherit (inherit the Root partition) setting. Default: NO.
- The allow-default-client setting. Default: YES.
Add or Edit Key Policy Rule
By default, a partition does not apply any restrictions on how its key material may be used. However, the partition's SO (Security Officer - UKC partition administrator role) may allow-list the permitted key types, operations, and operation parameters by specifying the partition key policy. For a detailed discussion and an example of the policy, see the quickstart in Partition Key Policy.
A key material usage policy is a collection of statements that govern the partition's keys. A policy statement specifies a key type and a list of argument-values pairs. To activate the policy, it is sufficient to specify a single policy statement. Once the key policy is activated, the system interprets its statements as follows:
- A single policy statement that authorizes an operation with the specified key is sufficient to permit that operation.
- The only permitted key types are those that appear in the policy statements.
- A non-empty list of argument-values pairs following a key type is interpreted as follows:
  - The absence of a particular argument permits unrestricted use of its values by the specified key type.
  - The presence of an argument with a list of its values permits only the listed values of that argument.
To permit a key type without any restrictions, create a policy statement with its name only.
To specify or update the partition's policy, scroll to the Key policy section of the settings. It lists the statements already defined (which can be edited) and the Add key policy button. Click the button.
→ The New Key Policy dialog appears.
Select the required key type.
Key type Permissions
- Key type
  Click the ▼ button and select the required key type.
  Tip. To allow unrestricted use of the selected key type, leave out the other options, and click the Add key policy button.
Key type Attribute Restrictions
- Restrict minimum key size
  - if not selected, all appropriate key sizes for this key type are permitted.
  - if selected, it allows specifying the smallest permitted key size. Click the ▼ button and select the minimum permitted key size.
- Restrict EC curve
  - if not selected, all appropriate EC curves for this key type are permitted.
  - if selected, it allows specifying the permitted curves. Click the ▼ button and mark all required curves.
Crypto Operation Restrictions
- Restrict crypto operations checkbox
  - if not selected, all appropriate operations for the selected key type are permitted.
  - if selected, it allows selecting the permitted operations. Click the ▼ button and select the permitted operations.
Crypto Parameter Restrictions
- Restrict Hash
  - if not selected, all appropriate hash options for this key type are permitted.
  - if selected, it allows specifying the permitted hash options. Click the ▼ button and mark the permitted hash options.
- Restrict Padding
  - if not selected, all appropriate paddings for this key type are permitted.
  - if selected, it allows specifying the permitted paddings. Click the ▼ button and mark the permitted paddings.
- Restrict Modes
  - if not selected, all appropriate block modes for this key type are permitted.
  - if selected, it allows only the permitted block modes. Click the ▼ button and mark the permitted block modes.
- Restrict MACs
  - if not selected, all appropriate MAC (Message Authentication Code - for example, CMAC, GMAC, HMAC) methods for this key type are permitted.
  - if selected, it allows only the permitted MACs. Click the ▼ button and mark the permitted MAC methods.
Import/Export Restrictions
- Restrict Export Type
  - if not selected, all export types permitted by the key itself are permitted.
  - if selected, it allows enforcing the minimum export requirement. Click the ▼ button and mark the minimum export requirement that must be met.
Key Origin Restrictions
- Restrict Local
  This permission addresses the local attribute of a key.
  - if not selected, the local attribute of a key is ignored.
  - if selected, it allows specifying the type of keys that the policy applies to. Click the ▼ button and select one of the following options:
    - enabled - only locally generated keys that match the specified key type and parameters can be created and used.
    - disabled - only imported keys that match the specified key type and parameters can be created and used.
- Restrict Trusted
  This permission addresses the trusted attribute of a key.
  - if not selected, the trusted attribute of a key is ignored.
  - if selected, it allows specifying the type of keys that the policy applies to. Click the ▼ button and select one of the following options:
    - enabled - only trusted keys that match the specified key type and parameters can be created and used.
    - disabled - only keys that are not marked trusted and match the specified key type and parameters can be created and used.
For example, by default any AES key may be used to (un)wrap other keys with no particular requirement. To enforce that only trusted AES keys may be used for (un)wrapping, add the following policy statement: {"type":"AES","operations":["WRAP","UNWRAP"],"trusted":true}
Once it is active, all previously created AES keys designated for (un)wrapping that are not marked as "trusted" can no longer be used for that purpose.
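The interpretation rules listed under Add or Edit Key Policy Rule, together with the trusted-AES wrapping statement just above, modelled as an added Python example. This is not UKC code: the `operations` and `trusted` argument names are taken from the statement quoted on this page, while the key records, the request shape and the `statement_permits`, `policy_permits` and `evaluate` helpers are constructed for illustration.

```python
"""Model of how an activated UKC partition key policy is interpreted.

Added example, not UKC code. It applies the rules stated on this page:
  - a policy is a list of statements; each names a key "type" plus
    optional argument/values pairs;
  - once any statement exists, only key types named in a statement are
    permitted at all;
  - an argument absent from a statement leaves that attribute unrestricted;
  - an argument present in a statement permits only its listed values;
  - a single statement that authorizes the request is sufficient.
The "operations" and "trusted" argument names come from the statement
quoted on the page; the key records and helper names below are constructed.
"""
import json


def statement_permits(statement: dict, key: dict, operation: str) -> bool:
    """True if this one policy statement authorizes `operation` with `key`."""
    if statement.get("type") != key.get("type"):
        return False
    for arg, allowed in statement.items():
        if arg == "type":
            continue
        # "operations" is matched against the requested operation; every
        # other argument is matched against the same-named key attribute.
        actual = operation if arg == "operations" else key.get(arg)
        if isinstance(allowed, list):
            if actual not in allowed:      # only the listed values pass
                return False
        elif actual != allowed:            # scalar value, e.g. "trusted": true
            return False
    return True


def policy_permits(policy: list, key: dict, operation: str) -> bool:
    """No statements at all means no restrictions; otherwise any one
    authorizing statement is enough, and unlisted key types are denied."""
    if not policy:
        return True
    return any(statement_permits(s, key, operation) for s in policy)


def evaluate(policy: list, keys: dict, operation: str) -> dict:
    """Map each named key to whether `operation` is permitted under `policy`."""
    return {name: policy_permits(policy, key, operation) for name, key in keys.items()}


# The statement from the page: only trusted AES keys may (un)wrap.
POLICY = json.loads('[{"type":"AES","operations":["WRAP","UNWRAP"],"trusted":true}]')

# Constructed sample key records (attributes only, no key material).
KEYS = {
    "aes-trusted": {"type": "AES", "trusted": True},
    "aes-untrusted": {"type": "AES", "trusted": False},
    "rsa-trusted": {"type": "RSA", "trusted": True},
}

if __name__ == "__main__":
    print(evaluate(POLICY, KEYS, "WRAP"))
    # {'aes-trusted': True, 'aes-untrusted': False, 'rsa-trusted': False}
    # RSA is denied only because no statement names it; a bare
    # {"type": "RSA"} statement permits it without restrictions.
    print(evaluate(POLICY + [{"type": "RSA"}], KEYS, "SIGN"))
    # {'aes-trusted': False, 'aes-untrusted': False, 'rsa-trusted': True}
```

The second evaluation shows the side effect worth checking before activating a policy: as soon as one statement exists, every key type not named in some statement is denied, not just the non-trusted AES keys the statement was written for.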