Product Documentation

Property

strongkeylite.cfg.property.addedpsn.reportprefix

Explanation

When a site originally chooses to use an HMAC value to represent the sensitive data as the “token” within their applications, they may choose to convert to Pseudo-Numbers (see Explanation for strongkeylite.cfg.property.tokentype) after the SAKA has gone live. During the conversion process, a report is generated indicating the pseudo-numbers that were added to the SAKA internal database during the conversion process. The report is saved to a file in STRONGKEYLITE/log with a report name containing the prefix from this property. The report name has the Domain ID and date/time of the report creation appended to the report name.

Default Value

AddedPseudoNumbers-

Property

strongkeylite.cfg.property.authsource

Explanation

The type of repository to use when verifying the authentication credentials of a requester. Options supported by SAKA are:

  • DB—for the internal database of SAKA

  • LDAP—for an LDAP-based directory server either in or outside SAKA

  • BOTH—when sites choose to use both types of repositories—DB and LDAP

 

All requesters of cryptographic services must be defined in the SAKA database or LDAP before they start requesting services.

Default Value

DB

Property

strongkeylite.cfg.property.authsourcefirst

Explanation

The access control repository to check first when SAKA has been configured to use BOTH the internal database and an LDAP-based directory serverfor requester authorization.

The strongkeylite.cfg.property.authsource property must have the value BOTH defined in it for the strongkeylite.cfg.property.authsourcefirst property to be referenced. If strongkeylite.cfg.property.authsource is set to either DB or LDAP, strongkeylite.cfg.property.authsourcefirst is ignored.

Default Value

DB

Property

strongkeylite.cfg.property.bytebuffer.enable

Explanation

The Entropy web service allows encryption users to gather true random numbers from the TRSM. This property determines whether SAKA auto-fills a bytebuffer to increase the speed in which random numbers can be returned.

Default Value

false

Property

strongkeylite.cfg.property.bytebuffer.size

Explanation

The bytebuffer stores true random numbers to be consumed by the Entropy web service. This property determines the size of the bytebuffer in bytes.

Default Value

1048576 (1 mb)

Property

strongkeylite.cfg.property.bytebuffer.trsmretrievalsize

Explanation

The bytebuffer stores true random numbers to be consumed by the Entropy Web service. This property determines how many bytes to recover from the TRSM each time SAKA populates the bytebuffer.

Default Value

64

Property

strongkeylite.cfg.property.cacheprimer.enable

Explanation

After the TPM or HSM is activated, there may be a lot of symmetric keys that must be decrypted. The appliance will only decrypt on demand those keys which can cause delays once transactions start being sent to the appliance. By setting this property to true, the appliance will automatically attempt to decrypt all HMAC, ENC, and PWD symmetric keys after the cryptomodule is activated.

Default Value

true

Property

strongkeylite.cfg.property.cacheprimer.limit

Explanation

Once the cache primer engages, this property determines what is the total number of keys that it may decrypt per domain (in earliest to oldest order).

Default Value

365

Property

strongkeylite.cfg.property.ccsautodelete

Explanation

The default behavior of the CCS getCardCaptureData web service is to encrypt the credit card data and return a token back to the calling application. By setting this property to true, the credit card will no longer be tokenized. This property is most useful when combined with strongkeylite.cfg.property.ccsplaintextpan to return the plaintext credit card.

Default Value

false

Property

strongkeylite.cfg.property.ccsresponseformat

Explanation

The CryptoCard Service (CCS) Servlet offers two different response types—json and xml. This property determines which response type the web service will use.

Default Value

json

Property

strongkeylite.cfg.property.ccsencodingformat

Explanation

This property is used to determine the encoding format used for data sent by PIN and magstripe readers. Valid values are hex and base64.

Default Value

hex

Property

strongkeylite.cfg.property.ccsplaintextpan

Explanation

The default behavior of the CCS getCardCaptureData is to encrypt the credit card data and return a token back to the calling application. By setting this property to true, the plaintext credit card number will also be returned along side the token. When this property is set to true, the getCardCaptureData web service user must have both encryption privilege and decryption privilege.

Default Value

false

Property

strongkeylite.cfg.property.ccsprocesstrack2

Explanation

When processing a credit card through CCS, there are a number of tracks available in the card swipe. By default we only process track1 data. By setting this property to true, we will process the swipe's track2 data.

Default Value

false

Property

strongkeylite.cfg.property.ccsprocesstrack3

Explanation

When processing a credit card through CCS, there are a number of tracks available in the card swipe. By default we only process track1 data. By setting this property to true, we will process the swipe's track3 data.

Default Value

false

Property

strongkeylite.cfg.property.cryptomodule.lock.waittime

Explanation

Access to the cryptomodule is locked to prevent overloading the module. If a lock has been acquired by another thread, the current thread may wait for this many seconds to acquire the lock before giving up.

Default Value

25

Property

strongkeylite.cfg.property.cryptomodule.provider

Explanation

The type of cryptographic Hardware Security Module (HSM) used in the SAKA when it is configured with an HSM. The values currently supported by the SAKA are CRYPTOKI—for the HSM from Eracom (now SafeNet) and CryptoServer—for the HSM from Utimaco (now Sophos). This property is superfluous when SAKA is configured to use the TPM.

Default Value

CryptoServer

Property

strongkeylite.cfg.property.cryptomodule.provider.utimaco.adminkeyfile

Explanation

When using the Utimaco HSM, this property represents the file of the Administrator's key used to configure the HSM. This file is only required during the initialization of the HSM during the installation of the HSM. Once initialized, this file should be removed for security reasons.

Default Value

ADMIN.key

Property

strongkeylite.cfg.property.cryptomodule.provider.utimaco.device

Explanation

When SAKA is configured with a CryptoServer HSM from Utimaco, this property identifies the device address of the HSM with which the SAKA software will communicate. Before the HSM can be used, the device must already be configured using the tools supplied with SAKA. This property is neither used by the SafeNet HSM nor the TPM.

Default Value

/dev/cs2

Property

strongkeylite.cfg.property.cryptomodule.provider.utimaco.listobjects

Explanation

When using the Utimaco HSM, this property indicates if objects within a keystore should be listed.

Default Value

false

Property

strongkeylite.cfg.property.cryptomodule.provider.utimaco.timeout

Explanation

When SAKA is configured with a CryptoServer HSM from Utimaco, this property identifies the number of milliseconds to wait before timing out for a connection to the HSM. This property is neither used by the SafeNet HSM nor the TPM.

Default Value

5000

Property

strongkeylite.cfg.property.cryptomodule.provider.utimaco.userflags

Explanation

When using the Utimaco HSM, this property indicates the property flags to be used when a new user is created to access keystores within the HSM. More information about the meaning of these flags is available in the HSM documentation included in the software distribution directory of the appliance.

Default Value

,00000002,hmacpwd,no_login+sma,

Property

strongkeylite.cfg.property.cryptomodule.provider.utimaco.user

Explanation

When SAKA is configured with a CryptoServer HSM from Utimaco, this property identifies the username on the HSM authorized to access cryptographic keys and perform cryptographic functions. Before the HSM can be used, the credentials must already be configured using the tools supplied with SAKA. This property is neither used by the SafeNet HSM nor the TPM.

Default Value

strongauth

Property

strongkeylite.cfg.property.cryptomodule.slot

Explanation

When SAKA is configured with a Protect Server Gold (PSG) HSM from SafeNet, this property identifies the HSM slot where the domain keys are stored. Before the HSM can be used, the slot must have been configured using the supplied tools. This property is neither used by the Utimaco HSM nor the TPM.

Default Value

1

Property

strongkeylite.cfg.property.cryptomodule.type

Explanation

The type of cryptographic hardware module used by SAKA. The appliance supports tpm—when using the Trusted Platform Module and hsm—when using a Hardware Security Module. A SAKA server may only use one type of cryptographic module—it cannot combine the TPM and the HSM within its operations. The choice of the cryptographic module is made during installation and must not be changed. Migrating from the TPM to the HSM, or vice versa, is not currently supported.

Default Value

tpm

Property

strongkeylite.cfg.property.cryptomodule.vendor

Explanation

When the SAKA server is configured to work with an HSM, this property identifies the manufacturer of the HSM. The appliance supports eracom—when using the PSG HSM from Eracom (now SafeNet) and utimaco—when using a CryptoServer HSM from Utimaco (now Sophos). For the strongkeylite.cfg.property.cryptomodule.vendor property to be relevant, the strongkeylite.cfg.property.cryptomodule.type property must be set to hsm. This property is ignored when the SAKA is configured to use a TPM.

Default Value

stm

Property

strongkeylite.cfg.property.debug.printentity

Explanation

In order to aid debugging, this property allows the application to log parameters as it traverses through different modules. Tracking changes to these parameters as they are processed aids in the debugging process. However, even when this property is set to true, SAKA does not log plaintext sensitive data to log files.

Default Value

false

Property

strongkeylite.cfg.property.decryption.usergranularity

Explanation

An indicator that tells SAKA whether to reject decryption requests from any other user than the one that originally encrypted the plaintext (or the special user recoveryuser). The default is not to compare the decrypting user to the encrypting user (false). The other acceptable value is true, in which case only the user which encrypted the plaintext, or the recoveryuser user, can decrypt the ciphertext.

Default Value

false

Property

strongkeylite.cfg.property.defaultmanufacturer

Explanation

The default manufacturer ID used by the CCS. This property was introduced to ease the transition when MFR was added to the web service. Valid values are 0 (for IDTECH), 1 (for UIC), 2 (for MAGTEK), and 3 (for INFINITE).

Default Value

0

Property

strongkeylite.cfg.property.digestalgorithm

Explanation

The algorithm used for verifying message digests of Key Custodian passwords when they communicate with the SAKA server using the Key Custodian SetPIN Tool. Currently supported algorithms include:

  • SHA-1

  • SHA-256 (the default)

  • SHA-384

  • SHA-512

 

Default Value

SHA-256

Property

strongkeylite.cfg.property.dnprefix

Explanation

When authenticating a requester within the LDAP directory, the web service application needs to know whether to search for the requester's identity based on the Common Name or the UserID of the requester's LDAP DN. This property defines how SAKA should authenticate requesters within the LDAP directory. Valid values for this property are:

  • cn=(the default)

  • uid=

 

NOTE: The value MUST be followed by an equals (“=”) sign for it to be valid.

Default Value

cn=

Property

strongkeylite.cfg.property.dnsuffix

Explanation

When SAKA is configured to use an LDAP directory server for determining the authorization of requesters, this property defines the suffix of the LDAP directory where the user's credential can be located. This is useful if a site has an Active Directory (AD) installation and would like to authorize requesters based on their AD credential.

NOTE: If a site chooses to use an LDAP directory for access control, and if they also choose not to use an existing AD tree, or those who want to keep the SAKA requesters distinct from their regular AD users, MUST create the dnsuffix part of the tree within their directory server before SAKA can be used.

NOTE: The comma (“,”) that precedes the value of the dnsuffix; this comma must be present in the property value to work correctly. In the default value shown below, document formatting might have the comma appear on its own separate line, but the value must be an unbroken line.

Default Value

,ou=users,ou=v1,ou=StrongKeyLite,ou=StrongAuth,ou=applications,dc=strongauth,dc=com

Property

strongkeylite.cfg.property.enckeysize

Explanation

The size of the symmetric encryption cryptographic key used to encrypt sensitive data. SAKA currently supports only the AES algorithm with the following sizes:

  • 128 bits

  • 192 bits

  • 256 bits (the default)

 

This property goes into effect only when a new symmetric key is generated (which may be the next day, week, month, or year depending on the key duration policy in effect in this encryption-domain); existing keys remain unmodified.

Default Value

256

Property

strongkeylite.cfg.property.encryptionrequestremovaljob.cutoff

Explanation

The amount of time that must lapse between an encryption request and the request (with its encrypted sensitive data) being deleted permanently from the database. While there is no upper limit to the cutoff period, the lower limit is 1. Units for this property are defined by strongkeylite.cfg.property.encryptionrequestremovaljob.cutoff.units.

Relevant only if the strongkeylite.cfg.property.encryptionreqestremovaljab.run property is set to true.

Default Value

30

Property

strongkeylite.cfg.property.encryptionrequestremovaljob.cutoff.units

Explanation

Time unit for the strongkeylite.cfg.property.encryptionrequestremovaljob.cutoff property. Valid options are days, hours, minutes, and seconds. Relevant only if the strongkeylite.cfg.property.encryptionreqestremovaljob.run property is set to true.

Default Value

days

Property

strongkeylite.cfg.property.encryptionrequestremovaljob.log

Explanation

Determines if a log report should be generated in STRONGKEYLITE_HOME/logs for this job type.

Default Value

false

Property

strongkeylite.cfg.property.encryptionrequestremovaljob.reportprefix

Explanation

The prefix used for reports generated by the SAKA when encryption requests are deleted. The report's name is appended with the date and time of the run and stored in the STRONGKEYLITE_HOME/log directory. This property is referenced only if the strongkeylite.cfg.property.encryptionreqestremovaljob.run property is set to true.

Default Value

DeletedEncryptionRequests-

Property

strongkeylite.cfg.property.encryptionrequestremovaljob.run

Explanation

Determines if SAKA runs the encryption removal job. If set to true, SAKA also looks at strongkeylite.cfg.property.encryptionreqestremovaljob.runfrequency so it knows how frequently to schedule the job.

Setting the property to true will permanently delete encryption requests with associated encrypted sensitive data from the internal database. The implication is that future requests for decryption of that ciphertext will fail since the ciphertext will not exist in the database anymore.

This property exists for sites whose business rules require deleting sensitive data after a specified duration.

Default Value

false

Property

strongkeylite.cfg.property.hmacgeneration

Explanation

In a cluster, an object may have been encrypted by one appliance, but might come into another node again for encryption. To determine if the object already exists, the appliance must HMAC the incoming object against all HMAC keys of the cluster nodes to search for them. This property indicates if the code should generate one HMAC at a time, then search the DB, or generate all HMACs at once and search the DB for each one. Performance will vary depending on node count per cluster, load on the machines, and number of objects encrypted in the cluster. Sites may try both strategies to see if performance improves. Valid values for this property are:

  • one—checks HMACs using one node's HMAC key at a time (the default).

  • all—checks HMACs after generating HMACs using HMAC keys of all nodes.

 

Default Value

one

Property

strongkeylite.cfg.property.hmackeyalgorithm

Explanation

The cryptographic algorithm used for generating symmetric keys that will create HMACs of sensitive data. The key algorithm has a direct dependency on the strongkeylite.cfg.property.hmackeysize and the strongkeylite.cfg.property.hmactransform properties, so changes to these three properties must be carried out in tandem. SAKA currently supports the following HMAC key algorithms:

  • HmacSHA224—based on a 224-bit symmetric key

  • HmacSHA256—based on a 256-bit symmetric key (the default)

  • HmacSHA384—based on a 384-bit symmetric key

  • HmacSHA512—based on a 512-bit symmetric key

 

Default Value

HmacSHA256

Property

strongkeylite.cfg.property.hmackeysize

Explanation

Size of the symmetric HMAC key used to generate HMACs of sensitive data. SAKA currently only supports the following sizes:

  • 224 bits

  • 256 bits(the default)

  • 384 bits

  • 512 bits

 

Changes to the default values MUST have a corresponding change in the strongkeylite.cfg.property.hmackeyalgorithm and strongkeylite.cfg.property.hmactransform properties.

Default Value

256

Property

strongkeylite.cfg.property.hmactransform

Explanation

Algorithm used to generate HMACs of sensitive data. The transform algorithm has a direct dependency on the strongkeylite.cfg.property.hmackeyalgorithm and the strongkeylite.cfg.property.hmackeysize properties, so changes to these properties must be carried out in tandem. SAKA currently supports the following HMAC algorithms:

  • HmacSHA224—based on a 224-bit symmetric key

  • HmacSHA256—based on a 256-bit symmetric key (the default)

  • HmacSHA384—based on a 384-bit symmetric key

  • HmacSHA512—based on a 512-bit symmetric key

 

Default Value

HmacSHA256

Property

strongkeylite.cfg.property.jdbc.dbcommitsize

Explanation

When executing one of the key rotation jobs (Rotate HMACs or Rotate Symmetric Keys), SAKA uses JDBC to communicate with the database instead of JPA. This vastly improves performance and memory utilization for very large databases. To further improve performance of the jobs, updated transactions are batched before being committed.

The strongkeylite.cfg.property.jdbc.dbcommitsize property indicates how many records should be batched before being committed to the database. The fewer the records batched, the lower the risk of having to repeat the entire job again should anything go wrong. However, lower dbcommitsize numbers increase the time taken to complete the job. Depending on the database size and the stability of the environment, consider increasing this number to complete the jobs marginally faster.

NOTE: This value may not be less than1. The application must commit at least one record per batched transaction. Enormous numbers will consume more memory and increase risk of a transaction rollback if something goes awry.

Default Value

200

Property

strongkeylite.cfg.property.jdbc.dbfetchsize

Explanation

When executing one of the key rotation jobs (Rotate HMACs), SAKA uses JDBC to communicate with the database instead of JPA. This vastly improves performance and memory utilization for very large databases.

The strongkeylite.cfg.property.jdbc.dbfetchsize property indicates how many records should be fetched by the JDBC driver when retrieving records. The fewer the records fetched, the lower the consumption of memory.

NOTE: This value may not be less than 1. The application must commit at least one record per batched transaction. Enormous numbers will consume more memory and increase risk of a transaction rollback if something goes awry.

Default Value

500

Property

strongkeylite.cfg.property.jdbc.dbprocesssize

Explanation

When executing one of the key-rotation jobs (Rotate HMACs), SAKA uses JDBC to communicate with the database instead of JPA. This vastly improves performance and memory utilization for very large databases.

The strongkeylite.cfg.property.jdbc.dbprocesssize indicates how many records should be processed by the job in an iteration. The fewer the records fetched, the lower the consumption of memory, but the longer it takes to complete the entire job. However, a very large number will not only increase memory usage, but can increase the risk of a transaction rollback should there be a problem. However, the ultimate performance is determined by number of records encrypted by the specific key being rotated and how frequently the appliance must decrypt the key hierarchy to process the records.

NOTE: This value may not be less than 1. The application must commit at least one record per batched transaction.

Default Value

10000

Property

strongkeylite.cfg.property.keyduration.enc

Explanation

Cryptographic keys used by the web service application are changed frequently, based on the policy defined in this property. The default for a symmetric encryption key (ENC) is to use a new key every day. Advantages to this policy are:

  1. Only 1/365th of sensitive records in the database use any specific key; so the risk of the compromise of any single key is reduced to only 1/365th of the database.

  2. When it is time to rotate symmetric keys (as required by PCI DSS), the burden on the system for key rotation (even though it is completely automatic) is reduced to 1/365th of encrypted records. On the other extreme, an annual key rotation must re-encrypt every encrypted record in the internal database in one run.

  3. Key rotation—decrypting ciphertext and re-encrypting it with a new key—can be spread out evenly across the year to rotate 1/365th of the database daily. A single large annual key rotation can slow down responses to client applications as it occurs.

  4. Valid values for this property are:

    • daily—new symmetric key each day and 365 keys per year

    • weekly—new symmetric key each week and 52 keys per year

    • monthly—new symmetric key each month and 12 keys per year (default)

    • annual—one symmetric key per year

     

 

Default Value

monthly

Property

strongkeylite.cfg.property.keyremovaljob.cutoff

Explanation

The duration in seconds that must pass before SAKA removes symmetric encryption keys from its internal cache.

Since symmetric keys on SAKA are encrypted under multiple layers of asymmetric keys when stored on disk, decrypting them requires the movement of multiple keys into cryptographic hardware modules and expensive cryptographic operations. Therefore, when a key is decrypted by SAKA, it holds the key in an internal cache for the duration of cutoff seconds before deleting them from the cache. Should the symmetric key be required before the cutoff duration has expired, there will be dramatic improvements to performance since the entire chain of keys need not be decrypted again.

The lower the strongkeylite.cfg.property.keyremovaljob.cutoff value, the more secure the environment since keys are cached for a shorter duration. However, too short a duration can impact performance since a key that is flushed from its cache must be decrypted again. Know business transaction characteristics is important for realistically setting this value to balance performance and security. The default value of 300 (5 minutes) leans towards more security.

Default Value

86400

Property

strongkeylite.cfg.property.keyremovaljob.run

Explanation

An indicator to tell SAKA whether to run the thread that removes symmetric keys from its cache. The default is to run the thread (true). The other acceptable value for this property is: false, in which case objects are cached as long as the server is up and running and memory resources are available. For security reasons, sites are encouraged to leave this property setting at its default value of true.

Default Value

true

Property

strongkeylite.cfg.property.keyremovaljob.runfrequency

Explanation

The frequency in seconds at which the thread executes that removes symmetric encryption keys from cache.

The lower the strongkeylite.cfg.property.keyremovaljob.runfrequency value, the more secure the environment since keys are cached for a shorter duration. Do not set the value less than half of strongkeylite.cfg.property.keyremovaljob.cutoff. For example, if the cutoff property value is 300 seconds (the default), setting the property value of runfrequency to be less than 150 seconds only wastes computing resources as there will be instances when the job will do nothing.

Default Value

300

Property

strongkeylite.cfg.property.ldapauthtype

Explanation

When SAKA is configured to use an LDAP-based directory server for managing access control to SAKA services, this property identifies the type of LDAP authentication to use with the directory server.

In this release, SAKA supports the simple LDAP authentication. It is recommended that sites use LDAP over Transport Layer Security (TLS) or within an Internet Protocol Security (IPSec) tunnel to protect the LDAP passwords flowing between SAKA and the LDAP directory server.

Default Value

simple

Property

strongkeylite.cfg.property.ldapdecryptiongroup

Explanation

When SAKA is configured to use an LDAP-based directory server for managing access control to SAKA services, this property identifies the LDAP group authorized to request decryption services from SAKA. The members of this group must have valid LDAP credentials within the same directory server that can be verified by SAKA.

While SAKA can use any group container in the directory, it is recommended using the value specified here as it will ensure better support. Sites must create this LDAP group container hierarchy before using the web service application.

NOTE: An LDAP user's membership in this group does not authorize them to request encryption or deletion services from SAKA; that requires separate membership in the groups identified in the strongkeylite.cfg.property.ldapencryptiongroup and strongkeylite.cfg.property.ldapdeletiongroup properties, respectively.

Default Value

cn=DecryptionAuthorized,ou=groups,ou=v1,ou=StrongKeyLite,ou=StrongAuth,ou=applications,dc=strongauth,dc=com

Property

strongkeylite.cfg.property.ldapdeletiongroup

Explanation

When SAKA is configured to use an LDAP-based directory server for managing access control to SAKA services, this property identifies the LDAP group authorized to request deletion services from SAKA. The members of this group must have valid LDAP credentials within the same directory server that can be verified by SAKA.

While SAKA can use any group container in the directory, it is recommended using the value specified here as it will ensure better support. Sites must create this LDAP group container hierarchy before using the web service application.

NOTE: An LDAP user's membership in this group does not authorize them to request encryption or decryption services from SAKA; that requires separate membership in the groups identified in the strongkeylite.cfg.property.ldapencryptiongroup and strongkeylite.cfg.property.ldapdecryptiongroup properties, respectively.

Default Value

cn=DeletionAuthorized,ou=groups,ou=v1,ou=StrongKeyLite,ou=StrongAuth,ou=applications,dc=strongauth,dc=com

Property

strongkeylite.cfg.property.ldapencryptiongroup

Explanation

When SAKA is configured to use an LDAP-based directory server for managing access control to SAKA services, this property identifies the LDAP group authorized to request encryption services from SAKA. The members of this group must have valid LDAP credentials within the same directory server that can be verified by SAKA.

While SAKA can use any group container in the directory, it is recommended using the value specified here as it will ensure better support. Sites must create this LDAP group container hierarchy before using the web service application.

NOTE: An LDAP user's membership in this group does not authorize them to request decryption or deletion services from SAKA; that requires separate membership in the groups identified in the strongkeylite.cfg.property.ldapdecryptiongroup and strongkeylite.cfg.property.ldapdeletiongroup properties, respectively.

Default Value

cn=EncryptionAuthorized,ou=groups,ou=v1,ou=StrongKeyLite,ou=StrongAuth,ou=applications,dc=strongauth,dc=com

Property

strongkeylite.cfg.property.ldaprelaygroup

Explanation

When SAKA is configured to use an LDAP-based directory server for managing access control to SAKA services, this property identifies the LDAP group authorized to request relay services from SAKA. The members of this group must have valid LDAP credentials within the same directory server that can be verified by SAKA.

While SAKA can use any group container in the directory, it is recommended using the value specified here as it will ensure better support. Sites must create this LDAP group container hierarchy before using the web service application.

NOTE: An LDAP user's membership in this group does not necessarily authorize them to request other web services from SAKA.

Default Value

cn=RelayAuthorized,ou=groups,ou=v1,ou=StrongKeyLite,ou=StrongAuth,ou=applications,dc=strongauth,dc=com

Property

strongkeylite.cfg.property.ldapsearchgroup

Explanation

When SAKA is configured to use an LDAP-based directory server for managing access control to SAKA services, this property identifies the LDAP group authorized to request search services from SAKA. The members of this group must have valid LDAP credentials within the same directory server that can be verified by SAKA.

While SAKA can use any group container in the directory, it is recommended using the value specified here as it will ensure better support. Sites must create this LDAP group container hierarchy before using the web service application.

NOTE: An LDAP user's membership in this group does not authorize them to request encryption, decryption, or deletion services from SAKA; that requires separate membership in the groups identified in the strongkeylite.cfg.property.ldapencryptiongroup, strongkeylite.cfg.property.ldapdecryptiongroup, and the strongkeylite.cfg.property.ldapsearchgroup properties, respectively.

Default Value

cn=SearchAuthorized,ou=groups,ou=v1,ou=StrongKeyLite,ou=StrongAuth,ou=applications,dc=strongauth,dc=com

Property

strongkeylite.cfg.property.ldaptype

Explanation

Standard LDAP directories define LDAP groups as a groupOfUniqueNames object class. However, AD does not. This requires that determining a requester's authorization within AD must use a different query for AD than for a standard LDAP directory. This property tells SAKA with which type of LDAP directory it is dealing. The two valid values for this property are: AD—Active Directory and LDAP—for a standard LDAP directory server (the default)

This property MUST be overridden if SAKA is to work with an Active Directory-based directory server.

Default Value

LDAP

Property

strongkeylite.cfg.property.ldapurl

Explanation

When SAKA is configured to use an LDAP-based directory server for managing access control to SAKA services, this property defines the FQDN of the LDAP directory server, the LDAP service listening port, and the security mode of the LDAP protocol.Valid values of this property may look like:

ldaps://poseidon.strongauth.com:636

...where the ldaps indicates that directory server requires TLS, and is listening over the default LDAPS port (636).

This property MUST be overridden before SAKA is used successfully. If using LDAP, sites are strongly encouraged to use TLS for communications between SAKA and the directory server.

Default Value

ldap://poseidon.strongauth.com:389

Property

strongkeylite.cfg.property.luhntokens

Explanation

Some sites may want to issue token numbers that conform to the Luhn algorithm used by credit card issuers (https://en.wikipedia.org/wiki/Luhn_algorithm). This property, when set to true, will return tokens that conform to the Luhn algorithm; by default, this property is set to false so that tokens are just incremented sequentially for each new request. This ensures that other software checking tokens for Luhn conformance will pass. However, this might reduce the transaction throughput of the appliance since it must test every token generated to ensure that it passes the Luhn algorithm check. How much of a reduction depends on how busy the appliance is and how many requests come in for processing at any given time.

Default Value

false

Property

strongkeylite.cfg.property.messaging.blpsleeptime

Explanation

Before an object is replicated to other appliances, the source appliance saves the object metadata in a replication table, and then publishes the object to subscribers. Sometimes, the acknowledgment from subscribers may not reach the publisher. On such occasions, the publisher has a BacklogProcessor (BLP) that attempts to resend the object to subscribers who did not receive it. However, to ensure that the BLP does not get caught in an endless loop sending the objects continuously, it sleeps for the period of seconds specified in this parameter before checking the replication table again to publish objects.

Default Value

60

Property

strongkeylite.cfg.property.messaging.blpsuccpercent

Explanation

The BLP handles a job as a series of batches. After sending one of these batches the BLP will wait and count the number of acknowledgments it receives. This property determines the minimum percent of transactions (provided as a decimal) that must be acknowledged for the BLP to perform the next batch.

Default Value

.90

Property

strongkeylite.cfg.property.messaging.blptestsize

Explanation

When the BLP first wakes up, before it sends the bulk of backlog messages, it sends a small batch of records to test whether the subscribing node is available to send acknowledgments. If no acknowledgments are received from this test, the BLP gives up on this iteration. This property determines the quantity of records send in this test.

Default Value

25

Property

strongkeylite.cfg.property.messaging.timediff

Explanation

ZeroMQ normally replicates most objects to all appliances when they are created. However, there are occasions when there might be some leftover objects in the replication table that were either not acknowledged by recipients, or the publisher did not receive the acknowledgment as it was too busy. In these situations, the BLP attempts to replicate the object again as part oof the clean-up processor. The timediff property is the amount of seconds a record must be in the Replication table before the BLP attempts to resend it to other appliances.

Default Value

60

Property

strongkeylite.cfg.property.messaging.statechange.waittime

Explanation

When a BLP is being started, stopped, other threads may call the messaging service to get an instance. This parameter tells the messaging service how long to wait while the service is undergoing a state change—such as when it might be starting or stopping.

Default Value

15

Property

strongkeylite.cfg.property.objectremovaljob.cutoff

Explanation

The duration, in seconds, that must pass before SAKA removes metadata objects from its internal cache.

The lower the cutoff value, the more efficient SAKA uses memory resources. However, too low a duration can impact performance since metadata objects flushed from cache will have to be retrieved from the internal database before they can be reused. Knowing business transaction characteristics is important for realistically setting this value to balance resource utilization and performance. The default value of 1800 seconds (30 minutes) leans towards better performance. There is no security implication in leaving these objects in memory for a longer duration; none of the cached metadata is sensitive.

Default Value

1800

Property

strongkeylite.cfg.property.objectremovaljob.run

Explanation

An indicator that tells SAKA whether to run the thread that removes metadata objects from its internal cache. The default is to run the thread (true). The other acceptable value for this property is false, in which case objects are cached as long as the server is up and running and memory resources are available.

Default Value

true

Property

strongkeylite.cfg.property.objectremovaljob.runfrequency

Explanation

The frequency, in seconds, at which the thread that removes metadata objects from the SAKA internal cache, executes.

The lower the runfrequency value, the more efficiently SAKA uses memory resources, since objects are cached for a shorter duration. However, too low a duration can impact performance, since metadata objects flushed from cache must be retrieved from the internal database before they can be reused. Do not set the value less than half the strongkeylite.cfg.property.objectremovaljob.cutoff property's value. For example, if the cutoff property value is 1800 seconds (the default), setting the value of runfrequency to be less than 900 seconds only wastes computing resources, as there will be instances when the job will do nothing.

Default Value

900

Property

strongkeylite.cfg.property.pwdkeyalgorithm

Explanation

The cryptographic algorithm used for generating the symmetric key that will create HMACs of user-passwords. The key algorithm has a direct dependency on strongkeylite.cfg.property.pwdkeysize and strongkeylite.cfg.property.pwdtransform, so changes to any of these properties must be carried out in tandem. SAKA currently supports the following algorithms for the password HMAC generator:

  • HmacSHA224—based on a 224-bit symmetric key

  • HmacSHA256—based on a 256-bit symmetric key (the default)

  • HmacSHA384—based on a 384-bit symmetric key

  • HmacSHA512—based on a 512-bit symmetric key

 

Default Value

HmacSHA256

Property

strongkeylite.cfg.property.pwdkeysize

Explanation

The size of the symmetric HMAC key used to generate HMACs of user passwords. The SAKA currently only supports the following sizes:

  • 224 bits

  • 256 bits (the default)

  • 384 bits

  • 512 bits

 

Changes to the default values must include a corresponding change in the strongkeylite.cfg.property.pwdkeyalgorithm and the strongkeylite.cfg.property.pwdtransform properties.

Default Value

256

Property

strongkeylite.cfg.property.pwdtransform

Explanation

The cryptographic algorithm used to generate HMACs of sensitive data. The transform algorithm has a direct dependency on the strongkeylite.cfg.property.pwdkeyalgorithm and the strongkeylite.cfg.property.pwdkeysize properties, so changes to these three properties must be carried out in tandem. SAKA currently supports the following algorithms:

  • HmacSHA224—based on a 224-bit symmetric key

  • HmacSHA256—based on a 256-bit symmetric key (the default)

  • HmacSHA384—based on a 384-bit symmetric key

  • HmacSHA512—based on a 512-bit symmetric key

Default Value

HmacSHA256

Property

strongkeylite.cfg.property.readonly

Explanation

Allows an appliance to be in Read-Only mode. It will perform individual Decryption and Search operations without logging anything to the database, but be responsive to applications to decrypt tokens. All logging is performed only in the server.log file of Payara. This is useful when a site wants to setup more decryption throughput without the overhead of replicating decryption requests to other nodes in the cluster.

Default Value

false

Property

strongkeylite.cfg.property.relay.authorizedurls.1

Explanation

Every authorized URL for the relay web service must be uniquely identified in its own property. The first URL will begin with the numeral 1, the second with 2, and so on. There is no limit to the number of URLs that can be configured. However, the total number of configured URLs must be specified in the property, strongkeylite.cfg.property.relay.authorizedurls.number. Having more URLs than the specified number will prevent the appliance from using any URL that exceeds strongkeylite.cfg.property.relay.authorizedurls.number. Having fewer than the specified number of URLs will cause NullPointerExceptions (NPE) to be thrown. Since DACTool does not provide the ability to add new properties per domain, the URL values must be added in the strongkeylite-configuration.properties file in the /usr/local/strongauth/strongkeylite/etc directory. Please note properties in that file apply to all encryption domains on the appliance.

Default Value

https://test.authorize.net

Property

strongkeylite.cfg.property.relay.authorizedurls.number

Explanation

The relay web service will only work when the service request is targeted at specific URLs of payment gateways. In order to configure the gateway URLs, one must know the number of URLs the service is authorized to communicate with. That number must be specified in this property. By default only one URL is authorized out of the box: https://test.authorize.net.

Default Value

1

Property

strongkeylite.cfg.property.relay.namespaces.number

Explanation

In order to relay transactions to payment gateways, the appliance needs to parse XML content that is passed in as a parameter to the web service. The appliance needs to know the number and namespaces of the XML schemas that define the structure of XML being passed in. If new XML schema namespaces are added/deleted to the relay capability, this number must be changed to reflect the actual number of namespaces the appliance must recognize.

Default Value

6

Property

strongkeylite.cfg.property.relay.namespaces.prefix.1

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of prefixes configured, but each must be unique and must have a corresponding .relay.namespaces.url.N property (see below).

Default Value

adyen

Property

strongkeylite.cfg.property.relay.namespaces.prefix.2

Explanation

The relay web service permits the relay of HTTP and SOAP based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of prefixes configured, but each must be unique and must have a corresponding .relay.namespaces.url.N property (see below).

Default Value

ds

Property

strongkeylite.cfg.property.relay.namespaces.prefix.3

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of prefixes configured, but each must be unique and must have a corresponding .relay.namespaces.url.N property (see below).

Default Value

soap

Property

strongkeylite.cfg.property.relay.namespaces.prefix.4

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of prefixes configured, but each must be unique and must have a corresponding .relay.namespaces.url.N property (see below).

Default Value

skles

Property

strongkeylite.cfg.property.relay.namespaces.prefix.5

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of prefixes configured, but each must be unique and must have a corresponding .relay.namespaces.url.N property (see below).

Default Value

skles

Property

strongkeylite.cfg.property.relay.namespaces.prefix.6<

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of prefixes configured, but each must be unique and must have a corresponding .relay.namespaces.url.N property (see below).

Default Value

xenc

Property

strongkeylite.cfg.property.relay.namespaces.url.1

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of namespace URLs configured, but each must be unique and must have a corresponding .relay.namespaces.prefix.N property (see above).

Default Value

http://payment.services.adyen.com

Property

strongkeylite.cfg.property.relay.namespaces.url.2

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of namespace URLs configured, but each must be unique and must have a corresponding .relay.namespaces.prefix.N property (see above).

Default Value

http://www.w3.org/2000/09/xmldsig#

Property

strongkeylite.cfg.property.relay.namespaces.url.3

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of namespace URLs configured, but each must be unique and must have a corresponding .relay.namespaces.prefix.N property (see above).

Default Value

http://schemas.xmlsoap.org/soap/envelope/

Property

strongkeylite.cfg.property.relay.namespaces.url.4

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of namespace URLs configured, but each must be unique and must have a corresponding .relay.namespaces.prefix.N property (see above).

Default Value

http://strongkey.strongauth.com/SKES201101

Property

strongkeylite.cfg.property.relay.namespaces.url.5

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of namespace URLs configured, but each must be unique and must have a corresponding .relay.namespaces.prefix.N property (see above).

Default Value

http://strongkeylite.strongauth.com/SAKA201009

Property

strongkeylite.cfg.property.relay.namespaces.url.6

Explanation

The relay web service permits the relay of HTTP and SOAP-based messages to external payment gateways. For SOAP messages to be validated correctly, the appliance must know all namespaces it must expect to process in the relay web service. There may be any number of namespace URLs configured, but each must be unique and must have a corresponding .relay.namespaces.prefix.N property (see above).

Default Value

http://www.w3.org/2001/04/xmlenc#

Property

strongkeylite.cfg.property.relay.soapxpath.xpath

Explanation

The string containing the elements that make up the XPath expression that will be used to search for the tokens within embedded SOAP messages sent to the appliance for relay to payment gateways.

Default Value

/SoapRelayContent/Envelope

Property

strongkeylite.cfg.property.replicate.essentialonly

Explanation

By default, the appliance replicates all objects to other appliances in the cluster. However, some sites may choose to not replicate decryption and search requests to other appliances since the information is for audit purposes. Since the original responder server will have it in their database and application server logs, this may be sufficient for some sites. In those situations, setting this property to true will ensure that only essential objects are replicated to other appliances—which means, decryption and search requests are not replicated to other appliances.

Default Value

false

Property

strongkeylite.cfg.property.reqid.retryattempts

Explanation

The number of times the front-end web server tries to get a unique request ID number from the back-end SAKA server when it receives a web service request from a client application. When the web server doesn't receive a response within the configured number of attempts, it returns an error message to the client application. The request ID is used to track request transactions in the SAKA encryption domain.

Default Value

3

Property

strongkeylite.cfg.property.rngtype

Explanation

The appliance supports two types of Random Number Generators: pseudo-RNG or true RNG. When this property has the value PRNG—the default—random bytes are extracted from the true RNG in cryptographic hardware when the application server is started; the TRNG bytes are used to seed a pseudo-RNG from which all future random bytes are generated. When the value of this property is TRNG, the appliance always uses the cryptographic hardware to generate random bytes. Using the PRNG is orders of magnitudes faster than using the TRNG. However, the appliance always uses the TRNG to generate random bytes for the cryptographic keys; initialization vectors and nonces for authentication are generated by the PRNG.

Default Value

PRNG

Property

strongkeylite.cfg.property.rotatedhmacs.reportprefix

Explanation

The prefix used for reports generated by SAKA when symmetric keys are rotated and encrypted objects are thus re-encrypted with the new key. The report's name is appended with the date and time of the run and stored in the STRONGKEYLITE_HOME/log directory.

Relevant only if the strongkeylite.cfg.property.rotatesymmetrickeysjob.run property is set to true.

Default Value

RotatedHMACs-

Property

strongkeylite.cfg.property.rotatehmacsjob.run

Explanation

This property tells SAKA whether to run the key rotation job. If set to true, SAKA will also look at strongkeylite.cfg.property.rotatehmacsjob.runfrequency to determine how frequently to schedule the job. If set to false, the job is never scheduled. To schedule even the on-demand execution of this job (from the DACTool) just once, this property value must be set to true to execute the job.

Default Value

true

Property

strongkeylite.cfg.property.rotatesymmetrickeysjob.cutoff

Explanation

Days that must elapse before a symmetric key is rotated. Key rotation is required by some regulations (annually for PCI DSS). SAKA has a built-in job that automatically generates new symmetric keys and re-encrypts data encrypted by the older key. Since the only externally mandated guideline currently is PCI DSS, a site's own security policies may or may not dictate how frequently the keys must be rotated within SAKA. The default value is to rotate keys at least one year old (365 days).

Default Value

365

Property

strongkeylite.cfg.property.rotatesymmetrickeysjob.reportprefix

Explanation

The prefix used for reports generated by SAKA when symmetric keys are rotated and encrypted objects are thus re-encrypted with the new key. The report's name is appended with the date/time and stored in the STRONGKEYLITE_HOME/log directory.

Relevant only if the strongkeylite.cfg.property.rotatesymmetrickeysjob.run property is set to true.

Default Value

ReencryptedObjects-

Property

strongkeylite.cfg.property.rotatesymmetrickeysjob.run

Explanation

Tells SAKA whether to run the key rotation job. If the value is set to true, SAKA will also look at strongkeylite.cfg.property.rotatesymmetrickeysjob.runfrequency property to determine how frequently to schedule the job. If set to false, the job is never scheduled. To even schedule the on-demand execution of this job (from the DACTool) for a single run, this property value must be true before the job is submitted.

Default Value

true

Property

strongkeylite.cfg.property.rotatesymmetrickeysrangejob.run

Explanation

Tells SAKA whether to run the key rotation job for a range of records. This allows for smaller sets of records in the database to be re-encrypted ahead of schedule, thereby preventing a huge re-encryption job on the anniversary date of the symmetric key. If set to false, the job is never scheduled; even the on-demand execution of this job (from the DACTool) will fail if this property value is set to false.

Default Value

true

Property

strongkeylite.cfg.property.symmmetrickeylock.waittime

Explanation

To generate a symmetric key, the generating module must acquire a lock to avoid creating duplicate keys. If a lock has been acquired by another thread, the current thread may wait for waittime seconds each time, to acquire the lock before trying again. It will make strongkeylite.cfg.property.symmmetrickeylock.attempts times, waiting for strongkeylite.cfg.property.symmmetrickeylock.waittime seconds before completely giving up.

Default Value

30

Property

strongkeylite.cfg.property.tokentype

Explanation

When a client application requests encryption services from SAKA, the server returns a token to uniquely identify the sensitive data in its internal database. Depending on the value configured for this property, the returned token is either an HMAC of the sensitive data or a pseudo-number. The valid values for this property are hmac—an alphanumeric HMAC, and pseudonumber—a numeric pseudo-number configured per site requirements

Applications that currently store the HMAC in their database must convert that value to the assigned pseudo-number separately—SAKA does not provide any tools to do so other than the AddedPseudoNumbers- report that provides the assigned pseudo-number for a specific HMAC.

Default Value

pseudonumber

Property

strongkeylite.cfg.property.uniquetokens

Explanation

This property indicates whether SAKA will return unique token values for any sensitive data sent to the appliance for encryption. A value of true returns unique tokens, even if duplicate sensitive data is sent to the appliance. By default, the property is false, indicating that duplicate sensitive data will return previously generated tokens.

NOTE: When a domain is using unique tokens, sensitive data cannot be searched for in that domain; the search web service will always return “false” because the appliance concatenates the unique encryption request ID to the plaintext to always generate unique plaintext, thus being able to generate unique tokens. To search in such domains are, create a second encryption domain where this property is set to its default (false) and query the second encryption domain to determine if a specific plaintext value is already encrypted in the database.

Default Value

false

Property

strongkeylite.cfg.property.sakasecret.autopinset

Explanation

This property defines whether SAKA will use PIN files for reading the Key Custodians' PINs to activate the cryptographic hardware module.

If a site chooses to use unattended SAKA reboots/restarts, this value must be true. If the value is set to false (the default), the KCs must use SetPIN Tool to set their PINs manually for activating the hardware module on the SAKA server. However, they can do this securely even from a remote location. The PINs must be either readable from files or set by the KCs after each SAKA restart/reboot.

Sites are strongly encouraged to leave this property at its default value (false) and use SetPIN Tool to activate the cryptographic module after restarts.

Default Value

false

Property

strongkeylite.cfg.property.sakasecret.k

Explanation

This property determines the minimum number of KCs necessary to activate the appliance through autopinset. To use this property there must be two accompanying properties for each KC to identify the location of their keystore and the password to their keystore in the form of:

  • strongkeylite.cfg.property.sakasecret.keycustodianN.location

  • strongkeylite.cfg.property.sakasecret.keycustodianN.password

 

The value N must be equal to or less than K and does not have to correspond to the name of the actual Key Custodian (i.e., keycustodian2.bcfks may be assigned to the property keycustodian1.location)

Default Value

0