
Security Properties for C++
Controls the degree of logging. Acceptable values are the strings LEVEL_WARN, LEVEL_NOTICE, LEVEL_INFO, and LEVEL_DEBUG.
By default, log output is to std::cerr. You can use this property to redirect the log output to a named file.
Note: To use secure transport only, the secureTransport property must also be set to true.
This is a server-side only property. It defines whether the server transport is CLEAR_ONLY, SECURE_ONLY or ALL. This property has no effect when the secureTransport property is set to false.
If this property is set to true, it disables all security services.
CmdLineCallbackHandler has password echo on, while HostCallbackHandler has password echo off. For more information, see “VisiSecure for C++ APIs”.
If set to true, the security service attempts at initialization time to log in to all the realms listed by the vbroker.security.login.realms property.
When set to true, the security service behaves as follows. If it cannot find an identity for any of the targets supported by a server it is attempting to communicate with, it attempts to acquire credentials for one of the targets in the target object's IOR. If a corresponding authentication realm is available for that target (one the user chooses to provide credentials for), authentication is also attempted locally.
When set to true, enables dynamic loading of the RoleDB file specified in vbroker.security.domain.<domain_name>.rolemap_path property. The interval of dynamic loading is specified by property vbroker.security.domain.<domain_name>.rolemap_refreshTimeInSeconds.
Value can be true or false.
REQUIRE—Peer certificates are required to establish a connection. If the peer does not present its certificates, the connection will be refused. Peer certificates will also be authenticated; if they are not valid, the connection will be refused. If required, transport identity can be established using these certificates. In this mode, peer certificates are not required to be trusted.
REQUIRE_AND_TRUST—Same as REQUIRE mode, except that the peer certificates need to be trusted, otherwise the connection will be refused.
REQUEST—Peer certificates will be requested. The peer is not required to have certificates; no transport identity will be established when the peer does not have certificates. However, if a peer does present certificates, the certificates will be authenticated; if they are not valid, the connection will be refused. If required, transport identity can be established using these certificates. In this mode, peer certificates are not required to be trusted.
REQUEST_AND_TRUST—Same as REQUEST mode except that the peer certificates need to be trusted, otherwise the connection will be refused.
NONE—Authentication is not required. During handshake, no certificate request will be sent to the peer. Regardless of whether the peer has certificates, a connection will be accepted. There will be no transport identity for the peer.
Use this property to specify a list of trusted roles (in the format <role>@<authorization_domain>). <n> is a string of digits that uniquely identifies each trust assertion rule.
For example, setting vbroker.security.assertions.trust.1=ServerAdmin@default means this process trusts any assertion made by the ServerAdmin role in the default authorization domain.
Setting to true will trust all assertions made by peers.
A server side only property. If the server requires the client to send a Username/Password for authentication (regardless of certificate-based authentication), set to true. If vbroker.security.login.realms is set, this property is automatically set to true. However, you can override it by explicitly setting it in the property file.
Use the Directory value to point to the directory containing the directories for all identities.
Use the PKCS12 value to configure the PKCS#12 keystore. See “PKCS#12-based authentication using KeyStores” for details.
If vbroker.security.wallet.type is set to Directory, use this property to point to a sub-directory within the path defined in vbroker.security.wallet.type that contains keys and/or certificate information for a specific identity.
If vbroker.security.wallet.type is set to PKCS12, the vbroker.security.wallet.identity property is ignored for a PKCS#12 keystore, but the property must be set.
If set to true, the client will add support for NoDelegate in the TAG_SSL_SEC_TRANS tag.
If this is set to true, the CAPI engine is initialized and enabled for all SSL/TLS conversations in the process. Note that enabling the engine means it takes over signing operations, which means the associated private key must exist in a Windows store.
If this is set to true, then CA root and intermediary certificates from the Local Machine and Current User stores are loaded into the trustpoint, along with any other certificates already present.
vbroker.security.useCAPI does not have to be enabled to use this option.
This property is supported for the client side only, and requires vbroker.security.useCAPI to be enabled. If this is set to true, then if the client needs a certificate (and key), the provider will try to obtain one from the Windows Current User "My" ("Personal") store.
This option is currently only supported when vbroker.security.useCapiCertificate is enabled. When looking for a client certificate, only consider ones that contain the given string (case-insensitively) in their Friendly Name or Subject Name. Used to assist in picking the right client certificate where you have multiple identity certificates that are otherwise eligible.
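The trust assertion format, the PKCS12 wallet identity requirement, and the useCAPI / useCapiCertificate dependency described above can be checked before a process starts. The following validator is an added example, not part of VisiSecure or this reference; it parses a constructed properties file and reports settings that conflict with those rules.

```python
import re

# Constructed sample properties file (not from the reference) that violates
# three of the documented rules: a non-numeric trust rule index, a PKCS12
# wallet without an identity, and useCapiCertificate without useCAPI.
SAMPLE_PROPERTIES = """\
vbroker.security.assertions.trust.1=ServerAdmin@default
vbroker.security.assertions.trust.two=Operator@default
vbroker.security.wallet.type=PKCS12
vbroker.security.useCapiCertificate=true
"""

TRUST_KEY = re.compile(r"^vbroker\.security\.assertions\.trust\.(.+)$")
TRUST_VALUE = re.compile(r"^[^@\s]+@[^@\s]+$")  # <role>@<authorization_domain>


def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return a list of findings for the dependency rules in the reference."""
    findings = []
    for key, value in props.items():
        m = TRUST_KEY.match(key)
        if m:
            if not m.group(1).isdigit():
                findings.append(f"{key}: rule index must be digits")
            if not TRUST_VALUE.match(value):
                findings.append(f"{key}: value must be <role>@<authorization_domain>")
    if props.get("vbroker.security.wallet.type") == "PKCS12" and \
            not props.get("vbroker.security.wallet.identity"):
        findings.append("vbroker.security.wallet.identity must be set for a PKCS12 wallet")
    if props.get("vbroker.security.useCapiCertificate", "false").lower() == "true" and \
            props.get("vbroker.security.useCAPI", "false").lower() != "true":
        findings.append("vbroker.security.useCapiCertificate requires vbroker.security.useCAPI=true")
    return findings


if __name__ == "__main__":
    for finding in check_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("WARN:", finding)
```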
If set to short, this prevents the use of the SHA-2 family of digests (SHA-256, etc). See “VisiBroker C++ Only” for further details of how to use this option.
In this mode, the library negotiates only a TLS 1.1 connection. However, if the client might also support TLS 1.2, use TLS_Version_1_1_With_2_0_Hello to take advantage of the higher protocol version.
TLS_Version_1_2_With_2_0_Hello
In this mode, the library negotiates using only TLS 1.0, but begins by sending an SSL 2.0 “Hello”. This mode behaves in the same way as SSL_Version_3_0_With_2_0_Hello, but applies to TLS 1.0. If the OpenSSL security provider is selected, it also allows use of TLS 1.1 and TLS 1.2.
In this mode, the library negotiates only a TLS 1.1 connection. However, if the server might also support TLS 1.2, use TLS_Version_1_1_With_2_0_Hello to take advantage of the higher protocol version.
SSL Server Connection Manager properties
The following table lists the SSL Server Connection Manager (SCM) properties.
In this table, possible values for <se_name> are:
Specifies whether tcp_nodelay should be set on the socket.