Security Properties for C++

 

Property	Description	Default
vbroker.security.logLevel	Controls the degree of logging. Acceptable values are: LEVEL_WARN, LEVEL_NOTICE, LEVEL_INFO, and LEVEL_DEBUG strings.	LEVEL_WARN
vbroker.security.logFile	By default, log output is to std::cerr. You can use this property to redirect the log output to a named file.	null
vbroker.security. secureTransport	Determines whether secure transport is supported or not. If set to false, transport uses CLEAR_ONLY. This property also determines if the client side of the ORB is always connected to the server using SSL. If the server does not support SSL, this property is set to false, and the client will not connect.	true
vbroker.security.alwaysSecure	This is a client-side only property. It determines whether to use secure transport only or not. Note: To use secure transport only, the secureTransport property must also be set to true.	true
vbroker.security.server. transport	This is a server-side only property. It defines whether the server transport is: CLEAR_ONLY, SECURE_ONLY or ALL. This property will not take effect when the secureTransport property is set to false.	SECURE_ONLY
vbroker.security.disable	If this property is set to true, it disables all security services.	false
vbroker.security. requireAuthentication	A server-side only property. Use it to specify whether the client is required to authenticate.	true
vbroker.security. authentication. callbackHandler	Specifies the callback handler for login modules to use for interacting with the user for credentials. You can specify one of the following or your own custom callback handler: com.borland.security.provider.authn.CmdLineCallbackHandler com.borland.security.provider.authn.HostCallbackHandler CmdLineCallbackHandler has password echo on, while HostCallbackHandler has password echo off. For more information, see “VisiSecure for C++ APIs”.	HostCallback Handler
vbroker.security. authentication.config	Specifies the path to the configuration file used for authentication.	null
vbroker.security. authentication.retryCount	Number of times to retry if remote authentication failed.	3
vbroker.security.login	If set to true at initialization-time this property tries to login to all the realms listed by property vbroker.security.login.realms.	true
vbroker.security.login.realms	Gives a list of comma-separated realms to login to. This is used when login takes place, either through property vbroker.security.login (set to true) or API login.	n/a
vbroker.security.vault	Specifies the path to the vault file. This property takes effect regardless of whether vbroker.security.login is set to true or false.	n/a
vbroker.security.identity. reactiveLogin	When set to true, the security service behaves as follows. If the security service cannot find an identity for any of the targets supported by a server it is attempting to communicate with, it then attempts to acquire credentials for one of the targets in the target object's IOR. If a corresponding authentication realm is available for this target (that the user chooses to provide credentials for), then authentication is also attempted locally. Reactive login requires a callback handler to be set either using the appropriate property or at runtime by calling the appropriate method. The default handler is HostCallbackHandler.	true
vbroker.security.authDomains	Specifies a comma-separated list of available authorization domains. For example: vbroker.security.authDomains=domain1,domain2	n/a
vbroker.security.domain. <domain-name>.rolemap_path	Specifies the location of the RoleDB file that describes the roles used for authorization. This is scoped within the domain <domain_name> specified in: vbroker.security.authDomains.	n/a
vbroker.security.domain. <domain_name>. rolemap_enableRefresh	When set to true, enables dynamic loading of the RoleDB file specified in vbroker.security.domain.<domain_name>.rolemap_path property. The interval of dynamic loading is specified by property vbroker.security.domain.<domain_name>.rolemap_refreshTimeInSeconds.	false
vbroker.security.domain. <domain_name>. rolemap_refreshTimeInSeconds	Specifies the rolemap refresh time in seconds.	300
vbroker.security.domain. <domain_name>. defaultAccessRule	When clients attempt to access CORBA resources, access control decides whether to allow or disallow. Decisions are made based on what roles are required to access the resources and on whether the client exists in at least one of the roles. In some situations in the system does not know the roles required to access some resource. The value of this property [grant or deny] determines the decision to be made in this kind of situation.	grant
vbroker.security.cert. basicConstraintCritical	As per the X509 V3 standard, non end-user certificates in a certificate chain must have an extension that is called “basic constraint”. According to the standard, this extension when present must be marked as “critical”, enforcing the recipient to “must understand” and to process accordingly. This enforcement is too strict for an earlier implementation that is aware only of X509 V1.	false
vbroker.security.config.root	This is the absolute path of the directory, to which all relative file system references for various VisiSecure config files refer.	n/a
vbroker.security. identityAssertion	The server side of this ORB is enabled to propagate the IdentityToken sent as part of CSIV2 service context to the next tier (if any). Value can be true or false.	n/a
vbroker.security. peerAuthenticationMode	Sets the peer authentication mode. Possible values are: REQUIRE—Peer certificates are required to establish a connection. If the peer does not present its certificates, the connection will be refused. Peer certificates will also be authenticated, if not valid, the connection will be refused. If required, transport identity can be established using these certificates. In this mode, peer certificates are not required to be trusted. REQUIRE_AND_TRUST—Same as REQUIRE mode, except that the peer certificates need to be trusted, otherwise the connection will be refused. REQUEST—Peer certificates will be requested. The peer is not required to have certificates; no transport identity will be established when peer does not have certificates. However, if a peer does present certificates, the certificates will be authenticated; if not valid, the connection will be refused. If required, transport identity can be established using these certificates. In this mode, peer certificates are not required to be trusted. REQUEST_AND_TRUST—Same as REQUEST mode except that the peer certificates need to be trusted, otherwise the connection will be refused. NONE—Authentication is not required. During handshake, no certificate request will be sent to the peer. Regardless of whether the peer has certificates, a connection will be accepted. There will be no transport identity for the peer.	REQUIRE_AND_ TRUST
vbroker.security. trustpointsRepository	Specifies a path to the directory containing trusted certificates. These are given in the form Directory:<certs_dir>. For example: vbroker.security.trustpointsRepository=Directory:c:\data\identities\Delta	n/a
vbroker.security.assertions. trust.<n>	Use to specify a list of trusted roles (specify with the format <role>@<authorization_domain>). <n> is uniquely identified for each trust assertion rule as a list of digits. For example, setting vbroker.security.assertions.trust.1=ServerAdmin@default means this process trusts any assertion made by the ServerAdmin role in the default authorization domain.	n/a
vbroker.security.assertions. trust.all	Setting to true will trust all assertions made by peers.	false
vbroker.security.server. requireUPIdentity	A server side only property. If the server requires the client to send a Username/Password for authentication (regardless of certificate-based authentication), set to true. If vbroker.security.login.realms is set, this property is automatically set to true. However, you can override it by explicitly setting it in the property file.	n/a
vbroker.security.cipherList	Set this to a list of comma-separated ciphers to be enabled by default on startup. If not set, a default list of cipher suites will be enabled. These should be valid SSL Ciphers for use with TLSv1.2 and below.	n/a
vbroker.security.wallet.type	A wallet is a set of directories containing encrypted private keys and certificate chains for each identity. The possible values are: Directory:<path_to_identities> Use the Directory value to point to the directory containing the directories for all identities. PKCS12:<path_to_PKCS#12_KeyStore>/<identity>.p12 Use the PKCS12 value to configure the PKCS#12 keystore. See “PKCS#12-based authentication using KeyStores” for details.	n/a
vbroker.security.wallet. identity	If the vbroker.security.wallet.type is set to Directory, use to point to a sub-directory within the path defined in vbroker.security.wallet.type that contains keys and/or certificate information for a specific identity. If vbroker.security.wallet.type is set to PKCS12, the vbroker.security.wallet.identity property is ignored for a PKCS#12 keystore, but the property must be set.	n/a
vbroker.security.wallet. password	Specifies the password used to decrypt the private key or the password associated with the login.	n/a
vbroker.security.client. supportNoDelegation	If set to true, the client will add support for NoDelegate in TAG_SSL_SEC_TRANS tag.	false
vbroker.security.addOID	Allows for setting of additional OID.	null
vbroker.security.useCAPI	If this is set to true, the CAPI engine is initialized and enabled for all SSL/TLS conversations in the process. Note that enabling the engine means it takes over signing operations, which means the associated private key must exist in a Windows store.	false
vbroker.security.useCAPICAs	If this is set to true, then CA root and intermediary certificates from the Local Machine and Current User stores are loaded into the trustpoint, along with any other certificates already present. vbroker.security.useCAPI does not have to be enabled to use this option.	false
vbroker.security. useCapiCertificate	This property is supported for the client side only, and requires vbroker.security.useCAPI to be enabled. If this is set to true, then if the client needs a certificate (and key), the provider will try to obtain one from the Windows Current User "My" ("Personal") store.	false
vbroker.security. identityCertificates. nameMustContain	This option is currently only supported when vbroker.security.useCapiCertificate is enabled. When looking for a client certificate, only consider ones that contain the given string (case-insensitively) in their Friendly Name or Subject Name. Used to assist in picking the right client certificate where you have multiple identity certificates that are otherwise eligible. If this property is not set, and you have multiple certificates that could be sent to the server, the first suitable certificate found in the client's certificate store is used. When using this property you should be aware that it references the full Subject Name rather than the Common Name.	null
vbroker.security.client. socket.allowedDigests	If set to short, this prevents the use of the SHA-2 family of digests (SHA-256, etc). See “VisiBroker C++ Only” for further details of how to use this option.	null
vbroker.security.server. socket.TLSSecurityLevel vbroker.security.client. socket.TLSSecurityLevel	OpenSSL now implements a means of tightening the security level in operation. There are six security levels defined; these are described in detail at https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_get_security_level.html. Starting from level 1, certain cryptographic algorithms and key lengths are disallowed as they are considered too weak for use at that level. Moving up the security levels, the requirements become ever more strict. Level 0 is made available to support legacy behaviors. Note that at level 1, SHA1 and MD5 signatures are disallowed, which in turn has the effect of disallowing TLSv1.0 and TLSv1.1. Any identity (leaf) certificates signed using SHA1 or MD5 will fail unless security level 0 is used. You can override the default by specifying a single integer value from 0 to 5.	1
vbroker.security.server. socket.minTLSProtocol vbroker.security.client. socket.minTLSProtocol	Defines the minimum allowable TLS protocol version. These properties and the corresponding maxTLSProtocol properties enable you to specify a range of supported TLS protocols, by specifying both a maximum and a minimum supported version. The following values are permitted: • TLS1 • TLS1_0 (available to support legacy behaviors) • TLS_MIN (a floating minimum, currently equivalent to TLS1) • TLS1_1 • TLS1_2 • TLS1_3 • TLS_MAX (a floating maximum, currently equivalent to TLS1_3) These properties are new at VisiBroker 8.5.7; in previous versions it was possible to specify a minimum protocol level, or a single supported protocol (using vbroker.security.server. socket.enabledProtocols), but not a range.	TLS1_0
vbroker.security.server. socket.maxTLSProtocol vbroker.security.client. socket.maxTLSProtocol	Defines the maximum allowable TLS protocol version. Used together with the corresponding minTLSProtocol properties, and has the same permitted values.	TLS1_3
vbroker.security. TLS13CipherSuites	Specifies the cipher suites to be used for TLSv1.3 connections (in preference order). It uses a colon-separated list following the OpenSSL configuration approach. The property defaults to: TLS_AES_256_GCM_SHA384: TLS_CHACHA20_POLY1305_SHA256: TLS_AES_128_GCM_SHA256 This property should be considered quite separate from vbroker.security.cipherList, which continues to be required for configuring cipher suites for TLSv1.2 and below.	See Description
vbroker.security.server. socket. EnforceServerCipherPriority	This option enables a server to apply its own cipher suite preference order during the TLS handshake. By default, in a TLS handshake sequence the client's cipher suite preference order is honored. However this can leave the server vulnerable to a malicious downgrade attack. To enforce the use of the server's cipher suite preference order, set this property to true. This enables a single central cipher suite configuration to control the priority sequence. Note: This property defaults to false in VisiBroker 8.5.7 in order to match previous behavior. It will default to true in a future update to increase security.	false
vbroker.security.server. socket.MinDHGroupSize	This is a server-side only option. It applies a minimum limit to the size of DH parameters required to feed into the Diffie-Hellman key exchange during a TLS handshake. This size directly corresponds to the size of the generated ephemeral keys that will be agreed upon and used during the session. VisiSecure supports DH parameter bit sizes of 512, 1024, 2048 and 4096. Any other value specified will be rounded down to the nearest supported value.	2048
vbroker.security.server. socket.enabledProtocols vbroker.security.client. socket.enabledProtocols	Note: These properties are deprecated (as of VisiBroker 8.5.7) and will be removed in a future release. Micro Focus recommends using the maxTLSProtocol and minTLSProtocol properties to specify a range of protocols. Specifies the SSL protocol version, that is TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3, during the SSL handshaking process when using the VBC security module, on the server and client sides respectively. Possible values are listed below: SSL_Version_3_0_With_2_0_Hello This is a legacy option that enables all available protocol versions. SSL_Version_Undetermined This is the default. It allows any of the TLS protocols (TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3) and disables SSLv2 or SSLv3 protocols. TLS_Version_1_0_With_2_0_Hello In this mode, the library accepts a minimum of TLSv1.0 (currently this results in either TLSv1.0, TLSv1.1,TLSv1.2 or TLSv1.3). TLS_Version_1_0_Only Use this option for the highest security when you are certain that the SSL peer also supports TLS 1.0. This option behaves in the same manner as SSL_Version_3_0_Only, but applies to the TLS 1.0 protocol. TLS_Version_1_1_With_2_0_Hello In this mode, the library accepts a minimum of TLSv1.1 (currently this results in either TLSv1.1, TLSv1.2 or TLSv1.3). TLS_Version_1_1_Only In this mode, the library negotiates only a TLSv1.1 connection. However, if the client might also support TLSv1.2 or higher, use TLS_Version_1_1_With_2_0_Hello to take advantage of the higher level protocol version. TLS_Version_1_2_With_2_0_Hello In this mode, the library accepts a minimum of TLSv1.2 (currently this results in either TLSv1.2 or TLSv1.3) TLS_Version_1_2_Only In this mode, the library accepts only a TLSv1.2 connection. TLS_Version_1_3_With_2_0_Hello In this mode, the library accepts a minimum of TLSv1.3. Setting this value future-proofs your configuration should further TLS protocol versions need to be supported. TLS_Version_1_3_Only In this mode, the library accepts only a TLSv1.3 connection.	SSL_Version_ Undetermined
vbroker.security. CRLRepository	This property is deprecated. To specify a CRL, use the “void addTrustedCertificate (const CORBAsec::X509Cert& trusted,const CORBAsec::ASN1Object* crl = NULL)” API instead. Specifies the directory where you want the list of serial numbers of revoked certificates (Certificate Revocation List (CRL)), issued by the Certificate Authority (CA), to reside. All files in the directory will be loaded and interpreted as CRL—no longer valid. Once the CRLs are loaded, VisiSecure examines all certificates sent by a peer during SSL handshake. If any of the peer certificates appears in the CRLs, an exception will be thrown and the connection will be refused. For more information, see “Certificate Revocation List (CRL) and revoked certificate serial numbers”.	n/a
vbroker.security.server.ssl. handshakeTimeout	Specifies the maximum time (in milliseconds) for the SSL handshake to complete at the Server side. It can help to prevent the Server from hanging due to unresponsive Clients during the SSL handshake. The default timeout is 5000ms. To disable the timeout, set it to 0.	5000
vbroker.security.server. socket.ecdheCurve	This property is deprecated, and Micro Focus recommends using TLSCipherGroups instead. Valid values for this property are identical to those for vbroker.security.server.socket.TLSCipherGroups. See note about that property below.	-
vbroker.security.server.socket.TLSCipherGroups vbroker.security.client.socket.TLSCipherGroups	These options specify the Diffie-Hellman key exchange groups (DH Groups) to be used at the server and the client, respectively. Each of these properties applies when running in server or client mode respectively. The separate configuration allows a single process to have differing DH Groups configured for receiving incoming connections and calling out to remote peers. During the TLS handshake, the client and server agree on the group to be used. Groups are specified in order of preference, with the most preferred first. If this option is defined, it overrides the behavior of vbroker.security.server.socket.ecdheCurve. If this option is not defined, it defaults as follows: 1 If vbroker.security.server.socket.ecdheCurve is configured (for servers only), its value applies. 2 If not, then the following apply: • For TLSv1.3 connections, the X25519 group is used. • For TLSv1.2 connections (and below if security level 0 is in operation), the prime256v1 group is used. This is a comma-separated list of curves, each of which must match one of the well-known elliptic curves as defined by IANA (the Internet Assigned Numbers Authority) for use with TLS.	See Description

SSL Server Connection Manager properties

The following table lists the SSL Server Connection Manager (SCM) properties.

In this table, possible values for <se_name> are:

•

iiop_tp

•

iiop_ts

Property	Default	Description
vbroker.se.<se_name>.scm. ssl.manager.type	Socket	Type of the Server Connection Manager. The only possible value, in VisiBroker for C++, is Socket.
vbroker.se.<se_name>.scm. ssl.manager.connectionMax	0	The maximum number of cached connections on the server. The default 0 means that there is no restriction.
vbroker.se.<se_name>.scm. ssl.manager.connectionMaxIdle	0	Specifies the time, in seconds, which the server uses to determine if an inactive connection should be closed. If a cached connection has been idle longer than this time, then the server closes the connection.
vbroker.se.<se_name>.scm. ssl.listener.type	SSL	The type of protocol that the listener is using.
vbroker.se.<se_name>.scm. ssl.listener.port	0	Specifies the port number to be used with the host name property. 0 means that the system will pick a random port number.
vbroker.se.<se_name>.scm. ssl.listener.proxyPort	0	Specifies the proxy port number to be used with the proxy host name property. 0 means that the system will pick a random port number.
vbroker.se.<se_name>.scm. ssl.dispatcher.type	ThreadPool	The type of thread dispatcher used in the Server Connection Manager. Possible values are ThreadPool and ThreadSession.
vbroker.se.<se_name>.scm. ssl.dispatcher.threadMin	0	Specifies the minimum number of threads that the Server Connection Manager must create.
vbroker.se.<se_name>.scm. ssl.dispatcher.threadMax	0	Specifies the maximum number of threads that the Server Connection Manager can create.
vbroker.se.<se_name>.scm. ssl.dispatcher. threadMaxIdle	0	Specifies the time, in seconds, before an idle thread is removed from the thread pool.
vbroker.se.<se_name>.scm. ssl.connection.tcpNoDelay	false	Specifies whether tcp_nodelay should be set on the socket.
vbroker.se.<se_name>.scm. <scm_name>.listener. selectorMax	20	Specifies the maximum number of NIO Selectors that can be created in the NIO Selector Pool. Increasing this value may improve the throughput if there is a very high number of concurrent invocations. This property is only applicable if NIO SSL Socket is configured at the server side.