Account

User accounts are configured in the accountPolicy section of the .json file, itself divided into several subsections: parameters, creation, recovery, keyRing and renewal.

parameters

The operating parameters of user accounts can be configured in the parameters section described in the table below. In the SDMC administration console, the equivalent settings are found in the Policies > Accounts > Settings and Connection panel.

For further information, refer to the section Configuring generic account settings in the Administration guide.

Parameter	Description	Possible values	SDMC
cryptography	Indicates how cryptographic operations are performed when the account is in use. This parameter impacts all functions of SDS Enterprise, except Data Disk.		Encryption and signature
	encryptionAlgorithm: Algorithm to use in encryption operations.	AES-256	Encryption algorithm
	hashAlgorithm: Algorithm to use in signature operations.	SHA-256, SHA-512	Signature algorithm
	keyEncryptionMethod: Optional. Algorithm to use in operations encrypting the keys. Allowed values are: "RSA-OAEP-SHA-256", default value, "RSA-OAEP-SHA-1", compatibility value for old cards	RSA-OAEP-SHA- 256, RSA-OAEP-SHA-1	N/A
primaryUserPath	Optional. Tells the agent the primary path to use to retrieve application user accounts and create new users. The behavior differs for the two use cases: Account recovery: If this path is missing or invalid, the agent uses the secondaryUserPath. Account creation: If this path is missing, the agent uses the application's default path: <COMMON_APPDATA>\Arkoon\Security BOX\Users. If it is invalid, the action fails.
secondaryUserPath	Optional. Tells the agent the secondary path to use if the primaryUserPath is absent or invalid. The behavior differs for the two use cases: Account recovery: If the secondaryUserPath is missing, the agent uses the <COMMON_APPDATA>\Arkoon\Security BOX\Users path. If it is invalid, or if primaryUserPath was invalid, the action fails. Account creation: If the secondaryUserPath is missing, the agent uses the default path of the application: <COMMON_APPDATA>\Arkoon\Security BOX\Users. If this path is invalid, the action fails.
cardAccount	Optional. Indicates how smart card accounts operate. This field appears only if the policy allows connections to smart card accounts.		Card or USB token accounts
unfreezeOnCardInsertion	Optional. Specifies whether the session unlock window opens automatically when a card is inserted into the workstation. Allowed values are: “true” to open the window (default value), “false” to not open the window.	true, false	N/A
connectOnCardInsert	Optional. Specifies whether the login window opens automatically when a card is inserted into the workstation. Allowed values are: “true” to open the window, “false” to not open the window (default value).	true, false	N/A
enableRepairCardAccount	Optional. Makes it possible to repair a smart card if only the certificate is available, by renewing the key based on the known CKA_ID in the account. Allowed values are: “true” to enable repair, “false” to disable repair (default value).	true, false	N/A
enableAutomaticRenewFromCard	Optional. When a user's new encryption or signature key is already in the card, this option automatically renews the key when the previous one expires. Allowed values are: “forbidden” to prohibit automatic renewal (default value), “confirm” to automatically renew after confirmation by the user. After a refusal, renewal is no longer offered. Therefore, using this value is not recommended. “silent” to automatically renew without user confirmation. In SSO mode, this value is forced even if another value is set.	forbidden, confirm, silent	N/A
cardMiddlewares	List of middleware programs that can be used on the workstation. Middleware allows SDS Enterprise to communicate with all types of smart cards and USB tokens. The Stormshield Smartcard Support middleware is included by default.		Middleware
	name: Name displayed for this middleware configuration.	String
	dllname: Name of the DLL containing the middleware. The value is an absolute path to the DLL on the user's workstation. If the DLL is in a folder of the Windows PATH variable, the DLL name will suffice.	String
	disablePKCS11Label, disablePKCS11Extractable, disablePKCS11Modifiable et disablePKCS11ModulusBits: Parameters that monitor the use of various PKCS#11 attributes during communication with smart cards/USB tokens. These parameters come from the database of known middleware programs on SDMC, and are entered to increase the agent's compatibility with middleware from various vendors. You are advised against modifying the default values provided.	true, false
	showAllSlots: Indicates whether the "Information" window in the smart card configurator displays information about all logical slots managed by the middleware (true), or only slots with a smart card/token inserted (false).	true, false
accountMode	Indicates the user account types that can be connected. Allowed values are: "password" for the password mode. Keys are stored in the keystore.usr file and protected by a password. "smartcard" for smart card mode. Keys are stored on a smart card or USB token and protected by a PIN. "SSO" for single sign-on mode, in which the account's keys are issued by the Windows keystore. This mode does not require authentication. "passwordAndSmartcard" for password and smart card modes.	password, smartcard, SSO, passwordAnd Smartcard	Account type
sessionLockActions	Optional. Defines the behavior of the SDS Enterprise session when the user locks their Windows session, when the screen saver is activated, or when the smart card or USB token is removed. Note about SSO accounts: if the disconnectUser value is chosen in the policy, it is ignored by SDS Enterprise accounts of the SSO type. A user can only log out of their SDS Enterprise account if they log out of their Windows session.		Connexion settings
windowsScreenSaverAction	Indicates the behavior of the SDS Enterprise session when the screen saver is triggered. Allowed values are: “lockUserSession” to lock the SDS Enterprise session (default value), “disconnectUser” to disconnect the user, “noAction” to stay connected.	lockUserSession, disconnectUser, noAction	When the screen saver is activated
windowsSessionLockAction	Specifies the SDS Enterprise session behavior when the user locks their Windows session. Allowed values are: “lockUserSession” to lock the SDS Enterprise session, “disconnectUser” to disconnect the user (default value), “noAction” to stay connected.	lockUserSession, disconnectUser, noAction	When the Windows session locks
cardRemovalAction	Indicates the behavior of the SDS Enterprise session when the user removes the smart card or USB token. Allowed values are: “lockUserSession” to lock the SDS Enterprise session, “disconnectUser” to disconnect the user (default value).	lockUserSession, disconnectUser	When the smart card or USB token is removed

creation

The creation parameters of user accounts can be configured in the creation section described in the table below. In the SDMC administration console, the equivalent parameters are found in Policies > Accounts > Creation.

For further information, refer to the section Setting account creation parameters in the Advanced configuration guide.

Parameter	Description	Possible values	SDMC
accountKeyMode	Indicates the operating mode of accounts when they are created. This parameter does not affect how existing accounts function. Allowed values are: "singleKeyEncryption" for accounts with a single encryption key, "singleKeySignature" for accounts with a single signature key, "dualKey" for accounts with an encryption key and a signature key.	singleKey Encryption, singleKey Signature, dualKey	Key management
passwordAccountMethod	Indicates whether password accounts can be created, and how. Allowed values are: "forbidden" to prohibit the creation of password accounts, "manual" to allow users to create accounts manually.	forbidden, manual	General settings Password accounts
cardAccountMethod	Indicates whether smart card or USB token accounts can be created, and how. Allowed values are: "forbidden" to prohibit the creation of smart card or token accounts, "manual" to allow users to create accounts manually, "automatic" to enable launching the creation of automatic accounts, "manualAndAutomatic" to combine the creation of manual and automatic accounts.	forbidden, manual, automatic, manualAnd Automatic	General settings Accounts Card or USB token
passwordAccount	Optional. Indicates password creation settings. This field does not appear if password account creation is prohibited.		Password account creation
passwordStrength	Indicating the strength of the password chosen by the user for the new account.		Password strength
	alphabeticCharMinCount: Minimum number of alphabetic characters that the user's password must contain.	Positive integer.	Minimum number of alphabetic characters
	numericCharMinCount: Minimum number of digital characters that the user's password must contain.	Positive integer.	Minimum number of numeric characters
	specialCharMinCount: Minimum number of special characters that the user's password must contain.	Positive integer.	Minimum number of special characters
	totalCharMinCount: Minimum number of characters that the user's password must contain.	Positive integer.	Minimum number of characters
	allowedKeySources: List of sources from which users can choose keys for their accounts. Allowed values are: "p12File" so that users will select a P12 file in which the keys to their account are saved, "selfSignedP12" so that the user can ask SDS Enterprise to generate self-certified keys for their account.	p12File, selfSignedP12	Import .p12 certificates Generate .p12 certificates locally
	selfSignedOptions: Optional. Specific parameters relating to the generation of self-certified keys. This field does not appear if the manual creation of password accounts does not allow the use of self-certified keys.		Self-certified certificates
	baseLifetimeYears: Certificate validity in number of years from their creation date.	Positive integer.	Validity period of self-certified certificates issued by SDS upon account creation
	renewalPeriodYears: Certificate validity in number of years from their renewal date.	Positive integer.	Validity period of self-certified certificates issued by SDS upon key renewal
	keyType: Size of keys generated by SDS Enterprise when the account is created.	RSA-2048, RSA-4096	Key size
automatic	Optional. Settings relating to the automatic creation of accounts. This field may not appear if automatic account creation is prohibited.		Filter CAs on automatic creation
	encryptionKeyAuthorityId: Optional. Unique identifier of the authority providing the encryption keys to be used to create the account. You will find the ID in the list of authorities in the certificateData section of the .json file.	Unique character string	Authority name for decryption
	signatureKeyAuthorityId: Optional. Unique ID of the authority that issued the signature key to be used for creating the account. You will find the ID in the list of authorities in the certificateData section of the .json file.	Unique character string	Authority name for signature
allowedKeyTypesForP12Import	Optional. Used to define the type and size of keys authorized, along with the default value proposed when a user creates an account by importing a P12 file.		N/A
	type: type of key authorized for creation with a P12 file. A key type missing from the list is not proposed to the user. If the list is empty or the parameter is missing, the default key type proposed is RSA-4096.	RSA-2048, RSA-4096	N/A
	default: defines whether this key type is selected by default in the drop-down list proposed to the user in the window. If several key types have their default value set to true, RSA-4096 will be proposed by default.	true, false	N/A

recovery

The recovery parameters of user accounts can be configured in the recovery section described in the table below. In the SDMC administration console, the equivalent parameters are found in Policies > Accounts > Data recovery.

For more information, see the section Enabling data recovery in the Administration Guide.

Parameter	Description	Possible values	SDMC
certificateIds	Unique ID of the recovery certificate to be added to users for the SDS Enterprise agent's encryption operations. You will find the identifier in the list of certificates in the certificateData section of the .json file.	Unique character string	Key management

keyRing

User key management parameters are configured in the keyRing section described in the table below. In the SDMC administration console, the equivalent settings are found in the Policies > Accounts > Keyrings panel.

For more information, see Managing user keyrings in the Administration Guide.

Parameter	Description	Possible values	SDMC
encryptionKey	Optional. showTab: Shows or hides the Encryption tab in the user’s keyring. The tab is displayed by default.	true, false	Encryption key
signatureKey	Optional. showTab: Shows or hides the Signature tab in the user’s keyring. The tab is displayed by default.	true, false	Signature key
dualUseKey	Optional. showTab: Shows or hides the Personal key tab in the user’s keyring. The tab is displayed by default.	true, false	Personal key
decryptionKey	Optional. showTab: Shows or hides the Decryption tab in the user’s keyring. The tab is displayed by default.	true, false	Decryption key
recoveryKey	Optional. showTab: Shows or hides the Recovery tab in the user’s keyring. The tab is displayed by default.	true, false	Recovery key

renewal

User key renewal parameters are configured in the renewal section described in the table below.

Parameter	Description	Possible values	SDMC
allowedKeyTypes	Optional. Defines the type and size of keys allowed when a user renews a key by generating a new one.
	type: type of key allowed for renewal. A key type missing from the list is not proposed to the user. If the list is empty or if the parameter is missing, the default key type proposed in the renewal window is RSA-4096.	RSA-2048, RSA-4096	N/A
	default: defines the default key type selected from the drop-down list offered to the user in the renewal window.	true, false	N/A

Parameter

Description

Possible values

SDMC

allowedKeyTypes

Optional.

Defines the type and size of keys allowed when a user renews a key by generating a new one.

type: type of key allowed for renewal.

A key type missing from the list is not proposed to the user.

If the list is empty or if the parameter is missing, the default key type proposed in the renewal window is RSA-4096.

RSA-2048,
RSA-4096

N/A

default: defines the default key type selected from the drop-down list offered to the user in the renewal window.

true,

false

N/A