Account

User accounts can be configured in the accountPolicy section of the .json file, which is divided into several sub-sections: parameters, creation and recovery.

parameters

The operating parameters of user accounts can be configured in the parameters section described in the table below. In the SDMC administration console, the equivalent parameters are found in Policies > Accounts > Parameters.

For further information, refer to the section Configuring generic account settings in the Administration guide.

Parameter	Type Description	Prescribed values	SDMC
cryptography	Indicates how cryptographic operations are performed when the account is in use. This parameter impacts all functions of SDS Enterprise, except Data Disk.		Encryption and signature
	encryptionAlgorithm: Algorithm to use in encryption operations.	AES-256	Encryption algorithm
	hashAlgorithm: Algorithm to use in signature operations.	SHA-256, SHA-512	Signature algorithm
	keyEncryptionMethod: Optional. Algorithm to use in operations encrypting the keys. Allowed values are: "RSA-OAEP-SHA-256", default value, "RSA-OAEP-SHA-1", compatibility value for old cards	RSA-OAEP-SHA- 256, RSA-OAEP-SHA-1	N/A
cardAccount	Optional. Indicates how smart card accounts operate. This field appears only if the policy allows connections to smart card accounts.		Card or USB token accounts
cardMiddlewares	List of middleware programs that can be used on the workstation. Middleware allows SDS Enterprise to communicate with all types of smart cards and USB tokens.		Middleware
	name: Name displayed for this middleware configuration.	String of characters
	dllname: Name of the DLL containing the middleware. The value is an absolute path to the DLL on the user's workstation. If the DLL is in a folder of the Windows PATH variable, the DLL name will suffice.	String of characters
	disablePKCS11Label, disablePKCS11Extractable, disablePKCS11Modifiable et disablePKCS11ModulusBits: Parameters that monitor the use of various PKCS#11 attributes during communication with smart cards/USB tokens. These parameters come from the database of known middleware programs on SDMC, and are entered to increase the agent's compatibility with middleware from various vendors. You are advised against modifying the default values provided.	true, false
	showAllSlots: Indicates whether the "Information" window in the smart card configurator displays information about all logical slots managed by the middleware (true), or only slots with a smart card/token inserted (false).	true, false
cardFilter	Optional. Filters to be applied to select the right smart card drive when the connection window appears.		Card reader filtering
	manufacturer: String to be used to filter smart card drives by vendor name. The characters * and ? are allowed.	String of characters	Vendor name
	description: String to be used to filter smart card drives by description.	String of characters	Type Description
accountMode	Indicates the user account types that can be connected. Allowed values are: "password" for the password mode. Keys are stored in the keystore.usr file and protected by a password. "smartcard" for smart card mode. Keys are stored on a smart card or USB token and protected by a PIN. "SSO" for single sign-on mode, in which the account's keys are issued by the Windows keystore. This mode does not require authentication. "passwordAndSmartcard" for password and smart card modes.	password, smartcard, SSO, passwordAnd Smartcard	Account type

creation

The creation parameters of user accounts can be configured in the creation section described in the table below. In the SDMC administration console, the equivalent parameters are found in Policies > Accounts > Creation.

For further information, refer to the section Setting account creation parameters in the Advanced configuration guide.

Parameter	Type Description	Prescribed values	SDMC
accountKeyMode	Indicates the operating mode of accounts when they are created. This parameter does not affect how existing accounts function. Allowed values are: "singleKeyEncryption" for accounts with a single encryption key, "singleKeySignature" for accounts with a single signature key, "dualKey" for accounts with an encryption key and a signature key.	singleKey Encryption, singleKey Signature, dualKey	Key management
passwordAccount Method	Indicates whether password accounts can be created, and how. Allowed values are: "forbidden" to prohibit the creation of password accounts, "manual" to allow users to create accounts manually.	forbidden, manual	General Settings Password accounts
cardAccountMethod	Indicates whether smart card or USB token accounts can be created, and how. Allowed values are: "forbidden" to prohibit the creation of smart card or token accounts, "manual" to allow users to create accounts manually, "automatic" to enable launching the creation of automatic accounts, "manualAndAutomatic" to combine the creation of manual and automatic accounts.	forbidden, manual, automatic, manualAnd Automatic	General Settings Accounts Card or USB token
passwordAccount	Optional. Indicates password creation settings. This field does not appear if password account creation is prohibited.		Password account creation
passwordStrength	Indicating the strength of the password chosen by the user for the new account.		Password strength
	alphabeticCharMinCount: Minimum number of alphabetic characters that the user's password must contain.	Positive integer.	Minimum number of alphabetic characters
	numericCharMinCount: Minimum number of digital characters that the user's password must contain.	Positive integer.	Minimum number of numeric characters
	specialCharMinCount: Minimum number of special characters that the user's password must contain.	Positive integer.	Minimum number of special characters
	totalCharMinCount: Minimum number of characters that the user's password must contain.	Positive integer.	Minimum number of characters
	allowedKeySources: List of sources from which users can choose keys for their accounts. Allowed values are: "p12File" so that users will select a P12 file in which the keys to their account are saved, "selfSignedP12" so that users request SDS Enterprise to generate self-certified keys for their accounts.	p12File, selfSignedP12	Import .p12 certificates Generate .p12 certificates locally
	selfSignedOptions: Optional. Specific parameters relating to the generation of self-certified keys. This field does not appear if the manual creation of password accounts does not allow the use of self-certified keys.		Self-certified certificates
	baseLifetimeYears: Certificate validity in number of years from their creation date.	Positive integer.	Validity period of self-certified certificates issued by SDS upon account creation
	renewalPeriodYears: Certificate validity in number of years from their renewal date.	Positive integer.	Validity period of self-certified certificates issued by SDS upon key renewal
	keyType: Size of keys generated by SDS Enterprise when the account is created.	RSA-2048, RSA-4096	Key size
automatic	Optional. Settings relating to the automatic creation of accounts. This field may not appear if automatic account creation is prohibited.		Filter CAs on automatic creation
	encryptionKeyAuthorityId: Optional. Unique ID of the authority that issued the encryption keys to be used for creating the account. You will find the ID in the list of authorities in the certificateData section of the .json file.	Unique character string	Authority name for decryption
	signatureKeyAuthorityId: Optional. Unique ID of the authority that issued the signature key to be used for creating the account. You will find the ID in the list of authorities in the certificateData section of the .json file.	Unique character string	Authority name for signature

recovery

The recovery parameters of user accounts can be configured in the recovery section described in the table below. In the SDMC administration console, the equivalent parameters are found in Policies > Accounts > Data recovery.

For more information, see the section Enabling data recovery in the Administration Guide.

Parameter	Type Description	Prescribed values	SDMC
certificateIds	Unique ID of the recovery certificate to be added to users for the SDS Enterprise agent's encryption operations. You will find the identifier in the list of certificates in the certificateData section of the .json file.	Unique character string	Key management