Account
User accounts can be configured in the accountPolicy section of the .json file, which is divided into several sub-sections: parameters, creation and recovery.
The operating parameters of user accounts can be configured in the parameters section described in the table below. In the SDMC administration console, the equivalent parameters are found in Policies > Accounts > Parameters.
For further information, refer to the section Configuring generic account settings in the Administration guide.
Parameter | Description | Possible values | SDMC
---|---|---|---
cryptography | Indicates how cryptographic operations are performed when the account is in use. This parameter impacts all functions of SDS Enterprise, except Data Disk. | | Encryption and signature
encryptionAlgorithm | Algorithm to use in encryption operations. | AES-256 | Encryption algorithm
hashAlgorithm | Algorithm to use in signature operations. | SHA-256, SHA-512 | Signature algorithm
keyEncryptionMethod | Optional. Algorithm to use in operations encrypting the keys. | RSA-OAEP-SHA- RSA-OAEP-SHA-1 | N/A
cardAccount | Optional. Indicates how smart card accounts operate. This field appears only if the policy allows connections to smart card accounts. | | Card or USB token accounts
cardMiddlewares | List of middleware programs that can be used on the workstation. Middleware allows SDS Enterprise to communicate with all types of smart cards and USB tokens. | | Middleware
name | Name displayed for this middleware configuration. | String |
dllname | Name of the DLL containing the middleware. The value is an absolute path to the DLL on the user's workstation. If the DLL is in a folder listed in the Windows PATH variable, the DLL name alone is sufficient. | String |
disablePKCS11Label, disablePKCS11Extractable, disablePKCS11Modifiable and disablePKCS11ModulusBits | Parameters that control the use of various PKCS#11 attributes during communication with smart cards/USB tokens. These parameters come from the database of known middleware programs on SDMC and are set to increase the agent's compatibility with middleware from various vendors. You are advised against modifying the default values provided. | true, false |
showAllSlots | Indicates whether the "Information" window in the smart card configurator displays information about all logical slots managed by the middleware (true), or only slots with a smart card/token inserted (false). | true, false |
cardFilter | Optional. Filters to be applied to select the right smart card reader when the connection window appears. | | Card reader filtering
manufacturer | String used to filter smart card readers by vendor name. The characters * and ? are allowed. | String | Vendor name
description | String used to filter smart card readers by description. | String | Description
accountMode | Indicates the user account types that can be connected. | password, smartcard, SSO, passwordAnd | Account type
The creation parameters of user accounts can be configured in the creation section described in the table below. In the SDMC administration console, the equivalent parameters are found in Policies > Accounts > Creation.
For further information, refer to the section Setting account creation parameters in the Advanced configuration guide.
Parameter | Description | Possible values | SDMC
---|---|---|---
accountKeyMode | Indicates the operating mode of accounts when they are created. This parameter does not affect how existing accounts function. | singleKey, dualKey | Key management
passwordAccountMethod | Indicates whether password accounts can be created, and how. | forbidden, manual | General settings > Password accounts
cardAccountMethod | Indicates whether smart card or USB token accounts can be created, and how. | forbidden, manual, automatic, manualAnd | General settings > Accounts
passwordAccount | Optional. Indicates password creation settings. This field does not appear if password account creation is prohibited. | | Password account creation
passwordStrength | Indicates the strength required of the password chosen by the user for the new account. | | Password strength
alphabeticCharMinCount | Minimum number of alphabetic characters that the user's password must contain. | Positive integer | Minimum number of alphabetic characters
numericCharMinCount | Minimum number of numeric characters that the user's password must contain. | Positive integer | Minimum number of numeric characters
specialCharMinCount | Minimum number of special characters that the user's password must contain. | Positive integer | Minimum number of special characters
totalCharMinCount | Minimum number of characters that the user's password must contain. | Positive integer | Minimum number of characters
allowedKeySources | List of sources from which users can choose keys for their accounts. | p12File, selfSignedP12 | Import .p12 certificates; Generate .p12 certificates locally
selfSignedOptions | Optional. Specific parameters relating to the generation of self-certified keys. This field does not appear if the manual creation of password accounts does not allow the use of self-certified keys. | | Self-certified certificates
baseLifetimeYears | Certificate validity in number of years from the creation date. | Positive integer | Validity period of self-certified certificates issued by SDS upon account creation
renewalPeriodYears | Certificate validity in number of years from the renewal date. | Positive integer | Validity period of self-certified certificates issued by SDS upon key renewal
keyType | Size of the keys generated by SDS Enterprise when the account is created. | RSA-2048, RSA-4096 | Key size
automatic | Optional. Settings relating to the automatic creation of accounts. This field may not appear if automatic account creation is prohibited. | | Filter CAs on automatic creation
encryptionKeyAuthorityId | Optional. Unique ID of the authority that issued the encryption keys to be used for creating the account. You will find the ID in the list of authorities in the certificateData section of the .json file. | Unique character string | Authority name for decryption
signatureKeyAuthorityId | Optional. Unique ID of the authority that issued the signature key to be used for creating the account. You will find the ID in the list of authorities in the certificateData section of the .json file. | Unique character string | Authority name for signature
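As an added example that is not part of this documentation, the following Python script assembles a constructed accountPolicy fragment from the fields in the parameters and creation tables above, checks a candidate password against the passwordStrength minimums, and lints the policy for values outside the listed allowed values and for the rule that passwordAccount does not appear when password account creation is forbidden. The JSON nesting of the sub-sections, the lookup helper and the finding messages are assumptions, not SDS Enterprise behaviour.

```python
# Constructed sample accountPolicy fragment (not a real SDS Enterprise policy);
# the nesting of the sub-sections is assumed from the tables on this page.
SAMPLE_POLICY = {"accountPolicy": {
    "parameters": {
        "cryptography": {"encryptionAlgorithm": "AES-256", "hashAlgorithm": "SHA-512"},
        "accountMode": ["password", "smartcard"]},
    "creation": {
        "accountKeyMode": "dualKey",
        "passwordAccountMethod": "manual",
        "passwordAccount": {
            "passwordStrength": {"alphabeticCharMinCount": 4, "numericCharMinCount": 2,
                                 "specialCharMinCount": 1, "totalCharMinCount": 12},
            "selfSignedOptions": {"baseLifetimeYears": 3, "renewalPeriodYears": 3, "keyType": "RSA-2048"}}}}}

# (dotted path under accountPolicy, allowed values) taken from the tables above
ALLOWED = [("parameters.cryptography.encryptionAlgorithm", {"AES-256"}),
           ("parameters.cryptography.hashAlgorithm", {"SHA-256", "SHA-512"}),
           ("creation.accountKeyMode", {"singleKey", "dualKey"}),
           ("creation.passwordAccountMethod", {"forbidden", "manual"}),
           ("creation.passwordAccount.selfSignedOptions.keyType", {"RSA-2048", "RSA-4096"})]
CLASS_KEYS = ("alphabeticCharMinCount", "numericCharMinCount", "specialCharMinCount")

def lookup(policy, path):  # walk a dotted path under accountPolicy; None if a level is missing
    node = policy.get("accountPolicy", {})
    for part in path.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def password_meets_policy(password, strength):
    """True if the candidate password satisfies every passwordStrength minimum."""
    counts = {"alphabeticCharMinCount": sum(c.isalpha() for c in password),
              "numericCharMinCount": sum(c.isdigit() for c in password),
              "specialCharMinCount": sum(not c.isalnum() for c in password),
              "totalCharMinCount": len(password)}
    return all(counts[k] >= strength.get(k, 0) for k in counts)

def lint_account_policy(policy):
    """Return findings (strings) for an accountPolicy dict; an empty list means clean."""
    findings = []
    for path, allowed in ALLOWED:
        value = lookup(policy, path)
        if value is not None and value not in allowed:  # optional keys may be absent
            findings.append(f"{path}: unexpected value {value!r}")
    pw = lookup(policy, "creation.passwordAccount")
    if lookup(policy, "creation.passwordAccountMethod") == "forbidden" and pw is not None:
        findings.append("creation.passwordAccount is set although password accounts are forbidden")
    strength = (pw or {}).get("passwordStrength", {})
    if sum(strength.get(k, 0) for k in CLASS_KEYS) > strength.get("totalCharMinCount", 0):
        findings.append("passwordStrength: totalCharMinCount is below the sum of the per-class minimums")
    return findings
```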
The recovery parameters of user accounts can be configured in the recovery section described in the table below. In the SDMC administration console, the equivalent parameters are found in Policies > Accounts > Data recovery.
For more information, see the section Enabling data recovery in the Administration Guide.
Parameter | Description | Possible values | SDMC
---|---|---|---
certificateIds | Unique ID of the recovery certificate to be added to users for the SDS Enterprise agent's encryption operations. You will find the identifier in the list of certificates in the certificateData section of the .json file. | Unique | Key management