Configuring the Stormshield KMaaS

The global configuration of the Stormshield KMaaS is managed through a JSON file, config.json, which is saved by default in /etc/stormshield/cse. This file sets the specifications for authentication and authorization, as well as the port, service name and service mode.

Creating the global configuration file

A template file, config.json.template, is available to assist you.

In RPM mode, this file is located in the directory /etc/stormshield/cse.
- Create your own global configuration file from the copy of the template using the following command:
  # cd /etc/stormshield/cse # cp --preserve config.json.template config.json
In Docker mode, the file is located in the dedicated directory you have created during installation. For more information, see Installing the Stormshield KMaaS via a Docker image.

Assigning access privileges to the file

Assign the read and write access privileges held by the current user to the file and read access to the current config.json group:
# chmod u=rw,g=r,o= config.json

Do not assign any run privileges on these files, or any privileges to other users. If access privileges are too permissive, a warning log will be generated when the Stormshield KMaaS starts, but will not prevent it from launching.

During installation, the stormshield-cse user is the owner of the configuration files by default. Do not change the owner.

Editing the global configuration file

To edit the configuration, change the default values of the config.json file template.

For more information on this file, refer to sections Installing the Stormshield KMaaS via a Docker image and Installing the Stormshield KMaaS via RPM

The tables below describe the parameters in the config.json file. The first table lists simple parameters which do not contain any sub-objects. More complex parameters have their own table.

Unless otherwise specified, in the configuration files:

All “String” fields are restricted to 10,000 characters for security reasons,

All ”Array” fields are limited to 500 items for security reasons.

Simple parameters

Parameter	Description	Type	Optional/ mandatory
kacls_url	The Stormshield KMaaS URL used to prevent "Man-in-the-middle" attacks. E.g., https://<cse.example.com>.	String	Mandatory
port	Port on which the Stormshield KMaaS listens. Port 3000 by default.	Integer	Optional
name	Name of the Stormshield KMaaS.	String	Optional
persistence_type	Mode used for storing KEKs. The prescribed values are: "json_file" if keys are stored in the keks.json file, "kms'" if keys are stored in a key management system (KMS).	String	Mandatory
kacls_kek_label	Label used to identify and retrieve the KEKs from the KMS, if the KEKs are stored in a KMS.	String between 1 and 255 characters long.	Mandatory if "persistence_type": "kms"
external_request_timeout	Timeout in milliseconds before canceling an external request (7000 ms by default). This timeout does not apply to the KMIP-related requests when using a KMS.	Integer	Optional
jwt_supported_signing_algorithms	List of the allowed signature algorithms for checking the validity of authorization and authentication tokens. Supported algorithms are: [ "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"].	String	Mandatory (at least one algorithm)

tenants parameter

Contains configuration information specific to each tenant. They are grouped by "tenant_id", which is the tenant unique identifier and is mandatory. The "tenants" object includes the following components:

Parameter	Description	Type	Optional/ mandatory
tenant_id	Unique identifier of the tenant in UUIDv4 format.	String	Mandatory
kacls: JSON object containing the configuration for the KACLS feature. For more information, refer to Configuring the KACLS.
enable	Enables or disables the KACLS feature.	Boolean	Mandatory
crypto_api: JSON object containing the configuration for the Crypto API feature. For more information, refer to Configuring Crypto API.
enable	Enables or disables the Crypto API feature.	Boolean	Mandatory
pki: JSON object containing the configuration for the PKI (Public Key Infrastructure) feature. For more information, refer to Configuring PKI.
enable	Enables or disables the PKI feature.	Boolean	Mandatory
kas: Json object containing the configuration for the Key Access Service (KAS) feature. For more information, refer to Configuring the Key Access Management.
enable	Enables or disables the KAS feature.	Boolean	Mandatory

authorization parameters

Array of JSON objects that describes how the KACLS authorization token generated by Google is verified. It includes the following components.

Add one entry per Google service (e.g., Meet, Drive, Calendar, Gmail). The values of these settings are provided in the Google documentation. For more information, see Example of the authorization parameter for Google services

The authorization parameter is mandatory in all configurations. When using the KACLS, it must contain the required authorization data. If you do not use the KACLS, the parameter must be an empty array ("authorization": []).

Parameter	Description	Type	Optional/ mandatory
issuer	Issuer of the JWT authorization token (see RFC 7519).	String	Optional
url	URL to the JWKS JSON file.	String	Mandatory
audience	Recipient of the JWT authorization token (see RFC 7519).	String	Optional

Example of the authorization parameter for Google services

This extract of the config.json file is an example of how the authorization token can be configured for the Drive, Meet, Calendar and Gmail Google services, the migration of one KACLS to another, and Gmail Send to Anyone option. You can customize the rules that allow or deny a request to the Stormshield KMaaS, using Open Policy Agent (OPA) policies. For more information, see the section Implementing the authorization rules with Open Policy Agent.

Copy

"authorization": [
    {
    "url": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
    "issuer": "gsuitecse-tokenissuer-drive@system.gserviceaccount.com",
    "audience": "cse-authorization"
    },
    {
    "url": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-meet@system.gserviceaccount.com",
    "issuer": "gsuitecse-tokenissuer-meet@system.gserviceaccount.com",
    "audience": "cse-authorization"
    }
    {
    "url": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-calendar@system.gserviceaccount.com",
    "issuer": "gsuitecse-tokenissuer-calendar@system.gserviceaccount.com",
    "audience": "cse-authorization"
    }
    {
    "url": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-gmail@system.gserviceaccount.com",
    "issuer": "gsuitecse-tokenissuer-gmail@system.gserviceaccount.com",
    "audience": "cse-authorization"
    }
    {
    "url": "https://www.googleapis.com/service_accounts/v1/jwk/apps-security-cse-kaclscommunication@system.gserviceaccount.com",
    "issuer": "apps-security-cse-kaclscommunication@system.gserviceaccount.com”",
    "audience": "cse-authorization"
    }
    {
    "url": "https://www.googleapis.com/service_accounts/v1/jwk/gsuitecse-tokenissuer-gmail-sta@system.gserviceaccount.com",
    "issuer": "gsuitecse-tokenissuer-gmail-sta@system.gserviceaccount.com",
    "audience": "cse-authorization"
    },
    ]

https parameter

JSON object that describes the HTTPS certificates. To be used when you want to run the server in secure mode. It includes the following components:

Parameter	Description	Type	Optional/ mandatory
credentials	key: path to the private HTTPS key in PEM format. cert: path to the HTTPS certificate in PEM format. ca (optional): path to the HTTPS certification authority in PEM format.	Object	Optional

Parameter

Description

Type

Optional/
mandatory

credentials

key: path to the private HTTPS key in PEM format.

cert: path to the HTTPS certificate in PEM format.

ca (optional): path to the HTTPS certification authority in PEM format.

Object

Optional

keks parameter

JSON object describing the refresh frequency of the KEKs while the Stormshield KMaaS is running. It includes the following components:

Parameter	Description	Type	Optional/ mandatory
auto_refresh	scheduled.interval_seconds: frequency at which the KEKs are scheduled to be automatically refreshed by the Stormshield KMaaS (by default 86400 seconds, minimum value 1800 seconds). Make sure you specify a value matching your needs and use. Any value lower than 1800 seconds (30 minutes) will be considered invalid and will prevent the server from starting. minimum_interval_seconds: minimum interval between two refresh operations, whether periodic or one-off (3600 seconds by default). Limits queries to the KMS. KEK refresh is only applicable if the parameter persistence_type: "kms"	Integer in seconds	Optional

Parameter

Description

Type

Optional/
mandatory

auto_refresh

scheduled.interval_seconds: frequency at which the KEKs are scheduled to be automatically refreshed by the Stormshield KMaaS (by default 86400 seconds, minimum value 1800 seconds).

Make sure you specify a value matching your needs and use. Any value lower than 1800 seconds (30 minutes) will be considered invalid and will prevent the server from starting.
minimum_interval_seconds: minimum interval between two refresh operations, whether periodic or one-off (3600 seconds by default). Limits queries to the KMS.

KEK refresh is only applicable if the parameter persistence_type: "kms"

Integer in seconds

Optional

kmip_configuration parameters

JSON object that describes the KMS configuration. It is mandatory if "persistence_type": "kms". It includes the following objects:

Parameter	Description	Type	Optional/ mandatory
host	KMS server.	String	Mandatory
port	Port that the KMS listens on (optional, 5696 by default).	Integer	Optional
client_private_key_path	Path to the private key of the KMS client in PEM format.	String	Mandatory
client_certificate_path	Path to the certificate of the KMS client in PEM format	String	Mandatory
ca_certificate_path	Path to the certification authority of the KMS client in PEM format.	String	Optional

In order to use a KMS domain, the certificate of the KMS client must have a common name that conforms with the KMS_DOMAIN_NAME>||<KMS_USER_NAME> format.
For instance, if your user is Jane and your domain is JaneDomain, the common name must be: JaneDomain||Jane.
For more information, refer to the KMS KMIP documentation.

If using a KMs domain, the domain_id values of all the tenant configurations must imperatively be the same and match the domain used by the KMIP configuration. For more information, refer to section crypto_backends.

WARNING
Stormshielddoes not guarantee the proper functioning of the product if you do not follow these instructions.

NOTE:
The maximum number of simultaneous connections to the KMS server depends on your infrastructure and the KMS configuration.

cache parameter

JSON object that describes the configuration of the cache. Set the values according to your configuration, e.g., available memory. It includes the following objects:

Parameter	Description	Type	Optional/ mandatory
enable	Activation status of the cache (true by default).	Boolean	Optional
max_cache_capacity	Maximum capacity of the cache (100 MB by default).	Integer in MB	Optional
max_object_size	Maximum size of a cached object in KB (100 KB by default). OpenId, jwks and remote configurations (cse-config) are cached. Set a value high enough to store these objects.	Integer in MB	Optional
max_object_lifetime	Lifetime of a cached object (1440 min by default). We advise against exceeding the lifetime of tokens provided by the identity providers.	Integer in minutes	Optional

logs parameters

JSON object that allows configuring how to display the logs in the new format. If the object is missing in the config.json file, only the logs with the old format are displayed. It includes the following objects.

For more information, see the section Managing logs.

Parameter	Description	Type	Optional/ mandatory
enable	Enable log display.	Boolean	Mandatory
formats	Version of the log format to enable. The prescribed values are: ["v1", "v2"] if all logs are displayed, ["v2"] if only logs with the new format are displayed, ["v1"] if only logs with the old format are displayed, [] if no logs are displayed.	String list	Mandatory if enable is set to true
kinds	Log family to which the log belongs. Prescribed values: domain: Stormshield KMaaS business operation logs. system: Logs relating to the operations concerning the environment. http: Logs relating to the HTTP operations of the Stormshield KMaaS.	String list	Mandatory if format is set to v2
severities	Level of severity of the log. Prescribed values: emerg: The system is unusable, alert: The problem must be fixed immediately, crit: Critical error, err: Non-critical error, warning: The operation was successful but generated a warning, notice: Unusual event not requiring corrective action, info: Normal operation information message, debug: Information useful to developers for troubleshooting the application.	String list	Mandatory if format is set to v2