Appendix: Supported GSKit attributes
You can configure these GSKit attributes with Security Access Manager.
Strings
- GSK_HTTP_PROXY_SERVER_NAME
- Sets the http proxy server for http CDP CRL retrieval if required. The numeric identifier is 225.
- GSK_SSL_EXTN_SERVERNAME_REQUEST
- Sets the server name to be requested. The numeric identifier is 230.
- GSK_SSL_EXTN_SERVERNAME_CRITICAL_REQUEST
- Sets the server name to be requested. This request must be satisfied. If this request is not satisfied, an error is returned. The numeric identifier is 231.
Enums
- GSK_ALLOW_UNAUTHENTICATED_RESUME
- The numeric identifier is 423. One of the following ENUM values must be specified (The default is GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF):
- GSK_ALLOW_UNAUTHENTICATED_RESUME_ON
- Indicates that a session resume can be completed successfully even if the client has not provided a certificate during the initial handshake when the server is configured for client authentication. The numeric identifier is 588.
- GSK_ALLOW_UNAUTHENTICATED_RESUME_OFF
- Indicates that a session resume cannot be completed successfully when a client has not provided a certificate during the initial handshake and the server is configured for client authentication. This causes the connection to complete a full SSL handshake, which ensures that the server has the opportunity to authenticate the client. The numeric identifier is 589.
This ENUM_ID may only be set prior to gsk_environment_init().
- GSK_SSL_SUITEB_MODE_PROCESSING
- The numeric identifier is 454. One of the following ENUM values must be specified (The default is GSK_FALSE):
- GSK_TRUE
- SSL Suite B mode is set. The setting restricts SSL session negotiation to the TLS Suite B Profile (RFC 5430), an approved mode of operation which restricts cipher suites, certificates, and signature and hash algorithms. The numeric identifier is 1.
Note: This setting enables both the 128 bit and 192 bit Security levels of Suite B. Do not make other settings related to cipher suites, protocols, or signature and hash algorithms once this setting has been made.
- GSK_FALSE
- SSL Suite B mode is not enabled. The numeric identifier is 0.
- GSK_SSL_SUITEB_128BIT_MODE_PROCESSING
- The numeric identifier is 455. One of the following ENUM values must be specified (The default is GSK_FALSE):
- GSK_TRUE
- SSL Suite B 128 bit Security mode is set. The setting restricts SSL session negotiation to the TLS Suite B Profile (RFC 5430), an approved mode of operation which restricts cipher suites, certificates, and signature and hash algorithms. The numeric identifier is 1.
Note: This setting enables only the 128 bit Security level of Suite B. Do not make other settings related to cipher suites, protocols, or signature and hash algorithms once this setting has been made.
- GSK_FALSE
- SSL Suite B mode is not enabled. The numeric identifier is 0.
Note: This ENUM may only be set prior to gsk_environment_init(). FIPS-140 certified cryptographic modules should also be configured if using this setting. This setting enables the TLS12 protocol and disables all others.
- GSK_SSL_SUITEB_192BIT_MODE_PROCESSING
- The numeric identifier is 456. One of the following ENUM values must be specified (The default is GSK_FALSE):
- GSK_TRUE
- SSL Suite B 192 bit Security mode is set. The setting restricts SSL session negotiation to the TLS Suite B Profile (RFC 5430), an approved mode of operation which restricts cipher suites, certificates, and signature and hash algorithms. The numeric identifier is 1.
Note: This setting enables only the 192 bit Security level of Suite B. Do not make other settings related to cipher suites, protocols, or signature and hash algorithms once this setting has been made.
- GSK_FALSE
- SSL Suite B mode is not enabled. The numeric identifier is 0.
- GSK_LDAP_REQUIRED_AT_INIT
- Specifies the requirements of an LDAP server at environment initialization. The numeric identifier is 412. One of the following ENUM values must be specified (The default is GSK_INIT_CRL_LDAP_REQUIRED_OFF):
- GSK_INIT_CRL_LDAP_REQUIRED_ON
- Operational LDAP server (CRL database) is required during environment initialization. The numeric identifier is 538.
- GSK_INIT_CRL_LDAP_REQUIRED_OFF
- Availability of an active LDAP server (CRL database) is not required during environment initialization. The numeric identifier is 539.
- GSK_CC_MODE_CONTROL
- This group controls the Common Criteria Mode operational requirements. The numeric identifier is 418. One of the following ENUM_VALUE values must be specified (The default is OFF for each of these):
- GSK_CC_MODE_DISABLE_STASH_FILE_ON
- Disable the use of stash files to open keystores. The numeric identifier is 555.
- GSK_CC_MODE_DISABLE_STASH_FILE_OFF
- Allow the use of stash files to open keystores. The numeric identifier is 556.
This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if the use of stash files has been disallowed but no keystore password has been given. It cannot be set using an environment variable.
- GSK_CC_MODE_FIPS_ON
- FIPS mode is set. The numeric identifier is 557. The enumerated value for GSK_BASE_CRYPTO_LIBRARY must not be GSK_BASE_CRYPTO_RSA (the default is GSK_BASE_CRYPTO_ICC) or an error is returned. This enum has the same effect as setting all of GSK_FIPS_MODE_PROCESSING_ON, GSK_SSL_FIPS_MODE_PROCESSING_ON, and GSK_ICC_FIPS_MODE_PROCESSING_ON. Additionally, setting this enum has a similar effect to setting GSK_NIST_DES_FIPS_DEPRECATION, except that the deprecation of DES happens immediately rather than waiting until May 18 2007.
- GSK_CC_MODE_FIPS_OFF
- FIPS mode is not enabled. The numeric identifier is 558. This enum has the same effect as GSK_FIPS_MODE_PROCESSING_OFF. This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if FIPS mode is not supported on the platform. It cannot be set using an environment variable.
- GSK_CC_MODE_ENFORCE_STRONG_PWD_ON
- Enforce the use of Common Criteria strength passwords for keystore operations. The numeric identifier is 559.
- GSK_CC_MODE_ENFORCE_STRONG_PWD_OFF
- Remove the enforcement of the use of Common Criteria strength passwords for keystore operations. The numeric identifier is 560.
This ENUM may only be set prior to gsk_environment_init(). gsk_environment_init() will fail if the given password does not meet the strength rules. It cannot be set using an environment variable.
- GSK_CC_MODE_DISABLE_PKCS11_ON
- Disable the use of PKCS#11 devices. The numeric identifier is 561.
- GSK_CC_MODE_DISABLE_PKCS11_OFF
- Allow the use of PKCS#11 devices. The numeric identifier is 562.
This ENUM may only be set prior to gsk_environment_init(). It cannot be set using an environment variable.
- GSK_CC_MODE_ENFORCE_STRONG_KDB_ON
- Enforce that only newer-version CMS keystores, which have stronger tamper protection, are used. The numeric identifier is 563.
- GSK_CC_MODE_ENFORCE_STRONG_KDB_OFF
- Remove the enforcement that only newer-version CMS keystores, which have stronger tamper protection, are used. The numeric identifier is 564.
- GSK_CC_MODE_STRICT_BASIC_CONST_ON
- Enforce the rule that non-end-entity certificates that are missing the Basic Constraints extension are not permitted in a validation chain. The numeric identifier is 565.
- GSK_CC_MODE_STRICT_BASIC_CONST_OFF
- Allow non-end-entity certificates that are missing the Basic Constraints extension to be used in a validation chain. The numeric identifier is 566.
- GSK_CC_MODE_ENFORCE_RIP_ON
- Ensure that GSKit clears residual information for a session when that session encounters SSL errors. The numeric identifier is 567.
- GSK_CC_MODE_ENFORCE_RIP_OFF
- Do not enforce that GSKit clears residual information for a session when that session encounters SSL errors. The numeric identifier is 568.
- GSK_NIST_DES_FIPS_DEPRECATION
- NIST has determined that on May 19 2007 DES will no longer be a FIPS-certified cipher. Turning this flag on causes DES to be removed from the cipher list in FIPS mode after this date. The numeric identifier is 433.
- GSK_TRUE
- Turn DES deprecation on after May 18 2007. The numeric identifier is 1.
- GSK_FALSE
- Do not remove DES from the FIPS cipher list after May 18 2007. The numeric identifier is 0.
- GSK_BINARY_DN_MATCHING_ENABLE
- Allows for faster operation by comparing DNs using their binary DER encoding. The default is off (Disabled). The numeric identifier is 441.
- GSK_TRUE
- Turn Binary Matching On (Not recommended). The numeric identifier is 1.
- GSK_FALSE
- Turn Binary Matching Off. The numeric identifier is 0.
- GSK_PROTOCOL_SSLV2
- Enables or disables the SSL V2 protocol. Note that in FIPS mode of operation (see GSK_FIPS_MODE_PROCESSING) this setting has no effect. The numeric identifier is 403. ENUM_VALUE must specify one of the following operations (The default is GSK_PROTOCOL_SSLV2_ON):
- GSK_PROTOCOL_SSLV2_ON
- Enable SSL V2
- GSK_PROTOCOL_SSLV2_OFF
- Disable SSL V2
- GSK_PROTOCOL_SSLV3
- Enables or disables the SSL V3 protocol. The numeric identifier is 404. ENUM_VALUE must specify one of the following operations (The default is GSK_PROTOCOL_SSLV3_ON):
- GSK_PROTOCOL_SSLV3_ON
- Enable SSL V3
- GSK_PROTOCOL_SSLV3_OFF
- Disable SSL V3
- GSK_PROTOCOL_TLSV10
- Enables or disables the TLSV10 protocol. The numeric identifier is 436. ENUM_VALUE must specify one of the following operations (The default is on):
- GSK_TRUE
- Enable TLSV10
- GSK_FALSE
- Disable TLSV10
- GSK_PROTOCOL_TLSV11
- Enables or disables the TLSV11 protocol. The numeric identifier is 437. ENUM_VALUE must specify one of the following operations (The default is on):
- GSK_TRUE
- Enable TLSV11
- GSK_FALSE
- Disable TLSV11
- GSK_PROTOCOL_TLSV12
- Enables or disables the TLSV12 protocol. The numeric identifier is 438. ENUM_VALUE must specify one of the following operations (The default is on):
- GSK_TRUE
- Enable TLSV12
- GSK_FALSE
- Disable TLSV12
- GSK_V2_CIPHER_SPECS
- If multiple connections occur under an SSL session, the values set for this field may not be used: the cipher specification negotiated during the first SSL connection of a session is used until that session expires. The list below shows the available cipher specs, with the string values that can be used with the buf_value for this buffer ID. Any combination of these may be used; none may be used twice.
- 1-RC4 US
- 2-RC4 Export
- 3-RC2 US
- 4-RC2 Export
- 6-DES 56-Bit
- 7-Triple DES US
If a NULL string ("") is specified for the cipherspec list, SSL version 2 protocols will not be used.
The default cipherspec is "713642". The numeric identifier is 205.
- GSK_V3_CIPHER_SPECS_EX, GSK_TLSV10_CIPHER_SPECS_EX, GSK_TLSV11_CIPHER_SPECS_EX, GSK_TLSV12_CIPHER_SPECS_EX
- Allows the user to specify cipher specs for the TLS protocol versions. The numeric identifiers are 240, 241, 242, and 243. Different TLS protocols may have mutually exclusive cipher specs. The buffer contains a comma-delimited list of string values that are defined by RFC 2246, 4346, 5246, 4492, and 5289.
Example: Setting the AES TLS cipher suites would require a buffer containing "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA".
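The two cipher spec formats above (the digit string for GSK_V2_CIPHER_SPECS and the comma-delimited suite list for the GSK_*_CIPHER_SPECS_EX buffers), parsed and validated in Python as an added example that is not part of the Security Access Manager documentation or of GSKit. The suite-name pattern is an assumption based on the RFC naming scheme, not a rule GSKit itself documents.

```python
import re

# Cipher spec digits GSKit accepts in GSK_V2_CIPHER_SPECS, taken from the list above.
V2_CIPHER_SPECS = {
    "1": "RC4 US", "2": "RC4 Export", "3": "RC2 US",
    "4": "RC2 Export", "6": "DES 56-Bit", "7": "Triple DES US",
}

def parse_v2_cipher_specs(spec):
    """Expand a GSK_V2_CIPHER_SPECS string such as the default "713642" into the
    ordered list of cipher names it selects. An empty string ("") means SSL V2
    is not used at all, so it yields no ciphers. Each digit must be one of the
    documented specs and, per the rule above, may appear only once."""
    names, seen = [], set()
    for ch in spec:
        if ch not in V2_CIPHER_SPECS:
            raise ValueError(f"unknown SSL V2 cipher spec digit {ch!r}")
        if ch in seen:
            raise ValueError(f"cipher spec digit {ch!r} listed twice")
        seen.add(ch)
        names.append(V2_CIPHER_SPECS[ch])
    return names

def export_grade_specs(spec):
    """Return the export-strength (weakened) entries a V2 spec string enables;
    the default "713642" enables two of them."""
    return [n for n in parse_v2_cipher_specs(spec) if n.endswith("Export")]

# Assumed shape of RFC 2246/4346/5246/4492/5289 names: TLS_<kx>_WITH_<cipher>_<mac>.
_SUITE_NAME = re.compile(r"^TLS_[A-Z0-9]+(_[A-Z0-9]+)*_WITH(_[A-Z0-9]+)+$")

def parse_tls_cipher_specs(buf):
    """Split a GSK_*_CIPHER_SPECS_EX buffer such as
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA" into its suite
    names, tolerating surrounding whitespace and rejecting empty entries,
    duplicates and names that are not shaped like RFC cipher suite identifiers."""
    suites = []
    for item in buf.split(","):
        name = item.strip()
        if not name:
            raise ValueError("empty entry in cipher suite list")
        if not _SUITE_NAME.match(name):
            raise ValueError(f"not an RFC-style TLS cipher suite name: {name!r}")
        if name in suites:
            raise ValueError(f"cipher suite {name} listed twice")
        suites.append(name)
    return suites

if __name__ == "__main__":
    print(parse_v2_cipher_specs("713642"))
    print(export_grade_specs("713642"))
    print(parse_tls_cipher_specs("TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA"))
```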
Numbers
- GSK_LDAP_FAILOVER_RECONNECTION_PERIOD
- If multiple LDAP servers are specified for the failover function and the first LDAP server on the list is not available, the next one on the list is queried until one is available or all the LDAP servers have been tried. Periodically, an attempt is made to retry the LDAP server query process. This attribute specifies the time period before the query retry is to begin. The value of int_value must be in the range of 0 - 86400 seconds. Defaults:
- For a single LDAP server, 0 seconds.
- When multiple LDAP servers are specified, 300 seconds.
The numeric identifier is 307.
- GSK_V2_SIDCACHE_SIZE
- The number of entries in the SID (Session ID) cache used for SSLV2, range 0-2047 (default=256). The numeric identifier is 304.
- GSK_V3_SIDCACHE_SIZE
- The number of entries in the SID (Session ID) cache used for SSLV3 and TLSV1, range 0-MAXINT (default=512). This setting does not impose an upper limit; however, GSKit internally imposes a limit that may be reviewed over time. Currently the internal limit is 655360. Note: Very large cache sizes could have adverse impacts on process performance due to the large memory usage. The cache memory allocation is dynamic in that memory is not allocated for cache entries until they are required, so the memory usage may in fact be far less than the maximum number of cache entries specified. Applications should consider these aspects when setting the cache size. The numeric identifier is 305.
- GSK_OCSP_TIMEOUT
- Sets the timeout in seconds that GSKit waits for a response from the OCSP server. The default is 30. The numeric identifier is 318.
- GSK_HTTP_CDP_MAX_RESPONSE_SIZE
- Sets the maximum size in bytes that GSKit will accept as a response from an HTTP server when retrieving a CRL. This may help protect against a denial of service attack. The default is 204800 (200K). The numeric identifier is 316.
- GSK_HTTP_CDP_TIMEOUT
- Sets the timeout in seconds that GSKit waits for a response from the HTTP CDP server. The default is 30. The numeric identifier is 319.
- GSK_MAX_SSL_MESSAGE_SIZE
- Sets the maximum message size that can be received by GSKit. This setting is designed to protect against certain denial of service attacks in which very large messages are used to exhaust memory on a system. The default is 128K bytes. The numeric identifier is 320.
- GSK_HTTP_PROXY_SERVER_PORT
- Sets the http proxy server port for http CDP CRL retrieval if needed. The numeric identifier is 317.
- GSK_LDAP_SERVER_VERSION
- Sets the LDAP protocol version to be used. This should be set to 2 or 3. The numeric identifier is 314.
- GSK_V2_SESSION_TIMEOUT
- SSL V2 session time-out. int_value must be in the range 0-100 seconds (default=100). The numeric identifier is 301.
- GSK_V3_SESSION_TIMEOUT
- SSL V3 session time-out. int_value must be in the range 0-86400 seconds (default=86400, 24 hours). The numeric identifier is 302.