AppSuite:GuardConfiguration: Difference between revisions
Revision as of 18:58, 20 November 2014
Cascade Options
Main Options
com.openexchange.capability.guard=true
Enables Guard. If not set, no guard functions will be loaded in the UI. Needed if users should be able to do ANY Guard functions including reading encrypted emails
com.openexchange.capability.guard-mail=true
Enables the user(s) ability to send encrypted emails. If false but Guard is enabled, they can read encrypted emails and reply to the original sender, but they cannot compose new emails
com.openexchange.capability.guard-drive=true
Enables the drive functionality. If false, user(s) will not be able to decode or upload new encrypted files
Optional Cascade Options
com.openexchange.capability.guard-noextra
Disables the ability to add an extra password to encrypted items. May be required by some industries
com.openexchange.capability.guard-noprivate
(Future, not currently supported) Disables the ability for a user to use his/her own private keys
com.openexchange.capability.guard-nodeleterecovery
(Future, not currently supported) Disables the ability of the user to delete the recovery keys. Makes it impossible to reset the password, but also adds a level of protection/security
com.openexchange.capability.guard-nodeleteonrevoke
The default when revoking an item is to delete the content key, making the item impossible to decode. If this option is true, the item is merely expired and can later be retrieved for decoding in case of legal requirements, corporate requirements, etc.
com.openexchange.guard.fromEmail= name<email>
Email address to use as the From address when sending automated emails (First password, password reset)
Configuration file (guard.properties)
Database
com.openexchange.guard.configdbHostname=localhost
The address of the mysql database that contains the OX Backend configdb. This is used during initial setup and database sharding
com.openexchange.guard.oxguardDatabaseHostname=localhost
The address of the mysql database for OxGuard data. May be the same as the OX mysql database
com.openexchange.guard.databaseUsername=username
The username used to access the OX Backend and Guard databases. This user needs select, create, lock, insert and update privileges. The Guard database user should also have alter (for updates), drop and index privileges
com.openexchange.guard.databasePassword=password
The password for the databases
OX API
com.openexchange.guard.restApiHostname=localhost
The address for the OX REST API. This is the location of the OX Backend
com.openexchange.guard.OXBackendPort = 8009
The port for the OX Backend. Default is 8009 (direct communication with the backend). Could be 80, etc., if going through a load balancer
com.openexchange.guard.restApiUsername=open-xchange
com.openexchange.guard.restApiPassword=secret
Username and password for the REST API
com.openexchange.guard.externalEmailURL=example.com
When non-OX users get an email with a link to read the message, an external URL is required so they can visit the non-OX reader page. This should be the public domain that prefixes /appsuite/api/guard/reader
File Store
com.openexchange.guard.storage.type=file
Local/remote storage is required for temporary caching of non-ox encrypted emails. This can be an attached file store, or Amazon S3 compatible object store. Values are “file” or “s3”
com.openexchange.guard.storage.file.uploadDirectory=/var/spool/open-xchange/guard/uploads
Location of local filestore if type was “file”
com.openexchange.guard.storage.s3.endpoint=
com.openexchange.guard.storage.s3.bucketName=
com.openexchange.guard.storage.s3.region=
com.openexchange.guard.storage.s3.accessKey=
com.openexchange.guard.storage.s3.secretKey=
S3 configuration options if filestore selected was S3
com.openexchange.guard.cacheDays=30
How many days emails are kept in file store before being deleted. Measured from time of sending, reset when someone reads the email
com.openexchange.guard.cronHour=2
Time (hour) at which the filestore is checked for old items
Crypto
com.openexchange.guard.aesKeyLength=256
AES key length. 256 is preferred, but not supported on all systems; the Java unlimited key strength pack may need to be installed
com.openexchange.guard.rsaKeyLength=2048
RSA key length.
Email
com.openexchange.guard.guestSMTPServer=smtp.example.com
com.openexchange.guard.guestSMTPPort=25
com.openexchange.guard.guestSMTPUsername=
com.openexchange.guard.guestSMTPPassword=
SMTP settings for outgoing emails from the guest reader. Emails sent from within the system use the OX Backend. The guest reader, however, sends replies through this SMTP. In addition, password emails (reset, initial) are sent through the SMTP server
Remote
com.openexchange.guard.maxremote = 100
Maximum number of remote emails that can be received in the lockout period (com.openexchange.guard.badMinuteLock)
Optional
com.openexchange.guard.usestarttls = true
Use TLS when delivering to the SMTP server when available
Bad attempts
com.openexchange.guard.badMinuteLock= 10
Defines how long someone will be locked out after bad attempts. Default 10
com.openexchange.guard.badPasswordCount= 5
Defines how many times a person can attempt to unlock an encrypted item before being locked out. Default 5
com.openexchange.guard.badIpCount: 10
Defines how many times an outside computer can request a public key that doesn't exist before being locked out
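The three counters in this section (badPasswordCount, badIpCount) and maxremote in the Remote section share one mechanism: count bad events per subject inside the badMinuteLock period and refuse the subject once the threshold is reached. The following added example is not Guard's own code; it models that behaviour so the interplay of the thresholds can be exercised. The page gives the thresholds but not the counting rule, so the rolling window, the lock duration equal to badMinuteLock, the per-subject keying (user for passwords, client IP for unknown-key lookups and remote mail) and the refuse-without-counting behaviour are this example's assumptions, and the attempt timestamps are constructed.

```python
"""Model of the Guard lockout counters: badPasswordCount, badIpCount and
maxremote, with badMinuteLock as both the counting window and the lock period.
Added example, not Guard's own code; the counting rule, subject keys and
lock duration are assumptions, since the page only states the thresholds."""
from collections import defaultdict, deque


class AttemptLimiter:
    """Counts bad events per subject inside a rolling window and locks the
    subject for one window once `limit` events fall inside it."""

    def __init__(self, limit, window_minutes):
        self.limit = limit
        self.window = window_minutes * 60          # seconds
        self._events = defaultdict(deque)          # subject -> timestamps
        self._locked_until = {}                    # subject -> unlock time

    def is_locked(self, subject, now):
        return now < self._locked_until.get(subject, 0)

    def record(self, subject, now):
        """Count one bad event at time `now` (seconds). Returns True if the
        subject is locked afterwards; the counter resets when a lock starts."""
        if self.is_locked(subject, now):
            return True
        q = self._events[subject]
        while q and now - q[0] >= self.window:     # expire old events
            q.popleft()
        q.append(now)
        if len(q) >= self.limit:
            self._locked_until[subject] = now + self.window
            q.clear()
            return True
        return False


def build_limiters(bad_minute_lock=10, bad_password_count=5,
                   bad_ip_count=10, maxremote=100):
    """One limiter per counter on the page, with the page's defaults.
    Subject keys are an assumption: user for passwords, client IP for the
    unknown-key and remote-mail counters."""
    return {
        "password": AttemptLimiter(bad_password_count, bad_minute_lock),
        "unknown_key": AttemptLimiter(bad_ip_count, bad_minute_lock),
        "remote_mail": AttemptLimiter(maxremote, bad_minute_lock),
    }


def simulate(limiter, subject, times):
    """Feed bad events for `subject` at the given timestamps (seconds) and
    return (counted, refused). A locked subject is refused without being
    counted, so the lock ends exactly badMinuteLock minutes after it began."""
    counted = refused = 0
    for now in times:
        if limiter.is_locked(subject, now):
            refused += 1
        else:
            limiter.record(subject, now)
            counted += 1
    return counted, refused


if __name__ == "__main__":
    lim = build_limiters()["password"]
    # constructed: ten bad unlock attempts, one every 10 seconds
    print(simulate(lim, "alice", [t * 10 for t in range(10)]))       # (5, 5)
    print(lim.is_locked("alice", 639), lim.is_locked("alice", 600 + 40))  # True False
```

With the defaults, five failed unlock attempts inside ten minutes lock the subject for ten minutes from the fifth attempt; the same five attempts spread more than ten minutes apart never trigger the lock, which is the behaviour the badMinuteLock period implies.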
RSA Key Generation
com.openexchange.guard.rsacache=true
RSA keys are pre-generated in the background, encrypted, and stored for future user keys. RSA key generation is the most time consuming function and the RSA cache significantly improves new user creation time
com.openexchange.guard.rsacachecount=100
Number of RSA keys to pre-generate
com.openexchange.guard.keycachecheckinterval= 30
Interval in seconds to check the RSA cache and re-populate if less than rsacachecount
com.openexchange.guard.rsacertainty=256
Bit certainty for RSA key generation. Higher numbers give more assurance that the number is in fact prime but are more time consuming; lower is much faster. May need to be lower if not using the cache
Passwords
com.openexchange.guard.newpasslength=8
Length of the randomly generated passwords when a user resets password.
com.openexchange.guard.minpasswordlength=6
Minimum password length
Backend
com.openexchange.guard.oxbackendpath=/ajax/
URL used to communicate directly with the OX backend
com.openexchange.guard.oxbackendidletime=60
HTTP connections to the backend are kept open for faster response. This is the timeout setting that will close idle connections.
com.openexchange.guard.configdbname=configdb
Name of the configdb database
Guest Accounts
com.openexchange.guard.shardsize=1000
Guest user data is placed in databases named oxguard_x. After the set number of users, another database shard is created
com.openexchange.guard.externalreaderpath=/appsuite/api/oxguard/reader/reader.html
Full path after domain name for the external reader (if changed from default)
Optional Configuration Settings
API SSL
com.openexchange.guard.backend_ssl=true
Communication between Guard and the OX backend is HTTP by default. All items to be encrypted are already encrypted at this point, but other information (sender name, filename, etc.) could appear in plaintext here. If SSL is desired, set to true.
Incoming SSL
Communication between the frontend load balancer (Apache or otherwise) and Guard is HTTP by default (assuming a protected network). To have Guard listen on an SSL socket, the following needs to be set
com.openexchange.guard.useSSL= true
Enables jetty listener for ssl
com.openexchange.guard.SSLPort= 8443
Jetty will listen on defined port for ssl connections
com.openexchange.guard.SSLKeyStore= xxxx
Location of the keystore with ssl keys
com.openexchange.guard.SSLKeyName= xxxx
Name/alias of the key to use
com.openexchange.guard.SSLKeyPass= xxxx
Password for the ssl key
Recovery
If you do not want password recovery available, you can disable it by adding
com.openexchange.guard.noRecovery= true
Keep in mind that a lost password will then result in total loss of the encrypted data
Misc
com.openexchange.guard.defaultlanguage=en_US
Default language if a language is requested but not available
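Before restarting Guard with a new guard.properties, it helps to check the file for the settings the descriptions above warn about: plain HTTP between Guard and the backend, the documented default REST password, guest-reader SMTP without STARTTLS, AES/RSA key lengths below the preferred values, S3 storage selected without its credentials, and useSSL enabled without keystore settings. The following added example is not code from the wiki page or from Guard. It parses the file using the same key=value and key: value syntax the page itself uses (badIpCount is given with a colon) and reports findings; the thresholds and the two embedded sample files (one weak, one corrected, with placeholder secrets) are constructed for the example.

```python
"""Lint a Guard guard.properties file for weak or inconsistent settings.
Added example, not code from the wiki page or from Guard: the checks follow
the option descriptions above; thresholds and both samples are constructed."""
import re

PREFIX = "com.openexchange.guard."
# Java .properties: 'key=value', 'key: value', or 'key value'; spaces allowed.
_KV = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")

# Constructed weak sample: plain HTTP to the backend, documentation default
# REST password, S3 without credentials, short keys, SSL without a keystore.
WEAK_PROPERTIES = """\
com.openexchange.guard.restApiPassword=secret
com.openexchange.guard.storage.type=s3
com.openexchange.guard.storage.s3.endpoint=
com.openexchange.guard.storage.s3.bucketName=guard-cache
com.openexchange.guard.aesKeyLength=128
com.openexchange.guard.rsaKeyLength=1024
com.openexchange.guard.usestarttls = false
com.openexchange.guard.badIpCount: 10
com.openexchange.guard.useSSL= true
"""

# Constructed corrected sample for the same options (placeholder secrets).
HARDENED_PROPERTIES = """\
com.openexchange.guard.backend_ssl=true
com.openexchange.guard.restApiPassword=REPLACE-WITH-REAL-SECRET
com.openexchange.guard.usestarttls = true
com.openexchange.guard.aesKeyLength=256
com.openexchange.guard.rsaKeyLength=2048
com.openexchange.guard.storage.type=file
com.openexchange.guard.useSSL= true
com.openexchange.guard.SSLKeyStore= /etc/guard/keystore.jks
com.openexchange.guard.SSLKeyName= guard
com.openexchange.guard.SSLKeyPass= REPLACE-WITH-KEYSTORE-PASSWORD
com.openexchange.guard.minpasswordlength=8
com.openexchange.guard.newpasslength=12
"""


def parse_properties(text):
    """Parse .properties lines; '#' and '!' start comments. Keys are returned
    without the com.openexchange.guard. prefix, values with surrounding
    whitespace stripped (an empty value is kept as '')."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            key, value = m.groups()
            props[key[len(PREFIX):] if key.startswith(PREFIX) else key] = value
    return props


def lint(props):
    """Return a list of findings; an empty list means nothing was flagged."""
    def get(key, default=""):
        return props.get(key, default).strip()

    def truthy(key):
        return get(key).lower() == "true"

    findings = []
    if not truthy("backend_ssl"):
        findings.append("backend_ssl: Guard-to-backend traffic is plain HTTP")
    if get("restApiPassword") in ("", "secret"):
        findings.append("restApiPassword: empty or the documentation default")
    if not truthy("usestarttls"):
        findings.append("usestarttls: guest-reader SMTP delivery will not use TLS")
    if int(get("aesKeyLength") or 256) < 256:
        findings.append("aesKeyLength: below the preferred 256 bits")
    if int(get("rsaKeyLength") or 2048) < 2048:
        findings.append("rsaKeyLength: below 2048 bits")
    storage = get("storage.type", "file")
    if storage not in ("file", "s3"):
        findings.append(f"storage.type={storage!r}: must be 'file' or 's3'")
    elif storage == "s3":
        missing = [k for k in ("endpoint", "bucketName", "region", "accessKey",
                               "secretKey") if not get("storage.s3." + k)]
        if missing:
            findings.append("storage.s3: missing " + ", ".join(missing))
    if truthy("useSSL"):
        missing = [k for k in ("SSLKeyStore", "SSLKeyName", "SSLKeyPass")
                   if not get(k)]
        if missing:
            findings.append("useSSL=true but missing " + ", ".join(missing))
    if int(get("newpasslength") or 8) < int(get("minpasswordlength") or 6):
        findings.append("newpasslength below minpasswordlength: generated reset "
                        "passwords would violate the minimum")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name, lint(parse_properties(text)) or ["no findings"])
```

Run it against a real file with `lint(parse_properties(open(path).read()))`; the weak sample produces seven findings and the corrected sample none. Missing keys fall back to the defaults the page documents, so a file that simply omits aesKeyLength is treated as 256, while an explicit weaker value is flagged.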