SecurityServer Configuration
Configuring the Security Server with JAVA_OPTS start parameter (environment properties)
You can add several start parameters to your start script or to your service wrapper. Please note that the options listed below need a prefix -D for a correct setup, e.g. -Duse.inactive.certificates=true.
Configuring the Security Server using the properties file
Another way to set your options is to use a properties file. For this, a file named config.properties needs to be added to your classpath. Since your FSS subfolder conf should be added to your classpath, this is the correct place for this file. Please note that if you have configured an option in the properties file AND as a Java start parameter, the start parameter takes precedence.
Options
There are some starting options that you might want to change:
Option | Values | Description |
---|---|---|
use.inactive.certificates | true/false | This option enables the use of inactive certificates. Default is false |
check.for.signature | true/false | This option disables checking for signatures. Default is true |
store.qes.messages | true/false | Whether to store incoming qes messages before and after encryption. This feature is not really used anymore. The default is therefore false |
use.rule.feature | true/false | Activates/deactivates the post processing with rules. Default is false |
verify.filter.mapping | Path to properties file | Defines a whitelist of verification errors that you want to accept. The error codes to be accepted automatically need to be defined like this: bc.accept.error.codes= |
store.delete.delay | integer | The number of milliseconds to wait between writing a file and checking for its existence. |
store.incoming.messages | true/false | This feature stores all incoming messages in the ./store folder. This is needed to add virus detection. Default is false |
store.incoming.messages.pre | true/false | This feature stores all incoming messages in the store.incoming.messages.path folder BEFORE any decryption or signature verification. Default is false |
store.delete.incoming.messages | true/false | Extended feature to use a virus scanner and propagate the result. Default is false. FSS stores a copy of every mail to the directory, giving the virus scanner the opportunity to delete the file. In such a case the FSS removes the content from the mail to avoid processing a malicious file. |
store.incoming.messages.path | string | The folder where incoming messages and attachments will be stored. Defaults to ./store. |
store.filename.maxlength | Integer | The maximum length of basename where stored filenames are |
line.separator | string | The line separator to use for exports |
security.gateway.plugins | Colon separated list of plugin classes. | With plugins you can extend the functionality of the SecurityServer. |
security.gateway.import.modifier | Fully qualified class name of an import modifier class | Processor that can handle certificates and private keys during import |
mailcap.handlers | new-line separated strings | A list of strings to load into the default javax.activation.CommandMap |
cluster.node | String | Name of this node. Needed for FSS cluster communication. |
cluster.service.period | Integer | Time (seconds) between polling on Database for update-recognition. |
content_encryption_algorithm | String | The algorithm which is used for encrypting the content of S/MIME messages. Default is AES128_CBC before April 1, 2025; AES128_GCM after. |
key_encryption_algorithm | String | The algorithm which is used for asymmetrically encrypting the symmetric key. Default is id_RSAES_OAEP |
signing_algorithm | String | The algorithm which is used for signing S/MIME messages. Default is SHA256withRSAandMGF1 |
restore.crl.definition | true/false | Set this property once to migrate from a version without CRLs to a version with CRLs. Default is false |
soft.crl.validation | true/false | Set this property if you want to activate a soft CRL validation, meaning that it is sufficient if at least one CRL link can be accessed. Default is false |
update.certificate.descriptions | true/false | Set this property once to update missing CRL URIs in the certificate description. Default is false |
use.local.commandmap | true/false | Set this property if you want to use a local command map for AS/2 message generation. Default is false |
scanner.type | String | With this property you configure whether and which scanner for virus detection is used |
scanner.configuration | String | The configuration for a virus scanner, if needed |
thumprint.to.lower.case | true/false | Set this property once to change the format of the thumbprint in the certificate detail window to lower case. Default is false |
thumprint.separator.char | ':' , ' ', '' | Set this property once to change the separator char of the thumbprint in the certificate detail window |
serial.number.separator.char | ':' , ' ', '' | Set this property once to change separator char of the serial number in the certificate detail window |
auto.sign.cert.import.from.mail | true/false | If enabled, the certificates used for mail signature are imported from the signed mail. The default is false |
background.color | String | This sets the background color of the FSS UI |
validityWarningDays | String | The number of days to show a warning for private keys that are expiring soon |
set.bouncy.castle.as.first.provider | true/false | Set this property to load Bouncy Castle as the first security provider (more secure). It might be needed to improve the generation of entropy on your system (see here). The default is true |
use.oldest.certificate.for.encryption | true/false | If enabled and if multiple certificates / private keys are available for encryption and signature (!), the oldest will be used. If disabled (default) the newest will be used. Default is false |
hsm.slot.connection.inactivity.timeout | 3 (default: 10) | Timeout in minutes after which an unused HSM slot connection is closed. |
hsm.connections.timeout | 30000 (default: 10000) | Read timeout in milliseconds in case of network issues to existing connections of HSM. |
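
The following audit script is an added example, not part of the FSS documentation or product. It resolves the effective value of a few options from config.properties and JAVA_OPTS using the precedence described above (the start parameter wins) and reports every value that differs from the default documented in the table. The choice of options to check and all function names are assumptions made for this example, and only plain key=value lines are parsed.

```python
import shlex

# Documented defaults of security-relevant options, copied from the Options table.
DOCUMENTED_DEFAULTS = {
    "use.inactive.certificates": "false",
    "check.for.signature": "true",
    "soft.crl.validation": "false",
    "auto.sign.cert.import.from.mail": "false",
    "set.bouncy.castle.as.first.provider": "true",
}

def parse_properties(text):
    """Parse the plain key=value subset of a Java properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_java_opts(java_opts):
    """Extract -Dkey=value system properties from a JAVA_OPTS string."""
    props = {}
    for token in shlex.split(java_opts):
        if token.startswith("-D") and "=" in token:
            key, _, value = token[2:].partition("=")
            props[key] = value
    return props

def audit(properties_text, java_opts):
    """Return (option, effective value, source) for each deviation from the default."""
    file_props = parse_properties(properties_text)
    start_props = parse_java_opts(java_opts)
    findings = []
    for option, default in DOCUMENTED_DEFAULTS.items():
        if option in start_props:      # the start parameter wins over the file
            value, source = start_props[option], "JAVA_OPTS"
        elif option in file_props:
            value, source = file_props[option], "config.properties"
        else:
            continue                   # unset: the documented default applies
        if value.lower() != default:
            findings.append((option, value, source))
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE_PROPERTIES = "use.inactive.certificates=true\nsoft.crl.validation=true\n"
SAMPLE_JAVA_OPTS = "-Xmx1g -Duse.inactive.certificates=false -Dcheck.for.signature=false"
print(audit(SAMPLE_PROPERTIES, SAMPLE_JAVA_OPTS))
```

In the sample, use.inactive.certificates=true in the file is not reported because the start parameter overrides it with false, which shows why both sources have to be reviewed together.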
Configuring the Security Server using the Spring properties
Some properties can also be configured via the application.yml file:
Option | Values | Description |
---|---|---|
cache-ignores-corrupt-certificates | true/false (default: false) | Ignores any corrupt/broken certificates during keystore initialization, so that the health status remains ‘UP’ |