Security properties

The data types Crypto and CryptoX are used to encrypt passwords and other confidential information. You use security properties to set the security levels for your organization, for example which data must be encrypted and which encrypted data can be decrypted again.

CRYPTO and CRYPTOX parameters

Parameters named mxe.security.crypto.* apply to the CRYPTO maxtype. They govern attributes that can be encrypted and decrypted (two-way encryption).

Parameters named mxe.security.cryptox.* apply to the CRYPTOX maxtype. They govern attributes that can be encrypted but not decrypted (one-way encryption). Each maxtype has its own encryption configuration, and the parameters for each are defined in the properties file.

Table 1. Security properties

mxe.sec.adduser.maxsets

The maximum number of concurrent sets allowed for user self-registration.

Default value: 20

mxe.sec.allowedIP

A comma-delimited list of IP addresses that must never be blocked.

Default value: none

mxe.sec.forgotpassword.maxsets

The maximum number of concurrent sets allowed for forgotten-password requests.

Default value: 20

mxe.sec.IPblock

Enables the security checks related to IP blocking.

Default value: 1

mxe.sec.IPblock.MatchBoth

Matches both the client host and the client address when checking whether a client is blocked.

Default value: 1

mxe.sec.IPblock.num

The maximum number of incorrect login attempts allowed within the window defined by mxe.sec.IPblock.sec.

Default value: 50

mxe.sec.IPblock.sec

The length of the window, in seconds, used for the IP blocking limit check.

Default value: 30

mxe.security.crypto.algorithm

Applies to attributes that can be encrypted and decrypted.

Algorithm is the basic type of encryption that is used.

This property can override the default algorithm (DESede).

Default value: none

mxe.security.crypto.key

Applies to attributes that can be encrypted and decrypted.

The length of this property must be a multiple of 24.

Default value: none

mxe.security.crypto.mode

Applies to attributes that can be encrypted and decrypted.

The following mode components are valid:

  • Cipher Block Chaining Mode (CBC) as defined in FIPS PUB 81.
  • Cipher Feedback Mode (CFB) as defined in FIPS PUB 81.
  • Electronic Codebook Mode (ECB) as defined in the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) PUB 81, DES Modes of Operation, U.S. Department of Commerce, Dec 1980.
  • Output Feedback Mode (OFB) as defined in FIPS PUB 81. OFB must use NoPadding.
  • Propagating Cipher Block Chaining (PCBC) as defined by Kerberos V4.

Default value: none

mxe.security.crypto.modulus

Applies to attributes that can be encrypted and decrypted.

Modulus is used only for the RSA algorithm.

Default value: none

mxe.security.crypto.padding

Applies to attributes that can be encrypted and decrypted.

The following padding components are valid:

  • NoPadding - No padding.
  • PKCS5Padding - The padding scheme described in RSA Laboratories, PKCS #5: Password-Based Encryption Standard, version 1.5, November 1993.

Default value: none

mxe.security.crypto.spec

Applies to attributes that can be encrypted and decrypted.

The length of this property must be a multiple of 8.

Default value: none

mxe.security.cryptox.algorithm

Applies to attributes that can be encrypted but not decrypted.

Algorithm is the basic type of encryption that is used.

This property can override the default algorithm (DESede).

Default value: none

mxe.security.cryptox.key

Applies to attributes that can be encrypted but not decrypted.

The length of this property must be a multiple of 24.

Default value: none

mxe.security.cryptox.mode

Applies to attributes that can be encrypted but not decrypted.

The following mode components are valid:

  • Cipher Block Chaining Mode (CBC) as defined in FIPS PUB 81.
  • Cipher Feedback Mode (CFB) as defined in FIPS PUB 81.
  • Electronic Codebook Mode (ECB) as defined in the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) PUB 81, DES Modes of Operation, U.S. Department of Commerce, Dec 1980.
  • Output Feedback Mode (OFB) as defined in FIPS PUB 81. OFB must use NoPadding.
  • Propagating Cipher Block Chaining (PCBC) as defined by Kerberos V4.

Default value: none

mxe.security.cryptox.modulus

Applies to attributes that can be encrypted but not decrypted.

Modulus is used only for the RSA algorithm.

Default value: none

mxe.security.cryptox.padding

Applies to attributes that can be encrypted but not decrypted.

The following padding components are valid:

  • NoPadding - No padding.
  • PKCS5Padding - The padding scheme described in RSA Laboratories, PKCS #5: Password-Based Encryption Standard, version 1.5, November 1993.

Default value: none

mxe.security.cryptox.spec

Applies to attributes that can be encrypted but not decrypted.

The length of this property must be a multiple of 8.

Default value: none

mxe.security.provider

The security provider, which is obtained from the policy file. The security provider is usually com.ibm.crypto.provider.IBMJCE.

To use a different provider, specify its class name as the value of this property.

Default value: none
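The table above states several constraints that a properties file must satisfy before the application will use it (key length a multiple of 24, spec length a multiple of 8, one of the listed modes and paddings, NoPadding with OFB, modulus only with RSA). The following Python checker is an added example, not part of the IBM documentation or product; it applies those constraints to a constructed mxe.security.crypto.* / mxe.security.cryptox.* fragment so that misconfigurations are caught at review time rather than at runtime. Property names are the page's; the sample values are placeholders.

```python
# Added example, not part of the IBM documentation: checks a Maximo properties
# fragment against the constraints this page states for mxe.security.crypto.*
# and mxe.security.cryptox.*. Property names are the page's; values are constructed.
VALID_MODES = {"CBC", "CFB", "ECB", "OFB", "PCBC"}
VALID_PADDINGS = {"NoPadding", "PKCS5Padding"}
DEFAULT_ALGORITHM = "DESede"  # the default the page names

SAMPLE_PROPERTIES = """\
mxe.security.crypto.algorithm=DESede
mxe.security.crypto.mode=OFB
mxe.security.crypto.padding=PKCS5Padding
mxe.security.crypto.key=EXAMPLEKEYEXAMPLEKEYEXAM
mxe.security.crypto.spec=EXAMPLESP
mxe.security.cryptox.modulus=12345
mxe.security.cryptox.mode=ECB
"""  # constructed sample; the key and spec strings are placeholders, not real secrets

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_crypto_properties(props):
    """Return (property, problem) pairs for every violated constraint."""
    problems = []
    for prefix in ("mxe.security.crypto", "mxe.security.cryptox"):
        get = lambda name: props.get(f"{prefix}.{name}")
        algorithm = get("algorithm") or DEFAULT_ALGORITHM  # unset means the default applies
        mode, padding = get("mode"), get("padding")
        key, spec, modulus = get("key"), get("spec"), get("modulus")
        if mode is not None and mode not in VALID_MODES:
            problems.append((f"{prefix}.mode", f"unsupported mode {mode!r}"))
        if padding is not None and padding not in VALID_PADDINGS:
            problems.append((f"{prefix}.padding", f"unsupported padding {padding!r}"))
        if mode == "OFB" and padding not in (None, "NoPadding"):  # page: OFB must use NoPadding
            problems.append((f"{prefix}.padding", "OFB must use NoPadding"))
        if key is not None and len(key) % 24 != 0:
            problems.append((f"{prefix}.key", f"length {len(key)} is not a multiple of 24"))
        if spec is not None and len(spec) % 8 != 0:
            problems.append((f"{prefix}.spec", f"length {len(spec)} is not a multiple of 8"))
        if modulus is not None and algorithm != "RSA":  # page: modulus is RSA-only
            problems.append((f"{prefix}.modulus", "modulus is only used with the RSA algorithm"))
    return problems
```

Running `check_crypto_properties(parse_properties(SAMPLE_PROPERTIES))` on the constructed fragment reports three findings: OFB combined with PKCS5Padding, a spec whose length is not a multiple of 8, and a modulus set while the algorithm defaults to DESede.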