Configuration

Configuration
Prev	Chapter 5. Security	Next

Security policy configuration can be separated into these distinct areas:

Security configuration has a configuration type of security.

Table 5.1, “Principal configuration” defines the principal configuration parameters.


	It is strongly recommended that all principal configuration be done using administrative commands instead of configuration to avoid exposing clear text passwords in configuration files.


	It is illegal to activate security configuration that modifies the active principal executing the configuration command. Security configuration that modifies or removes principals should be activated by a principal which is not referenced in the configuration file.

Table 5.1. Principal configuration

Name	Type	Description
`name`	String	Principal name.
`textCredential`	String	Optional text credential. Default value is the empty string.
`opaqueCredential`	String	Optional opaque text credential. Default value is the empty string. Opaque text credentials are generated when user security configuration is exported - they should not be set manually. See the section called “Export user configuration”.
`deferredCredential`	Boolean	Optionally indicate whether credential definition be deferred until the initial authentication event. Default value is false.
`roles`	Role list	A comma separated list of roles.
`credentialExpirationPeriodDays`	Integer	An optional expiration time for the credential in days. Default value is 0 (no expiration).
`allowEmptyCredential`	Boolean	Optionally indicate whether empty text credentials are ever allowed for this principal. Default value is true.
`credentialRequired`	Boolean	Optionally indicate whether a credential is always required. If true the principal must always present credentials during authentication, and cannot use the trusted host facility. Default value is false.
`trustedHostUser`	Boolean	Optionally indicate whether the principal may only be authenticated when connecting from a trusted host. Default value is false.

Access control configuration is done in two parts - the access rules and the rule itself. Table 5.2, “Access control rule configuration” defines the configuration values for an access rule.

Table 5.2. Access control rule configuration

Name	Type	Description
`roleName`	String	Name of role associated with rule.
`permission`	Enumeration - `Execute` or `AccessAllOperationsAndAttributes`.	Define the granted permissions for the access control rule. `Execute` can only be specified on administrative commands. `AccessAllOperationsAndAttributes` can only be specified on administrative targets.

Table 5.3, “Rule configuration” defines the configuration values for a rule.

Table 5.3. Rule configuration

Name	Type	Description
`name`	String	Class name. This is a fully scoped class name of the administrative target or command being protected.
`lockAllElements`	Boolean	A value of `true` disables all unauthenticated access to administrative commands in the target. A value of `false` enables all access. Default value is `false`.
`accessRules`	Array of access rules.	The access control rules for the type defined in this rule.

Table 5.4, “Trusted hosts configuration” defines the trusted host configuration parameters.

Table 5.4. Trusted hosts configuration

Name	Type	Description
`name`	String	Trusted host name. Either a fully-qualified domain name, or a simple name.

Table 5.5, “Authentication source configuration” defines the authentication source configuration parameters.

Table 5.5. Authentication source configuration

Name	Type	Description
`sourceList`	Array of source names.	An array of source names in priority order. No default value.
`name`	String	Unique source name in `sourceList` array. The source name must match an available authentication source. The name of the node local authentication source is `Local`. See Example 5.1, “Authentication source configuration example” for an example. No default value.

Prev	Up	Next
Administration	Home	Chapter 6. Distribution and High Availability