MOCCA Configuration
Since MOCCA version 1.3 commons-configuration is used for the main configuration of MOCCA.
The configuration is built by the ConfigurationFactoryBean class. It creates a composite configuration using a default configuration read from ConfigurationFactoryBean.DEFAULT_CONFIG and an (optional) resource specified by setConfigurationResource(org.springframework.core.io.Resource). The latter resource is usually injected via a spring application context. See the configuration sections of MOCCA Online / MOCCA Local on how the configuration resource is constructed in their respective application contexts and on how to provide your own configuration file.
Common Configuration Options
A typical configuration file looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<MoccaConfiguration version="1.0">
<RegisterSecurityProviders>true</RegisterSecurityProviders>
<DataURLConnection>
<MaxHops>50</MaxHops>
</DataURLConnection>
<ValidateHashDataInputs>true</ValidateHashDataInputs>
<SSL>
<certDirectory>./certStore</certDirectory>
<caDirectory>./trustStore</caDirectory>
</SSL>
</MoccaConfiguration>Supported Configuration Parameters
- RegisterSecurityProviders
- Allows to control whether MOCCA should register the required Java Cryptographic Service Providers.
NOTE: MOCCA will only work if the required security providers are registered. If this is set to false, the security providers must be registered by some other means (e.g. registered statically).
Default: true
- DataURLConnection
- MaxHops
- Sets the number of consecutive requests allowed to be received from the DataURL server. This allows to prevent infinite request loops caused by erroneous server implementations.
Default: 50
- Whitelist
- A list of allowed DataURLs, separated by commas. The entries are interpreted as regular expressions. If this list is not present, any DataURL will be accepted. If it is empty, all DataURLs will be rejected.
- ValidateHashDataInputs
- Controls if to-be signed data is validated for conformity with the standardised viewer format of the Austrian Citizen Card specification.
Default: true
- SSL
The following two configuration elements must provide an URL which resolves to a directory in the file system. It may either be an absolute URL or a relative URL, which is resolved using the URL of the configuration file.
- certDirectory
- Specifies the URL of a certificate store directory. This directory must contain all certificates required to build a valid certification chain up to an anchor of trust (e.g. a certificate also contained in the trust store directory). Certificate filenames are hashed. To add new certificates to the certificate store directory create a sub-directory named toBeAdded and put the certificates into this directory. They will then be added to the certificate store upon startup of MOCCA.
Default: classpath:at/gv/egiz/bku/certs/certStore
- caDirectory
- Specifies the URL of a trust store directory. This directory must contain all certificates considered as a root of trust.
NOTE: Any certificate in the trust store directory must also be present in the certificate store directory!
Default: classpath:at/gv/egiz/bku/certs/trustStore
- sslProtocol
- Options: TLS (default) or SSL
- revocationServiceOrder
- Comma-separated (ordered) list of revocation services to be used, e.g. "CRL,OCSP". Any revocation service not contained in the list will be disabled.
Default: OCSP,CRL
NOTE: Do not enable the following two options in production environments!
- disableHostnameVerification
- May be set to true to disable verification of the server host name given in the server's certificate.
Default: false
- disableAllChecks
- May be set to true to disable all TSL/SSL related checks.
Default: false
- ProductName
- May be specified to set the product name given by the Server and User-Agent HTTP headers as specified by HTTP binding.
- ProductVersion
- May be specified to set the product version given by the Server and User-Agent HTTP headers as specified by HTTP binding.
- SignatureLayout
- May be specified to set the SignatureLayout HTTP header.
- AccessController
Citizen Card Environment access control configuration file
- PolicyResource
Default: classpath:/at/gv/egiz/bku/accesscontrol/config/accessControlConfig.xml
- UseStrongHash
- The hash algorithms default to SHA-256 or RIPEMD-160, depending on card support. If this option is set to false, SHA-1 is used.
Default: true
- UseStylesheetURL
- By default, provided StylesheetURLs will be ignored. To enable this feature, set this to true.
Default: false
- UseSWCard
- Use provided key and certificate files instead of a smart card. This feature expects the following files:
- smcc/secure.p12: keystore containing the secure signature key pair (under the friendly name SecureSignatureKeypair)
- smcc/secure.pwd: plain text file containing the password of the above key store
- smcc/secure.cer: corresponding certificate
- smcc/certified.p12: keystore containing the certified key pair (under the friendly name CertifiedKeypair)
- smcc/certified.pwd: plain text file containing the password of the above key store
- smcc/certified.cer: corresponding certificate
Default: false
MOCCA Local Only Configuration Parameters
- CCID
Smart card interface device configuration options. Currently, only one configuration item.
- disablePinpad
- Whether to disable the pinpad on a card reader and use keyboard pin entry instead.
Default: false
MOCCA Online Only Configuration Parameters
- EnableP3PHeader
- Set to true to enable a P3P Header with the following contents:
CP="NON DSP COR CUR ADM DEV TAI PSA PSD OUR DEL IND UNI COM NAV INT CNT STA";
This means that you agree not to give away information collected about users (e.g. log files)
This makes setting cookies from in iFrame served from another domain possible under Internet Explorer
