AppSuite:OX Guard Configuration 2 10: Difference between revisions
Latest revision as of 13:27, 13 February 2023
OX Guard 2.10 Configuration
There are two main files for configuring OX Guard: guard-api.properties and guard-core.properties. The first configuration file is part of the OX backend and contains, among others, the properties that enable the OX Guard functionality for modules such as Mail and Drive, as well as some capabilities. The second configuration file is part of OX Guard and contains the properties that configure the behaviour of the product.
Configuration File (guard-api.properties)
Main Properties
As of Guard 2.10.7, Guard now supports two types of email encryption, PGP and S/Mime. Prior versions only support PGP.
com.openexchange.capability.guard = true
Enables PGP Guard. If not set, no Guard PGP functions will be loaded in the UI. Required for users to perform ANY Guard PGP function, including reading encrypted emails. This level allows users without "guard-mail" enabled to read emails sent to them and reply to those emails, but not to compose new ones. Recommended minimum level for all users.
com.openexchange.capability.guard-mail = true
Enables the user's ability to send PGP-encrypted emails. If false but guard is enabled, users can read encrypted emails and reply to the original sender, but they cannot compose new encrypted emails.
com.openexchange.capability.guard-drive = true
Enables the Drive functionality. If false, users will not be able to decrypt or upload encrypted files.
com.openexchange.capability.smime = true (as of Guard 2.10.7)
Enables S/MIME for the user. This can be used with or without any of the above PGP capabilities. Will enable sending and receiving of S/MIME encrypted/signed emails.
Optional Properties
com.openexchange.guard.templateID = 0
Define template customization ID for the Guest reader emails, the Guest reader, and system emails. See Customization for details.
com.openexchange.guard.endpoint =
Specifies the URI to the OX Guard end-point; e.g. http://guard.host.invalid:8009/guardadmin. By default is empty.
Capabilities
com.openexchange.capability.guard-nodeleterecovery = true
(Guard 2.0) Disable the ability of the user to delete the recovery keys. Makes it impossible to reset the password, but also adds a level of protection/security.
com.openexchange.capability.guard-nodeleteprivate = true
(Guard 2.0) Disable the ability of the user to delete their PGP private key. They can revoke it, but not delete the key.
Configuration File (guard-core.properties)
Database
com.openexchange.guard.oxguardDatabaseHostname = localhost
The address of the MySQL database for OX Guard data. May be the same as the OX MySQL database.
com.openexchange.guard.oxguardDatabaseRead
Optional read-only IP/name for the OX Guard database that might be used in Master-Slave setups.
com.openexchange.guard.oxguardShardDatabase
IP/name for the location of the Guest database shards. Additional shards will be created on this database.
com.openexchange.guard.oxguardShardRead
Optional read-only IP/name for Guest database shards that might be used in Master-Slave setups.
com.openexchange.guard.databaseUsername = username
The username to access the OX Backend and Guard databases. This user needs to have select, create, lock, insert and update privileges. The Guard database user should also have alter (for updates), drop and index privileges.
com.openexchange.guard.databasePassword = password
The password for the databases
OX API
com.openexchange.guard.restApiHostname = localhost
The address for the OX REST API. This is the location of the OX Backend.
com.openexchange.guard.OXBackendPort = 8009
The port for the OX Backend. Default is 8009 (direct communication with the backend). Could be 80, etc., if going through a load balancer.
com.openexchange.guard.restApiUsername = open-xchange
com.openexchange.guard.restApiPassword = secret
Username and password for the REST API.
com.openexchange.guard.externalEmailURL = example.com/appsuite/api/oxguard/reader/reader.html
When Guard sends an encrypted eMail to members, they may not be using the webmail UI to read the email. A help file is attached, and a link will be provided to log into their webmail to read the encrypted item. This setting is used to point to a generic log in for the webmail system. Sent to multiple recipients, so not customized to the individual recipient.
Support API
com.openexchange.guard.supportapiusername = xxxxx
com.openexchange.guard.supportapipassword = yyyyy
If the support API is to be used, a username and password should be configured.
com.openexchange.guard.exposedKeyDurationInHours = 168
When a user is deleted, the private keys are saved in a temporary deleted-keys table (in case of accidental deletion). If support "exposes" the key, the user can then retrieve it using the generated link. For security reasons, this link is only valid for a short period of time. This property defines that duration.
File Storage
Local/remote storage is required for temporary caching of encrypted emails to guest/non-OX users. This can be an attached local file store or an Amazon S3-compatible object store, depending on which open-xchange-guard-*-storage package is installed (file or S3).
General Properties
com.openexchange.guard.guestCleanedAfterDaysOfInactivity=365
Specifies how long emails and guest accounts are maintained for guests that have not had any activity. If the guest has not logged into the Guest account in the configured time, the emails are removed and the Guest account is closed.
Storage Specific Properties
File-Storage
com.openexchange.guard.storage.file.uploadDirectory = /var/spool/open-xchange/guard/uploads
Defines the temporary upload and cache directory for OX Guard Drive files for the open-xchange-guard-file-storage package.
This directory needs to be shared between application servers serving the Guest Reader interface.
S3-Storage
S3 configuration options if the package open-xchange-guard-s3-storage is selected.
As of 7.10.6, the App Suite middleware should be used for Guard S3 storage. Set up a bucket for Guard to use and configure it in the middleware, then tell Guard which S3 store to use:
com.openexchange.filestore.s3.guardstore.endpoint: "http://somewhere"
com.openexchange.filestore.s3.guardstore.bucketName: "guardstore"
com.openexchange.filestore.s3.guardstore.accessKey: AccessKey
com.openexchange.filestore.s3.guardstore.secretKey: SecretKey
com.openexchange.guard.storage.file.fileStorageType: "s3"
com.openexchange.guard.storage.s3.s3FileStore: "guardstore"
Deprecated
com.openexchange.guard.storage.s3.endpoint =
com.openexchange.guard.storage.s3.bucketName =
com.openexchange.guard.storage.s3.region =
com.openexchange.guard.storage.s3.accessKey =
com.openexchange.guard.storage.s3.secretKey =
Crypto
com.openexchange.guard.aesKeyLength=256 (Deprecated)
AES key length. 256 is preferred, but not supported on all systems. May need to have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files installed.
com.openexchange.guard.rsaKeyLength=2048
RSA key length. Used when creating PGP keys.
PGP
com.openexchange.guard.publicPGPDirectory = hkp://keys.gnupg.net:11371, hkp://pgp.mit.edu:11371
List of PGP Public key servers to query for public keys
com.openexchange.guard.publicKeyWhitelist
A list of IP addresses of TRUSTED Guard servers. When the public PGP key server is queried, it will normally only find Guard keys that have already been created. If on the whitelist, the Guard server will also query the OX backend to see if the email address exists on the OX system, and if so, will create new keys for the user.
com.openexchange.guard.keyValidDays = 3650
PGP keys created will only be valid for this number of days. Default is 10 years. Set to 0 for no expiration date.
com.openexchange.guard.pgpCacheDays=7
When looking up remote PGP keys, if found, the keys will be stored in a temporary cache. Set number of days until the cache item is expired and remote lookup is repeated.
com.openexchange.guard.useStartTLS = true
Use TLS when delivering to the SMTP server when available.
S/Mime (as of 2.10.7)
com.openexchange.smime.checkCRL
Enables or disables checking certificate revocation lists when verifying certificates.
com.openexchange.smime.caGroupId
Specifies a certificate authority group number to which the user belongs. All users within that group will trust the certificate authorities configured for that group.
Autocrypt (as of 2.10.2)
com.openexchange.guard.autoCryptEnabled
Enables Autocrypt functionality for Guard. If incoming emails have an Autocrypt header, the key will be imported. Outgoing emails contain the user's public key in an Autocrypt header.
com.openexchange.guard.autoCryptMutual
On outgoing Autocrypt headers, specifies the desired Autocrypt mode.
Email
com.openexchange.guard.guestSMTPServer=smtp.example.com
com.openexchange.guard.guestSMTPPort=25
com.openexchange.guard.guestSMTPUsername=
com.openexchange.guard.guestSMTPPassword=
SMTP settings for outgoing emails from the guest reader. Emails sent from within the system use the OX Backend. The guest reader, however, sends replies through this SMTP server. In addition, password emails (reset, initial) are sent through this SMTP server.
Bad Attempts
com.openexchange.guard.badMinuteLock = 10
Defines how long someone will be locked out after bad attempts. Defaults to 10 minutes.
com.openexchange.guard.badPasswordCount = 5
Defines how many times a person can attempt to unlock an encrypted item before being locked out. Defaults to 5 times.
RSA Key Generation for PGP keys
com.openexchange.guard.rsacache = true
RSA keys are pre-generated in the background, encrypted, and stored for future user keys. RSA key generation is the most time consuming function and the RSA cache significantly improves new user creation time.
com.openexchange.guard.rsacachecount = 100
Number of RSA keys to pre-generate
com.openexchange.guard.keycachecheckinterval = 30
Interval in seconds to check the RSA cache and re-populate if less than rsacachecount.
com.openexchange.guard.rsacertainty = 256
Bit certainty for RSA key generation. Higher values give greater assurance that the generated numbers are in fact prime, but take longer; lower values are much faster. May need to be lower if not using the cache.
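To make the rsacertainty trade-off concrete, here is an added example (not Guard's own code) of a Miller-Rabin primality test whose number of rounds is derived from a certainty value, following the Java BigInteger convention that a composite is accepted with probability below 2^-certainty; that Guard's key generator follows this convention is an assumption of the example.

```python
"""Miller-Rabin primality test parameterised by a 'certainty' value, to show what
com.openexchange.guard.rsacertainty trades off. Added example, not Guard code; it
assumes the Java convention that a composite passes with probability below 2**-certainty."""
import random

def rounds_for_certainty(certainty):
    """Each Miller-Rabin round lets a composite slip through with probability at most 1/4,
    so ceil(certainty/2) rounds bound the error by 2**-certainty."""
    return max(1, (certainty + 1) // 2)

def is_probable_prime(n, certainty, rng=random):
    """Return True if n is prime with error probability below 2**-certainty."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):      # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                   # write n-1 = d * 2**s with d odd
        d //= 2
        s += 1
    for _ in range(rounds_for_certainty(certainty)):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                # a is a witness: n is definitely composite
    return True

def random_prime(bits, certainty, rng=random):
    """Draw odd candidates of the requested size until one passes the test; a higher
    certainty means more modular exponentiations for every accepted candidate."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, certainty, rng):
            return cand
```

With the page's default of 256, each candidate prime costs 128 rounds; the cache exists so that this work happens in the background rather than at user creation time.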
Passwords
com.openexchange.guard.newpasslength=8
Length of the randomly generated password when a user resets their password.
com.openexchange.guard.minpasswordlength=6
Minimum password length.
Backend
com.openexchange.guard.oxbackendpath = /ajax/
URL used to communicate directly with the OX backend.
com.openexchange.guard.oxbackendidletime = 60
HTTP connections to the backend are kept open for faster response. This is the timeout setting that will close idle connections.
Guest Accounts
com.openexchange.guard.shardsize=1000
Guest user data are placed in databases named oxguard_x. After the set number of users, another database shard is created.
com.openexchange.guard.guestCleanedAfterDaysOfInactivity=365
Specifies how long emails and guest accounts are maintained for guests that have not had any activity. If the guest has not logged into the Guest account in the configured time, the emails are removed and the Guest account is closed. 0 implies indefinite (no cleaning done). Default 365 days
Recovery
If you do not want password recovery available, you can disable it by adding
com.openexchange.guard.noRecovery = true
Keep in mind, that a lost password will result in total loss of encrypted data.
Miscellaneous
com.openexchange.guard.secureReply = true
(since Guard 2.2) Normally, when a person replies to an encrypted email, the reply is automatically encrypted. Set to false to disable this automatic encryption.
SSL
Starting with 2.4.0, OX Guard is running inside the OSGi container, meaning that all its servlets are being registered and served by Grizzly.
API SSL
com.openexchange.guard.backendSSL = false
By default the connection between the Guard backend and the configured Open-Xchange REST API host is unencrypted. Even though Guard will never transmit unencrypted emails to or from the REST API, you can optionally encrypt the whole communication between those two components by using SSL. Please note: enabling SSL might decrease performance and/or create more system load due to the additional encoding of the HTTP streams.
Incoming SSL
The communication between the frontend load balancer (Apache or otherwise) and Guard is by default HTTP (assuming a protected network). More information on how to enable SSL can be found here.
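As an added example (not OX Guard code) that ties the properties above together, the following Python script parses a constructed guard-core.properties and flags the settings a reviewer would question: documentation placeholders left in secrets, the deprecated aesKeyLength property, PGP keys shorter than the default, keys that never expire, backendSSL, useStartTLS or checkCRL switched off, and noRecovery. The thresholds are this example's own choices, not Guard requirements.

```python
"""Audit an OX Guard properties file against the settings documented on this page.
Added example, not OX Guard code; the thresholds are this example's own choices."""
import re

# Constructed sample guard-core.properties with weak and leftover settings
SAMPLE_CORE = """
# database and REST credentials still at the documentation placeholders
com.openexchange.guard.databasePassword = password
com.openexchange.guard.restApiPassword = secret
com.openexchange.guard.aesKeyLength=128
com.openexchange.guard.rsaKeyLength=1024
com.openexchange.guard.keyValidDays = 0
com.openexchange.guard.backendSSL = false
com.openexchange.smime.checkCRL = false
com.openexchange.guard.noRecovery = true
"""

# Values copied verbatim from the documentation snippets are not real secrets
PLACEHOLDER_SECRETS = {"", "password", "secret", "xxxxx", "yyyyy"}
G = "com.openexchange.guard."

def parse_properties(text):
    """Parse Java-style 'key = value' or 'key: value' lines; '#' and '!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip().strip('"')
    return props

def audit(props):
    """Return (property, finding) pairs for settings that weaken a Guard deployment."""
    def num(key, default):
        v = props.get(key, "")
        return int(v) if v.isdigit() else default
    findings = []
    for key in (G + "databasePassword", G + "restApiPassword", G + "supportapipassword"):
        if key in props and props[key].lower() in PLACEHOLDER_SECRETS:
            findings.append((key, "placeholder or empty secret"))
    if G + "aesKeyLength" in props:
        findings.append((G + "aesKeyLength", "deprecated property still set"))
    if num(G + "rsaKeyLength", 2048) < 2048:
        findings.append((G + "rsaKeyLength", "PGP RSA keys below the 2048-bit default"))
    if num(G + "keyValidDays", 3650) == 0:
        findings.append((G + "keyValidDays", "PGP keys never expire"))
    for key in (G + "backendSSL", G + "useStartTLS", "com.openexchange.smime.checkCRL"):
        if props.get(key, "true").lower() == "false":
            findings.append((key, "transport encryption or revocation checking disabled"))
    if props.get(G + "noRecovery", "").lower() == "true":
        findings.append((G + "noRecovery", "recovery off: a lost password loses all encrypted data"))
    return findings
```

Feed the contents of your own guard-core.properties (and guard-api.properties for the capability lines) to parse_properties and pass the result to audit; the noRecovery finding is informational, since the page documents it as a deliberate trade-off.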