AppSuite:GuardConfiguration: Difference between revisions

From Open-Xchange
(Created page with "Cascade Options Main Options com.openexchange.capability.guard=true Enables Guard. If not set, no guard functions will be loaded in the UI. Needed if users should be able...")
 
 
(16 intermediate revisions by the same user not shown)
Line 1: Line 1:
Cascade Options
= Cascade Options =




Main Options
== Main Options ==


com.openexchange.capability.guard=true
'''com.openexchange.capability.guard=true'''


Enables Guard. If not set, no guard functions will be loaded in the UI. Needed if users should be able to do ANY Guard functions including reading encrypted emails
Enables Guard. If not set, no guard functions will be loaded in the UI. Needed if users should be able to do ANY Guard functions including reading encrypted emails.  This level will allow users without "guard-mail" enabled to read emails sent to them, reply to those emails, but not create new emails.  Recommended minimum level for all users.


com.openexchange.capability.guard-mail=true
'''com.openexchange.capability.guard-mail=true'''


Enables the user(s) ability to send encrypted emails. If False but guard enabled, they can read encrypted emails and reply to the original sender, but they cannot compose new emails
Enables the user(s) ability to send encrypted emails. If False but guard enabled, they can read encrypted emails and reply to the original sender, but they cannot compose new emails


com.openexchange.capability.guard-drive=true
'''com.openexchange.capability.guard-drive=true'''


Enables the drive functionality. If false, user(s) will not be able to decode nor upload new encrypted files
Enables the drive functionality. If false, user(s) will not be able to decode nor upload new encrypted files


== Optional Cascade Options ==


Optional Cascade Options
=== Capabilities ===


com.openexchange.capability.guard-noextra
'''com.openexchange.capability.guard-pin'''


Disables the ability to add an extra password to encrypted items. May be required by some industry
Enables optional PIN function when sending emails to non-ox users.  Will provide an additional 4 digit pin that should be sent to the recipient.  Extra protection during the time that the temporary password was assigned and sent.
 
'''com.openexchange.capability.guard-nodeleterecovery'''
 
(Guard 2.0) Disable the ability of the user to delete the recovery keys. Makes it impossible to reset password, but also adds level of protection/security
 
'''com.openexchange.capability.guard-norecovery'''
 
(Guard 2.0) Password recovery is disabled.  No way to recover a lost or forgotten password.  Increases security, but a lost password means lost data.
 
'''com.openexchange.capability.guard-nodeleteprivate'''


com.openexchange.capability.guard-noprivate
(Guard 2.0) Disable the ability of the user to delete their private key. They can revoke it, but not delete the key.


(Future, not currently supported) Disable ability for a user to use his/her own private keys
'''com.openexchange.guard.secureReply'''


com.openexchange.capability.guard-nodeleterecovery
(Guard 2.2) Normally, when a person replies from an encrypted email, the reply is automatically encrypted. Set to false to disable this automatic encryption


(Future, not currently supported) Disable the ability of the user to delete the recovery keys. Makes it impossible to reset password, but also adds level of protection/security


com.openexchange.capability.guard-nodeleteonrevoke
'''com.openexchange.capability.guard-nodeleteonrevoke''' (Depreciated as of Guard 2.0)


Default when revoking an item is to delete the content key, making the item impossible to decode. If this option is true, then the item is merely expired and can later be retrieved for decoding in case of legal requirements, corporate requirements, etc
Default when revoking an item is to delete the content key, making the item impossible to decode. If this option is true, then the item is merely expired and can later be retrieved for decoding in case of legal requirements, corporate requirements, etc


com.openexchange.guard.fromEmail= name<email>
'''com.openexchange.capability.guard-noextra''' (Depreciated as of Guard 2.0)
 
Disables the ability to add an extra password to encrypted items. May be required by some industry
 
=== Configuration Variables ===
 
'''com.openexchange.guard.fromEmail= name<email>'''


Email address to use as the From address when sending automated emails (First password, password reset)
Email address to use as the From address when sending automated emails (First password, password reset)




Configuration file (guard.properties)
'''com.openexchange.guard.externalReaderURL'''
 
When sending an email to a guest, this URL is used for the link to the Guest reader
 
'''com.openexchange.guard.externalOxUI'''
 
PGP MIME emails are sent with a help file attached.  This is the URL to the main appsuite UI that is included in the help file  
 
 
'''com.openexchange.guard.templateID'''


Define template customization ID for the Guest reader emails, the Guest reader, and system emails.  See [[AppSuite:GuardCustomization|Customization]] for details


Required
== Configuration file (guard.properties) ==




Database


com.openexchange.guard.configdbHostname=localhost
=== Database ===
 
'''com.openexchange.guard.configdbHostname=localhost'''


The address of the mysql database that contains the OX Backend configdb. This is used during initial setup and database sharding
The address of the mysql database that contains the OX Backend configdb. This is used during initial setup and database sharding


com.openexchange.guard.oxguardDatabaseHostname=localhost
'''com.openexchange.guard.oxguardDatabaseHostname=localhost'''


The address of the mysql database for OxGuard data. May be the same as the OX mysql database
The address of the mysql database for OxGuard data. May be the same as the OX mysql database


com.openexchange.guard.databaseUsername=username
'''com.openexchange.guard.oxguardDatabaseRead'''
 
Optional read-only IP/name for the Guard database.
 
'''com.openexchange.guard.oxguardShardDatabase'''
 
IP/Name for the location of the next Guest database shard.  Additional shards will be created on this database
 
'''com.openexchange.guard.databaseUsername=username'''


The username to access the OX Backend and Guard database. This user needs to have select, create, lock, insert, update privileges. Guard database user also should have alter (for updates), drop, index
The username to access the OX Backend and Guard database. This user needs to have select, create, lock, insert, update privileges. Guard database user also should have alter (for updates), drop, index


com.openexchange.guard.databasePassword=password
'''com.openexchange.guard.databasePassword=password'''


The password for the databases
The password for the databases


=== OX API ===


OX API
'''com.openexchange.guard.restApiHostname=localhost'''
 
com.openexchange.guard.restApiHostname=localhost


The address for the OX REST API. It would be the location of the OX Backend
The address for the OX REST API. It would be the location of the OX Backend


com.openexchange.guard.OXBackendPort = 8009
'''com.openexchange.guard.OXBackendPort = 8009'''


The port for the OX Backend. Default is 8009 (which is direct communication with the backend). Could be 80, etc, if going through load balancers
The port for the OX Backend. Default is 8009 (which is direct communication with the backend). Could be 80, etc, if going through load balancers


com.openexchange.guard.restApiUsername=open-xchange com.openexchange.guard.restApiPassword=secret
'''com.openexchange.guard.restApiUsername=open-xchange'''
'''com.openexchange.guard.restApiPassword=secret'''


Username and password for the REST API
Username and password for the REST API


com.openexchange.guard.externalEmailURL=example.com
'''com.openexchange.guard.externalEmailURL=example.com'''


=== Support API ===


File Store
If the support API is to be used, a username and password should be configured
 
'''com.openexchange.guard.supportapiusername=xxxxx'''
 
'''com.openexchange.guard.supportapipassword=yyyyy'''
 
 
When a user is deleted, the Private keys are saved in a temporary deleted Keys table (in case of accidental deletion).  If support "exposes" the key, the user can then retrieve it using link generated.  For security reasons, this link is only valid for a short period of time.
 
'''com.openexchange.guard.exposedKeyDurationInHours=168'''
 
=== File Store ===


When non-ox users get an email with a link to read the message, an external url is required so they can visit the non-ox reader page. This should be the public domain that would prefix /appsuite/api/guard/reader
When non-ox users get an email with a link to read the message, an external url is required so they can visit the non-ox reader page. This should be the public domain that would prefix /appsuite/api/guard/reader


com.openexchange.guard.storage.type=file
'''com.openexchange.guard.storage.type=file'''


Local/remote storage is required for temporary caching of non-ox encrypted emails. This can be an attached file store, or Amazon S3 compatible object store. Values are “file” or “s3”
Local/remote storage is required for temporary caching of non-ox encrypted emails. This can be an attached file store, or Amazon S3 compatible object store. Values are “file” or “s3”


com.openexchange.guard.storage.file.uploadDirectory=/var/spool/open-xchange/guard/uploads
'''com.openexchange.guard.storage.file.uploadDirectory=/var/spool/open-xchange/guard/uploads'''


Location of local filestore if type was “file”
Location of local filestore if type was “file”


com.openexchange.guard.storage.s3.endpoint=
'''com.openexchange.guard.storage.s3.endpoint='''


com.openexchange.guard.storage.s3.bucketName=
'''com.openexchange.guard.storage.s3.bucketName='''


com.openexchange.guard.storage.s3.region=
'''com.openexchange.guard.storage.s3.region='''


com.openexchange.guard.storage.s3.accessKey=
'''com.openexchange.guard.storage.s3.accessKey='''


com.openexchange.guard.storage.s3.secretKey=
'''com.openexchange.guard.storage.s3.secretKey='''


S3 configuration options if filestore selected was S3
S3 configuration options if filestore selected was S3


com.openexchange.guard.cacheDays=30
'''com.openexchange.guard.cacheDays=30'''


How many days emails are kept in file store before being deleted. Measured from time of sending, reset when someone reads the email
How many days emails are kept in file store before being deleted. Measured from time of sending, reset when someone reads the email


com.openexchange.guard.cronHour=2
'''com.openexchange.guard.cronHour=2'''


Time that the filestore is checked for old items
Time that the filestore is checked for old items




Crypto
=== Crypto ===


com.openexchange.guard.aesKeyLength=256
'''com.openexchange.guard.aesKeyLength=256'''  (Depreciated)


AES Key length. 256 is preferred, but not supported on all systems. May need to have java unlimeted key strength pack installed
AES Key length. 256 is preferred, but not supported on all systems. May need to have java unlimeted key strength pack installed


com.openexchange.guard.rsaKeyLength=2048
'''com.openexchange.guard.rsaKeyLength=2048'''


RSA key length.
RSA key length. Used when creating PGP keys


'''com.openexchange.guard.keyValidDays=3650'''


Email
Length of time for PGP key validity.  Set to 0 if no expiration date


com.openexchange.guard.guestSMTPServer=smtp.example.com
=== PGP ===


com.openexchange.guard.guestSMTPPort=25
'''com.openexchange.guard.publicPGPDirectory'''


com.openexchange.guard.guestSMTPUsername=
List of PGP Public key servers to query for public keys


com.openexchange.guard.guestSMTPPassword=
'''com.openexchange.guard.publicKeyWhitelist'''
 
A list of IP addresses of TRUSTED Guard servers.  When the public PGP key server is queried, it will normally only find Guard keys that have already been created.  If on the whitelist, the Guard server will also query the OX backend to see if the email address exists on the OX system, and if so, will create new keys for the user
 
'''com.openexchange.guard.keyValidDays'''
 
PGP keys created will only be valid for this number of days.  Default is 10 years
 
=== Email ===
 
'''com.openexchange.guard.guestSMTPServer=smtp.example.com'''
 
'''com.openexchange.guard.guestSMTPPort=25'''
 
'''com.openexchange.guard.guestSMTPUsername='''
 
'''com.openexchange.guard.guestSMTPPassword='''


SMTP settings for outgoing emails from the guest reader. Emails sent from within the system use the OX Backend. The guest reader, however, sends replies through this SMTP. In addition, password emails (reset, initial) are sent through the SMTP server
SMTP settings for outgoing emails from the guest reader. Emails sent from within the system use the OX Backend. The guest reader, however, sends replies through this SMTP. In addition, password emails (reset, initial) are sent through the SMTP server


Remote
=== Remote ===


com.openexchange.guard.maxremote = 100
'''com.openexchange.guard.pgpCacheDays=7


Maximum number of remote emails that can be recieved in lockout period (com.openexchange.com.badMinuteLock)
When looking up remote PGP keys, if found, the keys will be stored in a temporary cache. Set number of days until the cache item is expired and remote lookup is repeated.


Optional
Optional


com.openexchange.guard.usestarttls = true
'''com.openexchange.guard.usestarttls = true'''


Use TLS when delivering to the SMTP server when available
Use TLS when delivering to the SMTP server when available


=== Bad attempts ===
'''com.openexchange.guard.badMinuteLock= 10'''
Defines how long someone will be locked out after bad attempts. Default 10
'''com.openexchange.guard.badPasswordCount= 5'''


Optional Configuration Settings
Defines how many times a person can attempt to unlock an encrypted item before being locked out. Default 5


'''com.openexchange.guard.badIpCount: 10'''


API SSL
Defines how many times an outside computer can request a public key that doesn't exist before being locked out


com.openexchange.guard.backend_ssl=true


Communication between Guard and the OX backend is set to HTTP by default. All items to be encrypted are already encrypted at this point, but other information (sender name, filename, etc) could appear in plaintext here. If SSL is desired, sest to true.
=== RSA Key Generation ===


'''com.openexchange.guard.rsacache=true'''


Incoming SSL
RSA keys are pre-generated in the background, encrypted, and stored for future user keys. RSA key generation is the most time consuming function and the RSA cache significantly improves new user creation time


Communication between the frontend load balancer (APACHE or otherwise) to Guard is by default HTTP (if protected network). To have Guard listen on an SSL socket, the following needs to be set
'''com.openexchange.guard.rsacachecount=100'''
 
Number of RSA keys to pre-generate


com.openexchange.guard.useSSL= true
'''com.openexchange.guard.keycachecheckinterval= 30'''


Enables jetty listener for ssl
Interval in seconds to check the RSA cache and re-populate if less than rsacachecount


com.openexchange.guard.SSLPort= 8443
'''com.openexchange.guard.rsacertainty=256'''


Jetty will listen on defined port for ssl connections
Bit certainty for RSA key generation. Higher numbers assure the number is in fact prime but time consuming. Lower is much faster. May need to be lower if not using cache


com.openexchange.guard.SSLKeyStore= xxxx


Location of the keystore with ssl keys
=== Passwords ===


com.openexchange.guard.SSLKeyName= xxxx
'''com.openexchange.guard.newpasslength=8'''


Name/alieas of the key to use
Length of the randomly generated passwords when a user resets password.


com.openexchange.guard.SSLKeyPass= xxxx
'''com.openexchange.guard.minpasswordlength=6'''


Password for the ssl key
Minimum password length




Recovery
=== Backend ===


If you do not want password recovery available, you can disable by adding
'''com.openexchange.guard.oxbackendpath=/ajax/'''


com.openexchange.guard.noRecovery= true
URL used to communicated directly with the OX backend


Keep in mind, that a lost password will result in total loss of encrypted data
'''com.openexchange.guard.oxbackendidletime=60'''


HTTP connections to the backend are kept open for faster response. This is the timeout setting that will close idle connections.


Bad attempts
'''com.openexchange.guard.configdbname=configdb'''


com.openexchange.guard.badMinuteLock= 10
Name of the configdb database


Defines how long someone will be locked out after bad attempts. Default 10
=== Support ===


com.openexchange.guard.badPasswordCount= 5
'''com.openexchange.guard.supportApiUsername'''


Defines how many times a person can attempt to unlock an encrypted item before being locked out. Default 5
Username for the support API


com.openexchange.guard.badIpCount: 10
'''com.openexchange.guard.supportApiPassword'''


Defines how many times an outside computer can request a public key that doesn't exist before being locked out
Password for the support API


=== Guest Accounts ===


RSA Key Generation
'''com.openexchange.guard.shardsize=1000'''


com.openexchange.guard.rsacache=true
Guest users data are placed in databases oxguard_x. After set number of users, another database shard is created


RSA keys are pre-generated in the background, encrypted, and stored for future user keys. RSA key generation is the most time consuming function and the RSA cache significantly improves new user creation time
'''com.openexchange.guard.externalreaderpath=/appsuite/api/oxguard/reader/reader.html'''


com.openexchange.guard.rsacachecount=100
Full path after domain name for the external reader (if changed from default)


Number of RSA keys to pre-generate
==Optional Configuration Settings==


com.openexchange.guard.keycachecheckinterval= 30


Interval in seconds to check the RSA cache and re-populate if less than rsacachecount
=== API SSL ===


com.openexchange.guard.rsacertainty=256
'''com.openexchange.guard.backend_ssl=true'''


Bit certainty for RSA key generation. Higher numbers assure the number is in fact prime but time consuming. Lower is much faster. May need to be lower if not using cache
Communication between Guard and the OX backend is set to HTTP by default. All items to be encrypted are already encrypted at this point, but other information (sender name, filename, etc) could appear in plaintext here. If SSL is desired, sest to true.




Passwords
=== Incoming SSL ===


com.openexchange.guard.newpasslength=8
Communication between the frontend load balancer (APACHE or otherwise) to Guard is by default HTTP (if protected network). To have Guard listen on an SSL socket, the following needs to be set


Length of the randomly generated passwords when a user resets password.
'''com.openexchange.guard.useSSL= true'''


com.openexchange.guard.minpasswordlength=6
Enables jetty listener for ssl


Minimum password length
'''com.openexchange.guard.SSLPort= 8443'''


Jetty will listen on defined port for ssl connections


Backend
'''com.openexchange.guard.SSLKeyStore= xxxx'''


com.openexchange.guard.oxbackendpath=/ajax/
Location of the keystore with ssl keys


URL used to communicated directly with the OX backend
'''com.openexchange.guard.SSLKeyName= xxxx'''


com.openexchange.guard.oxbackendidletime=60
Name/alieas of the key to use


HTTP connections to the backend are kept open for faster response. This is the timeout setting that will close idle connections.
'''com.openexchange.guard.SSLKeyPass= xxxx'''


com.openexchange.guard.configdbname=configdb
Password for the ssl key


Name of the configdb database


=== Recovery ===


Guest Accounts
If you do not want password recovery available, you can disable by adding


com.openexchange.guard.shardsize=1000
'''com.openexchange.guard.noRecovery= true'''


Guest users data are placed in databases oxguard_x. After set number of users, another database shard is created
Keep in mind, that a lost password will result in total loss of encrypted data


com.openexchange.guard.externalreaderpath=/appsuite/api/oxguard/reader/reader.html
Users will be able to change their passwords if they remember their current/old password. But they won't be able to create a new password in the event it is forgotten.


Full path after domain name for the external reader (if changed from default)
Users without recovery would have to create new keys, with a new password, to continue to use Guard.  These keys would apply to future encrypted items, not the old ones.


Guests that forget their passwords will need to have their account reset from the command line tool (this will create new keys for them, and send them a new password)


Misc
=== Misc ===


com.openexchange.guard.defaultlanguage=en_US
'''com.openexchange.guard.defaultlanguage=en_US'''


Default language if a language is requested but not available
Default language if a language is requested but not available

Latest revision as of 15:50, 8 July 2019

Cascade Options

Main Options

com.openexchange.capability.guard=true

Enables Guard. If not set, no guard functions will be loaded in the UI. Needed if users should be able to do ANY Guard functions including reading encrypted emails. This level will allow users without "guard-mail" enabled to read emails sent to them, reply to those emails, but not create new emails. Recommended minimum level for all users.

com.openexchange.capability.guard-mail=true

Enables the user(s) ability to send encrypted emails. If False but guard enabled, they can read encrypted emails and reply to the original sender, but they cannot compose new emails

com.openexchange.capability.guard-drive=true

Enables the drive functionality. If false, user(s) will not be able to decode nor upload new encrypted files

Optional Cascade Options

Capabilities

com.openexchange.capability.guard-pin

Enables optional PIN function when sending emails to non-ox users. Will provide an additional 4 digit pin that should be sent to the recipient. Extra protection during the time that the temporary password was assigned and sent.

com.openexchange.capability.guard-nodeleterecovery

(Guard 2.0) Disable the ability of the user to delete the recovery keys. Makes it impossible to reset password, but also adds level of protection/security

com.openexchange.capability.guard-norecovery

(Guard 2.0) Password recovery is disabled. No way to recover a lost or forgotten password. Increases security, but a lost password means lost data.

com.openexchange.capability.guard-nodeleteprivate

(Guard 2.0) Disable the ability of the user to delete their private key. They can revoke it, but not delete the key.

com.openexchange.guard.secureReply

(Guard 2.2) Normally, when a person replies from an encrypted email, the reply is automatically encrypted. Set to false to disable this automatic encryption


com.openexchange.capability.guard-nodeleteonrevoke (Depreciated as of Guard 2.0)

Default when revoking an item is to delete the content key, making the item impossible to decode. If this option is true, then the item is merely expired and can later be retrieved for decoding in case of legal requirements, corporate requirements, etc

com.openexchange.capability.guard-noextra (Depreciated as of Guard 2.0)

Disables the ability to add an extra password to encrypted items. May be required by some industry

Configuration Variables

com.openexchange.guard.fromEmail= name<email>

Email address to use as the From address when sending automated emails (First password, password reset)


com.openexchange.guard.externalReaderURL

When sending an email to a guest, this URL is used for the link to the Guest reader

com.openexchange.guard.externalOxUI

PGP MIME emails are sent with a help file attached. This is the URL to the main appsuite UI that is included in the help file


com.openexchange.guard.templateID

Define template customization ID for the Guest reader emails, the Guest reader, and system emails. See Customization for details

Configuration file (guard.properties)

Database

com.openexchange.guard.configdbHostname=localhost

The address of the mysql database that contains the OX Backend configdb. This is used during initial setup and database sharding

com.openexchange.guard.oxguardDatabaseHostname=localhost

The address of the mysql database for OxGuard data. May be the same as the OX mysql database

com.openexchange.guard.oxguardDatabaseRead

Optional read-only IP/name for the Guard database.

com.openexchange.guard.oxguardShardDatabase

IP/Name for the location of the next Guest database shard. Additional shards will be created on this database

com.openexchange.guard.databaseUsername=username

The username to access the OX Backend and Guard database. This user needs to have select, create, lock, insert, update privileges. Guard database user also should have alter (for updates), drop, index

com.openexchange.guard.databasePassword=password

The password for the databases

OX API

com.openexchange.guard.restApiHostname=localhost

The address for the OX REST API. It would be the location of the OX Backend

com.openexchange.guard.OXBackendPort = 8009

The port for the OX Backend. Default is 8009 (which is direct communication with the backend). Could be 80, etc, if going through load balancers

com.openexchange.guard.restApiUsername=open-xchange com.openexchange.guard.restApiPassword=secret

Username and password for the REST API

com.openexchange.guard.externalEmailURL=example.com

Support API

If the support API is to be used, a username and password should be configured

com.openexchange.guard.supportapiusername=xxxxx

com.openexchange.guard.supportapipassword=yyyyy


When a user is deleted, the Private keys are saved in a temporary deleted Keys table (in case of accidental deletion). If support "exposes" the key, the user can then retrieve it using link generated. For security reasons, this link is only valid for a short period of time.

com.openexchange.guard.exposedKeyDurationInHours=168

File Store

When non-ox users get an email with a link to read the message, an external url is required so they can visit the non-ox reader page. This should be the public domain that would prefix /appsuite/api/guard/reader

com.openexchange.guard.storage.type=file

Local/remote storage is required for temporary caching of non-ox encrypted emails. This can be an attached file store, or Amazon S3 compatible object store. Values are “file” or “s3”

com.openexchange.guard.storage.file.uploadDirectory=/var/spool/open-xchange/guard/uploads

Location of local filestore if type was “file”

com.openexchange.guard.storage.s3.endpoint=

com.openexchange.guard.storage.s3.bucketName=

com.openexchange.guard.storage.s3.region=

com.openexchange.guard.storage.s3.accessKey=

com.openexchange.guard.storage.s3.secretKey=

S3 configuration options if filestore selected was S3

com.openexchange.guard.cacheDays=30

How many days emails are kept in file store before being deleted. Measured from time of sending, reset when someone reads the email

com.openexchange.guard.cronHour=2

Time that the filestore is checked for old items


Crypto

com.openexchange.guard.aesKeyLength=256 (Depreciated)

AES Key length. 256 is preferred, but not supported on all systems. May need to have java unlimeted key strength pack installed

com.openexchange.guard.rsaKeyLength=2048

RSA key length. Used when creating PGP keys

com.openexchange.guard.keyValidDays=3650

Length of time for PGP key validity. Set to 0 if no expiration date

PGP

com.openexchange.guard.publicPGPDirectory

List of PGP Public key servers to query for public keys

com.openexchange.guard.publicKeyWhitelist

A list of IP addresses of TRUSTED Guard servers. When the public PGP key server is queried, it will normally only find Guard keys that have already been created. If on the whitelist, the Guard server will also query the OX backend to see if the email address exists on the OX system, and if so, will create new keys for the user

com.openexchange.guard.keyValidDays

PGP keys created will only be valid for this number of days. Default is 10 years

Email

com.openexchange.guard.guestSMTPServer=smtp.example.com

com.openexchange.guard.guestSMTPPort=25

com.openexchange.guard.guestSMTPUsername=

com.openexchange.guard.guestSMTPPassword=

SMTP settings for outgoing emails from the guest reader. Emails sent from within the system use the OX Backend. The guest reader, however, sends replies through this SMTP. In addition, password emails (reset, initial) are sent through the SMTP server

Remote

com.openexchange.guard.pgpCacheDays=7

When looking up remote PGP keys, if found, the keys will be stored in a temporary cache. Set number of days until the cache item is expired and remote lookup is repeated.

Optional

com.openexchange.guard.usestarttls = true

Use TLS when delivering to the SMTP server when available

Bad attempts

com.openexchange.guard.badMinuteLock= 10

Defines how long someone will be locked out after bad attempts. Default 10

com.openexchange.guard.badPasswordCount= 5

Defines how many times a person can attempt to unlock an encrypted item before being locked out. Default 5

com.openexchange.guard.badIpCount: 10

Defines how many times an outside computer can request a public key that doesn't exist before being locked out


RSA Key Generation

com.openexchange.guard.rsacache=true

RSA keys are pre-generated in the background, encrypted, and stored for future user keys. RSA key generation is the most time consuming function and the RSA cache significantly improves new user creation time

com.openexchange.guard.rsacachecount=100

Number of RSA keys to pre-generate

com.openexchange.guard.keycachecheckinterval= 30

Interval in seconds to check the RSA cache and re-populate if less than rsacachecount

com.openexchange.guard.rsacertainty=256

Bit certainty for RSA key generation. Higher numbers assure the number is in fact prime but time consuming. Lower is much faster. May need to be lower if not using cache


Passwords

com.openexchange.guard.newpasslength=8

Length of the randomly generated passwords when a user resets password.

com.openexchange.guard.minpasswordlength=6

Minimum password length


Backend

com.openexchange.guard.oxbackendpath=/ajax/

URL used to communicated directly with the OX backend

com.openexchange.guard.oxbackendidletime=60

HTTP connections to the backend are kept open for faster response. This is the timeout setting that will close idle connections.

com.openexchange.guard.configdbname=configdb

Name of the configdb database

Support

com.openexchange.guard.supportApiUsername

Username for the support API

com.openexchange.guard.supportApiPassword

Password for the support API

Guest Accounts

com.openexchange.guard.shardsize=1000

Guest users data are placed in databases oxguard_x. After set number of users, another database shard is created

com.openexchange.guard.externalreaderpath=/appsuite/api/oxguard/reader/reader.html

Full path after domain name for the external reader (if changed from default)

Optional Configuration Settings

API SSL

com.openexchange.guard.backend_ssl=true

Communication between Guard and the OX backend is set to HTTP by default. All items to be encrypted are already encrypted at this point, but other information (sender name, filename, etc) could appear in plaintext here. If SSL is desired, sest to true.


Incoming SSL

Communication between the frontend load balancer (APACHE or otherwise) to Guard is by default HTTP (if protected network). To have Guard listen on an SSL socket, the following needs to be set

com.openexchange.guard.useSSL= true

Enables jetty listener for ssl

com.openexchange.guard.SSLPort= 8443

Jetty will listen on defined port for ssl connections

com.openexchange.guard.SSLKeyStore= xxxx

Location of the keystore with ssl keys

com.openexchange.guard.SSLKeyName= xxxx

Name/alieas of the key to use

com.openexchange.guard.SSLKeyPass= xxxx

Password for the ssl key


Recovery

If you do not want password recovery available, you can disable by adding

com.openexchange.guard.noRecovery= true

Keep in mind, that a lost password will result in total loss of encrypted data

Users will be able to change their passwords if they remember their current/old password. But they won't be able to create a new password in the event it is forgotten.

Users without recovery would have to create new keys, with a new password, to continue to use Guard. These keys would apply to future encrypted items, not the old ones.

Guests that forget their passwords will need to have their account reset from the command line tool (this will create new keys for them, and send them a new password)

Misc

com.openexchange.guard.defaultlanguage=en_US

Default language if a language is requested but not available