Revision as of 17:52, 5 June 2015 by Greg.hill (talk | contribs) (Main Options)

Cascade Options

Main Options


Enables Guard. If not set, no guard functions will be loaded in the UI. Needed if users should be able to do ANY Guard functions including reading encrypted emails. This level will allow users without "guard-mail" enabled to read emails sent to them, reply to those emails, but not create new emails. Recommended minimum level for all users.


Enables the user(s) ability to send encrypted emails. If False but guard enabled, they can read encrypted emails and reply to the original sender, but they cannot compose new emails


Enables the drive functionality. If false, user(s) will not be able to decode nor upload new encrypted files

Optional Cascade Options


Enables optional PIN function when sending emails to non-ox users. Will provide an additional 4 digit pin that should be sent to the recipient. Extra protection during the time that the temporary password was assigned and sent.


(Guard 2.0) Disable the ability of the user to delete the recovery keys. Makes it impossible to reset password, but also adds level of protection/security


(Guard 2.0) Password recovery is disabled. No way to recover a lost or forgotten password. Increases security, but a lost password means lost data.


(Guard 2.0) Disable the ability of the user to delete their private key. They can revoke it, but not delete the key.

com.openexchange.guard.fromEmail= name<email>

Email address to use as the From address when sending automated emails (First password, password reset)

com.openexchange.capability.guard-nodeleteonrevoke (Depreciated as of Guard 2.0)

Default when revoking an item is to delete the content key, making the item impossible to decode. If this option is true, then the item is merely expired and can later be retrieved for decoding in case of legal requirements, corporate requirements, etc

com.openexchange.capability.guard-noextra (Depreciated as of Guard 2.0)

Disables the ability to add an extra password to encrypted items. May be required by some industry

Configuration file (



The address of the mysql database that contains the OX Backend configdb. This is used during initial setup and database sharding


The address of the mysql database for OxGuard data. May be the same as the OX mysql database


The username to access the OX Backend and Guard database. This user needs to have select, create, lock, insert, update privileges. Guard database user also should have alter (for updates), drop, index


The password for the databases



The address for the OX REST API. It would be the location of the OX Backend

com.openexchange.guard.OXBackendPort = 8009

The port for the OX Backend. Default is 8009 (which is direct communication with the backend). Could be 80, etc, if going through load balancers

com.openexchange.guard.restApiUsername=open-xchange com.openexchange.guard.restApiPassword=secret

Username and password for the REST API

File Store

When non-ox users get an email with a link to read the message, an external url is required so they can visit the non-ox reader page. This should be the public domain that would prefix /appsuite/api/guard/reader

Local/remote storage is required for temporary caching of non-ox encrypted emails. This can be an attached file store, or Amazon S3 compatible object store. Values are “file” or “s3”

Location of local filestore if type was “file”

S3 configuration options if filestore selected was S3


How many days emails are kept in file store before being deleted. Measured from time of sending, reset when someone reads the email


Time that the filestore is checked for old items



AES Key length. 256 is preferred, but not supported on all systems. May need to have java unlimeted key strength pack installed


RSA key length.





SMTP settings for outgoing emails from the guest reader. Emails sent from within the system use the OX Backend. The guest reader, however, sends replies through this SMTP. In addition, password emails (reset, initial) are sent through the SMTP server


com.openexchange.guard.maxremote = 100

Maximum number of remote emails that can be recieved in lockout period (


com.openexchange.guard.usestarttls = true

Use TLS when delivering to the SMTP server when available

Bad attempts

com.openexchange.guard.badMinuteLock= 10

Defines how long someone will be locked out after bad attempts. Default 10

com.openexchange.guard.badPasswordCount= 5

Defines how many times a person can attempt to unlock an encrypted item before being locked out. Default 5

com.openexchange.guard.badIpCount: 10

Defines how many times an outside computer can request a public key that doesn't exist before being locked out

RSA Key Generation


RSA keys are pre-generated in the background, encrypted, and stored for future user keys. RSA key generation is the most time consuming function and the RSA cache significantly improves new user creation time


Number of RSA keys to pre-generate

com.openexchange.guard.keycachecheckinterval= 30

Interval in seconds to check the RSA cache and re-populate if less than rsacachecount


Bit certainty for RSA key generation. Higher numbers assure the number is in fact prime but time consuming. Lower is much faster. May need to be lower if not using cache



Length of the randomly generated passwords when a user resets password.


Minimum password length



URL used to communicated directly with the OX backend


HTTP connections to the backend are kept open for faster response. This is the timeout setting that will close idle connections.


Name of the configdb database

Guest Accounts


Guest users data are placed in databases oxguard_x. After set number of users, another database shard is created


Full path after domain name for the external reader (if changed from default)

Optional Configuration Settings



Communication between Guard and the OX backend is set to HTTP by default. All items to be encrypted are already encrypted at this point, but other information (sender name, filename, etc) could appear in plaintext here. If SSL is desired, sest to true.

Incoming SSL

Communication between the frontend load balancer (APACHE or otherwise) to Guard is by default HTTP (if protected network). To have Guard listen on an SSL socket, the following needs to be set

com.openexchange.guard.useSSL= true

Enables jetty listener for ssl

com.openexchange.guard.SSLPort= 8443

Jetty will listen on defined port for ssl connections

com.openexchange.guard.SSLKeyStore= xxxx

Location of the keystore with ssl keys

com.openexchange.guard.SSLKeyName= xxxx

Name/alieas of the key to use

com.openexchange.guard.SSLKeyPass= xxxx

Password for the ssl key


If you do not want password recovery available, you can disable by adding

com.openexchange.guard.noRecovery= true

Keep in mind, that a lost password will result in total loss of encrypted data



Default language if a language is requested but not available