KeyMaster configuration

These DataSource configuration items allow a DataSource application to work with KeyMaster.

Use these configuration items to set up Liberator, Transformer and C-based Integration Adapters so they can work with KeyMaster. KeyMaster is used to authenticate user logins to Liberator via a single sign-on facility. It can also be used to authenticate monitoring connections to Liberator, Transformer and C-based Integration Adapters.

Note: KeyMaster can't be used in Java-based DataSource applications, so these configuration items don't apply to them.

Contents:

add-sigkey

add-sigkey specifies the properties of a signature key.

Use in: C

Syntax:

add-sigkey
   key-id [string]
   hashing-algorithm [integer/string]
   keyfile [string]
   timeout [float]
end-sigkey

The options for add-sigkey are:

Name Type Default Description
hashing-algorithm integer or string

0
(="md5")

The algorithm to use for validating the digital signature in user credentials tokens provided by KeyMaster.

The hashing algorithms that DataSource applications can use are:

md5       or 0    MD5 algorithm
sha256    or 1    SHA256withRSA algorithm
sha384    or 2    SHA384 algorithm
sha512    or 3    SHA512 algorithm
sha1      orSHA1 algorithm

ripemd160 or 5    RIPEMD160 algorithm

Pick the setting that corresponds to the algorithm used by your KeyMaster Signature Generator.

key-id string [none]

A name identifying the signature key.

If you're setting up KeyMaster for Liberator, and the Liberator is using the XMLauth authentication module, the key-id must correspond to a sigkey-id attribute in the XMLauth users.xml configuration file.

(For more about XMLauth, see Liberator user authentication and permissioning.)

keyfile string [none]

The filename and path of the DER (binary) format public key file.

The directory path can contain the parameter %r, which is replaced at run time by the root directory under which this DataSource application runs.

timeout float 0.0

The length of time in seconds for which a user credentials token is valid.

This overrides the signature-validtime configuration item.

Example of add-sigkey:

add-sigkey
   key-id               testkey
   keyfile              %r/etc/publickey.der
   hashing-algorithm    sha256
   timeout 300
end-sigkey

signature-hashsize

signature-hashsize specifies the size in buckets of the hash table for storing signature keys.

Use this configuration item to tune the Liberator's performance when authorizing users; set it to twice the number of user credentials tokens that are likely to be created within the configured time out period (as defined by the configuration item signature-validtime and the timeout option of add-sigkey).

Use in: C

Syntax: signature-hashsize <hash-table-size-in-buckets>

Type: integer

Default value: 8192

Values accepted:

  • Minimum: 1024

signature-validtime

signature-validtime specifies the length of time in seconds for which a user credentials token is valid. This timeout applies to any user credentials token that doesn't have a specific timeout configuration item defined for it in the timeout option of an add-sigkey item.

Use in: C

Syntax: signature-validtime <time-in-seconds>

Type: float

Default value: 600.0 (= 10 minutes)


See also: