KeyMaster configuration
These DataSource configuration items allow a DataSource application to work with KeyMaster.
Use these configuration items to set up Liberator, Transformer and C-based Integration Adapters so they can work with KeyMaster. KeyMaster is used to authenticate user logins to Liberator via a single sign-on facility. It can also be used to authenticate monitoring connections to Liberator, Transformer and C-based Integration Adapters.
KeyMaster can’t be used in Java-based DataSource applications, so these configuration items don’t apply to them.
add-sigkey
add-sigkey specifies the properties of a signature key.
Use in: C
Syntax:
add-sigkey hashing-algorithm [integer/string] key-id [string] keyfile [string] timeout [float] end-sigkey
- hashing-algorithm
  Type: integer/string | Default: 0
  The algorithm to use for validating the digital signature in user credentials tokens provided by KeyMaster.
  The hashing algorithms that DataSource applications can use are:
  - md5 or 0: MD5 algorithm
  - sha256 or 1: SHA256withRSA algorithm
  - sha384 or 2: SHA384 algorithm
  - sha512 or 3: SHA512 algorithm
  - sha1 or 4: SHA1 algorithm
  - ripemd160 or 5: RIPEMD160 algorithm
  Pick the setting that corresponds to the algorithm used by your KeyMaster Signature Generator.
- key-id
  Type: string | Default: null
  A name identifying the signature key.
  If you’re setting up KeyMaster for Liberator, and the Liberator is using the XMLauth authentication module, the key-id must correspond to a sigkey-id attribute in the XMLauth users.xml configuration file. (For more about XMLauth, see Liberator user authentication and permissioning.)
- keyfile
  Type: string | Default: null
  The filename and path of the DER (binary) format public key file.
  The directory path can contain the parameter %r, which is replaced at run time by the root directory under which this DataSource application runs.
- timeout
  Type: float | Default: 0.0
  The length of time in seconds for which a user credentials token is valid.
  This overrides the signature-validtime configuration item.
Example:
add-sigkey key-id testkey keyfile %r/etc/publickey.der hashing-algorithm sha256 timeout 300 end-sigkey
signature-hashsize
signature-hashsize specifies the size in buckets of the hash table for storing signature keys.
Use this configuration item to tune the Liberator’s performance when authorizing users; set it to twice the number of user credentials tokens that are likely to be created within the configured timeout period (as defined by the configuration item signature-validtime and the timeout option of add-sigkey).
Use in: C
Syntax: signature-hashsize <hash-table-size-in-buckets>
Type: integer
Default value: 8192
Values accepted: Minimum: 1024
signature-validtime
signature-validtime specifies the length of time in seconds for which a user credentials token is valid. This timeout applies to any user credentials token that doesn’t have a specific timeout configuration item defined for it in the timeout option of an add-sigkey item.
Use in: C
Syntax: signature-validtime <time-in-seconds>
Type: float
Default value: 600.0 (= 10 minutes)
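Because hashing-algorithm defaults to 0 (md5) and timeout falls back to signature-validtime, the settings actually in force for a key are not always visible in its add-sigkey block. The following audit script is an added example, not Caplin code: it resolves the effective algorithm and token lifetime for each key-id and flags MD5 or SHA-1. It assumes a whitespace-separated configuration with no comments; the function names, the sample key-ids and file names, and the choice to treat md5 and sha1 as weak are the example's own.

```python
ALGORITHMS = {"0": "md5", "1": "sha256", "2": "sha384",      # numeric and string
              "3": "sha512", "4": "sha1", "5": "ripemd160"}  # forms listed above
WEAK = {"md5", "sha1"}        # hashes with known collision attacks (example policy)
DEFAULT_VALIDTIME = 600.0     # documented default of signature-validtime

# Constructed sample configuration; key-ids and file names are made up.
SAMPLE = """
signature-validtime 120
add-sigkey key-id testkey keyfile %r/etc/publickey.der hashing-algorithm sha256 timeout 300 end-sigkey
add-sigkey key-id legacy keyfile %r/etc/legacy.der end-sigkey
add-sigkey key-id old hashing-algorithm 4 keyfile %r/etc/old.der end-sigkey
"""


def parse(config_text):
    """Return (signature-validtime in effect, one option dict per add-sigkey block)."""
    tokens = config_text.split()  # assumption: no comments, no whitespace inside values
    validtime, blocks, i = DEFAULT_VALIDTIME, [], 0
    while i < len(tokens):
        if tokens[i] == "signature-validtime" and i + 1 < len(tokens):
            validtime = float(tokens[i + 1])
            i += 2
        elif tokens[i] == "add-sigkey":
            end = tokens.index("end-sigkey", i)  # ValueError if the block is unterminated
            body = tokens[i + 1:end]
            if len(body) % 2:
                raise ValueError("add-sigkey option without a value")
            blocks.append(dict(zip(body[0::2], body[1::2])))
            i = end + 1
        else:
            i += 1                               # some other configuration item
    return validtime, blocks


def audit_sigkeys(config_text):
    """Return (effective settings per key-id, list of findings)."""
    validtime, blocks = parse(config_text)
    keys, findings = {}, []
    for block in blocks:
        key_id = block.get("key-id", "<no key-id>")
        raw = block.get("hashing-algorithm", "0")   # omitted means the default, 0
        algorithm = ALGORITHMS.get(raw, raw)
        # A per-key timeout overrides signature-validtime.
        timeout = float(block["timeout"]) if "timeout" in block else validtime
        keys[key_id] = {"algorithm": algorithm, "timeout": timeout}
        if "hashing-algorithm" not in block:
            findings.append(f"{key_id}: hashing-algorithm omitted, default 0 (md5) applies")
        elif algorithm in WEAK:
            findings.append(f"{key_id}: weak hashing-algorithm {algorithm}")
    return keys, findings
```

Calling audit_sigkeys(SAMPLE) reports the legacy and old keys and leaves testkey clean.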