E2E Encryption Configuration
Overview
Configuration for the MindLink End-to-End Encryption (E2EE) system.
Configuration
Setting up E2EE first requires configuration of MCE: MCE Configuration.
Key | Value | Description |
---|---|---|
debug.connector.mce.encryption.enabled | true | Enables E2EE. |
debug.encryption.publickeyrepository.clientcertificate.thumbprint | b71ef8fb1fdbd39f49bb1acb4037c2726155abcd | The thumbprint of the certificate that the MindLink Server will present to the public key repository to fetch CoI public keys. |
debug.encryption.publickeyrepository.searchspace | O=My Org, C=US | Constrains the LDAP search filter to the location of the CoI entries for more efficient search. E.g. "OU=NSA, OU=DoD, O=U.S. Government, C=US". |
debug.encryption.publickeyrepository.externalserviceurl | coi.domain.local | The FQDN of the public key repository. |
debug.encryption.publickeyrepository.externalserviceport | 3002 | The port to connect to on the public key repository. |
debug.encryption.decryption.externalserviceurls | https://DS1.local:8443/cois,https://DS2.local:8443/cois | A comma-separated list of CoI decryption service URLs. |
debug.encryption.maximumexpirationintervalhours | 48 | [OPTIONAL] Defines the maximum encryption key expiration time that can be configured for a Security Context. The default value for this configuration if none is provided is 168 hours (7 days). |
debug.encryption.encryptionkey.expirationtimehours | 24 | [OPTIONAL] This value is used as the default encryption key expiration time for a group if none was configured for the group Security Context. The default value for this configuration if none is provided is 168 hours (7 days). |
debug.connector.mce.multiplesecuritycontexts.enabled | true | [OPTIONAL] Whether to enable multi-CoI group creation. Note: This is off by default. |
debug.connector.mce.enablebypass | true | [OPTIONAL] Whether to allow users to log in without being enabled in the MCE environment. Note: This is off by default. |
debug.datalabelling.instantmessaging.disabled | true | [OPTIONAL] Whether to disable data labelling for instant messaging. Note: Data labelling is enabled by default. |
debug.encryption.ocsp.enabled | true | [OPTIONAL] Whether to enable CoI OCSP certificate status validation. Note: This is off by default. |
debug.encryption.ocsp.endpoint | http://coi-ca.local/ocsp | The FQDN of the OCSP service. Note: This is required if and only if OCSP certificate status validation is enabled. |
debug.encryption.publickeyrepository.cacertificates.thumbprints | c0223705efc595adbbe2092336fa89d10ffd4209,47beabc922eae80e78783462a79f45c254fde68b | A comma-separated list of thumbprints of the Certificate Authority certificates used to issue CoI certificates. Note: These are required if and only if OCSP certificate status validation is enabled. |
debug.encryption.ocsp.strictnonce | true | [OPTIONAL] Whether to enable the use of the NONCE extension for OCSP. The extension must be configured correctly on the OCSP server when this feature is enabled: any OCSP response that does not carry the correct NONCE information will cause encryption functions to be denied. |
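As an added example (not MindLink's own code or tooling), the following Python checks a flat key/value mapping of these settings against the constraints the table states: the keys that are not marked [OPTIONAL] must be present once E2EE is enabled, the two expiration settings default to 168 hours, and the OCSP endpoint and CA thumbprints are required if and only if OCSP certificate status validation is enabled. Assumptions not stated on the page: the configuration is available as a Python dict of strings (the page does not say how the keys are stored), thumbprints are 40-digit SHA-1 hex strings like the sample values, decryption service URLs must be absolute https URLs like the samples, and the per-group default key lifetime must not exceed the configured maximum.

```python
import re
from urllib.parse import urlsplit

DEFAULT_EXPIRATION_HOURS = 168  # default the table states for both expiration keys (7 days)
# Assumption: thumbprints are SHA-1 hex strings (40 hex digits), like the sample values in the table.
THUMBPRINT_RE = re.compile(r"^[0-9a-fA-F]{40}$")
PKR = "debug.encryption.publickeyrepository."
# Keys the table does not mark [OPTIONAL]; they must be present once E2EE is enabled.
REQUIRED_KEYS = (
    PKR + "clientcertificate.thumbprint", PKR + "searchspace", PKR + "externalserviceurl",
    PKR + "externalserviceport", "debug.encryption.decryption.externalserviceurls",
)


def _is_true(cfg, key):  # flags are true/false strings; an absent flag is off
    return str(cfg.get(key, "false")).strip().lower() == "true"


def _csv(cfg, key):  # comma-separated values, whitespace and empty items dropped
    return [item.strip() for item in str(cfg.get(key, "")).split(",") if item.strip()]


def _hours(cfg, key, problems):
    """Parse an [OPTIONAL] hours setting; absent means the 168 h default the table states."""
    raw = cfg.get(key)
    if raw is None:
        return DEFAULT_EXPIRATION_HOURS
    if not str(raw).strip().isdigit() or int(raw) <= 0:
        problems.append(f"ERROR: {key} must be a positive integer number of hours, got {raw!r}")
        return None
    return int(raw)


def validate_e2ee_config(cfg):
    """Return a list of 'ERROR: ...' / 'WARN: ...' strings; empty means the settings are consistent."""
    problems = []
    if not _is_true(cfg, "debug.connector.mce.encryption.enabled"):
        return ["WARN: debug.connector.mce.encryption.enabled is not true; E2EE is off and the remaining keys are inert"]
    for key in REQUIRED_KEYS:
        if not str(cfg.get(key, "")).strip():
            problems.append(f"ERROR: {key} is required when E2EE is enabled")
    # Client certificate the server presents to the public key repository.
    tp = str(cfg.get(PKR + "clientcertificate.thumbprint", "")).strip()
    if tp and not THUMBPRINT_RE.match(tp):
        problems.append("ERROR: clientcertificate.thumbprint is not a 40-digit hex thumbprint")
    port = str(cfg.get(PKR + "externalserviceport", "")).strip()
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"ERROR: externalserviceport must be 1-65535, got {port!r}")
    # Decryption service URLs; assumption: each is an absolute https URL like the samples.
    for url in _csv(cfg, "debug.encryption.decryption.externalserviceurls"):
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"ERROR: decryption service URL {url!r} is not an absolute https URL")
    # Key expiration; assumption: the per-group default may not exceed the configurable maximum.
    maximum = _hours(cfg, "debug.encryption.maximumexpirationintervalhours", problems)
    default = _hours(cfg, "debug.encryption.encryptionkey.expirationtimehours", problems)
    if maximum is not None and default is not None and default > maximum:
        problems.append(f"ERROR: encryptionkey.expirationtimehours ({default}) exceeds maximumexpirationintervalhours ({maximum})")
    # OCSP: endpoint and CA thumbprints are required if and only if OCSP validation is enabled.
    ocsp_on = _is_true(cfg, "debug.encryption.ocsp.enabled")
    endpoint = str(cfg.get("debug.encryption.ocsp.endpoint", "")).strip()
    cas = _csv(cfg, PKR + "cacertificates.thumbprints")
    if ocsp_on:
        if not endpoint:
            problems.append("ERROR: debug.encryption.ocsp.endpoint is required when ocsp.enabled is true")
        if not cas:
            problems.append("ERROR: publickeyrepository.cacertificates.thumbprints is required when ocsp.enabled is true")
        for ca in cas:
            if not THUMBPRINT_RE.match(ca):
                problems.append(f"ERROR: CA thumbprint {ca!r} is not a 40-digit hex thumbprint")
    elif endpoint or cas:
        problems.append("WARN: OCSP endpoint / CA thumbprints are set but ocsp.enabled is not true; they are ignored")
    return problems


# Constructed sample: the E2EE and OCSP values from the table above, which should validate cleanly.
GOOD_CONFIG = {
    "debug.connector.mce.encryption.enabled": "true",
    PKR + "clientcertificate.thumbprint": "b71ef8fb1fdbd39f49bb1acb4037c2726155abcd",
    PKR + "searchspace": "O=My Org, C=US",
    PKR + "externalserviceurl": "coi.domain.local",
    PKR + "externalserviceport": "3002",
    "debug.encryption.decryption.externalserviceurls": "https://DS1.local:8443/cois,https://DS2.local:8443/cois",
    "debug.encryption.maximumexpirationintervalhours": "48",
    "debug.encryption.encryptionkey.expirationtimehours": "24",
    "debug.encryption.ocsp.enabled": "true",
    "debug.encryption.ocsp.endpoint": "http://coi-ca.local/ocsp",
    PKR + "cacertificates.thumbprints": "c0223705efc595adbbe2092336fa89d10ffd4209,47beabc922eae80e78783462a79f45c254fde68b",
    "debug.encryption.ocsp.strictnonce": "true",
}

# Constructed sample with two mistakes: OCSP enabled without an endpoint, and a default key
# lifetime (72 h) longer than the configured maximum (48 h).
BAD_CONFIG = {k: v for k, v in GOOD_CONFIG.items() if k != "debug.encryption.ocsp.endpoint"}
BAD_CONFIG["debug.encryption.encryptionkey.expirationtimehours"] = "72"

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_e2ee_config(cfg) or ["OK"])
```

Run it before rolling a configuration change out; a non-empty list for a configuration you expected to be clean usually points at the OCSP pairing rule or at a key lifetime above the maximum, both of which only surface at runtime otherwise.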