E2E Encryption Configuration

Overview#

Configuration for the MindLink End-to-End Encryption (E2EE) system.

Configuration#

Setting up E2EE first requires MCE to be configured; see MCE Configuration.

| Key | Value | Description |
|---|---|---|
| debug.connector.mce.encryption.enabled | true | Enables E2EE. |
| debug.encryption.publickeyrepository.clientcertificate.thumbprint | b71ef8fb1fdbd39f49bb1acb4037c2726155abcd | The thumbprint of the certificate that the MindLink Server presents to the public key repository when fetching CoI public keys. |
| debug.encryption.publickeyrepository.searchspace | O=My Org, C=US | Constrains the LDAP search filter to the location of the CoI entries for a more efficient search, e.g. "OU=NSA, OU=DoD, O=U.S. Government, C=US". |
| debug.encryption.publickeyrepository.externalserviceurl | coi.domain.local | The FQDN of the public key repository. |
| debug.encryption.publickeyrepository.externalserviceport | 3002 | The port on which to connect to the public key repository. |
| debug.encryption.decryption.externalserviceurls | https://DS1.local:8443/cois,https://DS2.local:8443/cois | A comma-separated list of CoI decryption service URLs. |
| debug.encryption.maximumexpirationintervalhours | 48 | [OPTIONAL] The maximum encryption key expiration time that can be configured for a Security Context. Defaults to 168 hours (7 days) if not provided. |
| debug.encryption.encryptionkey.expirationtimehours | 24 | [OPTIONAL] The default encryption key expiration time for a group whose Security Context has no expiration time configured. Defaults to 168 hours (7 days) if not provided. |
| debug.connector.mce.multiplesecuritycontexts.enabled | true | [OPTIONAL] Whether to enable multi-CoI group creation. Note: this is off by default. |
| debug.connector.mce.enablebypass | true | [OPTIONAL] Whether to allow users to log in without being enabled in the MCE environment. Note: this is off by default. |
| debug.datalabelling.instantmessaging.disabled | true | [OPTIONAL] Whether to disable data labelling for instant messaging. Note: data labelling is enabled by default. |
| debug.encryption.ocsp.enabled | true | [OPTIONAL] Whether to enable OCSP certificate status validation for CoI certificates. Note: this is off by default. |
| debug.encryption.ocsp.endpoint | http://coi-ca.local/ocsp | The URL of the OCSP responder. Note: this is required if and only if OCSP certificate status validation is enabled. |
| debug.encryption.publickeyrepository.cacertificates.thumbprints | c0223705efc595adbbe2092336fa89d10ffd4209,47beabc922eae80e78783462a79f45c254fde68b | A comma-separated list of thumbprints of the Certificate Authority certificates used to issue CoI certificates. Note: these are required if and only if OCSP certificate status validation is enabled. |
| debug.encryption.ocsp.strictnonce | true | [OPTIONAL] Whether to require the OCSP nonce extension. The OCSP responder must be configured to support the nonce extension when this is enabled: a response that does not carry the matching nonce is rejected, and encryption functions are denied. |
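The table carries several conditional rules (the OCSP endpoint and issuing-CA thumbprints are required exactly when OCSP validation is on, a group's key expiry must not exceed the configured maximum, strictnonce is meaningless without OCSP) that are easy to get wrong by hand. The following pre-deployment check is an added example, not MindLink tooling; it assumes, hypothetically, that the settings are supplied as `key=value` lines, and the sample configuration it embeds is constructed from the table's own values.

```python
# Added example (not MindLink's own code): consistency check for the E2EE settings above.
# Assumes, hypothetically, that settings are supplied as 'key=value' lines.
import re
from urllib.parse import urlparse

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
DEFAULT_EXPIRY_HOURS = 168  # documented default (7 days) for both expiry settings
E = "debug.encryption."
P = E + "publickeyrepository."

# Constructed sample using the table's values, with OCSP validation enabled.
SAMPLE_CONFIG = """\
debug.connector.mce.encryption.enabled=true
debug.encryption.publickeyrepository.clientcertificate.thumbprint=b71ef8fb1fdbd39f49bb1acb4037c2726155abcd
debug.encryption.publickeyrepository.searchspace=O=My Org, C=US
debug.encryption.publickeyrepository.externalserviceurl=coi.domain.local
debug.encryption.publickeyrepository.externalserviceport=3002
debug.encryption.decryption.externalserviceurls=https://DS1.local:8443/cois,https://DS2.local:8443/cois
debug.encryption.maximumexpirationintervalhours=48
debug.encryption.encryptionkey.expirationtimehours=24
debug.encryption.ocsp.enabled=true
debug.encryption.ocsp.endpoint=http://coi-ca.local/ocsp
debug.encryption.publickeyrepository.cacertificates.thumbprints=c0223705efc595adbbe2092336fa89d10ffd4209,47beabc922eae80e78783462a79f45c254fde68b
debug.encryption.ocsp.strictnonce=true
"""

def parse_config(text):
    """Parse 'key=value' lines into a dict, splitting on the first '=' only so
    LDAP values such as 'O=My Org, C=US' survive; blanks and '#' lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"malformed line (no '='): {raw!r}")
            cfg[key.strip()] = value.strip()
    return cfg

def _flag(cfg, key, problems):
    """Optional boolean setting; off when absent, as the table states."""
    value = cfg.get(key, "false").lower()
    if value not in ("true", "false"):
        problems.append(f"{key}: expected true/false, got {cfg[key]!r}")
    return value == "true"

def _hours(cfg, key, problems):
    """Optional positive hour count, defaulting to 168 when absent or invalid."""
    value = cfg.get(key)
    if value is None:
        return DEFAULT_EXPIRY_HOURS
    if not (value.isdigit() and int(value) > 0):
        problems.append(f"{key}: expected a positive number of hours, got {value!r}")
        return DEFAULT_EXPIRY_HOURS
    return int(value)

def _csv(cfg, key):
    return [item.strip() for item in cfg.get(key, "").split(",") if item.strip()]

def validate(cfg):
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems = []
    if not _flag(cfg, "debug.connector.mce.encryption.enabled", problems):
        problems.append("debug.connector.mce.encryption.enabled must be true for E2EE")
    for key in (P + "clientcertificate.thumbprint", P + "searchspace", P + "externalserviceurl",
                P + "externalserviceport", E + "decryption.externalserviceurls"):
        if not cfg.get(key):
            problems.append(f"{key}: required but missing")
    thumb = cfg.get(P + "clientcertificate.thumbprint", "")
    if thumb and not SHA1_HEX.match(thumb):
        problems.append(f"{P}clientcertificate.thumbprint: not a 40-hex-digit SHA-1 thumbprint")
    port = cfg.get(P + "externalserviceport", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"{P}externalserviceport: not a valid TCP port: {port!r}")
    # Decryption services hand out CoI key material: insist on https with a host.
    for url in _csv(cfg, E + "decryption.externalserviceurls"):
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.hostname:
            problems.append(f"{E}decryption.externalserviceurls: {url!r} is not an https URL")
    # A group's key lifetime may not exceed the administrator-defined maximum.
    maximum = _hours(cfg, E + "maximumexpirationintervalhours", problems)
    expiry = _hours(cfg, E + "encryptionkey.expirationtimehours", problems)
    if expiry > maximum:
        problems.append(f"{E}encryptionkey.expirationtimehours ({expiry}) exceeds "
                        f"{E}maximumexpirationintervalhours ({maximum})")
    # OCSP endpoint and issuing-CA thumbprints are required exactly when validation is on.
    ocsp = _flag(cfg, E + "ocsp.enabled", problems)
    if ocsp:
        endpoint = urlparse(cfg.get(E + "ocsp.endpoint", ""))
        if endpoint.scheme not in ("http", "https") or not endpoint.hostname:
            problems.append(f"{E}ocsp.endpoint: must be an http(s) URL when OCSP is enabled")
        ca_thumbs = _csv(cfg, P + "cacertificates.thumbprints")
        if not ca_thumbs:
            problems.append(f"{P}cacertificates.thumbprints: required when OCSP is enabled")
        problems.extend(f"{P}cacertificates.thumbprints: {t!r} is not a 40-hex-digit thumbprint"
                        for t in ca_thumbs if not SHA1_HEX.match(t))
    if _flag(cfg, E + "ocsp.strictnonce", problems) and not ocsp:
        problems.append(f"{E}ocsp.strictnonce=true has no effect while {E}ocsp.enabled is false")
    return problems

if __name__ == "__main__":
    for line in validate(parse_config(SAMPLE_CONFIG)) or ["configuration is consistent"]:
        print(line)
```

Run it against the settings file before restarting the MindLink Server: a non-empty result lists each inconsistency by key. The https requirement on the decryption service URLs and the port range check are the example's own choices, added because a plaintext or malformed endpoint would otherwise only surface as a runtime failure.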