---
	Configuration
	---
	EGIZ
	---
	2010
	---
	
MOCCA Configuration

	Since MOCCA version 1.3 {{{http://commons.apache.org/configuration/}commons-configuration}} is used for the main configuration of MOCCA.
	
	The configuration is built by the {{{./apidocs/at/gv/egiz/bku/spring/ConfigurationFactoryBean.html} ConfigurationFactoryBean}} class. It creates a composite configuration using a default configuration read from {{{./apidocs/constant-values.html#at.gv.egiz.bku.spring.ConfigurationFactoryBean.DEFAULT_CONFIG}ConfigurationFactoryBean.DEFAULT_CONFIG}} and an (optional) resource specified by {{{./apidocs/at/gv/egiz/bku/spring/ConfigurationFactoryBean.html#setConfigurationResource(org.springframework.core.io.Resource)}setConfigurationResource(org.springframework.core.io.Resource)}}. The latter {{{http://static.springsource.org/spring/docs/2.5.5/reference/resources.html}resource}} is usually injected via a {{{http://static.springsource.org/spring/docs/2.5.5/reference/beans.html}spring application context}}. See the configuration sections of MOCCA Online / MOCCA Local on how the configuration resource is constructed in their respective application contexts and on how to provide your own configuration file.
	
* Common Configuration Options

	A typical configuration file looks like this:
	
+------------------+
<?xml version="1.0" encoding="UTF-8"?>
<MoccaConfiguration version="1.0">
  <RegisterSecurityProviders>true</RegisterSecurityProviders>
  <DataURLConnection>
    <MaxHops>50</MaxHops>
  </DataURLConnection>
  <ValidateHashDataInputs>true</ValidateHashDataInputs>
  <SSL>
    <certDirectory>./certStore</certDirectory>
    <caDirectory>./trustStore</caDirectory>
  </SSL>
</MoccaConfiguration>
+------------------+

** Supported Configuration Parameters

	[<<<RegisterSecurityProviders>>>] Allows to control whether MOCCA should register the <required> Java {{{http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderArch}Cryptographic Service Providers}}. 
	
	NOTE: MOCCA will only work if the required security providers are registered. If this is set to <<<false>>>, the security providers must be registered by some other means (e.g. {{{http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderInstalling}registered statically}}). 
	
	Default: <<<true>>>
	
	[<<<DataURLConnection>>>]
	
		[<<<MaxHops>>>] Sets the number of consecutive requests allowed to be received from the {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/Bindings.en.html#http.ablauf.schritte}DataURL}} server.
		This allows to prevent infinite request loops caused by erroneous server implementations.
		
		Default: <<<50>>>

		[<<<Whitelist>>>] A list of allowed DataURLs, separated by commas.
		The entries are interpreted as {{{http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html}regular expressions}}.
		If this list is not present, any DataURL will be accepted. If it is empty, all DataURLs will be rejected.

	[<<<ValidateHashDataInputs>>>] Controls if to-be signed data is validated for conformity with the {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/viewerformat/ViewerFormat.en.html}standardised viewer format}} of the Austrian Citizen Card specification.
	
	Default: <<<true>>>
	
  [<<<enableFileURIs>>>] Whether to allow dereferencing of "file" URIs.

  Default: <<<false>>>    
	
	[<<<SSL>>>]
		
		The following two configuration elements must provide an URL which resolves to a directory in the file system. It may either be an absolute URL or a relative URL, which is resolved using the URL of the configuration file.
		
		[<<<certDirectory>>>] Specifies the URL of a certificate store directory. This directory must contain all certificates required to build a valid certification chain up to an anchor of trust (e.g. a certificate also contained in the trust store directory). Certificate filenames are hashed. To add new certificates to the certificate store directory create a sub-directory named <<<toBeAdded>>> and put the certificates into this directory. They will then be added to the certificate store upon startup of MOCCA.
		
		Default: <<<classpath:at/gv/egiz/bku/certs/certStore>>>
		
		[<<<caDirectory>>>] Specifies the URL of a trust store directory. This directory must contain all certificates considered as a root of trust.
		
		NOTE: Any certificate in the trust store directory must also be present in the certificate store directory!
		
		Default: <<<classpath:at/gv/egiz/bku/certs/trustStore>>>
		
		[<<<sslProtocol>>>] Options: <<<TLS>>> (default) or <<<SSL>>>
		
		[<<<revocationServiceOrder>>>] Comma-separated (ordered) list of revocation services to be used, e.g. "<<<OCSP,CRL>>>". Any revocation service not contained in the list will be disabled.

		Default: <<<CRL,OCSP>>>

		[]
		
		NOTE: Do not enable the following two options in production environments!

		[<<<disableHostnameVerification>>>] May be set to <<<true>>> to disable verification of the server host name given in the server's certificate.
		
		Default: <<<false>>>
		
		[<<<disableAllChecks>>>] May be set to <<<true>>> to disable all TSL/SSL related checks.
		
		Default: <<<false>>>

	[<<<ProductName>>>] May be specified to set the product name given by the <<<Server>>> and <<<User-Agent>>> HTTP headers as specified by {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/bindings.en.html#http}HTTP binding}}.


	[<<<ProductVersion>>>] May be specified to set the product version given by the <<<Server>>> and <<<User-Agent>>> HTTP headers as specified by {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/bindings.en.html#http}HTTP binding}}.


	[<<<SignatureLayout>>>] May be specified to set the <<<SignatureLayout>>> HTTP header.


	[<<<AccessController>>>]

		Citizen Card Environment access control configuration file

		[<<<PolicyResource>>>]

		Default: <<<classpath:/at/gv/egiz/bku/accesscontrol/config/accessControlConfig.xml>>>

	[<<<UseStrongHash>>>] The hash algorithms default to SHA-256 or RIPEMD-160, depending on card support.
	If this option is set to false, SHA-1 is used.

	Default: <<<true>>>

	[<<<UseStylesheetURL>>>] By default, provided StylesheetURLs will be ignored.
	To enable this feature, set this to true.

	Default: <<<false>>>

	[<<<UseSWCard>>>] Use provided key and certificate files instead of a smart card.
	This feature expects the following files:

	* <<<smcc/secure.p12>>>: keystore containing the secure signature key pair (under the friendly name <<<SecureSignatureKeypair>>>)

	* <<<smcc/secure.pwd>>>: plain text file containing the password of the above key store

	* <<<smcc/secure.cer>>>: corresponding certificate

	* <<<smcc/certified.p12>>>: keystore containing the certified key pair (under the friendly name <<<CertifiedKeypair>>>)

	* <<<smcc/certified.pwd>>>: plain text file containing the password of the above key store

	* <<<smcc/certified.cer>>>: corresponding certificate

	[]

	Default: <<<false>>>

	[<<<IssuerTemplateCache>>>] Initialize the issuer template transformations cache

	This feature allows to initialize the issuer template transformations cache
	so they don't have to be downloaded every time MOCCA is restarted.

	Usage:

+------------------+
<IssuerTemplateCache>
  <entry>
    <url>http://www.a-trust.at/zmr/persb204.xsl</url>
    <resource>file:/tmp/issuerTemplates/persb204.xsl</resource>
  </entry>
  <entry>
    ...
  </entry>
</IssuerTemplateCache>
+------------------+


** MOCCA Local Only Configuration Parameters

	[<<<CCID>>>]

		Smart card interface device configuration options. Currently, only one configuration item.

		[<<<disablePinpad>>>] Whether to disable the pinpad on a card reader and use keyboard pin entry instead.

		Default: <<<false>>>

** MOCCA Online Only Configuration Parameters

	[<<<EnableP3PHeader>>>] Set to true to enable a P3P Header with the following contents:

		CP="NON DSP COR CUR ADM DEV TAI PSA PSD OUR DEL IND UNI COM NAV INT CNT STA";

		This means that you agree not to give away information collected about users (e.g. log files)

		This makes setting cookies from in iFrame served from another domain possible under Internet Explorer