---
Configuration
---
EGIZ
---
2010
---
MOCCA Configuration
Since MOCCA version 1.3 {{{http://commons.apache.org/configuration/}commons-configuration}} is used for the main configuration of MOCCA.
The configuration is built by the {{{./apidocs/at/gv/egiz/bku/spring/ConfigurationFactoryBean.html} ConfigurationFactoryBean}} class. It creates a composite configuration using a default configuration read from {{{./apidocs/constant-values.html#at.gv.egiz.bku.spring.ConfigurationFactoryBean.DEFAULT_CONFIG}ConfigurationFactoryBean.DEFAULT_CONFIG}} and an (optional) resource specified by {{{./apidocs/at/gv/egiz/bku/spring/ConfigurationFactoryBean.html#setConfigurationResource(org.springframework.core.io.Resource)}setConfigurationResource(org.springframework.core.io.Resource)}}. The latter {{{http://static.springsource.org/spring/docs/2.5.5/reference/resources.html}resource}} is usually injected via a {{{http://static.springsource.org/spring/docs/2.5.5/reference/beans.html}spring application context}}. See the configuration sections of MOCCA Online / MOCCA Local on how the configuration resource is constructed in their respective application contexts and on how to provide your own configuration file.
* Common Configuration Options
A typical configuration file looks like this:
+------------------+
true
50
true
./certStore
./trustStore
+------------------+
** Supported Configuration Parameters
[<<>>] Allows to control whether MOCCA should register the Java {{{http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderArch}Cryptographic Service Providers}}.
NOTE: MOCCA will only work if the required security providers are registered. If this is set to <<>>, the security providers must be registered by some other means (e.g. {{{http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderInstalling}registered statically}}).
Default: <<>>
[<<>>]
[<<>>] Sets the number of consecutive requests allowed to be received from the {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/Bindings.en.html#http.ablauf.schritte}DataURL}} server.
This allows to prevent infinite request loops caused by erroneous server implementations.
Default: <<<50>>>
[<<>>] A list of allowed DataURLs, separated by commas.
The entries are interpreted as {{{http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html}regular expressions}}.
If this list is not present, any DataURL will be accepted. If it is empty, all DataURLs will be rejected.
[<<>>] Controls if to-be signed data is validated for conformity with the {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/viewerformat/ViewerFormat.en.html}standardised viewer format}} of the Austrian Citizen Card specification.
Default: <<>>
[<<>>]
The following two configuration elements must provide an URL which resolves to a directory in the file system. It may either be an absolute URL or a relative URL, which is resolved using the URL of the configuration file.
[<<>>] Specifies the URL of a certificate store directory. This directory must contain all certificates required to build a valid certification chain up to an anchor of trust (e.g. a certificate also contained in the trust store directory). Certificate filenames are hashed. To add new certificates to the certificate store directory create a sub-directory named <<>> and put the certificates into this directory. They will then be added to the certificate store upon startup of MOCCA.
Default: <<>>
[<<>>] Specifies the URL of a trust store directory. This directory must contain all certificates considered as a root of trust.
NOTE: Any certificate in the trust store directory must also be present in the certificate store directory!
Default: <<>>
[<<>>] Options: <<>> (default) or <<>>
[<<>>] Comma-separated (ordered) list of revocation services to be used, e.g. "<<>>". Any revocation service not contained in the list will be disabled.
Default: <<>>
[]
NOTE: Do not enable the following two options in production environments!
[<<>>] May be set to <<>> to disable verification of the server host name given in the server's certificate.
Default: <<>>
[<<>>] May be set to <<>> to disable all TSL/SSL related checks.
Default: <<>>
[<<>>] May be specified to set the product name given by the <<>> and <<>> HTTP headers as specified by {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/bindings.en.html#http}HTTP binding}}.
[<<>>] May be specified to set the product version given by the <<>> and <<>> HTTP headers as specified by {{{http://www.buergerkarte.at/konzept/securitylayer/spezifikation/aktuell/bindings/bindings.en.html#http}HTTP binding}}.
[<<>>] May be specified to set the <<>> HTTP header.
[<<>>]
Citizen Card Environment access control configuration file
[<<>>]
Default: <<>>
[<<>>] The hash algorithm defaults to SHA-1.
If this option is set, SHA-256 or RIPEMD-160 are used, depending on card support.
Default: <<>>
[<<>>] By default, provided StylesheetURLs will be ignored.
To enable this feature, set this to true.
Default: <<>>
[<<>>] Use provided key and certificate files instead of a smart card.
This feature expects the following files:
* <<>>: keystore containing the secure signature key pair (under the friendly name <<>>)
* <<>>: plain text file containing the password of the above key store
* <<>>: corresponding certificate
* <<>>: keystore containing the certified key pair (under the friendly name <<>>)
* <<>>: plain text file containing the password of the above key store
* <<>>: corresponding certificate
[]
Default: <<>>
** MOCCA Local Only Configuration Parameters
[<<>>]
Smart card interface device configuration options. Currently, only one configuration item.
[<<>>] Whether to disable the pinpad on a card reader and use keyboard pin entry instead.
Default: <<>>
** MOCCA Online Only Configuration Parameters
[<<>>] Set to true to enable a P3P Header with the following contents:
CP="NON DSP COR CUR ADM DEV TAI PSA PSD OUR DEL IND UNI COM NAV INT CNT STA";
This means that you agree not to give away information collected about users (e.g. log files)
This makes setting cookies from in iFrame served from another domain possible under Internet Explorer