Web services configuration
The fglprofile entries relating to Genero Web Services are divided between five categories: security, basic or digest HTTP authentication, proxy configuration, server configuration, and XML cryptography.
The following table lists the FGLPROFILE entries specifying the security certificates and algorithms the Web Services client uses for HTTPS and password encryption. These entries specify how an application using the low-level com or xml APIs performs secured communications.
Entry | Description |
---|---|
security.global.script | Filename of a script executed each time the password of a private key is required by the client. The security script accepts one argument corresponding to the filename of the private key for which the password is required, and must return the correct password or the client stops. For script examples, see Windows™ Password Script Example or UNIX™ Password Script Example. This entry cannot be used if security.global.agent is set. |
security.global.agent | Port number where the fglpass agent is waiting for requests. It returns the password that grants access to a private key when needed by a BDL application. The DVM and the fglpass agent perform authentication and exchange encrypted data over the local host network only. Refer to Using the password agent for details. This entry cannot be used if security.global.script is set. |
security.global.protocol | The SSL protocol to use for secured communications. Possible values are: |
security.global.ca | Filename of the Certificate Authority list, with the concatenated PEM-encoded third party X.509 certificates considered as trusted, and in order of preference. |
security.global.windowsca | If set to true, build the Certificate Authority list from the Certificate Authorities stored in the Windows key store. This entry is only valid on Windows systems where security.global.ca is not set. |
security.global.cipher | The list of encryption, digest, and key exchange algorithms the client is allowed to use during a secured communication. If this entry is omitted, all algorithms are supported. For more details about ciphers, refer to www.openssl.org. |
security.global.certificate | Filename of the PEM-encoded client X.509 certificate to be used for any secured connection if not redefined in a specific server configuration. |
security.global.privatekey | Filename of the PEM-encoded private key associated with the above X.509 certificate and to be used for any secured connection if not redefined in a specific server configuration. |
security.global.keysubject | The subject string of an X.509 certificate and its associated private key registered in the Windows key store to be used for any secured connection if not redefined in a specific server configuration. This entry is valid only on Windows systems. |
security.ident.certificate | Filename of the PEM-encoded client X.509 certificate. |
security.ident.privatekey | Filename of the PEM-encoded private key associated with the above X.509 certificate. |
security.ident.keysubject | The subject string of an X.509 certificate and its associated private key registered in the Windows key store. This entry is valid only on Windows systems. |
The following table lists the FGLPROFILE entries that specify the login and password to use in the case of HTTP authentication to a server or a proxy. The entries also specify the login and password to use in an application using the low-level com or xml API.
Entry | Description |
---|---|
authenticate.ident.login | The login identifying the client to a server during HTTP Authentication. |
authenticate.ident.password | The password validating the login of a client to a server during HTTP Authentication. As passwords should never be in clear text, it is recommended that you encrypt them with the fglpass tool. For more information, see FGLPROFILE password encryption. |
authenticate.ident.realm | The string identifying the server to the client during HTTP Authentication. If the string does not match the server's string, authentication fails. This parameter is optional, but it is recommended that you check the server identity, especially if the server's location is suspicious. |
authenticate.ident.scheme | One of the following strings representing the different HTTP Authentication mechanisms. |
The following table lists the FGLPROFILE entries that specify how the Web Services client communicates with a proxy. The entries specify the way an application using the low-level com or xml API communicates with a proxy.
Entry | Description |
---|---|
proxy.http.location | Location of the HTTP proxy defined as host:port or ip:port. If the port is omitted, port 80 is used. |
proxy.http.list | The list of host name beginnings, separated with semicolons, for which the Web Services client does not go via the HTTP proxy. |
proxy.http.authenticate | The HTTP Authenticate identifier the Web Services client uses to authenticate itself to the HTTP proxy. |
proxy.https.location | Location of the HTTPS proxy defined as host:port or ip:port. If the port is omitted, port 443 is used. |
proxy.https.list | The list of host name beginnings, separated with semicolons, for which the Web Services client does not go via this HTTPS proxy. |
proxy.https.authenticate | The HTTP Authenticate identifier the Web Services client uses to authenticate itself to the HTTPS proxy. |
The following table lists the FGLPROFILE entries that specify how the Web Services client uses the IPv6 network protocol.
Entry | Description |
---|---|
ip.global.version | Defines the IP version to be used. Possible values are "4" (IPv4) or "6" (IPv6). By default, when this entry is not defined, the WS library will try to use IPv6 and fall back to IPv4, according to the operating system. |
ip.global.v6.interface.name | Defines the name of the network interface to be used for IPv6 link-local addresses. For example, this entry can get values such as "eth0", "en0", "ethernet_5". Important: This entry is not supported on Microsoft™ Windows platforms. |
ip.global.v6.interface.id | Defines the id of the network interface to be used for IPv6 link-local addresses. For example, this entry can get values such as "1", "2", "11". |
The following table lists the FGLPROFILE entries that specify how a Web Services client connects to an end point (usually a server). The entries also specify how an application using the low-level com or xml API connects to an end point.
Entry | Description |
---|---|
ws.ident.url | The endpoint URL of the server. By using a wildcard in the URL, you can create a URL base that applies to multiple server applications. URLs that have the same URL base can share server configuration (such as authentication and HTTPS). See Wildcards in the URL base. |
ws.ident.cipher | The list of encryption, digest and key exchange algorithms the client is allowed to use during a secured communication to that server. It overrides the global definition. |
ws.ident.verifyserver | If set to true, the client performs a strict server identity validation and stops the communication if the validation is not fulfilled. Otherwise, no server identity verification is performed. The default value is true. |
ws.ident.security | The security identifier the client uses to perform an HTTPS communication to the server. |
ws.ident.authenticate | The HTTP authenticate identifier the client uses to authenticate itself to the server. |
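A small linter for the constraints the tables above state: script and agent are mutually exclusive, windowsca is only valid when ca is unset, an omitted cipher list allows all algorithms, verifyserver disables identity checks when not true, and ws entries refer to security and authenticate identifiers. This is an added example, not Four Js code; it assumes simple `name = value` lines, and the identifiers and paths in the sample are constructed.

```python
import re

# Constructed sample FGLPROFILE; the identifiers "orders", "id1", "login1" are hypothetical.
SAMPLE = """
security.global.script   = "/opt/app/getpass.sh"
security.global.agent    = 4242
security.global.ca       = "/opt/app/ca-list.pem"
security.id1.certificate = "/opt/app/client.crt"
security.id1.privatekey  = "/opt/app/client.pem"
ws.orders.url            = "https://orders.example.test/ws"
ws.orders.security       = "id1"
ws.orders.authenticate   = "login1"   # no authenticate.login1.* entries exist
ws.orders.verifyserver   = false
"""

# Assumption: entries are `name = "value"` or `name = value` lines; # starts a comment.
LINE = re.compile(r'^\s*([\w.]+)\s*=\s*(?:"([^"]*)"|([^\s#]+))')

def parse(text):
    """Return {entry name: value as string}; blank and comment lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            entries[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return entries

def audit(entries):
    """Return (code, detail) findings for constraints stated in the tables above."""
    out = []
    if "security.global.script" in entries and "security.global.agent" in entries:
        out.append(("script-and-agent", "security.global.script and .agent cannot both be set"))
    if entries.get("security.global.windowsca", "").lower() == "true" and "security.global.ca" in entries:
        out.append(("windowsca-with-ca", "windowsca is only valid when security.global.ca is not set"))
    if "security.global.cipher" not in entries:
        out.append(("cipher-unset", "no global cipher list: all algorithms are allowed"))
    for name, value in entries.items():
        parts = name.split(".")
        if len(parts) != 3 or parts[0] != "ws":
            continue
        if parts[2] == "verifyserver" and value.lower() != "true":
            out.append(("verifyserver-off", f"{name}: server identity is not verified"))
        if parts[2] in ("security", "authenticate"):
            prefix = f"{parts[2]}.{value}."  # identifier must have its own entries
            if not any(k.startswith(prefix) for k in entries):
                out.append(("undefined-ident", f"{name} refers to missing {prefix}* entries"))
    return out

if __name__ == "__main__":
    for code, detail in audit(parse(SAMPLE)):
        print(f"{code}: {detail}")
```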
The following table lists the FGLPROFILE entries that control XML to Genero values conversion, and XML cryptography key or certificate mapping.
Entry | Description |
---|---|
xml.keystore.calist | The list of PEM-encoded third party X.509 certificates, separated with semicolons, of the Certificate Authority considered as trusted, in order of preference. |
xml.keystore.x509list | The list of PEM-encoded third party X.509 certificates, separated with semicolons, to be used to find out the correct X.509 certificate when getting an incomplete one in an XML signature or an encrypted XML document. |
xml.ident.key | The filename of a cryptography key. For instance, RSA.pem, DSA.der or HMAC.bin. |
xml.ident.x509 | The filename of a cryptography X.509 certificate. For instance, Cert.crt. |
xml.serializer.supportEmptyStrings | Controls empty string XML nodes conversion to Genero STRING values. The default is false: empty XML tags are converted to NULL. If set to true, an empty XML tag is converted to an empty STRING value. As a result, in Genero, the LENGTH() function will return zero and the IS NULL comparison operator will evaluate to FALSE. Note that this entry only works for the STRING data type, and if the tag is not present, the STRING is set to NULL. |
xml.signature.prefix = { "prefix" \| "<none>" } | Defines the prefix for an XML Signature. Use "<none>" to specify no prefix. By default, the XML Signature prefix is "dsig". |
xml.encryption.prefix = { "prefix" \| "<none>" } | Defines the prefix for XML Encrypted data. Use "<none>" to specify no prefix. By default, the XML Encrypted data prefix is "xenc". |