To configure MFDAS to operate in a UNIX environment you must specify the server and interactions in the
mfa_config.json configuration file. A template configuration file is supplied with the product and can be located at
$COBDIR/etc/config/mfa/mfa_config.json.
Required configuration is as follows:
{
  "connection_config":
  {
    "host" : "MYMFAHOST",
    "port" : "2020",
    "timeout_seconds" : "60",
    "retry_count" : "2",
    "max_retry_time" : "120"
  }
}
Optional configuration enables you to specify more advanced options which can be added to the
"connection_config" section.
To specify TLS client verification:
- client_cert
- Specifies the absolute path to the certificate file (.pem). If multiple certificates are used, separate the paths with a semicolon ';'.
- client_key
- Specifies the absolute path to the keyfile (.pem).
- client_password
- Specifies the password for the keyfile. If multiple keyfiles are used, separate the passwords with four colons '::::'.
- ca_path
- The location, on disk, of the server root certificate.
- client_cert_type
- The following certificate file types are supported: DER, CER, PKCS #7, PKCS #8, PKCS #12, and PEM.
- client_key_type
- The following key file types are supported: PKCS #8, PKCS #12, and PEM.
- verify_host=ENABLE|DISABLE
- When enabled, libcurl verifies that the certificate presented by the server has a Common Name (CN) field or a Subject Alternative
Name (SAN) field that matches the hostname in the URL that the mfsecretshashicorp vault provider is connecting to.
The default value is ENABLE.
- verify_peer=ENABLE|DISABLE
- When enabled, the mfsecretshashicorp vault provider will verify the authenticity of the server's certificate against the
Certification Authority's (CA) certificates supplied to the ca_path configuration option.
The default value is ENABLE.
- cert_revoke_check=ENABLE|DISABLE
- Specifies whether libcurl verifies the status of the server certificate using the "Certificate Status Request" TLS extension,
that is OCSP stapling.
The default value is DISABLE.
Note: If this option is enabled but the server does not support the TLS extension the verification will fail.
- cipher_list
- Specifies the priority of cipher suites to be used. The cipher suite priority is formed from a combination of keywords and
keyword modifiers in a space-separated string:
- !
- Exclude. Permanently exclude the cipher suite and ignore any subsequent attempt to add the cipher suite back in.
- +
- Add. Add the cipher suite to the end of the collection.
- -
- Delete. Delete the cipher suite from the existing collection.
By default, the following cipher suite list is used:
kEECDH+ECDSA kEECDH kEDH HIGH MEDIUM +3DES +SHA !RC4 !aNULL !eNULL !LOW !MD5 !EXP
- tls13_cipher_suites
- The list of cipher suites to be used with TLS1.3 separated by a colon ':'. For example:
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
- ssl_two_stage_connect=ENABLE|DISABLE
- Specifies whether libcurl should enable the use of false start during the TLS handshake. False start is a mode in which a TLS
client starts sending application data before verifying the server's Finished message; this saves a round trip when performing
a full handshake.
The default value is DISABLE.
- tls_protocol
- Specifies the TLS protocol version to use, which can be one of the following options:
- TLSv1
- SSLv2
- SSLv3
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
- MAX_DEFAULT
- MAX_TLSv1_0
- MAX_TLSv1_1
- MAX_TLSv1_2
- MAX_TLSv1_3
- connection_debugging=true|false
- Set to true to turn on verbose transport layer debugging.
Warning: Setting this to true will print out HTTP headers and bodies which could contain sensitive data, such as passwords.
Note: You should not set this to true unless asked to do so by the
Micro Focus support team.