MTG SCEP Configuration

application.properties

Here you will find properties used to configure MTG SCEP. The properties are defined in the application.properties file.

Each property is listed with whether it is required, its default value ("-" means no default) and a description.

server.port
  Required: false   Default: 8507
  Server HTTP port.

clm.url
  Required: true   Default: -
  Points to the HTTP location where the CLM is running.

clm.apiclient.id
  Required: true   Default: -
  The provider ID that the RA API Client uses for the connection to the CLM. It can be obtained from the CLM once an API client with a default policy has been configured.
  Example: ffc0d281-f9df-45cd-a30d-1881cd67012a

clm.apiclient.secret
  Required: true   Default: -
  The secret that the RA API Client uses for the connection to the CLM. It can be obtained from the CLM once an API client with a default policy has been configured.

openid.provider.baseUrl
  Required: true   Default: -
  Points to the HTTP location where the Keycloak server is running.

logging.level.app
  Required: false   Default: INFO
  Specifies the log level of the log messages created directly by the application. This property is only used if logging.file.name or logging.file.path is configured.

logging.level.web
  Required: false   Default: WARN
  Sets the log level of the web server layer.

logging.level.sql
  Required: false   Default: WARN
  Sets the log level of the database layer.

logging.config
  Required: false   Default: WARN
  Specifies the path to a log4j2/logback configuration file. The path can be an absolute location or relative to the current directory. This property cannot be used together with logging.file.name or logging.file.path.

logging.file.path
  Required: false   Default: /var/log/mtg/mtg-scep-server/
  Specifies the directory where the application log files are stored. The path can be an absolute location or relative to the current directory. This property cannot be used together with logging.config or logging.file.name.

logging.level.*
  Required: false   Default: -
  Specifies the level of the log messages created by third-party components and allows very fine-grained control of the logging level. See also docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html#logging.level . This property is only used if logging.file.name or logging.file.path is configured.
  Examples: logging.level.sql=DEBUG, logging.level.web=WARN

logging.logback.rollingpolicy.file-name-pattern
  Required: false   Default: ${LOG_FILE}.%d{yyyy-MM-dd}.%i.gz
  The filename pattern used to create log archives. (Copied verbatim from LogRotation.)

logging.logback.rollingpolicy.clean-history-on-start
  Required: false   Default: false
  Whether log archive cleanup should occur when the application starts. (Copied verbatim from LogRotation.)

logging.logback.rollingpolicy.max-file-size
  Required: false   Default: 10MB
  The maximum size of a log file before it is archived. (Copied verbatim from LogRotation.)

logging.logback.rollingpolicy.total-size-cap
  Required: false   Default: 0B
  The maximum total size the log archives may occupy before they are deleted. (Copied verbatim from LogRotation.)

logging.logback.rollingpolicy.max-history
  Required: false   Default: 7
  The maximum number of archived log files to keep.

tomcat.ajp.enable
  Required: false   Default: false
  If set to true, enables the additional embedded Tomcat AJP connector that is required by Apache HTTPd.

tomcat.ajp.port
  Required: false   Default: 8707
  Specifies the port of the AJP connector. Only used if tomcat.ajp.enable is set to true.

tomcat.ajp.secret.required
  Required: false   Default: false
  If set to true, specifies that an AJP secret is required by the AJP connector. Only used if tomcat.ajp.enable is set to true.

tomcat.ajp.secret
  Required: false   Default: -
  Specifies the AJP secret used by the AJP connector. Only used if tomcat.ajp.enable is set to true.

server.ssl.enabled
  Required: false   Default: true
  Enables TLS for the SCEP server.

server.ssl.enabled-protocols
  Required: false   Default: TLSv1.2
  Defines the enabled TLS protocol versions.

server.ssl.key-store
  Required: false   Default: classpath:keystore.p12
  Path to the server TLS keystore.

server.ssl.key-store-type
  Required: false   Default: PKCS12
  The format of the keystore. Set it to JKS if the keystore is a JKS file.

server.ssl.key-store-password
  Required: false   Default: -
  The password of the keystore (see server.ssl.key-store).

server.ssl.key-alias
  Required: false   Default: -
  The alias of the keystore entry to use.

server.ssl.trust-store
  Required: false   Default: -
  The location of a truststore file containing the trusted certificates used to verify all TLS connections that the application initiates.

server.ssl.trust-store-type
  Required: false   Default: JKS
  The type of the truststore (see server.ssl.trust-store).

server.ssl.trust-store-password
  Required: false   Default: -
  The truststore password (see server.ssl.trust-store).

server.ssl.client-auth
  Required: false   Default: need
  TLS client authentication mode.

clm.client.truststore.path
  Required: false   Default: -
  The location of a keystore file containing the certificates used to verify the TLS connection to the RA. It can be left empty.

clm.client.truststore.password
  Required: false   Default: -
  The password protecting the truststore (see clm.client.truststore.path). It can be left empty.

clm.client.truststore.type
  Required: false   Default: JKS
  The format of the truststore (see clm.client.truststore.path). Valid values are JKS, JCEKS or PKCS12.

clm.client.tls.version
  Required: false   Default: TLSv1.2
  The TLS protocol version used for the connection to the CLM. Valid values are TLSv1.2 or TLSv1.3. It can be left empty.

clm.client.timeout.seconds
  Required: false   Default: 120
  An integer number of seconds after which the connection to the CLM times out. It can be left empty.

openid.client.truststore.path
  Required: false   Default: -
  The location of a keystore file containing the certificates used to verify the TLS connection to the Keycloak server. It can be left empty.

openid.client.truststore.password
  Required: false   Default: -
  The password protecting the truststore (see openid.client.truststore.path). It can be left empty.

openid.client.truststore.type
  Required: false   Default: JKS
  The format of the truststore (see openid.client.truststore.path). Valid values are JKS, JCEKS or PKCS12. It can be left empty.

openid.client.tls.version
  Required: false   Default: TLSv1.2
  The TLS protocol version used for the connection to the Keycloak server. Valid values are TLSv1.2 or TLSv1.3. It can be left empty.

openid.client.timeout.seconds
  Required: false   Default: 120
  An integer number of seconds after which the connection to the Keycloak server times out. It can be left empty.

clm.client.http.proxy.host
  Required: false   Default: -
  Specifies the host of the HTTP proxy server for the connection to the CLM. It can be left empty.

clm.client.http.proxy.port
  Required: false   Default: -
  Specifies the port of the HTTP proxy server for the connection to the CLM. It can be left empty.

openid.client.http.proxy.host
  Required: false   Default: -
  Specifies the host of the HTTP proxy server for the connection to the OpenID server. It can be left empty.

openid.client.http.proxy.port
  Required: false   Default: -
  Specifies the port of the HTTP proxy server for the connection to the OpenID server. It can be left empty.

management.elastic.metrics.export.enabled
  Required: false   Default: -
  If set to true, metrics are sent to an OpenSearch server. It can be left empty.

management.elastic.metrics.export.host
  Required: false   Default: -
  Specifies the URL at which the OpenSearch server can be reached. It can be left empty.

management.elastic.metrics.export.user-name
  Required: false   Default: -
  Specifies the user who has access to the OpenSearch server. It can be left empty.

management.elastic.metrics.export.password
  Required: false   Default: -
  Specifies the password of the OpenSearch user. It can be left empty.

shared.secret
  Required: false   Default: -
  If this parameter is set, every client request must carry this value as its challenge password in order to be authorized to request certificates. In that case neither a previously issued active certificate nor a separate challenge password per participant is needed.
  The value can be given in plain form or as the hexadecimal SHA-256 hash of the plain value. In both cases the clients must set the challenge password to the plain value. For example, you may configure either secret or 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b, and the clients must use secret as the challenge password.
  Use this option with caution: every SCEP client is then in a position to create an arbitrary end-entity and to request certificates for other end-entities.

scep.response.include.cachain
  Required: true   Default: -
  By default the SCEP SuccessResponse returns the EE certificate together with its full CA chain. Juniper JunOS/ScreenOS devices, however, expect only the EE certificate in the SCEP SuccessResponse and fail if other certificates are included; Cisco IOS accepts both variants. If this parameter is set to false, the SCEP SuccessResponse includes only the EE certificate, i.e. the CA chain is excluded.
  This is a global flag, i.e. it affects all SCEP clients.

scep.getcacert.include.cachain.onmessage
  Required: true   Default: -
  If this option is set to false, the CA chain is excluded and only the signing CA certificate is included in the GetCACert response. This supports devices that expect only the certificate of the CA that signs the end-entity certificate.
  This is a global flag, i.e. it affects all SCEP clients.

debug.requests
  Required: false   Default: false
  If set to true, incoming requests are written to the log file as debug messages.

scep.payload.protection
  Required: false   Default: ca
  If set to ca, the SCEP responses are signed by the CA and the messages are decrypted by the CA directly. If set to ra, the so-called RA mode of SCEP is activated: the responses are signed by an RA and the messages are also decrypted by this RA.
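The two accepted forms of shared.secret (plain value, or the hex SHA-256 of it, with clients always sending the plain value) are easy to get wrong on either side. The following is an added example, not MTG SCEP's own code: sha256_hex() produces the hashed form an operator can put in application.properties, and challenge_password_matches() shows the acceptance logic a server would apply. It assumes that a configured value of exactly 64 hex characters is treated as a hash (the page does not say how MTG SCEP disambiguates a plain secret that happens to look like one), and it compares in constant time so that the check does not leak through timing.

```python
import hashlib
import hmac
import re

# Assumption (not stated on the page): a 64-character hex string in shared.secret is the hashed form.
HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_hex(plain: str) -> str:
    """Hex SHA-256 of the plain secret; the value an operator may configure instead of the plain form."""
    return hashlib.sha256(plain.encode("utf-8")).hexdigest()


def challenge_password_matches(configured: str, challenge_password: str) -> bool:
    """Return True if the client's plain challenge password satisfies the configured shared.secret.

    `configured` is either the plain secret or its hex SHA-256; the client always sends the plain
    value. hmac.compare_digest is used so a mismatch takes the same time regardless of where it is.
    """
    if not configured or challenge_password is None:
        return False
    if HEX_SHA256.match(configured):
        # Hashed form: hash what the client sent and compare digests (case-insensitive hex).
        return hmac.compare_digest(sha256_hex(challenge_password).lower(), configured.lower())
    # Plain form: direct constant-time comparison of the UTF-8 bytes.
    return hmac.compare_digest(configured.encode("utf-8"), challenge_password.encode("utf-8"))


if __name__ == "__main__":
    # Value from the page: sha256("secret") in hex.
    print("hashed form for application.properties:", sha256_hex("secret"))
    print("plain config, plain client :", challenge_password_matches("secret", "secret"))
    print("hashed config, plain client:", challenge_password_matches(sha256_hex("secret"), "secret"))
    print("hashed config, hash sent   :", challenge_password_matches(sha256_hex("secret"), sha256_hex("secret")))
```

Note the third case: a client that sends the hash itself is rejected, which matches the page's rule that clients must always use the plain value.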

Additional properties that can be configured can be found here: docs.spring.io/spring-boot/docs/current/reference/html/appendix-application-properties.html
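The reference above contains several constraints that only show up at start-up or, worse, at the first SCEP request: the six required properties, the mutual exclusion of logging.config with logging.file.name/logging.file.path, an AJP secret that is marked required but not set, the allowed values of scep.payload.protection, the TLS versions and the truststore types. The following is an added example, not part of MTG SCEP: a small checker that parses an application.properties file and reports those constraints, plus two warnings a defender would want (TLS disabled on the SCEP server, and shared.secret in use). The embedded sample configuration is constructed for the demonstration and deliberately violates several rules.

```python
import re
from typing import Dict, List

# Properties the reference marks as required (no default).
REQUIRED = (
    "clm.url", "clm.apiclient.id", "clm.apiclient.secret", "openid.provider.baseUrl",
    "scep.response.include.cachain", "scep.getcacert.include.cachain.onmessage",
)
TLS_VERSIONS = {"TLSv1.2", "TLSv1.3"}
TRUSTSTORE_TYPES = {"JKS", "JCEKS", "PKCS12"}

# Constructed sample (hostnames and ids are placeholders, not a real deployment).
SAMPLE_PROPERTIES = """
# MTG SCEP sample with deliberate mistakes
server.port=8507
clm.url=https://clm.example.internal
clm.apiclient.id=00000000-0000-0000-0000-000000000000
clm.apiclient.secret=REPLACE_ME
openid.provider.baseUrl=https://keycloak.example.internal
logging.config=/etc/mtg/logback.xml
logging.file.path=/var/log/mtg/mtg-scep-server/
tomcat.ajp.enable=true
tomcat.ajp.secret.required=true
scep.payload.protection=proxy
clm.client.tls.version=TLSv1.1
shared.secret=secret
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#' or '!' comments, 'key=value' or 'key: value'."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_true(props: Dict[str, str], key: str, default: str = "false") -> bool:
    return props.get(key, default).strip().lower() == "true"


def lint(props: Dict[str, str]) -> List[str]:
    """Return 'ERROR ...' and 'WARN ...' findings for the constraints documented in the reference."""
    findings: List[str] = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"ERROR {key}: required property is missing or empty")
    # logging.config cannot be combined with logging.file.name or logging.file.path.
    if "logging.config" in props and any(k in props for k in ("logging.file.name", "logging.file.path")):
        findings.append("ERROR logging.config: cannot be combined with logging.file.name or logging.file.path")
    # The AJP secret only matters when the connector is enabled.
    if is_true(props, "tomcat.ajp.enable"):
        if is_true(props, "tomcat.ajp.secret.required") and not props.get("tomcat.ajp.secret"):
            findings.append("ERROR tomcat.ajp.secret: required because tomcat.ajp.secret.required=true")
        elif not is_true(props, "tomcat.ajp.secret.required"):
            findings.append("WARN tomcat.ajp.secret.required: AJP connector enabled without a mandatory secret")
    if not is_true(props, "server.ssl.enabled", default="true"):
        findings.append("WARN server.ssl.enabled: TLS for the SCEP server is disabled")
    if props.get("shared.secret"):
        findings.append("WARN shared.secret: one challenge password authorizes every client for any end-entity")
    mode = props.get("scep.payload.protection", "ca")
    if mode not in {"ca", "ra"}:
        findings.append(f"ERROR scep.payload.protection: '{mode}' is not 'ca' or 'ra'")
    for key in ("clm.client.tls.version", "openid.client.tls.version"):
        value = props.get(key)
        if value and value not in TLS_VERSIONS:
            findings.append(f"ERROR {key}: '{value}' is not TLSv1.2 or TLSv1.3")
    for key in ("clm.client.truststore.type", "openid.client.truststore.type"):
        value = props.get(key)
        if value and value not in TRUSTSTORE_TYPES:
            findings.append(f"ERROR {key}: '{value}' is not JKS, JCEKS or PKCS12")
    return findings


def lint_text(text: str) -> List[str]:
    return lint(parse_properties(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_PROPERTIES):
        print(finding)
```

Run against the sample it reports six errors (two missing required SCEP flags, the logging conflict, the missing AJP secret, the invalid payload-protection mode and the unsupported TLS version) and one warning for shared.secret; a configuration that sets the six required properties and nothing else produces no findings.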