MOCCA Configuration

Since MOCCA version 1.3, Apache Commons Configuration (commons-configuration) is used for the main configuration of MOCCA.

The configuration is built by the ConfigurationFactoryBean class. It creates a composite configuration from a default configuration read from ConfigurationFactoryBean.DEFAULT_CONFIG and an (optional) resource set via setConfigurationResource(org.springframework.core.io.Resource). The latter resource is usually injected via a Spring application context. See the configuration sections of MOCCA Online / MOCCA Local on how the configuration resource is constructed in their respective application contexts and on how to provide your own configuration file.

Common Configuration Options

A typical configuration file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<MoccaConfiguration version="1.0">
  <RegisterSecurityProviders>true</RegisterSecurityProviders>
  <DataURLConnection>
    <MaxHops>50</MaxHops>
  </DataURLConnection>
  <ValidateHashDataInputs>true</ValidateHashDataInputs>
  <SSL>
    <certDirectory>./certStore</certDirectory>
    <caDirectory>./trustStore</caDirectory>
  </SSL>
</MoccaConfiguration>

Supported Configuration Parameters

RegisterSecurityProviders
Controls whether MOCCA registers the Java Cryptographic Service Providers it requires.

NOTE: MOCCA only works if the required security providers are registered. If this is set to false, the security providers must be registered by some other means (e.g. statically, via the Java runtime's java.security provider list).

Default: true

DataURLConnection
MaxHops
Limits the number of consecutive requests MOCCA accepts from the DataURL server. This prevents infinite request loops caused by faulty server implementations; raising the limit above the default weakens that guard.

Default: 50

ValidateHashDataInputs
Controls whether the to-be-signed data is validated for conformity with the standardised viewer format of the Austrian Citizen Card specification. Keep this enabled: it ensures that what is shown to the user before signing can actually be rendered faithfully by the viewer.

Default: true

SSL

The following two configuration elements must provide a URL which resolves to a directory in the file system. It may either be an absolute URL or a relative URL, which is resolved against the URL of the configuration file.

certDirectory
Specifies the URL of a certificate store directory. This directory must contain all certificates required to build a valid certification chain up to an anchor of trust (e.g. a certificate also contained in the trust store directory). Certificate file names in this directory are hashed, so new certificates are not copied in directly: create a sub-directory named toBeAdded and put the certificates into it. They are added to the certificate store upon the next startup of MOCCA.

Default: classpath:at/gv/egiz/bku/certs/certStore

caDirectory
Specifies the URL of a trust store directory. This directory must contain all certificates considered as a root of trust.

NOTE: Any certificate in the trust store directory must also be present in the certificate store directory, otherwise chain building cannot reach that anchor!

Default: classpath:at/gv/egiz/bku/certs/trustStore
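The rule above (every trust anchor must also be in the certificate store) can be checked before MOCCA is started. The following script is an added example and not part of MOCCA or of this page; it assumes both directories are local file system paths and that certificate files are DER or PEM encoded (the page states neither), and it compares certificates by content because the file names in certStore are hashed. Certificates that are only staged in certStore/toBeAdded are reported separately, since MOCCA imports them at its next start:

```python
"""Consistency check for MOCCA's certStore and trustStore directories.

Added example, not MOCCA project code. It assumes both directories are
plain file system paths and that certificate files are DER or PEM encoded
(the page does not state the encoding, so that is an assumption here).
"""
import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Unwrap PEM to DER so the same certificate compares equal whether it
    was saved as .pem or .cer; anything without PEM armour is taken as DER."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def to_pem(der: bytes) -> bytes:
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def fingerprints(directory: str) -> dict:
    """Map SHA-256(DER) -> file name for every file directly in directory.
    certStore file names are hashed, so the content, not the name, identifies
    a certificate. Sub-directories (e.g. toBeAdded) are not descended into."""
    result = {}
    if not os.path.isdir(directory):
        return result
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[hashlib.sha256(to_der(fh.read())).hexdigest()] = name
    return result


def check_stores(cert_dir: str, ca_dir: str) -> dict:
    """Verify the NOTE under caDirectory: every trust anchor in trustStore
    must also be present in certStore. Anchors that only sit in
    certStore/toBeAdded are listed separately; MOCCA imports those at the
    next startup, so they are fine after a restart."""
    installed = fingerprints(cert_dir)
    pending = fingerprints(os.path.join(cert_dir, "toBeAdded"))
    anchors = fingerprints(ca_dir)
    missing = [n for fp, n in anchors.items() if fp not in installed and fp not in pending]
    staged_only = [n for fp, n in anchors.items() if fp not in installed and fp in pending]
    return {"missing": missing, "staged_only": staged_only}


def build_fixture() -> tuple:
    """Create a throw-away certStore/trustStore pair. The contents are
    constructed placeholder bytes, not real certificates; they only need to
    be distinct for the check to be exercised."""
    root = tempfile.mkdtemp(prefix="mocca-stores-")
    cert_dir = os.path.join(root, "certStore")
    ca_dir = os.path.join(root, "trustStore")
    os.makedirs(os.path.join(cert_dir, "toBeAdded"))
    os.makedirs(ca_dir)
    root_a, root_b, root_c = b"\x30\x82ROOT-A", b"\x30\x82ROOT-B", b"\x30\x82ROOT-C"

    def write(path, data):
        with open(path, "wb") as fh:
            fh.write(data)

    # Root A: installed in certStore under a hashed-style name, PEM copy in trustStore.
    write(os.path.join(cert_dir, "3c0f9d1e.0"), root_a)
    write(os.path.join(ca_dir, "RootA.pem"), to_pem(root_a))
    # Root B: only staged in toBeAdded, picked up at the next MOCCA start.
    write(os.path.join(cert_dir, "toBeAdded", "RootB.cer"), root_b)
    write(os.path.join(ca_dir, "RootB.cer"), root_b)
    # Root C: trust anchor with no copy in certStore at all -> violation.
    write(os.path.join(ca_dir, "RootC.cer"), root_c)
    return cert_dir, ca_dir


if __name__ == "__main__":
    report = check_stores(*build_fixture())
    print("missing from certStore:", report["missing"])
    print("only staged in toBeAdded:", report["staged_only"])
```

Run it against the real directories with check_stores("./certStore", "./trustStore") from the directory the configuration file's relative URLs resolve against; anything under "missing" will leave chains ending at that anchor unverifiable.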

sslProtocol
Protocol used for MOCCA's TLS/SSL connections. Options: TLS or SSL. SSL is a legacy option only and should not be used.

Default: TLS

revocationServiceOrder
Comma-separated (ordered) list of revocation services to be used, e.g. "CRL,OCSP". Any revocation service not contained in the list is disabled, so the list controls which revocation checks run at all, not only their order.

Default: OCSP,CRL

NOTE: Do not enable the following two options in production environments!

disableHostnameVerification
May be set to true to disable verification that the server's host name matches the name given in the server's certificate. With this disabled, any holder of a certificate the trust store accepts can impersonate the DataURL server.

Default: false

disableAllChecks
May be set to true to disable all TLS/SSL related checks (certificate chain, revocation and host name). A connection made with this setting can be intercepted by anyone on the network path.

Default: false

ProductName
May be specified to set the product name given in the Server and User-Agent HTTP headers as specified by the HTTP binding.

ProductVersion
May be specified to set the product version given in the Server and User-Agent HTTP headers as specified by the HTTP binding.

SignatureLayout
May be specified to set the SignatureLayout HTTP header.

AccessController

PolicyResource
URL of the Citizen Card Environment access control configuration file (the access control policy).

Default: classpath:/at/gv/egiz/bku/accesscontrol/config/accessControlConfig.xml

MOCCA Local Only Configuration Parameters

CCID

Smart card interface device configuration options. Currently there is only one configuration item.

disablePinpad
Whether to disable the PIN pad of the card reader and use PIN entry via the keyboard instead. With PIN pad entry the PIN never reaches the host; with keyboard entry it is handled by the host operating system and can be captured by malware running there, so keep this at false wherever a PIN pad reader is available.

Default: false
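As an added example that is not part of MOCCA or of this page, the following script lints a MoccaConfiguration file against the options documented above and reports the settings that must not reach production: the two TLS switches, legacy SSL, a mistyped revocation service, disabled hash data validation, a weakened MaxHops loop guard and keyboard PIN entry. The DEV_CONFIG and PROD_CONFIG samples are constructed for this example, the file is read as plain XML rather than through commons-configuration, and the MaxHops threshold is a choice made here:

```python
"""Pre-deployment lint of a MoccaConfiguration file.

Added example, not MOCCA project code. It reads the file as plain XML and
applies the option names, defaults and production warnings documented on
the configuration page; DEV_CONFIG and PROD_CONFIG are constructed samples
and the MaxHops threshold is this example's own choice.
"""
import xml.etree.ElementTree as ET

KNOWN_REVOCATION_SERVICES = {"OCSP", "CRL"}
MAX_HOPS_DEFAULT = 50  # documented default; larger values weaken the loop guard


def lint(xml_text: str) -> list:
    """Return (option, reason) pairs for settings that weaken MOCCA's TLS
    handling or signing flow. Absent options count with their documented
    default, so an empty list means the file is safe to deploy."""
    root = ET.fromstring(xml_text)
    if root.tag != "MoccaConfiguration":
        return [("root", "unexpected root element %r" % root.tag)]

    def value(path, default):
        node = root.find(path)
        if node is None:
            return default
        return (node.text or "").strip()  # present but empty is not the default

    def flag(path, default="false"):
        return value(path, default).lower() == "true"

    findings = []
    if flag("SSL/disableAllChecks"):
        findings.append(("SSL/disableAllChecks",
                         "all TLS checks off: a man-in-the-middle is accepted"))
    if flag("SSL/disableHostnameVerification"):
        findings.append(("SSL/disableHostnameVerification",
                         "any holder of a trusted certificate can impersonate the DataURL server"))
    if value("SSL/sslProtocol", "TLS").upper() != "TLS":
        findings.append(("SSL/sslProtocol", "legacy SSL selected instead of TLS"))
    services = [s.strip().upper()
                for s in value("SSL/revocationServiceOrder", "OCSP,CRL").split(",") if s.strip()]
    if not services:
        findings.append(("SSL/revocationServiceOrder",
                         "empty list disables every revocation service"))
    for s in services:
        if s not in KNOWN_REVOCATION_SERVICES:
            findings.append(("SSL/revocationServiceOrder",
                             "unknown service name %r (documented: OCSP, CRL)" % s))
    if not flag("ValidateHashDataInputs", "true"):
        findings.append(("ValidateHashDataInputs",
                         "to-be-signed data is not checked against the Citizen Card viewer format"))
    if not flag("RegisterSecurityProviders", "true"):
        findings.append(("RegisterSecurityProviders",
                         "providers must be registered by other means or MOCCA will not work"))
    hops = value("DataURLConnection/MaxHops", str(MAX_HOPS_DEFAULT))
    if not hops.isdigit() or int(hops) < 1 or int(hops) > MAX_HOPS_DEFAULT:
        findings.append(("DataURLConnection/MaxHops",
                         "%r is not a positive count up to the default %d (loop guard weakened)"
                         % (hops, MAX_HOPS_DEFAULT)))
    if flag("CCID/disablePinpad"):
        findings.append(("CCID/disablePinpad",
                         "PIN is typed on the host keyboard and exposed to the host OS (MOCCA Local)"))
    return findings


# Constructed sample: a developer's throw-away configuration with every
# dangerous switch set, plus a typo ("OSCP") in the revocation service list.
DEV_CONFIG = """<MoccaConfiguration version="1.0">
  <ValidateHashDataInputs>false</ValidateHashDataInputs>
  <DataURLConnection><MaxHops>1000</MaxHops></DataURLConnection>
  <SSL>
    <sslProtocol>SSL</sslProtocol>
    <revocationServiceOrder>CRL,OSCP</revocationServiceOrder>
    <disableHostnameVerification>true</disableHostnameVerification>
    <disableAllChecks>true</disableAllChecks>
  </SSL>
  <CCID><disablePinpad>true</disablePinpad></CCID>
</MoccaConfiguration>
"""

# Constructed sample: the same file with every option at its safe value.
PROD_CONFIG = """<MoccaConfiguration version="1.0">
  <RegisterSecurityProviders>true</RegisterSecurityProviders>
  <DataURLConnection><MaxHops>50</MaxHops></DataURLConnection>
  <ValidateHashDataInputs>true</ValidateHashDataInputs>
  <SSL>
    <certDirectory>./certStore</certDirectory>
    <caDirectory>./trustStore</caDirectory>
    <sslProtocol>TLS</sslProtocol>
    <revocationServiceOrder>OCSP,CRL</revocationServiceOrder>
    <disableHostnameVerification>false</disableHostnameVerification>
    <disableAllChecks>false</disableAllChecks>
  </SSL>
</MoccaConfiguration>
"""

if __name__ == "__main__":
    for label, cfg in (("dev", DEV_CONFIG), ("prod", PROD_CONFIG)):
        print(label, "->", lint(cfg) or "no findings")
```

Point lint() at the contents of the configuration resource actually wired into the application context; an option that is missing from the file is judged by its documented default, which is why PROD_CONFIG and an empty MoccaConfiguration element both pass.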