Cúram Digest Settings

Cúram users, internal and external, when not invoked with identity-only, are authenticated using form-based login and the password entered in the form is digested and compared to the digest value stored in the database for the user.

Note: This processing does not apply to users authenticated in third party systems like LDAP.

The Cúram crypto configuration will work for you out-of-the box, but it is recommended you modify these settings with respect to your local security requirements. For instance, the OOTB settings may be adequate in development, but for production environments it is strongly recommended that you modify them (e.g. digest salt encrypted value).

The digest settings are stored in the CryptoConfig.properties file. The properties and their values are as follows:

curam.security.crypto.digest.algorithm
- Valid values: In JCE documentation, for instance: http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#MessageDigest. The supported digests are the SHA variants (1, 256, etc.) and MD5.
- Default: SHA-256 (FIPS 140-2 and SP800-131a compliant)
- Purpose: Specification of the digest algorithm.
curam.security.crypto.digest.salt.location
- Valid values: A path identifying the file containing the encrypted secret digest salt.
- Default: None
- Purpose: An optional file to specify the salt (encrypted) for digesting.
curam.security.crypto.digest.iterations
- Valid values: 0 or a positive integer.
- Default: 0
- Purpose: Typically, higher values give better security, but at the cost of processing (e.g. at login time).

There are a set of corresponding "superseded" properties to allow for flexibility when migrating from one set of digest settings or standards to another. The following have a similar function to their counterparts above, but are used by the Cúram encryption functionality to support both old and new settings for a time of migration:

curam.security.crypto.superseded.digest.algorithm
curam.security.crypto.superseded.digest.salt.location
curam.security.crypto.superseded.digest.iterations

The usage and behavior of the superseded properties are controlled by the curam.security.convertsupersededpassworddigests.enabled property as managed by the Properties Administration user interface. See How to Utilize the Superseded Digest Settings for a Period of Migration for more information on using the superseded properties.