CA Privileged Identity Manager - 12.9.01

crypto (Windows)

Last update June 13, 2017

CA ControlMinder stores the settings for its cryptography module under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\crypto

The crypto registry key contains the following registry entries:

  • ca_certificate
    Defines the full pathname to the Certificate Authority (CA) certificate database.
    Default: ACInstallDir\data\crypto\def_root.pem
  • cleanup_schedule
    Specifies the interval to execute the cleanup task.
    Default: 00:00@Sun,Mon,Tue,Wed,Thu,Fri,Sat (Running every day at midnight)

  • communication_mode
    Specifies whether Secure Sockets Layer (SSL) protocols are enabled.
    If you set this to ssl_only, only SSL V2, SSL V3, and TLS connections are enabled. This means that this computer cannot communicate with computers that do not support SSL, and so cannot communicate with computers that are running versions of CA ControlMinder earlier than r12.0, which do not support SSL.

    Note: Computers that are running CA ControlMinder r12.0 and later do support SSL.

    If the fips_only token is set to 1, the actual communication mode is set to ssl_only in FIPS mode (that is, TLS), and the communication_mode token is ignored.
    Valid values are:

    • all_modes
    • ssl_only
    • non_ssl
    Default: non_ssl
  • encryption_methods
    Specifies the encryption libraries that the CA ControlMinder Agent uses to decrypt messages. The Agent attempts to use each library in the list, in turn, until the decryption is successful.
    Limits: aes256enc, aes192enc, aes128enc, desenc, tripledesenc, defenc
    Default: aes256enc, aes192enc, aes128enc, desenc, tripledesenc
  • fips_only
    Controls whether CA ControlMinder works in FIPS-only mode. In this mode, all non-FIPS functions are disabled.
    Valid values:
    1 CA ControlMinder works in FIPS-only mode
    0 CA ControlMinder works in non-FIPS mode
    Default: 0
  • private_key
    Defines the full pathname to the subject private key.
    Default: ACInstallDir\data\crypto\sub.key
  • refresh_timeout
    Specifies the interval to refresh an internal cache and resolve the IP address of the connected host.
    Default: 86400 seconds (24 hours)

  • ssl_hostname_validation
    Specifies whether the certificate hostname validation is enabled during a secure connection.
    Default: 0

    Note: The certificate hostname validation is not performed during a secure connection.
  • ssl_port
    Defines the port for SSL communications between CA ControlMinder clients and services.
    Default: 5249
  • subject_certificate
    Defines the full pathname to the subject certificate.
    Default:ACInstallDir\data\crypto\sub.pem
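
The following PowerShell audit is an added example, not part of the CA documentation or product. It reads the entries described above and reports settings that leave agent communication unprotected. It assumes the values can be read as strings, that encryption_methods is a comma-separated list, and that ssl_hostname_validation set to 1 enables validation; the function names are hypothetical.

```powershell
# Added example: audit the crypto registry key documented on this page.
$KeyPath = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\crypto'

function Get-CryptoSettings {
    # Read every value under the key into a hashtable (name -> value).
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $h = @{}
    foreach ($p in $props.PSObject.Properties) { $h[$p.Name] = $p.Value }
    return $h
}

function Test-CryptoSettings {
    param([hashtable]$Settings)
    $findings = @()
    $fips = "$($Settings['fips_only'])".Trim()
    $mode = "$($Settings['communication_mode'])".Trim()
    if (-not $mode) { $mode = 'non_ssl' }            # documented default
    $methods = @($Settings['encryption_methods']) -join ','
    if (-not $methods.Trim()) {                      # documented default list
        $methods = 'aes256enc,aes192enc,aes128enc,desenc,tripledesenc'
    }

    if ($fips -ne '1') {
        # Per the page, fips_only=1 forces ssl_only in FIPS mode (TLS) and
        # disables all non-FIPS functions, so these checks apply only without it.
        if ($mode -ne 'ssl_only') {
            $findings += "communication_mode=${mode}: SSL is not enforced"
        } else {
            $findings += 'ssl_only without fips_only=1 also enables SSL V2 and SSL V3'
        }
        $list = $methods -split ',' | ForEach-Object { $_.Trim() }
        if ($list -contains 'desenc') {
            $findings += 'encryption_methods lists desenc (single DES)'
        }
    }
    # Hostname validation matters whenever SSL/TLS can be in use.
    $sslPossible = ($fips -eq '1') -or ($mode -ne 'non_ssl')
    if ($sslPossible -and "$($Settings['ssl_hostname_validation'])".Trim() -ne '1') {
        $findings += 'ssl_hostname_validation is off: certificate hostnames are not checked'
    }
    return $findings
}

# Constructed sample equal to the documented defaults (not read from a real host).
$sample = @{ communication_mode = 'non_ssl'; fips_only = '0'; ssl_hostname_validation = '0'
             encryption_methods = 'aes256enc, aes192enc, aes128enc, desenc, tripledesenc' }
Test-CryptoSettings -Settings $sample
# On a host with the product installed: Test-CryptoSettings -Settings (Get-CryptoSettings)
```

With the documented defaults, the audit reports the non-SSL communication mode and the desenc entry; hostname validation is reported only once SSL or FIPS mode is enabled.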