
SSH Tectia

Appendix D Broker Configuration File Syntax

The DTD of the broker configuration file is shown below:

<!-- secsh-broker.dtd                                                   -->
<!--                                                                    -->
<!-- Copyright (c) 2004-2007 SSH Communications Security, Finland       -->
<!--               All rights reserved.                                 -->
<!--                                                                    -->
<!-- Document type definition for the Connection Broker XML             -->
<!-- configuration files.                                               -->
<!--                                                                    -->

<!-- The top-level element. -->
<!-- NOTE(review): the content model below is cut off in this listing (no
     closing ")>"), so the complete child list is not visible here. The
     declarations further down (static-tunnels, gui, filter-engine, logging)
     are presumably also top-level children, but their order and
     optionality cannot be confirmed from this page.                     -->
<!ELEMENT secsh-broker  (general?,default-settings?,profiles?,
<!-- Optional schema/format version of the configuration file. -->
<!ATTLIST secsh-broker
          version        CDATA #IMPLIED>

<!-- General element: broker-wide settings (crypto library, PKI
     validation, key stores, ...).                                       -->
<!-- NOTE(review): the content model below is truncated in this listing.
     The strict-host-key-checking, host-key-always-ask,
     accept-unknown-host-keys and known-hosts declarations that appear
     later presumably belong here as well - confirm against the full DTD. -->
<!ELEMENT general      (crypto-lib?,cert-validation?,key-stores?,

<!-- Cryptographic library. -->
<!ELEMENT crypto-lib     EMPTY>
<!-- mode: "fips" or "standard"; defaults to "standard" when the
     attribute is omitted.                                               -->
<!ATTLIST crypto-lib
          mode  (fips|standard) "standard">

<!-- PKI settings: revocation/validation sources (LDAP, OCSP, CRL
     prefetch), DoD PKI mode and the trusted CA certificates.            -->
<!ELEMENT cert-validation      (ldap-server*,ocsp-responder*,crl-prefetch*,
                                dod-pki?, ca-certificate*)>

<!-- end-point-identity-check defaults to "yes". Presumably this controls
     whether the peer certificate is matched against the connected host;
     the default is the safe one, and a "no" value is the setting to look
     for when reviewing a configuration - confirm semantics in the manual.
     http-proxy-url / socks-server-url are presumably used for the
     revocation lookups declared above - confirm.                        -->
<!ATTLIST cert-validation
          end-point-identity-check (yes|no|YES|NO) "yes"
          default-domain      CDATA   #IMPLIED
          http-proxy-url      CDATA   #IMPLIED
          socks-server-url    CDATA   #IMPLIED>

<!-- LDAP server (child of cert-validation). address is mandatory; port
     defaults to "389", i.e. plain LDAP unless configured otherwise.     -->
<!ELEMENT ldap-server    EMPTY>
<!ATTLIST ldap-server
          address        CDATA #REQUIRED
          port           CDATA "389">

<!-- OCSP responder (child of cert-validation). url is mandatory;
     validity-period defaults to "0" - its unit and the meaning of 0 are
     not stated here, confirm in the manual.                             -->
<!ELEMENT ocsp-responder  EMPTY>
<!ATTLIST ocsp-responder
          url             CDATA #REQUIRED
          validity-period CDATA "0">

<!-- CRL prefetch. url is mandatory; interval defaults to "3600"
     (presumably seconds - confirm).                                     -->
<!ELEMENT crl-prefetch   EMPTY>
<!ATTLIST crl-prefetch
          interval       CDATA "3600"
          url            CDATA #REQUIRED>

<!-- CA certificates. The certificate is given either as element text
     (#PCDATA) or via the optional file attribute - which one wins when
     both are present is not stated here.                               -->
<!ELEMENT ca-certificate (#PCDATA)>
<!-- disable-crls defaults to "no" and use-expired-crls to "0"; both
     defaults keep revocation checking in force. Non-default values
     weaken revocation checking for this CA and deserve attention in a
     configuration review.                                              -->
<!ATTLIST ca-certificate
          name            CDATA #REQUIRED
          file            CDATA #IMPLIED
          disable-crls   (yes|no|YES|NO) "no"
          use-expired-crls CDATA "0" >

<!-- Enable DoD PKI compliance (defaults to "no"). -->
<!ELEMENT dod-pki        EMPTY>
<!ATTLIST dod-pki
          enable        (yes|no|YES|NO) "no" >

<!-- Key stores: zero or more key-store entries. -->
<!ELEMENT key-stores (key-store*)>

<!-- Key store. type is mandatory; init is an optional provider-specific
     initialisation string (its format is not constrained by the DTD).  -->
<!ELEMENT key-store      EMPTY>
<!ATTLIST key-store
          type           CDATA #REQUIRED
          init           CDATA #IMPLIED>

<!-- Host key trust policy. The three enable flags below have no default
     (#REQUIRED), so each element, when present, must state its value
     explicitly. Together with known-hosts they decide how an unknown or
     changed server host key is handled; accept-unknown-host-keys set to
     "yes" is the permissive setting to look for when reviewing a
     configuration.                                                     -->
<!ELEMENT strict-host-key-checking EMPTY>
<!ATTLIST strict-host-key-checking
          enable        (yes|no|YES|NO) #REQUIRED>

<!ELEMENT host-key-always-ask EMPTY>
<!ATTLIST host-key-always-ask
          enable        (yes|no|YES|NO) #REQUIRED>

<!ELEMENT accept-unknown-host-keys EMPTY>
<!ATTLIST accept-unknown-host-keys
          enable        (yes|no|YES|NO) #REQUIRED>

<!-- Location of the known-hosts file (path is mandatory). -->
<!ELEMENT known-hosts    EMPTY>
<!ATTLIST known-hosts
          path           CDATA #REQUIRED>

<!-- Default settings element: connection defaults that a profile may
     override (the profile content model repeats these children).       -->
<!-- NOTE(review): the content model below is truncated in this listing;
     the closing ")>" and any further children are not visible.         -->
<!ELEMENT default-settings     (ciphers?, macs?,
                                transport-distribution?, rekey?,
                                compression?, proxy?, idle-timeout?,
                                server-banners?, forwards?,

<!-- Server banners: whether the server banner is shown; defaults to
     "yes".                                                             -->
<!ELEMENT server-banners EMPTY>
<!ATTLIST server-banners  
          visible       (yes|no|YES|NO) "yes">

<!-- Ciphers element: ordered list of cipher entries. -->
<!ELEMENT ciphers       (cipher*)>

<!-- Cipher. name is mandatory; the DTD does not restrict the set of
     algorithm names, so typos are not caught by validation.            -->
<!ELEMENT cipher         EMPTY>
<!ATTLIST cipher
          name           CDATA #REQUIRED>

<!-- Macs element: ordered list of mac entries. -->
<!ELEMENT macs          (mac*)>

<!-- Mac. -->
<!-- NOTE(review): the "<!ATTLIST mac" line is missing from this listing;
     the attribute line below presumably belongs to it.                 -->
<!ELEMENT mac            EMPTY>
          name           CDATA #REQUIRED>

<!-- Rekey: bytes defaults to "0". Presumably 0 means no byte-count based
     rekeying is configured here - confirm in the manual.               -->
<!ELEMENT rekey          EMPTY>
<!ATTLIST rekey
          bytes          CDATA "0">

<!-- Hostbased default domain (name is mandatory). -->
<!ELEMENT hostbased-default-domain EMPTY>
<!ATTLIST hostbased-default-domain
          name           CDATA #REQUIRED>
<!-- Authentication methods element: ordered list of
     authentication-method entries.                                      -->
<!ELEMENT authentication-methods (authentication-method*)>

<!-- Remote environment element: environment variables to pass to the
     remote side. name and value are mandatory; format defaults to "no"
     (what formatting "yes" applies to value is not stated here).        -->
<!ELEMENT remote-environment (environment*)>
  <!ELEMENT environment  EMPTY>
  <!ATTLIST environment
            name		     CDATA #REQUIRED
            value        CDATA #REQUIRED
            format	     (yes|no|YES|NO) "no">

<!-- Transport distribution: num-transports is mandatory (numeric value
     not enforced by the DTD).                                          -->
<!ELEMENT transport-distribution EMPTY>
<!ATTLIST transport-distribution
          num-transports CDATA #REQUIRED>

<!-- Authentication method (name is mandatory). -->
<!-- NOTE(review): the ATTLIST below is not terminated in this listing
     and the "<!ELEMENT proxy ...>" declaration that should precede the
     proxy ATTLIST is missing; both look like transcription gaps rather
     than DTD content.                                                  -->
<!ELEMENT authentication-method  EMPTY>
<!ATTLIST authentication-method
          name           CDATA #REQUIRED

<!-- Proxy rules: ruleset is mandatory; its syntax is not defined here. -->
<!ATTLIST proxy
          ruleset        CDATA #REQUIRED>

<!-- Idle timeout. type only allows "connection" (also the default);
     time is optional and its unit is not stated here.                  -->
<!ELEMENT idle-timeout   EMPTY>
<!ATTLIST idle-timeout
          type          (connection) "connection"
          time           CDATA #IMPLIED>

<!-- Forwards element: list of forward entries. -->
<!ELEMENT forwards      (forward*)>

<!-- Forward. Controls X11 and agent forwarding; both attributes are
     mandatory. "denied" is a distinct state from "off" - the
     difference is not explained in this listing.                       -->
<!ELEMENT forward        EMPTY>
<!ATTLIST forward
          type          (x11|agent)     #REQUIRED
          state         (on|off|denied) #REQUIRED>

<!-- Compression: optional algorithm name and level (neither value set
     is constrained by the DTD).                                        -->
<!ELEMENT compression    EMPTY>
<!ATTLIST compression
          name           CDATA #IMPLIED
          level          CDATA #IMPLIED>

<!-- Profiles element: list of connection profiles. -->
<!ELEMENT profiles      (profile*)>

<!-- Connection profile: per-host overrides of the default-settings
     children plus hostkey and tunnels.                                 -->
<!-- NOTE(review): the content model below is truncated in this listing. -->
<!ELEMENT profile       (hostkey?, ciphers?, macs?,
                         transport-distribution?, rekey?,
                         compression?, proxy?, idle-timeout?,
                         server-banners?, forwards?, tunnels?,
<!-- id is an XML ID (document-unique, checked by validation). host is
     mandatory; port defaults to "22"; connect-on-startup to "no".
     gateway-profile is CDATA rather than IDREF, so a reference to a
     non-existent profile id is not caught by DTD validation.          -->
<!ATTLIST profile
          id             ID #REQUIRED
          name           CDATA #IMPLIED
          host           CDATA #REQUIRED
          port           CDATA "22"
          connect-on-startup (yes|no|YES|NO) "no"
          user           CDATA #IMPLIED
          gateway-profile CDATA #IMPLIED>

<!-- Hostkey: the expected server host key for this profile, given as
     element text (#PCDATA) or via the optional file attribute.         -->
<!ELEMENT hostkey       (#PCDATA)>
<!ATTLIST hostkey
          file           CDATA #IMPLIED>

<!-- Tunnels element: local tunnels first, then remote tunnels. -->
<!ELEMENT tunnels       (local-tunnel*,remote-tunnel*)>

<!-- Local tunnel. listen-port and dst-port are mandatory; type defaults
     to "tcp"; dst-host defaults to the empty string. allow-relay
     defaults to "no" - presumably it governs whether hosts other than
     the local one may use the listener, so "yes" widens exposure;
     confirm in the manual.                                             -->
<!ELEMENT local-tunnel   EMPTY>
<!ATTLIST local-tunnel
          type           CDATA "tcp"
          listen-port    CDATA #REQUIRED
          dst-host       CDATA ""
          dst-port       CDATA #REQUIRED
          allow-relay   (yes|no|YES|NO) "no">

<!-- Remote tunnel. Same attributes and defaults as local-tunnel. -->
<!ELEMENT remote-tunnel  EMPTY>
<!ATTLIST remote-tunnel
          type           CDATA "tcp"
          listen-port    CDATA #REQUIRED
          dst-host       CDATA ""
          dst-port       CDATA #REQUIRED
          allow-relay   (yes|no|YES|NO) "no">

<!-- Static tunnels element: list of tunnel entries. -->
<!ELEMENT static-tunnels (tunnel*)>

<!-- Static tunnel. Same attributes and defaults as local-tunnel plus a
     mandatory profile reference. profile is CDATA rather than IDREF,
     so a dangling reference to a profile id is not caught by DTD
     validation.                                                        -->
<!ELEMENT tunnel         EMPTY>
<!ATTLIST tunnel
          type           CDATA "tcp"
          listen-port    CDATA #REQUIRED
          dst-host       CDATA ""
          dst-port       CDATA #REQUIRED
          allow-relay   (yes|no|YES|NO) "no"
          profile        CDATA #REQUIRED>

<!-- GUI: visibility flags for the tray icon, exit button, admin view,
     connector and security notifications. All are optional with no
     DTD default.                                                       -->
<!-- NOTE(review): the "<!ATTLIST gui" line is missing from this listing;
     the attribute lines below presumably belong to it.                 -->
<!ELEMENT gui            EMPTY>
          hide-tray-icon              (yes|no|YES|NO) #IMPLIED
          show-exit-button            (yes|no|YES|NO) #IMPLIED
          show-admin                  (yes|no|YES|NO) #IMPLIED
          enable-connector            (yes|no|YES|NO) #IMPLIED
          show-security-notification  (yes|no|YES|NO) #IMPLIED>

<!-- Filter engine: any mix of network, dns and filter entries. -->
<!-- NOTE(review): the ">" ending the ip-generate-start line closes the
     ATTLIST early, leaving the ftp-filter-at-signs line stray; this
     looks like a transcription error in the listing rather than the
     real DTD. ftp-filter-at-signs defaults to "no".                    -->
<!ELEMENT filter-engine      (network|dns|filter)*>
<!ATTLIST filter-engine
          ip-generate-start    CDATA #IMPLIED>
          ftp-filter-at-signs (yes|no|YES|NO) "no">

<!-- Network: id is an XML ID and is referenced by dns/network-id. -->
<!ELEMENT network        EMPTY>
<!ATTLIST network
          id                  ID    #REQUIRED
          address             CDATA #IMPLIED
          domain              CDATA #IMPLIED
          ip-generate-start   CDATA #IMPLIED>

<!-- DNS entry: id is an XML ID referenced by filter/dns-id; network-id
     is a validated IDREF to a network. pseudo-ip defaults to "no".    -->
<!-- NOTE(review): the "<!ATTLIST dns" line is missing from this listing. -->
<!ELEMENT dns            EMPTY>
          id                  ID    #REQUIRED
          network-id          IDREF #IMPLIED
          application         CDATA #IMPLIED
          host                CDATA #IMPLIED
          ip-address          CDATA #IMPLIED
          pseudo-ip          (yes|no|YES|NO) "no">

<!-- Filter rule. dns-id is a validated IDREF; ports and action are
     mandatory but their value syntax is not constrained here.
     profile-id is CDATA, not IDREF, so a dangling profile reference is
     not caught by validation. fallback-to-plain defaults to "no";
     presumably "yes" allows the connection to proceed unprotected when
     the filter cannot apply, so it is the value to look for when
     reviewing a configuration - confirm in the manual.                 -->
<!ELEMENT filter         EMPTY>
<!ATTLIST filter
          dns-id              IDREF #REQUIRED
          ports               CDATA #REQUIRED
          action              CDATA #REQUIRED
          profile-id          CDATA #IMPLIED
          fallback-to-plain  (yes|no|YES|NO) "no">

<!-- Logging: zero or more log-events entries. -->
<!ELEMENT logging            (log-events*)>

<!-- Log events. -->
<!-- Log event facility. -->
<!ENTITY default-log-event-facility    "normal">

<!-- Log event severity. -->
<!ENTITY default-log-event-severity    "notice">

<!-- Log events entry: element text lists the events; facility and
     severity are enumerated.                                           -->
<!-- NOTE(review): both enumerations below are cut off in this listing,
     so the full value sets and the attribute defaults are not visible;
     the two entities above presumably supply the defaults - confirm.   -->
<!ELEMENT log-events    (#PCDATA)>
<!ATTLIST log-events
          facility      (normal|daemon|user|auth|local0|local1|
          severity      (informational|notice|warning|error|critical|