Plugin

[Plugin]
:AccessEnumProperty=
:AccessFailMode=1
:AccessGetProperty=
:AccessInvoke=
:AccessSetProperty=
:AutoDecodeBase64=1
:BlockInvokeThread=0
:CompabilityVersion=0700
:Description=
:HostInformationSignature=0
:LogFile=
:MimeType=
:Name=
SiteAccessUnknown=as-parent-app
SiteAccessUntrusted=low
:UseInternalEncrypt=2
:UseInternalVerify=1
:Version=
:VersionAPI=

AccessGetProperty, AccessSetProperty, AccessEnumProperty, AccessInvoke

The default access restrictions for accessing the plugin should probably be acceptable, but there are situations when the default values must be changed.

[Plugin]
AccessGetProperty=<name>,<access-level>;<name>,<access-level>
AccessSetProperty=<name>,<access-level>,<type>,<min-size-byte>,<max-size-byte>
AccessEnumProperty=<name>,<access-level>
AccessInvoke=<name>,<access-level>

Values

<name>

<name> AccessGetProperty

See list Default access GetProperty

<name> AccessSetProperty

See list Default access SetProperty

<name> AccessEnumProperty

See list Default access EnumProperty

<name> AccessInvoke

See list Default access Invoke

<access-level>

always

This parameter or action is always accessible, even when Plugin is blocked. The parameter should not be sensitive at all.

full

The parameter or action is accessible when the configuration says you have full access.

use

The parameter or action is accessible when the configuration says you have use access.

low

The parameter or action is accessible at the lowest possible access. Usually, the parameter is not sensitive at all.

block

The parameter or action is blocked and is therefore ignored.

<type>

0

PARAM_TYPE_IGNORE

1

PARAM_TYPE_BOOL

2

PARAM_TYPE_NUMBER

3

PARAM_TYPE_HEXADECIMAL

4

PARAM_TYPE_BASE64

5

PARAM_TYPE_OID

6

PARAM_TYPE_STRING

7

PARAM_TYPE_URL

<min-size-byte>, <max-size-byte>

Sizes are in bytes. Default sizes for the SetProperty parameter are given in this list, and the different pre-defined sizes are given in this list.

Example 1. Plugin configuration example

[Plugin]
AccessGetProperty=Version,low;MachineInfo,full
AccessSetProperty=Data,use,4,0,10000
AccessEnumProperty=Token,full
AccessInvoke=Refresh,full
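
A validator for the Access* entries, following the syntax, access levels and type codes listed above. This is an added example, not part of the product or its documentation. The function name parse_access_value is hypothetical, and it assumes that ";" separates entries for every Access* key (the page shows this only for AccessGetProperty) and that access levels are matched exactly as written.

```python
# Added example: check Access* values against the grammar documented above.
ACCESS_LEVELS = {"always", "full", "use", "low", "block"}
PARAM_TYPES = {
    0: "PARAM_TYPE_IGNORE", 1: "PARAM_TYPE_BOOL", 2: "PARAM_TYPE_NUMBER",
    3: "PARAM_TYPE_HEXADECIMAL", 4: "PARAM_TYPE_BASE64", 5: "PARAM_TYPE_OID",
    6: "PARAM_TYPE_STRING", 7: "PARAM_TYPE_URL",
}
# Comma-separated fields per entry, taken from the syntax lines on the page.
FIELD_COUNT = {"AccessGetProperty": 2, "AccessSetProperty": 5,
               "AccessEnumProperty": 2, "AccessInvoke": 2}


def parse_access_value(key, value):
    """Return (rules, errors) for the value of one Access* line.

    Assumption: ';' separates entries for every Access* key.
    """
    rules, errors = [], []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        fields = [f.strip() for f in entry.split(",")]
        if len(fields) != FIELD_COUNT[key]:
            errors.append(f"{key}: '{entry}' needs {FIELD_COUNT[key]} fields")
            continue
        name, level = fields[0], fields[1]
        if level not in ACCESS_LEVELS:
            errors.append(f"{key}: unknown access level '{level}' for {name}")
            continue
        rule = {"name": name, "level": level}
        if key == "AccessSetProperty":
            try:
                ptype, lo, hi = (int(f) for f in fields[2:])
            except ValueError:
                errors.append(f"{key}: non-numeric type or size for {name}")
                continue
            if ptype not in PARAM_TYPES:
                errors.append(f"{key}: unknown type {ptype} for {name}")
                continue
            if lo < 0 or hi < lo:
                errors.append(f"{key}: bad size range {lo}..{hi} for {name}")
                continue
            rule.update(type=PARAM_TYPES[ptype], min_bytes=lo, max_bytes=hi)
        rules.append(rule)
    return rules, errors
```

Run against Example 1, the AccessSetProperty line resolves to a base64 parameter named Data, accessible at use level, between 0 and 10000 bytes.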

AccessFailMode

AccessFailMode specifies the behavior after a plugin call is blocked.

[Plugin]
AccessFailMode=1

Values

0

ACCESS_FAIL_MODE_BLOCK

1

ACCESS_FAIL_MODE_CONTINUE

AutoDecodeBase64Data

AutoDecodeBase64Data specifies whether base64-encoded data should be auto-decoded when used for Invoke Decrypt or Invoke Verify. Data should be base64-encoded, so this will usually only auto-correct data that is double-encoded.

[Plugin]
AutoDecodeBase64Data=1

Values

0

off

1

on, 1 is the default.

BlockInvokeThread

When investigating a failure, it can be necessary to block execution in separate threads. The BlockInvokeThread parameter stops the execution of the invoke command in a separate thread.

[Plugin]
BlockInvokeThread=0

CompabilityVersion

A plugin loaded with an old ActiveX classID can have a different version number for better compatibility with existing web applications.

Description

This parameter is used to control the information returned by the NPAPI interface. It is only used for debugging. Do not change this value.

HostInformationSignature

The HostInformationSignature parameter adds host information to a plugin signature.

LogFile

The LogFile parameter allows for recording of all plugin calls to the specified file. This file is useful for the investigation of failures. It is also a bit sensitive since it can contain passwords and other sensitive information. Thus, this parameter is ignored unless running on a development license.

[Plugin]
LogFile=C:\Temp\plugin.txt

MimeType

This parameter is used to control the information returned by the NPAPI interface. It is only used for debugging. Do not change this value.

Name

This parameter is used to control the information returned by the NPAPI interface. It is only used for debugging. Do not change this value.

SiteAccessUnknown

The introduction of I/O access towards the plugin has opened a possible man-in-the-middle attack. Thus, we have added a parameter that sets the access level for unknown access.

[Plugin]
SiteAccessUnknown=as-parent-app

Values

The access value sets the access level described in section Access level.

full

All functionality is enabled. Sets access level to full.

use

Most functionality is enabled. Sets access level to use.

ask-multi

Asks the user to allow access each time.

  • Answering yes (clicking YES) sets the access level to use.

  • Answering no (clicking NO) sets the access level to block.

ask-once

Asks the user to allow access and remembers the answer.

  • Answering yes (clicking YES) sets the access level to use.

  • Answering no (clicking NO) sets the access level to block.

as-parent-app

Checks the unknown caller by getting the parent process ID and making sure that the process is allowed. This is done by validating the parent process's application path. The process or parent process must be defined in Plugin AllowApp or located in a system-specific safe location.

If this check fails, the access level is set to block. Otherwise, it is set to the access value, resulting in the access level set for the process in Plugin AllowApp.

low

Only basic functionality is enabled. Sets access level to low.

block

No functionality is enabled. Sets access level to block.

Parameters and actions with access level always are always accessible no matter what access value is set.

SiteAccessUntrusted

The web browser Internet Explorer will by default use a sandbox for sites that are not marked as "trusted". Those sites are apparently not fully trusted and should probably not be used to administer Net iD Client. Net iD Client handles the administration of "sandboxed" data, such as soft tokens, but you may want to limit the access.

[Plugin]
SiteAccessUntrusted=low

Values

The access value sets the access level described in section Access level.

full

All functionality is enabled. Sets access level to full.

use

Most functionality is enabled. Sets access level to use.

ask-multi

Asks the user to allow access each time.

  • Answering yes (clicking YES) sets the access level to use.

  • Answering no (clicking NO) sets the access level to block.

ask-once

Asks the user to allow access and remembers the answer.

  • Answering yes (clicking YES) sets the access level to use.

  • Answering no (clicking NO) sets the access level to block.

low

Only basic functionality is enabled. Sets access level to low.

block

No functionality is enabled. Sets access level to block.

Parameters and actions with access level always are always accessible no matter what access value is given.

UseInternalEncrypt, UseInternalVerify

For encryption or verification, the plugin can use either an external or an internal library. These parameters tell which to use.

#define USE_INTERNAL_NEVER       0
#define USE_INTERNAL_MAY         1
#define USE_INTERNAL_ALWAYS      2

[Plugin]
UseInternalEncrypt=2
UseInternalVerify=1

VerifySignature

The VerifySignature parameter activates verification of created signatures when calling Invoke Sign. This is only possible for attached signatures.

Only use the VerifySignature parameter for debugging purposes.

[Plugin]
VerifySignature=0

Values

0

off

1

on, 1 is default.

Version

This parameter is used to control the information returned by the NPAPI interface. It is only used for debugging. Do not change this value.

VersionAPI

This parameter is used to control the information returned by the NPAPI interface. It is only used for debugging. Do not change this value.
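
A configuration review check built from the statements on this page: it validates the site access and mode values against the documented lists and reports parameters the page describes as debugging-only or sensitive. This is an added example, not the product's own tooling. The function name audit_plugin, the finding texts and the sample configuration are constructed for illustration.

```python
import configparser

# Values from the two "Values" lists above; as-parent-app is listed only
# under SiteAccessUnknown.
SITE_VALUES = {"full", "use", "ask-multi", "ask-once", "low", "block"}
ALLOWED = {"SiteAccessUnknown": SITE_VALUES | {"as-parent-app"},
           "SiteAccessUntrusted": SITE_VALUES,
           "AccessFailMode": {"0", "1"},
           "UseInternalEncrypt": {"0", "1", "2"},
           "UseInternalVerify": {"0", "1", "2"}}
# Parameters the page marks "only used for debugging. Do not change this value".
DO_NOT_CHANGE = ("Description", "MimeType", "Name", "Version", "VersionAPI")


def audit_plugin(ini_text):
    """Return a sorted list of findings for the [Plugin] section of ini_text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(ini_text)
    if not cp.has_section("Plugin"):
        return ["no [Plugin] section"]
    plugin = cp["Plugin"]
    findings = []
    for key, allowed in ALLOWED.items():
        value = plugin.get(key, "").strip()
        if value and value not in allowed:
            findings.append(f"{key}={value}: not a documented value")
    for key in DO_NOT_CHANGE:
        if plugin.get(key, "").strip():
            findings.append(f"{key} is set: debugging only, leave unchanged")
    if plugin.get("LogFile", "").strip():
        findings.append("LogFile is set: log can contain passwords")
    if plugin.get("VerifySignature", "").strip() == "1":
        findings.append("VerifySignature=1: debugging only")
    return sorted(findings)


# Constructed sample, not a real deployment's configuration.
SAMPLE = """\
[Plugin]
SiteAccessUnknown=as-parent-app
SiteAccessUntrusted=as-parent-app
LogFile=C:\\Temp\\plugin.txt
VerifySignature=1
"""
```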