security Parameters

context Default value Description

With versions <= 2019.1, the log level on the DCV agent processes is only set when they start. — Available since version 2017.0-4100 (p. 151).

rotate integer

-DWORD (32-bit)

server 10 Number of log file rotations —

Specifies the number of times that log files are rotated before being removed. If the value is 0, old versions are removed rather than rotated. — Available since version 2017.0-4100 (p. 151).

transfer-audit string server 'none' Transfer direction to audit

— Specifies which transfer direction to audit. If this

parameter is enabled, a new CSV file logs transfers between the server and clients. The allowed values are: 'none', 'server-to-client', 'client-to-server', and 'all'.

If this value is missing or equal to 'none', transfer audits are disabled and no file is created.

— Available since version 2017.0-4100 (p. 151).

security Parameters

The following table describes the configuration parameters in the [security] section of the /etc/

dcv/dcv.conf file for Linux NICE DCV servers, and the security registry key for Windows NICE DCV servers.

context Default value Description

allowed-http-host-regex string server '^.+$' Allowed host regular

expression — Specifies a regular expression pattern representing the host names that this DCV server can serve. If the Host header of an incoming HTTP request does not match this pattern, the request itself fails with a 403 Forbidden status code. This is a security measure to prevent HTTP Host header

security Parameters

context Default value Description

attacks. The pattern must be a valid Javascript-like regular expression. Letters in the pattern match both uppercase and lowercase letters. Example:

'^(www\.)?example\.com$'.

— Available since version 2017.0-4100 (p. 151).

allowed-ws-origin-regex string server '^https://.+$' Allowed origins — Specifies

a regular expression pattern representing the origins that this DCV server accepts. When establishing a WebSocket connection, the Origin header field in the client's handshake indicates the origin of the script establishing the connection.

If the Origin header of an incoming HTTP request does not match this pattern, the request itself fails with a 403 Forbidden status code. This is a security measure to prevent cross-site WebSocket hijacking (CSWSH) attacks. The pattern must be a valid Javascript-like regular expression. Letters in the pattern match both uppercase and lowercase letters. The Origin header has the form:

<scheme> "://" <host> [ ":"

<port> ]. Example: '^https://

(www\.)?example\.com(:443)?

$'. — Available since version 2017.0-4100 (p. 151).

auth-connection-setup-timeout integer -DWORD (32-bit)

server 120 Authentication channel

connection setup timeout

— Specifies the amount of time (in seconds) allowed for the authentication channel connection setup procedure to be completed before timing out.

If the procedure takes more, then the channel is closed. If set to 0, the authentication channel connection setup timeout is disabled. — Available since version 2017.0-4100 (p. 151).

security Parameters

context Default value Description

auth-token-verifier string server '' The endpoint of the

authentication token verifier

— Specifies the endpoint (URL) of the authentication token verifier used by the DCV server. If empty, the internal authentication token verifier is used. — Available since version 2017.0-4100 (p. 151).

authentication string server 'system' Authentication method

— Specifies the client

authentication method used by the DCV server. Use 'system' to delegate client authentication to the underlying operating system. Use 'none' to disable client authentication and grant access to all clients.

— Available since version 2017.0-4100 (p. 151).

authentication-threshold integer

-DWORD (32-bit)

server 3 Authentication threshold —

Specifies how many times each client can fail authentication before the connection is closed by the server. To allow unlimited authentication attempts, use 0. — Available since version 2017.0-4100 (p. 151).

ca-file string server '' CA file — Specifies the file

containing the certificate authorities (CAs) trusted by the DCV server. If empty, use the default trust store provided by the system. — Available since version 2017.0-4100 (p. 151).

certificate-to-user-file string custom '' Certificate to user mapping file

— Specifies the file containing the certificate to user mapping list. — Available since version 2022.0-11954 (p. 136).

security Parameters

context Default value Description

ciphers string server

'ECDHE-RSA-

Cipher list used on the TLS connections — Specifies the cipher list used on TLS connections. The cipher list must be separated using the character

":" and must be supported by openssl and the clients.

— Available since version 2017.0-4100 (p. 151).

connection-estab-timeout integer

-DWORD (32-bit)

server 5 Connection establishment

timeout — Specifies the amount of time (in seconds) allowed for the connection procedure to be completed before timing out.

If the procedure takes more, then the connection is closed.

If set to 0, the connection establishment does not time out. — Available since version 2017.0-4100 (p. 151).

connection-setup-timeout integer

-DWORD (32-bit)

server 5 Channel connection setup

timeout — Specifies the amount of time (in seconds) allowed for the channel connection setup procedure to be completed before timing out. If the procedure takes more, then the channel is closed. If set to 0, the channel connection setup does not time out. — Available since version 2017.0-4100 (p. 151).

crl-file string custom '' CRL file — Specifies the file

containing the certificate revocation list (CRL). — Available since version

server Linux: false

-Windows: 0 Enable GSSAPI SASL mechanism — Enables or disables GSSAPI SASL mechanism, that allows DCV authentication with kerberos.

— Available since version 2017.3-6698 (p. 147).

security Parameters

context Default value Description

max-connections-per-user integer

-DWORD (32-bit)

server 10 Maximum number of user's

connections — Specifies the maximum number of allowed concurrent connections per user. Exceeding connections are rejected. — Available since version 2017.0-4100 (p. 151).

no-tls-strict true or false -DWORD (32-bit)

server Linux: false

-Windows: 0 Enables or disables strict certificate validation — Enables or disables strict certificate validation when connecting to an external authentication token verifier. Strict certificate validation must be disabled if the authentication token verifier uses a self-signed certificate.

— Available since version 2017.0-4100 (p. 151).

os-auto-lock true or false -DWORD (32-bit)

session Linux: true

-Windows: 1 Whether to lock the OS session when last client connection ends — If enabled, the OS session is locked when the last client connection is closed.

— Available since version 2017.1-5777 (p. 150).

pam-service-name string server 'dcv' PAM service name —

Specifies the name of the PAM configuration file used by DCV. The default PAM service name is 'dcv' and corresponds with the /etc/pam.d/dcv configuration file. This parameter is only used if the 'system' authentication method is used. — Available since version 2017.0-4100 (p. 151).

passwd-file string server '' Password file — Specifies the

password file to be used to check user credentials (only with dcv authentication mode).

If empty, use the default file in ${XDG_CONFIG_HOME}/

NICE/dcv/passwd for Linux, or

%CSIDL_LOCAL_APPDATA%

\NICE\dcv\passwd for Windows.

— Available since version 2017.0-4100 (p. 151).