AnkaSecure CLI – Configuration Guide
This document outlines how to configure and run the AnkaSecure CLI. By specifying authentication credentials, server details, and logging preferences in cli.properties, you can seamlessly connect to the AnkaSecure API and perform cryptographic operations.
Sample cli.properties
Below is an example cli.properties file with minimal modifications needed for a production-like environment:
###############################################################################
# OPENAPI SERVER VARIABLES
###############################################################################
openapi.scheme=https
openapi.host=demo.ankatech.co
openapi.port=443
# Keep false so TLS certificate validation is enforced; true disables it
openapi.insecureSkipTlsVerify=false
###############################################################################
# TIMEOUTS (in milliseconds)
###############################################################################
openapi.connectTimeoutMs=10000
openapi.readTimeoutMs=30000
openapi.writeTimeoutMs=30000
###############################################################################
# PROXY SETTINGS (if needed):
###############################################################################
#openapi.proxyHost=proxy.mycompany.com
#openapi.proxyPort=8080
#openapi.proxyUser=someUser
#openapi.proxyPassword=somePassword
###############################################################################
# PQC TRANSPORT ENCRYPTION
###############################################################################
# Enable or disable application-level PQC transport encryption over HTTPS
pqc.transport.enabled=false
# Session TTL in seconds (after this, a new handshake is performed)
pqc.session.ttl.seconds=600
# KEM algorithm to use (server must support the same)
pqc.kem.algorithm=ML-KEM-512
###############################################################################
# PROGRESS BAR FOR LARGE FILE UPLOADS
###############################################################################
openapi.enableProgressBar=false
###############################################################################
# LOGGING CONFIGURATION
###############################################################################
# You can override these placeholders to control user logs and dev logs:
user.log.level = INFO
user.log.filename = AnkaSecureCLI.log
user.log.filenamePattern = AnkaSecureCLI.%i.log
user.log.maxFileSize = 5MB
# dev.log.level = DEBUG
# dev.log.filename = dev.log
# dev.log.filenamePattern = dev.%i.log
# dev.log.maxFileSize = 10MB
# root.log.level = WARN
###############################################################################
# CLI AUTHENTICATION (SECURE INIT METHOD RECOMMENDED)
# Use 'AnkaSecureCLI init' to securely store your clientId/clientSecret
###############################################################################
client.uuid=63cfdf0d48f9481088d08f5fd9fcdbf0
client.salt=4313618a4a836609cbff69badccb2801
clientIdEnc=KSv9KCpouy8VYDDr07jP7arF3ac5BDgjNBzQcW0EwPkL4SfBuW4YAMaQZ6X/B3nPGlSZwHHJL/EVhCNJlyT/7A==
clientSecretEnc=5B3K++Fhkd7l9jgkOMnchoMnd5AcHtYnUuH7j+XWnQuWEvcs5Sxejw==
Initialization via CLI (init command)
Instead of manually specifying clientId and clientSecret in plaintext within your cli.properties file, you must securely initialize them using the init command provided by the CLI:
- Prompt for Credentials: You will be prompted to enter your clientId and clientSecret. For automation, use the --silent flag to suppress interactive messages.
- Force Overwrite: If the CLI is already initialized, use the --force flag to overwrite existing credentials without further prompt.
- Custom Configuration File: Optionally, use the --config-path=<file> flag to specify an alternate configuration file.
Upon successful initialization, the CLI will encrypt your credentials using AES-GCM (with a key derived from a randomly generated UUID and salt) and update your cli.properties with secure entries:
Important: Always use AnkaSecureCLI init (with --force if needed) when setting up or rotating credentials. Do not manually edit the encrypted properties (clientIdEnc, clientSecretEnc, client.uuid, client.salt).
Key Sections
- Authentication Credentials (Secure Initialization Recommended)
  - The AnkaSecure CLI supports secure initialization via the init command.
  - Credentials are encrypted and stored as:
  - To set these securely, run:
    This command will prompt you to enter your credentials and store them in encrypted form.
- OpenAPI Server Variables
  - openapi.scheme, openapi.host, and openapi.port define the server connection.
  - openapi.insecureSkipTlsVerify=false ensures TLS certificate validation is enforced (recommended for production).
- Timeouts
  - openapi.connectTimeoutMs=10000 (10 seconds) for initial connection attempts.
  - openapi.readTimeoutMs=30000 and openapi.writeTimeoutMs=30000 for data transfers.
- Proxy Settings
  - Uncomment and configure proxy settings if needed.
  - Accepts openapi.proxyHost, openapi.proxyPort, openapi.proxyUser, and openapi.proxyPassword.
- PQC Transport Encryption
  - pqc.transport.enabled=false enables or disables application-level PQC transport encryption over HTTPS.
  - pqc.session.ttl.seconds=600 (600 seconds) sets the session TTL in seconds (after this, a new handshake is performed).
  - pqc.kem.algorithm=ML-KEM-512 selects the KEM algorithm to use (the server must support the same one). ML-KEM-512, ML-KEM-768, and ML-KEM-1024 are acceptable.
- Progress Bar
  - openapi.enableProgressBar=false by default. Set to true to display a progress indicator for large file transfers.
- Logging Configuration
  - user.log.level=INFO defines the verbosity of user logs (INFO is recommended in production).
  - user.log.filename and user.log.filenamePattern control log rotation.
  - Developer logs (dev.log.level) are available but disabled by default.
  - root.log.level=WARN sets the base logging level.
How to Apply cli.properties
- Same Directory as the JAR: If cli.properties is in the same folder as AnkaSecureCLI.jar, the CLI will auto-discover it.
- Custom Path: You can specify an alternate configuration file using the system property:
Best Practices
- Production TLS: Keep openapi.insecureSkipTlsVerify=false to ensure strict certificate validation.
- Secret Handling: The clientSecret is sensitive. Store cli.properties securely and restrict file permissions.
- Log Rotation: Ensure that user.log.filenamePattern and user.log.maxFileSize are properly configured to prevent excessive log file growth.
- Proxy Settings: Configure only if necessary and verify that your network traffic is correctly routed.
- Periodically Rotate Credentials: If your clientId or clientSecret changes, simply run:
  (Use --silent for automated scripts if needed.) This will securely overwrite the existing encrypted credentials in cli.properties without manual editing.
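The checks listed under Best Practices can be run automatically before a cli.properties file is deployed. The following is an added example, not part of the AnkaSecure CLI: it uses a simplified key=value parser (no line continuations or ':' separators), assumes plaintext credentials would appear under the keys clientId and clientSecret, and the function names are hypothetical.

```python
import os
import stat

KEMS = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024"}  # values this guide lists
ENC_KEYS = ("client.uuid", "client.salt", "clientIdEnc", "clientSecretEnc")

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props, mode=None):
    """Return findings for the settings the guide calls out; [] means clean."""
    findings = []
    if props.get("openapi.scheme", "").lower() != "https":
        findings.append("openapi.scheme is not https")
    if props.get("openapi.insecureSkipTlsVerify", "").lower() == "true":
        findings.append("openapi.insecureSkipTlsVerify=true: certificates are not validated")
    # Assumption: plaintext credentials would use the keys clientId/clientSecret.
    for key in ("clientId", "clientSecret", "openapi.proxyPassword"):
        if key in props:
            findings.append(key + " is stored in plaintext")
    missing = [k for k in ENC_KEYS if k not in props]
    if missing:
        findings.append("not initialized, missing: " + ", ".join(missing))
    kem = props.get("pqc.kem.algorithm")
    if kem is not None and kem not in KEMS:
        findings.append("pqc.kem.algorithm=" + kem + " is not an accepted value")
    if mode is not None and mode & 0o077:
        findings.append("file mode %o lets group/other access it" % mode)
    return findings

def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    return audit(props, stat.S_IMODE(os.stat(path).st_mode))

# Constructed sample, not a real deployment's file.
SAMPLE = """\
openapi.scheme=https
openapi.insecureSkipTlsVerify = true
clientSecret=constructed-placeholder
pqc.kem.algorithm=ML-KEM-256
"""
```

Calling audit_file("cli.properties") in a deployment pipeline and failing the job on a non-empty result catches a disabled certificate check or a world-readable credentials file before the CLI is ever run. The permission check reads POSIX mode bits, so it is only meaningful on Linux and macOS.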
Executable vs. JAR Usage
When installing the AnkaSecure CLI via the provided installers (e.g., .exe for Windows, .dmg for macOS, or .sh for Linux), the installation process typically produces two native executables in your chosen install directory:
- AnkaSecureCLI -- Standard command-line interface.
- AnkaSecureCLIDemo -- An interactive, menu-driven demo showcasing example scenarios.
These executables are convenience wrappers around AnkaSecureClient.jar. You can run them directly or run the JAR manually:
cli.properties configuration.
Example Usage
Once your cli.properties is configured and you have securely initialized your credentials via init, the CLI will automatically use the specified secure credentials and server settings.
# Generate a new key
java -jar AnkaSecureClient.jar generate-key --kid myTestKey --kty RSA --alg RSA-2048
user.log.level setting and saved to AnkaSecureCLI.log.
Conclusion
The AnkaSecure CLI provides crypto-agility, post-quantum security, and large-file streaming in a secure command-line environment. By configuring cli.properties to your environment and using the init command to securely store your credentials, you can ensure robust, script-friendly, and secure operations. This configuration file centralizes your CLI's authentication, server settings, timeouts, proxy, and logging preferences, making integration with DevOps pipelines seamless and secure.