Configuring the Identity Server
The Identity Server configuration file contains parameters required to configure the Identity Service for PEM 2.0. This topic describes the parameters and their default values.
Overview
The Identity Server configuration file (typically named pemIdentitySetup.cfg) contains properties for database connectivity, SSL/TLS settings, server URLs, and authentication parameters. Configure these properties before deploying the Identity Service container.
Application and database configuration
The following table lists the parameters for application code and database configuration:
| Parameter | Default Value | Description |
|---|---|---|
| app_code | pem | Application code identifier. Do not change this value. |
| identity.encryption_key | 0123456789ABCD...CDEF | Encryption key used to encrypt/decrypt passwords. Generic key works for PEM and B2BI deployments. Override with a custom 32-byte hex key for production. |
| pem.db_type | db2 | Specify the type of database. Allowed values: db2, oracle, mssql. |
| pem.db_ssl_connection | false | Enable SSL for database connections. Valid values: true or false. |
| pem.db_host | Not set | Database host IP address or hostname. |
| pem.db_port | Not set | Database connection port number. |
| pem.db_data | Not set | Database name. |
| pem.db_user | Not set | Database user name. |
| pem.db_password | Not set | Database user password. |
| pem.db_oracle_use_service_name | true | Whether to use service name instead of SID for Oracle DB connection. Valid values: true or false. |
Database SSL/TLS configuration
The following table lists the parameters for database SSL/TLS security:
| Parameter | Default Value | Description |
|---|---|---|
| pem.db_truststore | Not set | Truststore file name, as a path relative to the mounted resource location. Example: security/dbtruststore.p12. |
| pem.db_truststore_password | Not set | Password for the database truststore. |
| pem.db_keystore | Not set | Keystore file name, as a path relative to the mounted resource location. Example: security/dbkeystore.p12. |
| pem.db_keystore_password | Not set | Password for the database keystore. |
| pem.db_mssql_host_name_in_certificate | Not set | Hostname expected in certificate for MSSQL connections. Required for MSSQL SSL validation. |
| pem.db_mssql_trust_server_certificate | true | Whether to trust the server certificate for MSSQL connections. Valid values: true or false. |
| pem.db_mssql_encrypt | true | Enable encryption for MSSQL connections. Valid values: true or false. |
| pem.db_mssql_tls_version | TLSv1.2 | TLS version for MSSQL database connections. Example: TLSv1.2, TLSv1.3. |
Server URLs configuration
The following table lists the parameters for configuring service URLs:
| Parameter | Default Value | Description |
|---|---|---|
| pem.pem_url | Not set | URL for PEM 2.0 service. Format: https://<host>:<port>. |
| pem.sso_urls | Not set | SSO URL(s) as a comma-separated list. Format: https://host:port,https://host2:port2. |
| pem.sso_logout_url | /Signon/logout.html | Logout URL path appended to each SSO URL to build post-logout redirect URIs. |
Server SSL configuration
The following table lists the parameters for server SSL/TLS configuration:
| Parameter | Default Value | Description |
|---|---|---|
| pem.servers_ssl_enabled | true | Enable SSL for Identity server. Valid values: true or false. |
| pem.servers_ssl_keystore | Not set | Keystore file name, as a path relative to the mounted resource location. Example: security/key.p12. |
| pem.servers_ssl_keystore_password | Not set | Password for the server keystore. |
| pem.servers_ssl_keystore_type | PKCS12 | Keystore type. Common values: PKCS12, JKS. |
| pem.servers_ssl_key_alias | Not set | Alias of the key in the keystore to be used for SSL. |
| pem.servers_ssl_protocol | TLS | SSL/TLS protocol used by the server. Example: TLS. |
| pem.servers_ssl_enabled_protocols | TLSv1.2,TLSv1.3 | Allowed TLS protocols. Provide comma-separated values. Example: TLSv1.2,TLSv1.3. |
| pem.skip_sni_validation | true | Skip SNI (Server Name Indication) validation. Valid values: true or false. |
Logging, JVM options, and CORS configuration
The following table lists the parameters for logging, JVM options, and CORS settings:
| Parameter | Default Value | Description |
|---|---|---|
| pem.log_level | INFO | Log level for the Identity Service. Example: INFO, DEBUG, WARN. |
| pem.jvm_options | Not set | JVM options for Identity Service. Example: -Xms156m -Xmx512m -Dproperty=value. |
| pem.cors_allowed_origins | "*" | CORS allowed origins. Provide comma-separated URLs. Example: "https://url1,https://url2" or "*" for all origins. |
OAuth 2.0 client configuration
The following table lists the parameters for OAuth 2.0 client configuration:
| Parameter | Default Value | Description |
|---|---|---|
| pem.client_id | pem-client | OAuth 2.0 client identifier for the Identity Service. |
| pem.client_secret | Not set | OAuth 2.0 client secret for authentication. |
| pem.access_token_expiry | 3600 | Access token expiry time in seconds. Example: 3600 (1 hour). |
| pem.refresh_token_expiry | 3600 | Refresh token expiry time in seconds. Example: 3600 (1 hour). |
SEAS SSO SSL configuration
The following table lists the parameters for SEAS (Single Enterprise Authentication Service) SSO SSL configuration:
| Parameter | Default Value | Description |
|---|---|---|
| pem.seassso_enable_ssl | false | Enable SSL for SEAS SSO. Valid values: true or false. |
| pem.seassso_truststore_name | Not set | SEAS SSO truststore file name (filename only, e.g., seas-truststore.jks). File must be copied to the resource location. |
| pem.seassso_truststore_password | Not set | Password for the SEAS SSO truststore. |
| pem.seassso_truststore_alias | Not set | Alias in the SEAS SSO truststore. |
| pem.seassso_truststore_type | JKS | SEAS SSO truststore type. Common values: JKS, PKCS12. |
| pem.seassso_keystore_name | Not set | SEAS SSO keystore file name (filename only, e.g., seas-keystore.jks). File must be copied to the resource location. |
| pem.seassso_keystore_password | Not set | Password for the SEAS SSO keystore. |
| pem.seassso_keystoretype | JKS | SEAS SSO keystore type. Common values: JKS, PKCS12. |
| pem.seassso_keystore_alias | Not set | Alias in the SEAS SSO keystore. |
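Several defaults in the tables above (the generic identity.encryption_key, pem.db_ssl_connection=false, pem.db_mssql_trust_server_certificate=true, pem.skip_sni_validation=true, pem.cors_allowed_origins="*") are convenient for a first deployment but weak for production. The following is an added example, not code from the PEM documentation or product: a small pre-deployment audit that reads the configuration file and reports each such setting. It assumes the file is plain key=value lines; SAMPLE_CFG and the function names are constructed for the illustration.

```python
# Added example (not from the PEM documentation or product): audit a
# pemIdentitySetup.cfg for settings in the tables above that weaken security.
# Assumes plain key=value lines; SAMPLE_CFG below is constructed for the demo.
GENERIC_KEY_PREFIX = "0123456789ABCD"   # the documented generic default key starts so
STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed sample: an MSSQL deployment left mostly at documented defaults.
SAMPLE_CFG = """\
identity.encryption_key=0123456789ABCDEF0123456789ABCDEF
pem.db_type=mssql
pem.db_ssl_connection=false
pem.db_mssql_trust_server_certificate=true
pem.servers_ssl_enabled_protocols=TLSv1,TLSv1.2,TLSv1.3
pem.skip_sni_validation=true
pem.cors_allowed_origins="*"
"""

def parse_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; blanks and # comments are ignored, quotes stripped."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().strip('"')
    return props

def audit_identity_cfg(props: dict[str, str]) -> list[str]:
    """Return one finding per weak security-relevant setting (documented defaults apply)."""
    def val(key: str, default: str) -> str:  # effective value, lower-cased
        return props.get(key, default).strip().lower()
    findings: list[str] = []
    if props.get("identity.encryption_key", GENERIC_KEY_PREFIX).startswith(GENERIC_KEY_PREFIX):
        findings.append("identity.encryption_key: generic key in use, set a custom 32-byte hex key")
    if val("pem.db_ssl_connection", "false") != "true":
        findings.append("pem.db_ssl_connection: database traffic is not TLS-protected")
    if val("pem.db_type", "db2") == "mssql" and val("pem.db_mssql_trust_server_certificate", "true") == "true":
        findings.append("pem.db_mssql_trust_server_certificate: MSSQL server certificate is not validated")
    if val("pem.db_type", "db2") == "mssql" and not props.get("pem.db_mssql_host_name_in_certificate"):
        findings.append("pem.db_mssql_host_name_in_certificate: not set but required for MSSQL SSL validation")
    if val("pem.skip_sni_validation", "true") == "true":
        findings.append("pem.skip_sni_validation: SNI validation is disabled")
    enabled = {p.strip() for p in props.get("pem.servers_ssl_enabled_protocols", "TLSv1.2,TLSv1.3").split(",")}
    if enabled - STRONG_PROTOCOLS:
        findings.append(f"pem.servers_ssl_enabled_protocols: legacy protocols enabled: {sorted(enabled - STRONG_PROTOCOLS)}")
    if "*" in [o.strip() for o in props.get("pem.cors_allowed_origins", "*").split(",")]:
        findings.append("pem.cors_allowed_origins: wildcard lets any origin call the service")
    return findings
```

Run it against the real file before the container is deployed; an empty result means every checked parameter has been overridden from its permissive default.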