Advanced configuration properties

Modify the advanced configurations for Advanced Access Control or Federation to meet the requirements of your organization.

Category filter

The category filter displays the names of groupings of configuration settings. The groupings correspond to functional areas. When you select a category, the user interface displays only the settings for that category.

Table 1. Filter by Category

Category                     Displays values for:
All                          All keys
poc.websealAuth              WebSEAL Authenticate Callback
poc.websealSignout           WebSEAL Signout Callback
poc.otpAuth                  One-time password Authenticate Callback
poc.authPolicy               Authentication-Policy Callback
sps.httpRequestClaims        SPS HTTP request claims
distributedMap               Distributed shared data storage
userBehavior                 Attribute matcher properties
ipReputation                 IP reputation PIP properties
attributeCollection          Attribute collector properties
deviceRegistration           Device registration properties
runtime                      Runtime properties
sps.page                     SPS page
sps                          Single sign-on protocol service
riskEngine                   Risk engine properties
sps.authService              Authentication service properties
authsvc.stateMgmt            Authentication service session store properties
session                      Session
distributedSessionCache      Distributed session cache
otp.retry                    TOTP and HOTP retry properties
otp                          OTP properties
oauth20                      OAuth20
util.httpClient              HTTP client
util.httpClient v2           HTTP Client version 2
demo                         Demo
knowledge.questions          Knowledge questions properties
kess                         Key encryption and signing service (KESS)
jwks                         JSON Web Key
pip                          Policy information point (PIP)
sts                          Security token service (STS)
mmfa                         Mobile Multi-Factor Authentication (MMFA)
wsfed                        WS-Federation
saml20                       SAML 2.0
saml11                       SAML 1.1
oidc                         OIDC
js                           Rhino JavaScript Engine
basicLdapUser                Basic LDAP User
consentDeviceRegistration    Consent Device Registration
fido2                        FIDO2
httpSession                  HTTP Session
infomap                      Info Map
poc.webseal.poc              WebSEAL POC
username                     Username
audit                        Audit
scim                         SCIM

WebSEAL Authenticate Callback

poc.websealAuth.authLevel
The authentication level of the callback.
Data type: Integer
Example: 1

WebSEAL Signout Callback

poc.websealSignout.terminate
When forceauth=true is specified, poc.websealSignout.terminate determines which mechanism is used to force an authentication interaction in WebSEAL. A value of true (default) uses the eai-server-task terminate session operation, which logs the user out of WebSEAL and destroys the original WebSEAL session, including any managed cookies. The user is prompted to log in again.

A value of false uses the eai-server-task force-reauthenticate session operation, which prompts the user to re-authenticate to WebSEAL. The original WebSEAL session, including managed cookies, is preserved on re-authentication.

Data type: Boolean
Example: true

One-time password Authenticate Callback

poc.otp.authLevel
The authentication level of the callback.
Data type: Integer
Example: 2
poc.otp.backwardCompatibilityEnabled
Indicates whether the one-time password authentication mechanism should run in backward compatibility mode. The default value is false if it is a new installation. The default value is true if the installation is an upgrade.
Data type: Boolean
Example: true

Authentication-Policy Callback

poc.authPolicy.allowRequestOverride
Whether the authentication level, the authentication mode, and the authentication type of the callback can be overridden by query string parameters. Because the overriding values arrive in the request, enable this only where the request path to the callback is trusted.
Data type: Boolean
Example: true
poc.authPolicy.authLevel
The authentication level of the callback.
Data type: Integer
Example: 1
poc.authPolicy.authType
The authentication type of the callback.
Data type: String
Example: COMPLEMENTARY, HIERARCHICAL

SPS HTTP request claims

sps.httpRequestClaims.enabled
Whether HTTP request information is sent to STS as HTTPRequestClaims. This flag additionally makes HTTP Request attributes (Headers, Cookies and Parameters) available to administrators in OIDC, OAuth, and SAML (see HTTP Claims in OIDC, OAuth and SAML JavaScript Mapping Rules), Authsvc and InfoMap (see HTTP Claims in Authsvc and InfoMap JavaScript Mapping Rules) and FIDO2 (see HTTP Claims in FIDO2 Mediator JavaScript Mapping Rules) JavaScript Mapping rules.
Data type: Boolean
Example: false
sps.httpRequestClaims.filterSpec
The filter that specifies the HTTP request information that is sent to STS as HTTPRequestClaims.
Data type: String
Example: cookies=*:headers=*

Distributed shared data storage

distributedMap.cleanupQueryTimeout

Specifies the maximum duration, in seconds, for a single distributed map cleanup operation. When the timeout is reached, the operation stops. A value of 0 disables the timeout.

The default value is 0.
Data type: Integer
Example: 1000
distributedMap.cleanupBatchSize
Controls batch deletion of expired distributed map entries and specifies the number of records deleted per batch.
If the value is set as 0 or is blank, batch delete is not enabled and all expired distributed map entries (or the cleanupMaxSize if specified) are deleted using one SQL delete statement.
If the value is set as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all (or the cleanupMaxSize if specified) of the expired distributed map entries are deleted. The batch process is useful for deleting a large quantity of expired user attribute data.
Note: A database commit is performed after each batch delete.
The default value is 0.
Data type: Integer
Example: 1000
distributedMap.cleanupMaxSize
Specifies the maximum number of distributed map entries to be cleaned up in a single cleanup operation. When this limit is reached, the cleanup stops, even if more expired entries remain. If the value is set as 0 there is no max cleanup size.
Data type: Integer
Default value: 0
Example: 1000
distributedMap.cleanupOnlyOnPrimaryMaster
In a clustered environment, specifies whether the cleanup thread for distributed map entries runs only on the primary node.
Data type: Boolean
Default Value: false
Example: true
distributedMap.cleanupWait
The amount of time, in milliseconds, to wait before it performs another cleanup against the distributed map.

Distributed map clean up can be disabled by setting the cleanupWait to 0.

Data type: Integer
Example: 10000
distributedMap.defaultTTL
The amount of time, in seconds, that the entries in the distributed map must live when no lifetime is specified for an entry.
Data type: Integer
Example: 3600
distributedMap.getRetryDelay
The amount of time, in milliseconds, to wait before it performs another retrieval against the distributed map. The default is 0.
Data type: Integer
Example: 500
distributedMap.getRetryLimit
The number of retrieval attempts that are made against the distributed map before the lookup reports that the data is not in the distributed map. The default is 0.
Data type: Integer
Example: 10
distributedMap.store
Specifies storage location for distributed shared data.
  • Redis: stores the DMAP instance into Redis.
  • HVDB: stores the DMAP instance into the HVDB.
You can configure the parameter for AAC or Federation in one of the following screens in the LMI:
  • AAC > Global Settings > State Persistence
  • Federation > Global Settings > State Persistence

Allowed Values: Redis, HVDB

Example: Redis

distributedMap.redisServerConnectionName
Specifies the Redis server connection to use for the runtime.

This parameter must be specified when the distributedMap.store is set to Redis. See distributedMap.store.

You can configure the parameter for AAC or Federation in one of the following screens in the LMI:
  • AAC > Global Settings > State Persistence
  • Federation > Global Settings > State Persistence

Attribute matcher properties

userBehavior.minimumUsageHistoryRequired
Minimum usage data records required for any usage data analysis; used by LoginTimeMatcher.
Data type: Integer
Example: 8
userBehavior.ipAddressRequestAttribute
The XACML request attribute from which the IP address is read.
Data type: String
Example: urn:ibm:security:subject:ipAddress

IP reputation PIP properties

ip.reputation.ipAddressAdverseReputationThreshold
The value that an IP classification score must be at or above for an IP address to be considered as that classification.
Data type: Integer
Example: 50
ipReputation.dbConnectionTimeout
Indicates the number of seconds that the IP reputation policy information point (PIP) waits for a connection to the IP reputation database. The ipReputation.dbConnectionTimeout property defaults to 120.
Data type: Integer
Example: 60

Attribute collector properties

attributeCollection.cookieName
Name of the cookie that carries the correlation ID used by the attribute collector.
Data type: String
Example: ac.uuid
attributeCollection.requestServer
Request server for attribute collector. A list of the allowable hosts where the ajaxRequest can be sent from.
Data type: String List
Example: https://rbademo.example.com,https://rbaemo2.example.com
attributeCollection.serviceLocation
Location of the attribute collector.
Data type: String List
Example: http://rbademo.example.com/mga
attributeCollection.sessionTimeout
Number of seconds after which sessions stored in context-based access expire automatically unless they are updated. If any attribute in the session is updated, the session expiry is extended by the number of seconds configured in this property. The default is 1800 seconds.
Data type: Integer
Example: 1800
attributeCollection.enableGetAttributes
Enables the REST GET method to return attributes.
Data type: Boolean
Example: false
attributeCollection.getAttributesAllowedClients
A comma-separated list of clients that are allowed to call the ACS REST GET method.

If this property is not set and attributeCollection.enableGetAttributes is set to true, any client can call the GET method and read the collected attributes, so set this list whenever you enable GET. If this property is set but attributeCollection.enableGetAttributes is set to false, this property is ignored.

Data type: String List
Example: hostname1, hostname2
attributeCollection.hashAlgorithm
The algorithm that is used to create the hash.
Data type: String
Example: SHA256
attributeCollection.attributesHashEnabled
A comma-separated list of attribute URI values configured for hashing.
Attention: Do not hash the following attributes:
  • ipAddress
  • geoLocation
  • accessTime
Data type: String List
Example:
urn:ibm:security:environment:http:userAgent, 
urn:ibm:security:environment:deviceFonts, 
urn:ibm:security:environment:browserPlugins 
attributeCollection.authenticationContextAttributes
A comma-separated list of attribute names to collect during an authentication service obligation. The maximum number of characters for this property is 200.
Data type: String List
Example: authenticationLevel, http:host
attributeCollection.hashedAuthenticationContextAttributes

A comma-separated list of attribute names to collect during an authentication service obligation. The attribute values that are collected are hashes of the real value. The maximum number of characters for this property is 200.

Data type: String List
Example: authenticationLevel, http:host
attributeCollection.obligationData.cleanupEnabled
Specifies whether the cleanup thread for expired obligation data, used in access control policy decisions, is enabled.
Data type: Boolean
Default value: true
Example: true
attributeCollection.obligationData.cleanupBatchSize
Specifies whether batch deletion is enabled for expired obligation data and the number of records deleted per batch.
If the value is set as 0 or is blank, batch delete is not enabled and all expired obligation data (or the cleanupMaxSize if specified) is deleted using one SQL delete statement.
If the value is set as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all (or the cleanupMaxSize if specified) of the expired obligation data entries are deleted. The batch process is useful for deleting a large quantity of expired obligation data.
Note: A database commit is performed after each batch delete.
Data type: Integer
Default value: 0
Example: 1000
attributeCollection.obligationData.cleanupMaxSize

Specifies the maximum number of obligation data entries to delete in a single cleanup operation. After this limit is reached, the cleanup thread stops until the next operation, even if more expired entries exist. If the value is set as 0 there is no max cleanup size.

Data type: Integer
Default value: 1000
Example: 1000
attributeCollection.obligationData.cleanupOnlyOnPrimaryMaster
In a clustered environment, specifies whether the cleanup thread for obligation data runs only on the primary node.
Data type: Boolean
Default value: false
Example: true
attributeCollection.obligationData.cleanupQueryTimeout

Specifies the maximum time, in seconds, for a single obligation data cleanup operation. The current cleanup operation stops when the timeout is reached. A value of 0 means that there is no timeout.

The default value is 0.
Data type: Integer
Example: 1000
attributeCollection.userSession.cleanupEnabled

Specifies whether the cleanup thread for expired user session attribute data, used in access control policy decisions, is enabled.

Data type: Boolean
Default value: true
Example: true
attributeCollection.userSession.cleanupBatchSize
Specifies whether batch deletion is enabled for expired user session attribute data and the number of records deleted per batch.
If the value is set as 0 or is blank, batch delete is not enabled and all expired user attribute data (or the cleanupMaxSize if specified) is deleted using one SQL delete statement.
If the value is set as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all (or the cleanupMaxSize if specified) of the expired user attributes are deleted. The batch process is useful for deleting a large quantity of expired user attribute data.
Note: A database commit is performed after each batch delete.
Data type: Integer
Default value: 0
Example: 1000
attributeCollection.userSession.cleanupMaxSize

Specifies the maximum number of user session attribute data entries to delete in a single cleanup operation. After this limit is reached, the cleanup thread stops until the next operation, even if more expired entries exist. If the value is set as 0 there is no max cleanup size.

Data type: Integer
Default value: 0
Example: 1000
attributeCollection.userSession.cleanupOnlyOnPrimaryMaster
In a clustered environment, specifies whether the cleanup thread for user session attribute data runs only on the primary node.
Data type: Boolean
Default value: false
Example: true
attributeCollection.userSession.cleanupQueryTimeout

Specifies the maximum time, in seconds, for a single user session attribute data cleanup operation. The current cleanup operation stops when the timeout is reached. A value of 0 means that there is no timeout.

The default value is 0.
Data type: Integer
Example: 1000

Device registration properties

deviceRegistration.allowIncompleteFingerprints
Specifies whether the device registration obligation may store fingerprints when not all fingerprint attributes are available in the session information.
Data type: Boolean
Example: false
deviceRegistration.checkForExpiredDevices
Determines whether the risk engine checks registered devices for inactivity or expiry. If the deviceRegistration.checkForExpiredDevices property is set to true, the risk engine checks whether a device is inactive or expired. The property defaults to false, which means that users can use any of the devices that are registered.
Data type: Boolean
Example: true
deviceRegistration.cleanupThread.cleanupOnlyOnPrimaryMaster
In a clustered environment, specifies whether the cleanup thread runs only on the primary node.
The default value is false.
Data type: Boolean
Example: false
deviceRegistration.cleanupThread.maxSize
Specifies the maximum number of inactive registered devices to remove in a single cleanup operation. When this limit is reached, the cleanup stops, even if more expired entries remain. A value of 0 means that there is no maximum.
The default value is 0.
Data type: Integer
Example: 1000
deviceRegistration.cleanupThread.queryTimeout

Specifies the maximum duration, in seconds, for a single cleanup operation on inactive registered devices. The current cleanup operation stops when the timeout is reached. A value of 0 means that there is no timeout.

The default value is 0.
Data type: Integer
Example: 1000
deviceRegistration.cleanupThread.batchSize
Specifies if batch delete is enabled for expired devices and how many records are deleted per batch.
If the value is defined as 0 or is blank, batch delete is not enabled and all expired devices are deleted using one SQL delete statement.
If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all of the expired devices are deleted. The batch process is useful for deleting a large quantity of expired devices.
Note: A database commit is performed after each batch delete.
Data type: Integer
Example: 1000 (Batch delete is enabled, with a batch size of 1000 records.)
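
The batch-delete rules given for distributedMap.cleanupBatchSize, attributeCollection.obligationData.cleanup*, attributeCollection.userSession.cleanup* and deviceRegistration.cleanupThread.* above are the same algorithm. The following added example (not product code) plays that algorithm out against an in-memory SQLite table that stands in for the runtime database; the table name, column name and sample rows are constructed for the example, and the batch/cap/timeout parameters correspond to cleanupBatchSize, cleanupMaxSize and cleanupQueryTimeout.

```python
# Added example (not product code): interaction of *.cleanupBatchSize,
# *.cleanupMaxSize and *.cleanupQueryTimeout as this page describes them,
# run against an in-memory SQLite table standing in for the runtime database.
# Table name "dmap", column "expires" and the sample rows are assumptions.
import sqlite3
import time


def seed_expired_rows(conn, expired, live, now):
    """Constructed sample data: `expired` rows already past expiry, `live` rows not."""
    conn.execute("CREATE TABLE IF NOT EXISTS dmap (id INTEGER PRIMARY KEY, expires INTEGER)")
    rows = [(now - 1,) for _ in range(expired)] + [(now + 3600,) for _ in range(live)]
    conn.executemany("INSERT INTO dmap (expires) VALUES (?)", rows)
    conn.commit()


def cleanup_expired(conn, now, batch_size=0, max_size=0, query_timeout=0):
    """Delete expired rows and return (rows_deleted, commits, stopped_by).

    batch_size == 0      one DELETE statement (capped by max_size if set), one commit
    batch_size  > 0      repeated DELETE ... LIMIT batch_size, a commit after each batch
    max_size   == 0      no cap on rows removed in this run
    query_timeout == 0   no time limit on this run (otherwise seconds)
    """
    deleted = 0
    commits = 0
    deadline = time.monotonic() + query_timeout if query_timeout else None
    while True:
        remaining_cap = (max_size - deleted) if max_size else None
        if remaining_cap is not None and remaining_cap <= 0:
            return deleted, commits, "maxSize"
        if deadline is not None and time.monotonic() >= deadline:
            return deleted, commits, "queryTimeout"
        if batch_size:
            limit = batch_size if remaining_cap is None else min(batch_size, remaining_cap)
        else:
            limit = remaining_cap  # None: one unbounded statement
        if limit is None:
            cur = conn.execute("DELETE FROM dmap WHERE expires < ?", (now,))
        else:
            cur = conn.execute(
                "DELETE FROM dmap WHERE id IN "
                "(SELECT id FROM dmap WHERE expires < ? LIMIT ?)", (now, limit))
        conn.commit()  # the page notes a database commit after each batch
        commits += 1
        deleted += cur.rowcount
        if not batch_size or cur.rowcount < limit:
            return deleted, commits, "done"  # single statement, or the last short batch


def count_expired(conn, now):
    return conn.execute("SELECT COUNT(*) FROM dmap WHERE expires < ?", (now,)).fetchone()[0]


def demo():
    """Three runs over 2500 expired and 10 live rows; returns what each run did."""
    now = 1_700_000_000
    results = {}
    # batchSize=0, maxSize=0: everything in one statement, one commit
    conn = sqlite3.connect(":memory:")
    seed_expired_rows(conn, expired=2500, live=10, now=now)
    results["single"] = cleanup_expired(conn, now) + (count_expired(conn, now),)
    # batchSize=1000, maxSize=0: batches of 1000, 1000, 500 with a commit after each
    conn = sqlite3.connect(":memory:")
    seed_expired_rows(conn, expired=2500, live=10, now=now)
    results["batched"] = cleanup_expired(conn, now, batch_size=1000) + (count_expired(conn, now),)
    # batchSize=1000, maxSize=1200: stops at the cap; 1300 expired rows wait for the next run
    conn = sqlite3.connect(":memory:")
    seed_expired_rows(conn, expired=2500, live=10, now=now)
    results["capped"] = cleanup_expired(conn, now, batch_size=1000, max_size=1200) + (count_expired(conn, now),)
    return results
```

The capped run shows the tuning consequence: whatever cleanupMaxSize leaves behind waits for the next run, so a low cap combined with a long cleanupWait lets expired data accumulate; a batch size keeps each transaction small without limiting how much one run removes.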
deviceRegistration.deviceMatchThreshold
The risk score threshold where an existing fingerprint is considered to match the incoming device fingerprint.
Data type: Integer
Example: 20
deviceRegistration.inactiveExpirationTime
Specifies the number of days that a device must be inactive for it to expire. The deviceRegistration.inactiveExpirationTime property defaults to 90.
Data type: Integer
Example: 100
deviceRegistration.maxRegisteredDevices
Maximum device fingerprint count. The default is 10. Valid values are 1 to 100.
Data type: Integer
Example: 10
deviceRegistration.maxUsageDataPerUser
Maximum number of historical usage attribute records stored per user. The default is 200. Valid values are 1 to 5000.
Data type: Integer
Example: 1000
deviceRegistration.permitOnIncompleteFingerprints
Specifies to permit access to the resource if the fingerprint collected by the device registration obligation does not include all fingerprint attributes.
Data type: Boolean
Example: false

Runtime properties

runtime.dbLoggingEnabled
Enables fine-grained logging for database SQL statements.
Data type: Boolean
Example: false
runtime.hashAlgorithm
The algorithm that is used for hashing. The supported algorithms are:
  • SHA-1
  • SHA-256
  • SHA-384
  • SHA-512

The runtime.hashAlgorithm property defaults to SHA-256.

Data type: String
Example: SHA-256
runtime.verificationHashAlgorithms
Defines the hashing algorithms that are used to verify a hashed value. The value is typically a comma separated list of hashing algorithms.
Data type: String
Example: SHA-256, SHA-1
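
The pairing of runtime.hashAlgorithm (one algorithm for new hashes) with runtime.verificationHashAlgorithms (a list accepted when checking an existing hash) is the usual way to rotate to a stronger algorithm while values hashed under the old one remain verifiable; the page's own example, SHA-256 with SHA-1 still accepted for verification, is exactly that. The following added example (not product code) implements that relationship with hashlib; the "ALG:hex" stored-value format and the needs_rehash helper are assumptions made for the example, not the product's storage format.

```python
# Added example (not product code): hash with runtime.hashAlgorithm, verify against
# runtime.verificationHashAlgorithms. The "ALG:hex" storage format is an assumption.
import hashlib
import hmac

# Algorithm names exactly as this page lists them, mapped to hashlib constructors.
_ALGORITHMS = {
    "SHA-1": hashlib.sha1,
    "SHA-256": hashlib.sha256,
    "SHA-384": hashlib.sha384,
    "SHA-512": hashlib.sha512,
}


def parse_algorithm_list(value):
    """Parse 'SHA-256, SHA-1' into ['SHA-256', 'SHA-1']; reject names the page does not list."""
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in _ALGORITHMS]
    if unknown:
        raise ValueError("unsupported hash algorithm(s): %s" % ", ".join(unknown))
    return names


def hash_value(plain, hash_algorithm="SHA-256"):
    """Hash with the algorithm named by runtime.hashAlgorithm and tag the result with it."""
    digest = _ALGORITHMS[hash_algorithm](plain.encode("utf-8")).hexdigest()
    return "%s:%s" % (hash_algorithm, digest)


def verify_value(plain, stored, verification_algorithms="SHA-256"):
    """Accept a stored hash only if its algorithm is in runtime.verificationHashAlgorithms
    and the digest matches (constant-time comparison)."""
    alg, _, digest = stored.partition(":")
    if alg not in parse_algorithm_list(verification_algorithms):
        return False
    expected = _ALGORITHMS[alg](plain.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


def needs_rehash(stored, hash_algorithm="SHA-256"):
    """True when a value that just verified was hashed with something other than the
    current runtime.hashAlgorithm and should be re-hashed on this occasion."""
    return stored.partition(":")[0] != hash_algorithm
```

Rotation then proceeds in two configuration steps: set runtime.hashAlgorithm to the new algorithm while runtime.verificationHashAlgorithms still lists the old one, re-hash values as they verify, and remove the old algorithm from the verification list once no stored value still uses it.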

Single sign-on protocol service

sps.setCookiesAsSecure
Determines whether the cookies set by Verify Identity Access are flagged as secure. Set this to true when the runtime is reached only over HTTPS, so that browsers never send these cookies over plain HTTP.

The default value is false.

Data type: Boolean
Example: false
sps.targetURLWhitelist

Specifies a list of allowed target URLs for SAML 2.0 and OpenID Connect. Use this property to prevent an attacker from redirecting the user to malicious target URLs.

The value of this advanced configuration property is a comma-separated string, where each string is a target URL in the form of a regular expression. A regular expression must not contain commas; spaces between regular expressions are ignored. Escape literal dots in host names (for example, www\.app\.ibm\.com) and anchor each expression, otherwise the expression also matches look-alike hosts.

  • For SAML 2.0 SSO flows, you can specify a Target URL when you configure the initial URL in flows that are initiated by either the Identity Provider or the Service Provider. For more information, see SAML 2.0 profile initial URLs.
  • For OpenID Connect flows, you can specify a Target URL when you configure the initial URL for Relying Party initiated single sign-on. For more information, see Relying Party SSO initiation endpoint.

The default value is "^\/[^\s]*$", which allows only relative target URLs (target URLs in the same domain).

Data type: String

Example:
(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*
sps.authsvcTargetURLAllowlist

Specifies a list of allowed target URLs for the authentication service. Use this property to prevent an attacker from redirecting the user to malicious target URLs.

The value of this advanced configuration property is a comma-separated string, where each string is a target URL in the form of a regular expression. A regular expression must not contain commas; spaces between regular expressions are ignored.

  • For the authentication service, you can specify a Target URL when you configure the authentication service trigger URL. For more information, see Configuring authentication.

The default value is "^\/[^\s]*$", which allows only relative target URLs (target URLs in the same domain).

Data type: String

Example:
(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*
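
Both sps.targetURLWhitelist and sps.authsvcTargetURLAllowlist hold the same comma-separated list of regular expressions, so one check serves both. The following added example (not product code) evaluates a target against such a list and contrasts the page's own example entries with a tightened form. It assumes that each expression must match the whole target and that surrounding spaces are trimmed, as described above; how the runtime normalises a target before matching is not documented on this page, so confirm the scheme-relative case against your own deployment.

```python
# Added example (not product code): target-URL allowlist check in the format of
# sps.targetURLWhitelist / sps.authsvcTargetURLAllowlist. Assumption: full match
# per entry, entries trimmed. The HARDENED list is this example's suggestion.
import re

DEFAULT_ALLOWLIST = r"^\/[^\s]*$"  # the documented default
PAGE_EXAMPLE = r"(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*"
# Dots escaped, https only, anchored, path optional but must start with "/".
HARDENED = (r"^https://www\.app\.ibm\.com(/[^\s]*)?$, "
            r"^https://www\.myidp\.ibm\.com(/[^\s]*)?$")


def parse_allowlist(value):
    """Split on commas (an entry may not contain one), trim, compile each entry."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def target_allowed(target, allowlist=DEFAULT_ALLOWLIST):
    """True if any allowlist entry matches the whole target string."""
    return any(p.fullmatch(target) for p in parse_allowlist(allowlist))


def demo():
    """Constructed targets; each tuple is (target, allowlist, expected_decision)."""
    cases = [
        ("/app/home", DEFAULT_ALLOWLIST, True),                       # relative path
        ("https://evil.example/", DEFAULT_ALLOWLIST, False),          # absolute URL
        ("//evil.example/", DEFAULT_ALLOWLIST, True),                 # scheme-relative passes the literal regex
        ("https://www.app.ibm.com/home", PAGE_EXAMPLE, True),
        ("https://www-app-ibm.com/home", PAGE_EXAMPLE, True),         # unescaped "." matches "-"
        ("https://www.app.ibm.com/home", HARDENED, True),
        ("https://www.app.ibm.com", HARDENED, True),
        ("https://www-app-ibm.com/home", HARDENED, False),
        ("https://www.app.ibm.com.evil.example/", HARDENED, False),   # host continues after "com"
        ("http://www.app.ibm.com/home", HARDENED, False),             # plain http rejected
    ]
    return [(t, target_allowed(t, a) == e) for t, a, e in cases]
```

The two rows that matter operationally: in the page's example list an unescaped dot lets a registrable look-alike such as www-app-ibm.com through, and the default expression, taken literally, accepts a scheme-relative target (//host/...) because it only requires a leading slash.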
sps.illegalUrlSubstrings
A comma-separated list of strings. The single sign-on service stops processing a request if the query parameters of the request URL contain any of the strings. This is a coarse deny list; it does not replace the HTML escaping of macros that sps.page.htmlEscapedMacros controls.

The default value is "".

Data type: String

Example:
"<script"
sps.doNotSendXFrameOptionsHeader
Specifies whether an X-Frame-Options header with the value SAMEORIGIN is returned from the SPS endpoints for browser-based flows. When this property is set to true, no X-Frame-Options header is sent, and the SPS pages can be framed by other origins (clickjacking); set it to true only if framing is restricted by other means.
Note: The sps.doNotSendXFrameOptionsHeader property defaults to false.

Data type: Boolean

Example: false

sps.adminGroup
Specifies the name of the admin group that a user must be a member of to view the runtime state page.

The default value is "" meaning that no users have access to the page.

Data type: String

Example: adminGroup

SPS page

sps.page.htmlEscapedMacros
A comma-separated list of macros that are HTML-escaped when they are rendered in pages that are sent to the browser.
Data type: String
Example:
@REQ_ADDR@,
@DETAIL@,
@EXCEPTION_STACK@,
@EXCEPTION_MSG@,
@OTP_METHOD_ID@,
@OTP_METHOD_LABEL@,
@OTP_HINT@,
@ERROR_MESSAGE@,
@MAPPING_RULE_DATA@
sps.page.exceptionMacros
A comma-separated list of classname:macro pairs. Classname is the fully qualified name of the exception class. Macro is the name of the macro to which the class maps.
Data type: String
Example:
com.tivoli.am.fim.otp.deliveries.OTPDeliveryException:@OTP_DELIVERY_EXCEPTION@, 
com.tivoli.am.fim.otp.providers.OTPProviderException:@OTP_PROVIDER_EXCEPTION@
 
sps.page.notEscapedMacros
A comma-separated list of macros that are not HTML-escaped when they are rendered in pages that are sent to the browser. Macros that do not appear in this list, and macros that appear in the htmlEscapedMacros list, are HTML-escaped. Add a macro to this list only if its value never derives from request data, because an unescaped macro is written into the HTML response verbatim.

Data type: String

Example:

@COOKIE_NAME@,
@SERVER_NAME@,
@JUNCTION@
sps.page.hiddenMacros
A comma-separated list of macros that are not rendered in the pages that are sent to the browser. The default value is @EXCEPTION_STACK@,@EXCEPTION_MSG@.

Data type: String

Example: @EXCEPTION_STACK@,@EXCEPTION_MSG@
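
The three macro lists above combine into one rendering rule: a hidden macro is not rendered, a macro in notEscapedMacros (and not in htmlEscapedMacros) is rendered verbatim, and every other macro is HTML-escaped. The following added example (not product code) implements that rule with the page's documented default for hiddenMacros and its example lists; the template, the macro values and the choice to render a hidden macro as an empty string are assumptions made for the example.

```python
# Added example (not product code): page-macro rendering under sps.page.hiddenMacros,
# sps.page.notEscapedMacros and sps.page.htmlEscapedMacros. Assumptions: a hidden
# macro renders as "", the template and values below are constructed.
import html
import re

HIDDEN = "@EXCEPTION_STACK@,@EXCEPTION_MSG@"             # documented default
NOT_ESCAPED = "@COOKIE_NAME@, @SERVER_NAME@, @JUNCTION@"  # page example
HTML_ESCAPED = "@REQ_ADDR@, @DETAIL@, @ERROR_MESSAGE@"   # subset of page example

_MACRO = re.compile(r"@[A-Z_]+@")


def _as_set(value):
    """'@A@, @B@' -> {'@A@', '@B@'}; tolerant of spaces and empty entries."""
    return {m.strip() for m in value.split(",") if m.strip()}


def render_page(template, values, hidden=HIDDEN, not_escaped=NOT_ESCAPED,
                html_escaped=HTML_ESCAPED):
    """Substitute @MACRO@ tokens: hidden -> removed; notEscaped (and not also in
    htmlEscaped) -> verbatim; everything else -> html.escape()."""
    hidden_set, raw_set, esc_set = _as_set(hidden), _as_set(not_escaped), _as_set(html_escaped)

    def substitute(match):
        name = match.group(0)
        value = values.get(name, "")
        if name in hidden_set:
            return ""
        if name in raw_set and name not in esc_set:
            return value
        return html.escape(value, quote=True)

    return _MACRO.sub(substitute, template)


def demo():
    """Render a constructed error template with one attacker-shaped macro value."""
    template = ('<p>Error for @REQ_ADDR@: @ERROR_MESSAGE@</p>'
                '<pre>@EXCEPTION_STACK@</pre>'
                '<a href="@JUNCTION@/sps/authsvc">retry</a>')
    values = {
        "@REQ_ADDR@": "203.0.113.7",                      # constructed client address
        "@ERROR_MESSAGE@": "<script>alert(1)</script>",   # attacker-shaped, must be escaped
        "@EXCEPTION_STACK@": "java.lang.RuntimeException at ...",  # hidden by default
        "@JUNCTION@": "/mga",                             # trusted configuration value
    }
    return render_page(template, values)
```

Run demo() and the error message arrives as text, the stack trace is absent, and the junction is substituted unchanged into the href; the last assertion in the test shows what happens to the same junction value when notEscapedMacros is emptied.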

sps.page.allowedLocales
A comma-separated list of locales that can be returned when a page or message is requested. Each locale listed must be a valid locale identifier, for example, en, ja_JP, pt_BR, es, de.

The default value is all.

Data type: String

Example: en, de_DE, pt_BR, ja

sps.page.defaultLocale
The default locale to return if the requested locale identifier is not in the sps.page.allowedLocales list. This value must have a corresponding entry in the sps.page.allowedLocales list to be valid.

The default value is en.

Data type: String

Example: en

sps.page.strictLocaleMatching
A flag that controls whether the locale matching algorithm should be strict for matching the requested locale to the available template files/messages, as well as the allowed locales list.

When set to true, both the base language code (for example, en, pt) and the region code (for example, US, BR) must exactly match.

When set to false, an exact match of base language and region code is preferred, but if no exact match is found, an approximate match of only the base language code is accepted.

The default value is false.

Data type: Boolean

Example: false

sps.page.junctionMacro
Specifies the junction name used by the Advanced Access Control runtime.

The default value is /mga.

Data type: String

Example: /jct/mga, /mga

Risk engine properties

riskEngine.reportsEnabled
Enables the generation of risk calculation reports.
Data type: Boolean
Example: false
riskEngine.reportsMaxStored
Specifies the maximum number of reports to store.
Data type: Integer
Example: 5
riskEngine.useRoundingMethod
Specifies whether the generated risk percentage is rounded to the nearest whole number.
Default value: false
Data type: Boolean
Example: true

Authentication service properties

sps.authService.reauthenticationEnabled
Specifies whether the authentication service performs authentication even if the user already has an authenticated session at the required authentication level.
Data type: Boolean
Example: true
sps.authService.policyKickoffMethod
Specifies whether the URLs /sps/authsvc and /sps/apiauthsvc can be invoked with the policyId query string parameter.

If set to query, the authentication service endpoints continue to accept policyId as a query or post parameter.

If set to path, authentication service endpoints are changed to:
  • /sps/apiauthsvc/policy/<shortPolicyId>
  • /sps/authsvc/policy/<shortPolicyId>

Where <shortPolicyId> is the value that comes after the prefix urn:ibm:security:authentication:asf:

When set to both, either the path or query parameter can be used to initiate an authentication service flow.

Data type: String

Default: path

sps.authService.stateIdSource.authsvc
Specifies whether the URL /sps/authsvc can be invoked with the StateId query string parameter.

If set to Body and Query, the authentication service endpoint continues to accept StateId as a query or body parameter.

If set to Body Only, the authentication service endpoint accepts StateId only as a body parameter (POST or PUT). A StateId in the query string is recorded in browser history, proxy and server access logs, and Referer headers, so prefer Body Only where your clients can send it in the request body.

Data type: String

Default: Body and Query

Example: Body Only

sps.authService.stateIdSource.apiauthsvc
Specifies whether the URL /sps/apiauthsvc can be invoked with the StateId query string parameter.

If set to Body and Query, the API authentication service endpoint continues to accept StateId as a query or body parameter.

If set to Body Only, the API authentication service endpoint only accepts the StateId as a body parameter (POST or PUT).

Data type: String

Default: Body and Query

Example: Body Only

sps.authService.password.pwdFailCountLDAPAttribute
Specifies the LDAP attribute that stores the number of failed login attempts for the password mechanism. If null and login failure persistence is enabled, the default secPwdFailures attribute is used.

Example: secPwdFailures

Default: null

sps.authService.password.lastLoginLDAPAttribute
Specifies the LDAP attribute that stores the last successful login with the password mechanism. If null and password last-use tracking is enabled, the default secPwdLastUsed attribute is used.

Example: secPwdLastUsed

Default: null

sps.authService.reCAPTCHA.serviceLocation
Specifies the URL for the external reCAPTCHA service.

Default: https://www.google.com/recaptcha/api/siteverify

Data type: URL

Example: https://www.google.com/recaptcha/api/siteverify

Authentication service session store properties

authsvc.stateMgmt.cookieless
Enables the server side storage of session data for the authentication service. If enabled, this removes the need for the JSESSIONID cookie.

Data type: Boolean

Example: true

Default value: true

authsvc.stateMgmt.store
Specifies the storage type that the authentication service uses to cache user session data: DSC (distributed session cache), DMap (distributed map), or Memory.
Note: In clustered environments, the Memory store does not replicate between nodes.

Data type: String

Example: Memory

Default value: DMap

authsvc.stateMgmt.lifetime
Length of time in seconds that a session is cached for. Once this time period is exceeded, the user’s session is removed from the session store. If this value is less than 0, the default lifetime of 3600 seconds (1 hour) is enforced for Memory, and 600 seconds (10 minutes) is enforced for DMap. This configuration option applies only to session stores supported by the DMap or Memory.

Data type: Integer

Example: 60 (1 minute)

Default value: 3600

authsvc.stateMgmt.memory.maxSessions
Maximum number of user sessions to be cached at any point in time. If the number of sessions in the store exceeds this value, the oldest session is invalidated. This configuration option only applies to the Memory session store.

Data type: Integer

Example: 10000

Default value: 1000

authsvc.stateMgmt.memory.cleanupWait
Frequency (in seconds) that expired or excess sessions are removed from the session store. Setting this entry to -1 disables the cleanup thread. This configuration option only applies to the Memory session store.

Data type: Integer

Example: 30

Default value: 120

authsvc.stateMgmt.memory.cleanupThread.batchSize
Maximum number of expired sessions which are removed in a single cleanup operation. If the value is defined as 0 or is blank, batch delete is not enabled. All expired sessions are deleted by using one SQL delete statement. If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many sessions are deleted in each batch. The batch delete continues until all of the expired sessions are deleted. This configuration option only applies to sessions that are stored in Memory.

Data type: Integer

Example: 1000

Default value: 0

Session

session.dbCleanupInterval
Specifies the interval, in seconds, at which the database cleanup thread runs to remove expired data from the runtime database. The default is 86400. The minimum value for this property is 3600. For more information, see Runtime database tuning parameters.

Session database cleanup can be disabled by setting dbCleanupInterval to 0. This value is not overridden by the minimum.

Data type: Integer
Example: 90000
session.store
Specifies the user session store.
Note: This configuration is dependent on distributedSessionCache.enabled.
You can configure the parameter for AAC or Federation in one of the following screens in the LMI:
  • AAC > Global Settings > State Persistence
  • Federation > Global Settings > State Persistence

Allowed values: unset, In-Memory, DSC, DMap

Example: unset

Distributed session cache

distributedSessionCache.localCacheSize
The number of sessions to be stored on the client as a local cache. A value of 0 or less means that any number of sessions can be cached by the client. A low number requires more connections to the distributed session cache if there are many active sessions. A high number runs the risk of running out of memory if many sessions are locally cached. All sessions are still stored on the distributed session cache when it is enabled.
Data type: Integer
Example: 4096
distributedSessionCache.externalServers

A list of locations of the distributed session cache servers in weighted order.

Syntax:

<primary_address>:<port>[:<ssl>];<secondary_address>:<port>[:<ssl>],...
<address>

The IP address of the distributed session cache server. For example, 10.150.21.80.

<port>

The port for the distributed session cache. For example, 2126.

<ssl>

Whether SSL communication with the distributed session cache is required. The default value is false.

Data type: String

Example:

10.150.21.80:2126:true;10.150.21.81:2126:false,10.150.21.82:2126
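
The following added example (not product code) parses the distributedSessionCache.externalServers string into its ordered server list and lists the entries that will talk to the distributed session cache without SSL, which is the thing to review before enabling the cache. It assumes that both ";" and "," separate entries and that order of appearance is the weighted order, as the syntax above shows; IPv6 literals are not handled because the page shows only IPv4 addresses. The sample value is the page's own example.

```python
# Added example (not product code): parser for distributedSessionCache.externalServers.
# Assumptions: ";" and "," both separate entries, appearance order is weighted order,
# IPv4 or host names only, ssl defaults to false as documented.
import re

_ENTRY = re.compile(
    r"^(?P<address>[^:;,\s]+):(?P<port>\d{1,5})(?::(?P<ssl>true|false))?$",
    re.IGNORECASE,
)


def parse_external_servers(value):
    """Return [(address, port, ssl_required), ...] in weighted order; reject malformed entries."""
    servers = []
    for raw in re.split(r"[;,]", value):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY.match(raw)
        if not m:
            raise ValueError("malformed distributed session cache entry: %r" % raw)
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError("port out of range in entry: %r" % raw)
        ssl = (m.group("ssl") or "false").lower() == "true"  # default false, per the page
        servers.append((m.group("address"), port, ssl))
    return servers


def plaintext_servers(value):
    """Entries that will be reached without SSL; session data crosses the wire in clear."""
    return ["%s:%d" % (address, port)
            for address, port, ssl in parse_external_servers(value) if not ssl]


PAGE_EXAMPLE = "10.150.21.80:2126:true;10.150.21.81:2126:false,10.150.21.82:2126"
```

For the page's example, plaintext_servers(PAGE_EXAMPLE) reports the second and third servers: one sets ssl to false explicitly and the third omits the field, which the documented default treats the same way.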
distributedSessionCache.localCacheEnabled
A switch that dictates whether a local cache of distributed sessions is maintained. If this setting is disabled, a higher load is placed on the distributed session cache server. Enable the local cache only if all requests from the same client are guaranteed to be sent to the same runtime server (stickiness). Session inconsistencies might occur if the local cache is enabled and stickiness is not maintained. All sessions are still stored in the distributed session cache when it is enabled.

Data type: Boolean

Example: False

distributedSessionCache.enabled
Note: This is a legacy configuration. It is recommended that this configuration be set to false and that session.store be used instead.
You can configure the parameter for AAC or Federation in one of the following screens in the LMI:
  • AAC > Global Settings > State Persistence
  • Federation > Global Settings > State Persistence

A switch that dictates if the distributed session cache is used for session failover. If this setting is not enabled, the distributed session cache server still runs as a service, but the client does not use it.

Data type: Boolean

Example: false

TOTP and HOTP retry properties

otp.retry.enabled
Whether the retry protection is enabled.
Data type: Boolean
Example: true
otp.retry.maxNumberOfAttempts
The maximum number of strikes the users can have before they are prevented from logging in.
Data type: Integer
Example: 5
otp.retry.otpRetryTimeout
The number of seconds a strike lasts.
Data type: Integer
Example: 600

OTP properties

otp.usc.legacyBehavior
OTP secret keys are available from the REST API and USC pages at:

REST services for OTP secret keys

https://<WebSEAL host>:<port>/<junction name>/sps/mga/user/mgmt/otp/{otpType}

Managing OTP secret keys

https://<WebSEAL host>:<port>/<junction name>/sps/mga/user/mgmt/html/otp/otp.html

This configuration controls whether these earlier APIs and pages are enabled. If set to false, a deactivated message is returned when the REST API or USC pages are accessed.

The MMFA discovery payload also dynamically removes the TOTP and HOTP mechanism URIs from the discovery mechanisms if otp.usc.legacyBehavior is set to false. See Discovery mechanisms.

Data type: Boolean

Example: false

OAuth20

oauth20.clientDataToInclude
Specifies the OAuth client information to be returned as JSON data. This property is a comma-separated list of the JSON Keys. Valid values are:

contact_type
email_address
contact_person
company_name
company_url
phone_number
other_info
You can specify one or more of these keys for this property.
Note: The oauth20.clientDataToInclude property defaults to contact_type, email_address, contact_person, company_name, company_url, phone_number, other_info.
Data type: String
Example: contact_type, email_address, company_name
oauth20.doNotSendXFrameOptionsHeader
Specifies whether an X-Frame-Options header with value SAMEORIGIN must be returned from the OAuth 2.0 endpoints. When set to true, no X-Frame-Options header is sent.
Note: The oauth20.doNotSendXFrameOptionsHeader property defaults to false.
Data type: Boolean
Example: false
oauth20.hashedTokenStorageEnabled
Enables hashed storage when set to true. The Verify Identity Access appliance can persist OAuth 2.0 tokens in the clear text form or in the more secure hashed form.

The hashing algorithm set in the runtime.hashAlgorithm property will be used. When verifying hashed tokens, the runtime.verificationHashAlgorithms property will be used. The algorithms listed in the runtime.verificationHashAlgorithms property will be tried in the specified order. This mechanism allows for upgrading of the hashing algorithm while continuing to support old tokens.

Note: The oauth20.hashedTokenStorageEnabled property defaults to false, and the OAuth 2.0 tokens will be stored as-is.
Data type: Boolean
Example: false
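The storage and verification behaviour described above, modelled in Python as an added example (not the product's code): new tokens are stored under the digest named by runtime.hashAlgorithm, and a presented token is checked against each algorithm in runtime.verificationHashAlgorithms in order, so the algorithm can be upgraded while tokens hashed under the old one remain valid. The algorithm names ("sha256", "sha512") and the in-memory store are constructed for this example; the product's accepted values are not given on this page.

```python
"""Hashed OAuth 2.0 token storage with ordered verification-algorithm fallback."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TokenStore:
    hash_algorithm: str                  # runtime.hashAlgorithm: used for newly stored tokens
    verification_algorithms: List[str]   # runtime.verificationHashAlgorithms: tried in order
    hashed_storage_enabled: bool = True  # oauth20.hashedTokenStorageEnabled
    # Constructed stand-in for the token table: stored value -> algorithm used
    # (None when the token was stored as-is).
    _records: Dict[str, Optional[str]] = field(default_factory=dict)

    @staticmethod
    def _digest(algorithm: str, token: str) -> str:
        # hashlib.new accepts names such as "sha256" and "sha512" (example values).
        return hashlib.new(algorithm, token.encode("utf-8")).hexdigest()

    def store(self, token: str) -> str:
        """Persist a freshly issued token and return the value actually written."""
        if not self.hashed_storage_enabled:
            self._records[token] = None          # default behaviour: token stored as-is
            return token
        digest = self._digest(self.hash_algorithm, token)
        self._records[digest] = self.hash_algorithm
        return digest

    def verify(self, token: str) -> Optional[str]:
        """Return the algorithm that matched ("clear" for unhashed storage), or None."""
        if not self.hashed_storage_enabled:
            return "clear" if token in self._records else None
        # A real store looks the digest up as a key, so each algorithm in the
        # verification list costs one lookup; the first match wins.
        for algorithm in self.verification_algorithms:
            if self._digest(algorithm, token) in self._records:
                return algorithm
        return None

    def stale_record_count(self) -> int:
        """Stored tokens hashed with an algorithm no longer in the verification list.

        These can never verify again and are only removed by expiry cleanup.
        """
        return sum(
            1 for algorithm in self._records.values()
            if algorithm is not None and algorithm not in self.verification_algorithms
        )
```

Dropping an algorithm from runtime.verificationHashAlgorithms immediately invalidates every token hashed with it, so the old algorithm should stay in the list until those tokens have expired.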
oauth20.sessionEndpointEnabled
Enables the ability to return an authenticated session at the point-of-contact when the oauth20.sessionEndpointEnabled property is set to true.
Note: The oauth20.sessionEndpointEnabled property defaults to false.
Data type: Boolean
Example: false
oauth20.tokenCache.cleanupWait
The amount of time, in seconds, to wait before it performs another cleanup of expired tokens in the OAuth 2.0 token cache.
Note: The oauth20.tokenCache.cleanupWait property defaults to 120.

OAuth token cleanup can be disabled by setting the cleanupWait value to 0.

Data type: Integer
Example: 120
oauth20.legacyAttributeHandling
Changes how associated attributes function across the API Protection and OpenID Connect solution. This includes:
  • OauthMappingExtUtils.retrieveAllAssociations() and OauthMappingExtUtils.getAssociation() calls in mapping rules
    • When it is set to True, they do not return READONLY or SENSITIVE attributes.
    • When it is set to False, they return READONLY or SENSITIVE attributes.
  • The user self care endpoint /mga/sps/mga/user/mgmt/grant/
    • When it is set to True, attributes that are both READONLY and SENSITIVE are returned.
    • When it is set to False, attributes that are both READONLY and SENSITIVE are not returned.
  • Attributes that are saved from attribute sources when performing identity enrichment.
    • When it is set to True, attributes are saved against the grant as neither READONLY nor SENSITIVE.
    • When it is set to False, attributes are saved against the grant as READONLY. The post token rule can be used to update this value if necessary.
oauth20.authorize.stateRequired
Specifies state as a required parameter in authorization code flow.

Data type: Boolean

Default: true

Note: For OIDC conformance, set to false.
oauth20.support.chunked.transfer.encoding
Specifies whether Transfer-Encoding: chunked is supported as a request header by the /token and /introspect endpoints.

Data type: Boolean

Default: false

oauth20.backwardCompatibilityEnabled
Specifies whether the redirect_uri is read in the decoded format or raw format. When set to true, it is read in the decoded format.
Note: The oauth20.backwardCompatibilityEnabled property defaults to false.
Data type: Boolean
Example: false
oauth20.clientCacheLifetime
Length of time, in seconds, that a specific client instance is cached for. Once this time period is exceeded, the client instance is removed from the cache. Setting it to 0 defaults it to 60 seconds for dynamic clients.
Note: The oauth20.clientCacheLifetime property defaults to 5.
Data type: Integer
Example: 20
oauth20.deviceFlow.slowDownThreshhold
Specifies the length in seconds of the slow down threshold of polling interval during Device Flow.
Note: The oauth20.deviceFlow.slowDownThreshhold property defaults to 2.
Data type: Integer
Example: 5
oauth20.tokenCache.allowDBConnectExceptionEnable
Specifies whether the authorization server returns HTTP status code 502 Bad Gateway when an exception is caused by a database connection issue, rather than HTTP status code 400 Bad Request.
Note: The oauth20.tokenCache.allowDBConnectExceptionEnable property defaults to false.
Data type: Boolean
Example: false
oauth20.tokenCache.cleanupOnlyOnPrimaryMaster
In a clustered environment, specifies if the cleanup thread should run only on the master node.
Note: The oauth20.tokenCache.cleanupOnlyOnPrimaryMaster property defaults to false.
Data type: Boolean
Example: false
oauth20.cleanupThread.maxSize
Specifies the maximum number of expired tokens to remove in a single cleanup operation. When this limit is reached, the cleanup stops, even if more expired entries remain. A value of 0 means that there is no maximum.
The default value is 0.
Data type: Integer
Example: 1000
oauth20.cleanupThread.queryTimeout

Specifies the maximum duration, in seconds, for a single token cleanup operation. The operation stops when the timeout is reached. A value of 0 means that there is no timeout.

The default value is 0.
Data type: Integer
Example: 1000
oauth20.cleanupThread.batchSize
Specifies whether batch deletion is enabled for expired OAuth 2.0 tokens and the number of records deleted per batch.
If the value is defined as 0 or is blank, batch delete is not enabled and all expired OAuth tokens are deleted using one SQL delete statement.
If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all of the expired OAuth tokens are deleted. The batch process is useful for deleting a large quantity of expired tokens.
Note: A database commit is performed after each batch delete.
The default value is 0.
Data type: Integer
Example: 1000 (Batch delete is enabled, with a batch size of 1000 records.)
oauth20.redirecturl.authority.legacy.behaviour
If set to false, the redirect_uri is matched against the registered redirect_uri by comparing their authorities, with additional characters eliminated.
Note: The oauth20.redirecturl.authority.legacy.behaviour property defaults to true.
Data type: Boolean
Example: false

PostgreSQL

postgresdb.fetchsize
Specifies the PostgreSQL database fetch size.
Data type: Integer
Example: 50

HTTP client

util.httpClient.defaultTrustStore
Specifies the default truststore that HTTPS connections in the HTTP client use.
Note: The util.httpClient.defaultTrustStore property defaults to rt_profile_keys.
Data type: String
Example: rt_profile_keys
util.httpClient.defaultSSLProtocol
Specifies the default SSL protocol configuration used by HTTPS connections in the HTTP client.
The following values are valid:
  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3
  • TLS (enables all of the above protocols)
Note: The util.httpClient.defaultSSLProtocol property defaults to TLS.
Data type: String
Example: TLS
util.httpClient.maxActiveConnections
Specifies the maximum number of HTTP and HTTPS connections, per host, between the appliance runtime and other modules. In a multiple host environment, the runtime might need to establish many HTTP/HTTPS connections at the same time. By specifying this property, you can limit the number of active connections for each host. This setting ensures that each host can obtain its fair share of HTTP/HTTPS connections without being forced to wait for other hosts to release connections.
  • Data type: String
  • Default: An unlimited number of HTTP/HTTPS connections are permitted

You can specify the maximum number of active connections in one of two ways:

  • Specify a maximum number to apply to every host. Syntax:
    "*=<count>"
  • Specify a maximum number on a per host basis. Syntax:
    "<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"
    <host>
    The host value can be either an IP address, a hostname or domain name as specified in the Endpoint URL. Specify the host value based on the URL format. For example:
    • IP Address: 192.168.102.192
    • Hostname or domain name: www.server1.com
    <port>=<count>
    The communication port on the host. For example, to limit port 80 to only 100 connections, enter 80=100.
    *=<count>
    The count limit for servers that are not specified by a <host> value in this property. When set to zero (*=0) there is no limit on the number of HTTP/HTTPS connections that can be created to other servers. When set to an integer greater than zero, the integer specifies the maximum number of HTTP/HTTPS connections that can be created to each of the other servers.
    Note: Ensure that <count> is specified as a value of type integer. Do not use values of type string for <count>.
Example 1: Specifying a maximum number to apply to every host

For example, your deployment must establish connections to two servers. You want to limit the number of connections to 100 per server. You also want to ensure that when you add additional servers, the number of connections to each additional server is limited to 100.

Use the syntax "*=<count>". For this example:

"*=100"
Example 2: Specifying maximum numbers on a per host basis

For example, your deployment must establish connections to two servers. You want to limit the number of connections for one server to 100, but allow the other server to have 200 connections. In addition, you do not want to limit the number of connections for any additional servers.

Use the syntax: "<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"

For example, the runtime might need to establish the connections to the following URLs, for an SMS OTP flow and an OIDC flow:

  • http://www.server1.com/isam/sms_otp
  • https://192.168.102.192/isam/oidc_sts

Example configuration entry:

"www.server1.com:80=100,192.168.102.192:443=200,*=0"

The example configuration entry specifies:

  • The maximum number of HTTP/HTTPS connections that can be created to www.server1.com at a time (on port 80) is 100.
  • The maximum number of HTTP/HTTPS connections that can be created to 192.168.102.192 at a time (on port 443) is 200.
  • There is no limit on the number of HTTP/HTTPS connections that can be created to other hosts.
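The two examples above, worked through in Python as an added illustration (not the product's code): the value is parsed into per-host limits plus the wildcard, and the limit for a URL is resolved with the same host:port mapping Example 2 uses (http on port 80, https on port 443). The integer check on <count> enforces the note above; the URLs and counts are the page's own.

```python
"""Resolve per-host connection limits from util.httpClient.maxActiveConnections.

Syntax: "*=<count>"  or  "<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"
*=0 (or an unset property) means no limit for hosts not listed explicitly.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

HostKey = Tuple[str, int]


def parse_max_active_connections(value: str) -> Tuple[Dict[HostKey, int], Optional[int]]:
    """Return (explicit limits keyed by (host, port), wildcard limit or None if absent)."""
    per_host: Dict[HostKey, int] = {}
    wildcard: Optional[int] = None
    for item in value.strip().strip('"').split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, count_text = item.partition("=")
        # <count> must be an integer, never a quoted string (see the note above).
        if not sep or not count_text.strip().isdigit():
            raise ValueError(f"<count> in {item!r} must be an integer")
        count = int(count_text)
        if key.strip() == "*":
            wildcard = count
            continue
        host, sep, port_text = key.strip().rpartition(":")
        if not sep or not port_text.isdigit():
            raise ValueError(f"expected <host>:<port>=<count>, got {item!r}")
        per_host[(host.lower(), int(port_text))] = count
    return per_host, wildcard


def is_valid(value: str) -> bool:
    """True when the value parses under the documented syntax."""
    try:
        parse_max_active_connections(value)
        return True
    except ValueError:
        return False


def connection_limit(value: str, url: str) -> Optional[int]:
    """Maximum connections permitted to the host that serves `url`; None means unlimited."""
    per_host, wildcard = parse_max_active_connections(value)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)  # as in Example 2
    if (host, port) in per_host:
        return per_host[(host, port)]
    if wildcard is None or wildcard == 0:  # property unset, or *=0: no limit
        return None
    return wildcard
```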

HTTP Client version 2

util.httpClientv2.getConnectionTimeout
Specifies the timeout for retrieving a connection from the connection pool. Value is in seconds.
Note: The util.httpClientv2.getConnectionTimeout property defaults to 5 seconds for every host (*=5)

Data type: String

Example: *=5

You can specify the timeout by using one of the following methods:
  • Specify a timeout that applies to every host and port.
    "*=<timeout>"
  • Specify a timeout on a per host and port basis.
    "<host1>:<port1>=<timeout>,<host2>:<port2>=<timeout2>,*=<timeout3>"
util.httpClientv2.connectTimeout
Specifies the timeout for establishing a connection with the remote host. Value is in seconds.
Note: The util.httpClientv2.connectTimeout property defaults to 5 seconds for every host (*=5).

Data type: String

Example: *=5

You can specify the timeout by using one of the following methods:
  • Specify a timeout that applies to every host and port.
    "*=<timeout>"
  • Specify a timeout on a per host and port basis.
    "<host1>:<port1>=<timeout>,<host2>:<port2>=<timeout2>,*=<timeout3>"
util.httpClientv2.connectionInactiveValidate
Specifies the period of inactivity in milliseconds after which pooled connections must be re-validated prior to being reused. Value is in seconds.
Note: The util.httpClientv2.connectionInactiveValidate property defaults to 2 seconds for every host (*=2).

Data type: String

Example: *=2

You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.connectionTimeToLive
Specifies the maximum time a connection stays open, after which it automatically closes. Value is in seconds.
Note: The util.httpClientv2.connectionTimeToLive property defaults to no timeout.

Data type: String

Example: *=30

You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.socketTimeout
Specifies the timeout to wait for packets to arrive on an established connection. Value is in seconds.
Note: The util.httpClientv2.socketTimeout property defaults to 5 seconds for every host (*=5).

Data type: String

Example: *=5

You can specify the timeout by using one of the following methods:
  • Specify a timeout that applies to every host and port.
    "*=<timeout>"
  • Specify a timeout on a per host and port basis.
    "<host1>:<port1>=<timeout>,<host2>:<port2>=<timeout2>,*=<timeout3>"
util.httpClientv2.defaultSSLProtocol
Specifies the default SSL protocol configuration that HTTPS connections in the HTTP client use.
The following values are valid:
  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3
  • TLS (enables all of the above protocols)
Note: The util.httpClientv2.defaultSSLProtocol property defaults to TLS.

Data type: String

Example: TLS

util.httpClientv2.defaultTrustStore
Specifies the default truststore that HTTPS connections in the HTTP client use.
Note: The util.httpClientv2.defaultTrustStore property defaults to rt_profile_keys.

Data type: String

Example: rt_profile_keys

util.httpClientv2.disableAutoRetries
Specifies whether or not to disable automatic request recovery and re-execution.
Note: The util.httpClientv2.disableAutoRetries property defaults to false for every host (*=false).

Data type: String

Example: *=false

You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.enableHostNameVerification
Specifies whether or not to enable hostname verification. If enabled it verifies that the target hostname matches the names that are stored inside the server’s X.509 certificate once the connection is established.
Note: The util.httpClientv2.enableHostNameVerification property defaults to true for every host (*=true).

Data type: String

Example: *=true

You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.disablePublicSuffixVerification

Specifies whether or not to disable hostname verification using the list of valid public suffixes. HttpClient uses the public suffix list to ensure that wildcards in SSL certificates cannot be misused to apply to multiple domains with a common top-level domain. The HTTP Client ships with a copy of the list retrieved at the time of the release. The local copy is a configuration file named local-copy-effective_tld_names.dat and can be updated following the instructions at Managing advanced configuration.

Note: The util.httpClientv2.disablePublicSuffixVerification property defaults to false for every host (*=false).

Data type: String

Example: *=false

You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.disableRedirectHandling
Specifies whether or not the HTTP Client automatically handles redirects.
Note: The util.httpClientv2.disableRedirectHandling property defaults to false for every host (*=false).

Data type: String

Example: *=false

You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.maxConnections
Specifies the maximum number of connections that are created in each connection pool.
Note:
  • There is a separate connection pool that is created for each unique SSL connection key. This key is generated by using the URL hostname and port, truststore, client keystore, client key alias, protocol, and proxy server values that are specified in the HTTP Client V2 usage.
  • The util.httpClientv2.maxConnections property defaults to 200 for every host (*=200).

Data type: String

Example: *=200

You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.maxRouteConnections
Specifies the maximum number of connections in a connection pool that are available for each unique route.
Note:

The util.httpClientv2.maxRouteConnections property defaults to 20 for every host (*=20).

Data type: String

Example: *=20

You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.proxyHost
Specifies the hostname of the proxy server if requests must go through a proxy.

To disable the use of a proxy, leave this value, proxyPort and/or proxyProtocol empty.

Note: The util.httpClientv2.proxyHost defaults to none.

Data type: String

Example: test.com

util.httpClientv2.proxyPort
Specifies the port of the proxy server if requests must go through a proxy.

To disable the use of a proxy, leave this value, proxyHost and/or proxyProtocol empty.

Note: The util.httpClientv2.proxyPort property defaults to none.

Data type: Integer

Example: 443

util.httpClientv2.proxyProtocol
Specifies the protocol for the proxy server if requests must go through a proxy.

To disable the use of a proxy, leave this value, proxyHost and/or proxyPort empty.

Note: The util.httpClientv2.proxyProtocol property defaults to none.

Data type: String

Example: test.com

util.httpClientv2.proxyUsername
Specifies the username used to authenticate to the proxy server if requests must go through a proxy. If no authentication is required, leave this value and proxyPassword as empty.
Note: The util.httpClientv2.proxyUsername property defaults to none.
Data type: String
Example: admin
util.httpClientv2.proxyPassword
Specifies the password used to authenticate to the proxy server if requests must go through a proxy. If no authentication is required, leave this value and proxyUsername as empty.
Note: The util.httpClientv2.proxyPassword property defaults to none.
Data type: String
Example: passw0rd
util.httpClientv2.resultCacheEnabled
This cache stores the results for GET, HEAD, and OPTIONS requests to improve performance. Enable caching only for requests to endpoints whose responses do not change frequently. You can also enable the result cache for individual requests by using the RequestParameters object when calling HttpClientV2 methods.

The cache stores the com.ibm.security.access.httpclient.HttpResponse object that is generated from the HTTP call.

Note: The util.httpClientv2.resultCacheEnabled property defaults to false for every host (*=false).
Data type: String
Example: *=true
You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"
util.httpClientv2.resultCacheTimeoutSecs
Specifies the maximum time, in seconds, that a result stays in the result cache. You can set this timeout for individual requests by using the RequestParameters object when calling HttpClientV2 methods.
Note: The util.httpClientv2.resultCacheTimeoutSecs property defaults to 30 seconds for every host (*=30).
Data type: String
Example: *=60
You can specify the value by using one of the following methods:
  • Specify a value that applies to every host and port.
    "*=<value>"
  • Specify a value on a per host and port basis.
    "<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>"

Demo

live.demos.enabled
Enables the mobile demonstration application.
Data type: Boolean
Example: False
live.demos.settings
This setting can be used to pre-populate the settings of the mobile demo. It is a comma-separated set of key-value pairs that match what is submitted on the settings form.

Data type: String

Example: lmiHostAndPort=lmi.host.com, lmiAdminId=admin, lmiAdminPwd=admin, acHostAndPort=127.0.0.1, websealHostNameAndPort=webseal.host.com

Knowledge questions properties

knowledge.questions.AnswerValidationRegEx
Specifies the regular expression used to validate the knowledge question answer value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against to determine if the supplied value is valid.
Note: At a minimum, this property must include the following characters: <>:"
Data type: RegEx
Example: [\[()<>,;:\\/\"\]=]
knowledge.questions.QuestionValidationRegEx
Specifies the regular expression used to validate the knowledge question text value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against to determine if the supplied value is valid.
Note: At a minimum, this property must include the following characters: <>:"
Data type: RegEx
Example: [\[()<>,;:\\/\"\]=]

Key encryption and signing service (KESS)

kess.crlEnabled
Checks the certificate revocation list. Checking is done by the key encryption and signature service (KESS) for all functions that use an external certificate, except for the audit syslog. If your configuration does not require CRL checking, you can disable it. For example, if you use an internal certificate authority (CA), you might want to disable CRL checking. The kess.crlEnabled property defaults to true.
CRL site unavailability scenario
If you have kess.crlEnabled set to true and a CRL site becomes unavailable, you cannot determine the revocation status of the certificate. In this situation, the single sign-on flow will fail.

Confirm a CRL site unavailability issue by looking for the message FBTKJK056E The CRL site could not be determined. in the runtime trace.log file.

As a temporary workaround, set the CRL checking to false to keep the single sign-on flow running. As soon as the CRL site is working again, set kess.crlEnabled to true so that the single sign-on flow contains the CRL check.

CAUTION: If you do stop CRL checking as a temporary workaround, be aware that the certificate might have already been revoked by the CA. If this type of certificate is allowed to pass the validation, it creates security issues. Therefore, ensure that you enable CRL checking to avoid potential security issues such as this.
Data type: Boolean
Example: true
kess.crlInterval
The amount of time, in seconds, between successive CRL checks. Using an interval of time between CRL checks reduces the performance impact of doing the checks every time a certificate needs to be validated.

A value less than or equal to zero means that the runtime performs a CRL check every time it wants to use a certificate. The default is 0 seconds.

If kess.crlEnabled is set to false, this value is ignored.

Data type: Integer
Example: 86400

This value means that a CRL check on a certificate is performed once per day.

kess.hostnameValidationDisabled
Determines whether to disable host name verification when establishing an SSL connection. Host name verification checks that the host name of the server matches the CN of the server's certificate.

In a test environment, you might want to disable the validation. In a production environment, you might want to enable validation.

The default value is False.

Data type: Boolean
Example: False
kess.keySelectionCriteria
Specify which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If there are multiple keys or certificates with the same Subject DN as the key or certificate with the specified alias, this setting determines which one to use. Use one of the following selection methods:
only.alias
Alias only: Uses the selected key only, without automatic rollover. If the key is invalid, the software indicates failure.
shortest.lifetime
Shortest lifetime: For signing, a valid key with the shortest available lifetime. For validation, key lifetime availability runs from shortest to longest.
longest.lifetime
Longest Lifetime: For signing, a valid key with the longest available lifetime. For validation, key lifetime availability runs from longest to shortest.
Data type: String
Example: only.alias
kessjksservice.exclude.inclusive.namespace.prefixes
Specifies a comma-separated list of prefix names. When this is set, the prefixes in the list are not added to the InclusiveNamespaces list that is in the Signature Element.

Data type: String

Example: ds

kess.validateCertPath
Specifies whether to validate certificate paths when performing certificate validation.
The default value is true.
Data type: Boolean
Example: true

JSON Web Key

jwks.encryption.keystore

Defines the name of the encryption keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'enc'.

Default value: rt_profile_keys

jwks.signing.keystore

Defines the name of the signing keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'sig'.

Default value: rt_profile_keys

jwks.encryption.enabled

Specifies whether or not the jwks endpoint for the runtime will use the encryption keystore.

Default value: true

Data type: Boolean

Example: true

Policy information point (PIP)

pip.uncachedAttributes
Defines a comma-separated list of attributes that are generated by a policy information point (PIP) that you do not want to be cached.
Data type: String list
Example: urn:ibm:security:jdbc:city, urn:ibm:security:ldap:priviledgeUser

Security token service (STS)

sts.ivcred.unauthenticated.user.name

Set to a special user account for unauthenticated user tokens when using the IVCRED STS module in validate mode. The default value is "".

Data type: String

Example: guest

sts.ivcred.unauthenticated.user.registry.id

In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's registry id can also be added when using the IVCRED STS module in validate mode. The default value is "".

This parameter is optional.

Data type: String

Example: cn=guest,o=ibm,c=us

sts.ivcred.unauthenticated.user.uuid

In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's UUID can also be added when using the IVCRED STS module in validate mode. The default value is "".

This parameter is optional.

Data type: String

Example: 81a2a65e-0018-0150-8080-3f83b0f74f4c

sts.ldapAttributeCache.TTL
Specifies a time-to-live (TTL) value, in seconds, for the amount of time to keep an LDAP attribute in the cache. Specify 0 to disable.

The default value is 60.

Data type: Integer
Example: 60
sts.wstrust.error.shortexception
Set this parameter to True to provide a short exception in the 'wst:Reason' for STS exceptions. When this parameter is set to False, the entire exception stack is provided in 'wst:Reason'.

Type: Boolean

Default: False

Example: False

sts.uuser.attributes.donottrim.list
Specifies a space-separated list of STS universal user attributes that keep whitespace in the value when retrieved. All other attributes are trimmed and set as null if empty.
The default value is None.
Data type: String
Example: value1 value2 value3

Mobile Multi-Factor Authentication (MMFA)

mmfa.authenticator.cleanupWait

The amount of time, in seconds, to wait before another cleanup of expired authenticators is performed.

MMFA authenticator cleanup can be disabled by setting cleanupWait to 0.

The default value is 3600.

Data type: Integer

Example: 3600

mmfa.authenticator.maxCleanupSize

Specifies the maximum number of expired authenticators to remove in a single cleanup operation. When this limit is reached, the cleanup stops, even if more expired entries remain. A value of 0 means that there is no maximum.

The default value is 0.

Data type: Integer

Example: 1000

mmfa.authenticator.cleanupQueryTimeout

Specifies the maximum duration, in seconds, for a single authenticator cleanup operation. The operation stops when the timeout is reached. A value of 0 means that there is no timeout.

The default value is 0.

Data type: Integer

Example: 1000

mmfa.authenticator.batchCleanupSize

Specifies whether batch deletion is enabled for expired authenticators and the number of records deleted per batch.

If the value is defined as 0 or is blank, batch delete is not enabled. If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all of the expired devices are deleted or the maximum cleanup size is reached. The batch process is useful for deleting a large quantity of expired authenticators.

Note: A database commit is performed after each batch delete.

The default value is 0.

Data type: Integer

Example: 1000
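The four cleanup properties above interact. The following Python simulation, added here as an illustration and not part of the product, shows how maxCleanupSize, cleanupQueryTimeout and batchCleanupSize bound a single run of the expired-authenticator cleanup and how cleanupWait 0 disables it. The in-memory ID list, the simulated per-row cost, and the treatment of a disabled batch size as one row per delete and commit are assumptions of the example, not documented behavior.

```python
"""Added illustration of how the mmfa.authenticator.* cleanup properties
interact. Not product code: the list of expired authenticator IDs, the
simulated clock and the commit counter stand in for the HVDB table and the
real cleanup thread. Semantics follow the property descriptions:

  cleanupWait          0 -> cleanup is disabled entirely
  maxCleanupSize       0 -> no cap on rows removed in one run
  cleanupQueryTimeout  0 -> no time limit on one run
  batchCleanupSize     0 or blank -> batch delete disabled; ASSUMED here to
                       mean one row per DELETE and commit
"""
from dataclasses import dataclass


@dataclass
class CleanupResult:
    deleted: int      # expired authenticators removed in this run
    commits: int      # database commits performed (one per batch)
    stopped_by: str   # "disabled", "done", "maxCleanupSize" or "cleanupQueryTimeout"


def run_cleanup(expired_ids, cleanup_wait=3600, max_cleanup_size=0,
                query_timeout=0, batch_size=0, seconds_per_delete=0.0):
    """Simulate one run of the expired-authenticator cleanup thread.

    seconds_per_delete is a simulated cost per deleted row so that the
    query timeout can be exercised without sleeping.
    """
    if cleanup_wait == 0:
        return CleanupResult(0, 0, "disabled")

    remaining = list(expired_ids)
    deleted = commits = 0
    elapsed = 0.0
    stopped_by = "done"

    while remaining:
        if max_cleanup_size > 0 and deleted >= max_cleanup_size:
            stopped_by = "maxCleanupSize"
            break
        if query_timeout > 0 and elapsed >= query_timeout:
            stopped_by = "cleanupQueryTimeout"
            break
        # Batch delete disabled (0 or blank): one row per statement and commit.
        n = batch_size if batch_size else 1
        if max_cleanup_size > 0:
            n = min(n, max_cleanup_size - deleted)   # never overshoot the cap
        n = min(n, len(remaining))
        del remaining[:n]           # the DELETE statement
        deleted += n
        elapsed += n * seconds_per_delete
        commits += 1                # a commit follows each batch delete

    return CleanupResult(deleted, commits, stopped_by)


if __name__ == "__main__":
    ids = [f"auth-{i}" for i in range(2500)]    # constructed sample data
    print(run_cleanup(ids, max_cleanup_size=1000, batch_size=400))
    print(run_cleanup(ids[:5]))                  # batch delete disabled
    print(run_cleanup(ids[:100], query_timeout=2, batch_size=1,
                      seconds_per_delete=0.5))
```

With 2,500 expired rows, a cap of 1,000 and a batch size of 400, the run commits three times (400, 400, 200) and then stops on the cap with rows still left for the next run; the remaining rows are picked up cleanupWait seconds later.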

mmfa.authenticator.cleanupOnlyOnPrimaryMaster

Specifies whether the cleanup thread for expired authenticators runs only on the primary master rather than on every node in a cluster.

The default value is false.

Data type: Boolean

Example: false

mmfa.transactionArchival.maxCompletedPerUser

The number of historical transactions in a completed state to keep per user in the HVDB before they are archived to the audit log. The oldest transactions are removed first. A value of -1 indicates that no archival is performed.

The default value is 50.

Data type: Integer

Example: 50

mmfa.transactionArchival.maxPendingPerUser

The number of transactions per user to keep in a pending state. Transactions over this number have their status set to "fail"; the oldest pending transactions are aborted first. A value of -1 indicates that this limit is not enforced.

The default value is 1.

Data type: Integer

Example: 1

mmfa.transactionPending.minAgeBeforeAbort

The minimum number of seconds a transaction stays in the pending state before the cleanup thread aborts it. Because the cleanup thread runs on an interval, the total time a transaction can remain pending is between minAgeBeforeAbort and (minAgeBeforeAbort + cleanupInterval) - 1 seconds.

The default value is 300.

Data type: Integer

Example: 300

mmfa.transactionPending.cleanupInterval

The number of seconds between each run of the pending transactions cleanup thread.

The default value is 150.

Data type: Integer

Example: 150

mmfa.transaction.cleanupOnlyOnPrimaryMaster

Indicates whether transaction cleanup should be run on all nodes in a cluster, or only on the primary master. This applies to pending transaction cleanup as well as transaction archival.

The default value is false.

Data type: Boolean

Example: false

mmfa.transactionArchival.maxCleanupSize

Specifies the maximum number of expired transactions that can be removed in a single cleanup operation. When this limit is reached, the cleanup stops, even if more expired entries remain. A value of 0 means that there is no maximum.

The default value is 0.

Data type: Integer

Example: 1000

mmfa.transactionArchival.queryTimeout

Specifies the maximum time, in seconds, for a single transaction cleanup operation. The current cleanup operation stops when the timeout is reached. A value of 0 means that there is no timeout.

The default value is 0.

Data type: Integer

Example: 1000

mmfa.devicePrompt.skipIfOneDevice
Indicates whether to skip the device selection page in an MMFA flow if the user only has one device or authenticator registered.

The default value is false.

Data type: Boolean

Example: true

mmfa.silentpush.enabled
Indicates whether the IBM Verify silent push payload is enabled or disabled. For more information see: Push notification registration.

The default value is true.

Data type: Boolean

Example: false

mmfa.transactionArchival.cleanupInterval
The number of seconds between each run of the transaction archival clean-up thread. Only applies to mmfa.transactionArchival.maxCompletedPerUser. A value of -1 causes the thread to poll for configuration changes but not perform any clean-up.

The default value is 120.

Data type: Integer

Example: 120

mmfa.transactionArchival.batchSize
The maximum number of transactions that are removed in a single commit when the transaction archival clean-up thread is run. A value of 0 causes the clean-up thread to remove a single transaction at a time.
Note: A database commit is performed after each batch delete.

The default value is 1000.

Data type: Integer

Example: 1000

mmfa.completionResponse.legacyBehaviour
If a transaction completed before the login wait page was returned, older versions returned a JSON success payload. This was changed so that the login wait page is returned at least once. If this property is set to true, the behavior reverts to returning the JSON success payload.

The default value is false.

Data type: Boolean

Example: true

mmfa.devicePrompt.validateChosen
Specifies whether to validate that the device performing the verification is the same device that was chosen at the device selection step. If set to false, a device other than the one the user selected can be used to verify the transaction, so leave this at true unless a flow specifically depends on the looser behavior.

The default value is true.

Data type: Boolean

Example: true

WS-Federation

wsfed.idp.rstr.excluded.elements
Specifies a comma-separated list of elements to exclude from the WS-Federation request security token response. Can optionally contain a federation realm and federation partner realm, to indicate the federation or federation partner that uses the property values.

The default value is default=Forwardable,Delegatable,Status,Renewing.

The syntax for specifying a federation and a federation partner is:

default=<comma_separated_list_of_elements>:<federation_realm>=<comma_separated_list_of_elements>:<federation_realm>%<partner_realm>=<comma_separated_list_of_elements>

Data type: String

Example:

default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable:fed1-REALM%partner1-REALM=Status
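The following Python example, added here and not part of the product, parses the value in the syntax above, resolves the list that applies to a federation/partner pair, and strips those elements from a constructed RequestSecurityTokenResponse. Two points are assumptions because the page does not state them: entries are split on ':' (so realm names are taken not to contain ':', as in the page's own example), and the most specific entry wins, partner entry before federation entry before default.

```python
"""Added example (not product code) of resolving wsfed.idp.rstr.excluded.elements
for a federation/partner pair and applying it to a RequestSecurityTokenResponse.

Assumptions, labelled here because the page does not state them:
  * entries are separated by ':' and realm names contain no ':' (the page's
    own example uses plain names such as fed1-REALM);
  * the most specific entry wins: <fed>%<partner>, then <fed>, then default.
"""
import xml.etree.ElementTree as ET

WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3


def parse_excluded_elements(value):
    """'default=A,B:fed=C:fed%partner=D' -> {'default': ['A', 'B'], ...}"""
    rules = {}
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        key, _, elements = entry.partition("=")
        rules[key.strip()] = [e.strip() for e in elements.split(",") if e.strip()]
    return rules


def excluded_for(rules, federation_realm, partner_realm):
    """Return the exclusion list that applies to this federation/partner."""
    for key in (f"{federation_realm}%{partner_realm}", federation_realm, "default"):
        if key in rules:
            return rules[key]
    return []


def strip_excluded(rstr_xml, excluded):
    """Remove the excluded wst:* child elements from an RSTR and return the
    local names of the children that remain, in document order."""
    root = ET.fromstring(rstr_xml)
    for child in list(root):
        if child.tag.startswith("{" + WST_NS + "}"):
            local = child.tag.split("}", 1)[1]
            if local in excluded:
                root.remove(child)
    return [c.tag.split("}", 1)[1] for c in root]


# Constructed sample RSTR containing the four elements the default excludes.
SAMPLE_RSTR = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST_NS}">
  <wst:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</wst:TokenType>
  <wst:RequestedSecurityToken><Assertion/></wst:RequestedSecurityToken>
  <wst:Forwardable>true</wst:Forwardable>
  <wst:Delegatable>false</wst:Delegatable>
  <wst:Status><wst:Code>valid</wst:Code></wst:Status>
  <wst:Renewing Allow="true"/>
</wst:RequestSecurityTokenResponse>"""

# The page's own example value.
PAGE_EXAMPLE = ("default=Forwardable,Delegatable,Status,Renewing:"
                "fed1-REALM=Forwardable,Delegatable:"
                "fed1-REALM%partner1-REALM=Status")

if __name__ == "__main__":
    rules = parse_excluded_elements(PAGE_EXAMPLE)
    for fed, partner in [("fed1-REALM", "partner1-REALM"),
                         ("fed1-REALM", "partner2-REALM"),
                         ("fed2-REALM", "partnerX")]:
        kept = strip_excluded(SAMPLE_RSTR, excluded_for(rules, fed, partner))
        print(fed, partner, "->", kept)
```

With the page's example value, partner1 of fed1 loses only Status, any other partner of fed1 loses Forwardable and Delegatable, and every other federation falls back to the default list.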

SAML 1.1

saml.use.legacy.clockskew.default
IBM Verify Identity Access can apply a clock skew of 60 seconds when validating the SAML assertion timestamps. To enable the 60-second clock skew, add the custom property:

saml.use.legacy.clockskew.default = true

Default value: False
Data type: Boolean
Example: True
Note: This custom property also applies to SAML 2.0.
saml.allowDebugMessages
When set to true and a SAML artifact resolution failure occurs, SystemOut.log and SystemErr.log contain an informational message with extra debug information about the request that carried the failed artifact and the reason for the failure. Because the message includes request details, enable it only while diagnosing a problem.
Note: This message is available only in English.
Default value: False
Data type: Boolean
Example: True
saml.allowNoRecipient
Use this custom property if a SAML 1.x service provider needs to accept a samlp:Response that does not contain a Recipient attribute. Enable it only for partners that cannot send the attribute, because the Recipient check is what ties a response to this service provider's endpoint.

Default value: False
Data type: Boolean
Example: True

saml.assertion.IncludeNSPrefixList.DS
When this custom property is set to true, the ds prefix is included in the PrefixList attribute of the InclusiveNamespaces element (exclusive XML canonicalization) in the SAML assertion signature.
Default value: False
Data type: Boolean
Example: True
Note: This custom property also applies to SAML 2.0.
saml.allowSpecificInvalidArtifactMessages
When this custom property is set to true and a SAML artifact resolution failure occurs, the identity provider sends a SAML Response with a specific invalid message (FBTSML276E) that tells the service provider no assertion is available. When the property is not specified, the default is false and the message sent back to the service provider is FBTSML013E.
Default value: False
Data type: Boolean
Example: True

SAML 2.0

saml20.enableSubjectInAuthnRequest

Set to true if the Subject element is required in the SAML 2.0 AuthnRequest. The Subject element is set to the user ID of the existing authenticated session.

Default value: false

Data type: Boolean

Example: true

saml20.idp.acsurlpattern
By default, IBM Verify Identity Access uses an exact string comparison between the AssertionConsumerService URL in the AuthnRequest message and the protocol endpoint specified in the partner metadata.

This custom property allows regular expression matching instead, so that a dynamic AssertionConsumerService URL that matches the regular expression can be supplied in the AuthnRequest. Any URL that matches is accepted as the destination of the SAML response, so write the expression as narrowly as possible: anchor it to the expected host, escape literal dots, and avoid a leading '.*'. In the example below, the '.' before ibm.com matches any character and the leading '.*' matches any host, so the pattern also accepts URLs on hosts outside ibm.com whose path contains ibm.com/isam/sps/.

Data type: String

Note: The binding can be omitted if the configuration applies to all the bindings for that specific federation and partner.
Format:
<FederationId>%<PartnerId>%<Binding>=<RegularExpression>,<FederationId2>%<PartnerId2>=<RegularExpression2>
Example:
https://www.myidp.ibm.com/isam/sps/saml20idp/saml20%https://www.mysp.ibm.com/isam/sps/saml20sp/saml20%urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST=https://.*.ibm.com/isam/sps/.*
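The following Python example, added here and not part of the product, parses the value format above, performs the lookup (binding-specific entry first, then the entry without a binding, then the default exact comparison), and contrasts the page's loose expression with a tightened one against a constructed attacker URL. Two details are assumptions: entries are split on ',' and the first '=' separates the key from the expression, and a match means the whole ACS URL matches the expression (the semantics of Java's String.matches), which is also the safer reading.

```python
"""Added example, not product code, of the saml20.idp.acsurlpattern lookup and
of why the regular expression must be written tightly.

Assumptions: entries are separated by ',' and the first '=' in an entry
separates the key from the expression, so neither the IDs nor the expression
may contain those characters; a match is a full match of the whole
AssertionConsumerService URL (Java String.matches semantics).
"""
import re

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def parse_acs_patterns(value):
    """'<fed>%<partner>[%<binding>]=<regex>,...' -> {(fed, partner, binding|None): compiled}"""
    rules = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        key, _, pattern = entry.partition("=")
        parts = key.split("%")
        if len(parts) == 2:
            fed, partner, binding = parts[0], parts[1], None
        elif len(parts) == 3:
            fed, partner, binding = parts
        else:
            raise ValueError(f"bad acsurlpattern entry: {entry!r}")
        rules[(fed, partner, binding)] = re.compile(pattern)
    return rules


def acs_url_allowed(rules, fed, partner, binding, acs_url, metadata_acs_url):
    """Decide whether the ACS URL carried in an AuthnRequest is acceptable.

    With no matching pattern the default behavior applies: exact string
    comparison against the endpoint from the partner's metadata.
    """
    pattern = rules.get((fed, partner, binding)) or rules.get((fed, partner, None))
    if pattern is None:
        return acs_url == metadata_acs_url
    return pattern.fullmatch(acs_url) is not None


IDP = "https://www.myidp.ibm.com/isam/sps/saml20idp/saml20"
SP = "https://www.mysp.ibm.com/isam/sps/saml20sp/saml20"
SP_ACS = SP + "/login"    # constructed metadata endpoint

# The page's example expression: the '.' before ibm.com is unescaped and the
# leading '.*' spans any host, so the host part is effectively unchecked.
LOOSE = f"{IDP}%{SP}%{HTTP_POST}=https://.*.ibm.com/isam/sps/.*"
# Tightened: host must be one or more labels under ibm.com, dots escaped,
# path restricted to the expected prefix and no query or fragment.
TIGHT = f"{IDP}%{SP}%{HTTP_POST}=" + r"https://([a-z0-9-]+\.)+ibm\.com/isam/sps/[^?#]*"

ATTACKER_ACS = "https://attacker.example/ibm.com/isam/sps/acs"   # constructed

if __name__ == "__main__":
    for label, conf in (("loose", LOOSE), ("tight", TIGHT)):
        rules = parse_acs_patterns(conf)
        for url in (SP_ACS, "https://sp2.ibm.com/isam/sps/saml20sp/saml20/login", ATTACKER_ACS):
            print(label, url, acs_url_allowed(rules, IDP, SP, HTTP_POST, url, SP_ACS))
```

The loose expression accepts the attacker URL because '.*' consumes the whole foreign host and the unescaped '.' matches the '/' before ibm.com; the tightened expression rejects it while still accepting the legitimate hosts.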
saml20.sessionStore
Specifies the SAML 2.0 session footprint store.

The SAML session footprint can be stored in the HVDB, Redis or the DSC. Select Distributed Map (DMap) if the SAML session is to be stored in the HVDB or Redis. When the option is switched to DSC, the SAML session is stored in the Distributed Session Cache.

Data type: String
Note: The SAML 2.0 session footprint store is selected from a drop-down list with the following options:
  • DMap
  • DSC
Example: DMap
Note: This configuration affects SAML 1.1 and SAML 2.0.
saml20.authn.request.provider.name.enabled
Set to true to add the ProviderName attribute to SAML 2.0 AuthnRequests.

Default value: False

Data type: Boolean

Example: False
saml20.signatureValidation.policy
Specifies whether a signature is required on received SAML 2.0 requests.

Allowed values: LENIENT, STRICT
Default value: STRICT
Example: STRICT

If STRICT is specified, the received request must include a signature and it is validated. If LENIENT is specified, a signature that is present is validated, and a request that carries no signature is accepted without error. LENIENT therefore gives no integrity guarantee for unsigned requests; use it only for partners that cannot sign, and keep STRICT for everything else.

OIDC

oidc.rp.idToken.validationSkew
The number of seconds of clock skew allowed on the 'nbf' and 'exp' claims of an ID token when it is processed by an OpenID Connect relying party, for cases where the clocks of the two systems are not perfectly synchronized. Keep the value small, because every second of skew extends the acceptance of an expired token by the same amount.
Note: This advanced configuration does not apply to legacy OpenID Connect relying parties or Reverse Proxy relying parties.
Default value: 0
Data type: Integer
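Both the 60-second SAML skew enabled by saml.use.legacy.clockskew.default and the configurable oidc.rp.idToken.validationSkew widen the validity window of a token on both sides. The following Python example, added here and not part of the product, shows that check with the exclusive upper bound that both JWT 'exp' and SAML NotOnOrAfter carry. Times are integer epoch seconds; the two wrapper functions and the claim names are the example's own. Signature verification is a separate step that must succeed before any time check means anything.

```python
"""Added example, not product code, of validating time claims with a clock
skew allowance. It serves two properties on this page: the 60-second SAML
skew enabled by saml.use.legacy.clockskew.default and the configurable
oidc.rp.idToken.validationSkew applied to the nbf and exp claims.

Times are integer epoch seconds so the checks are deterministic.
"""
SAML_LEGACY_SKEW = 60   # seconds, per saml.use.legacy.clockskew.default


def check_time_claims(now, nbf=None, exp=None, skew=0):
    """Return (ok, reason) for a token whose validity window is [nbf, exp).

    skew widens the window on both sides: the token is accepted from
    nbf - skew up to, but not including, exp + skew. A missing claim is
    simply not checked, which is the lenient JWT reading; require both
    claims in your own policy if you need them.
    """
    if skew < 0:
        raise ValueError("skew must be non-negative")
    if nbf is not None and now < nbf - skew:
        return False, f"token not yet valid: now={now} < nbf={nbf} - skew={skew}"
    if exp is not None and now >= exp + skew:
        return False, f"token expired: now={now} >= exp={exp} + skew={skew}"
    return True, "ok"


def check_id_token(claims, now, validation_skew=0):
    """OIDC relying-party view: apply oidc.rp.idToken.validationSkew to nbf/exp."""
    return check_time_claims(now, claims.get("nbf"), claims.get("exp"), validation_skew)


def check_saml_conditions(now, not_before=None, not_on_or_after=None, legacy_skew=False):
    """SAML view: NotBefore/NotOnOrAfter with the optional 60-second legacy skew.
    NotOnOrAfter has the same exclusive upper-bound meaning as JWT exp."""
    skew = SAML_LEGACY_SKEW if legacy_skew else 0
    return check_time_claims(now, not_before, not_on_or_after, skew)


if __name__ == "__main__":
    # Constructed ID token claims, issued by a clock 30 s ahead of ours.
    claims = {"iss": "https://op.example", "sub": "jdoe", "iat": 1_700_000_030,
              "nbf": 1_700_000_030, "exp": 1_700_000_330}
    for skew in (0, 60):
        print("skew", skew, check_id_token(claims, now=1_700_000_000, validation_skew=skew))
    print(check_saml_conditions(1_700_000_330, 1_700_000_030, 1_700_000_330, legacy_skew=True))
```

The constructed token is rejected with the default skew of 0 because its 'nbf' is 30 seconds in our future, and accepted once 60 seconds of skew is allowed; at the exact 'exp' instant the token is already invalid unless skew is configured.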
oidc.rp.metadata.cache.maxsize
Specifies the maximum number of entries the OpenID Connect provider metadata cache can hold before older entries are purged. Setting this value to 0 disables the metadata cache.
Default value: 4096
Data type: Integer
oidc.rp.metadata.cache.lifetime
Defines the number of seconds an OpenID Connect relying party partner caches the metadata that is retrieved from an OpenID Connect provider. Setting this value to 0 disables the metadata cache.
Default value: 60
Data type: Integer

Rhino Javascript Engine

js.version
Specifies the Rhino Javascript version.
Supported values: Context.VERSION_ES6, Context.VERSION_1_7, Context.VERSION_1_8
Default value: Context.VERSION_ES6
Data type: String
Example: Context.VERSION_ES6
js.optimizationLevel
Specifies the Rhino Java optimization level.
Default value: 0
Data type: String
Example: 0
js.blocked.properties
Specifies a comma-separated list of JavaScript objects and functions that are blocked from use in mapping rules. The defaults block the ways a mapping rule could compile a string into code at run time.
Default value: eval, uneval, Function
Data type: String
Example: eval, uneval, Function

Basic LDAP User

basicLdapUser.ldap.minBinds
Specifies the minimum number of binds to the LDAP server.
Default value: 1
Data type: Integer
Example: 1
basicLdapUser.ldap.maxBinds
Specifies the maximum number of binds to the LDAP server.
Default value: 1
Data type: Integer
Example: 1

Consent Device Registration

consentDeviceRegistration.authLevelHeaderEnabled
Specifies whether the authentication level header, with the value set in consentDeviceRegistration.authLevelHeaderValue, is added to the response of the Consent Register Device authentication policy.
Default value: false
Data type: Boolean
Example: true
consentDeviceRegistration.authLevelHeaderValue
Specifies the value to set in the authentication level header in the response of the Consent Register Device authentication policy if the consentDeviceRegistration.authLevelHeaderEnabled property is set to true.
Default value: 2
Data type: Integer
Example: 1

FIDO2

fido2.u2fMigration.autoMigrate
Specifies whether to auto migrate a user's U2F device registrations to FIDO2/WebAuthn.
Default value: false
Data type: Boolean
Example: true

HTTP Session

httpSession.disableSerialization
Specifies whether to disable serialization in the HTTP session.
Default value: true
Data type: Boolean
Example: true

Info Map

infomap.email.smtpStartTls
Specifies whether to use the StartTLS protocol command for communication with the SMTP server.
Default value: false
Data type: Boolean
Example: true
infomap.email.smtpTlsProtocol
Specifies the TLS protocol that is used for communication with the SMTP server.
Default value: None
Data type: String
Example: TLS

WebSEAL POC

poc.webseal.poc.sms.enabled
Specifies whether SMS is enabled on the point of contact environment.
Default value: false
Data type: Boolean
Example: true

Username

username.legacyBehavior
Specifies whether usernames that are retrieved from a database record are handled as is (true) or converted to lowercase (false). For more information, see https://www.ibm.com/support/pages/advanced-access-control-username-case-sensitivity.
Default value: false
Data type: Boolean
Example: true

Audit

audit.disabledScimActions
Specifies a comma-separated list of SCIM actions that are excluded from auditing.
Note: This parameter is ignored if SCIM runtime auditing is not enabled.
Default value: GET
Data type: String
Example: GET,POST,PATCH
audit.maskAttributes
Specifies a space-separated list of attribute values that are masked when they are added to the audit log.
The supported audit components include:
  • SCIM

    To add SCIM schema attributes to the list, use the format SCIM:<schema_name>::<attributes>, where <attributes> is a comma-separated list of attribute names for that schema. A dotted name such as questions.answer refers to a sub-attribute of a complex attribute.

Default value: SCIM:urn:ietf:params:scim:schemas:core:2.0:User::password,passwordNoPolicy SCIM:urn:ietf:params:scim:schemas:extension:isam:1.0:User::password SCIM:urn:ietf:params:scim:schemas:extension:isam:1.0:Password::currentPassword,newPassword SCIM:urn:ietf:params:scim:schemas:extension:isam:1.0:UserKnowledgeQuestions::questions.answer
Data type: String
Example: SCIM:urn:ietf:params:scim:schemas:core:2.0:User::password,passwordNoPolicy
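The following Python example, added here and not part of the product, parses the default value above and applies it to a constructed SCIM user before the record would be written to an audit log. The page describes only the value format, so the placement of attributes is an assumption of the example: core User attributes at the top level of the resource and extension attributes under the sub-object keyed by the schema URN, which is how SCIM 2.0 resources are represented. The mask string and the helper names are the example's own.

```python
"""Added example, not product code, of parsing audit.maskAttributes and
applying it to a SCIM user resource before it is written to an audit log.

Assumption: core User attributes sit at the top level of the resource and
extension attributes sit under the sub-object keyed by the schema URN (the
SCIM 2.0 representation). Dotted names such as questions.answer are treated
as a path into a complex attribute, including multi-valued ones.
"""
import copy

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
EXT_USER = "urn:ietf:params:scim:schemas:extension:isam:1.0:User"
EXT_PASSWORD = "urn:ietf:params:scim:schemas:extension:isam:1.0:Password"
EXT_KQ = "urn:ietf:params:scim:schemas:extension:isam:1.0:UserKnowledgeQuestions"

# The page's default value.
DEFAULT_MASK_ATTRIBUTES = (
    f"SCIM:{CORE_USER}::password,passwordNoPolicy "
    f"SCIM:{EXT_USER}::password "
    f"SCIM:{EXT_PASSWORD}::currentPassword,newPassword "
    f"SCIM:{EXT_KQ}::questions.answer"
)

MASK = "********"   # example's own replacement text


def parse_mask_attributes(value):
    """'SCIM:<schema>::<a,b> SCIM:<schema2>::<c>' -> {schema: ['a', 'b'], schema2: ['c']}"""
    rules = {}
    for entry in value.split():
        if not entry.startswith("SCIM:"):
            continue                      # other audit components would go here
        schema, sep, attrs = entry[len("SCIM:"):].partition("::")
        if not sep:
            raise ValueError(f"malformed entry: {entry!r}")
        rules.setdefault(schema, []).extend(a for a in attrs.split(",") if a)
    return rules


def _mask_path(node, parts):
    """Replace the value at the dotted path inside node (dict or list of dicts)."""
    if isinstance(node, list):
        for item in node:
            _mask_path(item, parts)
    elif isinstance(node, dict) and parts[0] in node:
        if len(parts) == 1:
            node[parts[0]] = MASK
        else:
            _mask_path(node[parts[0]], parts[1:])


def mask_for_audit(resource, rules):
    """Return a masked deep copy of a SCIM resource; the original is untouched."""
    masked = copy.deepcopy(resource)
    for schema, attrs in rules.items():
        if isinstance(masked.get(schema), dict):
            container = masked[schema]          # extension attributes sub-object
        elif schema in masked.get("schemas", []):
            container = masked                  # core schema: top-level attributes
        else:
            continue                            # schema not used by this resource
        for attr in attrs:
            _mask_path(container, attr.split("."))
    return masked


# Constructed sample SCIM user, as it might arrive in a POST body.
SAMPLE_USER = {
    "schemas": [CORE_USER, EXT_PASSWORD, EXT_KQ],
    "userName": "jdoe",
    "password": "Sup3rS3cret!",
    EXT_PASSWORD: {"currentPassword": "Sup3rS3cret!", "newPassword": "Ev3nM0reS3cret!"},
    EXT_KQ: {"questions": [
        {"question": "Name of first pet?", "answer": "Rex"},
        {"question": "City of birth?", "answer": "Hursley"},
    ]},
}

if __name__ == "__main__":
    import json
    rules = parse_mask_attributes(DEFAULT_MASK_ATTRIBUTES)
    print(json.dumps(mask_for_audit(SAMPLE_USER, rules), indent=2))
```

The password, both extension password fields and every knowledge-question answer are replaced in the copy, while userName and the question text survive; the masking runs on a copy so the request that is actually processed is not altered.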

SCIM

scim.legacyAuthzBehavior
Enables the legacy authorization behavior for SCIM POST operations.
Note: Enable this only if you are certain of the consequences.
Data type: Boolean
Default Value: false
Example: false
scim.legacyAuthzForbiddenResponseCode
Enables the legacy response code for unauthorized SCIM requests. When set to true, the response code is 401 Unauthorized; when set to false, it is 403 Forbidden. 403 is the correct code for a caller that is authenticated but not permitted to perform the operation, whereas 401 tells clients that credentials are missing or invalid, so keep the default unless a client depends on the old behavior.
Data type: Boolean
Default Value: false
Example: false