
Security settings

Access to the Federated Directory Server console is controlled by a set of properties that specify the security settings.

You must specify the security settings in the solution.properties file in the IBM® Security Verify Directory Integrator solution directory. These properties control the access to all of IBM® Security Verify Directory Integrator web applications, such as the Dashboard, REST API, and Federated Directory Server console.

Local and remote users are distinguished by the client IP address in the incoming access request:

  • If the IP address belongs to one of the network cards on the system where IBM® Security Verify Directory Integrator is running, it is considered a localhost user.
  • All other IP addresses are considered remote users.

Access permission for localhost users is built in with the following credentials:

  • User name: admin
  • Password: admin

To specify access control and permissions, you can set or modify the following authentication properties:

dashboard.auth=true

Indicates whether users are required to authenticate. Valid values are true if users are required to authenticate or false if no authentication is required.

dashboard.auth.localhost

Indicates the type of authentication that connections from the localhost must use.

Valid values are:

  • properties specifies that property-based authentication must be used.
  • none specifies that authentication is not required.
  • deny specifies that all connections from localhost are denied.
  • ldap specifies that authentication is done by logging in to an LDAP server and optionally validating group membership.

dashboard.auth.remote

Indicates the type of authentication that remote connections must use.

Valid values are:

  • properties specifies that property-based authentication must be used.
  • none specifies that authentication is not required.
  • deny specifies that all remote connections, that is, all connections that do not come from the localhost, are denied access.
  • ldap specifies that authentication is done by logging in to an LDAP server and optionally validating group membership.

{protect}-dashboard.auth.user.username=password

Specifies the user credentials for remote access.

The default user name is admin with password admin:

{protect}-dashboard.auth.user.admin=admin

To specify multiple Federated Directory Server user login accounts, see the following example:

{protect}-dashboard.auth.user.admin=admin
{protect}-dashboard.auth.user.user1=user1passwd
{protect}-dashboard.auth.user.user2=user2passwd

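The settings above are easy to get wrong in a way that is not visible in the file itself (remote access left at none, the built-in admin/admin account kept alongside real accounts). The following script is an added example, not part of IBM Security Verify Directory Integrator: it parses the dashboard.auth.* lines of a solution.properties file, works out which mode applies to a given client address using the localhost rule described earlier, and lists the findings a reviewer would raise. The property names and valid modes come from this page; the sample file content, the list of local addresses, the treatment of the {protect}- prefix as a marker that can be stripped from the key, and the finding texts are assumptions made for the example.

```python
"""Audit the dashboard.auth.* settings in a solution.properties file.

Added example, not part of IBM Security Verify Directory Integrator.
Property names and valid modes follow the documentation; the sample file
content, the local address list and the finding texts are constructed.
"""
from ipaddress import ip_address

# Constructed sample of the relevant lines of a solution.properties file.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real deployment
dashboard.auth=true
dashboard.auth.localhost=properties
dashboard.auth.remote=none
{protect}-dashboard.auth.user.admin=admin
{protect}-dashboard.auth.user.user1=user1passwd
dashboard.auth.max.age=1800
"""

VALID_MODES = {"properties", "none", "deny", "ldap"}
PROTECT_PREFIX = "{protect}-"
USER_PREFIX = "dashboard.auth.user."


def parse_properties(text):
    """Parse key=value lines into a dict.

    Assumption: the {protect}- prefix is a marker on the key, not part of
    the property name, so it is stripped and protected and plain entries
    are looked up under the same name."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        key = key.strip()
        if key.startswith(PROTECT_PREFIX):
            key = key[len(PROTECT_PREFIX):]
        props[key] = value.strip()
    return props


def user_accounts(props):
    """Return {user name: password} from the dashboard.auth.user.* entries."""
    return {k[len(USER_PREFIX):]: v for k, v in props.items() if k.startswith(USER_PREFIX)}


def effective_mode(props, client_ip, local_ips):
    """Mode that applies to one client, following the localhost rule: the
    client is local when its address is one of the system's own addresses.
    local_ips stands in for the addresses of the system's network cards.
    Assumption: a missing dashboard.auth counts as true; a missing mode
    is reported as 'unset' rather than guessed."""
    if props.get("dashboard.auth", "true").lower() == "false":
        return "none"  # authentication switched off for every client
    is_local = ip_address(client_ip) in {ip_address(a) for a in local_ips}
    scope = "localhost" if is_local else "remote"
    return props.get(f"dashboard.auth.{scope}", "unset")


def audit(props):
    """Findings a reviewer would raise about these settings, in file order."""
    findings = []
    if props.get("dashboard.auth", "true").lower() == "false":
        findings.append("dashboard.auth=false: Dashboard, REST API and console accept unauthenticated requests")
    for scope in ("localhost", "remote"):
        mode = props.get(f"dashboard.auth.{scope}")
        if mode is None:
            continue
        if mode not in VALID_MODES:
            findings.append(f"dashboard.auth.{scope}={mode}: not one of {sorted(VALID_MODES)}")
        elif mode == "none" and scope == "remote":
            findings.append("dashboard.auth.remote=none: clients on other hosts need no credentials")
    accounts = user_accounts(props)
    modes = (props.get("dashboard.auth.localhost"), props.get("dashboard.auth.remote"))
    if "properties" in modes and not accounts:
        findings.append("property-based authentication selected but no dashboard.auth.user.* accounts defined")
    for name, password in accounts.items():
        if password == name:
            findings.append(f"account {name}: password equals the user name")
    return findings


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    print("remote client mode:", effective_mode(parsed, "198.51.100.7", ["127.0.0.1", "192.0.2.10"]))
    for finding in audit(parsed):
        print("-", finding)
```

On the constructed sample the audit reports two findings: remote clients are admitted without credentials, and the admin account still carries its user name as password. Pointing the script at a real solution.properties file only requires reading the file into parse_properties; the address list passed to effective_mode should be the addresses actually bound on the host.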
dashboard.auth.ldap.url

Specifies the LDAP server address to use for authenticating the user. This property is used only if you specified ldap as the authentication mechanism.

Enter the LDAP host name, port number, and optionally a search base in the following format:

ldap://host:port[/search-base]

For example:

ldap://localhost:10389/ou=system

If the user provides an email address in the user name input field, IBM® Security Verify Directory Integrator first searches for a unique entry in the LDAP server from which it extracts the distinguished name (DN). Otherwise, it is expected that the value that is provided is acceptable to the LDAP server. After IBM® Security Verify Directory Integrator obtains a DN for the user name and the password from the user, it does an LDAP basic authentication with the DN and password.

dashboard.auth.ldap.url.group

Specifies the LDAP server address to use for verifying group membership of the user after authentication. This property is used only if you specified ldap as the authentication mechanism.

Enter the LDAP host name, port number, and optionally a search base in the following format:

ldap://host:port[/search-base]

For example:

ldap://localhost:389/cn=group1,ou=groups,ou=system

If you specify this property, an additional authentication step is done after a user's credentials are authenticated against the LDAP repository. It checks that the authenticated user is also a member of the specified group before access is permitted.
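
The two LDAP properties and the authentication sequence just described (resolve the DN, bind with it, then optionally check group membership) are modelled below. This is an added example written for this page, not IBM code, and it talks to an in-memory stand-in for the LDAP server rather than a real one. The URL grammar ldap://host:port[/search-base] and the example values come from this page; the directory entries, the attribute names mail and member, the plaintext password comparison that stands in for the server's bind, the reading of the group URL's search base as the group's DN, and the function names are assumptions.

```python
"""Model of the dashboard.auth.ldap.url / dashboard.auth.ldap.url.group flow.

Added example, not IBM code. The URL form ldap://host:port[/search-base]
comes from the documentation; the in-memory directory, the attribute
names (mail, member) and the function names are constructed assumptions.
"""
import re

# host:port are mandatory, the search base after "/" is optional.
LDAP_URL = re.compile(r"^ldap://(?P<host>[^/:]+):(?P<port>\d{1,5})(?:/(?P<base>.+))?$")


def parse_ldap_url(url):
    """Split a dashboard.auth.ldap.url[.group] value into host, port, base."""
    m = LDAP_URL.match(url.strip())
    if not m:
        raise ValueError(f"not in ldap://host:port[/search-base] form: {url!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {"host": m.group("host"), "port": port, "base": m.group("base") or ""}


# Constructed stand-in for the LDAP server: DN -> attributes.  Two entries
# share one mail address so the "unique entry" rule can be exercised.
DIRECTORY = {
    "uid=alice,ou=system": {"mail": ["alice@example.com"], "userPassword": "alice-pw"},
    "uid=bob,ou=system": {"mail": ["bob@example.com"], "userPassword": "bob-pw"},
    "uid=bob2,ou=people,dc=example": {"mail": ["bob@example.com"], "userPassword": "x"},
    "cn=group1,ou=groups,ou=system": {"member": ["uid=alice,ou=system"]},
}


def resolve_dn(user_input, base):
    """An email address is searched for under the base and must match exactly
    one entry; any other value is handed to the server unchanged."""
    if "@" not in user_input:
        return user_input
    suffix = "," + base if base else ""
    matches = [
        dn for dn, attrs in DIRECTORY.items()
        if (not base or dn.endswith(suffix))
        and user_input.lower() in [m.lower() for m in attrs.get("mail", [])]
    ]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} entries match {user_input!r}; exactly one is required")
    return matches[0]


def simple_bind(dn, password):
    """Stand-in for the LDAP simple bind (assumption: plaintext compare)."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def is_member(dn, group_dn):
    """True when the group's member attribute lists the user's DN."""
    return dn in DIRECTORY.get(group_dn, {}).get("member", [])


def authenticate(user_input, password, ldap_url, group_url=None):
    """Resolve the DN, bind, then apply the optional group check.
    Assumption: the search base of the group URL is the group's DN."""
    user_cfg = parse_ldap_url(ldap_url)
    dn = resolve_dn(user_input, user_cfg["base"])
    if not simple_bind(dn, password):
        return False
    if group_url:
        group_cfg = parse_ldap_url(group_url)
        if not is_member(dn, group_cfg["base"]):
            return False  # authenticated, but not in the required group
    return True


if __name__ == "__main__":
    user_url = "ldap://localhost:10389/ou=system"
    group_url = "ldap://localhost:389/cn=group1,ou=groups,ou=system"
    print(parse_ldap_url(user_url))
    print("alice:", authenticate("alice@example.com", "alice-pw", user_url, group_url))
    print("bob:", authenticate("uid=bob,ou=system", "bob-pw", user_url, group_url))
```

Two behaviours of the model are worth noting. A search base on dashboard.auth.ldap.url narrows the email lookup, which is what makes the "unique entry" requirement hold when the same address appears in several parts of the tree; without a base the lookup in the sample fails rather than picking one of two matches. And once dashboard.auth.ldap.url.group is set, a user who binds successfully but is not listed in the group is refused, so the group URL acts as an allow-list on top of the credential check.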

You can also configure these properties in the IBM® Security Verify Directory Integrator Dashboard graphical user interface. In the Dashboard window, click Actions > Show Server Details > Security and Connection. For more information, see the IBM® Security Verify Directory Integrator documentation and search for configuring Dashboard security settings.

dashboard.auth.max.age

Defines the maximum duration of an authenticated session in seconds. The default value is 1800 seconds. This parameter can be configured only in the properties file; it is not available in the Dashboard graphical user interface.