Security custom properties
To view or set custom properties, you can use the administrative console. Click New to add a new custom property and its associated value. The custom properties in this topic are set in the administrative console through the path listed above unless otherwise stated in the description.
- com.ibm.audit.report.granularity
- com.ibm.audit.terse.form.login
- com.ibm.audit.terse.form.logout
- com.ibm.audit.terse.progname
- com.ibm.CSI.disablePropagationCallerList
- com.ibm.CSI.propagateFirstCallerOnly
- com.ibm.CSI.rmiInboundLoginConfig
- com.ibm.CSI.rmiInboundMappingConfig
- com.ibm.CSI.rmiInboundMappingEnabled
- com.ibm.CSI.rmiOutboundLoginConfig
- com.ibm.CSI.rmiOutboundMappingEnabled
- com.ibm.CSI.supportedTargetRealms
- com.ibm.security.multiDomain.setNamingReadUnprotected
- com.ibm.security.useFIPS
- com.ibm.websphere.certpath.disabledAlgorithms
- com.ibm.websphere.crypto.config.certexp.notify.emailSubject
- com.ibm.websphere.crypto.config.certexp.notify.fromAddress
- com.ibm.websphere.crypto.config.certexp.notify.textEncoding
- com.ibm.websphere.lookupRegistryOnProcess
- com.ibm.websphere.security.addPartitionedAttributeToCookie
- com.ibm.websphere.security.addSameSiteAttributeToCookie
- com.ibm.websphere.security.addSANToSSLCertificate
- com.ibm.websphere.security.allow.committed.response
- com.ibm.websphere.security.allowAnyLogoutExitPageHost
- com.ibm.websphere.security.alwaysRestoreOriginalURL
- com.ibm.websphere.security.audit.includeHostName
- com.ibm.websphere.security.auth.setDRSBootstrap
- com.ibm.websphere.security.cert.authCache.lookup
- com.ibm.websphere.security.config.client.init
- com.ibm.websphere.security.config.inherit.trustedRealms
- com.ibm.websphere.security.console.noSSLTreePortEndpoints
- com.ibm.websphere.security.continueAfterTAIError
- com.ibm.websphere.security.customLTPACookieName
- com.ibm.websphere.security.customSSOCookieName
- com.ibm.websphere.security.DeferTAItoSSO
- com.ibm.websphere.security.disableRemovingUnusedLTPACookie
- com.ibm.websphere.security.displayRealm
- com.ibm.websphere.security.disableGetTokenFromMBean
- com.ibm.websphere.security.dumpJaasConfig
- com.ibm.websphere.security.enableAuditForIsCallerInRole
- com.ibm.websphere.security.goToLoginPageWhenTAIUserNotFound
- com.ibm.websphere.security.initializeRSAProperties
- com.ibm.websphere.security.InvokeTAIbeforeSSO
- com.ibm.websphere.security.ior.hostName
- com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain
- com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal
- com.ibm.websphere.security.krb.canonical_host
- com.ibm.websphere.security.krb.s4U2proxyEnabled
- com.ibm.websphere.security.krb.s4U2selfEnabled
- com.ibm.websphere.security.krb.useKrbAuthnTokenAltUniqueId
- com.ibm.websphere.security.ldap.logicRealm
- com.ibm.websphere.security.ldap.suppressICH31005I
- com.ibm.websphere.security.ldapSSLConnectionTimeout
- com.ibm.websphere.security.logoutExitPageDomainList
- com.ibm.websphere.security.ltpa.disableSECJ0371W
- com.ibm.websphere.security.notification.useWebSphereMailSession
- com.ibm.websphere.security.performTAIForUnprotectedURI
- com.ibm.websphere.security.platform.cache.eviction
- com.ibm.websphere.security.ReceiveCertificate
- com.ibm.websphere.security.recoverContextWithNewKeys
- com.ibm.websphere.security.rsaCertificateAliasCache
- com.ibm.websphere.security.setKrbAuthnToken.if.cacheHit
- com.ibm.websphere.security.setContextRootForFormLogin
- com.ibm.websphere.security.skip.save.deleted.certs
- com.ibm.websphere.security.spnego.includeCustomCacheKeyInSubject
- com.ibm.websphere.security.spnego.useBuiltInMappingToSAF
- com.ibm.websphere.security.strictCredentialExpirationCheck
- com.ibm.websphere.security.tokenFromMBeanSoapTimeout
- com.ibm.websphere.security.useActiveRegistryForNewDefaultSSOTokens
- com.ibm.websphere.security.useLoggedSecurityName
- com.ibm.websphere.security.useOnlyCustomCookieName
- com.ibm.websphere.security.util.authCacheEnabled
- com.ibm.websphere.security.util.csiv2SessionCacheIdleTime
- com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled
- com.ibm.websphere.security.util.csiv2SessionCacheMaxSize
- com.ibm.websphere.security.util.postParamMaxCookieSize
- com.ibm.websphere.security.util.postParamSaveMethod
- com.ibm.websphere.security.web.removeCacheOnFormLogout
- com.ibm.websphere.security.web.setLTPATokenCookieToUnprotectedURI
- com.ibm.websphere.security.webAlwaysLogin
- com.ibm.websphere.ssl.ignore.jvm.keystores
- com.ibm.websphere.ssl.include.ECCiphers
- com.ibm.websphere.ssl.retrieveLeafCert
- com.ibm.websphere.tls.disabledAlgorithms
- com.ibm.ws.security.addHttpOnlyAttributeToCookies
- com.ibm.ws.security.allowNonAdminToSecurityXML
- com.ibm.ws.security.config.SupportORBConfig
- com.ibm.ws.security.createTokenSubjectForAsynchLogin
- com.ibm.ws.security.defaultLoginConfig
- com.ibm.ws.security.failSSODuringCushion
- com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA
- com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA
- com.ibm.ws.security.spnego.useHttpFilterClass2
- com.ibm.ws.security.ssoInteropModeEnabled
- com.ibm.ws.security.web.saml.disableDecodeURL
- com.ibm.ws.security.unprotectedUserRegistryMethods
- com.ibm.ws.security.webChallengeIfCustomSubjectNotFound
- com.ibm.ws.security.webInboundLoginConfig
- com.ibm.ws.security.webInboundPropagationEnabled
- com.ibm.ws.security.web.logoutOnHTTPSessionExpire
- com.ibm.ws.security.WSSecureMapInitAtStartup
- com.ibm.ws.security.WSSecureMapSize
- com.ibm.wsspi.security.cred.refreshGroups
- com.ibm.wsspi.security.cred.verifyUser
- com.ibm.wsspi.security.ltpa.tokenFactory
- com.ibm.wsspi.security.token.authenticationTokenFactory
- com.ibm.wsspi.security.token.authorizationTokenFactory
- com.ibm.wsspi.security.token.propagationTokenFactory
- com.ibm.wsspi.security.token.singleSignonTokenFactory
- com.ibm.wsspi.wssecurity.kerberos.failAuthForExpiredKerberosToken
- security.allowCustomHTTPMethods
- security.enablePluggableAuthentication
- security.registry.ldap.compoundRDNParsingEnable
- security.useDefaultPolicyWhenJ2SDisabled
- WAS_customUserMappingImpl
- com.ibm.websphere.security.useAllSSLClientAuthKeytypes
com.ibm.audit.report.granularity
Use this property to specify how much auditing data is recorded for each event type. If you only need to record basic information about an event, such as who did what action to what resource and when, setting this property to high might improve your application server performance.
You can specify values of high, medium, or low for this property. The default value is low.
Event type | high setting | medium setting | low setting |
---|---|---|---|
SessionContext | sessionId | sessionId, remoteHost | sessionId, remoteHost, remoteAddr, remotePort |
PropagationContext (reported only if SAP is enabled) | firstCaller (as part of the who) | firstCaller, and if verbose mode is enabled, the callerList | firstCaller, and if verbose mode is enabled, the callerList |
RegistryContext | nothing is recorded | registry type | registry type |
ProcessContext | nothing is recorded | realm | realm, and domain if verbose is enabled |
EventContext | creationTime | creationTime, globalInstanceId | creationTime, globalInstanceId, eventTrailId, and lastTrailId if verbose mode is enabled |
DelegationContext | identityName | delegationType, and identityName | delegationType, roleName, and identityName |
AuthnContext | nothing is recorded | authn type | authn type |
ProviderContext | nothing is recorded | provider | provider, and providerStatus |
AuthnMappingContext | mappedUserName | mappedUserName, and mappedSecurityRealm | mappedUserName, mappedSecurityRealm, and mappedSecurityDomain |
AuthnTermContext | terminateReason | terminateReason | terminateReason |
AccessContext | progName, action, appUserName, and resourceName | progName, action, appUserName, resourceName, registryUserName, and accessDecision | progName, action, appUserName, resourceName, registryUserName, accessDecision, resourceType, permissionsChecked, permissionsGranted, rolesChecked, and rolesGranted |
PolicyContext | nothing is recorded | policyName | policyName, and policyType |
KeyContext | keyLabel | keyLabel, and keyLocation | keyLabel, keyLocation, and certificateLifetime |
MgmtContext | nothing is recorded | mgmtType, and mgmtCommand | mgmtType, mgmtCommand, and targetInfoAttributes |
com.ibm.audit.terse.form.login
This property enables the SECURITY_FORM_LOGIN security audit event. Specify the outcomes to be included in this audit event in the value parameter.
In version 8.5.5.21 and later, the com.ibm.audit.terse.form.login property enables the SECURITY_FORM_LOGIN, SECURITY_KERBEROS_LOGIN, and SECURITY_SPNEGO_LOGIN audit events. Specify the outcomes to be included in these audit events in the value parameter. When this property is added to the audit.xml file, web logins to environments where Kerberos or SPNEGO is configured produce a minimum amount of audit data.
This property must be manually specified in an audit.xml file and is not configurable through the administrative console or scripting. For more information, see Terse audit record custom properties.
Information | Value |
---|---|
Default | none |
Type | a space-delimited list of valid outcomes |
com.ibm.audit.terse.form.logout
This property enables the SECURITY_FORM_LOGOUT security audit event. Specify the outcomes to be included in this audit event in the value parameter.
In version 8.5.5.21 and later, the com.ibm.audit.terse.form.logout property enables the SECURITY_FORM_LOGOUT, SECURITY_KERBEROS_LOGOUT, and SECURITY_SPNEGO_LOGOUT audit events. Specify the outcomes to be included in these audit events in the value parameter. When this property is added to the audit.xml file, web logouts from environments where Kerberos or SPNEGO is configured produce a minimum amount of audit data.
This property must be manually specified in an audit.xml file and is not configurable through the administrative console or scripting. For more information, see Terse audit record custom properties.
Information | Value |
---|---|
Default | none |
Type | a space-delimited list of valid outcomes |
com.ibm.audit.terse.progname
When this property is set to true, the name of the application that is being logged in to and out of is included in the terse audit record. Valid values are true or false. By default, the application name is not included in the terse audit record.
This property must be manually specified in an audit.xml file and is not configurable through the administrative console or scripting. For more information, see Terse audit record custom properties.
Information | Value |
---|---|
Default | false |
Type | Boolean |
com.ibm.CSI.disablePropagationCallerList
This property disables the caller list and does not allow the caller list to change. This property prevents the creation of multiple sessions.
If the com.ibm.CSI.propagateFirstCallerOnly custom property is set to true, that setting takes precedence over the setting for this property.
Information | Value |
---|---|
Default | false |
com.ibm.CSI.propagateFirstCallerOnly
This property limits the caller list to the first caller only, which means the caller list cannot change. Setting this property to true eliminates the potential for the creation of multiple session entries.
This property logs the first caller in the propagation token that stays on the thread when security attribute propagation is enabled. Without setting this property, all caller switches get logged, which affects performance. Typically, only the first caller is of interest.
If the com.ibm.CSI.disablePropagationCallerList custom property is set to true, that setting takes precedence over the setting for this property.
Information | Value |
---|---|
Default | true |
The default value of the com.ibm.CSI.propagateFirstCallerOnly security custom property is true. When this custom property is set to true, the first caller in the propagation token that stays on the thread is logged when security attribute propagation is enabled. When this property is set to false, all of the caller switches are logged, which can affect performance.
com.ibm.CSI.rmiInboundLoginConfig
This property specifies the Java Authentication and Authorization Service (JAAS) login configuration that is used for Remote Method Invocation (RMI) requests that are received inbound.
By knowing the login configuration, you can plug in a custom login module that can handle specific cases for RMI logins.
Information | Value |
---|---|
Default | system.RMI_INBOUND |
com.ibm.CSI.rmiInboundMappingConfig
This property defines the system JAAS login configuration that is used to perform application specific principal mapping.
Information | Value |
---|---|
Default | None |
com.ibm.CSI.rmiInboundMappingEnabled
This property, when set to true, enables the application specific principal mapping capability.
Information | Value |
---|---|
Default | false |
com.ibm.CSI.rmiOutboundLoginConfig
This property specifies the JAAS login configuration that is used for RMI requests that are sent outbound.
Primarily, this property prepares the propagated attributes in the Subject to be sent to the target server. However, you can plug in a custom login module to perform outbound mapping.
Information | Value |
---|---|
Default | system.RMI_OUTBOUND |
com.ibm.CSI.rmiOutboundMappingEnabled
This property, when set to true, enables the original caller subject embedded in the WSSubjectWrapper object to be restored.
Information | Value |
---|---|
Default | false |
com.ibm.CSI.supportedTargetRealms
This property enables credentials that are authenticated in the current realm to be sent to any realm that is specified in the Trusted target realms field. The Trusted target realms field is available on the CSIv2 outbound authentication panel. This property enables those realms to perform inbound mapping of the data from the current realm.
- Click .
- Under RMI/IIOP security, click CSIv2 outbound authentication.
com.ibm.security.multiDomain.setNamingReadUnprotected
This property can be set to true if you want the CosNamingRead role to protect all naming read operations. Setting this property to true is the equivalent of assigning the CosNamingRead role the Everyone special subject. When this property is set, any assignments made to the CosNamingRead role are ignored.
Information | Value |
---|---|
Default | none |
com.ibm.security.useFIPS
Specifies that Federal Information Processing Standard (FIPS) algorithms are used. The application server uses the IBMJCEFIPS cryptographic provider instead of the IBMJCE cryptographic provider.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.certpath.disabledAlgorithms
This property is used to customize how the server sets the jdk.certpath.disabledAlgorithms Java security property.
WebSphere Application Server sets the Java security property jdk.certpath.disabledAlgorithms to disable algorithms that can be used in certificate path validation.
To prevent the custom property from setting jdk.certpath.disabledAlgorithms, set the value to none.
To set jdk.certpath.disabledAlgorithms to a particular set of algorithms, set the security custom property com.ibm.websphere.certpath.disabledAlgorithms to a comma-separated list of algorithms.
Information | Value |
---|---|
Default | MD2, RSA keySize < 1024, MD5 |
Default | MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224 |
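The value of this property uses the jdk.certpath.disabledAlgorithms syntax: comma-separated entries, each an algorithm name optionally followed by sub-constraints such as keySize, jdkCA and usage joined with &. The following added example (not WebSphere code and not from IBM) parses a value in that syntax and evaluates it against a description of a certificate, so an administrator can predict which certificates the configured list rejects before deploying it. The CertFacts and Constraint types, the effective_list helper and the sample inputs are this example's own constructions; the sample list is the second default value quoted above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Comparison operators accepted in a "keySize <op> N" sub-constraint.
_OPS: Dict[str, Callable[[int, int], bool]] = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


@dataclass
class Constraint:
    """One comma-separated entry of jdk.certpath.disabledAlgorithms."""
    algorithm: str                                   # "MD5", "SHA1", "RSA", "EC", ...
    key_op: Optional[str] = None                     # operator of "keySize <op> N", if any
    key_bits: Optional[int] = None
    jdk_ca_only: bool = False                        # "jdkCA": chains anchored in the JDK cacerts store only
    usages: List[str] = field(default_factory=list)  # "usage TLSServer ...": listed usages only

    def describe(self) -> str:
        subs = []
        if self.key_op:
            subs.append(f"keySize {self.key_op} {self.key_bits}")
        if self.jdk_ca_only:
            subs.append("jdkCA")
        if self.usages:
            subs.append("usage " + " ".join(self.usages))
        return self.algorithm if not subs else self.algorithm + " " + " & ".join(subs)


@dataclass
class CertFacts:
    """Facts about a certificate that the constraints are evaluated against (constructed input)."""
    sig_hash: str               # hash half of the signature algorithm, e.g. "SHA1" for SHA1withRSA
    key_alg: str                # public key algorithm, e.g. "RSA", "DSA", "EC"
    key_bits: int
    jdk_ca_anchored: bool = False
    usage: str = ""             # "TLSServer", "TLSClient", ... or "" when unknown


def _apply_subconstraint(c: Constraint, tokens: List[str]) -> None:
    if not tokens:
        return
    kind = tokens[0].lower()
    if kind == "keysize" and len(tokens) == 3 and tokens[1] in _OPS:
        c.key_op, c.key_bits = tokens[1], int(tokens[2])
    elif kind == "jdkca" and len(tokens) == 1:
        c.jdk_ca_only = True
    elif kind == "usage" and len(tokens) >= 2:
        c.usages = tokens[1:]
    else:  # refuse to silently ignore syntax this example does not model
        raise ValueError("unsupported constraint: " + " ".join(tokens))


def parse_disabled_algorithms(value: str) -> List[Constraint]:
    """Parse the comma-separated list; sub-constraints of one entry are joined with '&'."""
    constraints: List[Constraint] = []
    for entry in value.split(","):
        if not entry.strip():
            continue
        parts = [p.split() for p in entry.split("&")]
        c = Constraint(algorithm=parts[0][0])
        _apply_subconstraint(c, parts[0][1:])
        for part in parts[1:]:
            _apply_subconstraint(c, part)
        constraints.append(c)
    return constraints


def effective_list(custom_value: Optional[str], websphere_default: str, jdk_value: str) -> str:
    """Which string ends up in jdk.certpath.disabledAlgorithms, following the description above:
    property unset -> WebSphere's own default; 'none' -> the JDK value is left alone;
    anything else -> the custom value."""
    if custom_value is None:
        return websphere_default
    if custom_value.strip().lower() == "none":
        return jdk_value
    return custom_value


def violates(c: Constraint, cert: CertFacts) -> bool:
    name = c.algorithm.upper()
    hits_key = name == cert.key_alg.upper()
    hits_hash = name == cert.sig_hash.upper()
    if not (hits_key or hits_hash):
        return False
    # keySize constrains the public key, so it only matters when the name matched the key algorithm
    if c.key_op is not None and not (hits_key and _OPS[c.key_op](cert.key_bits, c.key_bits)):
        return False
    if c.jdk_ca_only and not cert.jdk_ca_anchored:
        return False
    if c.usages and cert.usage.lower() not in [u.lower() for u in c.usages]:
        return False
    return True


def disabled_by(constraints: List[Constraint], cert: CertFacts) -> List[str]:
    """Return the entries that would make certificate path validation reject this certificate."""
    return [c.describe() for c in constraints if violates(c, cert)]


# Constructed sample: the second default value quoted above.
WEBSPHERE_DEFAULT = ("MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, "
                     "DSA keySize < 1024, EC keySize < 224")

if __name__ == "__main__":
    rules = parse_disabled_algorithms(WEBSPHERE_DEFAULT)
    for cert in (CertFacts("SHA256", "RSA", 2048),
                 CertFacts("SHA1", "RSA", 2048, jdk_ca_anchored=True, usage="TLSServer"),
                 CertFacts("SHA256", "EC", 192)):
        print(cert, "->", disabled_by(rules, cert) or "accepted")
```

Note that the SHA1 entry in the default value is conditional: a SHA1-signed server certificate is rejected only when its chain ends in a JDK trust anchor and it is used as a TLS server certificate, which is why the evaluation carries the jdkCA and usage facts separately from the key size.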
com.ibm.websphere.crypto.config.certexp.notify.emailSubject
This security property is used to customize the subject line of a notification email for certificate expiration.
The value that you assign to this property is a custom email subject line, such as North America Certification Monitor Notification. To enhance detail, particularly in environments with multiple cells or management scopes, you can append _addManagementScope to your chosen email subject value. For example, you can set the email subject line as North America Certification Monitor Notification_addManagementScope to use the additional management scope information.
The _addManagementScope is the only suffix to be used with this property. This suffix is not just a label but functional, adding cell and node information to the subject line of the email. For example, if set as North America Certification Monitor Notification_addManagementScope, the email subject line might read as North America Certification Monitor Notification - node:IBM-PF3SQ87FNode01. This inclusion provides a higher level of detail and is especially useful for distinguishing different management scopes in the notification.
On a single server, the _addManagementScope suffix includes only the node information.
The default value for this property is a placeholder, intended to be replaced with a custom email subject line, with or without the _addManagementScope suffix.
com.ibm.websphere.crypto.config.certexp.notify.fromAddress
This security property is used to customize the from address of the certificate expiration notification email.
The value you assign to this property should be an internet address, such as Notification@abc-company.com. If this property is not set, the application server uses the email fromAddress: WebSphereNotification@ibm.com.
Information | Value |
---|---|
Default | None |
com.ibm.websphere.crypto.config.certexp.notify.textEncoding
This security property is used to customize the text encoding character set for certificate expiration notification email.
WebSphere Application Server sends notification email for certificate expiration in either US-English or the machine default character set (if non-English locale is specified). If you want a different text encoding character set for the certificate expiration notification email, you can use this property to customize the text encoding character set.
Information | Value |
---|---|
Default | None |
com.ibm.websphere.lookupRegistryOnProcess
This property can be set when realm registry lookups are performed using an MBean on a remote server, and the realm is local OS security.
By default, the user registry tasks listRegistryUsers and listRegistryGroups perform lookups from the current process. In the case of Network Deployment (ND), that is the deployment manager.
When dealing with a local OS user registry, lookup should occur on the actual server where the registry resides. In an ND environment, the server could be a remote machine. To perform a lookup on the server process where the registry resides, set the com.ibm.websphere.lookupRegistryOnProcess custom property to true.
If com.ibm.websphere.lookupRegistryOnProcess is not set, or set to false, then the lookup is performed on the current process. The custom property can be set using the setAdminActiveSecuritySettings task for global security or the setAppActiveSecuritySettings task for a security domain.
com.ibm.websphere.security.addPartitionedAttributeToCookie
Use this property to add the Partitioned attribute to the LTPA and TAI cookies. The trust association interceptors (TAIs) that write cookies and the OAuth provider accept the value of this security property. The TAIs include OpenID Connect (OIDC), OpenID, and SAML web SSO.
A true value for this property specifies that the Partitioned attribute is added to the cookie if the SameSite attribute on the cookie is set to None.
This property is browser-dependent. For more information, see the list of supported browsers.
Information | Value |
---|---|
Data type | Boolean |
Default | not set |
com.ibm.websphere.security.addSameSiteAttributeToCookie
Use this property to specify the SameSite attribute value for the single sign-on (SSO) associated with a Lightweight Third Party Authentication (LTPA) cookie. The trust association interceptors (TAIs) that write cookies and the OAuth provider accept the value of this core security property. The TAIs include OpenID Connect (OIDC), OpenID, and SAML.
Value | Information |
---|---|
Lax | Specify this value to send an LTPA cookie that is associated with SSO for cross-site requests that use a safe HTTP method and for same-site requests. |
Strict | Specify this value to send an LTPA cookie that is associated with SSO for same-site requests only. |
None | Specify this value to send an LTPA cookie that is associated with SSO for same-site requests and cross-site requests. |
Information | Value |
---|---|
Default | unset |
Type | string |
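The two cookie properties above (com.ibm.websphere.security.addPartitionedAttributeToCookie and com.ibm.websphere.security.addSameSiteAttributeToCookie) only change the attributes the server writes on the LTPA cookie; whether the result is what you intended is visible in the Set-Cookie headers of a login response. The following added example (not WebSphere code and not from IBM) parses captured Set-Cookie headers and reports the checks a reviewer would make: SameSite present with a valid value, Partitioned only together with SameSite=None as the description above states, Secure present whenever SameSite=None or Partitioned is used (browsers reject those combinations without Secure), and HttpOnly present. The header sample is constructed and the token values are placeholders; the set of SSO cookie names is a parameter so that a deployment using custom LTPA cookie names can pass its own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Default LTPA cookie names named on this page; a deployment that uses
# customLTPACookieName / customSSOCookieName passes its own names instead.
DEFAULT_SSO_COOKIE_NAMES: Set[str] = {"LtpaToken", "LtpaToken2"}


@dataclass
class CookieFinding:
    name: str
    attributes: Dict[str, str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=Val' into the cookie name and a lower-cased attribute map.
    Flag attributes (Secure, HttpOnly, Partitioned) map to an empty string."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_sso_cookie(header_value: str,
                     sso_names: Set[str] = DEFAULT_SSO_COOKIE_NAMES) -> Optional[CookieFinding]:
    """Return findings for an SSO cookie, or None when the header sets some other cookie."""
    name, attrs = parse_set_cookie(header_value)
    if name not in sso_names:
        return None
    finding = CookieFinding(name, attrs)
    samesite = attrs.get("samesite", "").lower()
    if "samesite" not in attrs:
        finding.problems.append("no SameSite attribute (addSameSiteAttributeToCookie not set)")
    elif samesite not in ("lax", "strict", "none"):
        finding.problems.append(f"unexpected SameSite value {attrs['samesite']!r}")
    # Browsers only accept SameSite=None on cookies that are also Secure.
    if samesite == "none" and "secure" not in attrs:
        finding.problems.append("SameSite=None requires the Secure attribute")
    if "partitioned" in attrs:
        # The page adds Partitioned only with SameSite=None; partitioned cookies must also be Secure.
        if samesite != "none":
            finding.problems.append("Partitioned attribute only applies when SameSite=None")
        if "secure" not in attrs:
            finding.problems.append("Partitioned requires the Secure attribute")
    if "httponly" not in attrs:
        finding.problems.append("no HttpOnly attribute")
    return finding


def audit_response_headers(headers: List[Tuple[str, str]],
                           sso_names: Set[str] = DEFAULT_SSO_COOKIE_NAMES) -> List[CookieFinding]:
    """Run audit_sso_cookie over every Set-Cookie header of a captured response."""
    findings: List[CookieFinding] = []
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        finding = audit_sso_cookie(value, sso_names)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample response headers; the token values are placeholders, not real LTPA tokens.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "LtpaToken2=AAAAconstructed; Path=/; Secure; HttpOnly; SameSite=None; Partitioned"),
    ("Set-Cookie", "LtpaToken2=AAAAconstructed; Path=/; HttpOnly; SameSite=None"),
    ("Set-Cookie", "LtpaToken2=AAAAconstructed; Path=/; Secure; HttpOnly; SameSite=Lax; Partitioned"),
    ("Set-Cookie", "JSESSIONID=0000constructed; Path=/; HttpOnly"),
    ("Set-Cookie", "LtpaToken=AAAAconstructed; Path=/; Secure"),
]

if __name__ == "__main__":
    for f in audit_response_headers(SAMPLE_HEADERS):
        print(f.name, "->", f.problems or "ok")
```

Run it against headers captured from a test login to the server after changing either property; a cookie that reports "ok" carries the attribute combination the description above promises, and each problem line names the property or browser rule that was missed.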
com.ibm.websphere.security.addSANToSSLCertificate
When this custom property is enabled, all certificates that are generated by the product automatically include default Subject Alternate Names (SAN) elements.
Information | Value |
---|---|
 | "user@domain" |
Domain name | Certificate_Subject_DN_Name |
URL | http://Certificate_Subject_DN_Name |
IP address | 127.0.0.1 |
Information | Value |
---|---|
Default | false |
Type | string |
com.ibm.websphere.security.allow.committed.response
This custom property specifies whether committed HTTP responses are allowed.
When the application server detects a committed HTTP response, it displays a generic 403 error message. Set this property to true to allow committed HTTP responses and suppress 403 error messages. In configurations that use custom login modules, the module can commit an HTTP response to display a custom error message.
The default value is false.
com.ibm.websphere.security.allowAnyLogoutExitPageHost
When you are using application form login and logout you can provide a URL for a custom logout page. By default, the URL must point to the host to which the request is made or to its domain. If this is not done, then a generic logout page is displayed rather than the custom logout page. If you want to be able to point to any host, then you need to set this property in the security.xml file to a value of true.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.alwaysRestoreOriginalURL
Use this property to indicate whether a cookie with the value WASReqURL is honored when the custom form login processor is used.
When this property is set to true, the value of WASReqURL takes precedence over the current URL, and the WASReqURL cookie is removed from subsequent requests.
When this property is set to false, the value of the current URL takes precedence, and the WASReqURL cookie is not removed from subsequent requests.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.audit.includeHostName
This property specifies whether audit records include hostname information. When audit records include remote hostname information, a DNS lookup is required. If DNS lookup is slow, it can take a long time for the server to write audit records. When this property is set to false, audit records include the IP address of the remote host but do not include the remote hostname information.
Information | Value |
---|---|
Default | true |
com.ibm.websphere.security.auth.setDRSBootstrap
Specifies whether the data replication service (DRS) enables the DRSbootstrap function.
In high volume environments, dynamic cache data replication might increase the amount of time that it takes a server to start. If you experience slow server startups because of data replication, add this property to your server security settings and set it to false. When this property is set to false, the data replication service disables the DRSbootstrap function.
True is the default setting for this property.
com.ibm.websphere.security.cert.authCache.lookup
Specifies an option to look up the authentication cache more extensively for certificate login.
The default setting for this property is false.
com.ibm.websphere.security.config.client.init
This custom property enables WebSphere to read the sas.client.props file at the very beginning of the Java client startup instead of at the time of ORB initialization.
When com.ibm.websphere.security.config.client.init is set to true, WebSphere reads the sas.client.props file at the very beginning of the Java client startup. When it is set to false (the default), WebSphere reads the sas.client.props file at the time of ORB initialization.
When a client program is invoked with WebSphere v7 and later, the security configuration specified in the sas.client.props file is loaded when the ORB is initialized. Before the sas.client.props file is loaded, the default security configuration is applied and enforces security. This may cause an unexpected failure.
To avoid this failure, set com.ibm.CORBA.securityEnabled=false and specify both of the following custom properties:
-Dcom.ibm.websphere.security.config.client.init=true
along with
-Dcom.ibm.CORBA.ConfigURL="file:c:/xxx/sas.client.props"
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.config.inherit.trustedRealms
This property is used to inherit the global trusted realm settings from the global security configuration in the domain.
Security configuration trusted inbound and outbound realms are not inherited by default. However, there are some cases where the configuration might want to use (inherit) the settings from the global security configuration in the domain.
The value of this property can be either true or false.
com.ibm.websphere.security.console.noSSLTreePortEndpoints
This property is used to improve the response time for large topology configurations.
When this property is set to true the status of the SSL port endpoints does not display on the Manage endpoint security configurations page in the administrative console. Displaying the status of the SSL port endpoints sometimes makes the administrative console seem like it is no longer functioning because of a longer than expected response time.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.continueAfterTAIError
This property automatically directs you to a login page if a custom TAI returns an error.
You do not have to type in a URL in your browser to attempt a login again. The property must be set to true to enable this behavior.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.customLTPACookieName
This property is used to customize the name of the cookies used for Lightweight Third Party Authentication (LTPA) tokens.
WebSphere Application Server Version 8.0 enables you to customize the name of the cookies used for LTPA and LTPA2 tokens. Custom cookie names allow you to logically separate authentication between Single Sign-On (SSO) domains and to enable customized authentication to a particular environment.
To take advantage of this functionality, a custom property must be set. For LTPA tokens, the custom property com.ibm.websphere.security.customLTPACookieName can be set to any valid string (special characters and spaces are not permitted) for the LTPA token cookie, and com.ibm.websphere.security.customSSOCookieName for the LTPA2 (SSO) token cookie. Each property is case-sensitive.
The value for this property is a valid string.
- This property, as with most custom properties, can be set at the security domain level. In this manner, a separate login can be forced between an administrative console login and an application login.
- The original default LtpaToken or LtpaToken2 cookie names are accepted and trusted by WebSphere Application Server Version 8.0. This enables compatibility with products such as Lotus® Domino® and WebSphere Portal which both utilize the default cookie name.
- Setting a custom cookie name can cause an authentication failure. For example, a connection to a server that has a custom cookie property set sends this custom cookie to the browser. A subsequent connection to a server that uses either the default cookie name or a different cookie name is not able to authenticate the request via a validation of the inbound cookie.
- This property does not function properly in a mixed-cell environment. For example, a deployment manager in WebSphere Application Server Version 8.0 might be able to create custom cookies. However, a WebSphere Application Server Version 7.0 node or server existing in this same cell does not understand what to do with this cookie and subsequently rejects it.
- If you utilize a product interacting with WebSphere Application Server that generates LTPA tokens, such as Lotus Domino or WebSphere Portal, be aware that these products might not be able to handle custom LTPA cookie names. Please consult the documentation for your product regarding its handling of custom LTPA cookie names.
com.ibm.websphere.security.customSSOCookieName
This property is used to customize the name of the cookies used for Lightweight Third Party Authentication Version 2 (LTPA2) tokens.
WebSphere Application Server Version 8.0 enables you to customize the name of the cookies used for LTPA and LTPA2 tokens. Custom cookie names allow you to logically separate authentication between Single Sign-On (SSO) domains and to enable customized authentication to a particular environment.
To take advantage of this functionality, a custom property must be set. For LTPA tokens, the custom property com.ibm.websphere.security.customLTPACookieName can be set to any valid string (special characters and spaces are not permitted) for the LTPA token cookie, and com.ibm.websphere.security.customSSOCookieName for the LTPA2 (SSO) token cookie. Each property is case-sensitive.
The value for this property is a valid string.
- This property, as with most custom properties, can be set at the security domain level. In this manner, a separate login can be forced between an administrative console login and an application login.
- The original default LtpaToken or LtpaToken2 cookie names are accepted and trusted by WebSphere Application Server Version 8.0. This enables compatibility with products such as Lotus Domino and WebSphere Portal which both utilize the default cookie name.
- Setting a custom cookie name can cause an authentication failure. For example, a connection to a server that has a custom cookie property set sends this custom cookie to the browser. A subsequent connection to a server that uses either the default cookie name or a different cookie name is not able to authenticate the request via a validation of the inbound cookie.
- This property does not function properly in a mixed-cell environment. For example, a deployment manager in WebSphere Application Server Version 8.0 might be able to create custom cookies. However, a WebSphere Application Server Version 7.0 node or server existing in this same cell does not understand what to do with this cookie and subsequently rejects it.
- If you utilize a product interacting with WebSphere Application Server that generates LTPA tokens, such as Lotus Domino or WebSphere Portal, be aware that these products might not be able to handle custom LTPA cookie names. Please consult the documentation for your product regarding its handling of custom LTPA cookie names.
com.ibm.websphere.security.DeferTAItoSSO
This property specifies a comma-separated list of Trust Association Interceptors (TAIs) to invoke both before and after Single Sign On (SSO).
For this property to take action for a TAI class, the class must be specified in both the com.ibm.websphere.security.DeferTAItoSSO property and the com.ibm.websphere.security.InvokeTAIbeforeSSO property. The order of invocation of the TAIs within the list is not guaranteed.
Information | Value |
---|---|
Default | com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl |
Example value | com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor |
com.ibm.websphere.security.disableRemovingUnusedLTPACookie
This property specifies whether the server removes all LTPAToken cookies upon logout when the interoperability mode is disabled.
The server removes LTPAToken2 cookies only upon logout if the value is set to true and the interoperability mode is set to false. Otherwise, the server removes both LTPAToken and LTPAToken2 cookies.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.displayRealm
This property specifies what realm name the HTTP basic authentication login window displays when the application web.xml file does not define one.
- If the property is set to false, the WebSphere realm name display is Default Realm.
- If this property is set to true, the WebSphere realm name display is the user registry realm name for the LTPA authentication mechanism or the Kerberos realm name for the Kerberos authentication mechanism.
Information | Value |
---|---|
Default | false |
Type | string |
com.ibm.websphere.security.disableGetTokenFromMBean
Use this property to disable the outbound SOAP call to retrieve the subject from the originating server when Single Sign-On is enabled.
Typically, when Single Sign-On is enabled, and an inbound request needs to be authenticated, the receiving server attempts to retrieve the authentication from the originating server. The connection between the sending and receiving servers never times out during this callback process.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.dumpJaasConfig
Use this property to indicate whether to write Java Authentication and Authorization Service (JAAS) configuration information to the first failure data capture (FFDC) file.
Because the FFDC feature instantly collects information about events and conditions that might lead to a failure, sensitive JAAS configuration information can be written to the FFDC file.
To ensure that any sensitive JAAS configuration information is not written to the FFDC file, set the com.ibm.websphere.security.dumpJaasConfig property to false.
Information | Value |
---|---|
Default | true |
com.ibm.websphere.security.enableAuditForIsCallerInRole
Use this property to enable audit for the isCallerInRole method call.
If you set this property to false, it disables auditing for the invocation of isCallerInRole. In z/OS, SMF records are not issued for the invocation.
Information | Value |
---|---|
Default | true |
com.ibm.websphere.security.goToLoginPageWhenTAIUserNotFound
Use this property so that a login page, rather than an error page, is displayed when the user provided by a TAI is not found in the user registry.
By default (false), when the user provided by a TAI is not found in the user registry, WebSphere Application Server displays an error page. Set this property to true to display the login page instead.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.initializeRSAProperties
If high CPU utilization is observed in a Job Manager or Administrative Agent environment after the Certificate Expiration Monitor runs, nodes may need to be distributed across multiple servers to reduce the CPU load on one server.
If this property is set to false, WebSphere does not re-initialize the RSA token related SSL properties. Before setting this property to false, make sure that Job Manager and Administrative Agent are not used in your environment: these features require RSA tokens, so this property must not be set to false when they are in use.
Information | Value |
---|---|
Default | true |
com.ibm.websphere.security.InvokeTAIbeforeSSO
This property specifies a comma-separated list of Trust Association Interceptors (TAIs) to invoke before Single Sign On (SSO). By default, all TAIs are invoked after SSO. The order of invocation of the TAIs within the list is not guaranteed.
Information | Value |
---|---|
Default | N/A |
Type | string |
Example value | com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor |
com.ibm.websphere.security.ior.hostName
By default, the product uses an IP address in the IOR instead of a host name. An IOR is a CORBA or RMI-IIOP reference that uniquely identifies an object on a remote CORBA server. When the custom property is set to true, the product uses a host name in the IOR.
Information | Value |
---|---|
Default | false |
Type | Boolean |
com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain
By default, when JAAS authentication data entries are created at the domain security level, the alias name for the entry is in the format aliasName. You can enable the addition of the node name to the alias name, so that the alias name is in the format nodeName/aliasName, by setting this property to true at the domain security level.
You can set com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain=true at the global security level to enable the addition of the node name to the alias name of JAAS authentication data entries for all security domains.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal
By default, when JAAS authentication data entries are created at the global security level, the alias name for the entry is in the format nodeName/aliasName. You can disable the addition of the node name to the alias name for the entry by setting this property to true at the global security level.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.krb.canonical_host
This custom property specifies whether the application server uses the canonical form of the URL/HTTP host name in authenticating a client. This property can be used for both SPNEGO TAI and SPNEGO web authentication.
If you set this custom property to false, a Kerberos ticket can contain a host name that differs from the HTTP host name header, and the application server might issue the following message: CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
If you set this custom property to true, you can avoid this error message and allow the application server to authenticate using the canonical form of the URL/HTTP host name.
Information | Value |
---|---|
Default | true |
com.ibm.websphere.security.krb.s4U2proxyEnabled
This custom property specifies whether to enable constrained delegation for SPNEGO web authentication. This property enables WebSphere Application Server to obtain service tickets to trusted services on behalf of a user. When you set this custom property to true and enable delegation of Kerberos credentials for SPNEGO web authentication, WebSphere Application Server retrieves the client constrained delegation S4U2proxy credentials from the key distribution center (KDC). It then places it in the client subject during the SPNEGO web authentication process. The services are constrained by the KDC administrator.
You can specify values of true or false for this property. The default value is false.
The constrained delegation feature requires Java 8 and later.
com.ibm.websphere.security.krb.s4U2selfEnabled
This custom property specifies whether to enable constrained delegation for any authentication mechanism other than SPNEGO web authentication. This property enables WebSphere Application Server to obtain a service ticket to itself on behalf of a user. If you have a custom TAI to handle the authentication and need the client-constrained delegation S4U2self credential, set this custom property to true. Additionally, call the S4U2self API to retrieve the client-constrained delegation S4U2self credential from the KDC so that you can place it in the client subject.
You can specify values of true or false for this property. The default value is false.
The constrained delegation feature requires Java 8 and later.
com.ibm.websphere.security.krb.useKrbAuthnTokenAltUniqueId
This custom property specifies whether or not to add the Kerberos realm name to the uniqueId in the KRBAuthnToken in the Subject.
When you set this custom property to true, WebSphere Application Server adds the Kerberos realm name to the uniqueId in the KRBAuthnToken in the Subject. The custom property is useful to distinguish between users with the same user name but different Kerberos realms, such as "mytester@REALM1" and "mytester@REALM2".
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.ldap.logicRealm
This custom property enables you to change the name of the realm that is placed in the token.
This custom property enables you to configure each cell to have its own LDAP host for interoperability and backward compatibility. Also, it provides flexibility for adding or removing the LDAP host dynamically. If you are migrating a previous installation, this modified realm name does not take effect until administrative security is re-enabled. To be compatible with a previous release that does not support the logic realm, the name must be the same name that is used by the previous installation. You must use the LDAP host name, including a trailing colon and port number.
Information | Value |
---|---|
Type | String |
To set this property:
- Click Security > Global security.
- Under User account repository, expand the Available realm definitions list, select Standalone LDAP registry, and then click Configure.
- Under Custom properties, click New, and then enter com.ibm.websphere.security.ldap.logicRealm in the Name field and the new name of the realm that is placed in the token in the Value field.
- Select this custom property and then click Apply or OK.
com.ibm.websphere.security.ldap.suppressICH31005I
Set this property to true so that the application server handles a javax.naming.NamingException exception that is sent from a RACF-enabled LDAP server as an empty result.
In this situation, the LDAP server is on the z/OS operating system, but the application server can be on any supported operating system.
Depending on the RACF configuration for the LDAP server, the LDAP server returns a javax.naming.NamingException exception that embeds the ICH31005I RACF message. This message is returned as part of the exception when a user is not found for an LDAP user search. If this property is set to false, the result can trigger many SECJ0352E messages in the SystemOut.log file.
The default value is false.
com.ibm.websphere.security.ldapSSLConnectionTimeout
Use this property, when SSL is enabled on the LDAP server, to specify, in milliseconds, the maximum amount of time the Java Virtual Machine (JVM) waits for a socket connection before issuing a timeout.
If one or more standalone LDAP servers are offline when a server process starts, and LDAP-SSL is enabled, there might be a delay of up to three minutes in the startup procedure, even if you specify a value for the com.sun.jndi.ldap.connect.timeout custom property. When LDAP-SSL is enabled, any value specified for the com.sun.jndi.ldap.connect.timeout property is ignored.
When a value is specified for this property, the JVM tries to use this connection timeout value when attempting to complete a socket connection, instead of trying to establish a directory context. When no value is specified for this property, the JVM tries to establish a directory context.
There is no default value for this property.
com.ibm.websphere.security.logoutExitPageDomainList
When you are using application form login and logout, you can provide a URL for a custom logout page. By default, the URL must point to the host to which the request is made or to its domain. If this is not done, then a generic logout page is displayed rather than the custom logout page. If you need to point to a different host, then you can populate this property in the security.xml file with a pipe (|) separated list of URLs that are allowed for the logout page.
Information | Value |
---|---|
Default | none |
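The host check that the logout exit page rule describes, written out as an added example (this is not WebSphere's own code). It assumes the rule as stated on this page: the custom logout URL is honoured only when its host is the request host or lies within that host's domain, or when its host appears in the pipe-separated com.ibm.websphere.security.logoutExitPageDomainList value. The sample property value and the two-label approximation of a registrable domain are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample value for com.ibm.websphere.security.logoutExitPageDomainList:
# a pipe-separated list of URLs whose hosts may serve the custom logout page.
LOGOUT_EXIT_PAGE_DOMAIN_LIST = "https://sso.example.com/logout|https://portal.example.org"


def _host_of(url):
    """Lower-cased host of an absolute URL ('' if it has none). userinfo is dropped,
    so 'https://good.example.com@evil.net/' yields 'evil.net'."""
    return (urlsplit(url).hostname or "").lower()


def _same_site(host, request_host):
    """True if host equals the request host or lies under its registrable domain.
    Simplification (assumption): the registrable domain is the last two labels."""
    if host == request_host:
        return True
    labels = request_host.split(".")
    if len(labels) < 2:
        return False
    domain = ".".join(labels[-2:])
    return host == domain or host.endswith("." + domain)


def logout_exit_page_allowed(exit_url, request_host, domain_list=""):
    """Decide whether a requested logout exit page may be used instead of the generic page.

    Mirrors the rule described on this page: the URL must point to the request host or
    its domain, or to a host named in the pipe-separated property. Only the parsed host
    is compared, so substring tricks such as 'www.example.com.evil.net' do not match.
    """
    parts = urlsplit(exit_url)
    if not parts.scheme and not parts.netloc:
        # Relative path on the request host. A protocol-relative '//evil.net/' has a
        # netloc and falls through to the scheme check below, where it is rejected.
        return exit_url.startswith("/")
    if parts.scheme not in ("http", "https"):
        return False
    host = _host_of(exit_url)
    if not host:
        return False
    if _same_site(host, request_host.lower()):
        return True
    allowed = {_host_of(entry) for entry in domain_list.split("|") if entry.strip()}
    allowed.discard("")
    return host in allowed
```

The comparison is on the parsed host rather than on a string prefix of the URL, which is the difference between an allowlist and an open redirect: a logout URL of the form https://portal.example.org@evil.net/ is rejected because its host is evil.net, and a protocol-relative //evil.net/ is rejected because it carries no scheme.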
com.ibm.websphere.security.ltpa.disableSECJ0371W
Use this property to disable the logging of message SECJ0371W. Valid values are true or false. A value of true disables the logging of message SECJ0371W; a value of false enables it.
com.ibm.websphere.security.notification.useWebSphereMailSession
Set this custom property to true to allow the certificate expiration monitor to use a WebSphere Mail session resource. The Mail session must be configured before the certificate expiration monitor can use it; for information about how to configure it, see the topic on configuring mail providers and sessions. Note the JNDI name of your configured Mail session. To configure the email notification for the certificate expiration monitor in the administrative console, open the certificate expiration monitor settings and select Email sent to notification list. Add your email address to the Email address to add field. In the Outgoing mail (SMTP) server field, enter the JNDI name of the Mail session.
com.ibm.websphere.security.performTAIForUnprotectedURI
This property specifies TAI invocation behavior when Use available authentication data when an unprotected URI is accessed is selected in the administrative console. When this property is set to true and that option is selected, the TAIs are also invoked for requests to unprotected URIs.
Information | Value |
---|---|
Default | false |
For WebSphere Application Server Version 8.0, the default value is true. For WebSphere Application Server Version 8.0.0.1 and later, the default value is false.
com.ibm.websphere.security.platform.cache.eviction
This property enables z/OS localOS registry permission changes to be quickly reflected in the runtime by forcing the deletion of the z/OS PlatformCredential object whenever subjects are removed from the AuthCache.
When this property is set to true, if a subject is evicted from the authentication cache for any reason, the platform credential is deleted. The downside of setting this property to true is that it can create multi-thread issues in high volume workloads, where platform credentials are created and removed rapidly. These thread collisions can result in errant authorization errors. If such authorization errors occur, SECJ0129E error messages are issued.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.ReceiveCertificate
Set this custom property to true to allow users to re-receive a certificate from a certificate authority.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.recoverContextWithNewKeys
This property affects behavior when deserializing a security context that was previously saved as part of asynchronous security processing for Web Services or Asynch Beans.
When this property is set to true, the security context can be de-serialized even when the LTPA keys have changed since the context was serialized out. This property should be set to true if the security context deserialization fails with a WSSecurityException containing this message: Validation of LTPA token failed due to invalid keys or token type.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.release.ejb.reference
This property helps improve memory usage.
When the value is set to true, security code keeps references to security-related EJB data, but releases EJB data that is not related to security.
The default value is false.
com.ibm.websphere.security.rsaCertificateAliasCache
This property is used to control the size of the alias cache.
The default value is 5000 and can be increased for larger deployments. You do not need to add this property unless your Job Manager topology exceeds 5000 registered nodes.
The value must be in the range 1 - N, where N is a positive integer that is greater than or equal to the number of nodes registered with the Job Manager.
Information | Value |
---|---|
Default | 5000 |
com.ibm.websphere.security.setContextRootForFormLogin
This property is used to set a unique path name whenever a WASReqURL cookie is generated.
A browser can hold multiple WASReqURL cookies as long as each cookie has a unique path name. When this property is set to true, a unique path name is set whenever a WASReqURL cookie is generated. Therefore, if more than one application that uses form login is installed on the same application server, specify this property as one of the security settings for that application server and set it to true.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.setKrbAuthnToken.if.cacheHit
When this custom property is specified, WebSphere looks for a Kerberos authentication token (KRBAuthnToken) in the cache, even if Kerberos authentication is not enabled. If a KRBAuthnToken exists, this property adds it to the subject.
The outcome of this custom property varies depending on the LTPA token timeout value and the Kerberos ticket timeout value. This property changes the content of the subject, so login modules or trust association interceptors that use the Kerberos token might behave differently after the property is set.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.skip.save.deleted.certs
When you delete either keystore or truststore certificates, WebSphere Application Server saves a backup in a keystore that is named deleted.p12, so that the certificate can be recovered later. If the deleted.p12 keystore is not found or is not a valid keystore, WebSphere Application Server does not delete the certificate. If this property is set to true, WebSphere Application Server deletes the certificate without saving it to deleted.p12. The default value of this property is false.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.spnego.includeCustomCacheKeyInSubject
When this property is set to true, LTPA tokens that are created from SPNEGO authentication include a custom cache key that is derived from the associated Kerberos credentials. The default value for this property is false.
If the server receives an LTPA token with the custom cache key and the authentication cache is empty, the server initiates a new SPNEGO authentication to obtain new Kerberos credentials.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.spnego.useBuiltInMappingToSAF
Use this property to ensure that a mapping from a Kerberos principal to a RACF ID is performed for SPNEGO web authentication.
If you do not add this property to your security settings and set it to true, a mapping from a Kerberos principal to a RACF ID is not performed for SPNEGO web authentication.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.strictCredentialExpirationCheck
Specifies whether credential expiration check occurs for a local Enterprise JavaBeans (EJB) call. Typically, when an EJB invokes another EJB that is located in a local machine, a direct method invocation occurs even if the credentials of the original invoker expire before the local EJB call occurs.
If this property is set to true, a credential expiration check occurs on a local EJB call before the EJB is invoked on the local machine. If the credentials have expired, the EJB call is rejected.
If this property is set to false, a credential expiration check does not occur for a local EJB call.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.tokenFromMBeanSoapTimeout
Use this property to specify the amount of time the receiving server waits for an outbound SOAP call to retrieve the proper authentication from the originating server when Single Sign-On is enabled.
There is no default value for this property. If no value is specified, the global SOAP timeout value is used as the timeout value for the SOAP connection.
com.ibm.websphere.security.useActiveRegistryForNewDefaultSSOTokens
Use this property to indicate that the active user registry should be used when creating a new default Single Sign-on (SSO) token.
Typically, a default SSO token is created whenever there is a mismatch between the access ID of the incoming SSO authentication token and the principal name in the authorization token. A possible cause of this mismatch is having different realms. For example, a mismatch occurs if the admin domain is using a LocalOS registry and the active registry is LDAP.
Setting this property to true causes new SSO tokens to be created using the active registry (LDAP, in this example).
The default value for the property is false.
com.ibm.websphere.security.useLoggedSecurityName
This is a custom property of user registries. This property alters the behavior of creating WSCredential.
A setting of false indicates that the security name returned by a user registry is always used to construct the WSCredential.
A setting of true indicates that either a security name that is supplied by a login module or a display name that is supplied by a user registry is used. This setting is compatible with WebSphere Application Server Version 6.1 and earlier.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.useOnlyCustomCookieName
When this property is set to true, the product looks only for cookies with the names that are specified in the com.ibm.websphere.security.customLTPACookieName and com.ibm.websphere.security.customSSOCookieName custom properties.
By default, the server also evaluates cookies that have the default names LtpaToken2 and LtpaToken.
Information | Value |
---|---|
Default | false |
com.ibm.websphere.security.util.authCacheEnabled
This property specifies whether to enable, disable, or (by applying it to a single JVM) partially disable the authentication cache (AuthCache). Disabling AuthCache might impact performance. The property works as a security custom property and as a JVM property.
If specified as a security custom property, this property is propagated by node synchronization to every server. Specify it as a JVM property instead when only one server requires different AuthCache settings, because a JVM property applies only to that JVM.
A setting of true, which is the default setting, enables AuthCache.
A setting of false disables AuthCache, so user ID/password lookups are no longer cached.
Information | Value |
---|---|
Default | true |
com.ibm.websphere.security.util.csiv2SessionCacheIdleTime
This property specifies the time in milliseconds that a CSIv2 session can remain idle before it is deleted. The session is deleted if the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property is set to true, and the maximum size of the CSIv2 session cache is exceeded.
To set this property in the administrative console:
- Expand the Security section and click Global security.
- Expand the RMI/IIOP security section and click CSIv2 outbound communications.
The range of values for this custom property is 60,000 to 86,400,000 milliseconds. By default, the value is not set.
com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled
This custom property specifies whether to limit the size of the CSIv2 session cache.
When you set this custom property value to true, you must set values for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime and com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom properties. When you set this custom property to false, the CSIv2 session cache is not limited. The default property value is false.
Consider setting this custom property to true if your environment uses Kerberos authentication and has a small clock skew for the configured key distribution center (KDC). In this scenario, a small clock skew is defined as less than 20 minutes. A small clock skew can result in a larger number of rejected CSIv2 sessions. However, with a smaller value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property, the application server can clean out these rejected sessions more frequently and potentially reduce the resource shortages.
To set this property in the administrative console:
- Expand the Security section and click Global security.
- Expand the RMI/IIOP security section and click CSIv2 outbound communications.
com.ibm.websphere.security.util.csiv2SessionCacheMaxSize
This property specifies the maximum size of the session cache after which expired sessions are deleted from the cache.
Expired sessions are defined as sessions that are idle longer than the time that is specified by the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property. When you use the com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom property, consider setting its value between 100 and 1000 entries.
Consider specifying a value for this custom property if your environment uses Kerberos authentication and has a small clock skew for the configured key distribution center (KDC). In this scenario, a small clock skew is defined as less than 20 minutes. Consider increasing the value of this custom property if the small cache size causes the garbage collection to run so frequently that it impacts the performance of the application server.
This custom property only applies if you enable stateful sessions, set the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property to true, and set a value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property.
To set this property in the administrative console:
- Expand the Security section and click Global security.
- Expand the RMI/IIOP security section and click CSIv2 outbound communications.
The range of values for this custom property is 100 to 1000 entries. By default, the value is not set.
com.ibm.websphere.security.util.postParamMaxCookieSize
This property sets a size limit for the WASPostParam cookies that are generated by the security code.
When the Use available authentication data when an unprotected URI is accessed option is enabled and form-based authentication is used, a WASPostParam cookie is generated during the authentication procedure of an HTTP POST request even if the target URL is unprotected. A WASPostParam cookie is a temporary cookie that is used to store HTTP POST parameters. The result is that the web client is sent an unnecessary cookie with the HTTP response, which can cause unexpected behavior when the size of the cookie exceeds the browser limit. To avoid this behavior, set com.ibm.websphere.security.util.postParamMaxCookieSize so that the security code stops generating the cookie when the maximum size specified by this property is reached. The value of this property must be a positive integer and represents the maximum size of the cookie in bytes.
The default value is 16384.
com.ibm.websphere.security.util.postParamSaveMethod
This property specifies where POST parameters are stored upon redirect.
- cookie: POST parameters are stored in a cookie.
- session: POST parameters are stored in the HTTP session.
- none: POST parameters are not preserved.
The default value is cookie.
com.ibm.websphere.security.web.removeCacheOnFormLogout
This custom property enables you to specify whether a cached object is removed from the authentication cache and the dynamic cache when a form logout occurs. A form logout is a mechanism that enables a user to log out of an application without having to close all Web-browser sessions.
When this property is set to false, corresponding cached entries are not removed from the authentication cache and the dynamic cache when a form logout occurs. As a result, if the same user logs back in after a form logout, the cached object is reused.
When this property is set to true, the cached entries are removed from the authentication cache and the dynamic cache when a form logout occurs.
The default value is true.
com.ibm.websphere.security.web.setLTPATokenCookieToUnprotectedURI
This custom property specifies the cookie generation behavior for Lightweight Third Party Authentication (LTPA) tokens for inbound web resource requests.
When this property is true, the application server generates and sets an LTPAToken cookie for all successfully authenticated resource requests, regardless of whether the request is for protected or unprotected web resources. This behavior is different from the behavior in WebSphere Application Server Version 6.1 and can cause some applications developed for Version 6.1 not to work on later versions.
Set this property to false to generate an LTPAToken cookie only for protected web resources. This behavior is compatible with WebSphere Application Server Version 6.1.
The default value is true.
com.ibm.websphere.security.webAlwaysLogin
By default, the login() method throws an exception if an identity has already been authenticated. Set this property to true to override this behavior and allow login() to proceed for an already-authenticated request.
Information | Value |
---|---|
Default | false |
Type | string |
com.ibm.websphere.ssl.ignore.jvm.keystores
This custom property controls whether WebSphere honors JVM keystore system properties when they are found.
When this property is set to false, WebSphere ignores the JVM keystore properties even when they are set. The default value is true, which means that WebSphere honors the JVM keystore properties.
Setting this property to false helps identify the application that sets the JVM keystore properties, by ignoring the settings while keeping other applications from being affected by them. When the application is identified, review its code so that it does not set the JVM keystore properties. Once the application is updated, com.ibm.websphere.ssl.ignore.jvm.keystores=false can be removed from the configuration.
Information | Value |
---|---|
Default | true |
Type | string |
com.ibm.websphere.ssl.include.ECCiphers
This custom property specifies whether WebSphere Application Server includes Elliptic Curve Cryptography (ECC) cipher suites in the default cipher suite list.
When this property is set to false, the application server does not include ECC cipher suites in the default list. Set the property to true to include them. If SP800-131a or Suite B is enabled, ECC cipher suites are always included regardless of this setting.
Starting with Version 8.5.5.14, the default value of the com.ibm.websphere.ssl.include.ECCiphers custom property is true. Before 8.5.5.14, the default value is false.
Information | Value |
---|---|
Default | true (Version 8.5.5.14 and later); false (before 8.5.5.14) |
Type | string |
com.ibm.websphere.ssl.retrieveLeafCert
This custom property makes the retrieve from port function retrieve the leaf (end-entity) certificate instead of the root certificate.
When this property is not set or is set to false, the retrieve from port function retrieves the root certificate of the chain that the remote server presents. Set this property to true if you want the function to retrieve the leaf certificate instead.
Information | Value |
---|---|
Default | false |
Type | string |
com.ibm.websphere.tls.disabledAlgorithms
This property is used to customize or suppress the jdk.tls.disabledAlgorithms Java security property that the server sets.
WebSphere Application Server sets the Java security property jdk.tls.disabledAlgorithms to disable algorithms that can be used in the TLS handshake.
To prevent WebSphere Application Server from setting jdk.tls.disabledAlgorithms, set the value of this custom property to none.
To set jdk.tls.disabledAlgorithms to a particular set of algorithms, set the security custom property com.ibm.websphere.tls.disabledAlgorithms to a comma-separated list of algorithms.
Information | Value |
---|---|
Default | SSLv3, RC4, DH keySize < 768, MD5withRSA |
Default | SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DES_CBC |
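How a jdk.tls.disabledAlgorithms list of the kind shown above is read, as an added example that is neither WebSphere nor JDK code: it parses the longer default list quoted in the table and answers whether a protocol, a key of a given size, or a named cipher suite would be refused. Only the plain-name and keySize constraint forms that appear in these defaults are modelled; the JDK accepts further constraint forms that this parser does not handle, and the matching rules here are a simplified restatement of the JDK's, not a copy of them. The special value none, which this page says stops WebSphere from setting the property, is returned as None.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the longer default list quoted on this page for
# com.ibm.websphere.security.tls.disabledAlgorithms (a jdk.tls.disabledAlgorithms value).
SAMPLE_VALUE = ("SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, EC keySize < 224, "
                "3DES_EDE_CBC, anon, NULL, DES_CBC")

# Only the "<alg> keySize <op> <n>" form is modelled; other JDK constraint forms are not.
_KEYSIZE_RE = re.compile(r"^(\S+)\s+keySize\s*(<=|<|>=|>|==|!=)\s*(\d+)$")


@dataclass(frozen=True)
class Constraint:
    name: str                  # algorithm or cipher-suite component, e.g. "RC4", "DH"
    op: Optional[str] = None   # comparison operator for keySize constraints, else None
    size: Optional[int] = None


def parse_disabled_algorithms(value):
    """Parse a jdk.tls.disabledAlgorithms-style list into Constraint objects.

    Returns None for the special value "none", which this page says makes WebSphere
    leave the JVM's own java.security default in place.
    """
    value = value.strip()
    if value.lower() == "none":
        return None
    constraints = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        m = _KEYSIZE_RE.match(entry)
        if m:
            constraints.append(Constraint(m.group(1), m.group(2), int(m.group(3))))
        else:
            constraints.append(Constraint(entry))
    return constraints


def _size_violates(op, limit, key_size):
    """True if key_size falls on the disabled side of the comparison."""
    return {"<": key_size < limit, "<=": key_size <= limit, ">": key_size > limit,
            ">=": key_size >= limit, "==": key_size == limit, "!=": key_size != limit}[op]


def is_disabled(algorithm, constraints, key_size=None):
    """True if a protocol, signature or key algorithm is disabled by the list.

    Plain entries disable by (case-insensitive) name; keySize entries disable only
    when a key of the given size violates the comparison.
    """
    for c in constraints:
        if c.name.lower() != algorithm.lower():
            continue
        if c.op is None:
            return True
        if key_size is not None and _size_violates(c.op, c.size, key_size):
            return True
    return False


def cipher_suite_disabled(suite, constraints):
    """True if a TLS cipher-suite name contains a disabled component.

    Components are matched as whole "_"-delimited pieces, so "DES" matches
    TLS_RSA_WITH_DES_CBC_SHA but not the 3DES suites (those are caught by 3DES_EDE_CBC).
    """
    padded = "_" + suite.upper() + "_"
    for c in constraints:
        if c.op is None and "_" + c.name.upper() + "_" in padded:
            return True
    return False
```

Running the checks against a proposed change to the property is cheaper than a handshake test against every endpoint: for instance, with the list above, a 2048-bit DH group is allowed but a 768-bit one is refused, and any suite containing RC4, NULL, anon or 3DES_EDE_CBC is refused regardless of its key exchange.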
com.ibm.ws.security.addHttpOnlyAttributeToCookies
This custom property enables you to set the HTTPOnly attribute for single sign-on (SSO) cookies.
You can use the com.ibm.ws.security.addHttpOnlyAttributeToCookies custom property to protect cookies that contain sensitive values. When you set this custom property value to true, the application server sets the HTTPOnly attribute for SSO cookies whose values are set by the server. The HTTPOnly attribute enables the protection of sensitive values in cookies.
Also, a true value enables the application server to properly recognize, accept, and process inbound cookies with HTTPOnly attributes and inhibit any cross-site scripting from accessing sensitive cookie information.
A common security problem, which impacts web servers, is cross-site scripting. Cross-site scripting is a server-side vulnerability that is often created when user input is rendered as HTML. Cross-site scripting attacks can expose sensitive information about the users of the website. Most modern web browsers honor the HTTPOnly attribute to prevent this attack. A cookie with this attribute is called an HTTPOnly cookie. Information that exists in an HTTPOnly cookie is less likely to be disclosed to a hacker or a malicious website. For more information about the HTTPOnly attribute, see the Open Web Application Security Project (OWASP) website.
This property does not affect the following cookies:
- JSESSIONID cookies
- SSO cookies that are created by authenticators or providers from another software vendor
- Client or browser cookies that do not already contain the HTTPOnly attribute
To set this property in the administrative console:
- Click Security > Global security.
- Under Authentication, click Web and SIP security > Single sign-on (SSO).
Information | Value |
---|---|
Default | true |
Type | Boolean |
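A quick way to confirm the setting took effect is to inspect the Set-Cookie headers a login response returns. The following added example (not IBM code; written for this page) parses Set-Cookie header values and reports LTPA SSO cookies, and the JSESSIONID session cookie that this property does not change, that lack HttpOnly. It also reports a missing Secure attribute, which the page does not discuss but which belongs in the same check. The header values are constructed samples with placeholder token values.

```python
# Names of the cookies this property concerns (LTPA SSO cookies) plus the
# servlet session cookie, which the property does not change.
LTPA_COOKIE_NAMES = {"ltpatoken", "ltpatoken2"}
SESSION_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name, value and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {
        "name": name.strip(),
        "value": value.strip(),
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "attrs": attrs,
    }


def audit_set_cookies(set_cookie_headers):
    """Return (cookie name, problem) pairs for SSO and session cookies that
    are missing HttpOnly or Secure. Other cookies are ignored."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        lname = cookie["name"].lower()
        if lname not in LTPA_COOKIE_NAMES | SESSION_COOKIE_NAMES:
            continue
        if not cookie["httponly"]:
            findings.append((cookie["name"], "missing HttpOnly"))
        if not cookie["secure"]:
            findings.append((cookie["name"], "missing Secure"))
    return findings


# Constructed sample response headers; token and session values are placeholders.
SAMPLE_HEADERS = [
    "LtpaToken2=PLACEHOLDER_BASE64_TOKEN==; Path=/; Domain=.example.com; Secure; HttpOnly",
    "JSESSIONID=0000PLACEHOLDERSESSION:-1; Path=/",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, problem in audit_set_cookies(SAMPLE_HEADERS):
        print(f"{name}: {problem}")
```

With the sample above the LTPA cookie passes and JSESSIONID is flagged twice, which is the expected picture when only this property has been set: the session cookie's attributes are governed by the web container's session settings, not by this SSO property.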
com.ibm.ws.security.allowNonAdminToSecurityXML
This property specifies whether the non-admin security roles are allowed to modify the security.xml file. Setting this property to true gives non-admin security roles the ability to modify the security.xml file. In Version 6.1 and later, by default, non-admin security roles have the ability to modify the security.xml file.
Information | Value |
---|---|
Default | false |
Type | Boolean |
com.ibm.ws.security.config.SupportORBConfig
Specifies whether to check the object request broker (ORB) for properties.
This property must be set as a system property. Set it to true or yes so that the ORB is checked for properties. For any other setting, the ORB is completely ignored.
The property is used when a pluggable application client connects to WebSphere Application Server. Specifically, it is used whenever a hashmap that contains security properties is passed on a new InitialContext(env) call.
com.ibm.ws.security.createTokenSubjectForAsynchLogin
In this release, the actual LTPA token data is not available from a WSCredential.getCredentialToken() call when called from an asynchronous bean. For an existing configuration, you can add the com.ibm.ws.security.createTokenSubjectForAsynchLogin custom property with a value of true to allow the LTPAToken to be forwarded to asynchronous beans. This property allows portlets to successfully perform LTPA token forwarding.
This custom property is case sensitive. You must restart the application server after you add this custom property.
Information | Value |
---|---|
Default | not applicable |
com.ibm.ws.security.defaultLoginConfig
This property is the JAAS login configuration that is used for logins that do not fall under the WEB_INBOUND, RMI_OUTBOUND, or RMI_INBOUND login configuration categories.
Internal authentication and protocols that do not have specific JAAS plug points call the system login configuration that is referenced by com.ibm.ws.security.defaultLoginConfig configuration.
Information | Value |
---|---|
Default | system.DEFAULT |
com.ibm.ws.security.failSSODuringCushion
Use the com.ibm.ws.security.failSSODuringCushion custom property to update custom JAAS Subject data for the LTPA token.
When you do not set this custom property to true, new JAAS Subjects might not contain the custom JAAS Subject data.
The default value is true.
com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA
Use the com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA custom property to correct an "invalid library name" error when you attempt to use a PKCS11 type keystore with a Java client.
The ssl.client.props file points to a configuration file, which in turn, points to the library name for the cryptographic device. The code for the Java client looks for a keystore type for the correct provider name. Without this custom property, the keystore type constant for PKCS11 is not specified correctly as it references the IBMPKCS11Impl provider instead. Also, the Lightweight Third Party Authentication (LTPA) code uses the provider list to determine the Java Cryptography Extension (JCE) provider. This approach causes a problem when Secure Sockets Layer (SSL) acceleration is attempted because the IBMPKCS11Impl provider needs to be listed before the IBMJCE provider within the java.security file.
This custom property corrects both issues so that SSL and other cryptographic mechanisms can use hardware acceleration.
Set this custom property to true when you want to use a PKCS11 type keystore with a Java client.
Information | Value |
---|---|
Default | false |
com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA
Use the com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA custom property to force RSA token validation to be done in software.
- In the administrative console, open the RSA token authentication settings and clear Only use the active application authentication mechanism.
- Click Custom properties, and then click New to add the com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA custom property to your security settings.
- Enter com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA in the Name field and true in the Value field.
When this property is set to true, the default software JCE provider, instead of IBMJCECCA, is used for security validation.
Information | Value |
---|---|
Default | false |
com.ibm.ws.security.spnego.useHttpFilterClass2
An alternative SPNEGO filter that supports IP address ranges is available.
To enable the alternative SPNEGO filter, set this custom property to true.
Information | Value |
---|---|
Default | false |
com.ibm.ws.security.ssoInteropModeEnabled
This property determines whether to send LtpaToken2 and LtpaToken cookies in the response to a web request (interoperable).
When this property value is false, the application server just sends the new LtpaToken2 cookie which is stronger, but not interoperable with some other products and WebSphere Application Server releases prior to Version 5.1.1. In most cases, the old LtpaToken cookie is not needed and you can set this property to false.
Information | Value |
---|---|
Default | true |
com.ibm.ws.security.unprotectedUserRegistryMethods
Specifies the method names on the UserRegistry interface, such as getRealm, getUsers, and isValidUser, that you do not want protected from remote access. If you specify multiple method names, separate the names with a space, a comma, a semicolon, or a vertical bar (|). See your implementation of the UserRegistry interface file for a complete list of valid method names.
If you specify an * as the value for this property, all methods are unprotected from remote access. If a value is not specified for this property, all methods are protected from remote access.
If an attempt is made to remotely access a protected UserRegistry interface method, the remote process receives a CORBA NO_PERMISSION exception with minor code 49421098.
There is no default value for this property.
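The semantics above have three distinct cases (unset means everything protected, * means everything unprotected, otherwise a delimited allow-list), and the delimiters are easy to get wrong. The following added example (not IBM code; written for this page) implements those rules as a small gate and models the NO_PERMISSION outcome with a constructed exception carrying the minor code quoted above. The guard_remote_call helper and RemoteAccessDenied class are this example's own constructs, not part of the product.

```python
import re

# Minor code quoted in the text above for the CORBA NO_PERMISSION exception.
NO_PERMISSION_MINOR_CODE = 49421098

# Accepted separators: whitespace, comma, semicolon, vertical bar (any mix).
_SEPARATORS = re.compile(r"[\s,;|]+")


class RemoteAccessDenied(Exception):
    """Constructed stand-in for the CORBA NO_PERMISSION exception."""

    def __init__(self, method):
        super().__init__(
            f"NO_PERMISSION minor code {NO_PERMISSION_MINOR_CODE}: {method}")
        self.method = method
        self.minor_code = NO_PERMISSION_MINOR_CODE


def parse_unprotected_methods(value):
    """Turn the property value into the set of method names open to remote access.

    None or blank -> empty set (everything protected);
    "*"           -> {"*"} (everything unprotected);
    otherwise the names split on space, comma, semicolon or vertical bar.
    """
    if value is None or not value.strip():
        return set()
    text = value.strip()
    if text == "*":
        return {"*"}
    return {name for name in _SEPARATORS.split(text) if name}


def is_remotely_protected(value, method):
    """True if a remote call to `method` must be refused under this property value."""
    unprotected = parse_unprotected_methods(value)
    if "*" in unprotected:
        return False
    return method not in unprotected


def guard_remote_call(value, method, call):
    """Run `call()` only if `method` may be accessed remotely; otherwise raise
    the constructed NO_PERMISSION stand-in."""
    if is_remotely_protected(value, method):
        raise RemoteAccessDenied(method)
    return call()


if __name__ == "__main__":
    policy = "getRealm, isValidUser;getUsers"
    print(guard_remote_call(policy, "getRealm", lambda: "exampleRealm"))
    try:
        guard_remote_call(policy, "checkPassword", lambda: True)
    except RemoteAccessDenied as exc:
        print("refused:", exc)
```

Running the value you plan to configure through parse_unprotected_methods shows exactly which methods would become reachable remotely, which is worth doing before opening anything beyond the read-only lookups.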
com.ibm.ws.security.web.saml.disableDecodeURL
This property provides an option to disable URL decoding.
When SAML Web SSO is enabled and SAML TAI is invoked, a cookie is set to store the original request URL. After authentication, the original URL is decoded before it is sent as a redirect. When this property value is set to true, the original URL for redirect is used without decoding the URL. To set this property with the administrative console, click Security > Global security > Custom properties. Click New to add a new custom property and its associated value.
Information | Value |
---|---|
Default | false |
com.ibm.ws.security.webChallengeIfCustomSubjectNotFound
This property determines the behavior of a single sign-on LtpaToken2 login.
If this property is set to true and the token contains a custom cache key but the custom Subject cannot be found, the token is used to log in directly, because the custom information must be regathered, and a challenge also occurs so that the user is required to log in again. When this property value is set to false and the custom Subject is not found, the LtpaToken2 is used to log in and gather all of the registry attributes. However, the token might not obtain any of the special attributes that downstream applications might expect.
Information | Value |
---|---|
Default | true |
com.ibm.ws.security.webInboundLoginConfig
This property is the JAAS login configuration that is used for web requests that are received inbound.
By knowing the login configuration, you can plug in a custom login module that can handle specific cases for web logins.
Information | Value |
---|---|
Default | system.WEB_INBOUND |
com.ibm.ws.security.webInboundPropagationEnabled
This property determines whether a received LtpaToken2 cookie should search for the propagated attributes locally before searching the original login server that is specified in the token. After the propagated attributes are received, the Subject is regenerated and the custom attributes are preserved.
Information | Value |
---|---|
Default | true |
com.ibm.ws.security.web.logoutOnHTTPSessionExpire
This property specifies whether users are logged out after the HTTP session timer expires.
The com.ibm.ws.security.web.logoutOnHTTPSessionExpire property applies only to applications that use form login.
Information | Value |
---|---|
Default | false |
Required | false |
Data Type | boolean |
com.ibm.ws.security.WSSecureMapInitAtStartup
This property establishes that the security cache (WSSecureMap) as part of the dynamic cache is initialized for use in security attribute propagation.
Information | Value |
---|---|
Default | true |
com.ibm.ws.security.WSSecureMapSize
This property specifies the security cache (WSSecureMap) size.
Information | Value |
---|---|
Default | 100 |
com.ibm.wsspi.security.cred.refreshGroups
This property affects behavior when deserializing a security context that was previously saved as part of asynchronous security processing for Web Services or Asynch Beans.
When this property is set to true, the user registry is accessed to get the groups associated with the user. If the user still exists in the registry, the groups from the user registry are used instead of the groups that were serialized in the security context. If the user is not found in the user registry, and the verifyUser property is set to false, the groups from the security context are used.
Information | Value |
---|---|
Default | false |
com.ibm.wsspi.security.cred.verifyUser
This property affects behavior when deserializing a security context that was previously saved as part of asynchronous security processing for Web Services or Asynch Beans.
When this property is set to true, the user registry is accessed to verify that the user from the security context still exists. If it does not exist, a WSLoginFailedException is thrown.
Information | Value |
---|---|
Default | false |
com.ibm.wsspi.security.ltpa.tokenFactory
This property specifies the Lightweight Third Party Authentication (LTPA) token factories that can be used to validate the LTPA tokens.
Validation occurs in the order in which the token factories are specified because LTPA tokens do not have object identifiers (OIDs) that specify the token type. The Application Server validates the tokens using each token factory until validation is successful. The order that is specified for this property is the most likely order of the received tokens. Specify multiple token factories by separating them with a pipe (|) without spaces before or after the pipe.
Information | Value |
---|---|
Default | com.ibm.ws.security.ltpa.LTPATokenFactory\|com.ibm.ws.security.ltpa.LTPAToken2Factory\|com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
com.ibm.wsspi.security.token.authenticationTokenFactory
This property specifies the implementation that is used for an authentication token in the attribute propagation framework. The property provides an old LTPA token implementation for use as the authentication token.
Information | Value |
---|---|
Default | com.ibm.ws.security.ltpa.LTPATokenFactory |
com.ibm.wsspi.security.token.authorizationTokenFactory
This property specifies the implementation that is used for an authorization token. This token factory encodes the authorization information.
Information | Value |
---|---|
Default | com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
com.ibm.wsspi.security.token.propagationTokenFactory
This property specifies the implementation that is used for a propagation token. This token factory encodes the propagation token information.
The propagation token is on the thread of execution and is not associated with any specific user Subjects. The token follows the invocation downstream flow wherever the process leads.
Information | Value |
---|---|
Default | com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
com.ibm.wsspi.security.token.singleSignonTokenFactory
This property specifies the implementation that is used for a Single Sign-on (SSO) token. This implementation is the cookie that is set when propagation is enabled regardless of the state of the com.ibm.ws.security.ssoInteropModeEnabled property.
By default, this implementation is the LtpaToken2 cookie.
Information | Value |
---|---|
Default | com.ibm.ws.security.ltpa.LTPAToken2Factory |
com.ibm.wsspi.wssecurity.kerberos.failAuthForExpiredKerberosToken
Use this property to specify how you want the system to handle authentication for a request after the Kerberos token for the request expires.
When this property is set to true, if a Kerberos token cannot be refreshed after it expires, authentication for the request fails.
When this property is set to false, authentication for the request does not fail even if the token has expired.
The default value for this property is false.
security.allowCustomHTTPMethods
Use this custom property to permit custom HTTP methods. The custom HTTP methods are other than the standard HTTP methods, which are: DELETE, GET, HEAD, OPTIONS, POST, PUT or TRACE.
When this property is set to false, which is the default, if a combination of a URI pattern and a custom HTTP method is not listed in the security-constraint element, a search of the security constraint is performed using the URI pattern only. If there is a match, the value of the <auth-constraint> element is enforced. This behavior minimizes a potential security exposure.
When this property is set to true, the custom HTTP methods are treated as the standard HTTP methods. An authorization decision is made by both the URI pattern and the HTTP method. To properly protect a target URI, make sure that the proper HTTP methods are listed in the <web-resource-collection> element.
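The difference between the two settings is easiest to see by running the same request through both. The following added example (not IBM code; written for this page) models a web.xml security-constraint list as plain dictionaries, implements servlet-style URL pattern matching, and returns the roles an auth-constraint requires for a request under either value of security.allowCustomHTTPMethods. The sample constraints are constructed; how a standard method that a constraint does not list is treated is outside what the text describes, and the example simply treats it as not matching.

```python
# Standard HTTP methods as listed in the text above; anything else is "custom".
STANDARD_METHODS = {"DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE"}


def url_pattern_matches(pattern, path):
    """Servlet-style URL pattern matching: exact, path-prefix (/x/*),
    extension (*.ext) and the default pattern (/)."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(constraints, path, method, allow_custom_http_methods=False):
    """Return the set of roles the matching auth-constraints require for this
    request, or None when no security-constraint applies (request unprotected).

    Each constraint is a dict with "url_patterns", "http_methods" (an empty
    list means the constraint covers every method) and "roles", mirroring the
    web.xml <security-constraint> element.
    """
    method = method.upper()
    is_custom = method not in STANDARD_METHODS
    roles = None
    for constraint in constraints:
        if not any(url_pattern_matches(p, path) for p in constraint["url_patterns"]):
            continue
        listed = {m.upper() for m in constraint["http_methods"]}
        method_listed = not listed or method in listed
        # Property false (default): an unlisted custom method falls back to a
        # URI-only match, so the constraint still applies.
        # Property true: a custom method is treated like a standard one and
        # must be listed for the constraint to apply.
        if method_listed or (is_custom and not allow_custom_http_methods):
            roles = (roles or set()) | set(constraint["roles"])
    return roles


# Constructed sample: /admin/* requires "admin" for GET and POST only, and
# every JSP requires "user" for any method.
SAMPLE_CONSTRAINTS = [
    {"url_patterns": ["/admin/*"], "http_methods": ["GET", "POST"], "roles": ["admin"]},
    {"url_patterns": ["*.jsp"], "http_methods": [], "roles": ["user"]},
]

if __name__ == "__main__":
    for allow in (False, True):
        print(f"allowCustomHTTPMethods={allow}: FOO /admin/users ->",
              required_roles(SAMPLE_CONSTRAINTS, "/admin/users", "FOO",
                             allow_custom_http_methods=allow))
```

The run shows the exposure the text warns about: with the property true, a custom method against /admin/users returns None (no constraint applies) until that method is listed in the web-resource-collection, whereas with the default false the URI-only fallback keeps the admin role requirement in force.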
security.enablePluggableAuthentication
This property is no longer used. Instead, use WEB_INBOUND login configuration.
To view the system login configurations in the administrative console:
- Under Java Authentication and Authorization Service, click System logins.
Information | Value |
---|---|
Default | true |
security.registry.ldap.compoundRDNParsingEnable
Set this property to true to enable the product to parse compound RDN values that contain a plus sign character (+).
To set this property in the administrative console:
- In the custom property field after the Ignore case for authorization check box, set the security.registry.ldap.compoundRDNParsingEnable custom property to true.
- Restart the server.
Information | Value |
---|---|
Default | false |
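What this property enables is treating an unescaped plus sign inside one RDN as a separator between several attribute type and value pairs, rather than as part of a single value. The following added example (not IBM code; written for this page) parses a distinguished name into RDNs and attribute pairs, honours backslash escapes so that an escaped "\+" stays literal, and shows the two readings of the same compound RDN with the feature on and off. The DN strings are constructed samples.

```python
def _split_unescaped(text, sep):
    """Split `text` on `sep`, ignoring separators preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(ch)            # keep the escape for _unescape
            current.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def _unescape(text):
    """Drop the backslash from backslash-escaped characters."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_rdn(rdn, compound_enabled=True):
    """Return a list of (type, value) pairs for one RDN.

    With compound_enabled=True an unescaped "+" separates pairs; with it
    disabled the whole RDN is one pair and the "+" is left inside the value,
    which is the behaviour the property is there to fix.
    """
    pieces = _split_unescaped(rdn, "+") if compound_enabled else [rdn]
    pairs = []
    for piece in pieces:
        attr_type, _, attr_value = piece.partition("=")
        pairs.append((attr_type.strip(), _unescape(attr_value.strip())))
    return pairs


def parse_dn(dn, compound_enabled=True):
    """Return a list of RDNs (each a list of (type, value) pairs), most
    specific first, as written in the DN string."""
    return [parse_rdn(rdn, compound_enabled) for rdn in _split_unescaped(dn, ",")]


if __name__ == "__main__":
    sample = "CN=jsmith+UID=1001,OU=dev,O=example"   # constructed sample DN
    print("parsing enabled: ", parse_dn(sample))
    print("parsing disabled:", parse_dn(sample, compound_enabled=False))
```

With the feature disabled the first RDN comes back as a single pair whose value is the literal text "jsmith+UID=1001", so a lookup keyed on CN or UID alone will not match; with it enabled the same RDN yields both attributes.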
security.useDefaultPolicyWhenJ2SDisabled
The NullDynamicPolicy.getPermissions method provides an option to delegate a default policy class to construct a Permissions object when this property is set to true.
When this property is set to false, an empty Permissions object is returned.
Information | Value |
---|---|
Default | false |
WAS_customUserMappingImpl
This security property is used to plug in a custom UserMapping class. If this value is set at the security top level with the custom user mapping class name, it is used for customizing certificate user mapping and/or identity assertion user mapping. You must place the JAR file that includes the custom class in WAS_HOME/lib/ext.
com.ibm.websphere.security.useAllSSLClientAuthKeytypes
This property is used to ensure that, when WebSphere Application Server acts as the client during an SSL handshake that uses SSL client authentication, all SSL key types provided by the target server are used in selecting a client certificate.
In SSL client authentication, WebSphere Application Server does not pick up all of the SSL key types provided in the certificate request that the target server sends. WebSphere picks up only the most preferable SSL key type. If the SSL key type does not match the most preferable SSL key type, WebSphere does not send a client certificate even though there is a correct SSL client certificate in the keystore.