- AccountCreateLifetime
- Specifies the amount of time, in seconds, that User Self Care
recognizes an account creation request as valid and retains the request
in its internal cache. If the Create Account trust chain does not
finish account creation within the specified time, the request is discarded
and account creation terminates.
This property is required.
Type: Integer
Default: 86400
Maximum: none
Minimum: 0
A setting of 0 disables account creation, because entries are not
retained in the cache. Larger settings increase memory consumption and
can affect performance in replicated environments, because more data is
replicated across nodes using DynaCache.
When setting this property, also consider an appropriate size for the
itfim-usc_accountcreate cache. See: Tuning User Self Care.
- AccountRecoveryFailureLifetime
- Specifies how long, in seconds, the program retains the record of
an unsuccessful account validation attempt. When the specified time
period elapses, the record of the unsuccessful attempt is discarded
and the failure counter is decremented by one.
Type: Integer
Default: 86400
Maximum: none
Minimum: 0. The value 0 disables locking, because no failure record is
retained long enough to count toward AccountRecoveryFailureLimit.
When setting this property, also consider an appropriate size for the
itfim-usc_secretquestionfailures cache. The cache size is configured
separately as part of tuning User Self Care. See: Tuning User Self Care.
- AccountRecoveryFailureLimit
- Specifies the number of times a user can attempt but fail to restore
account access before the program locks the account. If the user does
not supply a correct answer to the secret question, account access
is not restored. Each time the user fails to restore account access, the
failure counter for that account increments by one. When the counter
reaches the value of this property, the program locks the account.
Type: Integer
Default: 3
Maximum: none
Minimum: 0
A setting of 0 or 1 causes the account to be locked after the first
failure.
- AccountRecoveryFailureLockoutTime
- Specifies how long, in seconds, the program keeps the account
locked after the user has exceeded the maximum number of unsuccessful
validation attempts. When the program has locked the account, this
value specifies the amount of time that must pass before the program
unlocks the account.
Type: Integer
Default: 86400
Maximum: none
Minimum: 0. The value 0 disables locking.
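The three AccountRecoveryFailure* properties above act together as a sliding-window lockout: each failure is remembered for AccountRecoveryFailureLifetime seconds, the account locks once AccountRecoveryFailureLimit unexpired failures exist, and the lock clears after AccountRecoveryFailureLockoutTime seconds. The following is an added example, not code from the IBM documentation or from Tivoli Federated Identity Manager, that simulates those semantics as they are described above; the class name, method names and the sample timestamps are assumptions made for illustration.

```javascript
// Added example (not IBM documentation or product code): a simulation of how
// AccountRecoveryFailureLimit, AccountRecoveryFailureLifetime and
// AccountRecoveryFailureLockoutTime interact. Times are in seconds, as in the
// response file. Class and method names are this example's own.

class RecoveryFailureTracker {
  constructor({ failureLimit = 3, failureLifetime = 86400, lockoutTime = 86400 } = {}) {
    this.failureLimit = failureLimit;       // AccountRecoveryFailureLimit
    this.failureLifetime = failureLifetime; // AccountRecoveryFailureLifetime
    this.lockoutTime = lockoutTime;         // AccountRecoveryFailureLockoutTime
    this.failures = new Map();   // userId -> timestamps of unexpired failures
    this.lockedUntil = new Map(); // userId -> time at which the lock expires
  }

  // Discard failure records older than AccountRecoveryFailureLifetime and
  // return how many remain (the "counter decremented by one" per expiry).
  expireFailures(userId, now) {
    const kept = (this.failures.get(userId) || []).filter(t => now - t < this.failureLifetime);
    this.failures.set(userId, kept);
    return kept.length;
  }

  // True while the lock set by a previous limit breach has not yet elapsed.
  isLocked(userId, now) {
    const until = this.lockedUntil.get(userId);
    if (until === undefined) return false;
    if (now >= until) { this.lockedUntil.delete(userId); return false; }
    return true;
  }

  // Record one wrong secret-question answer; returns 'open' or 'locked'.
  recordFailure(userId, now) {
    // A lifetime of 0 or a lockout time of 0 disables locking entirely.
    if (this.failureLifetime === 0 || this.lockoutTime === 0) return 'open';
    if (this.isLocked(userId, now)) return 'locked';
    const count = this.expireFailures(userId, now) + 1;
    this.failures.get(userId).push(now);
    // A limit of 0 or 1 locks after the first failure, as the reference states.
    if (count >= Math.max(this.failureLimit, 1)) {
      this.lockedUntil.set(userId, now + this.lockoutTime);
      this.failures.set(userId, []);
      return 'locked';
    }
    return 'open';
  }
}

// Stand-alone demonstration with the documented defaults and constructed timestamps.
const tracker = new RecoveryFailureTracker({ failureLimit: 3, failureLifetime: 86400, lockoutTime: 86400 });
for (const t of [0, 60, 120]) console.log(`t=${t}s`, tracker.recordFailure('alice', t));
```

With the defaults, three failures inside one day lock the account for a day; a user who spaces failures more than AccountRecoveryFailureLifetime apart never accumulates enough to lock, which is the trade-off to weigh when lowering the lifetime.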
- AccountRecoveryLookupAttribute
- Specifies a user attribute used for user ID lookup. This property
specifies the single attribute that the user enters in the Forgotten
user ID form to retrieve their user ID (identity). User Self Care
uses this registry attribute as a lookup field: it searches for entries
whose attribute matches the value supplied by the user and returns the
matching user IDs. The attribute value is assumed to be an e-mail address,
because an e-mail containing all the matching forgotten user IDs is sent
to that address. Choose an attribute whose value is an address that only
the account owner can read mail at; otherwise a lookup discloses user IDs
to whoever submits the form.
Type: string
Default: mail
- AccountRecoveryLookupField
- This field is deprecated. Do not modify.
- AccountRecoveryValidationAttributes
- This field is deprecated. Do not modify.
- AccountRecoveryValidationLifetime
- Specifies the amount of time, in seconds, that User Self Care
considers the account validation request to be valid.
During password
recovery, users must finish a validation step before recovering their
password. The validation step consists of following a link in an e-mail
that User Self Care sends to the user. If the user does not respond
within the time period specified by this parameter, the program
invalidates the link in the e-mail.
Type: Integer
Default: 86400
Maximum: none
Minimum: 0
A setting of 0 disables account recovery, because the validation link
expires immediately.
When setting this property, also consider an appropriate size for the
itfim-usc_forgottenpassword cache. The cache size is configured
separately as part of tuning User Self Care. See: Tuning User Self Care.
- AttributeMappingFilename
- Specifies the path to the location of a file that contains the
transformation rules for use with the Attribute Mapping STS Module.
This file can be either a JavaScript or
XSLT file.
User Self Care ships with a default JavaScript file named usc.js, located in
Federated_Identity_Manager_installation_dir/examples/js_mappings.
This property is required.
Type: String
Default: none
Example:
/opt/IBM/FIM/examples/js_mappings/usc.js
- BaseURL
- Specifies a fully qualified URL for the root of the User Self
Care federation. User Self Care uses the root to construct dynamic
HTML elements. The syntax is as follows:
method://POC_server:port/FIM_junction/sps
Where:
- method
- Must be either http or https.
- POC_server:port
- The fully qualified host name, and optional port number, of the
point of contact server.
- FIM_junction
- The name of the WebSEAL junction. This value is only required
when using a WebSEAL point of contact server.
This property is required.
Type: String
Default: none
Example:
https://myWebSEALserver.example.com/myTFIMjct/sps
Note: If
you are using WebSEAL as a point of contact server, you likely have
not yet created a junction to the Tivoli® Federated
Identity Manager server. In most cases,
you create this junction at the end of the User Self Care configuration
steps. However, you must determine the name of the junction now, so
that you can set the BaseURL value in the response file now. You must
remember the junction name, for use later when running the tfimcfg command.
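Because the BaseURL must follow the syntax given above and the junction name in it has to be reused later with tfimcfg, it is worth checking the value before writing it into the response file. The following is an added example, not code from the IBM documentation or from Tivoli Federated Identity Manager: it validates a BaseURL against that syntax with Node's built-in URL parser and extracts the method, host, port and junction name. The function name, result fields and sample values are this example's own.

```javascript
// Added example (not IBM documentation or product code): validate a BaseURL of
// the form method://POC_server:port/FIM_junction/sps and extract its parts.

function parseBaseUrl(value) {
  let url;
  try {
    url = new URL(value);                  // rejects relative or malformed input
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'method must be http or https' };
  }
  if (url.search || url.hash || url.username || url.password) {
    return { ok: false, reason: 'query, fragment and credentials are not allowed' };
  }
  // Path must be exactly /sps (no junction) or /FIM_junction/sps, no trailing slash.
  const segments = url.pathname.split('/').slice(1);
  const wellFormed = segments.length >= 1 && segments.length <= 2 &&
    segments[segments.length - 1] === 'sps' && !segments.includes('');
  if (!wellFormed) {
    return { ok: false, reason: 'path must be /sps or /FIM_junction/sps' };
  }
  return {
    ok: true,
    method: url.protocol.slice(0, -1),
    host: url.hostname,                    // the URL parser lower-cases the host name
    port: url.port ? Number(url.port) : (url.protocol === 'https:' ? 443 : 80),
    junction: segments.length === 2 ? segments[0] : null, // null when no WebSEAL junction
  };
}

// Stand-alone demonstration with the documented example value.
console.log(parseBaseUrl('https://myWebSEALserver.example.com/myTFIMjct/sps'));
```

The junction field is what you will need again when running tfimcfg; null means the URL points directly at the server without a WebSEAL junction.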
- CaptchaSTSModuleId
- Specifies the STS module that performs Captcha validation in the
Create Account trust chain: either the demonstration Captcha module
provided with User Self Care, or a placeholder module that takes no
action.
This property is required.
Type: String
Default: none
There are two valid values for this field:
- usc-captcha-demo
Use this value if you want
to activate the demonstration Captcha module. If you use this setting,
you must set the other Captcha settings in this response file. To
use the Captcha demonstration, you must also configure the module.
See: Configuring the Captcha demonstration.
- default-usc-captcha-noop
Use this value if you want to use the placeholder module USCNoOpsSTSModule.
This module takes no action: it performs no Captcha or other validation,
and serves as a placeholder for a customer-provided validation module,
for example one that performs Captcha validation. The USCNoOpsSTSModule
makes it easier for customers to provide their own module without
redefining the trust chains. Until such a module is supplied, the trust
chain runs with no Captcha check.
- DemoCaptchaImageAndKeyList
- This field is required if you are using the Captcha demonstration
module. Its contents are fixed and must not be modified.
Note: The DemoCaptchaImageAndKeyList parameter is already set in the
response file. The program ignores this parameter if you are not using
the demonstration Captcha module.
- DemoCaptchaImageRootURL
- Specifies a URL of a directory that contains the images used for
the demonstration Captcha module provided with User Self Care.
You must specify a value for this property if you want to use the
Captcha demonstration module.
Example:
https://images.example.com/captcha/demo
- EnrollmentEmailSender
- Specifies a fully qualified e-mail address for the account that
User Self Care uses to send a message to the user. The message validates
the user enrollment. In most cases, this address is an e-mail address
that does not receive responses.
This property is required.
Type: string
Default: none
Example:
no-reply@example.com
- EntitySuffix
- Specifies a suffix where created users are stored in the registry.
This suffix must uniquely identify the registry that User Self Care
uses for all operations.
This property is required.
Type: String
Default: o=ibm,c=us
- GroupMembershipGroups
- Specifies a list of groups to which to add newly enrolled users.
Specifies one or more groups that are defined in the user registry
used by the Create Account trust chain. The group names are specific
to the user registry.
Type: String
Default: none
Example:
<object class="java.util.ArrayList">
<void method="add">
<string>Group1</string>
</void>
<void method="add">
<string>Group2</string>
</void>
</object>
- PasswordRecoveryEmailSender
- Specifies a fully qualified e-mail address for the User Self Care
account that sends a message to the user. User Self Care uses the
message to validate a password recovery operation. In most cases,
this e-mail address does not receive responses.
This property is required.
Type: string
Default: none
Example:
no-reply@example.com
- ProfileManagementAttributes
- Defines the set of registry attributes that are used for profile
information. To provide a working prototype, the User Self Care solution
defines a set of registry attributes for use with the default function.
User Self Care does not modify the schema of the target registry.
For this reason, the number of profile attributes is limited, and the
attributes used are standard LDAP attributes that are present in most
registries.
This property is required. The attributes used are:
- businessCategory
- roomNumber
- mobile
- mail
The attributes are represented in the configuration file as
follows:
Figure 1. Profile management attributes in the response file
<object class="java.util.ArrayList">
<void method="add">
<string>businessCategory</string>
</void>
<void method="add">
<string>roomNumber</string>
</void>
<void method="add">
<string>mail</string>
</void>
<void method="add">
<string>mobile</string>
</void>
</object>
- SecretQuestionMinimumNumber
- Specifies the minimum number of required secret questions that
a user must provide answers to during enrollment. Depending on the
configuration, some or all of the secret questions may be presented
to the user for verification purposes when they forget their password.
This property is optional.
Type: Integer
Default: 2
Maximum: none
Minimum: 1
- SecretQuestionMaximumNumber
- Specifies the maximum number of secret questions that a user can
provide answers to during enrollment. Depending on the configuration,
all of the secret questions are presented to the user for verification
purposes when they forget their password.
This property is optional.
Type: Integer
Default: 3
Maximum: none
Minimum: the value of SecretQuestionMinimumNumber. A user cannot be
allowed fewer questions than they are required to answer, so this value
must be at least the value specified in the SecretQuestionMinimumNumber
parameter.
- SecretQuestionRequiredForValidationNumber
- Specifies the number of secret questions a user must answer correctly
to validate their identity.
During password recovery, the user is presented with the secret questions
they answered at enrollment. Every question the user chooses to answer
must be answered correctly, and the number of correct answers must be
at least this value; the user can leave the remaining questions blank.
Example scenario:
During enrollment, a user provides answers to 3 secret questions.
An administrator configures the parameter to: SecretQuestionRequiredForValidationNumber=2
When the user forgets their password, all 3 secret questions are presented
to them. Because the parameter is set to 2, the user only needs to
answer 2 of the 3 questions correctly and can leave the third field blank.
If the user chooses to answer all 3 questions, all 3 answers must be
correct. The user is not validated if only 1 of the 3 questions is
answered correctly, and is not validated if any supplied answer is wrong.
This property is optional.
Type: Integer
Default: 2
Maximum: the value of SecretQuestionMaximumNumber. The value must not
exceed the number of questions a user can enroll. Because a user who
enrolled only SecretQuestionMinimumNumber answers is presented only that
many questions, a value larger than SecretQuestionMinimumNumber would
prevent such users from ever validating.
Minimum: not stated. A value of 0 would require no correct answers, so
set at least 1.
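The three SecretQuestion* properties above define two rules: how many answers a user must supply at enrollment, and how recovery answers are judged (every supplied answer correct, at least the required number supplied, blanks allowed). The following is an added example, not code from the IBM documentation or from Tivoli Federated Identity Manager, that implements both rules as plain functions together with a consistency check on the three values. The function names, the trim-only answer normalisation, the sample configuration (the documented defaults) and the sample answers are this example's own; the check that the required number does not exceed SecretQuestionMinimumNumber is the consequence explained above, not a rule the reference states outright.

```javascript
// Added example (not IBM documentation or product code): the enrollment and
// recovery rules described for SecretQuestionMinimumNumber,
// SecretQuestionMaximumNumber and SecretQuestionRequiredForValidationNumber.

// Constructed sample configuration using the documented default values.
const secretQuestionConfig = {
  SecretQuestionMinimumNumber: 2,
  SecretQuestionMaximumNumber: 3,
  SecretQuestionRequiredForValidationNumber: 2,
};

// Returns null when the three values are mutually consistent, else a reason.
function checkSecretQuestionConfig(cfg) {
  const min = cfg.SecretQuestionMinimumNumber;
  const max = cfg.SecretQuestionMaximumNumber;
  const req = cfg.SecretQuestionRequiredForValidationNumber;
  if (min < 1) return 'SecretQuestionMinimumNumber must be at least 1';
  if (max < min) return 'SecretQuestionMaximumNumber must be at least SecretQuestionMinimumNumber';
  if (req < 1) return 'SecretQuestionRequiredForValidationNumber must be at least 1';
  if (req > max) return 'SecretQuestionRequiredForValidationNumber must not exceed SecretQuestionMaximumNumber';
  // A user who enrolled only the minimum number of answers is presented only
  // that many questions, so a larger requirement would lock such users out.
  if (req > min) return 'SecretQuestionRequiredForValidationNumber must not exceed SecretQuestionMinimumNumber';
  return null;
}

// Enrollment: answers maps question id -> answer text; blank answers do not count.
function checkEnrollment(answers, cfg) {
  const given = Object.values(answers).filter(a => a.trim() !== '').length;
  return given >= cfg.SecretQuestionMinimumNumber && given <= cfg.SecretQuestionMaximumNumber;
}

// Recovery, following the scenario in the reference: a blank field is skipped,
// any wrong answer fails validation, and at least the required number of
// correct answers must be supplied. Answers are compared after trimming only;
// a production implementation would compare stored hashes, not plain text.
function validateRecovery(enrolled, supplied, cfg) {
  let correct = 0;
  for (const [question, expected] of Object.entries(enrolled)) {
    const given = (supplied[question] || '').trim();
    if (given === '') continue;                    // left blank: neither counted nor an error
    if (given !== expected.trim()) return false;   // any wrong answer fails validation
    correct += 1;
  }
  return correct >= cfg.SecretQuestionRequiredForValidationNumber;
}

// Stand-alone demonstration with constructed answers.
const enrolledAnswers = { q1: 'blue', q2: 'rex', q3: 'paris' };
console.log('config:', checkSecretQuestionConfig(secretQuestionConfig));
console.log('2 of 3, one blank:', validateRecovery(enrolledAnswers, { q1: 'blue', q2: 'rex', q3: '' }, secretQuestionConfig));
console.log('3 answered, one wrong:', validateRecovery(enrolledAnswers, { q1: 'blue', q2: 'rex', q3: 'rome' }, secretQuestionConfig));
```

Run checkSecretQuestionConfig on the values you intend to put in the response file before configuring User Self Care; an inconsistent triple is not caught by the property descriptions themselves.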
- SMTPAuthenticatePassword
- The password for the account specified by the SMTPAuthenticateUsername
parameter, if authentication to the SMTP server is used. This property
is optional.
Type: string
Default: none
- SMTPAuthenticateUsername
- The user name that authenticates to the SMTP server. This property
is optional.
Type: string
Default: none
- SMTPServerName
- The fully qualified host name of the Simple Mail Transfer Protocol
(SMTP) server that User Self Care uses to send e-mail to users. This
property is required.
Type: string
Default: none