Advanced configuration properties
Modify the advanced configurations for Advanced Access Control or Federation to meet the requirements of your organization.
Category filter
The category filter displays names of grouping of configuration settings. The groupings correspond to functional areas. When you select a category, the user interface displays only the settings for the category.
WebSEAL Authenticate Callback
- poc.websealAuth.authLevel
- The authentication level of the callback.
- Data type: Integer
- Example: 1
One-time password Authenticate Callback
- poc.otp.authLevel
- The authentication level of the callback.
- Data type: Integer
- Example: 2
- poc.otp.backwardCompatibilityEnabled
- Indicates whether the one-time password authentication mechanism should run in backward compatibility mode. The default value is false if it is a new installation. The default value is true if the installation is an upgrade.
- Data type: Boolean
- Example: true
Authentication-Policy Callback
- poc.authPolicy.allowRequestOverride
- Whether the authentication level, the authentication mode, and the authentication type of the callback can be overridden by query string parameters. Query string parameters are under the client's control, so leave this false unless a flow requires it.
- Data type: Boolean
- Example: true
- poc.authPolicy.authLevel
- The authentication level of the callback.
- Data type: Integer
- Example: 1
- poc.authPolicy.authType
- The authentication type of the callback.
- Data type: String
- Example: COMPLEMENTARY, HIERARCHICAL
SPS HTTP request claims
- sps.httpRequestClaims.enabled
- Whether HTTP request information is sent to STS as HTTPRequestClaims.
- Data type: Boolean
- Example: false
- sps.httpRequestClaims.filterSpec
- The filter that specifies the HTTP request information that is sent to STS as HTTPRequestClaims.
- Data type: String
- Example: cookies=*:headers=*
Distributed shared data storage
- distributedMap.cleanupWait
- The amount of time, in milliseconds, to wait before it performs another cleanup against the distributed map. Distributed map clean up can be disabled by setting the cleanupWait to 0.
- Data type: Integer
- Example: 10000
- distributedMap.defaultTTL
- The amount of time, in seconds, that the entries in the distributed map must live when no lifetime is specified for an entry.
- Data type: Integer
- Example: 3600
- distributedMap.getRetryDelay
- The amount of time, in milliseconds, to wait before it performs another retrieval against the distributed map. The default is 0.
- Data type: Integer
- Example: 500
- distributedMap.getRetryLimit
- The number of retrievals that is done against the distributed map before it returns that the retrieved data is not in the distributed map. The default is 0.
- Data type: Integer
- Example: 10
Attribute matcher properties
- userBehavior.minimumUsageHistoryRequired
- Minimum usage data records required for any usage data analysis; used by LoginTimeMatcher.
- Data type: Integer
- Example: 8
- userBehavior.ipAddressRequestAttribute
- The XACML request attribute from which the IP address is read.
- Data type: String
- Example: urn:ibm:security:subject:ipAddress
IP reputation PIP properties
- ip.reputation.ipAddressAdverseReputationThreshold
- The value that an IP classification score must be at or above for an IP address to be considered as that classification.
- Data type: Integer
- Example: 50
- ipReputation.dbConnectionTimeout
- Indicates the number of seconds that the IP reputation policy information point (PIP) waits for a connection to the IP reputation database. The ipReputation.dbConnectionTimeout property defaults to 120.
- Data type: Integer
- Example: 60
Attribute collector properties
- attributeCollection.cookieName
- Correlation ID used by the attribute collector.
- Data type: String
- Example: ac.uuid
- attributeCollection.requestServer
- Request server for the attribute collector: the list of allowed hosts from which the ajaxRequest can be sent.
- Data type: String List
- Example: https://rbademo.example.com,https://rbaemo2.example.com
- attributeCollection.serviceLocation
- Location of the attribute collector.
- Data type: String List
- Example: http://rbademo.example.com/mga
- attributeCollection.sessionTimeout
- Number of seconds in which sessions stored in context-based access will automatically expire, unless updated. If any attribute in the session is updated, the session expiry is extended by the specified number of seconds configured in this property. The default is 1800 seconds.
- Data type: Integer
- Example: 1800
- attributeCollection.enableGetAttributes
- Enables the REST GET method to return attributes.
- Data type: Boolean
- Example: false
- attributeCollection.getAttributesAllowedClients
- A comma-separated list of clients that are allowed to access the ACS REST GET method. If this property is not set and attributeCollection.enableGetAttributes is set to true, anyone can access the GET method. If this property is set but attributeCollection.enableGetAttributes is set to false, this property is ignored.
- Data type: String List
- Example: hostname1, hostname2
- attributeCollection.hashAlgorithm
- The algorithm that is used to create the hash.
- Data type: String
- Example: SHA256
- attributeCollection.attributesHashEnabled
- A comma-separated list of attribute URI values configured for hashing. Attention: Do not hash the following attributes:
- ipAddress
- geoLocation
- accessTime
- Data type: String List
- Example:
urn:ibm:security:environment:http:userAgent, urn:ibm:security:environment:deviceFonts, urn:ibm:security:environment:browserPlugins
- attributeCollection.authenticationContextAttributes
- Comma-separated list of attribute names to be collected during an authentication service obligation. The maximum length of this property is 200 characters.
- Data type: String List
- Example: authenticationLevel, http:host
Device registration properties
- deviceRegistration.allowIncompleteFingerprints
- Specifies whether the device registration obligation may store fingerprints when not all fingerprint attributes are available in the session information.
- Data type: Boolean
- Example: false
- deviceRegistration.checkForExpiredDevices
- Determines whether registered devices are inactive or expired. If the deviceRegistration.checkForExpiredDevices property is set to true, the risk engine checks whether a device is inactive or expired. The deviceRegistration.checkForExpiredDevices property defaults to false, which means that users can use any of the devices that are registered.
- Data type: Boolean
- Example: true
- deviceRegistration.cleanupThread.batchSize
- Specifies if batch delete is enabled for expired devices and how many records are deleted per batch.
- If the value is defined as 0 or is blank, batch delete is not enabled and all expired devices are deleted using one SQL delete statement.
- If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all of the expired devices are deleted. The batch process is useful for deleting a large quantity of expired devices.
- Data type: Integer
- Example: 1000 (Batch delete is enabled, with a batch size of 1000 records.)
- deviceRegistration.deviceMatchThreshold
- The risk score threshold where an existing fingerprint is considered to match the incoming device fingerprint.
- Data type: Integer
- Example: 20
- deviceRegistration.inactiveExpirationTime
- Specifies the number of days that a device must be inactive for it to expire. The deviceRegistration.inactiveExpirationTime property defaults to 90.
- Data type: Integer
- Example: 100
- deviceRegistration.maxRegisteredDevices
- Maximum device fingerprint count. The default is 10. Valid values are 1 to 100.
- Data type: Integer
- Example: 10
- deviceRegistration.maxUsageDataPerUser
- Maximum number of historical usage attribute records stored per user. The default is 200. Valid values are 1 to 5000.
- Data type: Integer
- Example: 1000
- deviceRegistration.permitOnIncompleteFingerprints
- Specifies to permit access to the resource if the fingerprint collected by the device registration obligation does not include all fingerprint attributes.
- Data type: Boolean
- Example: false
Runtime properties
- runtime.dbLoggingEnabled
- Enables fine-grained logging for database SQL statements.
- Data type: Boolean
- Example: false
- runtime.hashAlgorithm
- The algorithm that is used for hashing. The supported algorithms are:
- SHA-1
- SHA-256
- SHA-384
- SHA-512
The runtime.hashAlgorithm property defaults to SHA-256. SHA-1 is retained for compatibility with values hashed under earlier configurations; do not select it for new hashing.
- Data type: String
- Example: SHA-256
- runtime.verificationHashAlgorithms
- Defines the hashing algorithms that are used to verify a hashed value. The value is typically a comma-separated list of hashing algorithms, tried in the order listed.
- Data type: String
- Example: SHA-256, SHA-1
Single sign-on protocol service
- sps.setCookiesAsSecure
- Determines whether the cookies set by Security Access Manager are flagged as secure. Set it to true when the point of contact is reached over HTTPS so that browsers never send these cookies over plain HTTP. The default value is false.
- Data type: Boolean
- Example: false
- sps.targetURLWhitelist
- Specifies a list of allowed target URLs for SAML 2.0, OpenID Connect, and the authentication service. Use this property to prevent an attacker from redirecting a user to malicious target URLs.
The value of this advanced configuration property is a comma-separated string, where each entry is a target URL in the form of a regular expression. The regular expression must not contain commas, and spaces between regular expressions are ignored.
- For SAML 2.0 SSO flows, you can specify a Target URL when you configure the initial URL in flows that are initiated by either the Identity Provider or the Service Provider. For more information, see SAML 2.0 profile initial URLs.
- For OpenID Connect flows, you can specify a Target URL when you configure the initial URL for Relying Party initiated single sign-on. For more information, see Relying Party SSO initiation endpoint.
- For the authentication service, you can specify a Target URL when you configure the authentication service trigger URL. For more information, see Configuring authentication.
The default value is ".*", which accepts any target URL; replace it with the URLs your deployment actually uses.
- Data type: String
- Example: (http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*
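As an added illustration of why the exact form of each entry matters (example code written for this page, not part of the product), the following Python checks Target URLs against the page's example value. It assumes the runtime matches the whole URL against each expression; the page does not state how matching is done. The second half audits an entry list for two things a reviewer should look for: the documented default ".*", and unescaped dots in host names.

```python
import re

# Value of sps.targetURLWhitelist exactly as the page's example gives it.
# Each comma-separated entry is a regular expression; entries cannot contain commas
# and whitespace between entries is ignored.
PAGE_EXAMPLE = "(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*"

# A tighter equivalent: https only, and dots in the host names escaped so '.' only matches '.'.
TIGHTENED_EXAMPLE = r"https://www\.app\.ibm\.com/.*, https://www\.myidp\.ibm\.com/.*"


def parse_whitelist(value: str) -> list:
    """Split the property value into compiled patterns."""
    return [re.compile(e.strip()) for e in value.split(",") if e.strip()]


def target_allowed(target: str, value: str) -> bool:
    """True if the whole Target URL matches one entry.

    fullmatch() anchors the expression at both ends (assumed here to be how the
    runtime matches; the page does not say).  An unanchored search() would let
    'https://evil.example/?next=https://www.app.ibm.com/' through because the
    allowed pattern occurs as a substring of the attacker's URL.
    """
    return any(p.fullmatch(target) for p in parse_whitelist(value))


def target_allowed_unanchored(target: str, value: str) -> bool:
    """Same check with search(): kept only to show why anchoring matters."""
    return any(p.search(target) for p in parse_whitelist(value))


def audit_whitelist(value: str) -> list:
    """Flag entries a reviewer should look at twice.

    - '.*' alone (the documented default) allows any target URL.
    - An unescaped '.' inside a host name matches any character, so
      '(http|https)://www.app.ibm.com/.*' also accepts 'https://www-app-ibm.com/'.
    """
    findings = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry == ".*":
            findings.append((entry, "matches every target URL"))
            continue
        host_part = entry.split("://", 1)[-1].split("/", 1)[0]
        if re.search(r"(?<!\\)\.", host_part):
            findings.append((entry, "unescaped '.' in host name"))
    return findings
```

Run audit_whitelist over the configured value during a review; the page's own example yields two findings for unescaped dots, and the tightened form yields none.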
- sps.illegalUrlSubstrings
- A comma-separated list of strings. The single sign-on service stops processing the request if the request URL query parameters contain any of the strings. The default value is "".
- Data type: String
- Example: "<script"
SPS page
- sps.page.htmlEscapedMacros
- A comma-separated list of macros that is HTML-escaped when it is rendered in pages that are sent to the browser.
- Data type: String
- Example:
@REQ_ADDR@, @DETAIL@, @EXCEPTION_STACK@, @EXCEPTION_MSG@, @OTP_METHOD_ID@, @OTP_METHOD_LABEL@, @OTP_HINT@, @ERROR_MESSAGE@, @MAPPING_RULE_DATA@
- sps.page.exceptionMacros
- A comma-separated list of classname:macro pairs. Classname is the fully qualified name of the exception class. Macro is the name of the macro to which the class maps.
- Data type: String
- Example:
com.tivoli.am.fim.otp.deliveries.OTPDeliveryException = @OTP_DELIVERY_EXCEPTION@, com.tivoli.am.fim.otp.providers.OTPProviderException = @OTP_PROVIDER_EXCEPTION@
- sps.page.notEscapedMacros
- A comma-separated list of macros that are not HTML-escaped when they are rendered in pages that are sent to the browser. Macros that do not appear in this list, and the macros in the htmlEscapedMacros list, are HTML-escaped.
- Data type: String
- Example: @COOKIE_NAME@, @SERVER_NAME@, @JUNCTION@
- sps.page.hiddenMacros
- A comma-separated list of macros that are not rendered in the pages that are sent to the browser. The default value is @EXCEPTION_STACK@.
- Data type: String
- Example: @EXCEPTION_STACK@
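The three macro lists together decide what reaches the browser unescaped. The following added Python is an illustration written for this page, not the product's rendering code: it applies the page's example values to a constructed template and shows that a macro is only safe in notEscapedMacros if a client can never influence its content. The precedence (hidden first, then raw, then escaped) is assumed from the descriptions above; the template and macro values are constructed for the example.

```python
import html
import re

# Property values taken from the page's examples.
HTML_ESCAPED_MACROS = "@REQ_ADDR@, @DETAIL@, @EXCEPTION_STACK@, @EXCEPTION_MSG@, @ERROR_MESSAGE@"
NOT_ESCAPED_MACROS = "@COOKIE_NAME@, @SERVER_NAME@, @JUNCTION@"
HIDDEN_MACROS = "@EXCEPTION_STACK@"

# Constructed stand-ins for one of the runtime's HTML pages and the values a request produced.
TEMPLATE = "<p>Error for @REQ_ADDR@ at @SERVER_NAME@: @DETAIL@</p><pre>@EXCEPTION_STACK@</pre>"
VALUES = {
    "@REQ_ADDR@": "203.0.113.7",
    "@SERVER_NAME@": "idp.example.com",
    "@DETAIL@": "<script>alert(1)</script>",   # request-derived text carrying a payload
    "@EXCEPTION_STACK@": "java.lang.Exception at ...",
}

MACRO_RE = re.compile(r"@[A-Z_]+@")


def _split(value: str) -> set:
    return {m.strip() for m in value.split(",") if m.strip()}


def render(template: str, values: dict, hidden: str = HIDDEN_MACROS,
           not_escaped: str = NOT_ESCAPED_MACROS) -> str:
    """Substitute macros according to the three lists.

    Assumed precedence: a hidden macro is never rendered; a macro in notEscapedMacros
    is inserted verbatim; every other macro is HTML-escaped, whether or not it is
    listed in htmlEscapedMacros (the page says unlisted macros are escaped too).
    """
    hidden_set, raw_set = _split(hidden), _split(not_escaped)

    def substitute(match):
        name = match.group(0)
        if name in hidden_set:
            return ""
        value = str(values.get(name, ""))
        return value if name in raw_set else html.escape(value, quote=True)

    return MACRO_RE.sub(substitute, template)


def unsafe_raw_macros(not_escaped: str, client_influenced: set) -> set:
    """Macros rendered raw whose content a client can influence: XSS candidates."""
    return _split(not_escaped) & client_influenced
```

Which macros are client-influenced is deployment-specific; feed unsafe_raw_macros the set you established when reviewing the pages, and move any hit out of notEscapedMacros.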
Risk engine properties
- riskEngine.reportsEnabled
- Enables the generation of risk calculation reports.
- Data type: Boolean
- Example: false
- riskEngine.reportsMaxStored
- Specifies the maximum number of reports to store.
- Data type: Integer
- Example: 5
Authentication service properties
- sps.authService.reauthenticationEnabled
- Specifies that the authentication service performs authentication even if the user already has an authenticated session at the required authentication level.
- Data type: Boolean
- Example: true
- sps.authService.policyKickoffMethod
- Specifies whether the URLs /sps/authsvc and /sps/apiauthsvc can be invoked with the policyId query string parameter.
If set to true, the authentication service endpoints continue to accept policyId as a query or post parameter.
If set to false, the authentication service endpoints change to:
- /sps/apiauthsvc/policy/<shortPolicyId>
- /sps/authsvc/policy/<shortPolicyId>
where <shortPolicyId> is the value that follows the prefix urn:ibm:security:authentication:asf:
Authentication service session store properties
- authsvc.stateMgmt.cookieless
- Enables the server side storage of session data for the authentication service. If enabled, this removes the need for the JSESSIONID cookie.
Data type: Boolean
Example: true
Default value: true
- authsvc.stateMgmt.store
- Specifies the storage type that is used by the Authentication service to cache user session data. The authentication service can be supported by the DSC, the HVDB, or stored in Memory.
Note: For clustered environments, storage in Memory does not replicate between nodes.
Data type: String
Example: Memory
Default value: HVDB
- authsvc.stateMgmt.HVDB.lifetime
- Length of time in seconds that a session is cached for. Once this time period is exceeded, the user's session is removed from the session store. If this value is less than 0, the default lifetime of 3600 seconds (1 hour) is enforced. This configuration option applies only to session stores supported by the HVDB or Memory.
Data type: Integer
Example: 60 (1 minute)
Default value: 3600
- authsvc.stateMgmt.HVDB.maxSessions
- Maximum number of user sessions to be cached at any point in time. If the number of sessions in the store exceeds this value, the oldest session is invalidated. This configuration option only applies to session stores that are supported by the HVDB or Memory.
Data type: Integer
Example: 10000
Default value: 1000
- authsvc.stateMgmt.HVDB.cleanupWait
- Frequency (in seconds) at which expired or excess sessions are removed from the session store. Setting this entry to -1 disables the cleanup thread. This configuration option only applies to session stores backed by the HVDB or Memory.
Data type: Integer
Example: 30
Default value: 120
- authsvc.stateMgmt.HVDB.cleanupThread.batchSize
- Maximum number of expired sessions which are removed in a single cleanup operation. If the value is defined as 0 or is blank, batch delete is not enabled and all expired sessions are deleted by using one SQL delete statement. If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many sessions are deleted in each batch. The batch delete continues until all of the expired sessions are deleted. This configuration option only applies to sessions that are stored in the HVDB or Memory.
Data type: Integer
Example: 1000
Default value: 0
- authsvc.stateMgmt.HVDB.cleanupOnlyOnPrimaryMaster
- Prevents the cleanup thread from running on non-primary master nodes in a clustered environment. This configuration option only applies to sessions that are stored in the HVDB or Memory.
Data type: Boolean
Example: true
Default value: true
Session
- session.dbCleanupInterval
- Specifies the interval, in seconds, at which the database cleanup thread runs to remove expired data in the runtime database. The default is 86400. The minimum value for this property is 3600. For more information, see Runtime database tuning parameters.
Session database clean up can be disabled by setting the dbCleanupInterval to 0. This is not overridden by the minimum value.
- Data type: Integer
- Example: 90000
Distributed session cache
- distributedSessionCache.enabled
- A switch that dictates if the distributed session cache is used for session failover. If this setting is not enabled, the distributed session cache server still runs as a service, but the client does not use it.
- Data type: Boolean
- Example: false
- distributedSessionCache.localCacheSize
- The number of sessions to be stored on the client as a local cache. A value of 0 or less means that any number of sessions can be cached by the client. A low number requires more connections to the distributed session cache if there are many active sessions. A high number runs the risk of running out of memory if many sessions are locally cached. All sessions are still stored on the distributed session cache when it is enabled.
- Data type: Integer
- Example: 4096
- distributedSessionCache.externalServers
A list of locations of the distributed session cache servers in weighted order.
Syntax:
<primary_address>:<port>[:<ssl>];<secondary_address>:<port>[:<ssl>],...
- <address>
The IP address of the distributed session cache server. For example, 10.150.21.80.
- <port>
The port for the distributed session cache. For example, 2126.
- <ssl>
Whether SSL communication with the distributed session cache is required. The default value is false.
Data type: String
Example:
10.150.21.80:2126:true;10.150.21.81:2126:false,10.150.21.82:2126
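An added parser (example code written for this page, not part of the product) for the externalServers syntax above, run on the page's example value. The check at the end lists servers whose ssl flag is absent or false, since the default of false means session data crosses the network in the clear. Only the IPv4 dotted form shown on the page is handled; the accepted spellings of the flag beyond "true"/"false" are an assumption.

```python
# Value of distributedSessionCache.externalServers from the page's example.
# Groups separated by ',' are tried in weighted order; within a group the primary and
# secondary servers are separated by ';'; each server is <address>:<port>[:<ssl>].
EXTERNAL_SERVERS = "10.150.21.80:2126:true;10.150.21.81:2126:false,10.150.21.82:2126"


def parse_external_servers(value: str) -> list:
    """Return [[(address, port, ssl), ...], ...], one inner list per ';'-joined group.

    The ssl flag defaults to False when omitted, as the page states.  Only dotted IPv4
    addresses are expected, so splitting on ':' is safe.
    """
    groups = []
    for group in value.split(","):
        servers = []
        for server in group.split(";"):
            parts = server.strip().split(":")
            if len(parts) not in (2, 3):
                raise ValueError(f"malformed server entry: {server!r}")
            address, port = parts[0], int(parts[1])
            ssl = len(parts) == 3 and parts[2].strip().lower() == "true"
            servers.append((address, port, ssl))
        groups.append(servers)
    return groups


def servers_without_ssl(value: str) -> list:
    """Servers that will be contacted without SSL: session data is unprotected on the wire."""
    return [f"{address}:{port}"
            for group in parse_external_servers(value)
            for address, port, ssl in group
            if not ssl]
```

For the page's example, two of the three servers are reached without SSL, one because the flag is false and one because it is omitted.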
- distributedSessionCache.localCacheEnabled
- A switch that dictates whether a local cache of distributed sessions is maintained. If this setting is disabled, a higher load is placed on the distributed session cache server. Enable the local cache only if all requests from the same client are guaranteed to be sent to the same runtime server (otherwise known as stickiness). Session inconsistencies might occur if the local cache is enabled and stickiness is not maintained. All sessions are still stored in the distributed session cache when it is enabled.
Data type: Boolean
Example: False
TOTP and HOTP retry properties
- otp.retry.enabled
- Whether the retry protection is enabled.
- Data type: Boolean
- Example: true
- otp.retry.maxNumberOfAttempts
- The maximum number of strikes the users can have before they are prevented from logging in.
- Data type: Integer
- Example: 5
- otp.retry.otpRetryTimeout
- The number of seconds a strike lasts.
- Data type: Integer
- Example: 600
OAuth20
- oauth20.cleanupThread.batchSize
- Specifies if batch delete is enabled for expired OAuth 2.0 tokens and how many records are deleted per batch.
- If the value is defined as 0 or is blank, batch delete is not enabled and all expired OAuth tokens are deleted using one SQL delete statement.
- If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all of the expired OAuth tokens are deleted. The batch process is useful for deleting a large quantity of expired tokens.
- Data type: Integer
- Example: 1000 (Batch delete is enabled, with a batch size of 1000 records.)
- oauth20.clientDataToInclude
- Specifies the OAuth client information to be returned as JSON data. This property is a comma-separated list of the JSON keys. You can specify one or more of these keys for this property. Valid values are:
- contact_type
- email_address
- contact_person
- company_name
- company_url
- phone_number
- other_info
Note: The oauth20.clientDataToInclude property defaults to contact_type, email_address, contact_person, company_name, company_url, phone_number, other_info.
- Data type: String
- Example: contact_type, email_address, company_name
- oauth20.doNotSendXFrameOptionsHeader
- Specifies whether an X-Frame-Options header with value SAMEORIGIN is returned from the OAuth 2.0 endpoints. When set to true, no X-Frame-Options header is sent and the endpoints can be framed by other origins, which exposes them to clickjacking. Note: The oauth20.doNotSendXFrameOptionsHeader property defaults to false.
- Data type: Boolean
- Example: false
- oauth20.hashedTokenStorageEnabled
- Enables hashed storage when set to true. The Security Access Manager appliance can persist OAuth 2.0 tokens in clear-text form or in the more secure hashed form. The hashing algorithm set in the runtime.hashAlgorithm property is used. When verifying hashed tokens, the runtime.verificationHashAlgorithms property is used. The algorithms listed in the runtime.verificationHashAlgorithms property are tried in the specified order. This mechanism allows the hashing algorithm to be upgraded while continuing to support old tokens.
Note: The oauth20.hashedTokenStorageEnabled property defaults to false, and the OAuth 2.0 tokens are stored as-is.
- Data type: Boolean
- Example: false
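The hash-then-verify scheme described for oauth20.hashedTokenStorageEnabled, runtime.hashAlgorithm and runtime.verificationHashAlgorithms, as an added Python illustration written for this page (not the appliance's code): a token is stored as a digest under the current algorithm, and a presented token is checked against each verification algorithm in order, so SHA-1 digests written before a move to SHA-256 still validate until SHA-1 is dropped from the list. The storage format (a bare hex digest) and the constant-time comparison are assumptions; the tokens are constructed for the example.

```python
import hashlib
import hmac

# Property values as the page gives them: hashing uses runtime.hashAlgorithm, verification
# tries runtime.verificationHashAlgorithms in the order listed.
RUNTIME_HASH_ALGORITHM = "SHA-256"
RUNTIME_VERIFICATION_HASH_ALGORITHMS = "SHA-256, SHA-1"


def _digest(algorithm: str, token: str) -> str:
    """Hex digest of token under a page-style algorithm name ('SHA-256' -> hashlib 'sha256')."""
    return hashlib.new(algorithm.replace("-", "").lower(), token.encode()).hexdigest()


def store_token(token: str, algorithm: str = RUNTIME_HASH_ALGORITHM) -> str:
    """What goes into the token table when hashed storage is on: a digest, never the token."""
    return _digest(algorithm, token)


def lookup_token(presented: str, stored_digests: list,
                 verification: str = RUNTIME_VERIFICATION_HASH_ALGORITHMS):
    """Return the name of the verification algorithm that matched, or None.

    Each algorithm in the list is tried in order, so tokens hashed under an older
    algorithm (SHA-1 here) keep working after runtime.hashAlgorithm is moved to SHA-256.
    hmac.compare_digest keeps each comparison constant-time.
    """
    algorithms = [a.strip() for a in verification.split(",") if a.strip()]
    for algorithm in algorithms:
        candidate = _digest(algorithm, presented)
        for stored in stored_digests:
            if hmac.compare_digest(candidate, stored):
                return algorithm
    return None
```

Hashed storage protects tokens against a read of the database; the token itself is still a bearer credential in transit and in the client, so this is a defence-in-depth setting, not a substitute for TLS or short lifetimes.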
- oauth20.sessionEndpointEnabled
- Enables the ability to return an authenticated session at the point-of-contact when the oauth20.sessionEndpointEnabled property is set to true. Note: The oauth20.sessionEndpointEnabled property defaults to false.
- Data type: Boolean
- Example: false
- oauth20.tokenCache.cleanupWait
- The amount of time, in seconds, to wait before it performs another cleanup of expired tokens in the OAuth 2.0 token cache. Note: The oauth20.tokenCache.cleanupWait property defaults to 120.
OAuth token clean up can be disabled by setting the cleanupWait value to 0.
- Data type: Integer
- Example: 120
- oauth20.legacyAttributeHandling
- Changes how associated attributes function across the API Protection and OpenID Connect solution. This includes:
- OauthMappingExtUtils.retrieveAllAssociations() and OauthMappingExtUtils.getAssociation() calls in mapping rules
- When it is set to True, it does not return READONLY or SENSITIVE attributes.
- When it is set to False, it returns READONLY or SENSITIVE attributes.
- The user self care endpoint /mga/sps/mga/user/mgmt/grant/
- When it is set to True, attributes that are both READONLY and SENSITIVE are returned.
- When it is set to False, attributes that are both READONLY and SENSITIVE are not returned.
- Attributes which are saved from attribute sources when performing identity enrichment.
- When it is set to True, attributes are saved against the grant as neither READONLY nor SENSITIVE.
- When it is set to False, attributes are saved against the grant as READONLY. The post token rule can be used to update this value if necessary.
HTTP client
- util.httpClient.defaultTrustStore
- Stores the default truststore that HTTPS connections in the HTTP client use. Note: The util.httpClient.defaultTrustStore property defaults to rt_profile_keys.
- Data type: String
- Example: rt_profile_keys
- util.httpClient.defaultSSLProtocol
- Stores the default SSL protocol configuration that HTTPS connections in the HTTP client use. Note: The util.httpClient.defaultSSLProtocol property defaults to TLS.
- Data type: String
- Example: TLS
- util.httpClient.maxActiveConnections
- Specifies the maximum number of HTTP and HTTPS connections, per host, between the appliance
runtime and other modules. In a multiple host environment, the runtime might need to establish many
HTTP/HTTPS connections at the same time. By specifying this property, you can limit the number of
active connections for each host. This setting ensures that each host can obtain their fair share of
HTTP/HTTPS connections without being forced to wait for other hosts to release connections.
- Data type: String
- Default: An unlimited number of HTTP/HTTPS connections are permitted
You can specify the maximum number of active connections in one of two ways:
- Specify a maximum number to apply to every host.
Syntax:
"*=<count>"
- Specify a maximum number on a per host basis. Syntax:
"<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"
- <host>
- The host value can be either an IP address, a hostname or domain name as specified in the
Endpoint URL. Specify the host value based on the URL format. For example:
- IP Address: 192.168.102.192
- Hostname or domain name: www.server1.com
- <port>=<count>
- The communication port on the host. For example, to limit port 80 to only 100 connections, enter 80=100.
- *=<count>
- The count limit for servers that are not specified by a <host> value
in this property. When set to zero (*=0) there is no limit on the number of HTTP/HTTPS connections that can be created to other servers. When set to an integer greater than zero, the integer specifies the maximum number of HTTP/HTTPS connections that can be created to each of the other servers. Note: Ensure that <count> is specified as a value of type integer. Do not use values of type string for <count>.
- Example 1: Specifying a maximum number to apply to every host
For example, your deployment must establish connections to two servers. You want to limit the number of connections to 100 per server. You also want to ensure that when you add additional servers, the number of connections to each additional server is limited to 100.
Use the syntax "*=<count>". For this example:
"*=100"
- Example 2: Specifying maximum numbers on a per host basis
For example, your deployment must establish connections to two servers. You want to limit the number of connections for one server to 100, but allow the other server to have 200 connections. In addition, you do not want to limit the number of connections for any additional servers.
- Use the syntax:
"<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"
For example, the runtime might need to establish the connections to the following URLs, for an SMS OTP flow and an OIDC flow:
- http://www.server1.com/isam/sms_otp
- https://192.168.102.192/isam/oidc_sts
Example configuration entry:
"www.server1.com:80=100,192.168.102.192:443=200,*=0"
The example configuration entry specifies:
- The maximum number of HTTP/HTTPS connections that can be created to www.server1.com at a time (on port 80) is 100.
- The maximum number of HTTP/HTTPS connections that can be created to 192.168.102.192 at a time (on port 443) is 200.
- There is no limit on the number of HTTP/HTTPS connections that can be created to other hosts.
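An added parser for the maxActiveConnections syntax (example code written for this page, not the product's own), run against the page's two examples. It resolves an endpoint URL to the host:port key the runtime would consult, taking the port from the scheme when the URL omits it, which is how http://www.server1.com/isam/sms_otp lands on the www.server1.com:80 entry. The rule that a missing wildcard means no limit follows the documented default; the handling of surrounding quotes and the exact key format are assumptions.

```python
from urllib.parse import urlsplit

# The page's two example values, quotes included as written there.
EXAMPLE_EVERY_HOST = '"*=100"'
EXAMPLE_PER_HOST = '"www.server1.com:80=100,192.168.102.192:443=200,*=0"'

# Ports implied by the scheme when the endpoint URL does not name one.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_limits(value: str) -> dict:
    """Turn '<host>:<port>=<count>,...,*=<count>' into {'host:port': count, '*': count}.

    Surrounding quotes, as written in the page's examples, are tolerated.  <count> must
    be an integer, as the page insists; anything else raises ValueError.
    """
    limits = {}
    for entry in (e.strip() for e in value.strip().strip('"').split(",")):
        if not entry:
            continue
        key, sep, count = entry.partition("=")
        if not sep or not count.strip().isdigit():
            raise ValueError(f"count must be an integer: {entry!r}")
        limits[key.strip()] = int(count)
    return limits


def is_valid_limits(value: str) -> bool:
    """True if the value parses; use this before saving the property."""
    try:
        parse_limits(value)
        return True
    except ValueError:
        return False


def limit_for_url(url: str, value: str):
    """Connection cap the runtime would apply to url's host:port, or None for no limit.

    A per-host entry wins; otherwise the '*' entry applies; '*=0' or no '*' entry at all
    means unlimited, which is the documented default.
    """
    limits = parse_limits(value)
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    count = limits.get(f"{parts.hostname}:{port}", limits.get("*", 0))
    return count if count > 0 else None
```

Against Example 2, the SMS OTP URL resolves to a cap of 100, the OIDC STS URL to 200, and any other host to no limit, as the page describes.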
Demo
- live.demos.enabled
- Enables the mobile demonstration application.
- Data type: Boolean
- Example: False
- live.demos.settings
- This setting can be used to pre-populate the settings of the mobile demo. This is a comma-separated set of key, value pairs that match what is submitted on the settings form.
Data type: String
Example: lmiHostAndPort=lmi.host.com, lmiAdminId=admin, lmiAdminPwd=admin, acHostAndPort=127.0.0.1, websealHostNameAndPort=webseal.host.com
Knowledge questions properties
- knowledge.questions.AnswerValidationRegEx
- Specifies the regular expression used to validate the knowledge question answer value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against to determine if the supplied value is valid. Note: At a minimum, this property must include the following characters: <>:"
- Data type: RegEx
- Example: [\[()<>,;:\\/\"\]=]
- knowledge.questions.QuestionValidationRegEx
- Specifies the regular expression used to validate the knowledge question text value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against to determine if the supplied value is valid. Note: At a minimum, this property must include the following characters: <>:"
- Data type: RegEx
- Example: [\[()<>,;:\\/\"\]=]
Key encryption and signing service (KESS)
- kess.crlEnabled
- Checks the certificate revocation list. Checking is done by the key encryption and signature service (KESS) for all functions that use an external certificate, except for the audit syslog. If your configuration does not require CRL checking, you can disable it. For example, if you use an internal certificate authority (CA), you might want to disable CRL checking. The kess.crlEnabled property defaults to true.
- CRL site unavailability scenario
- If you have kess.crlEnabled set to true and a CRL site becomes unavailable, you cannot determine the revocation status of the certificate. In this situation, the single sign-on flow fails. Confirm a CRL site unavailability issue by looking for the message FBTKJK056E The CRL site could not be determined. in the runtime trace.log file. As a temporary workaround, set kess.crlEnabled to false to keep the single sign-on flow running. As soon as the CRL site is working again, set kess.crlEnabled back to true so that the single sign-on flow includes the CRL check.
CAUTION: If you stop CRL checking as a temporary workaround, be aware that the certificate might already have been revoked by the CA. Allowing such a certificate to pass validation creates a security exposure, so re-enable CRL checking as soon as possible.
- Data type: Boolean
- Example: true
- kess.crlInterval
- The amount of time, in seconds, between successive CRL checks. Using an interval of time between
CRL checks reduces the performance impact of doing the checks every time a certificate needs to be
validated.
A value less than or equal to zero means that the runtime performs a CRL check every time it wants to use a certificate. The default is 0 seconds.
If kess.crlEnabled is set to false, this value is ignored.
- Data type: Integer
- Example: 86400
This value means that a CRL check on a certificate is performed once per day.
- kess.hostnameValidationDisabled
- Determines whether host name verification is disabled when an SSL connection is established. Host name verification checks that the host name of the server matches the CN of the server's certificate; when it does not, the connection is rejected.
In a test environment, you might want to disable the validation. In a production environment, keep validation enabled: without it, any certificate that chains to a trusted CA is accepted for any host, which lets an on-path attacker impersonate the server.
The default value is False.
- Data type: Boolean
- Example: False
- kess.keySelectionCriteria
- Specify which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If there are multiple keys or certificates with the same Subject DN as the key or certificate with the specified alias, this setting determines which one to use. Use one of the following selection methods:
- only.alias
- Select the key or certificate with the specified alias. This is the default.
- longest.lifetime
- Select the key or certificate with the longest lifetime.
- shortest.lifetime
- Select the key or certificate with the shortest lifetime.
- Data type: String
- Example: only.alias
- kessjksservice.exclude.inclusive.namespace.prefixes
- Specifies a comma-separated list of prefix names. When this is set, the prefixes in the list are not added to the InclusiveNamespaces list that is in the Signature Element.
Data type: String
Example: ds
JSON Web Key
- jwks.encryption.keystore
Defines the name of the encryption keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'enc'.
Default value: rt_profile_keys
- jwks.signing.keystore
Defines the name of the signing keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'sig'.
Default value: rt_profile_keys
Policy information point (PIP)
- pip.uncachedAttributes
- Defines a comma-separated list of attributes that are generated by a policy information point (PIP) that you do not want to be cached.
- Data type: String list
- Example: urn:ibm:security:jdbc:city, urn:ibm:security:ldap:priviledgeUser
Security token service (STS)
- sts.ivcred.unauthenticated.user.name
- Set to a special user account for unauthenticated user tokens when using the IVCRED STS module in validate mode. The default value is "".
- Data type: String
- Example: guest
- sts.ivcred.unauthenticated.user.registry.id
- In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's registry ID can also be added when using the IVCRED STS module in validate mode. The default value is "".
This parameter is optional.
- Data type: String
- Example: cn=guest,o=ibm,c=us
- sts.ivcred.unauthenticated.user.uuid
- In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's UUID can also be added when using the IVCRED STS module in validate mode. The default value is "".
This parameter is optional.
- Data type: String
- Example: 81a2a65e-0018-0150-8080-3f83b0f74f4c
- sts.ldapAttributeCache.TTL
- Specifies a time-to-live (TTL) value, in seconds, for the amount of time to keep an LDAP
attribute in the cache. Specify 0 to disable.
The default value is 60.
- Data type: Integer
- Example: 60
Mobile Multi-Factor Authentication (MMFA)
- mmfa.authenticator.cleanupWait
- The amount of time, in seconds, to wait before another cleanup of expired authenticators is performed.
MMFA authenticator cleanup can be disabled by setting cleanupWait to 0.
The default value is 3600.
- Data type: Integer
- Example: 3600
- mmfa.transactionArchival.maxCompletedPerUser
- The number of historical transactions in a completed state to keep in the HVDB before archival to the audit log. The oldest transactions are removed first. A value of -1 indicates that no archival is performed.
The default value is 50.
- Data type: Integer
- Example: 50
- mmfa.transactionArchival.maxPendingPerUser
- The number of transactions to keep in a pending state. Transactions over this number have their status set to "fail". The oldest transactions are aborted first. A value of -1 indicates that no archival is performed.
The default value is 1.
- Data type: Integer
- Example: 1
- mmfa.transactionPending.minAgeBeforeAbort
- The minimum number of seconds a transaction is in the pending state before it is aborted by a cleanup thread. Because of the cleanup thread interval, the total time a transaction can be in the pending state is between minAgeBeforeAbort and (minAgeBeforeAbort + cleanupInterval) - 1.
The default value is 300.
- Data type: Integer
- Example: 300
- mmfa.transactionPending.cleanupInterval
- The number of seconds between each run of the pending transactions cleanup thread.
The default value is 150.
- Data type: Integer
- Example: 150
- mmfa.transaction.cleanupOnlyOnPrimaryMaster
- Indicates whether transaction cleanup runs on all nodes in a cluster, or only on the primary master. This applies to pending transaction cleanup as well as transaction archival.
The default value is false.
- Data type: Boolean
- Example: false
- mmfa.devicePrompt.skipIfOneDevice
- Indicates whether to skip the device selection page in an MMFA flow if the user has only one device or authenticator registered.
The default value is false.
- Data type: Boolean
- Example: true
WS-Federation
- wsfed.idp.rstr.excluded.elements
- Specifies a comma-separated list of elements to exclude from the WS-Federation request security token response. Can optionally contain a federation realm and a federation partner realm, to indicate the federation or federation partner that uses the property values.
The default value is default=Forwardable,Delegatable,Status,Renewing.
The syntax for specifying a federation and a federation partner is:
default=<comma_separated_list_of_elements>:<federation_realm>=<comma_separated_list_of_elements>:<federation_realm>%<partner_realm>=<comma_separated_list_of_elements>
- Data type: String
- Example:
default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable:fed1-REALM%partner1-REALM=Status
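The colon-separated syntax above is easy to get wrong by hand, and the property gives no rule for which entry wins when both a federation entry and a federation-partner entry exist. The following parser is an added example, not IBM code: it splits the property value into a lookup table and resolves the list for a federation/partner pair using the lookup order most-specific first (partner entry, then federation entry, then default), which is this example's assumption rather than a documented behaviour. The sample value is the property's documented example.

```python
"""Parse wsfed.idp.rstr.excluded.elements and resolve the list for a federation.

Added example (not IBM code). Syntax handled, from the property description:
  default=<list>:<federation_realm>=<list>:<federation_realm>%<partner_realm>=<list>
Assumption: lookup order is partner entry, then federation entry, then default.
"""
from typing import Dict, List, Optional

# Constructed sample: the documented example value of the property.
SAMPLE_VALUE = (
    "default=Forwardable,Delegatable,Status,Renewing:"
    "fed1-REALM=Forwardable,Delegatable:"
    "fed1-REALM%partner1-REALM=Status"
)


def parse_excluded_elements(spec: str) -> Dict[str, List[str]]:
    """Return a map of key -> element list.

    Keys are 'default', '<federation_realm>' or '<federation_realm>%<partner_realm>'.
    Surrounding whitespace (for example from line wrapping) is ignored.
    A malformed or duplicate entry, or a missing 'default' entry, raises ValueError
    so a bad value is rejected rather than silently excluding nothing.
    """
    table: Dict[str, List[str]] = {}
    for raw in spec.split(":"):
        entry = raw.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"malformed entry (no '='): {entry!r}")
        key, _, value = entry.partition("=")
        key = key.strip()
        if not key:
            raise ValueError(f"malformed entry (empty key): {entry!r}")
        if key in table:
            raise ValueError(f"duplicate entry for key {key!r}")
        table[key] = [e.strip() for e in value.split(",") if e.strip()]
    if "default" not in table:
        raise ValueError("value must contain a 'default=' entry")
    return table


def excluded_for(table: Dict[str, List[str]],
                 federation_realm: str,
                 partner_realm: Optional[str] = None) -> List[str]:
    """Elements to exclude for a federation and (optionally) one of its partners.

    Most specific entry wins: federation%partner, then federation, then default.
    """
    if partner_realm is not None:
        partner_key = f"{federation_realm}%{partner_realm}"
        if partner_key in table:
            return list(table[partner_key])
    if federation_realm in table:
        return list(table[federation_realm])
    return list(table["default"])


if __name__ == "__main__":
    table = parse_excluded_elements(SAMPLE_VALUE)
    for fed, partner in [("fed1-REALM", "partner1-REALM"),
                         ("fed1-REALM", "partner2-REALM"),
                         ("fed2-REALM", None)]:
        print(fed, partner, "->", excluded_for(table, fed, partner))
```

Because ':' and '%' are the separators, a realm name that itself contains either character cannot be expressed unambiguously in this syntax; the parser above assumes realm names are free of both, as in the documented example.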
SAML 1.1
- saml.use.legacy.clockskew.default
- IBM Security Access Manager can add a clock skew of 60 seconds when validating the SAML assertion timestamps. To enable the 60 second clock skew, add the custom property:
saml.use.legacy.clockskew.default = true
Default value: False
- Data type: Boolean
- Example: True
Note: This custom property is also applicable for SAML 2.0.
- saml.allowDebugMessages
- When specified as true, and a SAML artifact resolution failure occurs, the SystemOut.log and SystemErr.log contain an informational message. In addition, the message contains extra debug information about the request that contained the failed artifact and provides a reason for the event.
Note: This message is only available in English.
Default value: False
- Data type: Boolean
- Example: saml.allowDebugMessages = True
- saml.allowNoRecipient
- Use this custom property if a SAML 1.x service provider needs to accept a samlp:Response that does not contain a Recipient attribute.
Default value: False
- saml.assertion.IncludeNSPrefixList.DS
- When this custom property is specified as true, ds is included in the Prefix List attribute of the InclusiveNamespaces in the SAML assertion.
Default value: False
- Data type: Boolean
- Example: True
Note: This custom property is also applicable for SAML 2.0.
- saml.allowSpecificInvalidArtifactMessages
- When this custom property is specified as true, and a SAML artifact resolution failure occurs, the identity provider sends a SAML Response with a specific invalid message to tell the service provider that there is no assertion available. The specific invalid message is FBTSML276E. If not specified, by default it is false, and the invalid message sent back to the service provider is FBTSML013E.
Default value: False
- Data type: Boolean
- Example: True
SAML 2.0
- saml20.enableSubjectInAuthnRequest
- Set to true if the Subject element is required for the SAML 2.0 AuthnRequest. The Subject element is set to the user ID of the existing authenticated session. The default value is false.
- Data type: Boolean
- Example: true
OIDC
- oidc.rp.idToken.validationSkew
- The number of seconds of skew allowed on the 'nbf' and 'exp' claims of an ID token when it is being processed by an OpenID Connect relying party, for instances where the clocks of two systems are not perfectly synchronized.
Note: This advanced configuration does not apply to legacy OpenID Connect relying parties or Reverse Proxy relying parties.
Default value: 0
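Both oidc.rp.idToken.validationSkew and the 60-second legacy SAML clock skew (saml.use.legacy.clockskew.default, above) widen a token's validity window to absorb clock drift between the issuer and the relying party. The following is an added example, not IBM code: it shows how a skew value changes the outcome of the 'nbf' and 'exp' checks on an ID token, using epoch-second integers and constructed claims. The function names and the exact comparison rules (accept when nbf - skew <= now < exp + skew, following the JWT convention that the current time must be before 'exp') are this example's own assumptions; they are not a description of how the product evaluates the claims.

```python
"""Validity-window checks on 'nbf'/'exp' claims with a configurable clock skew.

Added example (not IBM code). Models the effect of a skew setting such as
oidc.rp.idToken.validationSkew or the 60 s legacy SAML clock skew.
Assumed rule: accept when nbf - skew <= now < exp + skew.
"""
import time
from typing import Any, Dict, Optional

LEGACY_SAML_SKEW = 60  # the 60 s skew described for saml.use.legacy.clockskew.default


def check_validity_window(nbf: Optional[int], exp: Optional[int],
                          now: int, skew: int = 0) -> str:
    """Return 'ok', 'not-yet-valid' or 'expired'.

    nbf/exp are epoch seconds; a missing claim (None) is not checked.
    skew widens the window on both sides; a negative skew is rejected rather
    than silently narrowing the window.
    """
    if skew < 0:
        raise ValueError("skew must be >= 0")
    if nbf is not None and now < nbf - skew:
        return "not-yet-valid"
    if exp is not None and now >= exp + skew:
        return "expired"
    return "ok"


def check_id_token_times(claims: Dict[str, Any], skew: int = 0,
                         now: Optional[int] = None) -> str:
    """Apply check_validity_window to the 'nbf' and 'exp' claims of a decoded token.

    'exp' is mandatory for an ID token, so its absence is reported as 'expired'
    (fail closed); 'nbf' is optional. Claims must be integers, as in a JWT.
    """
    if now is None:
        now = int(time.time())
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return "expired"
    nbf = claims.get("nbf")
    if nbf is not None and not isinstance(nbf, int):
        return "not-yet-valid"
    return check_validity_window(nbf, exp, now, skew)


# Constructed sample claims: valid from t=1000 to t=1300 (epoch seconds).
SAMPLE_CLAIMS = {"iss": "https://idp.example", "sub": "alice", "nbf": 1000, "exp": 1300}

if __name__ == "__main__":
    # A relying party whose clock is 10 s behind the issuer sees the token
    # before 'nbf' with skew 0, but accepts it with a 10 s skew.
    for skew in (0, 10):
        print("now=990 skew=%d ->" % skew, check_id_token_times(SAMPLE_CLAIMS, skew, now=990))
    # At exactly 'exp' the token is expired unless skew is allowed.
    for skew in (0, 1):
        print("now=1300 skew=%d ->" % skew, check_id_token_times(SAMPLE_CLAIMS, skew, now=1300))
```

The skew is effectively added to the token lifetime on both ends, so it should be kept to the smallest value that covers the actual clock drift (the OIDC property's default of 0 tolerates none); fixing the clocks is preferable to raising the skew.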