Advanced configuration properties

Modify the advanced configurations for Advanced Access Control or Federation to meet the requirements of your organization.

Category filter

The category filter displays the names of groupings of configuration settings. The groupings correspond to functional areas. When you select a category, the user interface displays only the settings in that category.

WebSEAL Authenticate Callback

poc.websealAuth.authLevel
The authentication level of the callback.
Data type: Integer
Example: 1

One-time password Authenticate Callback

poc.otp.authLevel
The authentication level of the callback.
Data type: Integer
Example: 2
poc.otp.backwardCompatibilityEnabled
Indicates whether the one-time password authentication mechanism should run in backward compatibility mode. The default value is false if it is a new installation. The default value is true if the installation is an upgrade.
Data type: Boolean
Example: true

Authentication-Policy Callback

poc.authPolicy.allowRequestOverride
Whether query string parameters can override the authentication level, authentication mode, and authentication type of the callback. When enabled, the requester controls these values, so leave it false unless a flow requires it.
Data type: Boolean
Example: true
poc.authPolicy.authLevel
The authentication level of the callback.
Data type: Integer
Example: 1
poc.authPolicy.authType
The authentication type of the callback.
Data type: String
Example: COMPLEMENTARY, HIERARCHICAL

SPS HTTP request claims

sps.httpRequestClaims.enabled
Whether HTTP request information is sent to STS as HTTPRequestClaims.
Data type: Boolean
Example: false
sps.httpRequestClaims.filterSpec
The filter that specifies the HTTP request information that is sent to STS as HTTPRequestClaims.
Data type: String
Example: cookies=*:headers=*

Distributed shared data storage

distributedMap.cleanupWait
The amount of time, in milliseconds, that the runtime waits before it performs another cleanup of the distributed map.

Distributed map clean up can be disabled by setting the cleanupWait to 0.

Data type: Integer
Example: 10000
distributedMap.defaultTTL
The amount of time, in seconds, that entries in the distributed map live when no lifetime is specified for the entry.
Data type: Integer
Example: 3600
distributedMap.getRetryDelay
The amount of time, in milliseconds, that the runtime waits before it retries a retrieval from the distributed map. The default is 0.
Data type: Integer
Example: 500
distributedMap.getRetryLimit
The number of retrievals that are attempted against the distributed map before the runtime reports that the requested data is not in the distributed map. The default is 0.
Data type: Integer
Example: 10

Attribute matcher properties

userBehavior.minimumUsageHistoryRequired
Minimum usage data records required for any usage data analysis; used by LoginTimeMatcher.
Data type: Integer
Example: 8
userBehavior.ipAddressRequestAttribute
The XACML request attribute from which the IP address is read.
Data type: String
Example: urn:ibm:security:subject:ipAddress

IP reputation PIP properties

ip.reputation.ipAddressAdverseReputationThreshold
The value that an IP classification score must be at or above for an IP address to be considered as that classification.
Data type: Integer
Example: 50
ipReputation.dbConnectionTimeout
Indicates the number of seconds that the IP reputation policy information point (PIP) waits for a connection to the IP reputation database. The ipReputation.dbConnectionTimeout property defaults to 120.
Data type: Integer
Example: 60

Attribute collector properties

attributeCollection.cookieName
Name of the cookie that carries the correlation ID used by the attribute collector.
Data type: String
Example: ac.uuid
attributeCollection.requestServer
Request server for the attribute collector: a list of the allowable hosts from which the ajaxRequest can be sent.
Data type: String List
Example: https://rbademo.example.com,https://rbaemo2.example.com
attributeCollection.serviceLocation
Location of the attribute collector.
Data type: String List
Example: http://rbademo.example.com/mga
attributeCollection.sessionTimeout
Number of seconds after which sessions stored in context-based access automatically expire unless they are updated. If any attribute in the session is updated, the session expiry is extended by the number of seconds configured in this property. The default is 1800 seconds.
Data type: Integer
Example: 1800
attributeCollection.enableGetAttributes
Enables the REST GET method to return attributes.
Data type: Boolean
Example: false
attributeCollection.getAttributesAllowedClients
A comma-separated list of clients that are allowed to access the ACS REST GET method.

If this property is not set and attributeCollection.enableGetAttributes is set to true, anyone can access the GET method. If this property is set but attributeCollection.enableGetAttributes is set to false, this property is ignored.

Data type: String List
Example: hostname1, hostname2
attributeCollection.hashAlgorithm
The algorithm that is used to create the hash.
Data type: String
Example: SHA256
attributeCollection.attributesHashEnabled
A comma-separated list of attribute URI values configured for hashing.
Attention: Do not hash the following attributes:
  • ipAddress
  • geoLocation
  • accessTime
Data type: String List
Example:
urn:ibm:security:environment:http:userAgent, 
urn:ibm:security:environment:deviceFonts, 
urn:ibm:security:environment:browserPlugins 
attributeCollection.authenticationContextAttributes
Comma-separated lists of attribute names to be collected during an authentication service obligation. The maximum number of characters for this property is 200.
Data type: String List
Example: authenticationLevel, http:host

Device registration properties

deviceRegistration.allowIncompleteFingerprints
Specifies whether the device registration obligation may store fingerprints for which not all fingerprint attributes are available in the session information.
Data type: Boolean
Example: false
deviceRegistration.checkForExpiredDevices
Determines whether the risk engine checks registered devices for inactivity or expiration. If the deviceRegistration.checkForExpiredDevices property is set to true, the risk engine checks whether a device is inactive or expired. The deviceRegistration.checkForExpiredDevices property defaults to false, which means that users can use any of the devices that are registered, including inactive or expired ones.
Data type: Boolean
Example: true
deviceRegistration.cleanupThread.batchSize
Specifies if batch delete is enabled for expired devices and how many records are deleted per batch.
If the value is defined as 0 or is blank, batch delete is not enabled and all expired devices are deleted using one SQL delete statement.
If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all of the expired devices are deleted. The batch process is useful for deleting a large quantity of expired devices.
Data type: Integer
Example: 1000 (Batch delete is enabled, with a batch size of 1000 records.)
deviceRegistration.deviceMatchThreshold
The risk score threshold where an existing fingerprint is considered to match the incoming device fingerprint.
Data type: Integer
Example: 20
deviceRegistration.inactiveExpirationTime
Specifies the number of days that a device must be inactive for it to expire. The deviceRegistration.inactiveExpirationTime property defaults to 90.
Data type: Integer
Example: 100
deviceRegistration.maxRegisteredDevices
Maximum device fingerprint count. The default is 10. Valid values are 1 to 100.
Data type: Integer
Example: 10
deviceRegistration.maxUsageDataPerUser
Maximum number of historical usage attribute records stored per user. The default is 200. Valid values are 1 to 5000.
Data type: Integer
Example: 1000
deviceRegistration.permitOnIncompleteFingerprints
Specifies to permit access to the resource if the fingerprint collected by the device registration obligation does not include all fingerprint attributes.
Data type: Boolean
Example: false

Runtime properties

runtime.dbLoggingEnabled
Enables fine-grained logging for database SQL statements.
Data type: Boolean
Example: false
runtime.hashAlgorithm
The algorithm that is used for hashing. The supported algorithms are:
  • SHA-1
  • SHA-256
  • SHA-384
  • SHA-512

The runtime.hashAlgorithm property defaults to SHA-256.

Data type: String
Example: SHA-256
runtime.verificationHashAlgorithms
Defines the hashing algorithms that are used to verify a hashed value. The value is typically a comma separated list of hashing algorithms.
Data type: String
Example: SHA-256, SHA-1

Single sign-on protocol service

sps.setCookiesAsSecure
Determines whether the cookies set by Security Access Manager are flagged as secure. Set it to true when the endpoints are reached over HTTPS, so that browsers do not send these cookies over plain HTTP.

The default value is false.

Data type: Boolean
Example: false
sps.targetURLWhitelist

Specifies a list of allowed target URLs for SAML 2.0, OpenID Connect, and the authentication service. Use this property to prevent an attacker from redirecting a user to malicious target URLs.

The value of this advanced configuration property is a comma-separated string, where each string is a target URL in the form of a regular expression. The regular expression must not contain commas, and spaces between regular expressions are ignored.

  • For SAML 2.0 SSO flows, you can specify a Target URL when you configure the initial URL in flows that are initiated by either the Identity Provider or the Service Provider. For more information, see SAML 2.0 profile initial URLs.
  • For Open ID Connect flows, you can specify a Target URL when you configure the initial URL for Relying Party initiated single sign-on. For more information, see Relying Party SSO initiation endpoint.
  • For the authentication service, you can specify a Target URL when you configure the authentication service trigger URL. For more information, see Configuring authentication.

The default value is ".*", which allows any target URL; set an explicit list in production. Escape literal dots in host names (for example www\.app\.ibm\.com), because an unescaped dot in a regular expression matches any character.

Data type: String

Example:

(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*
sps.illegalUrlSubstrings
A comma-separated list of strings. The single sign-on service stops processing a request if the request URL query parameters contain any of the strings.

The default value is "".

Data type: String

Example:
"<script"
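The following added example (not the appliance's code) applies the two checks described above for sps.targetURLWhitelist and sps.illegalUrlSubstrings to a request. Whether the appliance anchors the regular expressions is not stated on this page, so the example uses a full match and, through its anchored flag, shows why an unanchored search would let a whitelisted URL embedded inside another URL pass. The decoding of percent-encoded query values, the case-insensitive comparison for illegal substrings, the Target query parameter name and the check_request helper are assumptions made for the example.

```python
# Added example: request checks modelled on sps.targetURLWhitelist and
# sps.illegalUrlSubstrings. Not product code; see the lead-in for assumptions.
import re
from typing import List
from urllib.parse import parse_qs, unquote, urlsplit


def parse_regex_list(value: str) -> List[re.Pattern]:
    # Comma-separated regular expressions; whitespace around each one is
    # ignored, and a regex itself may not contain a comma (it would be split).
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def target_allowed(target: str, whitelist: str, anchored: bool = True) -> bool:
    """True if the target URL matches one of the whitelist patterns.

    anchored=True requires the whole URL to match (the safe choice);
    anchored=False reproduces the weakness of a substring search.
    """
    for pattern in parse_regex_list(whitelist):
        matched = pattern.fullmatch(target) if anchored else pattern.search(target)
        if matched:
            return True
    return False


def parse_string_list(value: str) -> List[str]:
    # Comma-separated literal strings; the documented default is "" (empty).
    # The surrounding quotes shown in the docs are stripped, so a substring
    # that itself contains a double quote cannot be expressed this way.
    return [s.strip().strip('"') for s in value.split(",") if s.strip().strip('"')]


def query_has_illegal_substring(url: str, illegal: str) -> bool:
    """True if any illegal substring occurs in the (decoded) query string."""
    query = unquote(urlsplit(url).query).lower()   # assumption: decode + case-fold
    return any(s.lower() in query for s in parse_string_list(illegal))


def check_request(url: str, whitelist: str, illegal: str,
                  target_param: str = "Target") -> str:
    """Apply both checks to an incoming SPS request URL (hypothetical helper)."""
    if query_has_illegal_substring(url, illegal):
        return "reject: illegal substring in query"
    for target in parse_qs(urlsplit(url).query).get(target_param, []):
        if not target_allowed(target, whitelist):
            return "reject: target not in whitelist"
    return "allow"


if __name__ == "__main__":
    WHITELIST = "(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*"
    ILLEGAL = '"<script"'
    # Constructed sample requests.
    for url in ("https://www.app.ibm.com/?Target=https://www.app.ibm.com/home",
                "https://www.app.ibm.com/?Target=https://evil.example/",
                "https://www.app.ibm.com/?Target=%3Cscript%3Ealert(1)"):
        print(check_request(url, WHITELIST, ILLEGAL), "<-", url)
    # An unescaped dot matches any character, so a look-alike host passes:
    print(target_allowed("https://www-app.ibm.com/", WHITELIST))
```

Run it as a script to see the three decisions; the last line prints True, which is the reason the lead-in recommends escaping dots in host names.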
sps.doNotSendXFrameOptionsHeader
Specifies whether the SPS endpoints omit the X-Frame-Options header (value SAMEORIGIN) that is normally returned for browser-based flows. When this property is set to true, no X-Frame-Options header is sent and the SPS pages can be framed by other origins, which exposes them to clickjacking; leave it false unless a trusted framing scenario requires it.
Note: The sps.doNotSendXFrameOptionsHeader property defaults to false.

Data type: Boolean

Example: false

SPS page

sps.page.htmlEscapedMacros
A comma-separated list of macros that is HTML-escaped when it is rendered in pages that are sent to the browser.
Data type: String
Example:
@REQ_ADDR@,
@DETAIL@,
@EXCEPTION_STACK@,
@EXCEPTION_MSG@,
@OTP_METHOD_ID@,
@OTP_METHOD_LABEL@,
@OTP_HINT@,
@ERROR_MESSAGE@,
@MAPPING_RULE_DATA@
sps.page.exceptionMacros
A comma-separated list of classname:macro pairs. Classname is the fully qualified name of the exception class. Macro is the name of the macro to which the class maps.
Data type: String
Example:
com.tivoli.am.fim.otp.deliveries.OTPDeliveryException = 
  @OTP_DELIVERY_EXCEPTION@, 
com.tivoli.am.fim.otp.providers.OTPProviderException = 
  @OTP_PROVIDER_EXCEPTION@
sps.page.notEscapedMacros
A comma-separated list of macros that are not HTML-escaped when they are rendered in pages that are sent to the browser. Any macro that does not appear in this list, including every macro in the htmlEscapedMacros list, is HTML-escaped. Add a macro here only if its value is never derived from request data, because an unescaped macro is rendered as raw HTML.

Data type: String

Example:

@COOKIE_NAME@,
@SERVER_NAME@,
@JUNCTION@
sps.page.hiddenMacros
A comma-separated list of macros that are not rendered in the pages that are sent to the browser. The default value is @EXCEPTION_STACK@.

Data type: String

Example: @EXCEPTION_STACK@
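As an added example (not product code), the following renders a page template under the three sps.page macro lists. The precedence is taken from the descriptions above: hidden macros are dropped, macros in notEscapedMacros are inserted raw, and every other macro is HTML-escaped. The decision to escape a macro that is listed in both htmlEscapedMacros and notEscapedMacros, the @NAME@ macro pattern, and the raw_macros_in review helper are assumptions made for the example.

```python
# Added example: rendering page macros under sps.page.htmlEscapedMacros,
# sps.page.notEscapedMacros and sps.page.hiddenMacros. Not product code.
import html
import re
from typing import Dict, List, Set

MACRO_RE = re.compile(r"@[A-Z0-9_]+@")   # assumption: macro names look like @REQ_ADDR@


def parse_macro_list(value: str) -> Set[str]:
    """Split a comma-separated macro list such as '@REQ_ADDR@, @DETAIL@'."""
    return {m.strip() for m in value.split(",") if m.strip()}


def render_page(template: str, values: Dict[str, str], html_escaped: str,
                not_escaped: str, hidden: str = "@EXCEPTION_STACK@") -> str:
    """Substitute macros into a page template and return the HTML sent to the browser."""
    escaped = parse_macro_list(html_escaped)
    raw = parse_macro_list(not_escaped)
    hide = parse_macro_list(hidden)

    def substitute(match: re.Match) -> str:
        macro = match.group(0)
        if macro in hide:
            return ""                          # hiddenMacros: never rendered
        value = values.get(macro, "")
        if macro in raw and macro not in escaped:
            return value                       # notEscapedMacros: raw HTML
        return html.escape(value, quote=True)  # everything else is escaped

    return MACRO_RE.sub(substitute, template)


def raw_macros_in(template: str, html_escaped: str, not_escaped: str,
                  hidden: str = "@EXCEPTION_STACK@") -> List[str]:
    """Macros in a template that would reach the browser unescaped (review aid)."""
    escaped, raw, hide = (parse_macro_list(v) for v in (html_escaped, not_escaped, hidden))
    found: List[str] = []
    for macro in MACRO_RE.findall(template):
        if macro in raw and macro not in escaped and macro not in hide and macro not in found:
            found.append(macro)
    return found


if __name__ == "__main__":
    # Constructed template and macro values, including an injected script.
    TEMPLATE = "<p>Error: @ERROR_MESSAGE@</p>[@EXCEPTION_STACK@]<a href=\"@JUNCTION@/\">home</a>"
    VALUES = {"@ERROR_MESSAGE@": "<script>alert(1)</script>",
              "@EXCEPTION_STACK@": "java.lang.RuntimeException at ...",
              "@JUNCTION@": "/mga"}
    print(render_page(TEMPLATE, VALUES, "@ERROR_MESSAGE@, @DETAIL@", "@JUNCTION@"))
    print("raw macros:", raw_macros_in(TEMPLATE, "@ERROR_MESSAGE@, @DETAIL@", "@JUNCTION@"))
```

The injected script in @ERROR_MESSAGE@ comes out entity-encoded, the stack trace disappears because @EXCEPTION_STACK@ is hidden by default, and raw_macros_in lists @JUNCTION@ as the only macro that a template reviewer needs to trace back to a trusted source.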

Risk engine properties

riskEngine.reportsEnabled
Enables the generation of risk calculation reports.
Data type: Boolean
Example: false
riskEngine.reportsMaxStored
Specifies the maximum number of reports to store.
Data type: Integer
Example: 5

Authentication service properties

sps.authService.reauthenticationEnabled
Specifies that the authentication service performs authentication even if the user already has an authenticated session at the required authentication level.
Data type: Boolean
Example: true
sps.authService.policyKickoffMethod
Specifies how the URLs /sps/authsvc and /sps/apiauthsvc accept the policy identifier, and whether the policyId query string parameter is permitted.

If set to query, the authentication service endpoints continue to accept policyId as a query or post parameter.

If set to path, the authentication service endpoints are changed to:
  • /sps/apiauthsvc/policy/<shortPolicyId>
  • /sps/authsvc/policy/<shortPolicyId>

Where <shortPolicyId> is the value that comes after the prefix urn:ibm:security:authentication:asf:

If set to both, either the path or the query parameter can be used to initiate an authentication service flow.

Data type: String

Default: both

sps.authService.stateIdSource.authsvc
Specifies whether the URL /sps/authsvc can be invoked with the StateId query string parameter.

If set to Body and Query, the authentication service endpoint continues to accept StateId as a query or body parameter.

If set to Body Only, the authentication service endpoint only accepts the StateId as a body parameter (POST or PUT), which keeps the state identifier out of URLs, server logs, and Referer headers.

Data type: String

Default: Body and Query

Example: Body only

sps.authService.stateIdSource.apiauthsvc
Specifies whether the URL /sps/apiauthsvc can be invoked with the StateId query string parameter.

If set to Body and Query, the API authentication service endpoint continues to accept StateId as a query or body parameter.

If set to Body Only, the API authentication service endpoint only accepts the StateId as a body parameter (POST or PUT).

Data type: String

Default: Body and Query

Example: Body Only

Authentication service session store properties

authsvc.stateMgmt.cookieless
Enables the server side storage of session data for the authentication service. If enabled, this removes the need for the JSESSIONID cookie.

Data type: Boolean

Example: true

Default value: true

authsvc.stateMgmt.store
Specifies the storage type that is used by the Authentication service to cache user session data. The authentication service can be supported by the DSC, the HVDB, or stored in Memory.
Note: For clustered environments, storage in Memory does not replicate between nodes.

Data type: String

Example: Memory

Default value: HVDB

authsvc.stateMgmt.HVDB.lifetime
Length of time in seconds that a session is cached for. Once this time period is exceeded, the user’s session is removed from the session store. If this value is less than 0, the default lifetime of 3600 seconds (1 hour) is enforced. This configuration option applies only to session stores supported by the HVDB or Memory.

Data type: Integer

Example: 60 (1 minute)

Default value: 3600

authsvc.stateMgmt.HVDB.maxSessions
Maximum number of user sessions to be cached at any point in time. If the number of sessions in the store exceeds this value, the oldest session is invalidated. This configuration option only applies to session stores that are supported by the HVDB or Memory.

Data type: Integer

Example: 10000

Default value: 1000

authsvc.stateMgmt.HVDB.cleanupWait
Frequency (in seconds) that expired or excess sessions are removed from the session store. Setting this entry to -1 disables the cleanup thread. This configuration option only applies to session stores backed by the HVDB or Memory.

Data type: Integer

Example: 30

Default value: 120

authsvc.stateMgmt.HVDB.cleanupThread.batchSize
Maximum number of expired sessions which are removed in a single cleanup operation. If the value is defined as 0 or is blank, batch delete is not enabled. All expired sessions are deleted by using one SQL delete statement. If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many sessions are deleted in each batch. The batch delete continues until all of the expired sessions are deleted. This configuration option only applies to sessions that are stored in the HVDB or Memory.

Data type: Integer

Example: 1000

Default value: 0

authsvc.stateMgmt.HVDB.cleanupOnlyOnPrimaryMaster
Prevent the cleanup thread from running on non-primary master nodes in a clustered environment. This configuration option only applies to sessions that are stored in the HVDB or Memory.

Data type: Boolean

Example: true

Default value: true

Session

session.dbCleanupInterval
Specifies the interval, in seconds, that the database cleanup thread runs to remove expired data in the runtime database. The default is 86400. The minimum value for this property is 3600. For more information, see Runtime database tuning parameters

Session database clean up can be disabled by setting the dbCleanupInterval to 0. This is not overridden by the minimum value.

Data type: Integer
Example: 90000

Distributed session cache

distributedSessionCache.enabled
A switch that dictates if the distributed session cache is used for session failover. If this setting is not enabled, the distributed session cache server still runs as a service, but the client does not use it.
Data type: Boolean
Example: false
distributedSessionCache.localCacheSize
The number of sessions to be stored on the client as a local cache. A value of 0 or less means that any number of sessions can be cached by the client. A low number requires more connections to the distributed session cache if there are many active sessions. A high number runs the risk of running out of memory if many sessions are locally cached. All sessions are still stored on the distributed session cache when it is enabled.
Data type: Integer
Example: 4096
distributedSessionCache.externalServers

A list of locations of the distributed session cache servers in weighted order.

Syntax:

<primary_address>:<port>[:<ssl>];<secondary_address>:<port>[:<ssl>],...
<address>

The IP address of the distributed session cache server. For example, 10.150.21.80.

<port>

The port for the distributed session cache. For example, 2126.

<ssl>

Whether SSL communication with the distributed session cache is required. The default value is false.

Data type: String

Example:

10.150.21.80:2126:true;10.150.21.81:2126:false,10.150.21.82:2126
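The following added example (not product code) parses the externalServers syntax above into weighted groups of servers and lists the members that are configured without SSL, which is the first thing to look for when reviewing the setting. It handles IPv4 addresses as on this page; IPv6 addresses, which contain ':', are not handled, and the DscServer type is constructed for the example.

```python
# Added example: parser for distributedSessionCache.externalServers.
# Groups are separated by ',', the members of a group (primary;secondary;...)
# by ';', and each member is <address>:<port>[:<ssl>] with <ssl> defaulting
# to false, as documented above. Not product code.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DscServer:
    address: str
    port: int
    ssl: bool


def _parse_bool(text: str) -> bool:
    value = text.strip().lower()
    if value not in ("true", "false"):
        raise ValueError(f"invalid <ssl> flag: {text!r}")
    return value == "true"


def parse_member(member: str) -> DscServer:
    """Parse one <address>:<port>[:<ssl>] entry (IPv4 or host name only)."""
    parts = [p.strip() for p in member.strip().split(":")]
    if len(parts) not in (2, 3) or not parts[0]:
        raise ValueError(f"invalid server entry: {member!r}")
    port = int(parts[1])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    ssl = _parse_bool(parts[2]) if len(parts) == 3 else False   # documented default
    return DscServer(parts[0], port, ssl)


def parse_external_servers(value: str) -> List[List[DscServer]]:
    """Return the groups in weighted order; each group lists primary, secondary, ..."""
    groups: List[List[DscServer]] = []
    for group in value.split(","):
        members = [m for m in group.split(";") if m.strip()]
        if not members:
            raise ValueError("empty server group")
        groups.append([parse_member(m) for m in members])
    return groups


def plaintext_servers(value: str) -> List[str]:
    """'address:port' of every member that talks to the cache without SSL."""
    return [f"{s.address}:{s.port}"
            for group in parse_external_servers(value) for s in group if not s.ssl]


if __name__ == "__main__":
    EXAMPLE = "10.150.21.80:2126:true;10.150.21.81:2126:false,10.150.21.82:2126"
    for i, group in enumerate(parse_external_servers(EXAMPLE), 1):
        print(f"group {i}:", group)
    print("members without SSL:", plaintext_servers(EXAMPLE))
```

With the page's own example value, two of the three servers are reached without SSL: the second member of the first group explicitly, and the lone member of the second group because the omitted flag defaults to false.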
distributedSessionCache.localCacheEnabled
A switch that dictates whether a local cache of distributed sessions is maintained. If this setting is disabled, a higher load is placed on the distributed session cache server. The local cache should only be enabled if all requests from the same client are guaranteed to be sent to the same runtime server (otherwise known as stickiness). Session inconsistencies might occur if the local cache is enabled and stickiness is not maintained. All sessions are still stored in the distributed session cache when it is enabled.

Data type: Boolean

Example: false

TOTP and HOTP retry properties

otp.retry.enabled
Whether the retry protection is enabled.
Data type: Boolean
Example: true
otp.retry.maxNumberOfAttempts
The maximum number of strikes the users can have before they are prevented from logging in.
Data type: Integer
Example: 5
otp.retry.otpRetryTimeout
The number of seconds that a strike lasts.
Data type: Integer
Example: 600

OAuth20

oauth20.cleanupThread.batchSize
Specifies if batch delete is enabled for expired OAuth 2.0 tokens and how many records are deleted per batch.
If the value is defined as 0 or is blank, batch delete is not enabled and all expired OAuth tokens are deleted using one SQL delete statement.
If the value is defined as an integer greater than 0, batch delete is enabled. The number that you specify determines how many records are deleted in each batch. The batch delete continues until all of the expired OAuth tokens are deleted. The batch process is useful for deleting a large quantity of expired tokens.
Data type: Integer
Example: 1000 (Batch delete is enabled, with a batch size of 1000 records.)
oauth20.clientDataToInclude
Specifies the OAuth client information to be returned as JSON data. This property is a comma-separated list of the JSON keys. Valid values are:
  • contact_type
  • email_address
  • contact_person
  • company_name
  • company_url
  • phone_number
  • other_info

You can specify one or more of these keys for this property.
Note: The oauth20.clientDataToInclude property defaults to contact_type, email_address, contact_person, company_name, company_url, phone_number, other_info.
Data type: String
Example: contact_type, email_address, company_name
oauth20.doNotSendXFrameOptionsHeader
Specifies whether the OAuth 2.0 endpoints omit the X-Frame-Options header (value SAMEORIGIN) that is normally returned. When set to true, no X-Frame-Options header is sent and the endpoint pages can be framed by other origins, which exposes them to clickjacking.
Note: The oauth20.doNotSendXFrameOptionsHeader property defaults to false.
Data type: Boolean
Example: false
oauth20.hashedTokenStorageEnabled
Enables hashed storage when set to true. The Security Access Manager appliance can persist OAuth 2.0 tokens in clear text or in the more secure hashed form, in which a token read from the database cannot be replayed.

The hashing algorithm set in the runtime.hashAlgorithm property will be used. When verifying hashed tokens, the runtime.verificationHashAlgorithms property will be used. The algorithms listed in the runtime.verificationHashAlgorithms property will be tried in the specified order. This mechanism allows for upgrading of the hashing algorithm while continuing to support old tokens.

Note: The oauth20.hashedTokenStorageEnabled property defaults to false, and the OAuth 2.0 tokens will be stored as-is.
Data type: Boolean
Example: false
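As an added example (not the appliance's implementation), the following shows the behaviour that oauth20.hashedTokenStorageEnabled, runtime.hashAlgorithm and runtime.verificationHashAlgorithms describe together: tokens are stored as a digest computed with the current algorithm, a presented token is verified by trying the configured verification algorithms in order, and a token issued under an older algorithm keeps working until that algorithm is removed from the verification list. The TokenStore class and its in-memory table stand in for the runtime database and are constructed for the example.

```python
# Added example: hashed token storage with an ordered list of verification
# algorithms, modelled on runtime.hashAlgorithm, runtime.verificationHashAlgorithms
# and oauth20.hashedTokenStorageEnabled. Not product code.
import hashlib
import secrets
from typing import Dict, List, Optional

# Algorithm names as written in the properties, mapped to hashlib names.
_HASHLIB_NAMES = {"SHA-1": "sha1", "SHA-256": "sha256",
                  "SHA-384": "sha384", "SHA-512": "sha512"}


def hash_token(token: str, algorithm: str) -> str:
    """Hex digest of a token under one of the supported algorithm names."""
    name = _HASHLIB_NAMES.get(algorithm.strip())
    if name is None:
        raise ValueError(f"unsupported hash algorithm: {algorithm!r}")
    return hashlib.new(name, token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for the runtime database's token table."""

    def __init__(self, hash_algorithm: str, verification_algorithms: str,
                 hashed_storage_enabled: bool = True) -> None:
        self._rows: Dict[str, dict] = {}      # stored value -> grant data
        self.hashed = hashed_storage_enabled  # oauth20.hashedTokenStorageEnabled
        self.reconfigure(hash_algorithm, verification_algorithms)

    def reconfigure(self, hash_algorithm: str, verification_algorithms: str) -> None:
        """Apply new runtime.hashAlgorithm / runtime.verificationHashAlgorithms values."""
        self.hash_algorithm = hash_algorithm.strip()
        self.verification_algorithms = [
            a.strip() for a in verification_algorithms.split(",") if a.strip()]

    def issue(self, grant: dict) -> str:
        """Create a token for a grant; only the digest is stored when hashing is on."""
        token = secrets.token_urlsafe(32)
        key = hash_token(token, self.hash_algorithm) if self.hashed else token
        self._rows[key] = grant
        return token                          # the client receives the clear token

    def lookup(self, presented: str) -> Optional[dict]:
        """Resolve a presented token, trying verification algorithms in order."""
        if not self.hashed:
            return self._rows.get(presented)
        for algorithm in self.verification_algorithms:
            grant = self._rows.get(hash_token(presented, algorithm))
            if grant is not None:
                return grant
        return None

    def stored_keys(self) -> List[str]:
        """What an attacker who dumps the table would see."""
        return list(self._rows)


if __name__ == "__main__":
    store = TokenStore("SHA-1", "SHA-1")          # legacy configuration
    old = store.issue({"sub": "alice"})
    store.reconfigure("SHA-256", "SHA-256, SHA-1")  # upgrade, keep verifying SHA-1
    new = store.issue({"sub": "bob"})
    print("old token still valid:", store.lookup(old) is not None)
    store.reconfigure("SHA-256", "SHA-256")        # retire SHA-1
    print("old token after retiring SHA-1:", store.lookup(old))
    print("new token:", store.lookup(new), "| stored as:", store.stored_keys()[1][:16], "...")
```

A real database would index the hashed column rather than scan, and the loop over verification algorithms is one extra digest per retired algorithm per lookup, which is why the list should be trimmed once old tokens have expired.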
oauth20.sessionEndpointEnabled
Enables the ability to return an authenticated session at the point-of-contact when the oauth20.sessionEndpointEnabled property is set to true.
Note: The oauth20.sessionEndpointEnabled property defaults to false.
Data type: Boolean
Example: false
oauth20.tokenCache.cleanupWait
The amount of time, in seconds, to wait before it performs another cleanup of expired tokens in the OAuth 2.0 token cache.
Note: The oauth20.tokenCache.cleanupWait property defaults to 120.

OAuth token clean up can be disabled by setting the cleanupWait value to 0.

Data type: Integer
Example: 120
oauth20.legacyAttributeHandling
Changes how associated attributes function across the API Protection and OpenID Connect solution. This includes:
  • OauthMappingExtUtils.retrieveAllAssociations() and OauthMappingExtUtils.getAssociation() calls in mapping rules
    • When it is set to True, it does not return READONLY or SENSITIVE attributes.
    • When it is set to False, it returns READONLY or SENSITIVE attributes.
  • The user self care endpoint /mga/sps/mga/user/mgmt/grant/
    • When it is set to True, attributes that are both READONLY and SENSITIVE are returned
    • When it is set to False, attributes that are both READONLY and SENSITIVE are not returned.
  • Attributes which are saved from attribute sources when performing identity enrichment.
    • When it is set to True, attributes are saved against the grant as neither READONLY or SENSITIVE.
    • When it is set to False, attributes are saved against the grant as READONLY. The post token rule can be used to update this value if necessary.

HTTP client

util.httpClient.defaultTrustStore
Stores the default truststore that HTTPS connections in the HTTP client use.
Note: The util.httpClient.defaultTrustStore property defaults to rt_profile_keys.
Data type: String
Example: rt_profile_keys
util.httpClient.defaultSSLProtocol
Stores the default SSL protocol configuration that HTTPS connections in the HTTP client use.
Note: The util.httpClient.defaultSSLProtocol property defaults to TLS.
Data type: String
Example: TLS
util.httpClient.maxActiveConnections
Specifies the maximum number of HTTP and HTTPS connections, per host, between the appliance runtime and other modules. In a multiple host environment, the runtime might need to establish many HTTP/HTTPS connections at the same time. By specifying this property, you can limit the number of active connections for each host. This setting ensures that each host can obtain their fair share of HTTP/HTTPS connections without being forced to wait for other hosts to release connections.
  • Data type: String
  • Default: An unlimited number of HTTP/HTTPS connections are permitted

You can specify the maximum number of active connections in one of two ways:

  • Specify a maximum number to apply to every host. Syntax:
    "*=<count>"
  • Specify a maximum number on a per host basis. Syntax:
    "<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"
    <host>
    The host value can be either an IP address, a hostname or domain name as specified in the Endpoint URL. Specify the host value based on the URL format. For example:
    • IP Address: 192.168.102.192
    • Hostname or domain name: www.server1.com
    <port>=<count>
    The communication port on the host. For example, to limit port 80 to only 100 connections, enter 80=100.
    *=<count>
    The count limit for servers that are not specified by a <host> value in this property. When set to zero (*=0) there is no limit on the number of HTTP/HTTPS connections that can be created to other servers. When set to an integer greater than zero, the integer specifies the maximum number of HTTP/HTTPS connections that can be created to each of the other servers.
    Note: Ensure that <count> is specified as a value of type integer. Do not use values of type string for <count>.
Example 1: Specifying a maximum number to apply to every host

For example, your deployment must establish connections to two servers. You want to limit the number of connections to 100 per server. You also want to ensure that when you add additional servers, the number of connections to each additional server is limited to 100.

Use the syntax "*=<count>". For this example:

"*=100"
Example 2: Specifying maximum numbers on a per host basis

For example, your deployment must establish connections to two servers. You want to limit the number of connections for one server to 100, but allow the other server to have 200 connections. In addition, you do not want to limit the number of connections for any additional servers.

Use the syntax: "<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"

For example, the runtime might need to establish the connections to the following URLs, for an SMS OTP flow and an OIDC flow:

  • http://www.server1.com/isam/sms_otp
  • https://192.168.102.192/isam/oidc_sts

Example configuration entry:

"www.server1.com:80=100,192.168.102.192:443=200,*=0"

The example configuration entry specifies:

  • The maximum number of HTTP/HTTPS connections that can be created to www.server1.com at a time (on port 80) is 100.
  • The maximum number of HTTP/HTTPS connections that can be created to 192.168.102.192 at a time (on port 443) is 200.
  • There is no limit on the number of HTTP/HTTPS connections that can be created to other hosts.
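The following added example (not product code) parses the util.httpClient.maxActiveConnections syntax above and answers, for an endpoint URL, which limit applies. It treats an unset property and *=0 as unlimited, rejects a non-integer <count> as the note above requires, and derives the port from the URL scheme when the URL does not state one; the limit_for_url helper and that port defaulting are assumptions made for the example.

```python
# Added example: parser and lookup for util.httpClient.maxActiveConnections.
# Syntax: "<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>" or "*=<count>".
# Not product code.
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

HostKey = Tuple[str, int]


def parse_max_active_connections(value: str) -> Tuple[Dict[HostKey, int], Optional[int]]:
    """Return ({(host, port): count}, default). A default of None means unlimited."""
    per_host: Dict[HostKey, int] = {}
    default: Optional[int] = None              # property unset => unlimited
    text = value.strip().strip('"')            # the docs show the whole value quoted
    if not text:
        return per_host, default
    for entry in text.split(","):
        key, sep, count_text = entry.strip().partition("=")
        if not sep or not count_text.strip().isdigit():
            raise ValueError(f"<count> must be a non-negative integer: {entry!r}")
        count = int(count_text)
        if key.strip() == "*":
            default = None if count == 0 else count   # *=0 means no limit
            continue
        host, sep, port_text = key.strip().rpartition(":")
        if not sep or not host or not port_text.isdigit():
            raise ValueError(f"expected <host>:<port>=<count>: {entry!r}")
        per_host[(host.lower(), int(port_text))] = count
    return per_host, default


def connection_limit(value: str, host: str, port: int) -> Optional[int]:
    """Limit for one host:port, falling back to the wildcard entry."""
    per_host, default = parse_max_active_connections(value)
    return per_host.get((host.lower(), port), default)


def limit_for_url(value: str, url: str) -> Optional[int]:
    """Derive host and port from an endpoint URL the runtime calls (assumed helper)."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"URL has no host: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)  # assumed defaults
    return connection_limit(value, parts.hostname, port)


if __name__ == "__main__":
    SETTING = '"www.server1.com:80=100,192.168.102.192:443=200,*=0"'
    for url in ("http://www.server1.com/isam/sms_otp",
                "https://192.168.102.192/isam/oidc_sts",
                "https://other.example/sts"):
        print(url, "->", limit_for_url(SETTING, url))
```

Note that a per-host entry is keyed on the exact host and port written in the property, so www.server1.com on port 443 would fall through to the wildcard, not to the port 80 entry.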

Demo

live.demos.enabled
Enables the mobile demonstration application. Leave it disabled in production deployments.
Data type: Boolean
Example: false
live.demos.settings
This setting can be used to pre-populate the settings of the mobile demo. This is a comma separated set of key, value pairs that match what is submitted on the settings form.

Data type: String

Example: lmiHostAndPort=lmi.host.com, lmiAdminId=admin, lmiAdminPwd=admin, acHostAndPort=127.0.0.1, websealHostNameAndPort=webseal.host.com

Knowledge questions properties

knowledge.questions.AnswerValidationRegEx
Specifies the regular expression used to validate the knowledge question answer value provided during a knowledge question management operation. The expression lists the characters that are not allowed; a value that matches it is rejected.
Note: At a minimum, this property must include the following characters: <>:"
Data type: RegEx
Example: [\[()<>,;:\\/\"\]=]
knowledge.questions.QuestionValidationRegEx
Specifies the regular expression used to validate the knowledge question text value provided during a knowledge question management operation. The expression lists the characters that are not allowed; a value that matches it is rejected.
Note: At a minimum, this property must include the following characters: <>:"
Data type: RegEx
Example: [\[()<>,;:\\/\"\]=]

Key encryption and signing service (KESS)

kess.crlEnabled
Checks the certificate revocation list. Checking is done by the key encryption and signature service (KESS) for all functions that use an external certificate, except for the audit syslog. If your configuration does not require CRL checking, you can disable it. For example, if you use an internal certificate authority (CA), you might want to disable CRL checking. The kess.crlEnabled property defaults to true.
CRL site unavailability scenario
If you have kess.crlEnabled set to true and a CRL site becomes unavailable, you cannot determine the revocation status of the certificate. In this situation, the single sign-on flow will fail.

Confirm a CRL site unavailability issue by looking for the message FBTKJK056E The CRL site could not be determined. in the runtime trace.log file.

As a temporary workaround, set the CRL checking to false to keep the single sign-on flow running. As soon as the CRL site is working again, set kess.crlEnabled to true so that the single sign-on flow contains the CRL check.

CAUTION:
If you do stop CRL checking as a temporary workaround, be aware that the certificate might have already been revoked by the CA. If this type of certificate is allowed to pass the validation, it creates security issues. Therefore, ensure that you enable CRL checking to avoid potential security issues such as this.
Data type: Boolean
Example: true
kess.crlInterval
The amount of time, in seconds, between successive CRL checks. Using an interval of time between CRL checks reduces the performance impact of doing the checks every time a certificate needs to be validated.

A value less than or equal to zero means that the runtime performs a CRL check every time it wants to use a certificate. The default is 0 seconds.

If kess.crlEnabled is set to false, this value is ignored.

Data type: Integer
Example: 86400

This value means that a CRL check on a certificate is performed once per day.

kess.hostnameValidationDisabled
Determines whether host name verification is disabled when an SSL connection is established. Host name verification fails when the host name of the server does not match the CN of the server's certificate.

In a test environment, you might want to disable the verification. In a production environment, keep it enabled: without it, any certificate issued by a trusted CA is accepted for any host, which lets a man-in-the-middle impersonate the server.

The default value is false.

Data type: Boolean
Example: false
kess.keySelectionCriteria
Specify which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If there are multiple keys or certificates with the same Subject DN as the key or certificate with the specified alias, this setting determines which one to use. Use one of the following selection methods:
only.alias
Select the key or certificate with the specified alias. This is the default.
longest.lifetime
Select the key or certificate with the longest lifetime.
shortest.lifetime
Select the key or certificate with the shortest lifetime.
Data type: String
Example: only.alias
kessjksservice.exclude.inclusive.namespace.prefixes
Specifies a comma-separated list of prefix names. When this is set, the prefixes in the list are not added to the InclusiveNamespaces list that is in the Signature Element.

Data type: String

Example: ds

JSON Web Key

jwks.encryption.keystore

Defines the name of the encryption keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'enc'.

Default value: rt_profile_keys

jwks.signing.keystore

Defines the name of the signing keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'sig'.

Default value: rt_profile_keys

Policy information point (PIP)

pip.uncachedAttributes
Defines a comma-separated list of attributes that are generated by a policy information point (PIP) that you do not want to be cached.
Data type: String list
Example: urn:ibm:security:jdbc:city, urn:ibm:security:ldap:priviledgeUser

Security token service (STS)

sts.ivcred.unauthenticated.user.name

Set to a special user account for unauthenticated user tokens when using the IVCRED STS module in validate mode. The default value is "".

Data type: String

Example: guest

sts.ivcred.unauthenticated.user.registry.id

In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's registry ID can also be added when using the IVCRED STS module in validate mode. The default value is "".

This parameter is optional.

Data type: String

Example: cn=guest,o=ibm,c=us

sts.ivcred.unauthenticated.user.uuid

In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's UUID can also be added when using the IVCRED STS module in validate mode. The default value is "".

This parameter is optional.

Data type: String

Example: 81a2a65e-0018-0150-8080-3f83b0f74f4c

sts.ldapAttributeCache.TTL
Specifies a time-to-live (TTL) value, in seconds, for the amount of time to keep an LDAP attribute in the cache. Specify 0 to disable.

The default value is 60.

Data type: Integer
Example: 60

Mobile Multi-Factor Authentication (MMFA)

mmfa.authenticator.cleanupWait

The amount of time, in seconds, to wait before another cleanup of expired authenticators is performed.

MMFA authenticator clean up can be disabled by setting cleanupWait to 0.

The default value is 3600.

Data type: Integer

Example: 3600

mmfa.transactionArchival.maxCompletedPerUser

The number of historical transactions in a completed state to keep in the HVDB before they are archived to the audit log. The oldest transactions are removed first. A value of -1 indicates that no archival is performed.

The default value is 50.

Data type: Integer

Example: 50

mmfa.transactionArchival.maxPendingPerUser

The number of transactions to keep in a pending state. Transactions over this number have their status set to "fail". The oldest transactions are aborted first. A value of -1 indicates that no archival is performed.

The default value is 1.

Data type: Integer

Example: 1

mmfa.transactionPending.minAgeBeforeAbort

The minimum number of seconds a transaction is in the pending state before it is aborted by the cleanup thread. Because the cleanup thread runs at a fixed interval, the total time a transaction can be in the pending state is between minAgeBeforeAbort and (minAgeBeforeAbort + cleanupInterval) - 1 seconds.

The default value is 300.

Data type: Integer

Example: 300

mmfa.transactionPending.cleanupInterval

The number of seconds between each run of the pending transactions cleanup thread.

The default value is 150.

Data type: Integer

Example: 150

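The bound given for mmfa.transactionPending.minAgeBeforeAbort and the "fail" rule of mmfa.transactionArchival.maxPendingPerUser, worked through in a small simulation. This is an added example, not code from the IBM product or its documentation; the cleanup model (a thread that runs every cleanupInterval seconds and aborts every pending transaction at least minAgeBeforeAbort seconds old) is an assumption chosen to match the documented range.

```python
# Added example, not part of the IBM documentation: a small simulation of the
# MMFA pending-transaction cleanup using the documented defaults, to show where
# the bound "between minAgeBeforeAbort and (minAgeBeforeAbort + cleanupInterval) - 1"
# comes from, and how maxPendingPerUser limits a user's pending transactions.

MIN_AGE_BEFORE_ABORT = 300   # mmfa.transactionPending.minAgeBeforeAbort (seconds)
CLEANUP_INTERVAL = 150       # mmfa.transactionPending.cleanupInterval (seconds)
MAX_PENDING_PER_USER = 1     # mmfa.transactionArchival.maxPendingPerUser


def abort_time(created_at, min_age=MIN_AGE_BEFORE_ABORT, interval=CLEANUP_INTERVAL):
    """Second at which the cleanup thread aborts a transaction created at
    `created_at` that was never completed. Assumed model: the thread runs at
    t = 0, interval, 2*interval, ... and aborts every pending transaction whose
    age is at least min_age."""
    t = 0
    while not (t >= created_at and t - created_at >= min_age):
        t += interval
    return t


def pending_duration(created_at):
    """How long (seconds) the transaction created at `created_at` stays pending."""
    return abort_time(created_at) - created_at


def duration_bounds(min_age=MIN_AGE_BEFORE_ABORT, interval=CLEANUP_INTERVAL):
    """(min, max) pending time over every creation second within one cleanup
    interval; with the defaults this is (300, 449) = (min_age, min_age + interval - 1)."""
    durations = [abort_time(c, min_age, interval) - c for c in range(interval)]
    return min(durations), max(durations)


def enforce_max_pending(pending, limit=MAX_PENDING_PER_USER):
    """pending: list of (txn_id, created_at) for one user, in any order.
    Returns {txn_id: status}: the newest `limit` stay 'pending', older ones are
    set to 'fail' (oldest first, as documented); limit -1 disables the check."""
    ordered = sorted(pending, key=lambda p: p[1])
    if limit < 0:
        return {tid: "pending" for tid, _ in ordered}
    keep = {tid for tid, _ in ordered[max(len(ordered) - limit, 0):]} if limit > 0 else set()
    return {tid: ("pending" if tid in keep else "fail") for tid, _ in ordered}
```
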
mmfa.transaction.cleanupOnlyOnPrimaryMaster

Indicates whether transaction cleanup should be run on all nodes in a cluster, or only on the primary master. This applies to pending transaction cleanup as well as transaction archival.

The default value is false.

Data type: Boolean

Example: false

mmfa.devicePrompt.skipIfOneDevice
Indicates whether to skip the device selection page in an MMFA flow if the user only has one device or authenticator registered.

The default value is false.

Data type: Boolean

Example: true

WS-Federation

wsfed.idp.rstr.excluded.elements
Specifies a comma-separated list of elements to exclude from the WS-Federation request security token response. Can optionally contain a federation realm and federation partner realm, to indicate the federation or federation partner that uses the property values.

The default value is default=Forwardable,Delegatable,Status,Renewing.

The syntax for specifying federation and federation partner is:

default=<comma_separated_list_of_elements>:<federation_realm>=<comma_separated_list_of_elements>:<federation_realm>%<partner_realm>=<comma_separated_list_of_elements>

Data type: String

Example:

default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable:
fed1-REALM%partner1-REALM=Status

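A parser for the syntax above, using the documentation's own example value. This is an added example, not IBM code; the precedence it applies when looking up a list (federation%partner entry, then federation entry, then default) is an assumption, not something the documentation states.

```python
# Added example, not IBM code: parse wsfed.idp.rstr.excluded.elements and look
# up which RSTR elements to exclude for a federation/partner pair.
from typing import Optional

# Value taken from the documentation example.
PROPERTY = ("default=Forwardable,Delegatable,Status,Renewing:"
            "fed1-REALM=Forwardable,Delegatable:"
            "fed1-REALM%partner1-REALM=Status")


def parse_excluded_elements(value: str) -> dict:
    """Return {scope: [elements]} where scope is 'default', '<federation_realm>'
    or '<federation_realm>%<partner_realm>'. Entries are split on ':' exactly as
    the documented syntax uses it, so realm names containing ':' are not handled."""
    table = {}
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        scope, sep, elements = entry.partition("=")
        if not sep:
            raise ValueError(f"malformed entry, expected <scope>=<elements>: {entry!r}")
        table[scope.strip()] = [e.strip() for e in elements.split(",") if e.strip()]
    return table


def excluded_for(table: dict, federation_realm: str,
                 partner_realm: Optional[str] = None) -> list:
    """Resolve the list for a federation and (optionally) a partner. The
    precedence assumed here is most specific first: federation%partner, then
    federation, then default."""
    if partner_realm is not None:
        specific = table.get(f"{federation_realm}%{partner_realm}")
        if specific is not None:
            return specific
    return table.get(federation_realm, table.get("default", []))
```
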
SAML 1.1

saml.use.legacy.clockskew.default
IBM Security Access Manager can add a clock skew of 60 seconds when validating the SAML assertion timestamps. To enable the 60 second clock skew, add the custom property:

saml.use.legacy.clockskew.default = true

Default value: False
  • Value type: Boolean
  • Example value: True
Note: This custom property is also applicable for SAML 2.0
saml.allowDebugMessages
When specified as true, and a SAML artifact resolution failure occurs, the SystemOut.log and SystemErr.log contain an informational message. In addition, the message contains extra debug information about the request that contained the failed artifact and provides a reason for the event.
Note: This message is only available in English.
Default value: False
  • Value type: Boolean
  • Example value: saml.allowDebugMessages = True
saml.allowNoRecipient
Use this custom property if a SAML 1.x service provider needs to accept a samlp:Response that does not contain a Recipient attribute.

Default value: False

saml.assertion.IncludeNSPrefixList.DS
When this custom property is specified as true, ds is included in the Prefix List attribute of the InclusiveNameSpaces in the SAML assertion.
Default value: False
  • Value type: Boolean
  • Example value: True
Note: This custom property is also applicable for SAML 2.0
saml.allowSpecificInvalidArtifactMessages
When this custom property is specified as true, and a SAML artifact resolution failure occurs, the identity provider sends a SAML Response with a specific invalid message to tell the service provider that no assertion is available. The specific invalid message is FBTSML276E. If not specified, the default is false, and the invalid message sent back to the service provider is FBTSML013E.
Default value: False
  • Value type: Boolean
  • Example value: True

SAML 2.0

saml20.enableSubjectInAuthnRequest

Set to true if the Subject element is required for the SAML 2.0 AuthnRequest. The Subject element is set to the user ID of the existing authenticated session. The default value is false.

Data type: Boolean

Example: true

saml20.idp.acsurlpattern
IBM Security Access Manager uses an exact string comparison between the AssertionConsumerService URL in the AuthnRequest message and the protocol endpoint specified in metadata.

This custom property allows regular expression matching for the AssertionConsumerService URL and the protocol endpoint, so that a dynamic AssertionConsumerService URL that matches the regular expression can be provided in the AuthnRequest.

Data type: String

Note: The binding can be omitted if the configuration applies to all the bindings for that specific federation and partner.
Format:
<FederationId>%<PartnerId>%<Binding>=<RegularExpression>,<FederationId2>%<PartnerId2>=<RegularExpression2>
Example:
https://www.myidp.ibm.com/isam/sps/saml20idp/saml20%https://www.mysp.ibm.com/isam/sps/saml20sp/saml20%urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST=https://.*.ibm.com/isam/sps/.*
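
A parser for the saml20.idp.acsurlpattern format above, applied to an AssertionConsumerService URL. This is an added example, not IBM code; the documentation example is the first entry, the second entry (OTHER_PARTNER, with the binding omitted) is constructed, and the lookup order and use of a full-string match are assumptions.

```python
# Added example, not IBM code: parse saml20.idp.acsurlpattern and check an
# AssertionConsumerService URL from an AuthnRequest against it.
import re
from typing import Optional

IDP_FED = "https://www.myidp.ibm.com/isam/sps/saml20idp/saml20"
SP_PARTNER = "https://www.mysp.ibm.com/isam/sps/saml20sp/saml20"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
OTHER_PARTNER = "https://other-sp.example.com/saml20sp/saml20"   # constructed

# First entry is the documentation example; the second (constructed) omits the
# binding, so it applies to every binding of that federation/partner pair.
PROPERTY = (IDP_FED + "%" + SP_PARTNER + "%" + HTTP_POST
            + "=https://.*.ibm.com/isam/sps/.*,"
            + IDP_FED + "%" + OTHER_PARTNER + "=https://sp\\.example\\.com/acs")


def parse_acs_url_patterns(value: str) -> dict:
    """Return {(federation, partner, binding or None): compiled regex}. Entries
    are split on ',' and keys on '%' as documented, so a regex containing ','
    (for example a {1,3} quantifier) is not supported by this simple parser."""
    patterns = {}
    for entry in value.split(","):
        key, sep, regex = entry.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed entry, expected <key>=<regex>: {entry!r}")
        parts = key.split("%")
        if len(parts) not in (2, 3):
            raise ValueError(f"expected <fed>%<partner>[%<binding>]: {key!r}")
        federation, partner = parts[0], parts[1]
        binding: Optional[str] = parts[2] if len(parts) == 3 else None
        patterns[(federation, partner, binding)] = re.compile(regex)
    return patterns


def acs_url_allowed(patterns: dict, federation: str, partner: str,
                    binding: str, acs_url: str) -> bool:
    """Assumed lookup order: the binding-specific entry, then the entry with the
    binding omitted; no entry means no override. fullmatch() is used so the
    regex must describe the whole URL, not just a substring of it. Note that
    '.' in a pattern such as https://.*.ibm.com/... is a metacharacter; escape
    literal dots and constrain the host part when writing production patterns."""
    for key in ((federation, partner, binding), (federation, partner, None)):
        regex = patterns.get(key)
        if regex is not None:
            return regex.fullmatch(acs_url) is not None
    return False
```
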

OIDC

oidc.rp.idToken.validationSkew
The number of seconds of skew allowed on the 'nbf' and 'exp' claims of an ID token when it is processed by an OpenID Connect relying party. This accommodates cases where the clocks of the two systems are not perfectly synchronized.
Note: This advanced configuration does not apply to legacy OpenID Connect relying parties or Reverse Proxy Relying parties.

Default value: 0