Security custom properties
To view security custom properties:
Security | Global security | Custom properties
- Disable the caller list and will not allow the caller list to change. Prevents the creation of multiple sessions.
If this property is set to true as well as com.ibm.CSI.propagateFirstCallerOnly, then com.ibm.CSI.disablePropagationCallerList takes precedence.
- Do not allow the caller list to change and thus prevent the creation of multiple session entries. Limits the caller list to the first caller only.
This property logs the first caller in the propagation token that stays on the thread when security attribute propagation is enabled. Without setting this property, all caller switches get logged, which affects performance. Typically, only the first caller is of interest.
If this property is set to true as well as com.ibm.CSI.disablePropagationCallerList, then com.ibm.CSI.disablePropagationCallerList takes precedence.
- Specify the JAAS login configuration used for RMI requests that are received inbound.
By knowing the login configuration, we can plug in a custom login module that can handle specific cases for RMI logins.
- Define the system JAAS login configuration used to perform application specific principal mapping.
- When set to true, enables the application specific principal mapping capability.
- Specify the JAAS login configuration used for RMI requests that are sent outbound.
Primarily, this property prepares the propagated attributes in the Subject to be sent to the target server. However, we can plug in a custom login module to perform outbound mapping.
- When set to true, enables the original caller subject embedded in the WSSubjectWrapper object to be restored.
- Enable credentials that are authenticated in the current realm to be sent to any realm specified in the Trusted target realms field. The Trusted target realms field is available on the CSIv2 outbound authentication panel. This property enables those realms to perform inbound mapping of the data from the current realm.
It is not recommended that you send authentication information to an unknown realm. Thus, this provides a way to specify that the alternate realms are trusted.
To access the CSIv2 outbound authentication panel...
Security | Global security | RMI/IIOP security \ CSIv2 outbound authentication
- Set to true or false to determine if the CosNamingRead role protects all naming read operations. Setting to true is the equivalent of assigning the CosNamingRead role the Everyone special subject. If this propert is set, then it will override any assignments made to the CosNamingRead role.
- Specifies that FIPS algorithms are used. The appserver uses the IBMJCEFIPS cryptographic provider instead of the IBMJCE cryptographic provider.
- Customize the "from address" of certificate expiration notification e-mail.
The value you assigned to this property should be an internet address, for example "Notification@abc-company.com" If this property is not set, WebSphere uses its e-mail fromAddress: "WebSphereNotification@ibm.com" .
- Customize the text encoding character set for certificate expiration notification e-mail.
WAS sends notification e-mail for certificate expiration in either US-English or the machine default character set (if non-English locale is specified). If we want a different text encoding character set for the certificate expiration notification e-mail, we can use this property to customize the text encoding character set.
- Set when realm registry lookups are performed via an MBean on a remote server if the realm is local OS security.
When dealing with a local OS user registry, lookup should occur on the actual server where the registry resides. In an ND environment that could be a remote machine. To perform lookup on the server process where the registry resides, the com.ibm.websphere.lookupRegistryOnProcess custom property should be set to true.
If com.ibm.websphere.lookupRegistryOnProcess is not set, or set to false, then the lookup is performed on the current process.
- When using application form login and logout we can provide a URL for a custom logout page. By default, the URL must point to the host to which the request is made or to its domain. If this is not done, then a generic logout page is displayed rather than a the custom logout page. To be able to point to any host, then we need to set this property in security.xml to a value of true. There is a risk that setting this property to have a value of true may open the systems to potential URL redirect attacks.
- com.ibm.websphere.security.console.noSSLTreePortEndpoints (FP 3)
- Improve the response time for large topology configurations.
When this property is set to true the status of the of the SSL port endpoints does not display on the Manage endpoint security configurations page in the admin console. Displaying the status of the SSL port endpoints sometimes makes the admin console seem like it is no longer functioning because of a longer than expected response time.
Avoid trouble: Do not use this property unless we are running on V220.127.116.11, or higher.
- Default invocation order of Trust Association Interceptors (TAIs) in relation to Single Sign On (SSO) user authentication can be changed using this property. The default order is to invoke Trust Association Interceptors after SSO. Used to change the default order of TAI invocation with SSO. The property value is a comma (,) separated list of TAI class names to be invoked before SSO.
Default none Type string
- By default, when JAAS authentication data entries are created at the domain security level, the alias name for the entry will be in the format aliasName. . We can enable the addition of the node name to the alias name in order to create the alias name in the format nodeName/aliasName for the entry, by setting the following property at the domain security level.
We can set com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain=true at the global security level, to enable the addition of the node name to the alias name of JAAS authentication data entries for all security domains.
- By default, when JAAS authentication data entries are created at the global security level, the alias name for the entry will be in the format nodeName/aliasName. We can disable the addition of the node name to the alias name for the entry, by setting a value of true for this property at the global security level.
- Specify (true) or (false) the WAS uses the canonical form of the URL/HTTP host name in authenticating a client.
If this property is set to “false”, a Kerberos ticket can contain a host name that differs from the HTTP host name header. An error can occur as follows:CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequestYou can avoid an error message by setting this property to “true” and allowing WAS to authenticate using the canonical form of the URL/HTTP host name.
- When using application form login and logout we can provide a URL for a custom logout page. By default, the URL must point to the host to which the request is made or to its domain. If this is not done, then a generic logout page is displayed rather than a the custom logout page. to point to a different host, then we can populate this property in security.xml with a pipe (|) separated list of URLs that are allowed for the logout page.
- In this release, the actual LTPA token data is not available from a WSCredential.getCredentialToken() call when called from an asynchronous bean. For an existing configuration, we can add the com.ibm.ws.security.createTokenSubjectForAsynchLogin custom property and a true value to allow the LTPAToken to be forwarded to asynchronous beans. Allows portlets to successfully perform LTPA token forwarding. This custom property is case sensitive. You must restart the appserver after you add this custom property.
Default not applicable
- JAAS login configuration used for logins that do not fall under the WEB_INBOUND, RMI_OUTBOUND, or RMI_INBOUND login configuration categories.
Internal authentication and protocols that do not have specific JAAS plug points call the system login configuration that is referenced by com.ibm.ws.security.defaultLoginConfig configuration.
- Determines whether to send LtpaToken2 and LtpaToken cookies in the response to a Web request (interoperable).
When this property value is false, the appserver just sends the new LtpaToken2 cookie which is stronger, but not interoperable with some other products and Application Server releases prior to V 5.1.1. In most cases, the old LtpaToken cookie is not needed and we can set this property to false.
- Determine the behavior of a single sign-on LtpaToken2 login.
If the token contains a custom cache key and the custom Subject cannot be found, then the token is used to log in directly as the custom information needs to be regathered if this property value is set to true. A challenge also occurs so that the user is required to login again. When this property value is set to false and the custom Subject is not found, the LtpaToken2 is used to login and gather all of the registry attributes. However, the token might not obtain any of the special attributes that downstream applications might expect.
- JAAS login configuration used for Web requests that are received inbound.
By knowing the login configuration, we can plug in a custom login module that can handle specific cases for Web logins.
- Determine whether a received LtpaToken2 cookie should search for the propagated attributes locally before searching the original login server specified in the token. After the propagated attributes are received, the Subject is regenerated and the custom attributes are preserved.
Configure the data replication service (DRS) to send the propagated attributes to front-end servers such that a local dynacache lookup can find the propagated attributes. Otherwise, an MBean request is sent to the original login server to retrieve these attributes.
- Specify the Lightweight Third Party Authentication (LTPA) token factories that can be used to validate the LTPA tokens.
Validation occurs in the order in which the token factories are specified because LTPA tokens do not have object identifiers (OIDs) that specify the token type. The Application Server validates the tokens using each token factory until validation is successful. The order specified for this property is the most likely order of the received tokens. Specify multiple token factories by separating them with a pipe (|) without spaces before or following the pipe.
Default com.ibm.ws.security.ltpa.LTPATokenFactory | com.ibm.ws.security.ltpa.LTPAToken2Factory | com.ibm.ws.security.ltpa.AuthzPropTokenFactory
- Specify the implementation used for an authentication token in the attribute propagation framework. The property provides an old LTPA token implementation for use as the authentication token.
- Specify the implementation used for an authorization token. This token factory encodes the authorization information.
- Specify the implementation used for a propagation token. This token factory encodes the propagation token information.
The propagation token is on the thread of execution and is not associated with any specific user Subjects. The token follows the invocation downstream wherever the process leads.
- Specify the implementation used for a Single Sign-on (SSO) token. This implementation is the cookie that is set when propagation is enabled regardless of the state of the com.ibm.ws.security.ssoInteropModeEnabled property.
By default, this implementation is the LtpaToken2 cookie.
- No longer used. Instead, use WEB_INBOUND login configuration.
To modify the WEB_INBOUND login configuration, go to...
Security | Global security | Java Authentication and Authorization Service | System logins
- The NullDynamicPolicy.getPermissions method provides an option to delegate a default policy class to construct a Permissions object when...
security.useDefaultPolicyWhenJ2SDisabled = true
When set to false, an empty Permissions object is returned.
Enable security for the realm
CSIv2 outbound communications settings
System login configuration entry settings for Java Authentication and Authorization Service