Security custom properties
To set predefined custom properties related to security...
Security | Global security | Custom properties | New
Custom properties include...
- com.ibm.audit.report.granularity
- com.ibm.CSI.disablePropagationCallerList
- com.ibm.CSI.propagateFirstCallerOnly
- com.ibm.CSI.rmiInboundLoginConfig
- com.ibm.CSI.rmiOutboundLoginConfig
- com.ibm.CSI.supportedTargetRealms
- com.ibm.security.multiDomain.setNamingReadUnprotected
- com.ibm.security.useFIPS
- com.ibm.websphere.crypto.config.certexp.notify.fromAddress
- com.ibm.websphere.crypto.config.certexp.notify.textEncoding
- com.ibm.websphere.lookupRegistryOnProcess
- com.ibm.websphere.security.allow.committed.response
- com.ibm.websphere.security.allowAnyLogoutExitPageHost
- com.ibm.websphere.security.alwaysRestoreOriginalURL
- com.ibm.websphere.security.auth.setDRSBootstrap
- com.ibm.websphere.security.config.inherit.trustedRealms
- com.ibm.websphere.security.console.noSSLTreePortEndpoints
- com.ibm.websphere.security.continueAfterTAIError
- com.ibm.websphere.security.customLTPACookieName
- com.ibm.websphere.security.customSSOCookieName
- com.ibm.websphere.security.delegateStarStarRoleAuthorization
- com.ibm.websphere.security.displayRealm
- com.ibm.websphere.security.disableGetTokenFromMBean
- com.ibm.websphere.security.enableAuditForIsCallerInRole
- com.ibm.websphere.security.goToLoginPageWhenTAIUserNotFound
- com.ibm.websphere.security.initializeRSAProperties
- com.ibm.websphere.security.InvokeTAIbeforeSSO
- com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain
- com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal
- com.ibm.websphere.security.krb.canonical_host
- com.ibm.websphere.security.ldap.logicRealm
- com.ibm.websphere.security.ldapSSLConnectionTimeout
- com.ibm.websphere.security.logoutExitPageDomainList
- com.ibm.websphere.security.performTAIForUnprotectedURI
- com.ibm.websphere.security.recoverContextWithNewKeys
- com.ibm.websphere.security.release.ejb.reference
- com.ibm.websphere.security.rsaCertificateAliasCache
- com.ibm.websphere.security.setContextRootForFormLogin
- com.ibm.websphere.security.skip.canonical.lookup
- com.ibm.websphere.security.spnego.useBuiltInMappingToSAF
- com.ibm.websphere.security.strictCredentialExpirationCheck
- com.ibm.websphere.security.tokenFromMBeanSoapTimeout
- com.ibm.websphere.security.useActiveRegistryForNewDefaultSSOTokens
- com.ibm.websphere.security.useLoggedSecurityName
- com.ibm.websphere.security.util.csiv2SessionCacheIdleTime
- com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled
- com.ibm.websphere.security.util.csiv2SessionCacheMaxSize
- com.ibm.websphere.security.web.removeCacheOnFormLogout
- com.ibm.websphere.security.web.setLTPATokenCookieToUnprotectedURI
- com.ibm.websphere.security.webAlwaysLogin
- com.ibm.websphere.ssl.include.ECCiphers
- com.ibm.websphere.ssl.retrieveLeafCert
- com.ibm.ws.security.addHttpOnlyAttributeToCookies
- com.ibm.ws.security.allowNonAdminToSecurityXML
- com.ibm.ws.security.config.SupportORBConfig
- com.ibm.ws.security.createTokenSubjectForAsynchLogin
- com.ibm.ws.security.defaultLoginConfig
- com.ibm.ws.security.failSSODuringCushion
- com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA
- com.ibm.ws.security.ltpa.useCRT
- com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA
- com.ibm.ws.security.ssoInteropModeEnabled
- com.ibm.ws.security.unprotectedUserRegistryMethods
- com.ibm.ws.security.web.saml.disableDecodeURL
- com.ibm.ws.security.webChallengeIfCustomSubjectNotFound
- com.ibm.ws.security.webInboundLoginConfig
- com.ibm.ws.security.webInboundPropagationEnabled
- com.ibm.ws.security.web.logoutOnHTTPSessionExpire
- com.ibm.ws.security.WSSecureMapInitAtStartup
- com.ibm.ws.security.WSSecureMapSize
- com.ibm.wsspi.security.cred.refreshGroups
- com.ibm.wsspi.security.cred.verifyUser
- com.ibm.wsspi.security.ltpa.tokenFactory
- com.ibm.wsspi.security.token.authenticationTokenFactory
- com.ibm.wsspi.security.token.authorizationTokenFactory
- com.ibm.wsspi.security.token.propagationTokenFactory
- com.ibm.wsspi.security.token.singleSignonTokenFactory
- com.ibm.wsspi.wssecurity.kerberos.failAuthForExpiredKerberosToken
- security.allowCustomHTTPMethods
- security.enablePluggableAuthentication
- security.useDefaultPolicyWhenJ2SDisabled
- security.useAllSSLClientAuthKeytypes
- WAS_customUserMappingImpl
com.ibm.audit.report.granularity
Specifies how much auditing data is recorded for each event type. If we only need to record basic information about an event, such as who did what action to what resource and when, setting this property to high might improve application server performance.
We can specify values of high, medium, or low for this property. The default is low.
| Event type | high setting | medium setting | low setting |
| --- | --- | --- | --- |
| SessionContext | sessionId | sessionId, remoteHost | sessionId, remoteHost, remoteAddr, remotePort |
| PropagationContext (only reported if SAP is enabled) | firstCaller (as part of the who) | firstCaller, and if verbose mode is enabled, the callerList | firstCaller, and if verbose mode is enabled, the callerList |
| RegistryContext | nothing is recorded | registry type | registry type |
| ProcessContext | nothing is recorded | realm | realm, and domain if verbose is enabled |
| EventContext | creationTime | creationTime, globalInstanceId | creationTime, globalInstanceId, eventTrailId, and lastTrailId if verbose mode is enabled |
| DelegationContext | identityName | delegationType, and identityName | delegationType, roleName, and identityName |
| AuthnContext | nothing is recorded | authn type | authn type |
| ProviderContext | nothing is recorded | provider | provider, and providerStatus |
| AuthnMappingContext | mappedUserName | mappedUserName, and mappedSecurityRealm | mappedUserName, mappedSecurityRealm, and mappedSecurityDomain |
| AuthnTermContext | terminateReason | terminateReason | terminateReason |
| AccessContext | progName, action, appUserName, and resourceName | progName, action, appUserName, resourceName, registryUserName, and accessDecision | progName, action, appUserName, resourceName, registryUserName, accessDecision, resourceType, permissionsChecked, permissionsGranted, rolesChecked, and rolesGranted |
| PolicyContext | nothing is recorded | policyName | policyName, and policyType |
| KeyContext | keyLabel | keyLabel, and keyLocation | keyLabel, keyLocation, and certificateLifetime |
| MgmtContext | nothing is recorded | mgmtType, and mgmtCommand | mgmtType, mgmtCommand, and targetInfoAttributes |

com.ibm.CSI.disablePropagationCallerList
Disable the caller list and do not allow the caller list to change. This property prevents the creation of multiple sessions.
This property completely disables adding a caller or host list in the propagation token. Setting this property can be a benefit when the caller or host list in the propagation token is not needed in the environment.
If the com.ibm.CSI.propagateFirstCallerOnly custom property is set to true, that setting takes precedence over the setting for this property.
Default: false
com.ibm.CSI.propagateFirstCallerOnly
Limit the caller list to the first caller only, which means the caller list cannot change. Setting this property to true eliminates the potential for the creation of multiple session entries.
This property logs the first caller in the propagation token that stays on the thread when security attribute propagation is enabled. Without setting this property, all caller switches get logged, which affects performance. Typically, only the first caller is of interest.
If the com.ibm.CSI.disablePropagationCallerList custom property is set to true, that setting takes precedence over the setting for this property.
Default: true
When true, the first caller in the propagation token that stays on the thread is logged when security attribute propagation is enabled. When false, all of the caller switches are logged, which can affect performance.
com.ibm.CSI.rmiInboundLoginConfig
JAAS login configuration used for RMI requests received inbound.
By knowing the login configuration, we can plug in a custom login module that can handle specific cases for RMI logins.
Default: system.RMI_INBOUND
com.ibm.CSI.rmiInboundMappingConfig
System JAAS login configuration used to perform application specific principal mapping.
Default: None
com.ibm.CSI.rmiInboundMappingEnabled
When true, enables the application specific principal mapping capability.
Default: false
com.ibm.CSI.rmiOutboundLoginConfig
JAAS login configuration used for RMI requests sent outbound.
Primarily, this property prepares the propagated attributes in the Subject to be sent to the target server. However, we can plug in a custom login module to perform outbound mapping.
Default: system.RMI_OUTBOUND
com.ibm.CSI.rmiOutboundMappingEnabled
When true, enables the original caller subject embedded in the WSSubjectWrapper object to be restored.
Default: false
com.ibm.CSI.supportedTargetRealms
Enable credentials that are authenticated in the current realm to be sent to any realm specified in the Trusted target realms field. The Trusted target realms field is available on the CSIv2 outbound authentication panel. Enable those realms to perform inbound mapping of the data from the current realm.
We should not send authentication information to an unknown realm. Thus, this property provides a way to specify that the alternate realms are trusted. To access the CSIv2 outbound authentication panel:
- Click Security > Global security.
- Under RMI/IIOP security, click CSIv2 outbound authentication.
com.ibm.security.multiDomain.setNamingReadUnprotected
Set this property to true to have the CosNamingRead role protect all naming read operations. Setting it to true is the equivalent of assigning the CosNamingRead role the Everyone special subject. When this property is set, any assignments made to the CosNamingRead role are ignored.
Default: none
com.ibm.security.useFIPS
Specifies that Federal Information Processing Standard (FIPS) algorithms are used. The application server uses the IBMJCEFIPS cryptographic provider instead of the IBMJCE cryptographic provider.
Default: false
com.ibm.websphere.crypto.config.certexp.notify.fromAddress
This security property is used to customize the from address of certificate expiration notification email.
The value we assign to this property should be an internet address, such as Notification@abc-company.com. If this property is not set, the application server uses the email fromAddress WebSphereNotification@ibm.com.
Default: None
com.ibm.websphere.crypto.config.certexp.notify.textEncoding
This security property is used to customize the text encoding character set for certificate expiration notification email.
WAS sends notification email for certificate expiration in either US-English or the machine default character set (if non-English locale is specified). To have a different text encoding character set for the certificate expiration notification email, we can use this property to customize the text encoding character set.
Default: None
com.ibm.websphere.lookupRegistryOnProcess
This property can be set when realm registry lookups are performed using an MBean on a remote server, and the realm is local OS security.
By default, the user registry tasks listRegistryUsers and listRegistryGroups perform lookups from the current process. In the case of Network Deployment (ND), that is the deployment manager.
When dealing with a local OS user registry, lookup should occur on the actual server where the registry resides. In an ND environment, the server could be a remote machine. To perform a lookup on the server process where the registry resides, set this property true.
If this property is not set, or is set to false, the lookup is performed on the current process. The custom property can be set using the setAdminActiveSecuritySettings task for global security or the setAppActiveSecuritySettings task for a security domain.
com.ibm.websphere.security.allow.committed.response
Specify whether committed HTTP responses are allowed.
When the application server detects a committed HTTP response, it displays a generic 403 error message. Set to true to allow committed HTTP responses and suppress 403 error messages. In configurations that use custom login modules, the module can commit an HTTP response to display a custom error message.
The default is false.
com.ibm.websphere.security.allowAnyLogoutExitPageHost
When using application form login and logout we can provide a URL for a custom logout page. By default, the URL must point to the host to which the request is made or to its domain. If this is not done, then a generic logout page is displayed rather than the custom logout page. To be able to point to any host, set this property in the security.xml file to a value of true. Setting this property to true might open the systems to URL redirect attacks.
Default: false
com.ibm.websphere.security.alwaysRestoreOriginalURL
Indicate whether a cookie with the value WASReqURL is honored when the custom form login processor is used.
When true, the value of WASReqURL takes precedence over the current URL, and the WASReqURL cookie is removed from subsequent requests.
When false, the value of the current URL takes precedence, and the WASReqURL cookie is not removed from subsequent requests.
Default: false
com.ibm.websphere.security.auth.setDRSBootstrap
Specifies whether the data replication service (DRS) enables the DRSbootstrap function.
In high volume environments, dynamic cache data replication might increase the amount of time that it takes a server to start. If we experience slow server startups because of data replication, add this property to the server security settings and set it to false. When this property is set to false, the data replication service disables the DRSbootstrap function.
True is the default setting for this property.
com.ibm.websphere.security.config.inherit.trustedRealms
Inherit the global trusted realm settings from the global security configuration in the domain.
Security configuration trusted inbound and outbound realms are not inherited by default. However, there are some cases where the configuration might want to use (inherit) the settings from the global security configuration in the domain.
The value of this property can be either true or false.
com.ibm.websphere.security.console.noSSLTreePortEndpoints
Improve the response time for large topology configurations.
When true the status of the SSL port endpoints does not display on the Manage endpoint security configurations page in the administrative console. Displaying the status of the SSL port endpoints sometimes makes the administrative console seem like it is no longer functioning because of a longer than expected response time.
Default: false
com.ibm.websphere.security.continueAfterTAIError
This property automatically directs you to a login page if a custom TAI returns an error.
We do not have to type in a URL in your browser to attempt a login again. The property must be set to true to enable this behavior.
Default: false
com.ibm.websphere.security.customLTPACookieName
Customize the name of the cookies used for Lightweight Third Party Authentication (LTPA) tokens.
WAS v8.0 enables us to customize the name of the cookies used for LTPA and LTPA2 tokens. Custom cookie names allow us to logically separate authentication between Single Sign-On (SSO) domains and to enable customized authentication to a particular environment.
To take advantage of this functionality, a custom property must be set. For LTPA tokens, the custom property com.ibm.websphere.security.customLTPACookieName can be set to any valid string (special characters and spaces are not permitted) for the LTPA token cookie, and com.ibm.websphere.security.customSSOCookieName for the LTPA2 (SSO) token cookie. Each property is case-sensitive.
The value for this property is a valid string.
Before we set this custom property, consider the following:
- This property, as with most custom properties, can be set at the security domain level. In this manner, a separate login can be forced between an administrative console login and an application login.
- The original default LtpaToken or LtpaToken2 cookie names are accepted and trusted by WAS v8.0. This enables compatibility with products such as Lotus Domino and WebSphere Portal which both utilize the default cookie name.
- Setting a custom cookie name can cause an authentication failure. For example, a connection to a server that has a custom cookie property set sends this custom cookie to the browser. A subsequent connection to a server that uses either the default cookie name or a different cookie name is not able to authenticate the request via a validation of the inbound cookie.
- This property does not function properly in a mixed-cell environment. For example, a deployment manager in WAS v8.0 might be able to create custom cookies. However, a WAS v7.0 node or server existing in this same cell does not understand what to do with this cookie and subsequently rejects it.
- If we utilize a product interacting with WAS that generates LTPA tokens, such as Lotus Domino or WebSphere Portal, be aware that these products might not be able to handle custom LTPA cookie names. Please consult the documentation for our product regarding its handling of custom LTPA cookie names.
To activate this property, a restart of WAS is necessary.
com.ibm.websphere.security.customSSOCookieName
Customize the name of the cookies used for Lightweight Third Party Authentication v2 (LTPA2) tokens.
WAS v8.0 enables us to customize the name of the cookies used for LTPA and LTPA2 tokens. Custom cookie names allow us to logically separate authentication between Single Sign-On (SSO) domains and to enable customized authentication to a particular environment.
To take advantage of this functionality, a custom property must be set. For LTPA tokens, the custom property com.ibm.websphere.security.customLTPACookieName can be set to any valid string (special characters and spaces are not permitted) for the LTPA token cookie, and com.ibm.websphere.security.customSSOCookieName for the LTPA2 (SSO) token cookie. Each property is case-sensitive.
The value for this property is a valid string.
Before we set this custom property, consider the following:
- This property, as with most custom properties, can be set at the security domain level. In this manner, a separate login can be forced between an administrative console login and an application login.
- The original default LtpaToken or LtpaToken2 cookie names are accepted and trusted by WAS v8.0. This enables compatibility with products such as Lotus Domino and WebSphere Portal which both utilize the default cookie name.
- Setting a custom cookie name can cause an authentication failure. For example, a connection to a server that has a custom cookie property set sends this custom cookie to the browser. A subsequent connection to a server that uses either the default cookie name or a different cookie name is not able to authenticate the request via a validation of the inbound cookie.
- This property does not function properly in a mixed-cell environment. For example, a deployment manager in WAS v8.0 might be able to create custom cookies. However, a WAS v7.0 node or server existing in this same cell does not understand what to do with this cookie and subsequently rejects it.
- If we utilize a product interacting with WAS that generates LTPA tokens, such as Lotus Domino or WebSphere Portal, be aware that these products might not be able to handle custom LTPA cookie names. Please consult the documentation for our product regarding its handling of custom LTPA cookie names.
To activate this property, a restart of WAS is necessary.
com.ibm.websphere.security.delegateStarStarRoleAuthorization
Defines whether the security code grants access to all authenticated users when the role name is **.
- true - The security code grants the access without consulting the pluggable authorization table.
- false - The security code delegates the decision to the pluggable authorization table. This is the default value.
com.ibm.websphere.security.disableRemovingUnusedLTPACookie
This property specifies whether the server removes all LTPAToken cookies upon logout when the interoperability mode is disabled.
The server removes LTPAToken2 cookies only upon logout if the value is set to true and the interoperability mode is set to false. Otherwise, the server removes both LTPAToken and LTPAToken2 cookies.
Default: false
com.ibm.websphere.security.displayRealm
This property specifies whether the HTTP basic authentication login window displays the realm name that is not defined in the application web.xml file.
If the realm name is defined in the application web.xml file, this property is ignored.
If the realm name is not defined in the web.xml file, one of the following occurs:
- If the property is set to false, the WebSphere realm name display is Default Realm.
- If set to true, the WebSphere realm name display is the user registry realm name for the LTPA authentication mechanism or the Kerberos realm name for the Kerberos authentication mechanism.
If set to true, and the user registry's realm name contains sensitive information, it is displayed to the user. For example, if standalone LDAP configuration is used, the LDAP server hostname and port are displayed. For LocalOS, the hostname is displayed.
Default: false
Type: string
com.ibm.websphere.security.disableGetTokenFromMBean
Disable the outbound SOAP call to retrieve the subject from the originating server when Single Sign-On is enabled.
Typically, when Single Sign-On is enabled, and an inbound request needs to be authenticated, the receiving server attempts to retrieve the authentication from the originating server. The connection between the sending and receiving servers never times out during this callback process.
When true, the receiving server does not attempt to authenticate the inbound request.
Default: false
com.ibm.websphere.security.enableAuditForIsCallerInRole
Enable audit for the isCallerInRole method call.
If set to false, it disables auditing for the invocation of isCallerInRole. In z/OS, SMF records are not issued for the invocation.
Default: true
com.ibm.websphere.security.goToLoginPageWhenTAIUserNotFound
Use this property when the user provided by a TAI is not found in the user registry so that a login page is displayed instead of an error page.
When the user provided by a TAI is not found in the user registry, WAS displays an error page. To adjust this behavior, set this property to true. Then the login page is displayed. The default is false, and the normal behavior for WAS is to display an error page.
When true, the login page is displayed.
Default: false
com.ibm.websphere.security.initializeRSAProperties
If high CPU utilization is observed in Job Manager or Administrative Agent environment after Certificate Expiration Monitor run, nodes may need to be distributed to multiple servers to reduce the CPU load on one server.
If set to false, WebSphere will not perform re-initialization of RSA token related SSL properties. Before configuring this property to false, make sure Job Manager or Administrative Agent is not used in the environment. These features require RSA tokens and this property should not be used.
Default: true
com.ibm.websphere.security.InvokeTAIbeforeSSO
Default invocation order of Trust Association Interceptors (TAIs) in relation to Single Sign On (SSO) user authentication can be changed using this property. The default order is to invoke Trust Association Interceptors after SSO. This property is used to change the default order of TAI invocation with SSO. The property value is a comma (,) separated list of TAI class names to be invoked before SSO.
Default: com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl
Type: string
com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain
By default, when JAAS authentication data entries are created at the domain security level, the alias name for the entry will be in the format aliasName. We can enable the addition of the node name to the alias name to create the alias name, in the format nodeName/aliasName, for the entry, by setting the following property at the domain security level.
We can set com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain=true at the global security level, to enable the addition of the node name to the alias name of JAAS authentication data entries for all security domains.
Default: false
com.ibm.websphere.security.JAASAuthData.removeNodeNameGlobal
By default, when JAAS authentication data entries are created at the global security level, the alias name for the entry is in the format nodeName/aliasName. We can disable the addition of the node name to the alias name for the entry, by setting a value of true for this property at the global security level.
Default: false
com.ibm.websphere.security.krb.canonical_host
Specify whether the application server uses the canonical form of the URL/HTTP host name in authenticating a client. This property can be used for both SPNEGO TAI and SPNEGO Web.
If we set this custom property to false, a Kerberos ticket can contain a host name that differs from the HTTP host name header, and the application server might issue the following message:
CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
If we set this custom property to true, we can avoid this error message and allow the application server to authenticate using the canonical form of the URL/HTTP host name.
Default: true
com.ibm.websphere.security.ldap.logicRealm
Enable changing the name of the realm that is placed in the token.
Enables you to configure each cell to have its own LDAP host for interoperability and backward compatibility. It also provides flexibility for adding or removing the LDAP host dynamically. If we are migrating a previous installation, this modified realm name does not take effect until administrative security is re-enabled. To be compatible with a previous release that does not support the logic realm, the name must be the same name used by the previous installation. Use the LDAP host name, including a trailing colon and port number.
Type: String
This property must be set as the custom property of a stand-alone LDAP registry. To set this custom property, in the administrative console:
- Click Security > Global security.
- Under User account repository, expand the Available realm definitions list, and select Standalone LDAP registry> Configure.
- Under Custom properties, click New, and then enter com.ibm.websphere.security.ldap.logicRealm in the Name field, and the new name of the realm that is placed in the token in the Value field.
- Select this custom property and then click Apply or OK.
com.ibm.websphere.security.ldapSSLConnectionTimeout
Use this property, when SSL is enabled on the LDAP server, to specify, in milliseconds, the maximum amount of time the JVM waits for a socket connection before issuing a timeout.
If one or more standalone LDAP servers are offline when a server process starts, and LDAP-SSL is enabled, there might be a delay of up to three minutes in the startup procedure, even if we specify a value for the com.sun.jndi.ldap.connect.timeout custom property. When LDAP-SSL is enabled, any value specified for the com.sun.jndi.ldap.connect.timeout property is ignored.
When a value is specified for this property, the JVM tries to use this connection timeout value when attempting to complete a socket connection, instead of trying to establish a directory context. When no value is specified for this property, the JVM tries to establish a directory context.
There is no default value for this property.
com.ibm.websphere.security.logoutExitPageDomainList
When using application form login and logout, we can provide a URL for a custom logout page. By default, the URL must point to the host to which the request is made or to its domain. If this is not done, then a generic logout page is displayed rather than the custom logout page. If we need to point to a different host, then we can populate this property in the security.xml file with a pipe (|) separated list of URLs allowed for the logout page.
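The host check that the two logout-page properties describe, as an added Python model of the policy (not WebSphere code): the default same-host-or-domain rule, the pipe-separated allow-list carried by com.ibm.websphere.security.logoutExitPageDomainList, and the unchecked case that com.ibm.websphere.security.allowAnyLogoutExitPageHost=true produces. Reading "its domain" as the request host's parent domain, the placeholder name of the generic logout page and the sample hosts are assumptions made for the example.

```python
"""Model of the custom-logout-page host check described for
com.ibm.websphere.security.allowAnyLogoutExitPageHost and
com.ibm.websphere.security.logoutExitPageDomainList.

Added illustration, not WebSphere code. Rules are taken from the property
descriptions: same host or its domain by default, a pipe-separated allow-list
of URLs, or any host at all when allowAnyLogoutExitPageHost is true.
"""
from urllib.parse import urlsplit

# Constructed placeholder for the generic logout page WAS falls back to.
DEFAULT_LOGOUT_PAGE = "/generic_logout_page"


def _host_of(url):
    """Lower-cased host of an absolute (or protocol-relative) URL; '' for a relative path."""
    return (urlsplit(url).hostname or "").lower()


def _same_host_or_domain(request_host, target_host):
    """True when target is the request host itself or a host under its domain.

    Assumption: the request host's domain is everything after its first label
    (app1.example.com -> example.com). The leading dot enforces a label boundary,
    so notexample.com is not treated as part of example.com.
    """
    request_host = request_host.lower()
    if target_host == request_host:
        return True
    domain = request_host.partition(".")[2]
    return bool(domain) and target_host.endswith("." + domain)


def parse_domain_list(prop_value):
    """Parse the pipe-separated logoutExitPageDomainList value into a set of hosts."""
    return {_host_of(u) for u in prop_value.split("|") if u.strip()}


def choose_logout_page(request_host, exit_page_url, domain_list="", allow_any_host=False):
    """Return the page the logout redirects to.

    Relative URLs always stay on the current host. Absolute URLs are honoured only
    when they pass the host check; otherwise the generic logout page is used.
    With allow_any_host=True no check runs, which is why that setting is an
    open-redirect risk.
    """
    target = _host_of(exit_page_url)
    if not target:                     # relative URL: same host by construction
        return exit_page_url
    if allow_any_host:                 # allowAnyLogoutExitPageHost=true: unchecked
        return exit_page_url
    if _same_host_or_domain(request_host, target):
        return exit_page_url
    if target in parse_domain_list(domain_list):
        return exit_page_url
    return DEFAULT_LOGOUT_PAGE


if __name__ == "__main__":
    allow = "https://portal.partner.test/bye|https://sso.partner.test/out"
    for url in ("/logout.html", "https://app2.example.com/bye",
                "https://portal.partner.test/bye", "https://attacker.test/phish"):
        print(url, "->", choose_logout_page("app1.example.com", url, domain_list=allow))
```

A protocol-relative value such as `//attacker.test/x` parses with a host, so it is subjected to the same check rather than being treated as a local path.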
Default: none
com.ibm.websphere.security.performTAIForUnprotectedURI
Specify TAI invocation behavior when Use available authentication data when an unprotected URI is accessed is selected in the administrative console.
Default: false
In previous versions of WAS, the default value of this custom property was true. For WAS v8.0.0.1, the default value is now false.
com.ibm.websphere.security.recoverContextWithNewKeys
This property affects behavior when deserializing a security context that was previously saved as part of asynchronous security processing for Web Services or Asynch Beans.
When true, the security context can be de-serialized even when the LTPA keys have changed since the context was serialized out. This property should be set to true if the security context deserialization fails with a WSSecurityException containing this message: Validation of LTPA token failed due to invalid keys or token type.
Default: false
com.ibm.websphere.security.release.ejb.reference
This property helps improve memory usage.
When the value is set to true, security code keeps references to security-related EJB data, but releases EJB data that is not related to security.
The default is false.
com.ibm.websphere.security.rsaCertificateAliasCache
Control the size of the alias cache.
The default is 5000 and can be increased for larger deployments. We do not need to add this property unless your Job Manager topology exceeds 5000 registered nodes.
The value must be in the range 1 - N, where N is a valid positive integer that is greater than or equal to the number of nodes registered with the Job Manager.
Default: 5000
com.ibm.websphere.security.setContextRootForFormLogin
Set a unique path name whenever a WASReqURL cookie is generated.
A browser can hold multiple WASReqURL cookies as long as each cookie has a unique path name. When set to true, a unique path name is set whenever a WASReqURL cookie is generated. Therefore, if we have more than one application that uses Form Login as its login method installed on the same application server, we should specify this property as one of our security settings for that application server and set it to true.
Default: false
com.ibm.websphere.security.skip.canonical.lookup
Use this property if we need to skip canonical lookup for a specific hostname. The value we specify for this property is case sensitive and has to match the hostname in the SPNEGO filter.
WAS expects the java.net.InetAddress #getCanonicalHostName() Java API to return an actual hostname. In some situations, this API returns a string representation of an IP address instead of a hostname. When this scenario occurs, WAS is not able to recognize that the incoming request needs to be evaluated for SPNEGO authentication.
If we experience this situation, add this custom property to the security configuration settings and set it to the hostname for which we do not want a canonical lookup to occur.
To specify multiple hostnames as the value for this property, use the | symbol as the separator between the hostnames needed to specify. For example, if we do not want canonical lookup to occur for the host names myhost1.mycompany.com and myhost2.mycompany.com, specify the following value for this property:
myhost1.mycompany.com|myhost2.mycompany.com
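The failure mode this property works around, as an added Python model (not WebSphere code): the pipe-separated, case-sensitive skip list is parsed, hosts on it bypass the canonical lookup, and for every other host the lookup runs and its result is checked for the IP-address-instead-of-hostname case that breaks the SPNEGO filter match. The canonical lookup is injected as a function so the example runs offline; the stand-in resolver, its entries and the 192.0.2.10 address are constructed sample data.

```python
"""Model of the SPNEGO hostname handling that
com.ibm.websphere.security.skip.canonical.lookup works around.

Added illustration, not WebSphere code. In the product the lookup is
java.net.InetAddress#getCanonicalHostName(); here it is a parameter so the
example needs no DNS.
"""
import ipaddress


def parse_skip_list(prop_value):
    """Split the pipe-separated property value into the set of hostnames to skip.
    Matching is exact and case-sensitive, as the property description states."""
    return {h for h in (prop_value or "").split("|") if h}


def looks_like_ip_literal(name):
    """True when a 'canonical host name' is really an IPv4/IPv6 address string."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def hostname_for_spnego_filter(request_host, skip_list, canonical_lookup):
    """Return (hostname used for the SPNEGO filter match, reason).

    A host on the skip list is used as-is. Otherwise the canonical lookup runs;
    if it yields an IP literal the result cannot match any filter hostname, which
    is exactly the situation in which the request is not recognised for SPNEGO.
    """
    if request_host in skip_list:
        return request_host, "skipped-lookup"
    canonical = canonical_lookup(request_host)
    if looks_like_ip_literal(canonical):
        return canonical, "canonical-lookup-returned-ip"
    return canonical, "canonical-lookup"


# Constructed stand-in for getCanonicalHostName(): myhost2 has no usable
# reverse-DNS entry, so its lookup comes back as an address string.
_SAMPLE_CANONICAL = {
    "myhost1.mycompany.com": "myhost1.mycompany.com",
    "myhost2.mycompany.com": "192.0.2.10",
}


def sample_canonical_lookup(host):
    """Offline resolver; DNS names are case-insensitive, so the key is lower-cased."""
    return _SAMPLE_CANONICAL.get(host.lower(), host)


def spnego_filter_matches(request_host, filter_host, prop_value="",
                          lookup=sample_canonical_lookup):
    """True when the request would be recognised as needing SPNEGO evaluation."""
    name, _reason = hostname_for_spnego_filter(
        request_host, parse_skip_list(prop_value), lookup)
    return name == filter_host


if __name__ == "__main__":
    skip = "myhost1.mycompany.com|myhost2.mycompany.com"
    for host in ("myhost1.mycompany.com", "myhost2.mycompany.com"):
        print(host, "no skip list:", hostname_for_spnego_filter(host, set(), sample_canonical_lookup))
        print(host, "with skip list:", spnego_filter_matches(host, host, skip))
```

The case-sensitivity of the property value shows up directly: a request for `MYHOST2.mycompany.com` does not match a skip-list entry of `myhost2.mycompany.com`, so the lookup still runs and the filter match still fails.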
Default: None
com.ibm.websphere.security.spnego.useBuiltInMappingToSAF
Ensure that a mapping from a Kerberos principal to a RACF ID is performed for SPNEGO web authentication.
Unless this property is added to the security settings and set to true, no mapping from a Kerberos principal to a RACF ID is performed for SPNEGO web authentication.
If Kerberos authentication is used in combination with SPNEGO web authentication, configuring a built-in mapping for either Kerberos or SPNEGO results in the mapping being done for both.
Default: false
com.ibm.websphere.security.strictCredentialExpirationCheck
Specifies whether a credential expiration check occurs for a local EJB call. Typically, when an EJB invokes another EJB located on the local machine, a direct method invocation occurs even if the credentials of the original invoker expired before the local EJB call.
If set to true, a credential expiration check occurs on a local EJB call before the EJB is invoked on the local machine. If the credentials have expired, the EJB call is rejected.
If set to false, a credential expiration check does not occur for a local EJB call.
Default: false
com.ibm.websphere.security.tokenFromMBeanSoapTimeout
Amount of time the receiving server waits for an outbound SOAP call to retrieve the proper authentication from the originating server when Single Sign-On is enabled.
There is no default value for this property. If no value is specified, the global SOAP timeout value is used as the timeout value for the SOAP connection.
com.ibm.websphere.security.useActiveRegistryForNewDefaultSSOTokens
Indicate that the active user registry should be used when creating a new default Single Sign-on (SSO) token.
Typically, a default SSO token is created whenever there is a mismatch between the access ID of the incoming SSO authentication token and the principal name in the authorization token. A possible cause of this mismatch is having different realms. For example, a mismatch occurs if the admin domain is using a LocalOS registry and the active registry is LDAP.
Setting this property to true causes new SSO tokens to be created using the active registry (the LDAP registry in the preceding example).
The default value for the property is false.
com.ibm.websphere.security.useLoggedSecurityName
This is a custom property of user registries. It alters how the WSCredential is created.
A setting of false indicates that the security name returned by the user registry is always used to construct the WSCredential.
A setting of true indicates that either a security name supplied by the login module or a display name supplied by the user registry is used. This setting is compatible with WAS version 6.1 and earlier.
Default: false
com.ibm.websphere.security.util.csiv2SessionCacheIdleTime
Time in milliseconds that a CSIv2 session can remain idle before being deleted. The session is deleted if the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property is set to true, and the maximum size of the CSIv2 session cache is exceeded.
This custom property only applies if we enable stateful sessions, set the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property to true, and set a value for the com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom property. Consider decreasing the value for this custom property if the environment uses Kerberos authentication and has a short clock skew for the configured key distribution center (KDC). In this scenario, a short clock skew is defined as less than 20 minutes.
Important: Do not set a value for this function through the custom property panel because the value is not validated against the expected range of values. Instead, set the value on the CSIv2 outbound communications panel, which is available in the administrative console by completing the following steps:
- Expand the Security section and click Global security.
- Expand the RMI/IIOP security section and click CSIv2 outbound communications
We can set the value in the Idle session timeout field. Note, however, that the CSIv2 outbound communications panel expects the value in seconds, not milliseconds.
The range of values for this custom property is 60,000 to 86,400,000 milliseconds. By default, the value is not set.
com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled
Specify whether to limit the size of the CSIv2 session cache.
When we set this custom property value to true, we must set values for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime and com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom properties. When we set this custom property to false, the CSIv2 session cache is not limited. The default property value is false.
Consider setting this custom property to true if the environment uses Kerberos authentication and has a small clock skew for the configured key distribution center (KDC). In this scenario, a small clock skew is defined as less than 20 minutes. A small clock skew can result in a larger number of rejected CSIv2 sessions. However, with a smaller value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property, the application server can clean out these rejected sessions more frequently and potentially reduce the resource shortages.
Important: This custom property only applies if we enable the stateful sessions.
Important: Although we can enable the CSIv2 session cache limit option as a custom property, it is advisable that we enable the option on the CSIv2 outbound communications panel, which is available in the administrative console by completing the following steps:
- Expand the Security section and click Global security.
- Expand the RMI/IIOP security section and click CSIv2 outbound communications
We can enable the Enable CSIv2 session cache limit option. The default is false.
com.ibm.websphere.security.util.csiv2SessionCacheMaxSize
Maximum size of the session cache after which expired sessions are deleted from the cache.
Expired sessions are defined as sessions that are idle longer than the time specified by the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property. When we use the com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom property, consider setting its value between 100 and 1000 entries.
Consider specifying a value for this custom property if the environment uses Kerberos authentication and has a small clock skew for the configured key distribution center (KDC). In this scenario, a small clock skew is defined as less than 20 minutes. Consider increasing the value of this custom property if the small cache size causes the garbage collection to run so frequently that it impacts the performance of the application server.
This custom property only applies if we enable stateful sessions, set the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property to true, and set a value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property.
Important: Do not set a value for this function through the custom property panel because the value is not validated against the expected range of values. Instead, set the value on the CSIv2 outbound communications panel, which is available in the administrative console by completing the following steps:
- Expand the Security section and click Global security.
- Expand the RMI/IIOP security section and click CSIv2 outbound communications
We can set the value in the Maximum cache size field.
The range of values for this custom property is 100 to 1000 entries. By default, the value is not set.
com.ibm.websphere.security.util.postParamMaxCookieSize
Set a size limit for WASPostParam cookies generated by the security code.
When the "Use available authentication data when an unprotected URI is accessed" option is enabled and form-based authentication is used, a WASPostParam cookie is generated during the authentication procedure of an HTTP POST request even if the target URL is unprotected. A WASPostParam cookie is a temporary cookie used to store HTTP POST parameters. The web client is therefore sent an unnecessary cookie with the HTTP response, which can cause unexpected behavior when the cookie is larger than the browser limit. To avoid this behavior, set com.ibm.websphere.security.util.postParamMaxCookieSize so that the security code stops generating the cookie when the maximum size specified by this property is reached. The value must be a positive integer and represents the maximum size of the cookie in bytes.
Default: none
com.ibm.websphere.security.web.removeCacheOnFormLogout
Specify whether a cached object is removed from the authentication cache and the dynamic cache when a form logout occurs. A form logout is a mechanism that enables a user to log out of an application without having to close all Web-browser sessions.
When false, corresponding cached entries are not removed from the authentication cache and the dynamic cache when a form logout occurs. As a result, if the same user logs back in after a form logout, the cached object is reused.
Because the original cached object was created during a previous login session, its expiration time might be shorter than the configured timeout value.
When true, the cached entries are removed from the authentication cache and the dynamic cache when a form logout occurs.
Default is true.
com.ibm.websphere.security.web.setLTPATokenCookieToUnprotectedURI
Specify the cookie generation behavior for Lightweight Third Party Authentication (LTPA) tokens for inbound web resource requests.
When this property is true, the application server generates and sets an LTPAToken cookie for all successfully authenticated resource requests, regardless of whether the request is for protected or unprotected web resources. This behavior is different from the behavior in WAS v6.1 and can cause some applications developed for v6.1 not to work on later versions.
Set to false to generate an LTPAToken cookie only for protected web resources. This behavior is compatible with WAS v6.1.
Default is true.
com.ibm.websphere.security.webAlwaysLogin
This property specifies whether the login() method throws an exception if an identity has already been authenticated. We can override this behavior by setting the property to true: the login() method then always uses the user ID and password to authenticate to the application server, regardless of whether SSO information is present in the HttpServletRequest.
Default: false
Type: string
com.ibm.websphere.ssl.include.ECCiphers
Specify whether WAS includes Elliptic Curve Cryptography (ECC) ciphers in the default cipher suite list.
When this property is not set or is set to false, the application server does not include ECC ciphers by default. Set the property to true to include ECC ciphers in the list of default cipher suites. If SP800-131a or Suite B is enabled, ECC ciphers are always included.
Default: true
Type: string
com.ibm.websphere.ssl.retrieveLeafCert
Enable the retrieve-from-port function to retrieve the leaf certificate instead of the root certificate.
When this property is not set or is set to false, the retrieve-from-port function retrieves the root certificate of the chain presented by the remote port. Set the property to true if we want the function to retrieve the leaf (end-entity) certificate instead.
Default: false
Type: string
com.ibm.ws.security.addHttpOnlyAttributeToCookies
Enables setting the HttpOnly attribute on single sign-on (SSO) cookies.
Use the com.ibm.ws.security.addHttpOnlyAttributeToCookies custom property to protect cookies that contain sensitive values. When this property is set to true, the application server sets the HttpOnly attribute on SSO cookies whose values are set by the server. The attribute instructs the browser not to expose the cookie to client-side script.
A true value also enables the application server to properly recognize, accept, and process inbound cookies that carry the HttpOnly attribute, and inhibits cross-site scripting from accessing sensitive cookie information.
A common security problem affecting web servers is cross-site scripting (XSS), a server-side vulnerability that is often created when user input is rendered as HTML. XSS attacks can expose sensitive information about the users of a website. Most modern web browsers honor the HttpOnly attribute and refuse to expose such cookies to script, so a successful XSS attack cannot simply read the token; the attribute does not prevent the script injection itself. A cookie with this attribute is called an HttpOnly cookie, and its value is less likely to be disclosed to an attacker or a malicious website. For more information about the HttpOnly attribute, see the Open Web Application Security Project (OWASP) website.
Important: When this custom property is used, the HttpOnly attribute is not added to every cookie that passes through the application server, nor to other non-secure cookies created by the application server. Cookies that do not receive the attribute include:
- JSESSIONID cookies
- SSO cookies created by authenticators or providers from another software vendor
- Client or browser cookies that do not already contain the HttpOnly attribute
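A practitioner verifying this property will usually look at the Set-Cookie headers of a login response. The following Python script is an added example and is not IBM's code: it parses Set-Cookie header values and reports server-set SSO cookies (LtpaToken and LtpaToken2, assuming the default cookie names are in use) that lack HttpOnly, and separately notes the other cookies the property is documented not to touch. The header values are constructed to look like a WebSphere form-login response; they were not captured from a real server. The Secure flag, which this property does not control, is reported for SSO cookies as well, because a token sent over plain HTTP is exposed regardless of HttpOnly.

```python
# Added example (not IBM's code): audit Set-Cookie headers for the HttpOnly
# attribute controlled by com.ibm.ws.security.addHttpOnlyAttributeToCookies.
from typing import Dict, List, Tuple

# Constructed sample headers resembling a WebSphere form-login response.
SAMPLE_SET_COOKIE_HEADERS = [
    "LtpaToken2=AAECAwQFBgcICQ==; Path=/; Domain=.example.com; HttpOnly; Secure",
    "JSESSIONID=0000A1b2C3d4:-1; Path=/",
    "myapp_pref=dark; Path=/myapp; Max-Age=2592000",
]

# Server-set SSO cookie names the property applies to (assumption: the
# defaults; an installation using customLTPACookieName or
# customSSOCookieName would add its own names here).
SSO_COOKIE_NAMES = {"LtpaToken", "LtpaToken2"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to an empty string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(headers: List[str]) -> List[Tuple[str, str, str]]:
    """Return (cookie name, severity, message) findings.

    An SSO cookie without HttpOnly is a 'fail': either the property is false
    or something else stripped the attribute. A missing Secure flag on an SSO
    cookie is also a 'fail'. Other cookies without HttpOnly are 'info' only,
    because the property is documented not to touch them (JSESSIONID,
    third-party SSO cookies, browser-supplied cookies)."""
    findings: List[Tuple[str, str, str]] = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        is_sso = name in SSO_COOKIE_NAMES
        if "httponly" not in attrs:
            findings.append((name, "fail" if is_sso else "info", "HttpOnly not set"))
        if is_sso and "secure" not in attrs:
            findings.append((name, "fail", "Secure not set"))
    return findings


def sso_cookies_are_httponly(headers: List[str]) -> bool:
    """True when every server-set SSO cookie in the response carries HttpOnly."""
    return not any(severity == "fail" and message == "HttpOnly not set"
                   for _, severity, message in audit_cookies(headers))


if __name__ == "__main__":
    for name, severity, message in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{severity.upper():5} {name}: {message}")
    print("SSO cookies HttpOnly:", sso_cookies_are_httponly(SAMPLE_SET_COOKIE_HEADERS))
```

To run it against a live server, replace SAMPLE_SET_COOKIE_HEADERS with the Set-Cookie values from a form-login response (for example, every value of response.headers.get_all("Set-Cookie") from http.client); a 'fail' on LtpaToken2 means the property is not in effect for that server.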
We can set or remove this custom property from the Single sign-on panel in the administrative console by doing the following:
- Click Security > Global security.
- Under Authentication, click Web and SIP security > Single sign-on (SSO).
Default: true
Type: Boolean
com.ibm.ws.security.allowNonAdminToSecurityXML
This property specifies whether the non-admin security roles are allowed to modify the security.xml file. Setting this property to true gives non-admin security roles the ability to modify the security.xml file. In v6.1 and later, by default, non-admin security roles have the ability to modify the security.xml file.
Default: false
Type: Boolean
com.ibm.ws.security.config.SupportORBConfig
Specifies whether the object request broker (ORB) is checked for properties. This property must be set as a system property. Set it to true or yes so that the ORB is checked for properties; for any other setting, the ORB is ignored completely.
Use this property when a pluggable application client connects to WAS. Specifically, it applies whenever a hashmap containing security properties is passed on a new InitialContext(env) call.
com.ibm.ws.security.createTokenSubjectForAsynchLogin
In this release, the actual LTPA token data is not available from a WSCredential.getCredentialToken() call when it is made from a contextual proxy or asynchronous bean. For an existing configuration, add the com.ibm.ws.security.createTokenSubjectForAsynchLogin custom property with a value of true to allow the LTPAToken to be forwarded to contextual proxies and asynchronous beans; this also allows portlets to perform LTPA token forwarding. This custom property is case sensitive. Restart the application server after adding it.
This custom property applies only to system conditions where Server A makes EJB calls from contextual proxies or asynchronous beans to Server B. This property does not apply for JAAS login situations.
Default: not applicable
com.ibm.ws.security.defaultLoginConfig
This property is the JAAS login configuration used for logins that do not fall under the WEB_INBOUND, RMI_OUTBOUND, or RMI_INBOUND login configuration categories.
Internal authentication and protocols that do not have specific JAAS plug points call the system login configuration referenced by com.ibm.ws.security.defaultLoginConfig configuration.
Default: system.DEFAULT
com.ibm.ws.security.failSSODuringCushion
Use the com.ibm.ws.security.failSSODuringCushion custom property to update custom JAAS Subject data for the LTPA token.
When we do not set this custom property to true, new JAAS Subjects might not contain the custom JAAS Subject data.
Default is true.
com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA
Correct an "invalid library name" error that occurs when we attempt to use a PKCS11 type keystore with a Java client.
(z/OS) Also use this custom property when using the IBMJCECCA provider, because distributed and z/OS operating systems use different provider types for hardware cryptography. The ssl.client.props file points to a configuration file, which in turn points to the library name for the cryptographic device. The Java client code looks up a keystore type for the correct provider name. Without this custom property, the keystore type constant for PKCS11 is not specified correctly, because it references the IBMPKCS11Impl provider instead. In addition, the LTPA code uses the provider list to determine the Java Cryptography Extension (JCE) provider, which causes a problem when SSL acceleration is attempted, because the IBMPKCS11Impl provider must be listed before the IBMJCE provider in the java.security file.
This custom property corrects both issues so that SSL and other cryptographic mechanisms can use hardware acceleration.
LTPA itself cannot use hardware acceleration, because the software keys for LTPA do not implement the java.security.interfaces.RSAPrivateCrtKey interface, which many accelerator cards require.
Set to true to use a PKCS11 type keystore with a Java client.
Default: false
com.ibm.ws.security.ltpa.useCRT
Improve the CPU utilization during the sign() operation that occurs when a new LTPA2 (SSO) token is created. When true, the product implements the Chinese Remainder Theorem (CRT) algorithm when signing the new token. This property has no effect on the old style LTPA token.
Default: false
com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA
Force RSA token validation to be done in software.
Some hardware crypto cards are not compatible with the RSA tokens. If we receive the message The signature of the rsa token was not verified, we might need to use the LTPA authentication mechanism instead of RSA tokens for security validation. To change our security validation settings:
- In the administrative console, click Global security > Administrative authentication, and clear RSA token.
- Select Only use the active application authentication mechanism.
- Click Custom properties> New to add com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA custom property to our security settings.
- Add com.ibm.ws.security.rsa.forceSoftwareJCEProviderForRSA in the Name field and true in the Value field.
When true, the default software JCE provider, instead of IBMJCECCA, is used for security validation.
Default: false
com.ibm.ws.security.ssoInteropModeEnabled
This property determines whether to send LtpaToken2 and LtpaToken cookies in the response to a web request (interoperable).
When this property is false, the application server sends only the new LtpaToken2 cookie, which is stronger but not interoperable with some other products and with WAS releases prior to v5.1.1. In most cases the old LtpaToken cookie is not needed, and we can set this property to false.
Default: true
com.ibm.ws.security.unprotectedUserRegistryMethods
Method names on the UserRegistry interface, such as getRealm, getUsers, and isValidUser, that we do not want protected from remote access. To specify multiple method names, separate the names with a space, a comma, a semicolon, or a vertical bar (|). See the implementation of the UserRegistry interface for a complete list of valid method names.
If we specify an * as the value for this property, all methods are unprotected from remote access. If a value is not specified for this property, all methods are protected from remote access.
If an attempt is made to remotely access a protected UserRegistry interface method, the remote process receives a CORBA NO_PERMISSION exception with minor code 49421098.
There is no default value for this property.
com.ibm.ws.security.web.saml.disableDecodeURL
This property provides an option to disable URL decoding.
When SAML Web SSO is enabled and SAML TAI is invoked, a cookie is set to store the original request URL. After authentication, the original URL is decoded before it is sent as a redirect. When this property value is set to true, the original URL for redirect is used without decoding the URL. To set this property with the administrative console, click Security > Global security > Custom properties. Click New to add a new custom property and its associated value.
Default: false
com.ibm.ws.security.webChallengeIfCustomSubjectNotFound
This property determines the behavior of a single sign-on LtpaToken2 login when the token contains a custom cache key but the corresponding custom Subject cannot be found (for example, because it was evicted from the cache).
When this property is set to true and the custom Subject is not found, the user is challenged to log in again so that the custom information can be regathered. When this property is set to false and the custom Subject is not found, the LtpaToken2 is used to log in directly and all of the registry attributes are gathered; however, the resulting Subject might not contain the special attributes that downstream applications expect.
Default: true
com.ibm.ws.security.webInboundLoginConfig
JAAS login configuration used for web requests received inbound.
By knowing the login configuration, we can plug in a custom login module that can handle specific cases for web logins.
Default: system.WEB_INBOUND
com.ibm.ws.security.webInboundPropagationEnabled
This property determines whether, when an LtpaToken2 cookie is received, the propagated attributes are searched for locally before the original login server specified in the token is contacted. After the propagated attributes are received, the Subject is regenerated and the custom attributes are preserved.
We can configure the data replication service (DRS) to send the propagated attributes to front-end servers so that a local dynamic cache lookup can find the propagated attributes. Otherwise, an MBean request is sent to the original login server to retrieve these attributes.
Default: true
com.ibm.ws.security.web.logoutOnHTTPSessionExpire
This property specifies whether users are logged out when the HTTP session times out.
If set to false, the user credential stays active until the single sign-on token timeout occurs, even though the HTTP session has expired.
The com.ibm.ws.security.web.logoutOnHTTPSessionExpire property only applies to applications using form login.
Default: false
Required: false
Data type: boolean
com.ibm.ws.security.WSSecureMapInitAtStartup
This property specifies whether the security cache (WSSecureMap), which is part of the dynamic cache, is initialized at startup for use in security attribute propagation.
Default: true
com.ibm.ws.security.WSSecureMapSize
This property specifies the security cache (WSSecureMap) size.
The size specified for com.ibm.ws.security.WSSecureMapSize is used only if com.ibm.ws.security.WSSecureMapInitAtStartup is set to true.
Default: 100
com.ibm.wsspi.security.cred.refreshGroups
This property affects behavior when deserializing a security context that was previously saved as part of asynchronous security processing for web services, Concurrency Utilities for Java EE, or asynchronous beans.
When true, the user registry is accessed to get the groups associated with the user. If the user still exists in the registry, the groups from the user registry are used instead of the groups that were serialized in the security context. If the user is not found in the user registry, and the verifyUser property is set to false, the groups from the security context are used.
Default: false
com.ibm.wsspi.security.cred.verifyUser
This property affects behavior when deserializing a security context that was previously saved as part of asynchronous security processing for web services, Concurrency Utilities for Java EE, or asynchronous beans.
When true, the user registry is accessed to verify that the user from the security context still exists. If it does not exist, a WSLoginFailedException is thrown.
Default: false
com.ibm.wsspi.security.ltpa.tokenFactory
LTPA token factories used to validate the LTPA tokens.
Validation occurs in the order in which the token factories are specified, because LTPA tokens do not carry object identifiers (OIDs) that indicate the token type. The application server tries each token factory in turn until validation succeeds, so list the factories in the order of the token types most likely to be received. Specify multiple token factories by separating them with a pipe (|), with no spaces before or after the pipe.
Default: com.ibm.ws.security.ltpa.LTPATokenFactory|com.ibm.ws.security.ltpa.LTPAToken2Factory|com.ibm.ws.security.ltpa.AuthzPropTokenFactory
com.ibm.wsspi.security.token.authenticationTokenFactory
Implementation used for an authentication token in the attribute propagation framework. The property provides an old LTPA token implementation for use as the authentication token.
Default: com.ibm.ws.security.ltpa.LTPATokenFactory
com.ibm.wsspi.security.token.authorizationTokenFactory
Implementation used for an authorization token. This token factory encodes the authorization information.
Default: com.ibm.ws.security.ltpa.AuthzPropTokenFactory
com.ibm.wsspi.security.token.propagationTokenFactory
Implementation used for a propagation token. This token factory encodes the propagation token information.
The propagation token is on the thread of execution and is not associated with any specific user Subjects. The token follows the invocation downstream flow wherever the process leads.
Default: com.ibm.ws.security.ltpa.AuthzPropTokenFactory
com.ibm.wsspi.security.token.singleSignonTokenFactory
Implementation used for a Single Sign-on (SSO) token. This implementation is the cookie that is set when propagation is enabled regardless of the state of the com.ibm.ws.security.ssoInteropModeEnabled property.
By default, this implementation is the LtpaToken2 cookie.
Default: com.ibm.ws.security.ltpa.LTPAToken2Factory
com.ibm.wsspi.wssecurity.kerberos.failAuthForExpiredKerberosToken
Specify how we want the system to handle authentication for a request after the Kerberos token for the request expires.
When true, if a Kerberos token cannot be refreshed after it expires, authentication for the request fails.
When false, authentication for the request does not fail even if the token has expired.
The default value for this property is false.
security.allowCustomHTTPMethods
Use this custom property to permit custom HTTP methods, that is, methods other than the standard HTTP methods DELETE, GET, HEAD, OPTIONS, POST, PUT and TRACE.
When false, which is the default, if the combination of a URI pattern and a custom HTTP method is not listed in a security-constraint element, the security constraints are searched using the URI pattern only. If there is a match, the <auth-constraint> element of that constraint is enforced. This behavior minimizes a potential security exposure: a request with an unexpected method name cannot slip past constraints that were written only for the standard methods.
When true, custom HTTP methods are treated like the standard HTTP methods: the authorization decision is made on both the URI pattern and the HTTP method, and an unlisted custom method is unprotected just as an unlisted standard method is. To properly protect a target URI, make sure that every HTTP method to be protected is listed in the <web-resource-collection> element, or omit the <http-method> elements so that the constraint covers all methods.
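The following Python model is an added example, not WebSphere's own matching code: it reproduces the constraint-matching rule described above so that the effect of security.allowCustomHTTPMethods can be seen on sample requests. The constraint is constructed to mirror a web.xml fragment that protects /admin/* for GET and POST only; the class and function names are the example's own. It also shows the classic verb-tampering case the page's last sentence warns about: a standard method that is not listed (DELETE here) is unprotected under either setting, while a custom method (FOO here) is protected only while the property is left at its default of false.

```python
# Added example (not IBM's code): a model of security-constraint matching
# under security.allowCustomHTTPMethods, mirroring this constructed web.xml:
#   <security-constraint>
#     <web-resource-collection>
#       <url-pattern>/admin/*</url-pattern>
#       <http-method>GET</http-method>
#       <http-method>POST</http-method>
#     </web-resource-collection>
#     <auth-constraint><role-name>admin</role-name></auth-constraint>
#   </security-constraint>
from typing import Iterable, List, Optional, Set

STANDARD_METHODS = {"DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE"}


class SecurityConstraint:
    """One <security-constraint>: URL patterns, listed methods, required roles."""

    def __init__(self, url_patterns: Iterable[str], http_methods: Iterable[str],
                 roles: Iterable[str]) -> None:
        self.url_patterns = list(url_patterns)
        self.http_methods = {m.upper() for m in http_methods}  # empty = all methods
        self.roles = set(roles)                                 # empty = deny everyone


def url_pattern_matches(pattern: str, uri: str) -> bool:
    """Servlet-style matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    if pattern.startswith("*."):
        return uri.endswith(pattern[1:])
    return uri == pattern


def applicable_roles(constraints: List[SecurityConstraint], uri: str, method: str,
                     allow_custom_http_methods: bool = False) -> Optional[Set[str]]:
    """Return the role set protecting (uri, method), or None when no
    auth-constraint applies and the request is therefore unprotected."""
    method = method.upper()
    for c in constraints:
        if not any(url_pattern_matches(p, uri) for p in c.url_patterns):
            continue
        if not c.http_methods or method in c.http_methods:
            return c.roles
        if method not in STANDARD_METHODS and not allow_custom_http_methods:
            # Property false (default): a custom method not listed with this
            # URI pattern falls back to a URI-only match, so the constraint
            # is still enforced.
            return c.roles
        # Property true, or an unlisted standard method: this constraint does
        # not cover the method; keep looking, then fall through to unprotected.
    return None


def is_protected(constraints: List[SecurityConstraint], uri: str, method: str,
                 allow_custom_http_methods: bool = False) -> bool:
    return applicable_roles(constraints, uri, method, allow_custom_http_methods) is not None


ADMIN_CONSTRAINTS = [SecurityConstraint(["/admin/*"], ["GET", "POST"], ["admin"])]

if __name__ == "__main__":
    for m in ("GET", "DELETE", "FOO"):
        for allow in (False, True):
            print(f"{m:6} allowCustomHTTPMethods={str(allow):5} "
                  f"protected={is_protected(ADMIN_CONSTRAINTS, '/admin/users', m, allow)}")
```

The model deliberately ignores http-method-omission elements and the Servlet specification's rules for merging several constraints on one pattern; it is meant to make the two settings' behaviour concrete, not to replace a review of the deployed web.xml.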
security.enablePluggableAuthentication
This property is no longer used. Instead, use WEB_INBOUND login configuration.
Complete the following steps to modify the WEB_INBOUND login configuration:
- Click Security > Global security.
- Under JAAS, click System logins.
Default: true
security.useDefaultPolicyWhenJ2SDisabled
When this property is set to true, the NullDynamicPolicy.getPermissions method delegates to a default policy class to construct the Permissions object. When false, an empty Permissions object is returned.
Default: false
security.useAllSSLClientAuthKeytypes
This property ensures that, when WAS acts as the client in an SSL handshake that uses SSL client authentication, all key types listed in the certificate request sent by the target server are considered when selecting a client certificate.
Without this property, WAS does not pick up all of the key types in the server's certificate request; it uses only the most preferred key type. If the key type of the client certificate in the keystore does not match that most preferred type, WAS sends no client certificate even though a suitable client certificate is present in the keystore.
WAS_customUserMappingImpl
This security property is used to plug in a custom UserMapping class. If the value is set at the top level of the security configuration to the name of the custom user mapping class, that class is used for customizing certificate user mapping and/or identity assertion user mapping. Place the JAR file that contains the custom class in WAS_HOME/lib/ext.
Related topics:
- Enable WebSphere Application Server security
- Use an alias host name for SPNEGO TAI or SPNEGO web authentication using the administrative console (deprecated)
- CSIv2 outbound communications settings
- System login configuration entry settings for JAAS