scriptframework.properties (Suggested)

For all new JavaScript extensions, use the scriptframework.properties file to configure script extensions and other scripting functions.

JavaScript is used in IBM Security Identity Manager to specify identity policies, provisioning policy parameters, service selection policies, placement rules for identity feeds, and orphan account adoption.

In addition, JavaScript is used in workflows to specify transition conditions, loop conditions, JavaScript activities, activity postscripts, and workflow notification. Various scripting extensions are provided by IBM Security Identity Manager to expose useful data and services to each of these scripts. In addition to these extensions, system administrators can configure IBM Security Identity Manager to load custom JavaScript extensions.

The file scriptframework.properties is used to configure all parts of scripting support in IBM Security Identity Manager. It includes which script extensions to use, which script interpreter to use, and other properties that relate to scripting.

The major parts of the scriptframework.properties file are divided by these host components: PostOffice, ProvisioningPolicy, AccountTemplate, HostSelection, PersonPlacementRules, Workflow, Reminder, IdentityPolicy, Notification, and OrphanAdoption. The most heavily used section of the property file is for configuring which extensions to load for each host component. To have the script framework load an extension, add a key-value line to the scriptframework.properties file that is similar to this example:

where ITIM.extension.{Host Component} is the key and com.ibm.itim.class_name is the value. The value of {Host Component} can be any of the previously listed components. If you want to load more than a single extension for a host component, you can add a suffix to the host component, such as:

The only rule is that each key must be unique in the file.

The scriptframework.properties file comes pre-configured to load the extensions necessary to use IBM Security Identity Manager with its default scripts. Do not remove any lines in scriptframework.properties because removal might cause IBM Security Identity Manager to stop functioning properly.

The next section of the scriptframework.properties file configures which script interpreter to use for each host component. IBM Security Identity Manager currently supports two different script interpreters, the IBM JSEngine and the FESI JavaScript Interpreter. To configure which interpreter to use for each host component, there is a line in the file that looks like:

The value of {Host Component} can be any of the previously listed components. The value of {Engine} can be either IBMJS or FESI. The {Engine} variable is not case-sensitive, so typing fesi works as well as typing FESI. IBMJS is the default scripting engine, so any value for {Engine} other than IBMJS or FESI, or no value, uses the IBMJS engine. The FESI engine is deprecated. Use it only if you upgraded from IBM Security Identity Manager Version 4.6 or earlier and have custom FESI extensions.

The next section in the configuration file enables configuring custom JavaScript wrappers. For security reasons, IBM Security Identity Manager does not expose all objects to the scripting environment. Instead, most objects are wrapped in a more restrictive wrapper class that exposes only certain methods. IBM Security Identity Manager has a default wrapper configuration that you can override or extend in this section. This feature is for an advanced user; in most cases do not use it. For more details on how to configure custom wrappers, see the comments in the scriptframework.properties file.

In the next section, you can configure direct Java™ access from scripts run by the IBM JSEngine interpreter. Direct Java access is powerful, but scripts that use it can bypass some of the security built into the script framework. Consider carefully before you enable it. See the comments in the scriptframework.properties file for more information about how to enable direct Java access.

The final section of the configuration file configures specific properties that might be useful. Each specific property is explained in comments in the scriptframework.properties file, including default and allowed values.


Error handling

To enable retry of a workflow activity when script evaluation fails because the Directory Server is down, add the following new property:

ITIM.script.extension.retryOn=standardException.jndiCommunicationException, standardException.jndiServiceUnavailable

Additionally, any custom IBMJS code that is used in the workflow and performs an LDAP operation must be modified to throw ScriptException, with the exception message set to either standardException.jndiCommunicationException or standardException.jndiServiceUnavailable.

For example.

Alternatively, the exception message that is thrown by a custom script extension can be included as another value for the 'ITIM.script.extension.retryOn' property. Multiple values that are specified for this property must be comma separated.
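The key-uniqueness rule for extension lines and the retryOn values described above can be checked before a changed file is deployed. The following Python linter is an added example, not part of the product or of the original page; it assumes standard Java properties loading (where a repeated key silently keeps only one value), and the com.example class names and the sample input are constructed.

```python
# Added example: lint a scriptframework.properties text for the rules stated above.
HOST_COMPONENTS = ("PostOffice", "ProvisioningPolicy", "AccountTemplate",
                   "HostSelection", "PersonPlacementRules", "Workflow", "Reminder",
                   "IdentityPolicy", "Notification", "OrphanAdoption")
EXT_PREFIX = "ITIM.extension."
RETRY_KEY = "ITIM.script.extension.retryOn"
STANDARD_RETRY = {"standardException.jndiCommunicationException",
                  "standardException.jndiServiceUnavailable"}

def parse_properties(text):
    """Yield (line_no, key, value); simplified: '=' separator, no continuations."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            yield no, key.strip(), value.strip()

def lint(text):
    findings, first_seen = [], {}
    for no, key, value in parse_properties(text):
        # Rule from the page: each key must be unique in the file.
        if key in first_seen:
            findings.append(f"line {no}: duplicate key {key} (first on line {first_seen[key]})")
        first_seen.setdefault(key, no)
        # Extension keys must name one of the listed host components (suffix allowed).
        if key.startswith(EXT_PREFIX) and not key[len(EXT_PREFIX):].startswith(HOST_COMPONENTS):
            findings.append(f"line {no}: unknown host component in {key}")
        # Heuristic (assumption): a standardException.* value other than the two
        # named on the page is probably a typo; custom messages are left alone.
        if key == RETRY_KEY:
            for item in (v.strip() for v in value.split(",")):
                if item.startswith("standardException.") and item not in STANDARD_RETRY:
                    findings.append(f"line {no}: unrecognized retryOn value {item}")
    return findings

# Constructed sample; the com.example class names are hypothetical.
SAMPLE = """\
# constructed test input
ITIM.extension.Workflow=com.example.ExtensionA
ITIM.extension.Workflow=com.example.ExtensionB
ITIM.extension.Workflw=com.example.ExtensionC
ITIM.script.extension.retryOn=standardException.jndiCommunicationException, standardException.jndiServiceUnavailabl
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

A misspelled retryOn value fails silently: the property loads, but the exception message never matches and the activity is not retried.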
