Federation - Advanced configuration

1. Category filter
2. WebSEAL Authenticate Callback
3. One-time password Authenticate Callback
4. Authentication-Policy Callback
5. SPS HTTP request claims
6. Distributed shared data storage
7. Attribute matcher
8. IP reputation PIP
9. Attribute collector properties
10. Device registration properties
11. Runtime properties
12. Single sign-on protocol service
13. SPS page
14. Risk engine properties
15. Authentication service properties
16. Authentication service session store properties
17. Session
18. Distributed session cache
19. TOTP and HOTP retry properties
20. OAuth20
21. HTTP client
22. HTTP Client version 2
23. Demo
24. Knowledge questions properties
25. Key encryption and signing service (KESS)
26. JSON Web Key
27. Policy information point (PIP)
28. Security token service (STS)
29. Mobile Multi-Factor Authentication (MMFA)
30. WS-Federation
31. SAML 1.1
32. SAML 2.0
33. OIDC
34. Rhino Javascript Engine

Modify the advanced configurations for Advanced Access Control or Federation to meet the requirements of your organization.

Category filter

The category filter displays names of grouping of configuration settings. The groupings correspond to functional areas. When we select a category, the user interface displays only the settings for the category.

Category	Displays values for:
All	All keys
poc.websealAuth	WebSEAL Authenticate Callback
poc.otpAuth	One-time password Authenticate Callback
poc.authPolicy	Authentication-Policy Callback
sps.httpRequestClaims	SPS HTTP request claims
distributedMap	Distributed shared data storage
userBehavior	Attribute matcher properties
ipReputation	IP reputation PIP properties
attributeCollection	Attribute collector properties
deviceRegistration	Device registration properties
runtime	Runtime properties
sps.page	SPS page
sps	Single sign-on protocol service
riskEngine	Risk engine properties
sps.authService	Authentication service properties
authsvc.stateMgmt	Authentication service session store properties
session	Session
distributedSessionCache	Distributed session cache
otp.retry	TOTP and HOTP retry properties
oauth20	OAuth20
util.httpClient	HTTP client
util.httpClient v2	HTTP Client version 2
demo	Demo
knowledge.questions	Knowledge questions properties
kess	Key encryption and signing service (KESS)
jwks	JSON Web Key
pip	Policy information point (PIP)
sts	Security token service (STS)
mmfa	Mobile Multi-Factor Authentication (MMFA)
wsfed	WS-Federation
saml20	SAML 2.0
demo	Demo
saml11	SAML 1.1
oidc	OIDC
js	Rhino Javascript Engine

WebSEAL Authenticate Callback

poc.websealAuth.authLevel

The authentication level of the callback.

Data type: Integer

Example: 1

One-time password Authenticate Callback

poc.otp.authLevel

The authentication level of the callback.

Data type: Integer

Example: 2

poc.otp.backwardCompatibilityEnabled

One-time password authentication mechanism should run in backward compatibility mode. Default is false if it is a new installation. The default value is true if the installation is an upgrade.

Data type: Boolean

Example: true

Authentication-Policy Callback

poc.authPolicy.allowRequestOverride

Authentication level, the authentication mode, and the authentication type of the callback can be overwritten by query string parameters.

Data type: Boolean

Example: true

poc.authPolicy.authLevel

The authentication level of the callback.

Data type: Integer

Example: 1

poc.authPolicy.authType

The authentication type of the callback.

Data type: String

Example: COMPLEMENTARY, HIERARCHICAL

SPS HTTP request claims

sps.httpRequestClaims.enabled

HTTP request information is sent to STS as HTTPRequestClaims. This flag additionally makes HTTP Request attributes (Headers, Cookies and Parameters) available to administrators in OIDC, OAuth, and SAML (see HTTP Claims in OIDC, OAuth and SAML JavaScript Mapping Rules), Authsvc and InfoMap (see HTTP Claims in Authsvc and InfoMap JavaScript Mapping Rules) and FIDO2 (see HTTP Claims in FIDO2 Mediator JavaScript Mapping Rules) JavaScript Mapping rules.

Data type: Boolean

Example:false

sps.httpRequestClaims.filterSpec

The filter that specifies the HTTP request information sent to STS as HTTPRequestClaims.

Data type: String

Example: cookies=*:headers=*

Distributed shared data storage

distributedMap.cleanupWait

The amount of time, in milliseconds, to wait before it performs another cleanup against the distributed map.

Distributed map clean up can be disabled by setting the cleanupWait to 0.

Data type: Integer

Example: 10000

distributedMap.defaultTTL

The amount of time, in seconds, the entries in the distributed map must live when no lifetime is specified for an entry.

Data type: Integer

Example: 3600

distributedMap.getRetryDelay

The amount of time, in milliseconds, to wait before it performs another retrieval against the distributed map. The default is 0.

Data type: Integer

Example: 500

distributedMap.getRetryLimit

The number of retrievals that is done against the distributed map before it returns the retrieved data is not in the distributed map. The default is 0.

Data type: Integer

Example: 10

Attribute matcher properties

userBehavior.minimumUsageHistoryRequired

Minimum usage data records required for any usage data analysis; used by LoginTimeMatcher.

Data type: Integer

Example: 8

userBehavior.ipAddressRequestAttribute

The XACML request attribute to read from the IP address.

Data type: String

Example: urn:ibm:security:subject:ipAddress

IP reputation PIP properties

ip.reputation.ipAddressAdverseReputationThreshold

The value that an IP classification score must be at or above for an IP address to be considered as that classification.

Data type: Integer

Example:50

ipReputation.dbConnectionTimeout

The number of seconds the IP reputation policy information point (PIP) waits for a connection to the IP reputation database. The ipReputation.dbConnectionTimeout property defaults to 120.

Data type: Integer

Example: 60

Attribute collector properties

attributeCollection.cookieName

Correlation ID used by the attribute collector.

Data type: String

Example: ac.uuid

attributeCollection.requestServer

Request server for attribute collector. A list of the allowable hosts where the ajaxRequest can be sent from.

Data type: String List

Example: https://rbademo.example.com,https://rbaemo2.example.com

attributeCollection.serviceLocation

Location of the attribute collector.

Data type: String List

Example: http://rbademo.example.com/mga

attributeCollection.sessionTimeout

Number of seconds in which sessions stored in context-based access will automatically expire, unless updated. If any attribute in the session is updated, the session expiry is extended by the specified number of seconds configured in this property. The default is 1800 seconds.

Data type: Integer

Example: 1800 seconds

attributeCollection.enableGetAttributes

Enables the REST GET method to return attributes.

Data type: Boolean

Example: false

attributeCollection.getAttributesAllowedClients

A comma-separated list of clients allowed to access the ACS REST GET method.

If this property is not set and attributeCollection.enableGetAttributes is set to true, anyone can access the GET method. If this property is set but attributeCollection.enableGetAttributes is set to false, this property is ignored.

Data type: String List

Example: hostname1, hostname2

attributeCollection.hashAlgorithm

The algorithm used to create the hash.

Data type: String

Example: SHA256

attributeCollection.attributesHashEnabled

A comma-separated list of attribute URI values configured for hashing. Attention: Do not hash the following attributes:

• ipAddress
• geoLocation
• accessTime

Data type: String List

Example:

>urn:ibm:security:environment:http:userAgent, 
urn:ibm:security:environment:deviceFonts, 
urn:ibm:security:environment:browserPlugins 

attributeCollection.authenticationContextAttributes

Comma-separated lists of attribute names to be collected during an authentication service obligation. The maximum number of characters for this property is 200.

Data type: String List

Example: authenticationLevel, http:host

Device registration properties

deviceRegistration.allowIncompleteFingerprints

Specifies to allow the device registration obligation to store fingerprints where all the fingerprint attributes are not available on the session information.

Data type: Boolean

Example: false

deviceRegistration.checkForExpiredDevices

Determines whether registered devices are inactive or expired. If the deviceRegistration.checkForExpiredDevices property is set to true, the risk engine checks Whether a device is inactive or expired. The deviceRegistration.checkForExpiredDevices property defaults to false, which means that users can use any of the devices that are registered.

Date type: Boolean

Example: true

deviceRegistration.cleanupThread.batchSize

Specifies if batch delete is enabled for expired devices and how many records are deleted per batch.

If the value is defined as 0 or is blank, batch delete is not enabled and all expired devices are deleted using one SLQ delete statement.

If the value is defined as an integer greater than 0, batch delete is enabled. The number that we specify determines how many records are deleted in each batch. The batch delete continues until all of the expired devices are deleted. The batch process is useful for deleting a large quantity of expired devices.

Data type: Integer

Example: 1000 (Batch delete is enabled, with a batch size of 1000 records.)

deviceRegistration.deviceMatchThreshold

The risk score threshold where an existing fingerprint is considered to match the incoming device fingerprint.

Data type: Integer

Example: 20

deviceRegistration.inactiveExpirationTime

Number of days that a device must be inactive for it to expire. The deviceRegistration.inactiveExpirationTime property defaults to 90.

Date type: Integer

Example: 100

deviceRegistration.maxRegisteredDevices

Maximum device fingerprint count. The default is 10. Valid values are 1 to 100.

Data type: Integer

Example: 10

deviceRegistration.maxUsageDataPerUser

Maximum number of historical usage attribute records stored per user. The default is 200. Valid values are 1 to 5000.

Data type: Integer

Example: 1000

deviceRegistration.permitOnIncompleteFingerprints

Specifies to permit access to the resource if the fingerprint collected by the device registration obligation does not include all fingerprint attributes.

Data type: Boolean

Example: false

Runtime properties

runtime.dbLoggingEnabled

Enables fine-grained logging for database SQL statements.

Data type: Boolean

Example: false

runtime.hashAlgorithm

The algorithm used for hashing. The supported algorithms are:

• SHA-1
• SHA-256
• SHA-384
• SHA-512

The runtime.hashAlgorithm property defaults to SHA-256.

Data type: String

Example: SHA-256

runtime.verificationHashAlgorithms

Hashing algorithms used to verify a hashed value. The value is typically a comma separated list of hashing algorithms.

Data type: String

Example: SHA-256, SHA-1

Single sign-on protocol service

sps.setCookiesAsSecure

Determine Whether to flag the cookies set by ISAM as secure.

The default value is false.

Data type: Boolean

Example: false

sps.targetURLWhitelist

Specifies a list of allowed target URLs for SAML 2.0, OpenID Connect, and the authentication service. Use this property to prevent an attacker from redirecting a user to malicious target URLs.

The value of this advanced configuration property is a comma-separated string, where each string is a target URL in the form of a regular expression. The regular expression must not contain commas, and spaces between regular expressions are ignored.

• For SAML 2.0 SSO flows, we can specify a Target URL when we configure the initial URL in flows that are initiated by either the Identity Provider or the Service Provider. For information, see SAML 2.0 profile initial URLs.
• For Open ID Connect flows, we can specify a Target URL when we configure the initial URL for Relying Party initiated single sign-on. For information, see Relying Party SSO initiation endpoint.
• For the authentication service, we can specify a Target URL when we configure the authentication service trigger URL. For information, see Configure authentication.

Default is “.*”.

Data type String Example

 
(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*

sps.illegalUrlSubstrings

A comma-separated list of strings, the single sign-on service stops processing the request if the request URL query parameters contain any of the strings.

Default is "".

Data type: String Example:

"<script"

sps.doNotSendXFrameOptionsHeader

Whether an X-Frame-Options header with value SAMEORIGIN must be returned from the SPS endpoints for browser based flows. When this property is set to true, no X-Frame-Options header is sent. The sps.doNotSendXFrameOptionsHeader property defaults to false.

Data type: Boolean

Example: False

SPS page

sps.page.htmlEscapedMacros

A comma-separated list of macros that is HTML-escaped when it is rendered in pages that are sent to the browser.

Data type: String

Example:

>@REQ_ADDR@,
@DETAIL@,
@EXCEPTION_STACK@,
@EXCEPTION_MSG@,
@OTP_METHOD_ID@,
@OTP_METHOD_LABEL@,
@OTP_HINT@,
@ERROR_MESSAGE@,
@MAPPING_RULE_DATA@

sps.page.exceptionMacros

A comma-separated list of classname:macro pairs. Classname is the fully qualified name of the exception class. Macro is the name of the macro to which the class maps.

Data type: String

Example:

com.tivoli.am.fim.otp.deliveries.OTPDeliveryException = @OTP_DELIVERY_EXCEPTION@,
com.tivoli.am.fim.otp.providers.OTPProviderException = @OTP_PROVIDER_EXCEPTION@

sps.page.notEscapedMacros

A comma-separated list of macros that are not HTML-escaped when they are rendered in pages that are sent to the browser. Macros that do not appear in this list or the Macros in the htmlEscapedMacros list are HTML-escaped.

Data type: String Example:

>
@COOKIE_NAME@,
@SERVER_NAME@,
@JUNCTION@

sps.page.hiddenMacros

A comma-separated list of macros that are not rendered in the pages that are sent to the browser. Default is @EXCEPTION_STACK@.

Data type: String

Example: @EXCEPTION_STACK@

Risk engine properties

riskEngine.reportsEnabled

Enables the generation of risk calculation reports.

Data type: Boolean

Example: false

riskEngine.reportsMaxStored

Maximum number of reports to store.

Data type: Integer

Example: 5

Authentication service properties

sps.authService.reauthenticationEnabled

The authentication service performs authentication even if the user already has an authenticated session at the required authentication level.

Data type: Boolean

Example: true

sps.authService.policyKickoffMethod

Whether the URLs /sps/authsvc and /sps/apiauthsvc can be invoked with the policyId query string parameter.

If set to query, the authentication service endpoints continue to accept policyId as a query or post parameter. If set to path, authentication service endpoints are changed to:

• /sps/apiauthsvc/policy/<shortPolicyId>
• /sps/authsvc/policy/<shortPolicyId>

Where <shortPolicyId> is the value that comes after the prefix urn:ibm:security:authentication:asf:

By default, the value is set to both.

When set to both, either the path or query parameter can be used to initiate an authentication service flow.

sps.authService.stateIdSource.authsvc

Whether the URL /sps/authsvc can be invoked with the StateId query string parameter.

If set to Body and Query, the authentication service endpoint continues to accept StateId as a query or body parameter.

If set to Body Only, the authentication service endpoint only accepts the StateId as a body parameter (POST or PUT).

Data type: String

Default: Body and Query

Example: Body only

sps.authService.stateIdSource.apiauthsvc

Whether the URL /sps/apiauthsvc can be invoked with the StateId query string parameter.

If set to Body and Query, the API authentication service endpoint continues to accept StateId as a query or body parameter.

If set to Body Only, the API authentication service endpoint only accepts the StateId as a body parameter (POST or PUT).

Data type: String

Default: Body and Query

Example: Body Only

Authentication service session store properties

authsvc.stateMgmt.cookieless

Enables the server side storage of session data for the authentication service. If enabled, this removes the need for the JSESSIONID cookie.

Data type: Boolean

Example: true

Default value: true

authsvc.stateMgmt.store

Storage type used by the Authentication service to cache user session data. The authentication service can be supported by the DSC, the HVDB, or stored in Memory. For clustered environments, storage in Memory does not replicate between nodes.

Data type: String

Example: Memory

Default value: HVDB

authsvc.stateMgmt.HVDB.lifetime

Length of time in seconds that a session is cached for. Once this time period is exceeded, the user’s session is removed from the session store. If this value is less than 0, the default lifetime of 3600 seconds (1 hour) is enforced. This configuration option applies only to session stores supported by the HVDB or Memory.

Data type: Integer

Example: 60 (1 minute)

Default value: 3600

authsvc.stateMgmt.HVDB.maxSessions

Maximum number of user sessions to be cached at any point in time. If the number of sessions in the store exceeds this value, the oldest session is invalidated. This configuration option only applies to session stores supported by the HVDB or Memory.

Data type: Integer

Example: 10000

Default value: 1000

authsvc.stateMgmt.HVDB.cleanupWait

Frequency (in seconds) that expired or excess sessions are removed from the session store. Setting this entry to -1 disables the cleanup thread. This configuration option only applies to session stores backed by the HVDB or Memory.

Data type: Integer

Example: 30

Default value: 120

authsvc.stateMgmt.HVDB.cleanupThread.batchSize

Maximum number of expired sessions which are removed in a single cleanup operation. If the value is defined as 0 or is blank, batch delete is not enabled. All expired sessions are deleted by using one SLQ delete statement. If the value is defined as an integer greater than 0, batch delete is enabled. The number that we specify determines how many sessions are deleted in each batch. The batch delete continues until all of the expired sessions are deleted. This configuration option only applies to sessions that are stored in the HVDB or Memory.

Data type: Integer

Example: 1000

Default value: 0

authsvc.stateMgmt.HVDB.cleanupOnlyOnPrimaryMaster

Prevent the cleanup thread from running on non-primary master nodes in a clustered environment. This configuration option only applies to sessions that are stored in the HVDB or Memory.

Data type: Boolean

Example: true

Default value: true

Session

distributedSessionCache.enabled

A switch that dictates if the distributed session cache is used for session failover. If this setting is not enabled, the distributed session cache server still runs as a service, but the client does not use it.

Data type: Boolean

Example: false

distributedSessionCache.localCacheSize

The number of sessions to be stored on the client as a local cache. A value of 0 or less means that any number of sessions can be cached by the client. A low number requires more connections to the distributed session cache if there are many active sessions. A high number runs the risk of running out of memory if many sessions are locally cached. All sessions are still stored on the distributed session cache when it is enabled.

Data type: Integer

Example: 4096

session.dbCleanupInterval

Interval, in seconds, the database cleanup thread runs to remove expired data in the runtime database. The default is 86400. The minimum value for this property is 3600. For information, see Runtime database tuning parameters

Session database clean up can be disabled by setting the dbCleanupInterval to 0. This is not overridden by the minimum value.

Data type: Integer

Example: 90000

Distributed session cache

distributedSessionCache.enabled

A switch that dictates if the distributed session cache is used for session failover. If this setting is not enabled, the distributed session cache server still runs as a service, but the client does not use it.

Data type: Boolean

Example: false

distributedSessionCache.localCacheSize

The number of sessions to be stored on the client as a local cache. A value of 0 or less means that any number of sessions can be cached by the client. A low number requires more connections to the distributed session cache if there are many active sessions. A high number runs the risk of running out of memory if many sessions are locally cached. All sessions are still stored on the distributed session cache when it is enabled.

Data type: Integer

Example: 4096

distributedSessionCache.externalServers

A list of locations of the distributed session cache servers in weighted order.

Syntax:

<primary_address>:<port>[:<ssl>];<secondary_address>:<port>[:<ssl>],...

<address>

The IP address of the distributed session cache server. For example, 10.150.21.80.

<port>

The port for the distributed session cache. For example, 2126.

<ssl>

Whether SSL communication with the distributed session cache is required. Default is false.

Data type: String

Example:

10.150.21.80:2126:true;10.150.21.81:2126:false,10.150.21.82:2126

distributedSessionCache.localCacheEnabled

A switch that dictates Whether a local cache of distributed sessions is maintained. If this setting is disabled a higher load is placed on the distributed session cache server. The local cache should only be enabled if all requests from the same client is guaranteed to be sent to the same runtime server (otherwise known as stickiness). Session inconsistencies might occur if the local cache is enabled and stickiness is not maintained. All sessions are still stored in the distributed session cache when it is enabled.

Data type: Boolean

Example: False

TOTP and HOTP retry properties

otp.retry.enabled

Whether the retry protection is enabled.

Data type: Boolean

Example: true

otp.retry.maxNumberOfAttempts

The maximum number of strikes the users can have before they are prevented from logging in.

Data type: Integer

Example: 5

otp.retry.otpRetryTimeout

The number in seconds a strike lasts.

Data type: Integer

Example: 600

OAuth20

oauth20.clientDataToInclude

Specifies the OAuth client information to be returned as JSON data. This property is a comma-separated list of the JSON Keys. Valid values are:

>
contact_type
email_address
contact_person
company_name
company_url
phone_number
other_info

We can specify one or more of these keys for this property. The oauth20.clientDataToInclude property defaults to contact_type, email_address, contact_person, company_name, company_url, phone_number, other_info.

Data type: String

Example: contact_type, email_address, company_name

oauth20.doNotSendXFrameOptionsHeader

Whether an X-Frame-Options header with value SAMEORIGIN must be returned from the OAuth 2.0 endpoints. When set to true, no X-Frame-Options header is sent. The oauth20.doNotSendXFrameOptionsHeader property defaults to false.

Data type: Boolean

Example: false

oauth20.hashedTokenStorageEnabled

Enables hashed storage when set to true. The ISAM appliance can persist OAuth 2.0 tokens in the clear text form or in the more secure hashed form.

The hashing algorithm set in the runtime.hashAlgorithm property will be used. When verifying hashed tokens, the runtime.verificationHashAlgorithms property will be used. The algorithms listed in the runtime.verificationHashAlgorithms property will be tried in the specified order. This mechanism allows for upgrading of the hashing algorithm while continuing to support old tokens. The oauth20.hashedTokenStorageEnabled property defaults to false, and the OAuth 2.0 tokens will be stored as-is.

Data type: Boolean

Example: false

oauth20.sessionEndpointEnabled

Enables the ability to return an authenticated session at the point-of-contact when the oauth20.sessionEndpointEnabled property is set to true. The oauth20.sessionEndpointEnabled property defaults to false.

Data type: Boolean

Example: false

oauth20.tokenCache.cleanupWait

The amount of time, in seconds, to wait before it performs another cleanup of expired tokens in the OAuth 2.0 token cache. The oauth20.tokenCache.cleanupWait property defaults to 120.

OAuth token clean up can be disabled by setting the cleanupWait value to 0.

Data type: Integer

Example: 120

oauth20.legacyAttributeHandling

Changes how associated attributes function across the API Protection and OpenID Connect solution. This includes:

• OauthMappingExtUtils.retrieveAllAssociations() OauthMappingExtUtils.getAssociation() calls in mapping rules
  • When it is set to True, it does not return READONLY or SENSITIVE attributes.
  • When it is set to False, it returns READONLY or SENSITIVE attributes.

• The user self care endpoint /mga/sps/mga/user/mgmt/grant/
  • When it is set to True, attributes that are both READONLY and SENSITIVE are returned
  • When it is set to False, attributes that are both READONLY and SENSITIVE are not returned.

• Attributes which are saved from attribute sources when performing identity enrichment.
  • When it is set to True, attributes are saved against the grant as neither READONLY or SENSITIVE.
  • When it is set to False, attributes are saved against the grant as READONLY. The post token rule can be used to update this value if necessary.

HTTP client

util.httpClient.defaultTrustStore

Stores the default truststore that HTTPS connections in HTTP client uses. The util.httpClient.TrustStore property defaults to rt_profile_keys.

Data type: String

Example: rt_profile_keys

util.httpClient.defaultSSLProtocol

Stores the default SSL protocol configuration that HTTPS connections in HTTP client uses. The util.httpClient.defaultSSLProtocol property defaults to TLS.

Data type: String

Example: TLS

util.httpClient.maxActiveConnections

Maximum number of HTTP and HTTPS connections, per host, between the appliance runtime and other modules. In a multiple host environment, the runtime might need to establish many HTTP/HTTPS connections at the same time. By specifying this property, we can limit the number of active connections for each host. This setting ensures that each host can obtain their fair share of HTTP/HTTPS connections without being forced to wait for other hosts to release connections.

• Data type: String
• Default: An unlimited number of HTTP/HTTPS connections are permitted

We can specify the maximum number of active connections in one of two ways:

• Specify a maximum number to apply to every host. Syntax:

  >"*=<count>"

• Specify a maximum number on a per host basis. Syntax:

  >"<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"

  <host>

  The host value can be either an IP address, a hostname or domain name as specified in the Endpoint URL. Specify the host value based on the URL format. For example:

  • IP Address: 192.168.102.192
  • Hostname or domain name: www.server1.com

  <port>=<count>

  The communication port on the host. For example, to limit port 80 to only 100 connections, enter 80=100.

  *=<count>

  The count limit for servers that are not specified by a <host> value in this property. When set to zero (*=0) there is no limit on the number of HTTP/HTTPS connections that can be created to other servers. When set to an integer greater than zero, the integer specifies the maximum number of HTTP/HTTPS connections that can be created to each of the other servers. Ensure that <count> is specified as a value of type integer. Do not use values of type string for <count>.

Example 1: Specifying a maximum number to apply to every host

For example, your deployment must establish connections to two servers. You want to limit the number of connections to 100 per server. We also want to ensure that when we add additional servers, the number of connections to each additional server is limited to 100.

Use the syntax "*=<count>". For this example:

"*=100"

Example 2: Specifying maximum numbers on a per host basis

For example, your deployment must establish connections to two servers. You want to limit the number of connections for one server to 100, but allow the other server to have 200 connections. In addition, we do not want to limit the number of connections for any additional servers.

Use the syntax: "<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"

For example, the runtime might need to establish the connections to the following URLs, for an SMS OTP flow and an OIDC flow:

• http://www.server1.com/isam/sms_otp
• https://192.168.102.192/isam/oidc_sts

Example configuration entry:

"www.server1.com:80=100,192.168.102.192:443=200,*=0"

The example configuration entry specifies:

• The maximum number of HTTP/HTTPS connections that can be created to www.server1.com at a time (on port 80) is 100.
• The maximum number of HTTP/HTTPS connections that can be created to 192.168.102.192 at a time (on port 443) is 200.
• There is no limit on the number of HTTP/HTTPS connections that can be created to other hosts.

HTTP Client version 2

util.httpClientv2.getConnectionTimeout

Timeout for retrieving a connection from the connection pool. Value is in seconds. The util.httpClientv2.getConnectionTimeout property defaults to 5 seconds for every host (*=5)

Data type: String

Example: *=5 We can specify the timeout by using one of the following methods:

• Specify a timeout that applies to every host and port.

  “*=<timeout>”

Specify a timeout on a per host and port basis

“<host1>:<port1>=<timeout>,<host2>:<port2>=<timeout2>,*=<timeout3>

util.httpClientv2.connectTimeout

Timeout for establishing a connection with the remote host. Value is in seconds. The util.httpClientv2.connectTimeout property defaults to 5 seconds for every host (*=5).

Data type: String

Example: (*=5) We can specify the timeout by using one of the following methods:

• Specify a timeout that applies to every host and port.

  “*=<timeout>”

Specify a timeout on a per host and port basis

“<host1>:<port1>=<timeout>,<host2>:<port2>=<timeout2>,*=<timeout3>

util.httpClientv2.connectionInactiveValidate

Period of inactivity in milliseconds after which pooled connections must be re-validated prior to being reused. Value is in seconds. The util.httpClientv2.connectionInactiveValidate property defaults to 2 seconds for every host (*=2).

Data type: String

Example: *=2 We can specify the value by using one of the following methods:

• Specify a value that applies to every host and port.

  “*=<value>”

Specify a value on a per host and port basis

“<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>

util.httpClientv2.connectionTimeToLive

Maximum time a connection stays open. After which it automatically closes. Value is in seconds. The util.httpClientv2.connectionTimeToLive property defaults to no timeout.

Data type: String

Example: *=30 You can specify the value by using one of the following methods:

• Specify a value that applies to every host and port.

  “*=<value>”

Specify a value on a per host and port basis

“<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>

util.httpClientv2.socketTimeout

Timeout to wait for packets to arrive on an established connection. Value is in seconds. The util.httpClientv2.socketTimeout property defaults to 5 seconds for every host (*=5).

Data type: String

Example: *=5 We can specify the timeout by using one of the following methods:

• Specify a timeout that applies to every host and port.

  “*=<timeout>”

Specify a timeout on a per host and port basis

“<host1>:<port1>=<timeout>,<host2>:<port2>=<timeout2>,*=<timeout3>

util.httpClientv2.defaultSSLProtocol

Default SSL protocol configuration that HTTPS connections in HTTP client uses.The following values are valid:

• TLSv1
• TLSv1.1
• TLSv1.2
• TLS (This value enables all of the above protocols)

The util.httpClientv2.defaultSSLProtocol property defaults to TLS.

Data type: String

Example: TLS

util.httpClientv2.defaultTrustStore

Default truststore that HTTPS connections in HTTP client uses. The util.httpClientv2.defaultTrustStore property defaults to rt_profile_keys.

Data type: String

Example: rt_profile_keys

util.httpClientv2.disableAutoRetries

Whether or not to disable automatic request recovery and re-execution. The util.httpClientv2.disableAutoRetries property defaults to false for every host (*=false).

Data type: String

Example: *=false We can specify the value by using one of the following methods:

• Specify a value that applies to every host and port.

  “*=<value>”

Specify a value on a per host and port basis

“<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>

util.httpClientv2.enableHostNameVerification

Whether or not to enable hostname verification. If enabled it verifies the target hostname matches the names that are stored inside the server’s X.509 certificate once the connection is established. The util.httpClientv2.enableHostNameVerification property defaults to true for every host (*=host).

Data type: String

Example: *=true We can specify the value by using one of the following methods:

• Specify a value that applies to every host and port.

  “*=<value>”

Specify a value on a per host and port basis

“<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>

util.httpClientv2.disablePublicSuffixVerification

Whether or not to disable hostname verification using the list of valid public suffixes. HttpClient uses the public suffix list to ensure that wildcards in SSL certificates cannot be misused to apply to multiple domains with a common top-level domain. The HTTP Client ships with a copy of the list retrieved at the time of the release. The local copy is a configuration file named local-copy-effective_tld_names.dat and can be updated following the instructions at Manage advanced configuration. The util.httpClientv2.disablePublicSuffixVerification property defaults to false for every host (*=false).

Data type: String

Example: *=false We can specify the value by using one of the following methods:

• Specify a value that applies to every host and port.

  “*=<value>”

Specify a value on a per host and port basis

“<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>

util.httpClientv2.disableRedirectHandling

Whether or not the HTTP Client automatically handles redirects. The util.httpClientv2.disableRedirectHandling property defaults to false for every host (*=false).

Data type: String

Example: *=false We can specify the value by using one of the following methods:

• Specify a value that applies to every host and port.

  “*=<value>”

Specify a value on a per host and port basis

“<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>

util.httpClientv2.maxConnections

Maximum number of connections created in each connection pool.

• There is a separate connection pool that is created for each unique SSL connection key. This key is generated using the URL hostname and port, truststore, client keystore, client key alias, protocol, and proxy server values specified in the HTTP Client V2 usage.
• The util.httpClientv2.maxConnections property defaults to 200 for every host (*=200).

Data type: String

Example: *=200 We can specify the value by using one of the following methods:

• Specify a value that applies to every host and port.

  “*=<value>”

Specify a value on a per host and port basis

“<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>

util.httpClientv2.maxRouteConnections

Maximum number of connections in a connection pool available for each unique route.

The util.httpClientv2.maxRouteConnections property defaults to 20 for every host (*=20).

Data type: String

Example: *=20 We can specify the value by using one of the following methods:

• Specify a value that applies to every host and port.

  “*=<value>”

Specify a value on a per host and port basis

“<host1>:<port1>=<value>,<host2>:<port2>=<value2>,*=<value3>

util.httpClientv2.proxyHost

Hostname of the proxy server if requests must go through a proxy.

To disable the use of a proxy, leave this value, proxyPort and/or proxyProtocol empty. The util.httpClientv2.proxyHost defaults to none.

Data type: String

Example: test.com

util.httpClientv2.proxyPort

Port of the proxy server if requests must go through a proxy.

To disable the use of a proxy, leave this value, proxyHost and/or proxyProtocol empty. The util.httpClientv2.proxyPort property defaults to none.

Data type: Integer

Example: 443

util.httpClientv2.proxyProtocol

Protocol for the proxy server if requests must go through a proxy.

To disable the use of a proxy, leave this value, proxyHost and/or proxyPort empty. The util.httpClientv2.proxyProtocol property defaults to none.

Data type: String

Example: test.com

Demo

live.demos.enabled

Enables the mobile demonstration application.

Data type: Boolean

Example: False

live.demos.settings

This setting can be used to pre-populate the settings of the mobile demo. This is a comma separated set of key, value pairs that match what is submitted on the settings form.

Data type: String

Example: lmiHostAndPort=lmi.host.com, lmiAdminId=admin, lmiAdminPwd=admin, acHostAndPort=127.0.0.1, websealHostNameAndPort=webseal.host.com

Knowledge questions properties

knowledge.questions.AnswerValidationRegEx

Regular expression used to validate the knowledge question answer value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against to determine if the supplied value is valid. At a minimum, this property must include the following characters: <>:"

Data type: RegEx

Example: [\[()<>,;:\\/\"\]=]

knowledge.questions.QuestionValidationRegEx

Regular expression used to validate the knowledge question text value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against to determine if the supplied value is valid. At a minimum, this property must include the following characters: <>:"

Data type: RegEx

Example: [\[()<>,;:\\/\"\]=]

Key encryption and signing service (KESS)

kess.crlEnabled

Checks the certificate revocation list. Checking is done by the key encryption and signature service (KESS) for all functions that use an external certificate, except for the audit syslog. If your configuration does not require CRL checking, we can disable it. For example, if we use if an internal certificate authority (CA), we might want to disable CRL checking. The kess.crlEnabled property defaults to true.

CRL site unavailability scenario

If we have kess.crlEnabled set to true and a CRL site becomes unavailable, we cannot determine the revocation status of the certificate. In this situation, the single sign-on flow will fail.

Confirm a CRL site unavailability issue by looking for the message FBTKJK056E The CRL site could not be determined. in the runtime trace.log file.

As a temporary workaround, set the CRL checking to false to keep the single sign-on flow running. As soon as the CRL site is working again, set kess.crlEnabled to true so the single sign-on flow contains the CRL check. CAUTION:If we do stop CRL checking as a temporary workaround, be aware the certificate might have already been revoked by the CA. If this type of certificate is allowed to pass the validation, it creates security issues. Therefore, ensure that we enable CRL checking to avoid potential security issues such as this.

Data type: Boolean

Example: true

kess.crlInterval

The amount of time, in seconds, between successive CRL checks. Using an interval of time between CRL checks reduces the performance impact of doing the checks every time a certificate needs to be validated.

A value less than or equal to zero means the runtime performs a CRL check every time it wants to use a certificate. The default is 0 seconds.

If kess.crlEnabled is set to false, this value is ignored.

Data type: Integer

Example: 86400

This value means that a CRL check on a certificate is performed once per day.

kess.hostnameValidationDisabled

Determine Whether to disable host name verification when establishing an SSL connection. Host name verification is performed when the host name of the server does not match the CN of the certificate of the server.

In a test environment, we might want to disable the validation. In a production environment, we might want to enable validation.

Default is False.

Data type: Boolean

Example: False

kess.keySelectionCriteria

Specify which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If there are multiple keys or certificates with the same Subject DN as the key or certificate with the specified alias, this setting determines which one to use. Use one of the following selection methods:

only.alias

Select the key or certificate with the specified alias. This is the default.

longest.lifetime

Select the key or certificate with the longest lifetime.

shortest.lifetime

Select the key or certificate with the shortest lifetime.

Data type: String

Example: only.alias

kessjksservice.exclude.inclusive.namespace.prefixes

Specifies a comma-separated list of prefix names. When this is set, the prefixes in the list are not added to the InclusiveNamespaces list that is in the Signature Element.

Data type: String

Example: ds

JSON Web Key

jwks.encryption.keystore

Define the name of the encryption keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'enc'.

Default value: rt_profile_keys

jwks.signing.keystore

Define the name of the signing keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'sig'.

Default value: rt_profile_keys

Policy information point (PIP)

pip.uncachedAttributes

Define a comma-separated list of attributes generated by a policy information point (PIP) that we do not want to be cached.

Data type: String list

Example: urn:ibm:security:jdbc:city, urn:ibm:security:ldap:priviledgeUser

Security token service (STS)

sts.ivcred.unauthenticated.user.name

Set to a special user account for unauthenticated user tokens when using IVCRED STS module in validate mode. The Default value is "".

Data type: String

Example: guest

sts.ivcred.unauthenticated.user.registry.id

In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's registry id can also be added when using IVCRED STS module in validate mode. The Default value is "".

This parameter is optional.

Data type: String

Example: cn=guest,o=ibm,c=us

sts.ivcred.unauthenticated.user.uuid

In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's UUID can also be added when using IVCRED STS module in validate mode. The Default value is "".

This parameter is optional.

Data type: String

Example: 81a2a65e-0018-0150-8080-3f83b0f74f4c

sts.ldapAttributeCache.TTL

Specifies a time-to-live (TTL) value, in seconds, for the amount of time to keep an LDAP attribute in the cache. Specify 0 to disable.

Default is 60.

Data type: Integer

Example: 60

sts.wstrust.error.shortexception

Set this parameter to True to provide a short exception in the 'wst:Reason' for STS exceptions. When this parameter is set to False, the entire exception stack is provided in 'wst:Reason'.

Type: Boolean

Default: False

Example: False

Mobile Multi-Factor Authentication (MMFA)

mmfa.authenticator.cleanupWait

The amount of time, in seconds, to wait before another cleanup of expired authenticators is performed.

MMFA authenticator clean up can be disabled by setting cleanupWait to 0.

Default is 3600.

Data type: Integer

Example: 3600

mmfa.transactionArchival.maxCompletedPerUser

The number of historical transactions in a completed state to keep in the HVDB before archival to the audit log. The oldest transactions will be removed first. A value of -1 will indicate that no archival should be performed.

Default is 50.

Data type: Integer

Example: 50

mmfa.transactionArchival.maxPendingPerUser

The number of transactions to keep in a pending state. Transactions over this number will have their status set to "fail". The oldest transactions will be aborted first. A value of -1 will indicate that no archival should be performed.

Default is 1.

Data type: Integer

Example: 1

mmfa.transactionPending.minAgeBeforeAbort

The minimum number of seconds a transaction is in the pending state before being aborted via a cleanup thread. Due to the cleanup thread interval, the total time a transaction can be in the pending state can be between minAgeBeforeAbort and (minAgeBeforeAbort + cleanupInterval) - 1

Default is 300.

Data type: Integer

Example: 300

mmfa.transactionPending.cleanupInterval

The number of seconds between each run of the pending transactions cleanup thread.

Default is 150.

Data type: Integer

Example: 150

mmfa.transaction.cleanupOnlyOnPrimaryMaster

Whether transaction cleanup should be run on all nodes in a cluster, or only on the primary master. This applies to pending transaction cleanup as well as transaction archival.

Default is false.

Data type: Boolean

Example: false

mmfa.devicePrompt.skipIfOneDevice

Whether to skip the device selection page in an MMFA flow if the user only has one device or authenticator registered.

Default is false.

Data type: Boolean

Example: true

WS-Federation

wsfed.idp.rstr.excluded.elements

Specifies a comma-separated list of elements to exclude from the WS-Federation request security token response. Can optionally contain a federation realm and federation partner realm, to indicate the federation or federation partner that uses the property values.

Default is default=Forwardable,Delegatable,Status,Renewing.

The syntax for specifying federation and federation partner is:

default=<comma_separated_list_of_elements>:<federation_realm>=<comma_separated_list_of_elements>:
            <federation_realm>%<partner_realm>=<comma_separated_list_of_elements>

Data type: String

Example:

default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable:
fed1-REALM%partner1-REALM=Status

SAML 1.1

saml.use.legacy.clockskew.default

IBM Security Verify Access can add a clock skew of 60 seconds when validating the SAML assertion timestamps. To enable the 60 second clock skew, add the custom property:

saml.use.legacy.clockskew.default = true Default value = False

• Value type: Boolean
• Example value: True

This custom property is also applicable for SAML 2.0

saml.allowDebugMessages

When specified as true, and a SAML artifact resolution failure occurs, the SystemOut.log and SystemErr.log contains an informational message. In addition, the message contains extra debug information about the request that contained the failed artifact and provides a reason for the event. This message is only available in English. Default value: False

• Value type: Boolean
• Example value: SAML.allowDebugMessage = True

saml.allowNoRecipient

Use this custom property if a SAML 1.x service provider needs to accept a samlp:Response that does not contain a Recipient attribute.

Default value: False

saml.assertion.IncludeNSPrefixList.DS

When this custom property is specified as true, ds is included in the Prefix List attribute of the InclusiveNameSpaces in the SAML assertion. Default value: False

• Value type: Boolean
• Example value: True

This custom property is also applicable for SAML 2.0

saml.allowSpecificInvalidArtifactMessages

When this custom property is specified as true, and a SAML artifact resolution failure occurs, identity provider sends a SAML Response with specific invalid message to tell the service provider there is no assertion available. The specific invalid message is FBTSML276E. If not specified, by default it is false, and the invalid message send back to service provider is FBTSML013E.Default value: False

• Value type: Boolean
• Example value: True

SAML 2.0

saml20.enableSubjectInAuthnRequest

Set to true if the Subject element is required for the SAML 2.0 AuthnRequest. The Subject element is set to the userid of the existing authenticated session. The Default value is false.

Data type: Boolean

Example: true

saml20.idp.acsurlpattern

ISAM uses an exact string comparison between the AssertionConsumerService URL in the AuthnRequest message and the protocol endpoint specified in metadata.

This custom property allows regular expression matching for the AssertionConsumerService URL and the protocol endpoint, so that a dynamic AssertionConsumerService URL matching the regular expression can be provided in the AuthnRequest.

Data type: String The binding can be omitted if the configuration applies to all the bindings for that specific federation and partner. Format:

<FederationId>%<PartnerId>
%<Binding>=<RegularExpression>,<FederationId2>%<PartnerId2>
=<RegularExpression2>

Example:

>https://www.myidp.ibm.com/isam/sps/saml20idp/saml20%https://www.mysp.ibm.com
/isam/sps/saml20sp/saml20%urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST=https://.*.ibm.com/isam/sps/.*

saml20.sessionStore

Specifies the SAML 2.0 session footprint store.

The SAML 2.0 is stored in the HVDB by default. When the option is switched to DSC the SAML 2.0 session gets stored in Distributed Session Cache. The Distributed Session Cache (DSC) is an independent service that acts as a centralized session repository for a clustered server environment. Servers in the cluster can use the DSC to provide failover for sessions

DSC as session storage helps to remove the dependency on HVDB for federated single sign-on by using SAML 2.0 protocol (except Alias Service). Data type: String The selection for the SAML 2.0 session footprint store is drop-down list with the following options:

• HVDB
• DSC

Example: HVDB Default is HVDB.

saml20.authn.request.provider.name.enabled

Set to true to add ProviderName value to SAML2.0 AuthnRequests.

Data type: Boolean Example: False Default is False.

OIDC

oidc.rp.idToken.validationSkew

The number of seconds of skew allowed on the 'nbf' and 'exp' claims of an idToken when it is being processed by an OpenID Connect relying party. For instances where the clocks of two systems are not perfectly synchronized. This advanced configuration does not apply to legacy OpenID Connect relying parties or Reverse Proxy Relying parties.

Default value: 0

Rhino Javascript Engine

js.optimizationLevel

*js.version *Supported values Context.VERSION_ES6, Context.VERSION_1_7, Context.VERSION_1_8

This is the rhino javascript version indicator.

Default values: js.optimizationLevel =0 and js.version=Context.VERSION_ES6

Parent topic: Manage advanced configuration