Configuration options for the IBM Security Verify Access Java API and the Registry Direct API

| Java option | Registry option | Java config | Default | Valid range | Description |
|---|---|---|---|---|---|
| ldap.mgmt | enabled [ldap] | Optional | false | true, false | Set to true to enable LDAP management. |
| mgmt_domain | management-domain [manager] | Required | | valid domain string | Management Domain name. Required to determine the location of subdomains in the registry; subdomains are located relative to the Management Domain LDAP location. |
| local_domain | ssl-local-domain [ssl] | Optional | | valid domain string | The name of the default domain used when the Management API does not provide a domain name. If no value is provided, the value of the mgmt_domain option is used. |
| ldap.basic-user-pwd-policy | basic-user-pwd-policy | Optional | true | true, false | If basic user support is enabled, this option controls whether global password policies are enabled for basic users. |
| ldap.dynamic-groups-enabled | dynamic-groups-enabled [ldap] | Optional | false | true, false | Enables support for dynamic groups on some LDAP server types by using the memberURL attribute. ISAM supports dynamic groups with IBM Security Directory Server regardless of this setting. This stanza entry is supported for Oracle System Directory Server. |
| ldap.enable-last-login | enable-last-login [ldap] | Optional | | true, false | Stores the date of each login in LDAP as the last login date. |
| ldap.enhanced-pwd-policy | enhanced-pwd-policy [ldap] | Optional | false | true, false | Whether the LDAP registries that ISAM uses provide password policy enforcement for LDAP accounts. The appliance embedded LDAP server does not support this option. |
| ldap.mgmt-domain-suffix | secauthority-suffix [ldap] | Optional | Automatically located | valid LDAP suffix string | The LDAP suffix that holds the Domain Management data of the SVA. |
| ldap.ignore-suffix | ignore-suffix [ldap] | Optional | Empty list | list of valid LDAP suffix strings | Ignore these LDAP server suffixes when searching for user and group information. The suffixes cn=localhost, cn=pwdpolicy, cn=configuration, and the suffixes named in the subschemasubentry and changelog values are always ignored. SvrSslCfg accepts multiple values separated by ",," (double comma); the configuration file uses ";" (semicolon) as the separator. |
| ldap.max-server-connections | max-server-connections [ldap] | Optional | 16 | 2 - 4096 | Maximum number of connections that can exist to the LDAP server. |
| ldap.user-objectclass | user-objectclass [ldap] | Optional | Depends on LDAP server type | | When provided to the configuration tool, a comma-separated list of objectClass names to set when creating a native user entry in LDAP. For example: top,person,organizationalPerson,inetOrgPerson,ePerson. SvrSslCfg converts the list to ";" (semicolon) separated when it writes it to the configuration properties file. |
| ldap.static-group-objectclass | static-group-objectclass [ldap] | Optional | Depends on LDAP server type | | When provided to the configuration tool, a comma-separated list of objectClass names to set when creating a native group entry in LDAP. Only non-dynamic groups are created by SVA. For example: top,groupOfNames. SvrSslCfg converts the list to ";" (semicolon) separated when it writes it to the configuration properties file. |
| ldap.user-search-filter | user-search-filter [ldap] | Optional | Depends on LDAP server type | valid LDAP search filter string | An LDAP search filter that selects any native user entry. For example: `(\|(objectclass=ePerson)(objectclass=Person))`. |
| ldap.group-search-filter | group-search-filter [ldap] | Optional | Depends on LDAP server type | valid LDAP search filter string | An LDAP search filter that selects any native group entry. For example: `(\|(objectclass=accessGroup)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))`. |
| ldap.svrs | host, port, ssl-port, and replica [ldap] | Required | | valid host string, port 1 - 65535, type readwrite or readonly, rank 0 - 10 | A comma-separated list of LDAP server details. Each entry is a colon-separated set of attributes of the form `host:port:type:rank[,host2:port2:type2:rank2[,…]]`, where type is either readwrite or readonly and rank is a value from 0 to 10. For example: ldaphost:389:readwrite:5. SvrSslCfg converts the list to a ";"-separated list of server details when it writes it to the configuration properties file. |
| ldap.ssl-enable | ssl-enable [ldap] | Optional | false | true, false | Set to true to enable SSL to the LDAP server. |
| ldap.fips | ssl-enable-fips [ssl] | Optional | false | true, false | Deprecated: replaced by ldap.compliance. Use ldap.compliance=fips instead of ldap.fips=true and ldap.compliance=none instead of ldap.fips=false. Set to true to use FIPS mode for the TLS connections to the LDAP server. |
| ldap.compliance | ssl-compliance [ssl] | Optional | | none, fips, sp800-131-transition, sp800-131-strict, suite-b-128, suite-b-192 | Sets the compliance level for SSL and TLS connections to the LDAP server. Not used when running within a WebSphere JVM, because the compliance level is then determined automatically from the WebSphere configuration. |
| ldap.ssl-v3-enable | ssl-v3-enable [ssl] | Optional | true | true, false | Enable or disable the use of SSL version 3 to the LDAP server. Always disabled for the compliance levels sp800-131-strict, suite-b-128, and suite-b-192, regardless of this setting. |
| ldap.tls-v10-enable | tls-v10-enable [ssl] | Optional | true | true, false | Enable or disable the use of TLS version 1.0 to the LDAP server. Always disabled for the compliance levels sp800-131-strict, suite-b-128, and suite-b-192, regardless of this setting. |
| ldap.tls-v11-enable | tls-v11-enable [ssl] | Optional | true | true, false | Enable or disable the use of TLS version 1.1 to the LDAP server. Always disabled for the compliance levels sp800-131-strict, suite-b-128, and suite-b-192, regardless of this setting. |
| ldap.tls-v12-enable | tls-v12-enable [ssl] | Optional | true | true, false | Enable or disable the use of TLS version 1.2 to the LDAP server. Always enabled for the compliance levels sp800-131-strict, suite-b-128, and suite-b-192, regardless of this setting. |
| ldap.cipher-suites | ssl-v3-cipher-specs, tls-v10-cipher-specs, tls-v11-cipher-specs, tls-v12-cipher-specs [ssl] | Optional | Java defaults | semicolon-separated list of Java cipher names | Which cipher suites to use for all SSL and TLS protocols. Example: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; SSL_DHE_DSS_WITH_AES_128_CBC_SHA; SSL_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| ldap.ssl-truststore | | Optional | | Filename string | The file name of a Java JCEKS keystore containing the trusted CA signers for the LDAP server certificate. The API converts the value placed in the configuration file into URL format and supports only the file: protocol. If ldap.ssl-enable is true and no file name is provided here, specify java.naming.ldap.factory.socket instead. |
| ldap.ssl-keystore | | Conditional | | Filename string | Required if ldap.client-cert-label is specified. The file name of a Java JCEKS keystore containing the client certificate to present when connecting to the LDAP server. The API converts the value placed in the configuration file into URL format and supports only the file: protocol. |
| ldap.ssl-truststore-pwd | | Conditional | | Password string | Required if ldap.ssl-truststore is specified. The password for the ldap.ssl-truststore. SvrSslCfg and RgyConfig obfuscate this password when it is set. |
| ldap.ssl-keystore-pwd | | Conditional | | Password string | Required if ldap.ssl-keystore is specified. The password for the ldap.ssl-keystore. SvrSslCfg and RgyConfig obfuscate this password when it is set. |
| ldap.login-failures-persistent | login-failures-persistent [ldap] | Optional | false | true, false | Login failures are used with the three-strikes policy. If false, each process using this API stores the number of login failures in memory, so when multiple servers are involved the total number of failures needed to trigger a strike-out might vary. If true, the strike count is stored in LDAP and shared across all servers, so an accurate count is kept in a multiserver environment. |
| ldap.client-cert-label | | Optional | | Label string | Label of the client certificate to present to the LDAP server when connecting with mutual SSL. Selects the certificate from the specified ldap.ssl-keystore. If not specified, the keystore default is used. |
| ldap.auth-using-compare | auth-using-compare [ldap] | Optional | Conditional | true, false | Set to false to validate every DN/password with a new connection to LDAP and a simple bind. Set to true to validate the password with an LDAP compare against the password attribute. Some LDAP servers do not support this setting and ignore it. |
| ldap.bind-dn | bind-dn [ldap] | Required | | valid LDAP DN string | The DN used for a simple bind to LDAP for all management LDAP operations. |
| ldap.bind-pwd | bind-pwd [ldap] | Required | | valid password string | Password of the LDAP bind-dn account. SvrSslCfg and RgyConfig obfuscate this value in the configuration file. |
| ldap.bind-auth-and-pwdchg | bind-auth-and-pwdchg [ldap] | Optional | false | true, false | If true, the Registry Direct API authenticates users with a bind and uses a connection bound as the user to change their password when the old and new passwords are provided; ldap.auth-using-compare is ignored for the server. A single LDAP operation that combines removing the old password and adding the new one is used, as required by some LDAP servers such as Active Directory. Users must also have LDAP/AD ACLs that allow them to change their own password. For Active Directory this setting is the default; for other LDAP servers an ACL may need to be added. |
| ldap.follow-referrals | follow-referrals [ldap] | Optional | false | true, false | If true, the LDAP client (JNDI) follows LDAP referrals to other servers. If false, it ignores referrals. |
| ldap.return-registry-id | cache-return-registry-id [ldap] | Optional | false | true, false | If true, RgyUser.RgyEntity.getId() returns the ISAM user ID as stored in the LDAP registry. If false, it returns the ISAM user ID that was passed to RgyRegistry.getUser(). ISAM IDs are not case-sensitive, so the returned user ID differs if the case of the ID passed to RgyRegistry.getUser() differs from the case of the value stored in LDAP. |
| ldap.user-self-care-objectclass | | Optional | Empty | valid LDAP objectClass string | The name of an AUXILIARY objectClass applied to user entries so that self-care attributes can be added to existing and new native user LDAP entries. |
| ldap.default-policy-override-support | default-policy-override-support [ldap] | Optional | false | true, false | If true, the ISAM per-user policy is not used; the global policy takes effect instead. |
| java.naming.ldap.factory.socket | | Optional | | name of class | Lets the caller provide their own SSL socket factory for JNDI to use when connecting to the LDAP servers. |
| ldap.cache-policy-expire-time | cache-policy-expire-time [ldap] | Optional | 600 (seconds) | 0 - 86400 | Duration in seconds for which the global policy is cached in memory before being read again from LDAP. |
| ldap.max-auth-connections | max-auth-connections [ldap] | Optional | 0 | 0 - 32768 | Non-zero value that sets the number of simultaneous LDAP connections used to authenticate users (when auth-using-compare = false). |
| ldap.group-map-size | | | 1024 | 0 - Max integer | The number of entries in the map used to convert group native names (DNs) into ISAM IDs. An LRU algorithm evicts old entries so that new ones can be created. |
| ldap.group-map-lifespan | | | 60 | 0 - 86400 | Duration in seconds for which an entry stays in the map used to convert group native names (DNs) into ISAM IDs. |
| ldap.late-lockout-notification | | | false | true, false | Notifies the user that the account is locked because of repeated failed password logins on the (n+1)th login attempt rather than the nth, where n is the value of the maxFailedLogins policy attribute in effect for the user. |
| ldap.basic-user-support | basic-user-support [ldap] | Optional | false | true, false | If true, basic user support is enabled. All full and basic ISAM user accounts, including existing ISAM full users, are located by the attribute named in ldap.basic-user-principal-attribute in their native LDAP user entry. If an ISAM full user's principal name does not match the value of that attribute, their ID changes. |
| ldap.basic-user-search-suffix | basic-user-search-suffix [ldap] | Optional | | | If no value is provided, the set of suffixes normally used by SVA is searched. If specified, list all suffixes to be searched for basic and full ISAM users. The suffix containing the ISAM domain, sec_master, and ISAM server accounts is added automatically if it is not listed, because it is required. Suffixes are separated by a semicolon (;). |
| ldap.basic-user-no-duplicates | basic-user-no-duplicates [ldap] | Optional | true | true, false | If true, all ldap.basic-user-search-suffix suffixes are searched for a match on the full or basic user principal ID, and if more than one match is found the user is reported as not found. If false, the search stops after the first match; duplicates are still detected within one suffix, but not across suffixes. The advantage is that, when the administrator can guarantee there are no duplicates across suffixes, the user can be located faster because some suffix searches are skipped. |
| ldap.basic-user-suffix-optimizer | basic-user-suffix-optimizer [ldap] | Optional | true | true, false | Has no effect if ldap.basic-user-no-duplicates is true. If true, the basic user suffixes are searched in an optimized order based on hit count (successfully locating a user in the suffix), which can reduce the number of suffixes searched. If false, the order given in ldap.basic-user-search-suffix is used, or an internally selected order if that option is not set. |
| authz.enable-authorization | | Optional | false | true, false | If LdapRgyRegistryFactory.getRgyRegistryInstance(URL propertiesUrl, Map enhancements) is used, ISAM authorizes the API operations. Provide authz.pdauthorizationcontext-user; it is the admin user against which each access is authorized. |
| authz.pdauthorizationcontext-user | | Conditional | | ISAM user ID | When authz.enable-authorization is set, this user ID is the one authorized in API operations. If authz.pdauthorizationcontext-pwd is also specified, the account has an additional purpose: it is passed with the password to the construction of the PDAuthorizationContext built by the API. If required, this joint usage can be overridden by calling AuthzRgyRegistryFactory.updateAdminId(RgyRegistry rgyRegistry, String adminUserId), which changes the ISAM ID used in the authorization decision. |
| authz.pdauthorizationcontext-pwd | | Optional | | ISAM user password | If specified along with authz.pdauthorizationcontext-user, the ISAM user and password are passed to the construction of the PDAuthorizationContext that the API builds to obtain authorization decisions for API operations. |
| authz.enable-audit | | Optional | false | true, false | If LdapRgyRegistryFactory.getRgyRegistryInstance(URL propertiesUrl, Map enhancements) is used, ISAM enables auditing of API operations. If authz.enable-authorization is not enabled, the user performing the operation is recorded as an unauthenticated user. |
| authz.audit-file-pattern | | Conditional | | File name pattern | Required if authz.enable-audit is true. Passed to the java.util.logging.FileHandler constructor; see the Java documentation for its meaning. |
| authz.audit-file-limit | | Optional | 0 | 0 - MAXINTEGER | Passed to the java.util.logging.FileHandler constructor; see the Java documentation for its meaning. |
| authz.audit-file-count | | Optional | 1 | 1 - 8192 | Passed to the java.util.logging.FileHandler constructor; see the Java documentation for its meaning. |
| appsvr-servername | | Conditional | | string | Set this option if authz.enable-audit is enabled. It segregates the application using the Registry Direct Java API within the Java Logger name space used for audit logging. For example, if the audit logger names are com.tivoli.pd.rgy.authz.testapp-tam611.mgmt and com.tivoli.pd.rgy.authz.testapp-tam611.authn, then testapp-tam611 is the string to pass. Although the audit logger is listed in the Java Logger name space, it writes its records to its own file. Output to the audit log file can be enabled or disabled by raising or lowering the Java logging level of the audit logger names. |
| authz.authorize-group-list | authorize-group-list [delegated-admin] | Optional | false | true, false | Whether the API must check authorization on listGroup() and listNativeGroups(). |
| fed-server.serverid.ldap.bind-dn | bind-dn [server:serverid] | Required | | | The DN used for a simple bind to LDAP for all management LDAP operations. If set to "anonymous", the appliance uses an anonymous bind to the LDAP directory server. Typically the bind-dn has significant privileges so that it can modify LDAP registry entries, such as creating users and resetting passwords through pdadmin or the Registry Direct Java API. An anonymous connection to LDAP typically has very limited access, at most search and view of entries and possibly no access at all. If anonymous access has sufficient privileges, it might be usable for the WebSEAL level of access to users and groups; this includes permission for a user to change their password if "ldap.bind-auth-and-pwdchg = true" is set. |
| fed-server.serverid.ldap.bind-pwd | bind-pwd [server:serverid] | Required | | | Password of the LDAP bind-dn account. SvrSslCfg and RgyConfig obfuscate this value in the configuration file. If the bind DN (bind-dn) is set to anonymous, any non-empty string can be used as the bind password (bind-pwd). |
| fed-server.serverid.ldap.password-attribute | password-attribute [server:serverid] | Optional | racfpassword for RACF suffixes; unicodePwd for Active Directory; userPassword for all others | | Attribute used to set or change passwords. Primarily used to let RACF suffixes choose between "racfpassword" and "racfpassphrase". |
| fed-server.serverid.ldap.racf-suffix | racf-suffix [server:serverid] | Optional | false | true, false | When set to "true", all suffixes defined under the federated registry stanza are treated as RACF suffixes. See the racf-suffix note. |
| fed-server.serverid.ldap.ssl-enable | ssl-enable [server:serverid] | Optional | false | | Set to true to enable SSL to the LDAP server. |
| fed-server.serverid.ldap.ssl-server-start-tls | ssl-server-start-tls [server:serverid] | Optional | false | true, false | If true, the Registry Direct API upgrades the unencrypted TCP LDAP connection to an encrypted one with the LDAP START_TLS extended operation. ldap.ssl-enable must be false when this is true. |
| fed-server.serverid.ldap.suffix = suffixA;[suffixB];... | suffix [server:serverid] | Required | | ";"-separated list of LDAP DN strings | Suffixes to use from this federated LDAP server. |
| fed-server.serverid.ldap.bind-auth-and-pwdchg | bind-auth-and-pwdchg [server:serverid] | Optional | false | true, false | If true, the Registry Direct API authenticates users with a bind and uses a connection bound as the user to change their password when the old and new passwords are provided; ldap.auth-using-compare is ignored for the server. A single LDAP operation that combines removing the old password and adding the new one is used, as required by some LDAP servers such as Active Directory. Users must also have LDAP/AD ACLs that allow them to change their own password. For Active Directory this setting is the default; for other LDAP servers an ACL may need to be added. |
| fed-server.serverid.ldap.max-server-connections | max-server-connections [server:serverid] | Optional | 16 | | Maximum number of connections that can exist to the LDAP server. |
| fed-server.serverid.ldap.dynamic-groups-enabled | dynamic-groups-enabled [server:serverid] | Optional | false | | Some registries might not support this option. For Tivoli Directory Server this setting is always enabled because ibm-allGroups is used. |
| fed-server.serverid.ldap.user-objectclass | user-objectclass [server:serverid] | | Depends on LDAP server type | | When provided to the configuration tool, a comma-separated list of objectClass names to set when creating a native user entry in LDAP. For example: top,person,organizationalPerson,inetOrgPerson,ePerson. SvrSslCfg converts the list to ";" (semicolon) separated when it writes it to the configuration properties file. |
| fed-server.serverid.ldap.static-group-objectclass | static-group-objectclass [server:serverid] | | Depends on LDAP server type | | When provided to the configuration tool, a comma-separated list of objectClass names to set when creating a native group entry in LDAP. Only non-dynamic groups are created by SVA. For example: top,groupOfNames. SvrSslCfg converts the list to ";" (semicolon) separated when it writes it to the configuration properties file. |
| fed-server.serverid.ldap.user-search-filter | user-search-filter [server:serverid] | | Depends on LDAP server type | | An LDAP search filter that selects any native user entry. For example: `(\|(objectclass=ePerson)(objectclass=Person))`. |
| fed-server.serverid.ldap.group-search-filter | group-search-filter [server:serverid] | | Depends on LDAP server type | | An LDAP search filter that selects any native group entry. For example: `(\|(objectclass=accessGroup)(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=groupOfURLs))`. |
| fed-server.serverid.ldap.is-member-of-attribute | is-member-of-attribute [server:serverid] | Optional | Depends on LDAP server type | | The name of an attribute in user entries that lists the DNs of the groups the user is a member of. This is an optimization provided by some LDAP servers. |
| fed-server.serverid.ldap.follow-referrals | follow-referrals [server:serverid] | Optional | false | true, false | If true, the LDAP client (JNDI) follows LDAP referrals to other servers. If false, it ignores referrals. |
| fed-server.serverid.ldap.basic-user-principal-attribute | basic-user-principal-attribute [server:serverid] | Optional | | | If no value is provided, a default that depends on the LDAP server type is used: for ISDS, uid; for AD, userPrincipalName. |
| fed-server.serverid.ldap.basic-user-principal-add | basic-user-principal-add [server:serverid] | Optional | | | If no value is specified, it defaults to the empty string. If a value is specified, the string is appended to the principal ID given to the API before searching for the basic or full user, and removed whenever the basic or full user principal ID is returned by the API. Typically used by the AD migration tool so that federated AD registries can avoid the trailing @domain string while still using the userPrincipalName attribute. |

Note: fed-server.<serverid>.ldap.racf-suffix
