Security custom properties
To review the predefined custom properties related to security, click Security > Secure administration, applications, and infrastructure > Custom properties. Click New to add a custom property and its value.
Properties
- com.ibm.audit.auditPolicy
  Used by the auditing service. The auditing functionality is not available. Do not modify this property.
  Default: REQUIRED
- com.ibm.audit.auditQueueSize
  Used by the auditing service. The auditing functionality is not available. Do not modify this property.
  Default: 5000
- com.ibm.audit.auditServiceEnabled
  Used by the auditing service. The auditing functionality is not available. Do not modify this property.
  Default: false
- com.ibm.audit.auditSpecification
  Used by the auditing service. The auditing functionality is not available. Do not modify this property.
  Default: J2EE=AUTHN=failure=enabled:J2EE=AUTHZ=failure=enabled
- com.ibm.CSI.disablePropagationCallerList
  Disables the caller list in the propagation token and prevents it from changing, which avoids the creation of multiple session entries. When set to true, no caller or host list is added to the propagation token at all; this is useful when the caller or host list is not needed in your environment.
  If both this property and com.ibm.CSI.propagateFirstCallerOnly are set to true, com.ibm.CSI.disablePropagationCallerList takes precedence.
  Default: false
- com.ibm.CSI.propagateFirstCallerOnly
  Limits the caller list in the propagation token to the first caller only, so that the list does not change and multiple session entries are not created. When security attribute propagation is enabled, only the first caller is recorded in the propagation token that stays on the thread; without this property every caller switch is recorded, which affects performance. Typically only the first caller is of interest.
  If both this property and com.ibm.CSI.disablePropagationCallerList are set to true, com.ibm.CSI.disablePropagationCallerList takes precedence.
  Default: false
- com.ibm.CSI.rmiInboundLoginConfig
  Java Authentication and Authorization Service (JAAS) login configuration used for RMI requests that are received inbound. Knowing the login configuration lets you plug in a custom login module that handles specific cases for RMI logins.
  Default: system.RMI_INBOUND
- com.ibm.CSI.rmiInboundMappingConfig
  System JAAS login configuration used to perform application-specific principal mapping.
  Default: None
- com.ibm.CSI.rmiInboundMappingEnabled
  When true, enables the application-specific principal mapping capability.
  Default: false
- com.ibm.CSI.rmiOutboundLoginConfig
  JAAS login configuration used for RMI requests that are sent outbound. Primarily, this login configuration prepares the propagated attributes in the Subject to be sent to the target server; you can also plug in a custom login module to perform outbound mapping.
  Default: system.RMI_OUTBOUND
- com.ibm.CSI.rmiOutboundMappingEnabled
  When true, enables the original caller Subject embedded in the WSSubjectWrapper object to be restored.
  Default: false
- com.ibm.CSI.supportedTargetRealms
  Enables credentials authenticated in the current realm to be sent to any realm listed in the Trusted target realms field of the CSIv2 outbound authentication panel, so that those realms can perform inbound mapping of the data from the current realm. Sending authentication information to an unknown realm is not recommended; this property is the way to declare which alternate realms are trusted. To access the CSIv2 outbound authentication panel:
  - Click Security > Secure administration, applications, and infrastructure.
  - Under RMI/IIOP security, click CSIv2 outbound authentication.
- com.ibm.security.useFIPS
  Specifies that Federal Information Processing Standard (FIPS) approved algorithms are used. The application server uses the IBMJCEFIPS cryptographic provider instead of the IBMJCE cryptographic provider.
  Default: false
- com.ibm.websphere.security.audit.auditEventFactory
  Used by the auditing service. The auditing functionality is not available. Do not modify this property.
  Default: J2EE=com.ibm.ws.security.audit.defaultAuditEventFactoryImpl
- com.ibm.websphere.crypto.config.certexp.notify.fromAddress
  Customizes the "from" address of certificate expiration notification e-mail. The value must be an Internet e-mail address, for example Notification@abc-company.com. If this property is not set, WebSphere Application Server uses its default from address, WebSphereNotification@ibm.com.
  Default: None
- com.ibm.websphere.crypto.config.certexp.notify.textEncoding
  Customizes the text encoding character set of certificate expiration notification e-mail. By default, WebSphere Application Server sends the notification in US-English or, if a non-English locale is specified, in the machine default character set. Set this property to use a different character set.
  Default: None
- com.ibm.websphere.security.console.noSSLTreePortEndpoints
  Improves the response time of the administrative console for large topology configurations. When set to true, the status of the SSL port endpoints is not displayed on the Manage endpoint security configurations page. Displaying that status sometimes makes the administrative console appear to have stopped responding because of the long response time.
  Avoid trouble: Do not use this property unless you are running on V6.0.2.33 or later, or on V6.1.0.23 or later.
  Default: false
- com.ibm.websphere.security.expandX500ExtendedAttribute
  When set to true, decodes the DNQUALIFIER attribute in an X.500 distinguished name; when set to false, only the standard X.500 distinguished name attributes (as defined by RFC 2253) are decoded. To set this property:
  - Log in to the administrative console.
  - Click Security > Secure administration, applications, and infrastructure > Custom properties.
  - Click New and enter com.ibm.websphere.security.expandX500ExtendedAttribute in the Name field and true in the Value field.
  - Click OK, then save the configuration.
  - Restart the server.
  Default: false
- com.ibm.websphere.security.krb.canonical_host
  Specifies whether (true) or not (false) WebSphere Application Server uses the canonical form of the URL/HTTP host name when authenticating a client. If this property is false, a Kerberos ticket can contain a host name that differs from the HTTP Host header, which produces the following error:
  CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
  To avoid this error, set this property to true so that the server authenticates using the canonical form of the URL/HTTP host name.
  Default: false
- com.ibm.websphere.security.util.postParamMaxCookieSize
  Size limit, in bytes, for WASPostParam cookies generated by the security code. A WASPostParam cookie is a temporary cookie that stores the parameters of an HTTP POST. When the "Use available authentication data when an unprotected URI is accessed" option is enabled and form-based authentication is used, a WASPostParam cookie is generated during authentication of an HTTP POST request even if the target URL is unprotected, so the web client receives an unnecessary cookie in the HTTP response. If that cookie is larger than the browser limit, unexpected behavior can result. Setting this property causes the security code to stop generating the cookie once it reaches the specified size. The value must be a positive integer.
  Default: none
- com.ibm.ws.security.createTokenSubjectForAsynchLogin
  In this release, the actual LTPA token data is not available from a WSCredential.getCredentialToken() call made from an asynchronous bean. For an existing configuration, add this custom property with a value of true to allow the LTPA token to be forwarded to asynchronous beans; this lets portlets perform LTPA token forwarding successfully. The property name is case sensitive, so enter it exactly as shown. Restart the application server after you enable this property.
  This property applies only when Server A makes EJB calls from asynchronous beans to Server B. It does not apply to JAAS login situations.
  Default: not applicable
- com.ibm.ws.security.defaultLoginConfig
  JAAS login configuration used for logins that do not fall under the WEB_INBOUND, RMI_OUTBOUND, or RMI_INBOUND login configuration categories. Internal authentication and protocols that do not have specific JAAS plug points call the system login configuration referenced by this property.
  Default: system.DEFAULT
- com.ibm.ws.security.ssoInteropModeEnabled
  Specifies whether to send both the LtpaToken2 and the LtpaToken cookie in the response to a web request (interoperable mode). When false, the application server sends only the LtpaToken2 cookie, which is stronger but not interoperable with some other products and with Application Server releases prior to V5.1.1. In most cases the old LtpaToken cookie is not needed and you can set this property to false.
  Default: true
- com.ibm.ws.security.webChallengeIfCustomSubjectNotFound
  Determines the behavior of a single sign-on LtpaToken2 login. When this property is true, the token contains a custom cache key, and the custom Subject cannot be found, the token is not used to log in directly, because the custom information must be gathered again; instead the user is challenged to log in again. When this property is false and the custom Subject is not found, the LtpaToken2 is used to log in and gather all of the registry attributes, but the resulting Subject might lack the special attributes that downstream applications expect.
  Default: true
- com.ibm.ws.security.webInboundLoginConfig
  JAAS login configuration used for web requests that are received inbound. Knowing the login configuration lets you plug in a custom login module that handles specific cases for web logins.
  Default: system.WEB_INBOUND
- com.ibm.ws.security.webInboundPropagationEnabled
  Specifies whether, when an LtpaToken2 cookie is received, the server searches for the propagated attributes locally before searching the original login server specified in the token. After the propagated attributes are received, the Subject is regenerated and the custom attributes are preserved.
  Default: true
- com.ibm.wsspi.security.audit.auditServiceProvider
  Used by the auditing service. The auditing functionality is not available. Do not modify this property.
  Default: DEFAULT = com.ibm.ws.security.audit.defaultAuditServiceProviderImpl
- com.ibm.wsspi.security.ltpa.tokenFactory
  LTPA token factories that can be used to validate LTPA tokens. Because LTPA tokens do not carry object identifiers (OIDs) that specify the token type, validation is attempted with each token factory in the order listed until one succeeds, so list the factories in the order in which the corresponding tokens are most likely to be received. Separate multiple token factories with a pipe (|), with no spaces before or after the pipe.
  Default: com.ibm.ws.security.ltpa.LTPATokenFactory|com.ibm.ws.security.ltpa.LTPAToken2Factory|com.ibm.ws.security.ltpa.AuthzPropTokenFactory
- com.ibm.wsspi.security.token.authenticationTokenFactory
  Implementation used for an authentication token in the attribute propagation framework. The default provides the old LTPA token implementation as the authentication token.
  Default: com.ibm.ws.security.ltpa.LTPATokenFactory
- com.ibm.wsspi.security.token.authorizationTokenFactory
  Implementation used for an authorization token. This token factory encodes the authorization information.
  Default: com.ibm.ws.security.ltpa.AuthzPropTokenFactory
- com.ibm.wsspi.security.token.propagationTokenFactory
  Implementation used for a propagation token. This token factory encodes the propagation token information. The propagation token is on the thread of execution and is not associated with any specific user Subject; it follows the invocation downstream wherever the process leads.
  Default: com.ibm.ws.security.ltpa.AuthzPropTokenFactory
- com.ibm.wsspi.security.token.singleSignonTokenFactory
  Implementation used for a single sign-on (SSO) token. This is the cookie that is set when propagation is enabled, regardless of the value of com.ibm.ws.security.ssoInteropModeEnabled. By default, this implementation is the LtpaToken2 cookie.
  Default: com.ibm.ws.security.ltpa.LTPAToken2Factory
- security.enablePluggableAuthentication
  No longer used. Use the WEB_INBOUND login configuration instead. To modify the WEB_INBOUND login configuration:
  - Click Security > Secure administration, applications, and infrastructure.
  - Under Java Authentication and Authorization Service, click System logins.
  Default: true
- security.useDefaultPolicyWhenJ2SDisabled
  When this custom property is set to true, the NullDynamicPolicy.getPermissions method delegates to a default policy class to construct the Permissions object. When it is set to false, an empty Permissions object is returned.
  Default: false
- com.ibm.websphere.security.ldap.groupDnSearchFilter
  Overrides the distinguished name group search filter. The value must be an LDAP search filter, for example (objectClass=group).
  Default: none
  Type: string
- com.ibm.websphere.security.ldap.userDnSearchFilter
  Overrides the distinguished name user search filter. The value must be an LDAP search filter, for example (objectClass=user).
  Default: none
  Type: string
- IbmPKIX custom properties
  The IbmPKIX trust manager is enabled in WebSphere® Application Server by default and allows certificate revocation checking. The following custom properties are used with the IbmPKIX trust manager.
  - com.ibm.jsse2.checkRevocation
    Configures revocation checking for the JVM. Set to false by default because the default WebSphere certificates used for SSL communication contain neither certificate revocation list (CRL) distribution points nor Online Certificate Status Protocol (OCSP) information.
    Default: false
  - com.ibm.security.enableCRLDP
    Configures CRL distribution point checking for the PKIX trust manager. If you enable CRL distribution point revocation checking, every certificate used for secure sockets layer (SSL) must contain a valid distribution point and that distribution point must be reachable; otherwise SSL communication fails and the server does not function correctly.
    Default: false
  For certificates that do not contain a CRL distribution point, the following properties can be used so that revocation status is checked against a remote LDAP server that holds the CRL.
  - com.ibm.security.ldap.certstore.host
    Host name of an LDAP server containing trusted certificates or certificate revocation lists. The LDAP server is used to obtain CA certificates or CRLs when validating a certificate and the local truststore does not contain the required certificate. If no LDAP server is specified, the local truststore must contain the required certificates. Even when an LDAP server is used, the root CA certificates must still be in the local truststore, because the LDAP server is not a trusted certificate store.
    Setting this property together with com.ibm.jsse2.checkRevocation enables revocation checking. The remote LDAP server must hold a valid CRL and must be reachable; if the revocation status cannot be determined, the check fails, SSL communication fails, and the server does not function correctly.
    Default: none
  - com.ibm.security.ldap.certstore.port
    LDAP server port. If no port is specified, 389 is used.
    Default: 389
- com.ibm.websphere.security.InvokeTAIbeforeSSO
  Changes the default invocation order of Trust Association Interceptors (TAIs) relative to single sign-on (SSO) user authentication. By default, TAIs are invoked after SSO. The value is a comma-separated list of the TAI class names to be invoked before SSO.
  Default: none
  Type: string
  WebSphere Application Server V6.1.0.0 has a different default invocation order: TAI before SSO. For V6.1.0.1 and later, the default is SSO before TAI.
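The following is an added example, not code from this page or from WebSphere Application Server, to make concrete what "decoding the DNQUALIFIER attribute" in the com.ibm.websphere.security.expandX500ExtendedAttribute entry refers to. RFC 2253 gives short names to only a small set of attribute types (CN, L, ST, O, OU, C, STREET, DC, UID); any other type, including dnQualifier (OID 2.5.4.46), is written as the dotted OID followed by # and the hexadecimal BER encoding of the value. The parser below splits a DN on unescaped commas and, when expand=True, decodes such #hex values into text. The attribute table, the sample DN and the exact rendering are assumptions for illustration; the server's own DN handling is not shown here.

```python
"""Added example (not WebSphere code): RFC 2253 DN parsing with optional
decoding of OID=#hex attribute values, as a stand-in for what the
expandX500ExtendedAttribute setting turns on. Sample DN is constructed."""
import binascii

# dnQualifier is the only extended type decoded here (assumption mirroring the
# property description); any other OID is passed through as received.
EXTENDED_OIDS = {"2.5.4.46": "DNQUALIFIER"}

# DER string tags we are willing to decode to text.
_STRING_TAGS = {0x13: "ascii",      # PrintableString
                0x16: "ascii",      # IA5String
                0x0C: "utf-8",      # UTF8String
                0x1E: "utf-16-be"}  # BMPString


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def decode_hex_value(hexstr):
    """Decode an RFC 2253 '#hex' value (one DER-encoded string) to text.
    Raises ValueError for anything that is not a short-form DER string."""
    der = binascii.unhexlify(hexstr)
    if len(der) < 2:
        raise ValueError("DER value too short")
    tag, length = der[0], der[1]
    if length >= 0x80 or 2 + length != len(der):
        raise ValueError("only short-form DER lengths are handled")
    if tag not in _STRING_TAGS:
        raise ValueError("unsupported DER tag 0x%02x" % tag)
    return der[2:].decode(_STRING_TAGS[tag])


def parse_dn(dn, expand=False):
    """Return [(type, value), ...]. With expand=True, dnQualifier values written
    as 2.5.4.46=#<hex> are decoded to text; with expand=False (the property's
    default) they are returned verbatim, as the standard RFC 2253 form."""
    out = []
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        typ, val = typ.strip(), val.strip()
        if expand and typ in EXTENDED_OIDS and val.startswith("#"):
            out.append((EXTENDED_OIDS[typ], decode_hex_value(val[1:])))
        else:
            out.append((typ, val))
    return out


if __name__ == "__main__":
    # Constructed sample: dnQualifier "abcd" as DER PrintableString 13 04 61 62 63 64.
    sample = "CN=alice,2.5.4.46=#130461626364,O=Example\\, Inc.,C=US"
    print(parse_dn(sample))               # property false: OID and hex left as-is
    print(parse_dn(sample, expand=True))  # property true: DNQUALIFIER decoded
```

When comparing a DN from a certificate or LDAP against an access-control rule, both sides must be in the same form; a rule written against the decoded DNQUALIFIER=abcd will not match the undecoded 2.5.4.46=#130461626364, which is the practical reason the setting matters.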
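As a second added example, not code from this page or from WebSphere Application Server, here is a check over the Set-Cookie headers of a login response for two of the behaviours described above: with com.ibm.ws.security.ssoInteropModeEnabled left at its default of true the response carries the old LtpaToken cookie next to LtpaToken2, and an oversized WASPostParam cookie is the condition that com.ibm.websphere.security.util.postParamMaxCookieSize exists to prevent. The cookie names come from the page; the response sample is constructed, and the 4096-byte limit and the finding codes are assumptions for illustration.

```python
"""Added example (not WebSphere code): audit Set-Cookie headers of a response
for the legacy LtpaToken cookie and an oversized WASPostParam cookie.
The header sample is constructed; the size limit is an assumption."""

DEFAULT_MAX_COOKIE_BYTES = 4096  # common per-cookie browser limit (assumption)


def parse_set_cookies(raw_headers):
    """Return [(name, value, attrs)] for every Set-Cookie line in a raw header block.
    The value is split on the first '=' only, because LTPA tokens are base64 and
    may themselves end in '='."""
    cookies = []
    for line in raw_headers.splitlines():
        hname, sep, rest = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        pieces = [p.strip() for p in rest.strip().split(";")]
        cname, _, cvalue = pieces[0].partition("=")
        attrs = {}
        for piece in pieces[1:]:
            k, _, v = piece.partition("=")
            attrs[k.strip().lower()] = v.strip()
        cookies.append((cname.strip(), cvalue, attrs))
    return cookies


def audit_security_cookies(raw_headers, max_cookie_bytes=DEFAULT_MAX_COOKIE_BYTES):
    """Return a list of (code, cookie_name, detail) findings, in header order."""
    findings = []
    for name, value, _attrs in parse_set_cookies(raw_headers):
        size = len(name) + 1 + len(value)   # "name=value" as the browser stores it
        if name == "LtpaToken":
            findings.append((
                "LEGACY_LTPA_TOKEN", name,
                "interoperable mode is on; set ssoInteropModeEnabled=false unless "
                "peers older than V5.1.1 still need the old cookie"))
        if name.lower().startswith("waspostparam") and size > max_cookie_bytes:
            findings.append((
                "POST_PARAM_COOKIE_TOO_LARGE", name,
                "%d bytes exceeds %d; set postParamMaxCookieSize" % (size, max_cookie_bytes)))
    return findings


# Constructed sample response: a form-login redirect that sets both LTPA
# cookies and a WASPostParam cookie holding a large POST body.
SAMPLE_HEADERS = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://app.example.test/app/landing\r\n"
    "Set-Cookie: LtpaToken2=" + "A" * 64 + "=; Path=/; HttpOnly\r\n"
    "Set-Cookie: LtpaToken=" + "B" * 48 + "=; Path=/\r\n"
    "Set-Cookie: WASPostParam=" + "C" * 5000 + "; Path=/app/login\r\n"
    "Set-Cookie: JSESSIONID=0000abcdef:-1; Path=/\r\n"
)

if __name__ == "__main__":
    for code, cookie, detail in audit_security_cookies(SAMPLE_HEADERS):
        print("%s %s: %s" % (code, cookie, detail))
```

Run it against a captured response (for example the headers saved from a browser's network panel) rather than the constructed sample to see what your own server sends; the JSESSIONID and LtpaToken2 cookies produce no finding because they are expected.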
Related tasks
Enabling security for the realm
Related reference
Common Secure Interoperability V2 outbound authentication settings
System login configuration entry settings for Java Authentication and Authorization Service