

JMS Password Store configuration

The JMS Password Store properties are set in pwsync.props, the general configuration file of the password synchronization plug-ins. By default, there is one file per plug-in, for example, TDI_install_dir/pwd_plugins/tds/pwsync.props.

Note: In the general configuration file, you must manually encrypt each password property. You can use the encryptPasswd utility to encrypt the password. This utility uses a symmetric algorithm to encrypt the passwords. Make sure that the pwsync.props file is readable only by trusted system users.

Pass the password to the encryptPasswd utility as a parameter; the encrypted password is printed on the standard output. For more information about the configuration parameters and the encryptPasswd utility, see Common configuration and utilities of password synchronization plug-ins. In the pwsync.props file:

For more information about password message security, see Password message security. The following example shows an extract of the JMS Password Store configuration section of the pwsync.props file:

# This is the configuration file of the Password Synchronizer.
# It is used by all parts of the Password Synchronizer: the Plug-in, 
# the Proxy and the Password Store component.
# Enter (name)=(value) to set configuration properties.
# Follow the Java properties file format. Backslashes must be escaped:
# e.g. instead of 'c:\myfile.txt' type 'c:\\myfile.txt'.

# Executable (binary or shell script) used to start the Java Proxy.
# If this property is set, both 'jvmPath' and 'jvmClassPath' will be ignored.
proxyStartExe=C:\\Program Files\\IBM\\TDI\\V7.2/pwd_plugins/bin/startProxy.bat

# Port number, on which the Java Proxy listens for commands.

# The log file of the Plug-in part of the Password Synchronizer.
# If empty, no logging will be done.
logFile=C:\\Program Files\\IBM\\TDI\\V7.2/pwd_plugins/windows/plugin.log

# Whether to reject password changes if the Password Store is down.

# The log file of the Java Proxy part of the Password Synchronizer. If empty, 
# no logging will be done.
javaLogFile=C:\\Program Files\\IBM\\TDI\\V7.2/pwd_plugins/windows/proxy.log

# Turn on debug logging for all parts of the Password Synchronizer.

# Custom data that will be send with each password change.
# This string can be used to uniquely identify the machine or product that generates 
# the changes (e.g. machine IP, application name and version).

# User filtering configuration

# A list of Windows groups. If a user is a member of some group on the list, 
# the user will be accepted by the user filter (assuming the user is not 
# excluded by some of the exclude lists).
# Group names must be separated by semicolons. Redundant white-spaces are not allowed.
# includeGroups=

# A list of Windows groups. If a user is a member of some group on the list, the user 
# will not be accepted
# by the user filter.
# Group names must be separated by semicolons. Redundant white-spaces are not allowed.
# excludeGroups=

# A list of DN suffixes. If a user's Distinguished Name matches some suffix on the list,
# the user will be accepted by the user filter 
# (assuming the user is not excluded by some of the exclude lists).
# DN suffixes must be separated by semicolons. Redundant white-spaces are 
# not allowed.
# includeDNs=

# A list of DN suffixes. If a user's Distinguished Name matches some suffix on 
# the list, the user will not
# be accepted by the user filter.
# DN suffixes must be separated by semicolons. Redundant white-spaces are not allowed.
# excludeDNs=

# Types of the accounts for which password changes will be reported.
# It is a space-delimited list of account types. Recognized account types are:
# accountTypes=NORMAL_ACCOUNT

# The Password Store component 
# Specify the full name of the Java class.
# Choose one of the following:
#	com.ibm.di.plugin.pwstore.log.LogPasswordStore
#	com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
#	com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStore
# LogPasswordStore is for testing purposes only - you should NEVER use it in 
# production environment.

# Public key encryption of passwords
# encrypt=true
# encryptKeyStoreFilePath=
# encryptKeyStoreFilePassword=
# encryptKeyStoreCertificate=

# 'encryptKeyPassword' is required by the LDAP Password Store (the rest do not need it)
# encryptKeyPassword=

# PKCS7 encapsulation of passwords
# pkcs7=true
# pkcs7KeyStoreFilePath=
# pkcs7KeyStoreFilePassword=
# pkcs7MqeStoreCertificateAlias=
# pkcs7MqeConnectorCertificateAlias=

# SSL configuration properties
# javax.net.ssl.trustStore=
# javax.net.ssl.trustStorePassword=
# javax.net.ssl.trustStoreType=
# javax.net.ssl.keyStore=
# javax.net.ssl.keyStorePassword=
# javax.net.ssl.keyStoreType=

# LDAP Password Store Configuration #

# LDAP server host
# ldap.hostname=localhost

# LDAP server port
# ldap.port=389

# LDAP bind dn
# ldap.admindn=cn=root

# LDAP bind password
# This field must be encoded. Use the 'encryptPasswd' utility.
# ldap.password=0c0bf0e3146b

# If set to true, password changes will be committed synchronously 
# to the Password Store when a password change notification is received.
# The source of the password change will be blocked
# until the password change is written to the Password Store.
# If set to false, the commit will be asynchronous. 
# Use the 'ldap.delayMillis' property to configure
# the time to wait before committing the password change.
# ldap.waitForStore=true

# Time to wait (in milliseconds), before committing the password change to the 
# Password Store. Will be ignored if 'waitForStore' is set to true.
# ldap.delayMillis=2000

# Use SSL for LDAP communication.
# If set to true, JSSE must be configured (set the javax.net.ssl.trustStore and 
# javax.net.ssl.keyStore properties).
# ldap.ssl=false

# Location in the LDAP directory tree, where the Password Synchronizer 
# will store data.
# ldap.suffix=dc=carnd11,o=ibm,c=us

# Name of an LDAP object class used to hold information for a given user.
# ldap.schemaPersonObjectName=ibm-diPerson

# Name of an LDAP attribute which represents user identifier.
# This attribute must be a member of the object class specified by the 
# 'ldap.schemaPersonObjectName' property.
# ldap.schemaUseridAttributeName=ibm-diUserId

# Name of an LDAP attribute which represents user password.
# This attribute must be a member of the object class specified by 
# the 'ldap.schemaPersonObjectName' property.
# ldap.schemaPasswordAttributeName=ibm-diPassword

# MQe Password Store Configuration #

# JMS driver, used to establish connection to the message broker.
# jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.IBMMQe

# The path to the .ini file of the MQe QueueManager.
# mqe.file.ini=

# The TCP/IP port used when the MQe Connector sends notifications to the 
# Storage Component.
# mqe.notify.port=41002

# ActiveMQ Password Store Configuration #

# JMS driver, used to establish connection to the message broker.
# jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.ActiveMQ

# JMS Server address (jms.broker=tcp://<activeMQhost>:61616 or 
# jms.broker=ssl://<activeMQhost>:61617)
# jms.broker=

# WebSphere MQ Password Store Configuration #

# JMS driver, used to establish connection to the message broker.
# jmsDriverClass=com.ibm.di.plugin.pwstore.jms.driver.IBMMQ

# The ID of this client. This value is used when connecting to a broker.
# Most brokers do not allow clients to have the same ID.
# jms.clientId=

# JMS Server address (ip host and tcp port number).
# jms.broker=<host>:<port>
# Login username for the password queue.
# jms.username=

# Login password for password queue.
# This field must be encoded. Use the 'encryptPasswd' utility.
# jms.password=

# MQ Server Channel
# jms.serverChannel=

# Queue Manager Name
# jms.qManager=

# Turn on SSL
# jms.sslUseFlag=false

# SSL cipher suite
# (See the WebSphere MQ documentation for a full list of supported cipher suites).
# jms.sslCipher=SSL_RSA_WITH_RC4_128_MD5

# IBM Security Identity Manager Integration
# Passwords will be verified by an IBM Security Identity Manager Server's
# Password Strength Servlet prior to synchronization.
# To enable TIM integration, set the 'syncClass' property to one of the following:
#	com.ibm.di.plugin.pwstore.log.LogPasswordStoreITIMDecorator
#	com.ibm.di.plugin.pwstore.jms.JMSPasswordStoreITIMDecorator
#	com.ibm.di.plugin.pwstore.ldap.LDAPPasswordStoreITIMDecorator

# URL of the IBM Security Identity Manager hosted Password Strength Servlet. 
# Note: If https is used, the javax.net.ssl.trustStore* properties must be set. 
# Where the specified truststore contains the IBM Security Identity Manager Server's 
# certificate.
# itimPasswordUrl=https://<host>:<port>/passwordsynch/synch

# IBM Security Identity Manager user account permitted to perform a password check.
# itimPrincipalName=

# The password for the IBM Security Identity Manager user account specified by 
# the 'itimPrincipalName' property.
# itimPrincipalPassword=

# The IBM Security Identity Manager service name against which the password check 
# would be performed.
# itimSourceDN=erservicename=TDIPasswordService, o=IBM, ou=IBM, dc=com
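As an added example (not part of the IBM documentation or the product), the following Python reads a pwsync.props extract in the Java properties format the file header describes and flags the two things the page warns about: a syncClass that uses LogPasswordStore, and password properties that were not encoded with encryptPasswd. It assumes encryptPasswd output is hex, as in the ldap.password sample above, and that the file uses the (name)=(value) form; the SAMPLE text and the PASSWORD_KEYS list are constructed here.

```python
import re
# Password-bearing keys named in the extract above (list assembled here, not by the product).
PASSWORD_KEYS = ("ldap.password", "jms.password", "encryptKeyStoreFilePassword", "encryptKeyPassword",
                 "pkcs7KeyStoreFilePassword", "itimPrincipalPassword",
                 "javax.net.ssl.trustStorePassword", "javax.net.ssl.keyStorePassword")
# Assumption: encryptPasswd output is hex, as in the page's 'ldap.password=0c0bf0e3146b'.
ENCODED_RE = re.compile(r"^[0-9a-fA-F]{8,}$")
ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def _unescape(s):
    r"""Resolve Java properties escapes: \\ -> \, \t \n \r \f, any other \x -> x."""
    out, i = [], 0
    while i < len(s):
        esc = s[i] == "\\" and i + 1 < len(s)
        out.append(ESCAPES.get(s[i + 1], s[i + 1]) if esc else s[i])
        i += 2 if esc else 1
    return "".join(out)

def parse_java_properties(text):
    """Parse the (name)=(value) form the file uses: '#'/'!' comments, escapes, continuations.
    Assumes keys contain no escaped '='; the ':' and whitespace separators are not handled."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip(); i += 1
        if not line or line[0] in "#!":
            continue
        while (len(line) - len(line.rstrip("\\"))) % 2 == 1 and i < len(lines):
            line = line[:-1] + lines[i].lstrip(); i += 1  # odd trailing '\' joins next line
        key, _, value = line.partition("=")
        props[_unescape(key.strip())] = _unescape(value.strip())
    return props

def audit_pwsync(props):
    """Findings a defender wants before deploying: test-only store, unencrypted secrets."""
    findings = []
    if "LogPasswordStore" in props.get("syncClass", ""):
        findings.append("syncClass uses LogPasswordStore, which the file marks as testing-only")
    for key in PASSWORD_KEYS:
        value = props.get(key, "")
        if value and not ENCODED_RE.match(value):  # heuristic: hex-looking plaintext would pass
            findings.append(f"{key} is set but does not look encryptPasswd-encoded")
    return findings

# Constructed extract modelled on the page's file; jms.password is deliberately left plaintext.
SAMPLE = r"""proxyStartExe=C:\\Program Files\\IBM\\TDI\\V7.2/pwd_plugins/bin/startProxy.bat
syncClass=com.ibm.di.plugin.pwstore.jms.JMSPasswordStore
ldap.password=0c0bf0e3146b
jms.password=Secret123
"""
```

Run `audit_pwsync(parse_java_properties(open(path).read()))` against a real file; an empty list means neither check fired, not that the file is safe, since the hex test cannot tell an encoded value from a hex-looking plaintext.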

