Modify the advanced configurations to meet the requirements of your organization.

Category filter

The category filter displays the names of the groupings of configuration settings. The groupings correspond to functional areas. When you select a category, the user interface displays only the settings for that category.
WebSEAL Sign-In Callback
- poc.signIn.attributesResponseHeader
  - The name of the header that contains the attributes of the user.
  - Data type: String
  - Example: am-fim-eai-xattrs
- poc.signIn.credResponseHeader
  - The name of the header that contains the IVCred of the user.
  - Data type: String
  - Example: am-fim-eai-pac
- poc.signIn.groupsResponseHeader
  - The name of the header that contains the groups of the user.
  - Data type: String
  - Example: fim.groups
- poc.signIn.serverResponseHeader
  - The name of the header that contains the hostname of the server that authenticates the user.
  - Data type: String
  - Example: fim.server
- poc.signIn.targetResponseHeader
  - The name of the header that contains the redirect URL.
  - Data type: String
  - Example: am-fim-eai-redir-url
- poc.signIn.urlEncodingEnabled
  - Indicates whether the EAI header names and values are URL encoded. The default is false, which means that the EAI header names and values are not URL encoded.
  - Data type: Boolean
  - Example: false
- poc.signIn.userRequestHeader
  - The name of the header that contains the user name of the user.
  - Data type: String
  - Example: iv-user
- poc.signIn.userResponseHeader
  - The name of the header that contains the user name of the user.
  - Data type: String
  - Example: am-fim-eai-user-id
- poc.signIn.userSessionResponseHeader
  - The name of the header that contains the authentication level of the user.
  - Data type: String
  - Example: am-eai-auth-level
WebSEAL Local Identity Callback
- poc.localIdentity.attributesRequestHeader
  - The name of the header that contains the attributes of the user.
  - Data type: String
  - Example: fim.attributes
- poc.localIdentity.credRequestHeader
  - The name of the header that contains the IVCred of the user.
  - Data type: String
  - Example: iv-creds
- poc.localIdentity.groupsRequestHeader
  - The name of the header that contains the groups of the user.
  - Data type: String
  - Example: iv-groups
- poc.localIdentity.userRequestHeader
  - The name of the header that contains the user name of the user.
  - Data type: String
  - Example: iv-user
WebSEAL Authenticate Callback
- poc.websealAuth.authLevel
  - The authentication level of the callback.
  - Data type: Integer
  - Example: 1
- poc.websealAuth.userRequestHeader
  - The name of the header that contains the user name of the user.
  - Data type: String
  - Example: iv-user
One-time password Authenticate Callback
- poc.otp.authLevel
  - The authentication level of the callback.
  - Data type: Integer
  - Example: 2
- poc.otp.backwardCompatibilityEnabled
  - Indicates whether the one-time password authentication mechanism runs in backward compatibility mode. The default value is false for a new installation and true if the installation is an upgrade.
  - Data type: Boolean
  - Example: true
Authentication-Policy Callback
- poc.authPolicy.allowRequestOverride
  - Whether the authentication level, the authentication mode, and the authentication type of the callback can be overridden by query string parameters.
  - Data type: Boolean
  - Example: true
- poc.authPolicy.authLevel
  - The authentication level of the callback.
  - Data type: Integer
  - Example: 1
- poc.authPolicy.authType
  - The authentication type of the callback.
  - Data type: String
  - Example: COMPLEMENTARY, HIERARCHICAL
SPS HTTP request claims
- sps.httpRequestClaims.enabled
  - Whether HTTP request information is sent to the STS as HTTPRequestClaims.
  - Data type: Boolean
  - Example: false
- sps.httpRequestClaims.filterSpec
  - The filter that specifies which HTTP request information is sent to the STS as HTTPRequestClaims.
  - Data type: String
  - Example: cookies=*:headers=*
Distributed shared data storage
- distributedMap.cleanupWait
  - The amount of time, in milliseconds, to wait before performing another cleanup against the distributed map.
  - Data type: Integer
  - Example: 10000
- distributedMap.defaultTTL
  - The amount of time, in seconds, that entries in the distributed map live when no lifetime is specified for an entry.
  - Data type: Integer
  - Example: 3600
- distributedMap.getRetryDelay
  - The amount of time, in milliseconds, to wait before performing another retrieval against the distributed map. The default is 0.
  - Data type: Integer
  - Example: 500
- distributedMap.getRetryLimit
  - The number of retrievals that are attempted against the distributed map before it reports that the requested data is not in the distributed map. The default is 0.
  - Data type: Integer
  - Example: 10
Attribute matcher properties
- userBehavior.minimumUsageHistoryRequired
  - Minimum number of usage data records required for any usage data analysis; used by LoginTimeMatcher.
  - Data type: Integer
  - Example: 8
- userBehavior.ipAddressRequestAttribute
  - The XACML request attribute from which the IP address is read.
  - Data type: String
  - Example: urn:ibm:security:subject:ipAddress
IP reputation PIP properties
- ip.reputation.ipAddressAdverseReputationThreshold
  - The value that an IP classification score must be at or above for an IP address to be considered as having that classification.
  - Data type: Integer
  - Example: 50
- ipReputation.dbConnectionTimeout
  - The number of seconds that the IP reputation policy information point (PIP) waits for a connection to the IP reputation database. The ipReputation.dbConnectionTimeout property defaults to 120.
  - Data type: Integer
  - Example: 60
Attribute collector properties
- attributeCollection.cookieName
  - Correlation ID used by the attribute collector.
  - Data type: String
  - Example: ac.uuid
- attributeCollection.requestServer
  - Request server for the attribute collector: a list of the hosts from which the ajaxRequest is allowed to be sent.
  - Data type: String List
  - Example: https://rbademo.example.com,https://rbaemo2.example.com
- attributeCollection.serviceLocation
  - Location of the attribute collector.
  - Data type: String List
  - Example: http://rbademo.example.com/mga
- attributeCollection.sessionTimeout
  - Number of seconds after which sessions stored in context-based access automatically expire unless they are updated. If any attribute in the session is updated, the session expiry is extended by the number of seconds configured in this property. The default is 1800 seconds.
  - Data type: Integer
  - Example: 1800
- attributeCollection.enableGetAttributes
  - Enables the REST GET method to return attributes.
  - Data type: Boolean
  - Example: False
- attributeCollection.getAttributesAllowedClients
  - A comma-separated list of clients that are allowed to access the ACS REST GET method. If this property is not set and attributeCollection.enableGetAttributes is set to true, anyone can access the GET method. If this property is set but attributeCollection.enableGetAttributes is set to false, this property is ignored.
  - Data type: String List
  - Example: hostname1, hostname2
- attributeCollection.hashAlgorithm
  - The algorithm that is used to create the hash.
  - Data type: String
  - Example: SHA256
- attributeCollection.attributesHashEnabled
  - A comma-separated list of attribute URI values that are configured for hashing.
    Attention: Do not hash the following attributes:
    - ipAddress
    - geoLocation
    - accessTime
  - Data type: String List
  - Example:
    urn:ibm:security:environment:http:userAgent,
    urn:ibm:security:environment:deviceFonts,
    urn:ibm:security:environment:browserPlugins
- attributeCollection.authenticationContextAttributes
  - Comma-separated list of attribute names to be collected during an authentication service obligation. The maximum length of this property is 200 characters.
  - Data type: String List
  - Example: authenticationLevel, http:host
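The interaction between attributeCollection.enableGetAttributes and attributeCollection.getAttributesAllowedClients is easy to get wrong: enabling the GET method without an allowlist exposes it to any caller. The following added example (not code from the product) models that decision logic over a plain dictionary of property values and flags the open configuration; the property values shown are constructed.

```python
ENABLE_KEY = "attributeCollection.enableGetAttributes"
ALLOWED_KEY = "attributeCollection.getAttributesAllowedClients"


def _is_true(value) -> bool:
    # Boolean properties are shown on the page as true/false or True/False.
    return str(value).strip().lower() == "true"


def parse_string_list(raw) -> set:
    # "String List" values are comma-separated; surrounding spaces are ignored.
    if raw is None:
        return set()
    return {item.strip() for item in str(raw).split(",") if item.strip()}


def get_attributes_permitted(config: dict, client_host: str) -> bool:
    """Mirror the documented semantics of the two properties."""
    if not _is_true(config.get(ENABLE_KEY, "false")):
        return False                      # GET disabled: allowlist is ignored
    allowed = parse_string_list(config.get(ALLOWED_KEY))
    if not allowed:
        return True                       # GET enabled, no allowlist: anyone
    return client_host in allowed


def audit_get_attributes(config: dict) -> list:
    """Return human-readable findings about a risky combination."""
    findings = []
    enabled = _is_true(config.get(ENABLE_KEY, "false"))
    allowed = parse_string_list(config.get(ALLOWED_KEY))
    if enabled and not allowed:
        findings.append("ACS REST GET enabled with no allowlist: any client can read attributes")
    if not enabled and allowed:
        findings.append("allowlist is set but GET is disabled: allowlist has no effect")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration: GET enabled, allowlist empty.
    sample = {ENABLE_KEY: "true", ALLOWED_KEY: ""}
    print(audit_get_attributes(sample))
```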
Device registration properties
- deviceRegistration.maxRegisteredDevices
  - Maximum device fingerprint count. The default is 10. Valid values are 1 to 100.
  - Data type: Integer
  - Example: 10
- deviceRegistration.maxUsageDataPerUser
  - Maximum number of historical usage attribute records stored per user. The default is 200. Valid values are 1 to 5000.
  - Data type: Integer
  - Example: 1000
- deviceRegistration.deviceMatchThreshold
  - The risk score threshold at or above which an existing fingerprint is considered to match the incoming device fingerprint.
  - Data type: Integer
  - Example: 20
- deviceRegistration.allowIncompleteFingerprints
  - Specifies whether the device registration obligation is allowed to store fingerprints when not all of the fingerprint attributes are available in the session information.
  - Data type: Boolean
  - Example: False
- deviceRegistration.permitOnIncompleteFingerprints
  - Specifies whether access to the resource is permitted when the fingerprint collected by the device registration obligation does not include all fingerprint attributes.
  - Data type: Boolean
  - Example: False
- deviceRegistration.checkForExpiredDevices
  - Determines whether registered devices are checked for inactivity or expiry. If the deviceRegistration.checkForExpiredDevices property is set to true, the risk engine checks whether a device is inactive or expired. The property defaults to false, which means that users can use any of the devices that are registered.
  - Data type: Boolean
  - Example: true
- deviceRegistration.inactiveExpirationTime
  - Specifies the number of days that a device must be inactive for it to expire. The deviceRegistration.inactiveExpirationTime property defaults to 90.
  - Data type: Integer
  - Example: 100
Runtime properties
- runtime.dbLoggingEnabled
  - Enables fine-grained logging for database SQL statements.
  - Data type: Boolean
  - Example: False
- runtime.hashAlgorithm
  - The algorithm that is used for hashing. The supported algorithms are:
    The runtime.hashAlgorithm property defaults to SHA-256.
  - Data type: String
  - Example: SHA-256
SPS page
- sps.page.htmlEscapedMacros
  - A comma-separated list of macros that are HTML-escaped when they are rendered in pages that are sent to the browser.
  - Data type: String
  - Example:
    @REQ_ADDR@,
    @DETAIL@,
    @EXCEPTION_STACK@,
    @EXCEPTION_MSG@,
    @OTP_METHOD_ID@,
    @OTP_METHOD_LABEL@,
    @OTP_HINT@,
    @ERROR_MESSAGE@,
    @MAPPING_RULE_DATA@
- sps.page.exceptionMacros
  - A comma-separated list of classname:macro pairs. Classname is the fully qualified name of the exception class. Macro is the name of the macro to which the class maps.
  - Data type: String
  - Example:
    com.tivoli.am.fim.otp.deliveries.OTPDeliveryException = @OTP_DELIVERY_EXCEPTION@,
    com.tivoli.am.fim.otp.providers.OTPProviderException = @OTP_PROVIDER_EXCEPTION@
Risk engine properties
- riskEngine.reportsEnabled
  - Enables the generation of risk calculation reports.
  - Data type: Boolean
  - Example: False
- riskEngine.reportsMaxStored
  - Specifies the maximum number of reports to store.
  - Data type: Integer
  - Example: 5
Authentication service properties
- sps.authService.reauthenticationEnabled
  - Specifies that the authentication service performs authentication even if the user already has an authenticated session at the required authentication level.
  - Data type: Boolean
  - Example: true
Session
- session.dbCleanupInterval
  - Specifies the interval, in seconds, at which the database cleanup thread runs to remove expired data from the runtime database. The default is 86400. The minimum value for this property is 3600. For more information, see Runtime database tuning parameters.
  - Data type: Integer
  - Example: 90000
Distributed session cache
- distributedSessionCache.enabled
  - A switch that dictates whether the distributed session cache is used for session failover. If this setting is not enabled, the distributed session cache server still runs as a service, but the client does not use it.
  - Data type: Boolean
  - Example: false
- distributedSessionCache.localCacheSize
  - The number of sessions to be stored on the client as a local cache. A value of 0 or less means that any number of sessions can be cached by the client. A low number requires more connections to the distributed session cache if there are many active sessions. A high number runs the risk of running out of memory if many sessions are locally cached. All sessions are still stored on the distributed session cache when it is enabled.
  - Data type: Integer
  - Example: 4096
TOTP and HOTP retry properties
- otp.retry.enabled
  - Whether retry protection is enabled.
  - Data type: Boolean
  - Example: true
- otp.retry.maxNumberOfAttempts
  - The maximum number of strikes that users can have before they are prevented from logging in.
  - Data type: Integer
  - Example: 5
- otp.retry.otpRetryTimeout
  - The number of seconds that a strike lasts.
  - Data type: Integer
  - Example: 600
OAuth20
- oauth20.sessionEndpointEnabled
  - Enables the ability to return an authenticated session at the point of contact when the oauth20.sessionEndpointEnabled property is set to true.
    Note: The oauth20.sessionEndpointEnabled property defaults to false.
  - Data type: Boolean
  - Example: false
- oauth20.tokenCache.cleanupWait
  - The amount of time, in seconds, to wait before performing another cleanup of expired tokens in the OAuth 2.0 token cache.
    Note: The oauth20.tokenCache.cleanupWait property defaults to 120.
  - Data type: Integer
  - Example: 120
- oauth20.doNotSendXFrameOptionsHeader
  - Specifies whether an X-Frame-Options header with the value SAMEORIGIN is returned from the OAuth 2.0 endpoints. When set to true, no X-Frame-Options header is sent.
    Note: The oauth20.doNotSendXFrameOptionsHeader property defaults to false.
  - Data type: Boolean
  - Example: false
HTTP client
- util.httpClient.defaultTrustStore
  - Stores the default truststore that HTTPS connections in the HTTP client use.
    Note: The util.httpClient.defaultTrustStore property defaults to rt_profile_keys.
  - Data type: String
  - Example: rt_profile_keys
- util.httpClient.defaultSSLProtocol
  - Stores the default SSL protocol configuration that HTTPS connections in the HTTP client use.
    Note: The util.httpClient.defaultSSLProtocol property defaults to TLS.
  - Data type: String
  - Example: TLS
CRL checking
- kess.crlEnabled
  - Checks the certificate revocation list. Checking is done by the key encryption and signature service (KESS) for all functions that use an external certificate, except for the audit syslog. If your configuration does not require CRL checking, you can disable it. For example, if you use an internal certificate authority (CA), you might want to disable CRL checking. The kess.crlEnabled property defaults to true.
  - Data type: Boolean
  - Example: True
Demo
- live.demos.enabled
  - Enables the mobile demonstration application.
  - Data type: Boolean
  - Example: False
Knowledge questions properties
- knowledge.questions.AnswerValidationRegEx
  - Specifies the regular expression that is used to validate the knowledge question answer value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against; a supplied value is valid only if none of them match.
    Note: At a minimum, this property must include the following characters: <>:"
  - Data type: RegEx
  - Example: [\[()<>,;:\\/\"\]=]
- knowledge.questions.QuestionValidationRegEx
  - Specifies the regular expression that is used to validate the knowledge question text value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against; a supplied value is valid only if none of them match.
    Note: At a minimum, this property must include the following characters: <>:"
  - Data type: RegEx
  - Example: [\[()<>,;:\\/\"\]=]
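Both validation properties are "deny if the pattern matches" lists, and the note requires that `<`, `>`, `:` and `"` are always among the rejected characters. The following added example (not product code) applies that rule to a candidate answer or question text and checks whether a configured pattern still meets the documented minimum; the sample values are constructed, and the page's own example pattern is used as the well-formed case.

```python
import re

# The characters the page says the property must cover at a minimum.
REQUIRED_REJECTED = '<>:"'

# The example pattern from the page, as a Python raw string.
PAGE_EXAMPLE_PATTERN = r'[\[()<>,;:\\/\"\]=]'


def pattern_meets_minimum(pattern: str) -> bool:
    """True if the pattern rejects every character in REQUIRED_REJECTED."""
    compiled = re.compile(pattern)
    return all(compiled.search(ch) is not None for ch in REQUIRED_REJECTED)


def is_valid_value(pattern: str, value: str) -> bool:
    """A value is valid when no invalid character in the pattern matches it."""
    return re.search(pattern, value) is None


def invalid_characters(pattern: str, value: str) -> list:
    """List the characters of value that the pattern rejects, in order."""
    compiled = re.compile(pattern)
    return [ch for ch in value if compiled.search(ch)]


if __name__ == "__main__":
    # Constructed sample inputs.
    print(pattern_meets_minimum(PAGE_EXAMPLE_PATTERN))          # True
    print(pattern_meets_minimum(r'[<>]'))                       # False: ':' and '"' not covered
    print(is_valid_value(PAGE_EXAMPLE_PATTERN, "Springfield"))  # True
    print(invalid_characters(PAGE_EXAMPLE_PATTERN, 'a<b:"c'))   # ['<', ':', '"']
```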