Security properties

These properties apply to security.

com.ibm.cdb.secure.server=false (Fix Pack 3)
The default value is false.
This property specifies whether all TADDM services from the public and external RMI registries are secure. If set to true, all public services that are not secure (ClientProxyServer and API Server) are moved to the internal RMI registry. Also, the SSL protocol is enforced on external services, for example, RegistriesURLProvider, SecurityManager, and TopologyManager.
If you set this property to true, also set the com.collation.security.enablesslforconsole and com.collation.security.enforceSSL properties to true.
This property might affect integration with other products that connect to TADDM over an unsecured connection.
If you modify the default value of this property, set it in the following locations:
  • $COLLATION_HOME/dist/etc/collation.properties
  • $COLLATION_HOME/dist/sdk/etc/collation.properties
  • sdk/etc/collation.properties of every TADDM SDK installation.
com.ibm.cdb.rmi.registry.secure=false (Fix Pack 5)
The default value is false.
Valid values are true or false. To enable secure registry mode, set this flag to true.
If the server is running in secure registry mode (com.ibm.cdb.rmi.registry.secure=true), the following port is secured with the SSL protocol: com.ibm.cdb.service.registry.public.port (default value: 9433).
If the server is running in secure registry mode (com.ibm.cdb.rmi.registry.secure=true), the 'Establish a secure (SSL) session' check box must be selected when you launch the Data Management Console.
com.ibm.cdb.secure.liberty=false (Fix Pack 1)
The default value is false.

Valid values are true or false. To disable the non-secure HTTP port, set this flag to true.

com.collation.security.privatetruststore=true
The default value is true.

Valid values are true or false. The value must be true when SSL is enabled.

com.collation.security.enablesslforconsole=true
The default value is true.

Valid values are true or false.

com.collation.security.enabledatalevelsecurity=false
The default value is false.

Valid values are true or false. To restrict access to collections of TADDM objects by user or user group, set this value to true.

com.collation.security.enforceSSL=false
The default value is false.

Valid values are true or false. To disable non-secure connections and force the use of SSL connections, set this flag to true.

com.collation.security.usermanagementmodule=file
The default value is file.
There are three options for this property:
  • file for a TADDM file-based user registry
  • ldap for an LDAP user registry
  • vmm for a user registry that uses the federated repositories of WebSphere® Application Server
com.collation.security.auth.sessionTimeout=240
The default value is 240. The value must be an integer.
com.collation.security.auth.searchResultLimit=100
The default value is 100. The value must be an integer.
Use this property if you have many users.
Important: If you have more than 100 users in an LDAP or WebSphere Federated repository, increase this value to support the expected number of users. For example, com.collation.security.auth.searchResultLimit=150
com.collation.security.auth.websphereHost=localhost
The default value is localhost.

Type the fully qualified domain name of the system that hosts the federated repositories functionality of the WebSphere Application Server.

com.collation.security.auth.webspherePort=2809
The default value is 2809.

It must be an integer value. This value indicates the WebSphere system port.

com.ibm.cdb.service.SecurityManager.port=9540
For servers other than a synchronization server:

The default value is 9540.

Specifies the firewall port that is used by the security manager.

For a synchronization server:

The default value is not set.

Domains communicate with a synchronization server by using a port that is specified in the com.collation.EnterpriseSecurityManager.port parameter. The default value for this property is 19433.

com.collation.cdm.analytics.authorizedRole=

The Analytics pane can be restricted to a specific role. By default, this property is not defined in the collation.properties file and the Analytics pane is available for everyone. The value of the property must be the name of the role that is allowed to access the pane.

The access to the following areas of the Analytics pane can be subject to the specified role:
  • Grouping Patterns (Fix Pack 2)
  • Inventory Summary
  • Application Summary
  • Service Summary
  • System Inventory
  • Software Server Inventory
  • BIRT Reports
com.collation.security.discoverOutsideScope=true
The default value is true.

Valid values are true or false. To disable the discovery of elements that are not inside the scope, set this flag to false.

com.ibm.cdb.secure.tomcat=false (TADDM 7.3.0 only)
The default value is false.

Valid values are true or false. To disable the non-secure HTTP port, set this flag to true.

com.ibm.cdb.http.ssl.protocol=TLS
The default value is TLS.
This property modifies the SSL protocol that is used by the Web SSL port (HTTPS port), which is 9431 by default. You can set the port by using the com.ibm.cdb.service.web.secure.port property.
For the list of supported values, see IBM® Java™ 7 documentation at http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/protocols.html. If you use the most secure protocols, for example TLS v1.1 or TLS v1.2, you must first configure your web browser to support them. Additionally, protocols that are too strong might affect integration with other products that connect to TADDM through the Web SSL port.
(Fix Pack 5) When com.ibm.cdb.http.ssl.protocol=TLSv1.2 and Java 7 is used on the client side, the following setting must be updated in <JAVA_HOME>/jre/lib/security/java.security:
jdk.tls.disabledAlgorithms=SSLv2, SSLv3, TLSv1, TLSv1.1
Also, TLSv1 and TLSv1.1 should be disabled in the browser.
com.ibm.cdb.ssl.protocol=TLS
This property is not added to the collation.properties file by default. If it is not added, the default value is TLS. To modify it, add this property to the collation.properties file manually with the new value.
This property modifies the SSL protocol that is used by the following ports:
  • The port that the API server listens on for SSL requests, by default 9531. You can set the port by using the com.ibm.cdb.service.SecureApiServer.secure.port property.
  • The RMI data port to use with SSL, by default 9434. You can set the port by using the com.ibm.cdb.service.SecureClientProxyServer.secure.port property.
For the list of supported values, see IBM Java 7 documentation at http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/protocols.html. If you use the most secure protocols, for example TLS v1.1 or TLS v1.2, you must first configure your web browser to support them. Additionally, protocols that are too strong might affect integration with other products that connect to TADDM through the listed ports.
com.ibm.cdb.http.ssl.ciphers=
The ciphers that you specify in this property are set on the Liberty server, and communication uses only those ciphers. If the property is not set, the server picks the default ciphers, which might include weak algorithms.
com.ibm.cdb.rmi.ssl.protocol=
This property enables a specific protocol on the SSL connection that was created with com.ibm.cdb.ssl.protocol.
The value of com.ibm.cdb.rmi.ssl.protocol must be from the list of protocols that com.ibm.cdb.ssl.protocol supports.
com.ibm.cdb.rmi.ssl.ciphers=
With this property, you can set the cipher algorithms for the RMI data port and for the port that the API server listens on.
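The dependencies between these properties can be checked mechanically before a server restart. The following is an added example, not IBM code: it audits the text of a collation.properties file against the rules stated on this page. It assumes simple key=value lines, that "SSL is enabled" means enablesslforconsole or enforceSSL is true, and the function names and sample input are constructed for illustration.

```python
# Added example (not IBM code): audit collation.properties text against this page's rules.
DEFAULTS = {  # defaults as documented on this page
    "com.ibm.cdb.secure.server": "false",
    "com.ibm.cdb.secure.liberty": "false",
    "com.collation.security.privatetruststore": "true",
    "com.collation.security.enablesslforconsole": "true",
    "com.collation.security.enforceSSL": "false",
    "com.ibm.cdb.http.ssl.ciphers": "",
}
SERVER = "com.ibm.cdb.secure.server"
CONSOLE = "com.collation.security.enablesslforconsole"
ENFORCE = "com.collation.security.enforceSSL"

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return findings for one properties file; unset keys use DEFAULTS."""
    p = {**DEFAULTS, **parse_properties(text)}
    on = lambda key: p[key].lower() == "true"
    findings = []
    if on(SERVER):
        findings += [f"{dep} must be true when {SERVER}=true"
                     for dep in (CONSOLE, ENFORCE) if not on(dep)]
    # Assumption: "SSL is enabled" means either SSL flag below is true.
    if (on(CONSOLE) or on(ENFORCE)) and not on("com.collation.security.privatetruststore"):
        findings.append("com.collation.security.privatetruststore must be true when SSL is enabled")
    if not on(ENFORCE):
        findings.append(f"{ENFORCE}=false: non-secure connections are allowed")
    if not on("com.ibm.cdb.secure.liberty"):
        findings.append("com.ibm.cdb.secure.liberty=false: non-secure HTTP port is open")
    if not p["com.ibm.cdb.http.ssl.ciphers"]:
        findings.append("com.ibm.cdb.http.ssl.ciphers unset: default ciphers may be weak")
    return findings

def secure_server_drift(server_text, sdk_text):
    """True if SERVER differs between dist/etc and an SDK copy of the file."""
    get = lambda t: {**DEFAULTS, **parse_properties(t)}[SERVER].lower()
    return get(server_text) != get(sdk_text)

SAMPLE = """# constructed sample, not from a real server
com.ibm.cdb.secure.server=true
"""
```

Run `audit()` on the contents of each collation.properties copy, and `secure_server_drift()` on the server file paired with each SDK copy, because com.ibm.cdb.secure.server must match in all of the listed locations.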