Security custom properties

Use this page to understand the predefined custom properties that are related to security.

To view this administrative console page, click Security > Global security. Under Additional properties, click Custom properties > New.

com.ibm.CSI.rmiInboundPropagationEnabled

This property determines if a server receives propagated attributes from another server.

When the property value is set to true, the server accepts propagated attributes. When the property value is set to false, the server does not accept propagated attributes and therefore, the client should not send those attributes.

Default true

com.ibm.CSI.rmiOutboundLoginEnabled

This property determines if the login configuration that is specified by the com.ibm.CSI.rmiOutboundLoginConfig property is called when it is not already enabled by propagation.

When you enable this property, the login configuration can be called even when propagation is disabled. When propagation is enabled, it is not necessary to enable this property.

Default false

com.ibm.CSI.rmiOutboundPropagationEnabled

This property determines if the client sends propagated attributes if the server supports propagated attributes. When this property is enabled, the JAAS login configuration that is referenced by the com.ibm.CSI.rmiOutboundLoginConfig property is called.

You must specify the com.ibm.ws.security.server.lm.wsMapCSIv2OutboundLoginModule login module in this login configuration for outbound propagation to work.

Default true

com.ibm.websphere.security.console.noSSLTreePortEndpoints

[Fix Pack 33 or later]

This property is used to improve the response time for large topology configurations.

When this property is set to true, the status of the SSL port endpoints is not displayed on the Manage endpoint security configurations page in the administrative console. Displaying that status sometimes makes the administrative console appear to have stopped responding because of a longer than expected response time.

[Fix Pack 33 or later] Avoid trouble: Do not use this property unless you are running on Version 6.0.2.33 or later.
Default false

com.ibm.websphere.security.handleTAIBeforeSSO

This property allows you to have the trust association interceptor (TAI) handled before single sign-on (SSO) is handled.

Note: This property is available only for version 6.0.2.11 and later.

By default, security handles SSO before the TAI is handled; with the default behavior, the TAI is ignored when an SSO token is presented. To handle the TAI before SSO, set the following property: com.ibm.websphere.security.handleTAIBeforeSSO=true

Default false

com.ibm.websphere.security.ldap.logicRealm

This custom property enables you to change the name of the realm that is placed in the token.

This custom property enables you to configure each cell to have its own LDAP host for interoperability and backward compatibility. It also provides flexibility for adding or removing the LDAP host dynamically. If you are migrating a previous installation, the modified realm name does not take effect until administrative security is re-enabled. To be compatible with a previous release that does not support the logic realm, the name must be the same name that the previous installation used. The value must be the LDAP host name followed by a colon and the port number, for example ldaphost.example.com:389.

Type String

com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled

[Fix Pack 39 or later]

This custom property specifies whether to limit the size of the CSIv2 session cache.

When you set this custom property value to true, you must set values for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime and com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom properties. When you set this custom property to false, the CSIv2 session cache is not limited. The default property value is false.

Important: This custom property applies only if stateful sessions are enabled.

com.ibm.websphere.security.util.csiv2SessionCacheMaxSize

[Fix Pack 39 or later]

This property specifies the maximum size of the session cache after which expired sessions are deleted from the cache. Expired sessions are defined as sessions that are idle longer than the time that is specified by the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property.

Consider increasing the value of this custom property if a small cache size causes the garbage collection to run so frequently that it impacts the performance of the application server.

The range of values for this custom property is 100 to 1000 entries. By default, a value is not set.

This custom property only applies if you enable stateful sessions, enable the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property, and set a value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property.

com.ibm.websphere.security.util.csiv2SessionCacheIdleTime

[Fix Pack 39 or later]

This property specifies the time in milliseconds that a CSIv2 session can remain idle before it is eligible for deletion. Idle sessions are deleted only when the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property is set to true and the maximum size of the CSIv2 session cache is exceeded.

With a small value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property, the application server can clean out idle sessions more frequently once the cache is over its limit, and potentially reduce resource shortages.

The range of values for this custom property is 60,000 to 86,400,000 milliseconds. By default, a value is not set.

This custom property only applies if you enable stateful sessions, enable the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property, and set a value for the com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom property.

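The interaction of the three csiv2SessionCache* properties is easy to misread, so here is an added illustration (not WebSphere code) that simulates only what this page documents: a session is expired when idle longer than IdleTime, expired sessions are purged only once the cache holds more than MaxSize entries, and nothing is purged when the limit is disabled. The documented ranges are checked by validate_settings. The page does not say what the real cache does when it is over MaxSize but no session has expired, so the model simply keeps growing in that case; the session identifiers and timings are constructed.

```python
"""Model of the CSIv2 session cache limit described by the three
csiv2SessionCache* properties (added illustration, not WebSphere code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SIZE_RANGE = (100, 1000)             # entries, the documented range
IDLE_TIME_RANGE = (60_000, 86_400_000)   # milliseconds, the documented range


def validate_settings(limit_enabled: bool, max_size: Optional[int],
                      idle_time_ms: Optional[int]) -> List[str]:
    """Return the configuration problems found; an empty list means usable."""
    problems = []
    if not limit_enabled:
        return problems   # MaxSize and IdleTime are ignored when the limit is off
    if max_size is None or idle_time_ms is None:
        problems.append("limit enabled but MaxSize and IdleTime are not both set")
        return problems
    lo, hi = MAX_SIZE_RANGE
    if not lo <= max_size <= hi:
        problems.append(f"MaxSize {max_size} outside {lo}-{hi}")
    lo, hi = IDLE_TIME_RANGE
    if not lo <= idle_time_ms <= hi:
        problems.append(f"IdleTime {idle_time_ms} ms outside {lo}-{hi}")
    return problems


@dataclass
class Csiv2SessionCache:
    limit_enabled: bool
    max_size: Optional[int] = None
    idle_time_ms: Optional[int] = None
    sessions: Dict[str, int] = field(default_factory=dict)  # id -> last use (ms)
    purged: int = 0

    def touch(self, session_id: str, now_ms: int) -> None:
        """Record use of a session, then apply the documented purge rule."""
        self.sessions[session_id] = now_ms
        if not self.limit_enabled or len(self.sessions) <= self.max_size:
            return   # limit off or not exceeded: idle sessions are left in place
        expired = [sid for sid, last in self.sessions.items()
                   if now_ms - last > self.idle_time_ms]
        for sid in expired:
            del self.sessions[sid]
        self.purged += len(expired)


def simulate(limit_enabled: bool = True, max_size: int = 100,
             idle_time_ms: int = 60_000) -> Csiv2SessionCache:
    """Constructed scenario: 100 sessions at t=0, one more after 120 s idle."""
    cache = Csiv2SessionCache(limit_enabled, max_size, idle_time_ms)
    for i in range(100):
        cache.touch(f"session-{i}", 0)
    cache.touch("late-session", 120_000)
    return cache


if __name__ == "__main__":
    c = simulate()
    print(f"limit on, MaxSize 100:  {len(c.sessions)} live, {c.purged} purged")
    c = simulate(max_size=1000)
    print(f"limit on, MaxSize 1000: {len(c.sessions)} live, {c.purged} purged")
    print(validate_settings(True, 50, 60_000))
```

The MaxSize 1000 run is the case to notice: the 100 idle sessions survive because the cache never exceeds the limit, so a generous MaxSize with a short IdleTime does not by itself release resources any sooner.
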
com.ibm.ws.security.addHttpOnlyAttributeToCookies

[Fix Pack 39 or later]

This custom property enables you to set the HTTPOnly attribute for single sign-on (SSO) cookies.

You can use the com.ibm.ws.security.addHttpOnlyAttributeToCookies custom property to protect cookies that contain sensitive values. When you set this custom property value to true, the application server sets the secure and HTTPOnly attributes on SSO cookies whose values are set by the server. The HTTPOnly attribute keeps client-side script from reading the value of the cookie.

Also, a true value enables the application server to properly recognize, accept, and process inbound cookies with HTTPOnly attributes and inhibit any cross-site scripting from accessing sensitive cookie information.

A common security problem that affects Web servers is cross-site scripting, a vulnerability that is usually created when user input is rendered as HTML without being escaped. A cross-site scripting attack can expose sensitive information about the users of the Web site, including their session and SSO cookies. Most modern Web browsers honor the HTTPOnly attribute by refusing to expose the cookie to script running in the page, which limits what such an attack can steal; a cookie with this attribute is called an HTTPOnly cookie. Information in an HTTPOnly cookie is less likely to be disclosed to an attacker or a malicious Web site. The attribute protects the cookie, not the page: it does not prevent the script injection itself. For more information about the HTTPOnly attribute, see the Open Web Application Security Project (OWASP) Web site.

Important: When you use this custom property, the HTTPOnly attribute is not added to every cookie that passes through the application server, and it is not added to other non-secure cookies that the application server creates. A list of non-HTTPOnly cookies includes:

Default false

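Because the property covers only the SSO cookies the server sets, the useful check after enabling it is to look at the Set-Cookie headers the server actually returns. The following added example (not WebSphere code) parses Set-Cookie headers the way a browser does, with attribute names compared case-insensitively, and reports which SSO cookies still lack HttpOnly. It assumes LtpaToken and LtpaToken2 are the SSO cookie names to look for; the sample headers and token values are constructed placeholders.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes
(added example, not WebSphere code)."""
from typing import Dict, List, Tuple

# Assumed SSO cookie names; anything else is treated as an application cookie
# that the custom property does not cover.
SSO_COOKIE_NAMES = {"LtpaToken", "LtpaToken2"}


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, object]]:
    """Return (name, value, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes such as HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers: List[str]) -> Dict[str, Dict[str, bool]]:
    """Map cookie name -> findings for every Set-Cookie header in a response."""
    report = {}
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        report[name] = {
            "sso": name in SSO_COOKIE_NAMES,
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
        }
    return report


def sso_cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Names of SSO cookies that page script could still read via document.cookie."""
    report = audit_cookies(set_cookie_headers)
    return sorted(n for n, f in report.items() if f["sso"] and not f["httponly"])


# Constructed sample responses: before and after the property is set to true.
# The token values are placeholders, not real LTPA tokens.
BEFORE = [
    "LtpaToken2=AAECAwQFBgc=; Path=/; Domain=.example.com",
    "JSESSIONID=0000abc:1; Path=/",
]
AFTER = [
    "LtpaToken2=AAECAwQFBgc=; Path=/; Domain=.example.com; HttpOnly; Secure",
    "JSESSIONID=0000abc:1; Path=/",   # not an SSO cookie: left as the application set it
]

if __name__ == "__main__":
    print("before:", sso_cookies_missing_httponly(BEFORE))
    print("after: ", sso_cookies_missing_httponly(AFTER))
    print("after, all cookies:", audit_cookies(AFTER))
```

Run it against the headers captured from a real login response; the JSESSIONID line in the sample is there to show that an application cookie without the attribute is expected, not a sign that the property failed to apply.
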
com.ibm.websphere.security.useLoggedSecurityName


This is a custom property of user registries. It alters how the WSCredential is constructed.

A setting of false indicates that the security name returned by the user registry is always used to construct the WSCredential.

A setting of true indicates that either a security name supplied by a login module or a display name supplied by the user registry is used. This setting is compatible with WebSphere Application Server Version 6.0.2 and earlier releases.

Default false

com.ibm.ws.security.unprotectedUserRegistryMethods

[Fix Pack 39 or later]

Specifies the method names on the UserRegistry interface, such as getRealm, getUsers, and isValidUser, that you do not want protected from remote access. If you specify multiple method names, separate the names with a space, a comma, a semicolon, or a separator bar (|). See your implementation of the UserRegistry interface for a complete list of valid method names.

If you specify an * as the value for this property, all methods are unprotected from remote access.

If a value is not specified for this property, all methods are protected from remote access.

If an attempt is made to remotely access a protected UserRegistry interface method, the remote process receives a CORBA NO_PERMISSION exception with minor code 49421098.

There is no default value for this property.
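
The rules above (unset means everything is protected, * means nothing is, and four different separators are accepted) are worth checking before a value goes into production. The following added example (not WebSphere code) interprets a property value under those rules and lists which methods it exposes to remote callers. Of the method names it uses, getRealm, getUsers and isValidUser come from this page; checkPassword is an assumed name included to show the effect of *, and the authoritative list is your UserRegistry implementation.

```python
"""Interpret a com.ibm.ws.security.unprotectedUserRegistryMethods value
(added example, not WebSphere code)."""
import re
from typing import List, Optional, Set, Union

# The page allows a space, comma, semicolon or separator bar between names.
SEPARATORS = re.compile(r"[ ,;|]+")

# Three names from the page plus checkPassword, an assumed name used only to
# make the demonstration concrete.
SAMPLE_METHODS = ["getRealm", "getUsers", "isValidUser", "checkPassword"]


def parse_unprotected(value: Optional[str]) -> Union[str, Set[str]]:
    """Return the set of unprotected method names, or "*" meaning all of them.

    An unset or blank value protects every method, as the page states.
    """
    if value is None or not value.strip():
        return set()
    if value.strip() == "*":
        return "*"
    return {tok for tok in SEPARATORS.split(value.strip()) if tok}


def is_remotely_protected(value: Optional[str], method: str) -> bool:
    """True if a remote call to this method should get CORBA NO_PERMISSION."""
    unprotected = parse_unprotected(value)
    if unprotected == "*":
        return False
    return method not in unprotected


def review(value: Optional[str], methods: List[str] = SAMPLE_METHODS) -> List[str]:
    """Sorted names of the methods a remote caller may invoke under this value."""
    return sorted(m for m in methods if not is_remotely_protected(value, m))


if __name__ == "__main__":
    for candidate in (None, "getRealm, getUsers;isValidUser", "getRealm | getUsers", "*"):
        print(repr(candidate), "->", review(candidate))
```

Unprotect only the methods a remote process genuinely needs; a value of * exposes the whole registry interface, not just the lookup methods named on this page.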

security.allowCustomHTTPMethods

[Fix Pack 35 or later]

Use this custom property to permit custom HTTP methods.

The security constraints for a Web module must specify standard HTTP methods, and a custom method cannot be one of the HTTP methods named in the security constraints. Because a custom method cannot be listed in a constraint, a constraint that names specific methods does not apply to requests that use it; a web-resource-collection with no http-method element constrains every method, including custom ones.

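Before permitting custom methods, it is worth knowing which methods on each protected path your constraints actually cover. The following added example (not WebSphere code) parses a constructed web.xml and answers "is this method on this path constrained?", using the Servlet rule that a web-resource-collection with http-method elements constrains only those methods while one without constrains all of them. Only exact and /* prefix URL patterns are implemented; the path names, role names and deployment descriptor are constructed.

```python
"""Find HTTP methods left unconstrained by a web module's security constraints
(added example, not WebSphere code)."""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

# Constructed deployment descriptor: /admin/* names GET and POST only,
# /reports/* lists no http-method and therefore covers every method.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin, GET and POST only</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports, all methods</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

NS = {"j": "http://java.sun.com/xml/ns/javaee"}


def url_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching for exact patterns and /* prefix patterns only."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def constraints(web_xml: str) -> List[Tuple[List[str], Set[str], List[str]]]:
    """Return (url patterns, constrained methods, roles) per resource collection.

    An empty method set means the collection constrains every method.
    """
    root = ET.fromstring(web_xml)
    result = []
    for sc in root.findall("j:security-constraint", NS):
        roles = [e.text.strip() for e in sc.findall("j:auth-constraint/j:role-name", NS)]
        for wrc in sc.findall("j:web-resource-collection", NS):
            patterns = [e.text.strip() for e in wrc.findall("j:url-pattern", NS)]
            methods = {e.text.strip().upper() for e in wrc.findall("j:http-method", NS)}
            result.append((patterns, methods, roles))
    return result


def is_constrained(web_xml: str, method: str, path: str) -> bool:
    """True if some security constraint applies to this method on this path."""
    for patterns, methods, _roles in constraints(web_xml):
        if any(url_matches(p, path) for p in patterns):
            if not methods or method.upper() in methods:
                return True
    return False


def unconstrained_methods(web_xml: str, path: str, methods: List[str]) -> List[str]:
    """The subset of methods that reach this path without any constraint."""
    return [m for m in methods if not is_constrained(web_xml, m, path)]


if __name__ == "__main__":
    probe = ["GET", "POST", "DELETE", "PURGE"]   # PURGE stands in for a custom method
    for path in ("/admin/users", "/reports/q1"):
        print(path, "unconstrained:", unconstrained_methods(SAMPLE_WEB_XML, path, probe))
```

The /admin/* collection is the shape to avoid once custom methods are permitted: a custom method such as the constructed PURGE reaches it with no role check, whereas the /reports/* collection, which lists no http-method, constrains it like any other.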
Related tasks
Enabling security for the realm
Related reference
Common Secure Interoperability Version 2 outbound authentication settings
System login configuration entry settings for Java Authentication and Authorization Service
Related information
Open Web Application Security Project (OWASP): HTTPOnly flag

Last updated: Aug 29, 2010 5:25:00 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-base-dist&topic=usec_seccustomprop
File name: usec_seccustomprop.html