5.7.5: SAS properties reference
The following describes the properties used in the configuration files
sas.client.properties and sas.server.properties. These files contain
lists of property-value pairs, using the syntax
<property>=<value>.
The property names are case sensitive, but the values are not; the
values are converted to lower case when the file is read.
Note: Secure Sockets Layer (SSL) settings are managed by the
administrative console. Any editing changes made to the following
properties in the sas.server.props file are overwritten at run time.
- com.ibm.CORBA.SSLKeyRing
- com.ibm.CORBA.SSLKeyRingPassword
- com.ibm.CORBA.SSLServerKeyRing
- com.ibm.CORBA.SSLServerKeyRingPassword
- com.ibm.CORBA.SSLClientKeyRing
- com.ibm.CORBA.SSLClientKeyRingPassword
In WebSphere Application Server version 4.0, some properties
do not appear in the sas.server.props file. Instead, these
properties must be configured by using the administrative console.
The entry for each property indicates how it can be modified.
Note: Corruption of the sas.server.props file might
cause the administrative server to fail to
start. The sas.server.props file
contains critical information for the administrative
server. Back up the sas.server.props
file regularly.
Authentication properties
- com.ibm.CORBA.authenticationTarget
- Specifies the mechanism for authenticating principals.
valid values: basicauth
default value: basicauth
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.loginUserid
- Holds the name of an authorized user of the user registry, used when the
loginSource property is specified as properties. The corresponding
password is stored in the loginPassword property.
valid values: a user name in the registry
default value: no default value
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.loginPassword
- Holds the password for the user named in the loginUserid property,
used when the loginSource property is specified as properties.
valid values: the password for the user named in the
loginUserid property
default value: no default value
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.principalName
- Specifies the principal under which the WebSphere administrative
server runs.
valid values: a user name in the registry
default value: no default value
client/server usage: sas.client.props only
- com.ibm.CORBA.loginSource
- Indicates the source for the user IDs and passwords.
valid values: stdin, key file, prompt, properties
default value: prompt
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.loginTimeout
- Specifies the length of time (in seconds) for which
the login window is displayed to a user for entering
login information (realm, user ID, password).
valid values: 0 to 600 (0 to 10 minutes)
default value: 300 (5 minutes)
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.keyFileName
- Specifies the file containing login information.
valid values: a valid, fully qualified path and filename
default value: No default value
client/server usage: sas.server.props only.
SSL Properties
For more information on configuring SSL, see
5.7.3: ORB SSL Configuration.
- com.ibm.CORBA.SSLClientKeyRing
- Specifies the class name for the SSL client keyring file,
for example, DummyKeyring.jks. This is the keyring
file used by a client for outbound SSL connections.
valid values: a class name for an SSL client keyring
default value: no default value, but a default
can be set during installation
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.SSLClientKeyRingPassword
- Sets the password for the SSL client keyring file.
valid values: a string
default value: WebAS
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.SSLServerKeyRing
- Specifies the class name for the SSL server keyring file,
for example, DummyKeyring.jks. This is the keyring
file used by the server for inbound SSL connections.
valid values: a class name for an SSL server keyring
default value: no default value, but a default
can be set during installation
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.SSLServerKeyRingPassword
- Sets the password for the SSL server keyring file.
valid values: a string
default value: WebAS
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.SSLKeyRing
- Specifies the default class name for the SSL keyring file
used by both the client and the server, for example,
DummyKeyring.jks.
valid values: a class name for an SSL keyring
default value: no default value, but a default
can be set during installation
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.SSLKeyRingPassword
- Sets the password for the SSL keyring file.
valid values: a string
default value: WebAS
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.SSLTypeIClientAssociationEnabled
- Specifies whether SSL Type I client association is enabled or not.
The value determines whether a server can accept SSL Type I
connections. SSL Type I connections authenticate only
the server using SSL.
valid values: false, no, true, yes
default value: true
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.SSLTypeIServerAssociationEnabled
- Specifies whether SSL Type I server association is enabled or not.
The value determines whether the server permits clients to make
SSL Type I server connections. SSL Type I connections authenticate
only the server using SSL.
valid values: false, no, true, yes
default value: true
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.standardClaimQOPModels
- Specifies the minimum level of security protection
required and supported by a server for inbound connections.
The actual level of protection used on a connection is
based on the server's minimum, but if the client is
prepared to provide a higher level and the server supports
it, the actual protection can exceed the server's stated
minimum requirement.
valid values: authenticity, confidentiality, integrity
default value: confidentiality
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.standardPerformQOPModels
- Specifies the level of security protection that a client, or a
server acting as a client, expects to perform on outbound connections.
The actual level of protection used on a connection is
based on the server's minimum, but if the client is
prepared to provide a higher level and the server supports
it, the actual protection can exceed the server's stated
minimum requirement.
valid values: authenticity, confidentiality, integrity
default value: confidentiality
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.SSLClientAuthentication
- Requires SSL client authentication from any client that attempts to
connect to the WebSphere Application Server over SSL. Once you enable
this property, connections to the application server from clients that
do not have an SSL certificate fail due to an SSL handshake failure.
Only trusted clients can connect to the WebSphere Application Server.
To enable this property, edit the sas.server.props file and add the following line:
com.ibm.CORBA.SSLClientAuthentication=true
After modifying the sas.server.props file, restart the administrative server.
valid values: true, false
Miscellaneous properties
- com.ibm.CORBA.securityEnabled
- Indicates whether security is enabled or not.
valid values: false, no, true, yes
default value: false
client/server usage: can be directly edited in the
sas.client.props file; the server-side value must be
set by using the administrative console
- com.ibm.CORBA.bootstrapRepositoryLocation
- Holds the full path of the bootstrap repository file, which
contains information about security properties needed during
the boot process.
valid values: the absolute path to the repository file
default value: <server_root>/etc/secbootstrap
client/server usage: sas.server.props only
Trace and message properties
- com.ibm.CORBA.securityDebug
- Specifies whether debugging messages are displayed on
the console or not.
valid values: console, false, no, true
default value: false
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.securityTraceLevel
- Determines the level of tracing provided.
valid values: none, basic, intermediate, advanced
- Trace level basic reports basic messages and is rarely used
- Trace level intermediate is typically used to troubleshoot long-run
problems to minimize tracing
- Trace level advanced is used in most cases for troubleshooting
default value: none
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.securityTraceOutput
- Determines the output file for SAS when file, fileappend, or both
are chosen for the output mode properties (securityActivityOutputMode,
securityErrorsOutputMode, securityExceptionsOutputMode, or
securityTraceOutputMode).
valid values: a valid path and file name in the file system.
default value: <server.root>/logs/sas.log
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.securityActivityOutputMode
- Determines where to direct activity messages.
valid values: none, file, fileappend, console, both
file: output goes to the destination set in the
com.ibm.CORBA.securityTraceOutput property
and a new file is created after each server restart.
fileappend: output goes to the destination in the
com.ibm.CORBA.securityTraceOutput property
and new output is appended after each server restart.
console: output is redirected to the standard
output stream.
both: output is redirected to both the standard
output stream and to the destination set in the
com.ibm.CORBA.securityTraceOutput property,
and a new file is created after each server restart.
none: no output occurs.
default value: file
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.securityErrorsOutputMode
- Determines where to direct error messages.
valid values: none, file, fileappend, console, both
(The values work as described for the
securityActivityOutputMode property.)
default value: both
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.securityExceptionsOutputMode
- Determines where to direct exception messages.
valid values: none, file, fileappend, console, both
(The values work as described for the
securityActivityOutputMode property.)
default value: file
client/server usage: sas.client.props and sas.server.props
- com.ibm.CORBA.securityTraceOutputMode
- Determines where to direct trace messages.
Client and server side.
valid values: none, file, fileappend, console, both
(The values work as described for the
securityActivityOutputMode property.)
default value: file
client/server usage: sas.client.props and sas.server.props
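
A configuration check built from the entries above, as an added example that is not part of the original InfoCenter page or of IBM's tooling: it reads a props file the way this page describes (case-sensitive names, values lower-cased) and lists properties left at a documented default or sample value. The function names, the sample file contents, and the treatment of DummyKeyring.jks as a non-production keyring are assumptions.

```python
P = "com.ibm.CORBA."
# Defaults as documented in the property entries on this page.
DEFAULTS = {P + "securityEnabled": "false", P + "loginSource": "prompt",
            P + "standardClaimQOPModels": "confidentiality"}

def parse_props(text):
    """Parse <property>=<value> lines: names stay case sensitive, values are lower-cased."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:  # skip blanks and comments
            name, value = line.split("=", 1)
            props[name.strip()] = value.strip().lower()
    return props

def audit(text, server=True):
    """Return the sorted short names of properties that weaken the configuration."""
    p = {**DEFAULTS, **parse_props(text)}
    weak = set()
    if p[P + "securityEnabled"] not in ("true", "yes"):
        weak.add("securityEnabled")          # security is off (the documented default)
    for name, value in p.items():
        short = name.rsplit(".", 1)[-1]
        if name.endswith("KeyRingPassword") and value == "webas":
            weak.add(short)                  # documented default password WebAS
        elif name.endswith("KeyRing") and "dummykeyring" in value:
            weak.add(short)                  # keyring from the page's examples (assumed sample)
    if p[P + "loginSource"] == "properties" and p.get(P + "loginPassword"):
        weak.add("loginPassword")            # password is kept in the properties file
    if p[P + "standardClaimQOPModels"] != "confidentiality":
        weak.add("standardClaimQOPModels")   # differs from the documented default
    if server and p.get(P + "SSLClientAuthentication") != "true":
        weak.add("SSLClientAuthentication")  # SSL client certificates are not required
    return sorted(weak)

# Constructed sample files, not taken from a real installation.
WEAK = """\
com.ibm.CORBA.securityEnabled=no
com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginPassword=constructed-example
com.ibm.CORBA.SSLKeyRing=DummyKeyring.jks
com.ibm.CORBA.SSLKeyRingPassword=WebAS
com.ibm.CORBA.standardClaimQOPModels=integrity"""
HARDENED = """\
com.ibm.CORBA.securityEnabled=true
com.ibm.CORBA.SSLKeyRing=ExampleSiteKeyring.jks
com.ibm.CORBA.SSLKeyRingPassword=constructed-value
com.ibm.CORBA.SSLClientAuthentication=true"""

print(audit(WEAK), audit(HARDENED))
```

Pass server=False when checking sas.client.props, since the SSLClientAuthentication entry above applies to sas.server.props. A property name written in the wrong case is not recognized, so the documented default is reported instead.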