Use this page to understand the predefined custom properties that are related to security.
To view this administrative console page, click Security > Secure administration, applications, and infrastructure > Custom properties. You can click New to add a new custom property and its associated value.
This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.
Default | REQUIRED |
This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.
Default | 5000 |
This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.
Default | false |
This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.
Default | J2EE=AUTHN=failure=enabled:J2EE=AUTHZ=failure=enabled |
This property completely disables the caller list and will not allow the caller list to change. This property prevents the creation of multiple sessions.
Default | false |
This property will not allow the caller list to change and thus prevent the creation of multiple session entries. This property specifically limits the caller list to the first caller only.
Default | false |
This property specifies the Java Authentication and Authorization Service (JAAS) login configuration that is used for Remote Method Invocation (RMI) requests that are received inbound.
By knowing the login configuration, you can plug in a custom login module that can handle specific cases for RMI logins.
Default | system.RMI_INBOUND |
This property defines the system JAAS login configuration that is used to perform application-specific principal mapping.
Default | None |
This property, when set to true, enables the application-specific principal mapping capability.
Default | false |
This property specifies the JAAS login configuration that is used for RMI requests that are sent outbound.
Primarily, this property prepares the propagated attributes in the Subject to be sent to the target server. However, you can plug in a custom login module to perform outbound mapping.
Default | system.RMI_OUTBOUND |
This property, when set to true, enables the original caller subject embedded in the WSSubjectWrapper object to be restored.
Default | false |
This property enables credentials that are authenticated in the current realm to be sent to any realm that is specified in the Trusted target realms field. The Trusted target realms field is available on the CSIv2 outbound authentication panel. This property enables those realms to perform inbound mapping of the data from the current realm.
Specifies that Federal Information Processing Standard (FIPS) algorithms are used. The application server uses the IBMJCEFIPS cryptographic provider instead of the IBMJCE cryptographic provider.
Default | false |
This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.
Default | J2EE=com.ibm.ws.security.audit.defaultAuditEventFactoryImpl |
This security property is used to customize the "from address" of certificate expiration notification e-mail.
The value that you assign to this property should be an internet address, for example "Notification@abc-company.com". If this property is not set, WebSphere uses its default e-mail fromAddress: "WebSphereNotification@ibm.com".
Default | None |
This security property is used to customize the text encoding character set for certificate expiration notification e-mail.
WebSphere Application Server sends certificate expiration notification e-mail in either US-English or the machine default character set (if a non-English locale is specified). If you want a different text encoding character set for the certificate expiration notification e-mail, use this property to customize it.
Default | None |
This property enables decoding of the DNQUALIFIER attribute in the X.500 distinguished name when set to true and only provides decoding of the standard X.500 distinguished name (as defined by RFC 2253) when set to false.
Default | false |
This property specifies whether (true) or not (false) the WebSphere Application Server uses the canonical form of the URL/HTTP host name in authenticating a client.
When the host name used by the client is not in canonical form, the following error message can occur: CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest. You can avoid this error message by setting this property to "true", which allows WebSphere Application Server to authenticate using the canonical form of the URL/HTTP host name.
Default | false |
This property sets a size limit for the WASPostParam cookies that are generated by the security code.
Default | none |
In this release, the actual LTPA token data is not available from a WSCredential.getCredentialToken() call when called from an asynchronous bean. For an existing configuration, you can add the com.ibm.ws.security.createTokenSubjectForAsynchLogin custom property with a true value to allow the LTPAToken to be forwarded to asynchronous beans. This property allows portlets to successfully perform LTPA token forwarding. Make sure that you enter this custom property name as indicated because it is case sensitive. You must restart your application server after you enable this custom property.
Default | not applicable |
This property is the JAAS login configuration that is used for logins that do not fall under the WEB_INBOUND, RMI_OUTBOUND, or RMI_INBOUND login configuration categories.
Internal authentication and protocols that do not have specific JAAS plug points call the system login configuration that is referenced by com.ibm.ws.security.defaultLoginConfig configuration.
Default | system.DEFAULT |
This property determines whether to send LtpaToken2 and LtpaToken cookies in the response to a Web request (interoperable).
When this property value is false, the application server sends only the new LtpaToken2 cookie, which is stronger but not interoperable with some other products and with Application Server releases prior to Version 5.1.1. In most cases, the old LtpaToken cookie is not needed and you can set this property to false.
Default | true |
This property determines the behavior of a single sign-on LtpaToken2 login.
When this property value is set to true, the token contains a custom cache key, and the custom Subject cannot be found, the token is used to log in directly because the custom information needs to be gathered again. A challenge occurs so that the user logs in again. When this property value is set to false and the custom Subject is not found, the LtpaToken2 is used to log in and gather all of the registry attributes. However, the token might not obtain any of the special attributes that downstream applications might expect.
Default | true |
This property is the JAAS login configuration that is used for Web requests that are received inbound.
By knowing the login configuration, you can plug in a custom login module that can handle specific cases for Web logins.
Default | system.WEB_INBOUND |
This property is used to enable a server to use the user identity for the z/OS started task as the server identity when calling transactional methods.
This property is used to enable a server to use the user identity for the z/OS started task as the server identity when calling transactional methods, such as commit(), and prepare(), that require the server identity. This behavior occurs regardless of the server identity setting for that server.
As an example, a server can be configured to use the automatically generated server identity, which is not the actual identity stored in a user repository. Furthermore, this server might need to communicate with CICS 3.2, and CICS 3.2 requires the use of System Authorization Facility (SAF) identities. If com.ibm.ws.security.zOS.useSAFidForTransaction is set to true, then the server uses a System Authorization Facility (SAF) identity to communicate with CICS instead of using the automatically generated identity.
Default | false |
This property determines whether a received LtpaToken2 cookie should search for the propagated attributes locally before searching the original login server that is specified in the token. After the propagated attributes are received, the Subject is regenerated and the custom attributes are preserved.
You can configure the data replication service (DRS) to send the propagated attributes to front-end servers such that a local dynacache lookup can find the propagated attributes. Otherwise, an MBean request is sent to the original login server to retrieve these attributes.
Default | true |
This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.
Default | DEFAULT = com.ibm.ws.security.audit.defaultAuditServiceProviderImpl |
This property specifies the Lightweight Third Party Authentication (LTPA) token factories that can be used to validate the LTPA tokens.
Validation occurs in the order in which the token factories are specified because LTPA tokens do not have object identifiers (OIDs) that specify the token type. The Application Server validates the tokens using each token factory in turn until validation is successful. The order that is specified for this property should be the most likely order of the received tokens. Specify multiple token factories by separating them with a pipe (|) without spaces before or after the pipe.
Default | com.ibm.ws.security.ltpa.LTPATokenFactory|com.ibm.ws.security.ltpa.LTPAToken2Factory|com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
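The ordered validation described above, modelled as an added example that is not WebSphere code: the factory class names are the page's defaults, while the token formats, the prefix-based stand-in factories and the attempt counting are constructed here to show why the property value should list the most likely token type first.

```python
"""Added example (not WebSphere code): ordered LTPA token validation across the
factories listed in com.ibm.ws.security.ltpa.tokenFactories."""
from typing import Callable, Optional

# Page default: entries are separated by '|' with no spaces around the pipe.
DEFAULT_TOKEN_FACTORIES = (
    "com.ibm.ws.security.ltpa.LTPATokenFactory|"
    "com.ibm.ws.security.ltpa.LTPAToken2Factory|"
    "com.ibm.ws.security.ltpa.AuthzPropTokenFactory"
)


def is_well_formed(value: str) -> bool:
    """True when every entry is non-empty and has no whitespace around the pipe."""
    return all(entry and entry == entry.strip() for entry in value.split("|"))


def parse_token_factories(value: str) -> list[str]:
    """Return the factory names in the order validation must try them."""
    if not is_well_formed(value):
        raise ValueError(f"malformed tokenFactories value: {value!r}")
    return value.split("|")


# Constructed stand-ins (assumption): each factory only recognizes tokens with
# its own constructed prefix. Real LTPA tokens are opaque and carry no OID, so
# the server has no cheaper way to pick a factory than trying them in order.
def _make_factory(prefix: bytes) -> Callable[[bytes], Optional[str]]:
    def validate(token: bytes) -> Optional[str]:
        if token.startswith(prefix + b":"):
            return token[len(prefix) + 1:].decode()  # constructed "principal"
        return None
    return validate


FACTORY_IMPLS = {
    "com.ibm.ws.security.ltpa.LTPATokenFactory": _make_factory(b"LTPA1"),
    "com.ibm.ws.security.ltpa.LTPAToken2Factory": _make_factory(b"LTPA2"),
    "com.ibm.ws.security.ltpa.AuthzPropTokenFactory": _make_factory(b"AUTHZ"),
}


def validate_in_order(token: bytes, property_value: str) -> tuple[Optional[str], int]:
    """Try each configured factory in order; return (successful factory, attempts).
    (None, n) means every factory rejected the token."""
    attempts = 0
    for name in parse_token_factories(property_value):
        attempts += 1
        if FACTORY_IMPLS[name](token) is not None:
            return name, attempts
    return None, attempts
```

Listing LTPAToken2Factory first cuts the work for the common LtpaToken2 case to a single attempt, while a token no factory accepts still costs one attempt per configured factory before it is rejected.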
This property specifies the implementation that is used for an authentication token in the attribute propagation framework. The property provides an old LTPA token implementation for use as the authentication token.
Default | com.ibm.ws.security.ltpa.LTPATokenFactory |
This property specifies the implementation that is used for an authorization token. This token factory encodes the authorization information.
Default | com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
This property specifies the implementation that is used for a propagation token. This token factory encodes the propagation token information.
The propagation token is on the thread of execution and is not associated with any specific user Subjects. The token follows the invocation downstream wherever the process leads.
Default | com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
This property specifies the implementation that is used for a Single Sign-on (SSO) token. This implementation is the cookie that is set when propagation is enabled regardless of the state of the com.ibm.ws.security.ssoInteropModeEnabled property.
By default, this implementation is the LtpaToken2 cookie.
Default | com.ibm.ws.security.ltpa.LTPAToken2Factory |
This property is no longer used. Instead, use WEB_INBOUND login configuration.
Default | true |
The NullDynamicPolicy.getPermissions method provides an option to delegate to a default policy class to construct a Permissions object when this custom property is set to true. When the security.useDefaultPolicyWhenJ2SDisabled custom property is set to false, an empty Permissions object is returned.
Default | false |
The com.ibm.websphere.security.ldap.groupDnSearchFilter property is used to override the distinguished name group search filter. The value of the property should be the search filter, for example: (objectClass=group)
Default | none |
Type | string |
The com.ibm.websphere.security.ldap.userDnSearchFilter property is used to override the distinguished name user search filter. The value of the property should be the search filter, for example: (objectClass=user)
Default | none |
Type | string |