Use this page to understand the predefined custom properties that are related to security.
To view this administrative console page, click New to add a new custom property and its associated value.
The custom properties in this topic are set in the administrative console through the previously listed path unless otherwise stated in the description.
This property only applies to the SMF Emitter implementation that IBM® provides for the Security Auditing feature. You can use this property to specify, in bytes, the length at which variable-length audit data is truncated. By default, if this custom property is not specified, and the threshold limit of 20480 is exceeded, variable-length audit data fields are truncated to 128 bytes.
The SMF relocation data has a threshold size limit of 20480 bytes. If the audit data exceeds this limit, the audit data is truncated to prevent the loss of audit records.
Information | Value |
---|---|
Default | 20480 |
Type | An integer between 1 and 512 |
Use this property to specify how much auditing data is recorded for each event type. If you only need to record basic information about an event, such as who did what action to what resource, and when, setting this property to high might improve your application server performance.
You can specify values of high, medium, or low for this property. The default value is low.
Event type | high setting | medium setting | low setting |
---|---|---|---|
SessionContext | sessionId | sessionId, remoteHost | sessionId, remoteHost, remoteAddr, remotePort |
PropagationContext (only reported if security attribute propagation (SAP) is enabled) | firstCaller (as part of the who) | firstCaller, and if verbose mode is enabled, the callerList | firstCaller, and if verbose mode is enabled, the callerList |
RegistryContext | nothing is recorded | registry type | registry type |
ProcessContext | nothing is recorded | realm | realm, and domain if verbose is enabled |
EventContext | creationTime | creationTime, globalInstanceId | creationTime, globalInstanceId, eventTrailId, and lastTrailId if verbose mode is enabled |
DelegationContext | identityName | delegationType, and identityName | delegationType, roleName, and identityName |
AuthnContext | nothing is recorded | authn type | authn type |
ProviderContext | nothing is recorded | provider | provider, and providerStatus |
AuthnMappingContext | mappedUserName | mappedUserName, and mappedSecurityRealm | mappedUserName, mappedSecurityRealm, and mappedSecurityDomain |
AuthnTermContext | terminateReason | terminateReason | terminateReason |
AccessContext | progName, action, appUserName, and resourceName | progName, action, appUserName, resourceName, registryUserName, and accessDecision | progName, action, appUserName, resourceName, registryUserName, accessDecision, resourceType, permissionsChecked, permissionsGranted, rolesChecked, and rolesGranted |
PolicyContext | nothing is recorded | policyName | policyName, and policyType |
KeyContext | keyLabel | keyLabel, and keyLocation | keyLabel, keyLocation, and certificateLifetime |
MgmtContext | nothing is recorded | mgmtType, and mgmtCommand | mgmtType, mgmtCommand, and targetInfoAttributes |
This property disables the caller list and does not allow the caller list to change. This property prevents the creation of multiple sessions.
Information | Value |
---|---|
Default | false |
This property allows local communication data to be used as authentication material for the CSIv2 transport layer when the user registry is not a LocalOS user registry.
When this property is set to true, the data retrieved from the local communication transport corresponds to the ASID of the local client connecting to a WebSphere® Application Server process. A user that corresponds to the ASID must exist in the user registry. When a WebSphere Application Server process receives a CSIv2 Establish Message, and an Identity Assertion is requested, the data retrieved from the local communication transport is used to validate that the client has permission to assert the user specified in the Identity Token in the Attribute Layer. If the user that the received ASID represents is in the Trusted Identities list on the CSIv2 Inbound Authentication page in the administrative console, then that ID is able to assert the Identity Token.
Information | Value |
---|---|
Default | false |
This property limits the caller list to the first caller only, which means the caller list cannot change. Setting this property to true eliminates the potential for the creation of multiple session entries.
This property logs the first caller in the propagation token that stays on the thread when security attribute propagation is enabled. Without setting this property, all caller switches get logged, which affects performance. Typically, only the first caller is of interest.
Information | Value |
---|---|
Default | false |
This property specifies the Java Authentication and Authorization Service (JAAS) login configuration that is used for Remote Method Invocation (RMI) requests that are received inbound.
By knowing the login configuration, you can plug in a custom login module that can handle specific cases for RMI logins.
Information | Value |
---|---|
Default | system.RMI_INBOUND |
This property defines the system JAAS login configuration that is used to perform application specific principal mapping.
Information | Value |
---|---|
Default | None |
This property, when set to true, enables the application specific principal mapping capability.
Information | Value |
---|---|
Default | false |
This property specifies the JAAS login configuration that is used for RMI requests that are sent outbound.
Primarily, this property prepares the propagated attributes in the Subject to be sent to the target server. However, you can plug in a custom login module to perform outbound mapping.
Information | Value |
---|---|
Default | system.RMI_OUTBOUND |
This property, when set to true, enables the original caller subject embedded in the WSSubjectWrapper object to be restored.
Information | Value |
---|---|
Default | false |
This property enables credentials that are authenticated in the current realm to be sent to any realm that is specified in the Trusted target realms field. The Trusted target realms field is available on the CSIv2 outbound authentication panel. This property enables those realms to perform inbound mapping of the data from the current realm.
This property can be set to true if you want the CosNamingRead role to protect all naming read operations. Setting this property to true is the equivalent of assigning the CosNamingRead role the Everyone special subject. When this property is set, any assignments made to the CosNamingRead role are ignored.
Information | Value |
---|---|
Default | none |
Specifies whether an 8-character limit for the user ID or password information is enforced when a local OS user registry is configured.
When this property is set to true, an 8-character limit for the user ID or password information is enforced when a local OS user registry is configured. If the user name or password that is specified during login contains more than eight characters, the login fails.
Information | Value |
---|---|
Default | false |
Determines whether System Authorization Facility (SAF) delegation can be used independently of SAF authorization. When this property is set to true, SAF delegation can be used whenever the user registry is a Federated Repository user registry, and is configured with a SAF user registry bridge.
There is no default value for this property.
This property can be used to override the value for the APPL profile, specifically for the two RACROUTE calls that are made during server startup. For these calls, the APPL value is not used for the authorization checking process, but is made available to the installation exit routine. The APPL profile value used for authorization checking is not controlled by this property; it is instead set to either CBS390 or the SAF profile prefix value.
Information | Value |
---|---|
Default | none |
This custom property specifies whether to use the APPL profile to restrict access to WebSphere Application Server.
If you have defined an SAF profile prefix, the APPL profile used is the profile prefix. Otherwise, the APPL profile name is CBS390. All of the z/OS® identities using WebSphere services should have READ permission to the APPL profile. This includes all WebSphere Application Server identities, WebSphere Application Server unauthenticated identities, WebSphere Application Server administrative identities, user IDs based on role-to-user mappings, and all user identities for system users. If the APPL class is not active on the z/OS system, then this property has no effect, regardless of its value.
Information | Value |
---|---|
Default | true |
Specifies that Federal Information Processing Standard (FIPS) algorithms are used. The application server uses the IBMJCEFIPS cryptographic provider instead of the IBMJCE cryptographic provider.
Information | Value |
---|---|
Default | false |
This security property is used to customize the "from address" of certificate expiration notification e-mail.
The value you assign to this property should be an internet address, such as "Notification@abc-company.com". If this property is not set, the application server uses the email fromAddress WebSphereNotification@ibm.com.
Information | Value |
---|---|
Default | None |
This security property is used to customize the text encoding character set for certificate expiration notification e-mail.
WebSphere Application Server sends notification e-mail for certificate expiration in either US-English or the machine default character set (if non-English locale is specified). If you want a different text encoding character set for the certificate expiration notification e-mail, you can use this property to customize the text encoding character set.
Information | Value |
---|---|
Default | None |
This property can be set when realm registry lookups are performed via an MBean on a remote server, and the realm is local OS security.
By default, the user registry tasks listRegistryUsers and listRegistryGroups perform lookups from the current process. In the case of Network Deployment (ND), that is the deployment manager.
When dealing with a local OS user registry, lookup should occur on the actual server where the registry resides. In an ND environment, the server could be a remote machine. To perform a lookup on the server process where the registry resides, set the com.ibm.websphere.lookupRegistryOnProcess custom property to true.
If com.ibm.websphere.lookupRegistryOnProcess is not set, or set to false, then the lookup is performed on the current process. The custom property can be set using the setAdminActiveSecuritySettings task for global security or the setAppActiveSecuritySettings task for a security domain.
When you are using application form login and logout, you can provide a URL for a custom logout page. By default, the URL must point to the host to which the request is made or to its domain. If this is not done, then a generic logout page is displayed rather than the custom logout page. If you want to be able to point to any host, then you need to set this property in the security.xml file to a value of true. Setting this property to true might open your systems to URL redirect attacks.
Information | Value |
---|---|
Default | false |
Use this property to indicate whether a cookie with the value WASReqURL is honored when the custom form login processor is used.
When this property is set to true, the value of WASReqURL takes precedence over the current URL, and the WASReqURL cookie is removed from subsequent requests.
When this property is set to false, the value of the current URL takes precedence, and the WASReqURL cookie is not removed from subsequent requests.
Information | Value |
---|---|
Default | false |
Specifies whether the data replication service (DRS) enables the DRSbootstrap function.
In high volume environments, dynamic cache data replication might increase the amount of time that it takes a server to start. If you experience slow server startups because of data replication, add this property to your server security settings and set it to false. When this property is set to false, the data replication service disables the DRSbootstrap function.
True is the default setting for this property.
This property is used to inherit the global trusted realm settings from the global security configuration in the domain.
Security configuration trusted inbound and outbound realms are not inherited by default. However, there are some cases where the configuration might want to use (inherit) the settings from the global security configuration in the domain.
The value of this property can be either true or false.
Use this property to improve the response time for large topology configurations.
When this property is set to true, the status of the SSL port endpoints does not display on the Manage endpoint security configurations page in the administrative console. Displaying the status of the SSL port endpoints sometimes makes the administrative console seem like it is no longer functioning because of a longer than expected response time.
Information | Value |
---|---|
Default | false |
Use this property to disable the outbound SOAP call to retrieve the subject from the originating server when Single Sign-On is enabled.
Typically, when Single Sign-On is enabled, and an inbound request needs to be authenticated, the receiving server attempts to retrieve the authentication from the originating server. The connection between the sending and receiving servers never times out during this callback process.
Information | Value |
---|---|
Default | false |
Use this property when the user provided by a TAI is not found in the user registry so that a login page is displayed instead of an error page.
When the user provided by a TAI is not found in the user registry, WebSphere Application Server displays an error page. To adjust this behavior, set this property to true. Then the login page is displayed. The default setting for this property is false and the normal behavior for WebSphere Application Server is to display an error page.
Information | Value |
---|---|
Default | false |
Default invocation order of Trust Association Interceptors (TAIs) in relation to Single Sign On (SSO) user authentication can be changed using this property. The default order is to invoke Trust Association Interceptors after SSO. This property is used to change the default order of TAI invocation with SSO. The property value is a comma (,) separated list of TAI class names to be invoked before SSO.
Information | Value |
---|---|
Default | none |
Type | string |
By default, when JAAS authentication data entries are created at the domain security level, the alias name for the entry is in the format aliasName. You can enable the addition of the node name to the alias name for the entry, giving the format nodeName/aliasName, by setting the following property at the domain security level.
You can set com.ibm.websphere.security.JAASAuthData.addNodeNameSecDomain=true at the global security level, to enable the addition of the node name to the alias name of JAAS authentication data entries for all security domains.
Information | Value |
---|---|
Default | false |
By default, when JAAS authentication data entries are created at the global security level, the alias name for the entry is in the format nodeName/aliasName. You can disable the addition of the node name to the alias name for the entry, by setting a value of true for this property at the global security level.
Information | Value |
---|---|
Default | false |
This custom property specifies whether the application server uses the canonical form of the URL/HTTP host name in authenticating a client. This property can be used for both SPNEGO TAI and SPNEGO Web. It relates to the following error message:
CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
If you set this custom property to true, you can avoid this error message and allow the application server to authenticate using the canonical form of the URL/HTTP host name.
Information | Value |
---|---|
Default | true |
This custom property enables you to change the name of the realm that is placed in the token.
This custom property enables you to configure each cell to have its own LDAP host for interoperability and backward compatibility. Also, it provides flexibility for adding or removing the LDAP host dynamically. If you are migrating a previous installation, this modified realm name does not take effect until administrative security is re-enabled. To be compatible with a previous release that does not support the logic realm, the name must be the same name that is used by the previous installation. You must use the LDAP host name, including a trailing colon and port number.
Information | Value |
---|---|
Type | String |
Use this property, when SSL is enabled on the LDAP server, to specify, in milliseconds, the maximum amount of time the Java Virtual Machine (JVM) waits for a socket connection before issuing a timeout.
If one or more standalone LDAP servers are offline when a server process starts, and LDAP-SSL is enabled, there might be a delay of up to three minutes in the startup procedure, even if you specify a value for the com.sun.jndi.ldap.connect.timeout custom property. When LDAP-SSL is enabled, any value specified for the com.sun.jndi.ldap.connect.timeout property is ignored.
When a value is specified for this property, the JVM tries to use this connection timeout value when attempting to complete a socket connection, instead of trying to establish a directory context. When no value is specified for this property, the JVM tries to establish a directory context.
There is no default value for this property.
When you are using application form login and logout, you can provide a URL for a custom logout page. By default, the URL must point to the host to which the request is made or to its domain. If this is not done, then a generic logout page is displayed rather than the custom logout page. If you need to point to a different host, then you can populate this property in the security.xml file with a pipe (|) separated list of URLs that are allowed for the logout page.
Information | Value |
---|---|
Default | none |
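As an added illustration (not IBM code), the host rule described for custom logout pages written as a Python check: a logout URL is accepted when it is relative, points to the request host or its domain, or appears in the pipe-separated allow list, while the any-host setting accepts everything, which is the URL redirect exposure the text warns about. Taking "domain" to mean everything after the first label of the request host is this example's assumption.

```python
from urllib.parse import urlsplit


def host_in_request_domain(request_host, target_host):
    """True when target_host is the request host itself or another host in
    its domain. 'Domain' is taken as everything after the first label of
    the request host (assumption made for this example)."""
    request_host = request_host.lower()
    target_host = target_host.lower()
    if target_host == request_host:
        return True
    _, sep, domain = request_host.partition(".")
    if not sep or not domain:
        return False
    return target_host == domain or target_host.endswith("." + domain)


def parse_allowed_logout_hosts(prop_value):
    """Turn the pipe-separated list of permitted logout page URLs into the
    set of lowercase host names those URLs point to."""
    hosts = set()
    for url in (prop_value or "").split("|"):
        host = urlsplit(url.strip()).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def logout_page_decision(request_host, logout_url, allowed_list="", allow_any_host=False):
    """Return (use_custom_page, reason) for a logout page URL. A False
    result means the generic logout page is shown instead."""
    host = urlsplit(logout_url).hostname
    if host is None:
        return True, "relative URL, stays on the request host"
    if allow_any_host:
        # Equivalent of the any-host setting being true: every host is
        # accepted, so a user-supplied logout URL to an outside host is
        # followed. That is the open redirect the description warns about.
        return True, "any host allowed (URL redirect risk)"
    if host_in_request_domain(request_host, host):
        return True, "request host or its domain"
    if host.lower() in parse_allowed_logout_hosts(allowed_list):
        return True, "host is on the allow list"
    return False, "not permitted; generic logout page is shown"


def review_logout_settings(allow_any_host, allowed_list=""):
    """Defender's view of the two settings: flag the risky combination and
    list exactly which outside hosts the allow list opens up."""
    findings = []
    if allow_any_host:
        findings.append("any-host setting is true: logout page can redirect to arbitrary hosts")
    hosts = sorted(parse_allowed_logout_hosts(allowed_list))
    if hosts:
        findings.append("allow-listed logout hosts: " + ", ".join(hosts))
    return findings
```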
This property is used to control the size of the alias cache.
The default value is 5000 and can be increased for larger deployments. You do not need to add this property unless your Job Manager topology exceeds 5000 registered nodes.
The value must be in the range 1 - N, where N is a valid positive integer that is greater than or equal to the number of nodes registered with the Job Manager.
Information | Value |
---|---|
Default | 5000 |
This property is used to set a unique path name whenever a WASReqURL cookie is generated.
A browser can hold multiple WASReqURL cookies as long as each cookie has a unique path name. When this property is set to true, a unique path name is set whenever a WASReqURL cookie is generated. Therefore, if you have more than one application that uses Form Login as a login method installed on the same application server, you should specify this property as one of your security settings for that application server, and set the property to true.
Information | Value |
---|---|
Default | false |
This property is used to ensure that a mapping from a Kerberos principal to a RACF ID is performed for SPNEGO web authentication.
If you do not add this property to your security settings, and set it to true, a mapping from a Kerberos principal to a RACF ID is not performed for SPNEGO web authentication.
Information | Value |
---|---|
Default | false |
Specifies whether credential expiration check occurs for a local Enterprise JavaBeans (EJB) call. Typically, when an EJB invokes another EJB that is located in a local machine, a direct method invocation occurs even if the credentials of the original invoker expire before the local EJB call occurs.
If this property is set to true, a credential expiration check occurs on a local EJB call before the EJB is invoked on the local machine. If the credentials have expired, the EJB call is rejected.
If this property is set to false, a credential expiration check does not occur for a local EJB call.
Information | Value |
---|---|
Default | false |
Use this property to specify the amount of time the receiving server waits for an outbound SOAP call to retrieve the proper authentication from the originating server when Single Sign-On is enabled.
There is no default value for this property. If no value is specified, the global SOAP timeout value is used as the timeout value for the SOAP connection.
This custom property of user registries alters the way WSCredential is constructed.
A setting of false indicates that the security name returned by a user registry is always used to construct WSCredential.
A setting of true indicates that either a security name that is supplied by a login module is used or a display name that was supplied by a user registry is used. This setting is compatible with WebSphere Application Server version 6.0.2 and older releases.
Information | Value |
---|---|
Default | false |
This property specifies the time in milliseconds that a CSIv2 session can remain idle before being deleted. The session is deleted if the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property is set to true, and the maximum size of the CSIv2 session cache is exceeded.
The range of values for this custom property is 60,000 to 86,400,000 milliseconds. By default, the value is not set.
This custom property specifies whether to limit the size of the CSIv2 session cache.
When you set this custom property value to true, you must set values for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime and com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom properties. When you set this custom property to false, the CSIv2 session cache is not limited. The default property value is false.
Consider setting this custom property to true if your environment uses Kerberos authentication and has a small clock skew for the configured key distribution center (KDC). In this scenario, a small clock skew is defined as less than 20 minutes.
This property specifies the maximum size of the session cache after which expired sessions are deleted from the cache.
Expired sessions are defined as sessions that are idle longer than the time that is specified by the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property. When you use the com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom property, consider setting its value between 100 and 1000 entries.
Consider specifying a value for this custom property if your environment uses Kerberos authentication and has a small clock skew for the configured key distribution center (KDC). In this scenario, a small clock skew is defined as less than 20 minutes. Consider increasing the value of this custom property if the small cache size causes the garbage collection to run so frequently that it impacts the performance of the application server.
This custom property only applies if you enable stateful sessions, set the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property to true, and set a value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property.
The range of values for this custom property is 100 to 1000 entries. By default, the value is not set.
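A small model of the idle-time and size rules for the CSIv2 session cache, added here as an illustration (not WebSphere code): validate_csiv2_cache_settings checks the three custom properties against the ranges and dependencies stated above, and Csiv2SessionCache evicts sessions idle longer than IdleTime only once the cache has grown past MaxSize. The injectable clock is an example convenience for testing without waiting.

```python
import time

LIMIT_PROP = "com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled"
IDLE_PROP = "com.ibm.websphere.security.util.csiv2SessionCacheIdleTime"
SIZE_PROP = "com.ibm.websphere.security.util.csiv2SessionCacheMaxSize"

IDLE_MIN_MS, IDLE_MAX_MS = 60_000, 86_400_000   # 1 minute to 24 hours
SIZE_MIN, SIZE_MAX = 100, 1_000                   # entries


def validate_csiv2_cache_settings(props):
    """Return a list of problems with the three csiv2SessionCache*
    properties (empty list means the combination is consistent)."""
    problems = []
    limit_enabled = str(props.get(LIMIT_PROP, "false")).lower() == "true"
    idle = props.get(IDLE_PROP)
    size = props.get(SIZE_PROP)
    if not limit_enabled:
        if idle is not None or size is not None:
            problems.append("IdleTime/MaxSize have no effect while LimitEnabled is false")
        return problems
    if idle is None:
        problems.append("LimitEnabled=true requires csiv2SessionCacheIdleTime")
    elif not IDLE_MIN_MS <= int(idle) <= IDLE_MAX_MS:
        problems.append("csiv2SessionCacheIdleTime outside 60,000-86,400,000 ms")
    if size is None:
        problems.append("LimitEnabled=true requires csiv2SessionCacheMaxSize")
    elif not SIZE_MIN <= int(size) <= SIZE_MAX:
        problems.append("csiv2SessionCacheMaxSize outside 100-1000 entries")
    return problems


class Csiv2SessionCache:
    """Sessions are only evicted when the cache exceeds max_size, and then
    only those idle longer than idle_ms, as the description states."""

    def __init__(self, idle_ms, max_size, clock=time.time):
        self.idle_ms = idle_ms
        self.max_size = max_size
        self.clock = clock
        self._last_used = {}  # session id -> last use, in milliseconds

    def _now_ms(self):
        return int(self.clock() * 1000)

    def touch(self, session_id):
        """Record activity on a session; trigger eviction past the limit."""
        self._last_used[session_id] = self._now_ms()
        if len(self._last_used) > self.max_size:
            return self._evict_expired()
        return 0

    def _evict_expired(self):
        now = self._now_ms()
        expired = [s for s, t in self._last_used.items() if now - t > self.idle_ms]
        for session_id in expired:
            del self._last_used[session_id]
        return len(expired)

    def __len__(self):
        return len(self._last_used)

    def __contains__(self, session_id):
        return session_id in self._last_used
```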
This property sets a size limit for WASPostParam cookies being generated by the security code.
Information | Value |
---|---|
Default | none |
This custom property enables you to specify whether a cached object is removed from the authentication cache and the dynamic cache when a form logout occurs. A form logout is a mechanism that enables a user to log out of an application without having to close all Web-browser sessions.
When this property is set to false, corresponding cached entries are not removed from the authentication cache and the dynamic cache when a form logout occurs. As a result, if the same user logs back in after a form logout, the cached object is reused.
When this property is set to true, the cached entries are removed from the authentication cache and the dynamic cache when a form logout occurs.
The default value is true.
This custom property specifies the cookie generation behavior for Lightweight Third Party Authentication (LTPA) tokens for inbound web resource requests.
When this property is true, the application server generates and sets an LTPAToken cookie for all successfully authenticated resource requests, regardless of whether the request is for protected or unprotected web resources. This behavior is different from the behavior in WebSphere Application Server Version 6.1 and can cause some applications developed for Version 6.1 not to work on later versions.
Set this property to false to generate an LTPAToken cookie only for protected web resources. This behavior is compatible with WebSphere Application Server Version 6.1.
The default value is true.
This custom property specifies whether WebSphere Application Server includes Elliptic Curve Cryptography (ECC) ciphers in the default cipher suite.
When this property is not set or is set to false, the application server includes ECC ciphers in the default cipher suite only if FIPS standard SP800-131a strict or Suite B is enabled. Set this property to true to include ECC ciphers in the default cipher suite. Set this property to noECC to not include ECC ciphers regardless of FIPS mode.
Information | Value |
---|---|
Default | false |
Type | string |
This custom property enables the retrieve from port function to retrieve a leaf certificate instead of the root certificate.
Retrieve from port should retrieve the leaf certificate instead of the root certificate. To get the leaf certificate, it is necessary to set the custom property com.ibm.websphere.ssl.retrieveLeafCert to true.
When this property is not set or is set to false, the retrieve from port function retrieves the root certificate. Set this property to true if you want the retrieve from port function to retrieve the leaf certificate instead of the root certificate.
Information | Value |
---|---|
Default | false |
Type | string |
This custom property enables you to set the HTTPOnly attribute for single sign-on (SSO) cookies.
You can use the com.ibm.ws.security.addHttpOnlyAttributeToCookies custom property to protect cookies that contain sensitive values. When you set this custom property value to true, the application server sets the HTTPOnly attribute for SSO cookies whose values are set by the server. The HTTPOnly attribute enables the protection of sensitive values in cookies.
Also, a true value enables the application server to properly recognize, accept, and process inbound cookies with HTTPOnly attributes and inhibit any cross-site scripting from accessing sensitive cookie information.
A common security problem, which impacts Web servers, is cross-site scripting. Cross-site scripting is a server-side vulnerability that is often created when user input is rendered as HTML. Cross-site scripting attacks can expose sensitive information about the users of the Web site. Most modern Web browsers honor the HTTPOnly attribute to prevent this attack. A cookie with this attribute is called an HTTPOnly cookie. Information that exists in an HTTPOnly cookie is less likely to be disclosed to a hacker or a malicious Web site. For more information about the HTTPOnly attribute, see the Open Web Application Security Project (OWASP) Web site.
Information | Value |
---|---|
Default | false |
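Added example (not WebSphere code): a check over Set-Cookie response headers that flags LTPA SSO cookies lacking the HTTPOnly attribute and lists which cookies a page script could read through document.cookie. The header lines are constructed samples; LtpaToken and LtpaToken2 are the SSO cookie names used on this page.

```python
# SSO cookie names the server sets for LTPA single sign-on.
SSO_COOKIE_NAMES = {"LtpaToken", "LtpaToken2"}

# Constructed sample Set-Cookie header values, as a response scanner sees them.
SAMPLE_SET_COOKIE = [
    "LtpaToken2=AAECAwQFBgcICQoL; Path=/; Domain=.example.com",
    "JSESSIONID=0000ABCDEF:1a2b3c; Path=/; HttpOnly",
    "prefs=dark; Path=/",
    "LtpaToken=AAECAwQFBgcICQoL; Path=/; Domain=.example.com; HttpOnly",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes). Attribute
    names are lower-cased; flag attributes such as HttpOnly map to True."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def sso_cookies_missing_httponly(set_cookie_headers):
    """Names of SSO cookies set without HttpOnly, the condition the
    addHttpOnlyAttributeToCookies property is meant to remove."""
    found = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in SSO_COOKIE_NAMES and "httponly" not in attrs:
            found.append(name)
    return found


def script_readable_cookies(set_cookie_headers):
    """Cookies a browser exposes to page scripts: every cookie except those
    carrying HttpOnly. An SSO token in this list is what a cross-site
    scripting flaw could disclose."""
    readable = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            readable.append(name)
    return readable
```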
This property specifies whether the non-admin security roles are allowed to modify the security.xml file. Setting this property to true gives non-admin security roles the ability to modify the security.xml file. In Version 6.1 and later, by default, non-admin security roles have the ability to modify the security.xml file.
Information | Value |
---|---|
Default | false |
Type | Boolean |
In this release, the actual LTPA token data is not available from a WSCredential.getCredentialToken() call when called from an asynchronous bean. For an existing configuration, you can add the com.ibm.ws.security.createTokenSubjectForAsynchLogin custom property and a true value to allow the LTPAToken to be forwarded to asynchronous beans. This property allows portlets to successfully perform LTPA token forwarding. This custom property is case sensitive. You must restart the application server after you add this custom property.
Information | Value |
---|---|
Default | not applicable |
Specifies whether the object request broker (ORB) is checked for properties. This property needs to be set as a system property. Set this property to true or yes so that the ORB is checked for properties. For any other setting, the ORB is completely ignored.
This property is to be used when a pluggable application client connects to the WebSphere Application Server. Specifically, this property is used whenever a hashmap containing security properties is passed on a new InitialContext(env) call.
This property is the JAAS login configuration that is used for logins that do not fall under the WEB_INBOUND, RMI_OUTBOUND, or RMI_INBOUND login configuration categories.
Internal authentication and protocols that do not have specific JAAS plug points call the system login configuration that is referenced by com.ibm.ws.security.defaultLoginConfig configuration.
Information | Value |
---|---|
Default | system.DEFAULT |
Use the com.ibm.ws.security.failSSODuringCushion custom property to update custom JAAS Subject data for the LTPA token.
When this custom property is set to true, new JAAS Subjects might not contain the custom JAAS Subject data.
The default value is false.
Starting with Version 7.0.0.13, the default value for this property is true.
Use the com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA custom property to correct an "invalid library name" error when you attempt to use a PKCS11 type keystore with a Java client.
Also, use this custom property if you are using the IBMJCECCA provider because distributed and z/OS operating systems use different provider types for hardware cryptography.
The ssl.client.props file points to a configuration file, which in turn, points to the library name for the cryptographic device. The code for the Java client looks for a keystore type for the correct provider name. Without this custom property, the keystore type constant for PKCS11 is not specified correctly as it references the IBMPKCS11Impl provider instead. Also, the Lightweight Third Party Authentication (LTPA) code uses the provider list to determine the Java Cryptography Extension (JCE) provider. This approach causes a problem when Secure Sockets Layer (SSL) acceleration is attempted because the IBMPKCS11Impl provider needs to be listed before the IBMJCE provider within the java.security file.
This custom property corrects both issues so that SSL and other cryptographic mechanisms can use hardware acceleration.
Set this custom property to true when you want to use a PKCS11 type keystore with a Java client.
Information | Value |
---|---|
Default | false |
Use this property to improve the CPU utilization during the sign() operation that occurs when a new LTPA2 (SSO) token is created. When this property is set to true, the product implements the Chinese Remainder Theorem (CRT) algorithm when signing the new token. This property has no effect on the old style LTPA token.
Information | Value |
---|---|
Default | false |
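To show what the CRT setting changes, here is an added toy RSA signer (not the LTPA implementation) that computes the same signature once with a single exponentiation by the full private exponent and once with the CRT split across p and q; the results are identical, and the CRT path works with exponents roughly half the size. The primes and the SHA-256 reduction are constructed for this example, not real LTPA key parameters or padding.

```python
import hashlib
from math import gcd

# Toy RSA key from two known Mersenne primes (constructed; real LTPA keys are
# far larger and use proper signature padding, which this example omits).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
if gcd(E, PHI) != 1:
    raise ValueError("public exponent is not invertible for these primes")
D = pow(E, -1, PHI)           # private exponent (Python 3.8+ modular inverse)

# CRT parameters, precomputed once per key as an RSA implementation would.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)          # q^-1 mod p, used to recombine the halves


def token_digest(token_bytes):
    """Reduce the token's SHA-256 digest below N (toy stand-in for padding)."""
    return int.from_bytes(hashlib.sha256(token_bytes).digest(), "big") % N


def sign_plain(token_bytes):
    """One exponentiation with the full private exponent modulo N."""
    return pow(token_digest(token_bytes), D, N)


def sign_crt(token_bytes):
    """Two half-size exponentiations modulo p and q, recombined with
    Garner's formula. Same signature, far fewer multiplications."""
    m = token_digest(token_bytes)
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    h = (QINV * (s_p - s_q)) % P
    return s_q + h * Q


def verify(token_bytes, signature):
    """Public-key check; identical for both signing paths."""
    return pow(signature, E, N) == token_digest(token_bytes)


def exponent_sizes():
    """Bit lengths that show why CRT is cheaper: (full d, dP, dQ)."""
    return D.bit_length(), DP.bit_length(), DQ.bit_length()
```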
Use this property to disable the mechanism that is typically used to check the expiration of a token for asynchronous beans that are created using a version of the product that does not include the Feature Pack for Web Services.
That mechanism does not work for asynchronous beans that are created using a version of the product that includes the Feature Pack for Web Services. If it is used to check the expiration of a token for such a bean, a TokenExpirationException occurs.
A different mechanism is provided with the Feature Pack for Web Services that successfully checks token expiration for both types of asynchronous beans. However, you must set this property to true to make the product use this other mechanism. Setting this property to true disables the mechanism that is typically used for asynchronous beans created using a version of the product that does not include the Feature Pack for Web Services.
Default | false |
This property determines whether to send LtpaToken2 and LtpaToken cookies in the response to a Web request (interoperable).
When this property value is false, the application server just sends the new LtpaToken2 cookie which is stronger, but not interoperable with some other products and WebSphere Application Server releases prior to Version 5.1.1. In most cases, the old LtpaToken cookie is not needed, and you can set this property to false.
Default | true |
Specifies the method names on the UserRegistry interface, such as getRealm, getUsers, and isValidUser, that you do not want protected from remote access. If you specify multiple method names, separate the names with a space, a comma, a semicolon, or a separator bar (|). See your implementation of the UserRegistry interface for a complete list of valid method names.
If you specify an asterisk (*) as the value for this property, all methods are unprotected from remote access. If no value is specified for this property, all methods are protected from remote access.
If an attempt is made to remotely access a protected UserRegistry interface method, the remote process receives a CORBA NO_PERMISSION exception with minor code 49421098.
There is no default value for this property.
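The rules above (mixed separators, the asterisk wildcard, and the all-protected default when the property is unset) are small but easy to get wrong in a review. The following added example, which is not WebSphere code, models them so that a configuration value can be checked offline: it parses the property value, answers whether a given UserRegistry method is remotely callable, and raises an exception carrying the NO_PERMISSION minor code the page gives. The method and property values are constructed for the example.

```python
import re

# Minor code the page states a remote caller receives on a protected method.
NO_PERMISSION_MINOR_CODE = 49421098

# Separators the page allows: space, comma, semicolon, separator bar.
_SEPARATORS = re.compile(r"[\s,;|]+")


class RemoteAccessDenied(Exception):
    """Stands in for the CORBA NO_PERMISSION exception the remote process receives."""

    def __init__(self, method: str):
        super().__init__(f"NO_PERMISSION (minor code {NO_PERMISSION_MINOR_CODE}) on {method}")
        self.method = method
        self.minor_code = NO_PERMISSION_MINOR_CODE


def parse_unprotected_methods(value):
    """Return the set of method names the property leaves unprotected.

    None or an empty/blank value means the property is unset: everything stays protected.
    An asterisk anywhere in the list unprotects every method.
    """
    if value is None or not value.strip():
        return set()
    return {name for name in _SEPARATORS.split(value.strip()) if name}


def is_remotely_allowed(method: str, unprotected: set) -> bool:
    """True if a remote process may call `method` on the UserRegistry."""
    return "*" in unprotected or method in unprotected


def check_remote_call(method: str, unprotected: set) -> bool:
    """Raise RemoteAccessDenied for a protected method; return True otherwise."""
    if not is_remotely_allowed(method, unprotected):
        raise RemoteAccessDenied(method)
    return True


def wildcard_warning(unprotected: set):
    """Review aid: flag an over-broad value. Returns None when nothing is wrong."""
    if "*" in unprotected:
        return "all UserRegistry methods are remotely callable; list explicit method names instead"
    return None


if __name__ == "__main__":
    # Constructed property value mixing every allowed separator.
    allowed = parse_unprotected_methods("getRealm, getUsers;isValidUser | getGroups")
    print(sorted(allowed))
    print(check_remote_call("getRealm", allowed))
    try:
        check_remote_call("createUser", allowed)   # constructed method name, not in the list
    except RemoteAccessDenied as exc:
        print("denied:", exc, "minor code", exc.minor_code)
    print(wildcard_warning(parse_unprotected_methods("*")))
```

The wildcard_warning helper is the check to run against a server's configuration: an asterisk is convenient during development but exposes every registry method to any remote process that can reach the server.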
This property determines the behavior of a single sign-on LtpaToken2 login.
When this property is set to true, and the token contains a custom cache key but the custom Subject cannot be found, the token is used to log in directly, because the custom information must be regathered, and a challenge also occurs so that the user is required to log in again. When this property is set to false and the custom Subject is not found, the LtpaToken2 is used to log in and gather all of the registry attributes; however, the resulting Subject might lack the special attributes that downstream applications expect.
Default | true |
This property is the JAAS login configuration that is used for Web requests that are received inbound.
By knowing the login configuration, you can plug in a custom login module that can handle specific cases for Web logins.
Default | system.WEB_INBOUND |
This property determines whether, for a received LtpaToken2 cookie, the server searches for the propagated attributes locally before querying the original login server that is specified in the token. After the propagated attributes are received, the Subject is regenerated and the custom attributes are preserved.
You can configure the data replication service (DRS) to send the propagated attributes to front-end servers so that a local dynamic cache lookup can find the propagated attributes. Otherwise, an MBean request is sent to the original login server to retrieve these attributes.
Default | true |
This property is used to enable a server to use the user identity for the z/OS started task as the server identity when calling transactional methods, such as commit(), and prepare(), that require the server identity. This behavior occurs regardless of the server identity setting for that server.
As an example, a server can be configured to use the automatically generated server identity, which is not the actual identity stored in a user repository. Furthermore, this server might need to communicate with CICS® 3.2, and CICS 3.2 requires the use of System Authorization Facility (SAF) identities. If com.ibm.ws.security.zOS.useSAFidForTransaction is set to true, then the server uses a SAF identity to communicate with CICS instead of using the automatically generated identity.
Default | false |
This property specifies the Lightweight Third Party Authentication (LTPA) token factories that can be used to validate the LTPA tokens.
Validation is attempted in the order in which the token factories are specified, because LTPA tokens carry no object identifiers (OIDs) that identify the token type. The application server tries each token factory in turn until validation succeeds, so list the factories in the order in which the corresponding token types are most likely to be received. Specify multiple token factories by separating them with a pipe (|) with no spaces before or after the pipe.
Default | com.ibm.ws.security.ltpa.LTPATokenFactory|com.ibm.ws.security.ltpa.LTPAToken2Factory|com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
This property specifies the implementation that is used for an authentication token in the attribute propagation framework. The property provides an old LTPA token implementation for use as the authentication token.
Default | com.ibm.ws.security.ltpa.LTPATokenFactory |
This property specifies the implementation that is used for an authorization token. This token factory encodes the authorization information.
Default | com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
This property specifies the implementation that is used for a propagation token. This token factory encodes the propagation token information.
The propagation token is on the thread of execution and is not associated with any specific user Subjects. The token follows the invocation downstream flow wherever the process leads.
Default | com.ibm.ws.security.ltpa.AuthzPropTokenFactory |
This property specifies the implementation that is used for a Single Sign-on (SSO) token. This implementation is the cookie that is set when propagation is enabled regardless of the state of the com.ibm.ws.security.ssoInteropModeEnabled property.
By default, this implementation is the LtpaToken2 cookie.
Default | com.ibm.ws.security.ltpa.LTPAToken2Factory |
Use this property to specify how you want the system to handle authentication for a request after the Kerberos token for the request expires.
When this property is set to true, if a Kerberos token cannot be refreshed after it expires, authentication for the request fails.
When this property is set to false, authentication for the request does not fail even if the token has expired.
The default value for this property is false.
Use this custom property to permit custom HTTP methods.
The security constraints for a Web module must specify standard HTTP methods, and a custom method listed in this property cannot be one of the HTTP methods named in those security constraints. Note that a security constraint that lists explicit http-method elements covers only those methods; a custom method permitted here is not protected by such a constraint unless the constraint omits the http-method elements altogether.
This property is no longer used. Instead, use the WEB_INBOUND login configuration.
Default | true |
The NullDynamicPolicy.getPermissions method provides an option to delegate a default policy class to construct a Permissions object when this property is set to true. When this property is set to false, an empty Permissions object is returned.
Default | false |
This security property is used to plug in a custom UserMapping class. If this value is set at the security top level to the custom user mapping class name, it is used to customize certificate user mapping, identity assertion user mapping, or both. You must place the JAR file that includes the custom class in WAS_HOME/lib/ext.