
5.7.5: SAS properties reference

The following describes the properties used in the configuration files sas.client.properties and sas.server.properties. These files contain lists of property-value pairs, using the syntax <property>=<value>.

The property names are case sensitive, but the values are not; the values are converted to lower case when the file is read.

Note: Secure Sockets Layer (SSL) settings are managed by the administrative console. Any editing changes made to the following properties in the sas.server.props file are overwritten at run time.

  • com.ibm.CORBA.SSLKeyRing
  • com.ibm.CORBA.SSLKeyRingPassword
  • com.ibm.CORBA.SSLServerKeyRing
  • com.ibm.CORBA.SSLServerKeyRingPassword
  • com.ibm.CORBA.SSLClientKeyRing
  • com.ibm.CORBA.SSLClientKeyRingPassword

In WebSphere Application Server version 4.0, some properties do not appear in the sas.server.props file. Instead, these properties must be configured by using the administrative console. The entry for each property indicates how it can be modified.

Note: Corruption of the sas.server.props file might cause the administrative server to fail to start. The sas.server.props file contains critical information for the administrative server. Back up the sas.server.props file regularly.

Authentication properties

com.ibm.CORBA.authenticationTarget
Specifies the mechanism for authenticating principals.

valid values: basicauth

default value: basicauth

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.loginUserid
Holds the name of an authorized user of the user registry, used when the loginSource property is specified as properties. The corresponding password is stored in the loginPassword property.

valid values: a user name in the registry

default value: no default value

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.loginPassword
Holds the password for the user named in the loginUserid property, used when the loginSource property is specified as properties.

valid values: the password for the user named in the loginUserid property

default value: no default value

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.principalName
Specifies the principal under which the WebSphere administrative server runs.

valid values: a user name in the registry

default value: no default value

client/server usage: sas.client.props only

com.ibm.CORBA.loginSource
Indicates the source for the user IDs and passwords.

valid values: stdin, key file, prompt, properties

default value: prompt

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.loginTimeout
Specifies the length of time (in seconds) for which the login window is displayed to a user for entering login information (realm, user ID, password).

valid values: 0 to 600 (0 to 10 minutes)

default value: 300 (5 minutes)

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.keyFileName
Specifies the file containing login information.

valid values: a valid, fully qualified path and filename

default value: no default value

client/server usage: sas.server.props only

SSL Properties

For more information on configuring SSL, see 5.7.3: ORB SSL Configuration.

com.ibm.CORBA.SSLClientKeyRing
Specifies the class name for the SSL client keyring file, for example, DummyKeyring.jks. This is the keyring file used by a client for outbound SSL connections.

valid values: a class name for an SSL client keyring

default value: no default value, but a default can be set during installation

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.SSLClientKeyRingPassword
Sets the password for the SSL client keyring file.

valid values: a string

default value: WebAS

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.SSLServerKeyRing
Specifies the class name for the SSL server keyring file, for example, DummyKeyring.jks. This is the keyring file used by the server for inbound SSL connections.

valid values: a class name for an SSL server keyring

default value: no default value, but a default can be set during installation

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.SSLServerKeyRingPassword
Sets the password for the SSL server keyring file.

valid values: a string

default value: WebAS

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.SSLKeyRing
Specifies the default class name for the SSL keyring file used by both the client and the server, for example, DummyKeyring.jks.

valid values: a class name for an SSL keyring

default value: no default value, but a default can be set during installation

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.SSLKeyRingPassword
Sets the password for the SSL keyring file.

valid values: a string

default value: WebAS

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.SSLTypeIClientAssociationEnabled
Specifies whether SSL Type I client association is enabled or not. The value determines whether a server can accept SSL Type I connections. SSL Type I connections authenticate only the server using SSL.

valid values: false, no, true, yes

default value: true

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.SSLTypeIServerAssociationEnabled
Specifies whether SSL Type I server association is enabled or not. The value determines whether the server permits clients to make SSL Type I server connections. SSL Type I connections authenticate only the server using SSL.

valid values: false, no, true, yes

default value: true

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.standardClaimQOPModels
Specifies the minimum level of security protection required and supported by a server for inbound connections. The actual level of protection used on a connection is based on the server's minimum, but if the client is prepared to provide a higher level and the server supports it, the actual protection can exceed the server's stated minimum requirement.

valid values: authenticity, confidentiality, integrity

default value: confidentiality

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.standardPerformQOPModels
Specifies the level of security protection that a client, or a server acting as a client, expects to perform on outbound connections. The actual level of protection used on a connection is based on the server's minimum, but if the client is prepared to provide a higher level and the server supports it, the actual protection can exceed the server's stated minimum requirement.

valid values: authenticity, confidentiality, integrity

default value: confidentiality

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.SSLClientAuthentication

Requires SSL client authentication from any client that attempts to connect to the WebSphere Application Server over SSL. Once you enable this property, connections to the application server from clients that do not have an SSL certificate fail due to an SSL handshake failure. Only trusted clients can connect to the WebSphere Application Server.

To enable this property, edit the sas.server.props file and add the following line:

com.ibm.CORBA.SSLClientAuthentication=true

After modifying the sas.server.props file, restart the administrative server.

valid values: true, false

Miscellaneous properties

com.ibm.CORBA.securityEnabled
Indicates whether security is enabled or not.

valid values: false, no, true, yes

default value: false

client/server usage: can be directly edited in the sas.client.props file; the server-side value must be set by using the administrative console

com.ibm.CORBA.bootstrapRepositoryLocation
Holds the full path of the bootstrap repository file, which contains information about security properties needed during the boot process.

valid values: the absolute path to the repository file

default value: <server_root>/etc/secbootstrap

client/server usage: sas.server.props only

Trace and message properties

com.ibm.CORBA.securityDebug
Specifies whether debugging messages are displayed on the console or not.

valid values: console, false, no, true

default value: false

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.securityTraceLevel
Determines the level of tracing provided.

valid values: none, basic, intermediate, advanced

  • Trace level basic reports basic messages and is rarely used
  • Trace level intermediate is typically used to troubleshoot long-running problems, because it minimizes the amount of tracing
  • Trace level advanced is used in most cases for troubleshooting

default value: none

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.securityTraceOutput
Determines the output file for SAS when file, fileappend, or both are chosen for the output mode properties (securityActivityOutputMode, securityErrorsOutputMode, securityExceptionsOutputMode, or securityTraceOutputMode).

valid values: a valid path and file name in the file system.

default value: <server.root>/logs/sas.log

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.securityActivityOutputMode
Determines where to direct activity messages.

valid values: none, file, fileappend, console, both

  • file: output goes to the destination set in the com.ibm.CORBA.securityTraceOutput property and a new file is created after each server restart.
  • fileappend: output goes to the destination in the com.ibm.CORBA.securityTraceOutput property and new output is appended after each server restart.
  • console: output is redirected to the standard output stream.
  • both: output is redirected to both the standard output stream and to the destination set in the com.ibm.CORBA.securityTraceOutput property, and a new file is created after each server restart.
  • none: no output occurs.

default value: file

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.securityErrorsOutputMode
Determines where to direct error messages.

valid values: none, file, fileappend, console, both
(The values work as described for the securityActivityOutputMode property.)

default value: both

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.securityExceptionsOutputMode
Determines where to direct exception messages.

valid values: none, file, fileappend, console, both
(The values work as described for the securityActivityOutputMode property.)

default value: file

client/server usage: sas.client.props and sas.server.props

com.ibm.CORBA.securityTraceOutputMode
Determines where to direct trace messages, on both the client side and the server side.

valid values: none, file, fileappend, console, both
(The values work as described for the securityActivityOutputMode property.)

default value: file

client/server usage: sas.client.props and sas.server.props
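
The following audit script is an added example, not part of the original IBM reference. It reads a properties file using the rules above (case-sensitive names, lowercased values, documented defaults) and reports security disabled, a QOP model below confidentiality, a keyring password left at the documented default WebAS, and a login password stored in the file. The function names, the findings wording, the '#' comment handling and the sample content are assumptions made for the example.

```python
PREFIX = "com.ibm.CORBA."
QOP = {"authenticity", "confidentiality", "integrity"}
# Valid values and defaults as listed in the reference above.
VALID = {"securityEnabled": {"false", "no", "true", "yes"},
         "standardClaimQOPModels": QOP, "standardPerformQOPModels": QOP,
         "loginSource": {"stdin", "key file", "prompt", "properties"}}
DEFAULTS = {"securityEnabled": "false", "standardClaimQOPModels": "confidentiality",
            "standardPerformQOPModels": "confidentiality", "loginSource": "prompt"}

def parse_props(text):
    """Parse <property>=<value> lines; names keep case, values are lowercased."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        # Assumption: '#' starts a comment line, as in Java properties files.
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        props[name.strip()] = value.strip().lower()
    return props

def audit(text):
    """Return (property, finding) pairs for invalid or weak settings."""
    props = parse_props(text)
    findings = []
    for key, allowed in VALID.items():
        value = props.get(PREFIX + key, DEFAULTS[key])  # absent -> documented default
        if value not in allowed:
            findings.append((key, "not a documented valid value"))
        elif key == "securityEnabled" and value in ("false", "no"):
            findings.append((key, "security is disabled"))
        elif allowed is QOP and value != "confidentiality":
            findings.append((key, "protection below confidentiality"))
    for name, value in props.items():
        if name.startswith(PREFIX) and name.endswith("KeyRingPassword") and value == "webas":
            findings.append((name[len(PREFIX):], "documented default password in use"))
    if (props.get(PREFIX + "loginSource") == "properties"
            and props.get(PREFIX + "loginPassword")):
        findings.append(("loginPassword", "password stored in the file"))
    return findings

# Constructed sample sas.client.props content (not from a real system).
SAMPLE = """\
com.ibm.CORBA.loginSource=properties
com.ibm.CORBA.loginPassword=example-only
com.ibm.CORBA.SSLClientKeyRingPassword=WebAS
com.ibm.CORBA.standardPerformQOPModels=Integrity
com.ibm.corba.standardClaimQOPModels=authenticity
"""
```

In the sample, the last line uses a wrongly cased property name, so it is not recognized and standardClaimQOPModels keeps its default; securityEnabled is absent and is reported through its default of false.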
