Security custom properties

Use this page to understand the predefined custom properties that are related to security.

To view this administrative console page, click Security > Secure administration, applications, and infrastructure > Custom properties. You can click New to add a new custom property and its associated value.

com.ibm.audit.auditPolicy

This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.

Default REQUIRED

com.ibm.audit.auditQueueSize

This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.

Default 5000

com.ibm.audit.auditServiceEnabled

This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.

Default false

com.ibm.audit.auditSpecification

This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.

Default J2EE=AUTHN=failure=enabled:J2EE=AUTHZ=failure=enabled

com.ibm.CSI.disablePropagationCallerList

This property completely disables the caller list and will not allow the caller list to change. This property prevents the creation of multiple sessions.

This property completely disables adding a caller or host list in the propagation token. Setting this property can be a benefit when the caller or host list in the propagation token is not needed in the environment.
Note: If this property is set to true as well as com.ibm.CSI.propagateFirstCallerOnly, then com.ibm.CSI.disablePropagationCallerList takes precedence.
Default false

com.ibm.CSI.propagateFirstCallerOnly

This property will not allow the caller list to change and thus prevent the creation of multiple session entries. This property specifically limits the caller list to the first caller only.

This property logs the first caller in the propagation token that stays on the thread when security attribute propagation is enabled. Without setting this property, all caller switches get logged, which affects performance. Typically, only the first caller is of interest.
Note: If this property is set to true as well as com.ibm.CSI.disablePropagationCallerList, then com.ibm.CSI.disablePropagationCallerList takes precedence.
Default false

com.ibm.CSI.rmiInboundLoginConfig

This property specifies the Java Authentication and Authorization Service (JAAS) login configuration that is used for Remote Method Invocation (RMI) requests that are received inbound.

By knowing the login configuration, you can plug in a custom login module that can handle specific cases for RMI logins.

Default system.RMI_INBOUND

com.ibm.CSI.rmiOutboundLoginConfig

This property specifies the JAAS login configuration that is used for RMI requests that are sent outbound.

Primarily, this property prepares the propagated attributes in the Subject to be sent to the target server. However, you can plug in a custom login module to perform outbound mapping.

Default system.RMI_OUTBOUND

com.ibm.CSI.supportedTargetRealms

This property enables credentials that are authenticated in the current realm to be sent to any realm that is specified in the Trusted target realms field. The Trusted target realms field is available on the CSIv2 outbound authentication panel. This property enables those realms to perform inbound mapping of the data from the current realm.

You should not send authentication information to an unknown realm; this property provides a way to specify which alternate realms are trusted. To access the CSIv2 outbound authentication panel, complete the following steps:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under RMI/IIOP security, click CSIv2 outbound authentication.

com.ibm.websphere.security.auth.setDRSBootstrap

[Fix Pack 45 or later]

Specifies whether the data replication service (DRS) enables the DRSbootstrap function.

In high volume environments, dynamic cache data replication might increase the amount of time that it takes a server to start. If you experience slow server startups because of data replication, add this property to your server security settings and set it to false. When this property is set to false, the data replication service disables the DRSbootstrap function.

True is the default setting for this property.

com.ibm.websphere.security.registry.ldap.performIdMap

Specifies that the user name credentials will always be filtered based on the User ID Map in the administrative console. This custom property assumes that you have an LDAP user registry.

When you log into the administrative console, the application server creates a user name that is stored in a credential. This user name is displayed and represents the user. The application server calls the getUserDisplayName() method to create the user name, and this API takes into account the User ID Map that is configured in the administrative console. The application server provides the User ID Map filter so you can customize the way the user name is created.

If you have Trust Association Interceptor (TAI) configured, TAI creates the user name instead of the application server. When you create this custom property and set the value to true, TAI will also be able to use the User ID Map filter that is configured in the application server.

Default false

com.ibm.security.useFIPS

Specifies that Federal Information Processing Standard (FIPS) algorithms are used. The application server uses the IBMJCEFIPS cryptographic provider instead of the IBMJCE cryptographic provider.

Default false

com.ibm.ssl.disableEmptyCertificateExpirationNotification

[Fix Pack 27 or later]

Use this property to specify whether the Certificate Expiration Monitoring tool sends its configured notifications when no certificate is about to expire or within the Expiration notification threshold. Setting this property to true suppresses those notifications in that case.

The default value for this property is false.

com.ibm.websphere.crypto.config.certexp.notify.fromAddress

This security property is used to customize the "from address" of certificate expiration notification e-mail.

The value that you assign to this property should be an Internet e-mail address, for example "Notification@abc-company.com". If this property is not set, WebSphere uses its default from address: "WebSphereNotification@ibm.com".

Default None

com.ibm.websphere.crypto.config.certexp.notify.textEncoding

This security property is used to customize the text encoding character set for certificate expiration notification e-mail.

WebSphere Application Server sends notification e-mail for certificate expiration in either US-English or the machine default character set (if non-English locale is specified). If you want a different text encoding character set for the certificate expiration notification e-mail, you can use this property to customize the text encoding character set.

Default None

com.ibm.websphere.security.alwaysRestoreOriginalURL

[Fix Pack 31 or later]

Use this property to indicate whether a cookie with the value WASReqURL is honored when the custom form login processor is used.

When this property is set to true, the value of WASReqURL takes precedence over the current URL, and the WASReqURL cookie is removed from subsequent requests.

When this property is set to false, the value of the current URL takes precedence, and the WASReqURL cookie is not removed from subsequent requests.

Default false

com.ibm.websphere.security.audit.auditEventFactory

This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.

Default J2EE=com.ibm.ws.security.audit.defaultAuditEventFactoryImpl

com.ibm.websphere.security.console.noSSLTreePortEndpoints

[Fix Pack 23 or later]

This property is used to improve the response time for large topology configurations.

When this property is set to true, the status of the SSL port endpoints does not display on the Manage endpoint security configurations page in the administrative console. Displaying the status of the SSL port endpoints sometimes makes the administrative console seem like it is no longer functioning because of a longer than expected response time.

Avoid trouble: Do not use this property unless you are running on Version 6.1.0.23, or later.
Default false

com.ibm.websphere.security.disableGetTokenFromMBean

[Fix Pack 37 or later]

Use this property to disable the outbound SOAP call to retrieve the subject from the originating server when Single Sign-On is enabled.

Typically, when Single Sign-On is enabled, and an inbound request needs to be authenticated, the receiving server attempts to retrieve the authentication from the originating server. The connection between the sending and receiving servers never times out during this callback process.

When this property is set to true, the receiving server does not attempt to authenticate the inbound request.
Default false

com.ibm.websphere.security.expandX500ExtendedAttribute

This property enables decoding of the DNQUALIFIER attribute in the X.500 distinguished name when set to true and only provides decoding of the standard X.500 distinguished name (as defined by RFC 2253) when set to false. Restart the server after you change this value.

Default false

com.ibm.websphere.security.InvokeTAIbeforeSSO

Default invocation order of Trust Association Interceptors (TAIs) in relation to Single Sign On (SSO) user authentication can be changed using this property. The default order is to invoke Trust Association Interceptors after SSO. This property is used to change the default order of TAI invocation with SSO. The property value is a comma (,) separated list of TAI class names to be invoked before SSO.

Default none
Type string
Note: WebSphere Application Server Version 6.1.0.0 has a different default invocation order, the default behavior is TAI before SSO. The default invocation order for Version 6.1.0.1 and later is SSO before TAI.

com.ibm.websphere.security.krb.canonical_host

This property specifies whether (true) or not (false) the WebSphere Application Server uses the canonical form of the URL/HTTP host name in authenticating a client.

If this property is set to “false”, a Kerberos ticket can contain a host name that differs from the HTTP host name header. An error can occur as follows:
CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest
You can avoid an error message by setting this property to “true” and allowing WebSphere Application Server to authenticate using the canonical form of the URL/HTTP host name.
Default false

com.ibm.websphere.security.ldap.groupDnSearchFilter

The com.ibm.websphere.security.ldap.groupDnSearchFilter property is used to overwrite the distinguished name group search filter. The value of the property should be the search filter, for example: (objectClass=group)

Default none
Type string

com.ibm.websphere.security.ldap.logicRealm

This custom property enables you to change the name of the realm that is placed in the token.

This custom property enables you to configure each cell to have its own LDAP host for interoperability and backward compatibility. Also, it provides flexibility for adding or removing the LDAP host dynamically. If you are migrating a previous installation, this modified realm name does not take effect until administrative security is re-enabled. To be compatible with a previous release that does not support the logic realm, the name must be the same name that is used by the previous installation. You must use the LDAP host name, including a trailing colon and port number.

Type String
[Updated in May 2011] This property must be set as the custom property of a stand-alone LDAP registry. To set this custom property, in the administrative console:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under User account repository, expand the Available realm definitions list, and select Standalone LDAP registry, and then click Configure.
  3. Under Additional Properties, click Custom properties > New , and then enter com.ibm.websphere.security.ldap.logicRealm in the Name field, and the new name of the realm that is placed in the token in the Value field.
  4. Click Apply or OK.

com.ibm.websphere.security.ldap.userDnSearchFilter

The com.ibm.websphere.security.ldap.userDnSearchFilter property is used to overwrite the distinguished name user search filter. The value of the property should be the search filter, for example: (objectClass=user)

Default none
Type string

com.ibm.websphere.security.strictCredentialExpirationCheck

[Fix Pack 31 or later]

Specifies whether credential expiration check occurs for a local EJB call. Typically, when an EJB invokes another EJB that is located in a local machine, a direct method invocation occurs even if the credentials of the original invoker expire before the local EJB call occurs.

If this property is set to true, a credential expiration check occurs on a local EJB call before the EJB is invoked on the local machine. If the credentials have expired, the EJB call is rejected.

If this property is set to false, a credential expiration check does not occur for a local EJB call.

Default false

com.ibm.websphere.security.tokenFromMBeanSoapTimeout

[Fix Pack 37 or later]

Use this property to specify the amount of time the receiving server waits for an outbound SOAP call to retrieve the proper authentication from the originating server when Single Sign-On is enabled.

There is no default value for this property. If no value is specified, the global SOAP timeout value is used as the timeout value for the SOAP connection.

com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled

[Fix Pack 29 or later]

This custom property specifies whether to limit the size of the CSIv2 session cache.

When you set this custom property value to true, you must set values for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime and com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom properties. When you set this custom property to false, the CSIv2 session cache is not limited. The default property value is false.

Important: This custom property only applies if you enable stateful sessions.

com.ibm.websphere.security.util.csiv2SessionCacheMaxSize

[Fix Pack 29 or later]

This property specifies the maximum size of the session cache after which expired sessions are deleted from the cache. Expired sessions are defined as sessions that are idle longer than the time that is specified by the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property.

Consider increasing the value of this custom property if a small cache size causes the garbage collection to run so frequently that it impacts the performance of the application server.

The range of values for this custom property is 100 to 1000 entries. By default, a value is not set.

This custom property only applies if you enable stateful sessions, enable the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property, and set a value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property.

com.ibm.websphere.security.util.csiv2SessionCacheIdleTime

[Fix Pack 29 or later]

This property specifies the time in milliseconds that a CSIv2 session can remain idle before being deleted. The session is deleted if the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property is set to a true value and the maximum size of the CSIv2 session cache is exceeded.

With a small value for the com.ibm.websphere.security.util.csiv2SessionCacheIdleTime custom property, the application server can clean out rejected sessions more frequently and potentially reduce resource shortages.

The range of values for this custom property is 60,000 to 86,400,000 milliseconds. By default, a value is not set.

This custom property only applies if you enable stateful sessions, enable the com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled custom property, and set a value for the com.ibm.websphere.security.util.csiv2SessionCacheMaxSize custom property.

com.ibm.websphere.security.web.removeCacheOnFormLogout

[Fix Pack 43 or later]

This custom property enables you to specify whether a cached object is removed from the authentication cache and the dynamic cache when a form logout occurs. A form logout is a mechanism that enables a user to log out of an application without having to close all Web-browser sessions.

When this property is set to false, corresponding cached entries are not removed from the authentication cache and the dynamic cache when a form logout occurs. As a result, if the same user logs back in after a form logout, the cached object is reused.

Avoid trouble: Because the original cached object was created during a previous login session, the expiration time for the object might be shorter than the configured timeout value.

When this property is set to true, the cached entries are removed from the authentication cache and the dynamic cache when a form logout occurs.

The default value is true.

com.ibm.ws.security.addHttpOnlyAttributeToCookies

[Fix Pack 29 or later]

This custom property enables you to set the HTTPOnly attribute for single sign-on (SSO) cookies.

You can use the com.ibm.ws.security.addHttpOnlyAttributeToCookies custom property to protect cookies that contain sensitive values. When you set this custom property value to true, the application server sets the secure and HTTPOnly attribute for SSO cookies whose values are set by the server. Also, a true value enables the application server to properly recognize, accept, and process inbound cookies with HTTPOnly attributes and inhibit any cross-site scripting from accessing sensitive cookie information.

A common security problem, which impacts Web servers, is cross-site scripting. Cross-site scripting is a server-side vulnerability that is often created when user input is rendered as HTML. Cross-site scripting attacks can expose sensitive information about the users of the Web site. Most modern Web browsers honor the HTTPOnly attribute to prevent this attack. A cookie with this attribute is called an HTTPOnly cookie. Information that exists in an HTTPOnly cookie is less likely to be disclosed to a hacker or a malicious Web site. For more information about the HTTPOnly attribute, see the Open Web Application Security Project (OWASP) Web site.

Important: When you use this custom property, the HTTPOnly attribute is not added to every cookie that passes through the application server. Also, the attribute is not added to other non-secure cookies that are created by the application server. A list of non-HTTPOnly cookies includes:
Default false
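As an added example (not IBM's code or tooling), the following script audits a cell's security custom properties against the rules this page states for the three CSIv2 session cache properties and for the HTTPOnly SSO cookie and interop settings. It assumes the properties are read from a security.xml export as <properties name="..." value="..."/> elements; the XML document embedded in it is constructed for the demonstration.

```python
"""Audit WebSphere security custom properties against the rules stated on this page.

Added example, not IBM code. Assumes the custom properties appear in a
security.xml export as <properties name="..." value="..."/> elements.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the CSIv2 cache limit is enabled, but one companion
# property is out of range and the other is missing; SSO cookies are sent
# without HTTPOnly, and the older LtpaToken cookie is still sent.
SAMPLE_SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmlns:xmi="http://www.omg.org/XMI" xmi:id="Security_1" enabled="true">
  <properties xmi:id="Property_1" name="com.ibm.websphere.security.util.csiv2SessionCacheLimitEnabled" value="true"/>
  <properties xmi:id="Property_2" name="com.ibm.websphere.security.util.csiv2SessionCacheMaxSize" value="50"/>
  <properties xmi:id="Property_3" name="com.ibm.ws.security.addHttpOnlyAttributeToCookies" value="false"/>
  <properties xmi:id="Property_4" name="com.ibm.ws.security.ssoInteropModeEnabled" value="true"/>
</security:Security>
"""

PFX = "com.ibm.websphere.security.util."
LIMIT_ENABLED = PFX + "csiv2SessionCacheLimitEnabled"
MAX_SIZE = PFX + "csiv2SessionCacheMaxSize"
IDLE_TIME = PFX + "csiv2SessionCacheIdleTime"
HTTPONLY = "com.ibm.ws.security.addHttpOnlyAttributeToCookies"
INTEROP = "com.ibm.ws.security.ssoInteropModeEnabled"

# Value ranges as documented for the two cache properties.
MAX_SIZE_RANGE = (100, 1000)            # entries
IDLE_TIME_RANGE = (60_000, 86_400_000)  # milliseconds


def load_custom_properties(xml_text):
    """Return {name: value} for every <properties> element, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    props = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "properties" and "name" in el.attrib:
            props[el.attrib["name"]] = el.attrib.get("value", "")
    return props


def is_true(props, name, default="false"):
    """Boolean view of a property, using the documented default when it is absent."""
    return props.get(name, default).strip().lower() == "true"


def check_int_range(props, name, lo, hi, findings):
    """Record a finding if the property is absent, non-numeric, or outside [lo, hi]."""
    raw = props.get(name)
    if raw is None:
        findings.append(f"{name}: missing")
        return
    try:
        val = int(raw)
    except ValueError:
        findings.append(f"{name}: not an integer: {raw!r}")
        return
    if not lo <= val <= hi:
        findings.append(f"{name}: {val} outside {lo}..{hi}")


def audit(props):
    """Return a sorted list of findings; an empty list means the settings are consistent."""
    findings = []
    if is_true(props, LIMIT_ENABLED):
        # Enabling the limit requires both companion properties, each within range.
        check_int_range(props, MAX_SIZE, *MAX_SIZE_RANGE, findings)
        check_int_range(props, IDLE_TIME, *IDLE_TIME_RANGE, findings)
    elif MAX_SIZE in props or IDLE_TIME in props:
        findings.append(f"{LIMIT_ENABLED} is not true; cache size and idle settings have no effect")
    if not is_true(props, HTTPONLY):
        findings.append(f"{HTTPONLY}: not true; SSO cookies are sent without the secure and HTTPOnly attributes")
    if is_true(props, INTEROP, default="true"):  # page default is true
        findings.append(f"{INTEROP}: true; the older LtpaToken cookie is also sent (set to false if not needed)")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(load_custom_properties(SAMPLE_SECURITY_XML)):
        print("FINDING:", line)
```

The script only checks the properties themselves; whether CSIv2 stateful sessions are enabled must still be verified in the CSIv2 configuration, since the cache properties have no effect without it.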

com.ibm.ws.security.createTokenSubjectForAsynchLogin

In this release, the actual LTPA token data is not available from a WSCredential.getCredentialToken() call when called from an asynchronous bean. For an existing configuration, you can add the com.ibm.ws.security.createTokenSubjectForAsynchLogin custom property with a true value to allow the LTPAToken to be forwarded to asynchronous beans. This property allows portlets to successfully perform LTPA token forwarding. Make sure that you enter this custom property name as indicated because it is case sensitive. You must restart your application server after you enable this custom property.

Note: This custom property applies only to system conditions where Server A makes EJB calls from asynchronous beans to Server B. This property does not apply for JAAS login situations.
Default not applicable

com.ibm.ws.security.defaultLoginConfig

This property is the JAAS login configuration that is used for logins that do not fall under the WEB_INBOUND, RMI_OUTBOUND, or RMI_INBOUND login configuration categories.

Internal authentication and protocols that do not have specific JAAS plug points call the system login configuration that is referenced by com.ibm.ws.security.defaultLoginConfig configuration.

Default system.DEFAULT

com.ibm.ws.security.failSSODuringCushion

[Fix Pack 29 or later]

Use the com.ibm.ws.security.failSSODuringCushion custom property to update custom JAAS Subject data for the LTPA token.

When you do not set this custom property to true, new JAAS Subjects might not contain the custom JAAS Subject data.

When this custom property is set to true, new JAAS Subjects contain the custom JAAS Subject data.

The default value is false.

Starting with Version 6.1.0.35, the default value for this property is true.

com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA

[Fix Pack 11 or later]

Use the com.ibm.ws.security.ltpa.forceSoftwareJCEProviderForLTPA custom property to correct an "invalid library name" error when you attempt to use a PKCS11 type keystore with a Java client.

The ssl.client.props file points to a configuration file, which in turn, points to the library name for the cryptographic device. The code for the Java client looks for a keystore type for the correct provider name. Without this custom property, the keystore type constant for PKCS11 is not specified correctly as it references the IBMPKCS11Impl provider instead. Also, the Lightweight Third Party Authentication (LTPA) code uses the provider list to determine the Java Cryptography Extension (JCE) provider. This approach causes a problem when Secure Sockets Layer (SSL) acceleration is attempted because the IBMPKCS11Impl provider needs to be listed before the IBMJCE provider within the java.security file.

This custom property corrects both issues so that SSL and other cryptographic mechanisms can use hardware acceleration.

Avoid trouble: LTPA cannot use hardware acceleration because the software keys for LTPA do not implement the java.security.interfaces.RSAPrivateCrtKey interface, which is required by many accelerator cards.

Set this custom property to true when you want to use a PKCS11 type keystore with a Java client.

Default false

com.ibm.ws.security.ltpa.useCRT

[Fix Pack 35 or later]

Use this property to improve the CPU utilization during the sign() operation that occurs when a new LTPA2 (SSO) token is created. When this property is set to true, the product implements the Chinese Remainder Theorem (CRT) algorithm when signing the new token. This property has no effect on the old style LTPA token.

Default false

com.ibm.ws.security.spnego.SPNx.hostName

[Fix Pack 27 or later]

Specifies the actual host name to which the application server can resolve an alias host name for SPNEGO single sign-on. You can then dynamically add or modify an alias name in the DNS without changing the application server's configuration.

For more information on how to use this custom property, read the topic on using an alias host name for SPNEGO TAI authentication.

com.ibm.ws.security.ssoInteropModeEnabled

This property determines whether to send LtpaToken2 and LtpaToken cookies in the response to a Web request (interoperable).

When this property value is false, the application server just sends the new LtpaToken2 cookie which is stronger, but not interoperable with some other products and Application Server releases prior to Version 5.1.1. In most cases, the old LtpaToken cookie is not needed and you can set this property to false.

Default true

com.ibm.websphere.security.useLoggedSecurityName

This is a custom property of user registries. This property alters the behavior of creating WSCredential.

A setting of false indicates that the security name returned by a user registry is always used to construct WSCredential.

A setting of true indicates that either a security name that is supplied by a login module is used or a display name that was supplied by a user registry is used. This setting is compatible with WebSphere Application Server version 6.0.2 and older releases.

Default false

com.ibm.ws.security.unprotectedUserRegistryMethods

[Fix Pack 29 or later]

Specifies the method names on the UserRegistry interface, such as getRealm, getUsers, and isValidUser, that you do not want protected from remote access. If you specify multiple method names, separate the names with a space, a comma, a semicolon, or a vertical bar. See your implementation of the UserRegistry interface file for a complete list of valid method names.

If you specify an asterisk (*) as the value for this property, all methods are unprotected from remote access.

If a value is not specified for this property, all methods are protected from remote access.

If an attempt is made to remotely access a protected UserRegistry interface method, the remote process receives a CORBA NO_PERMISSION exception with minor code 49421098.

There is no default value for this property.

com.ibm.ws.security.webChallengeIfCustomSubjectNotFound

This property determines the behavior of a single sign-on LtpaToken2 login.

When this property value is set to true, the token contains a custom cache key, and the custom Subject cannot be found, the token is not used to log in directly, because the custom information needs to be gathered again; a challenge occurs so that the user must log in again. When this property value is set to false and the custom Subject is not found, the LtpaToken2 is used to log in and gather all of the registry attributes. However, the token might not obtain any of the special attributes that downstream applications might expect.

Default true

com.ibm.ws.security.webInboundLoginConfig

This property is the JAAS login configuration that is used for Web requests that are received inbound.

By knowing the login configuration, you can plug in a custom login module that can handle specific cases for Web logins.

Default system.WEB_INBOUND

com.ibm.ws.security.webInboundPropagationEnabled

This property determines whether a received LtpaToken2 cookie should search for the propagated attributes locally before searching the original login server that is specified in the token. After the propagated attributes are received, the Subject is regenerated and the custom attributes are preserved.

Default true

com.ibm.wsspi.security.audit.auditServiceProvider

This property is used by the auditing service that was introduced as a technical preview in Version 6. The auditing functionality is not available. Do not modify this property.

Default DEFAULT = com.ibm.ws.security.audit.defaultAuditServiceProviderImpl

com.ibm.wsspi.security.ltpa.tokenFactory

This property specifies the Lightweight Third Party Authentication (LTPA) token factories that can be used to validate the LTPA tokens.

Validation occurs in the order in which the token factories are specified because LTPA tokens do not have object identifiers (OIDs) that specify the token type. The Application Server validates the tokens using each token factory until validation is successful. The order that is specified for this property is the most likely order of the received tokens. Specify multiple token factories by separating them with a pipe (|) without spaces before or following the pipe.

Default com.ibm.ws.security.ltpa.LTPATokenFactory | com.ibm.ws.security.ltpa.LTPAToken2Factory | com.ibm.ws.security.ltpa.AuthzPropTokenFactory

com.ibm.wsspi.security.token.authenticationTokenFactory

This property specifies the implementation that is used for an authentication token in the attribute propagation framework. The property provides an old LTPA token implementation for use as the authentication token.

Default com.ibm.ws.security.ltpa.LTPATokenFactory

com.ibm.wsspi.security.token.authorizationTokenFactory

This property specifies the implementation that is used for an authorization token. This token factory encodes the authorization information.

Default com.ibm.ws.security.ltpa.AuthzPropTokenFactory

com.ibm.wsspi.security.token.propagationTokenFactory

This property specifies the implementation that is used for a propagation token. This token factory encodes the propagation token information.

The propagation token is on the thread of execution and is not associated with any specific user Subjects. The token follows the invocation downstream wherever the process leads.

Default com.ibm.ws.security.ltpa.AuthzPropTokenFactory

com.ibm.wsspi.security.token.singleSignonTokenFactory

This property specifies the implementation that is used for a Single Sign-on (SSO) token. This implementation is the cookie that is set when propagation is enabled regardless of the state of the com.ibm.ws.security.ssoInteropModeEnabled property.

By default, this implementation is the LtpaToken2 cookie.

Default com.ibm.ws.security.ltpa.LTPAToken2Factory

IbmPKIX custom properties

The IbmPKIX trust manager is enabled in WebSphere® Application Server by default. The IbmPKIX trust manager allows certificate revocation checking to occur. The following custom properties are available to be used with the IbmPKIX trust manager:

com.ibm.jsse2.checkRevocation

This property configures revocation checking for the Java Virtual Machine (JVM). The default value is false, because the default WebSphere certificates used for SSL communication do not contain certificate revocation list (CRL) distribution points or Online Certificate Status Protocol (OCSP) information.

com.ibm.security.enableCRLDP

This property configures CRL distribution point checking for the PKIX trust manager. The default value is false.
Note: If you enable CRL distribution point revocation checking, the certificates used for secure sockets layer (SSL) must contain a valid distribution point and the distribution point must be accessible or else SSL communication will fail and the server will not function correctly.

For certificates that do not contain an internal CRL distribution point, the following properties can be used so that the revocation status is checked against a remote LDAP server that contains the CRL.

com.ibm.security.ldap.certstore.host

This property specifies the LDAP server host name containing trusted certificates or certificate revocation lists. The target LDAP server host is used to obtain CA certificates or certificate revocation lists when validating a certificate and the local truststore does not contain the required certificate. The local truststore must contain the required certificates if an LDAP server is not specified. In cases when an LDAP server is used, the root CA certificates must also be located in the local truststore as the LDAP server is not a trusted certificate store.
Note: Enabling this property in addition to the com.ibm.jsse2.checkRevocation property enables revocation checking. The remote LDAP server must contain a valid certificate revocation list and the server must be accessible. If the revocation status cannot be determined then the check will fail and SSL communication will fail and the server will not function correctly.

The default value is none.

com.ibm.security.ldap.certstore.port

This property specifies the LDAP server port. If no LDAP server port is specified, port 389 is used. The default value is 389.

security.allowCustomHTTPMethods

[Fix Pack 25 or later]

Use this custom property to permit custom HTTP methods.

The security constraints for a Web module must specify standard HTTP methods and the custom property cannot be one of the HTTP methods in the security constraints.

security.enablePluggableAuthentication

This property is no longer used. Instead, use WEB_INBOUND login configuration.

Complete the following steps to modify the WEB_INBOUND login configuration:
  1. Click Security > Secure administration, applications, and infrastructure.
  2. Under Java Authentication and Authorization Service, click System logins.
Default true

security.useDefaultPolicyWhenJ2SDisabled

The NullDynamicPolicy.getPermissions method provides an option to delegate to a default policy class to construct a Permissions object when this custom property is set to true. When the security.useDefaultPolicyWhenJ2SDisabled custom property is set to false, an empty Permissions object is returned.

Default false

WAS_customUserMappingImpl

This security property is used to plug in a custom UserMapping class. If this value is set at the security top level with the custom user mapping class name, it is used for customizing certificate user mapping and/or identity assertion user mapping. You must place the JAR file that includes the custom class in WAS_HOME/lib/ext.




Related tasks
Enabling security for the realm
[Fix Pack 27 or later] Using an alias host name for SPNEGO TAI authentication using the administrative console
Related reference
Common Secure Interoperability Version 2 outbound authentication settings
System login configuration entry settings for Java Authentication and Authorization Service
Related information
Open Web Application Security Project (OWASP): HTTPOnly flag

Last updated: Aug 30, 2013 6:03:36 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-base-iseries&topic=usec_seccustomprop
File name: usec_seccustomprop.html