Version: 8.2511.x.x RR

All credential types

This page describes the policy parameters that apply to credentials of all types. Individual credential type pages list additional parameters specific to that type, and may also override the default values defined here.

General

auditCredentialValue

  • Data type: boolean
  • Default: false
  • Description: Determines whether the credential's value attribute is written to the audit log. Other attributes are not affected; they are audited regardless of this setting. Enable this only if the audit log is protected as strictly as the credential store itself, since the credential value then appears in the log.

credentialLifetime

  • Data type: long (>0)
  • Default: 315360000000 (10 years in milliseconds)
  • Description: The time to live (in milliseconds) of the credential. After the defined period of time, the user will no longer be able to use this credential. Individual credential types may override this default.

validityDateCalculationVersion

  • Data type: enum
  • Values: v1, v2
  • Default: v2
  • Description: Controls how the credential's validityTo date is calculated when not explicitly defined.
    • v1: validityTo is calculated from the date of modification.
    • v2: validityTo is calculated from the date of validityFrom.

Login failure locking

maxCredFailureCount

  • Data type: int (>0) or -1
  • Default: 3
  • Description: Maximum number of login failures before the credential is permanently locked. If set to -1, the maximum failure counter is disabled and no permanent lock is applied.

tmpLockingThreshold

  • Data type: int (>0) or -1
  • Default: 2
  • Description: Number of login failures before the credential is temporarily locked. If set to -1, the temporary lock is disabled.

tmpLockingDuration

  • Data type: long
  • Default: 60000
  • Description: Duration of the temporary locking in milliseconds. Use a value of at least 30000 since the exact duration cannot be guaranteed below this value.

tmpLockingMode

  • Data type: String
  • Values: strict, threshold
  • Default: strict
  • Description: Controls the behavior after the temporary locking period expires.
    • strict: when a temporary locking period is over, the user can try to log in only once before the next temporary locking period activates.
    • threshold: the user can always try tmpLockingThreshold times to log in before the next temporary locking period activates.
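
The four locking parameters above form a small state machine, and the difference between strict and threshold mode is easiest to see by replaying a sequence of attempts against it. The following simulator is an added example written for this page; it is not nevisIDM code, and two details the page does not specify are assumptions: attempts made while a temporary lock is active are rejected without being counted, and a successful login resets the failure counters.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockingPolicy:
    # Field names mirror the policy parameters; values are the documented defaults.
    max_cred_failure_count: int = 3        # maxCredFailureCount, -1 disables
    tmp_locking_threshold: int = 2         # tmpLockingThreshold, -1 disables
    tmp_locking_duration_ms: int = 60000   # tmpLockingDuration
    tmp_locking_mode: str = "strict"       # tmpLockingMode: "strict" or "threshold"

    def __post_init__(self) -> None:
        if self.tmp_locking_mode not in ("strict", "threshold"):
            raise ValueError(f"unknown tmpLockingMode: {self.tmp_locking_mode}")


@dataclass
class CredentialState:
    failures: int = 0                      # consecutive failures (assumption: reset on success)
    since_last_lock: int = 0               # failures since the last temporary lock was applied
    tmp_locks_applied: int = 0
    tmp_locked_until_ms: Optional[int] = None
    permanently_locked: bool = False


def attempt(policy: LockingPolicy, state: CredentialState, now_ms: int, success: bool) -> str:
    """Apply one login attempt at time now_ms and return what happened."""
    if state.permanently_locked:
        return "rejected_perm"
    if state.tmp_locked_until_ms is not None and now_ms < state.tmp_locked_until_ms:
        # Assumption: attempts during a temporary lock are rejected and not counted.
        return "rejected_tmp"
    if success:
        state.failures = 0
        state.since_last_lock = 0
        state.tmp_locked_until_ms = None
        return "ok"

    state.failures += 1
    # maxCredFailureCount: permanent lock wins over any temporary lock.
    if policy.max_cred_failure_count != -1 and state.failures >= policy.max_cred_failure_count:
        state.permanently_locked = True
        return "perm_locked"
    if policy.tmp_locking_threshold == -1:
        return "failed"

    # Failures tolerated before the next temporary lock:
    #   before any lock, or in threshold mode: tmpLockingThreshold
    #   strict mode after a lock has expired:  exactly one attempt
    if state.tmp_locks_applied == 0 or policy.tmp_locking_mode == "threshold":
        tolerated = policy.tmp_locking_threshold
    else:
        tolerated = 1
    state.since_last_lock += 1
    if state.since_last_lock >= tolerated:
        state.tmp_locked_until_ms = now_ms + policy.tmp_locking_duration_ms
        state.tmp_locks_applied += 1
        state.since_last_lock = 0
        return "tmp_locked"
    return "failed"


def run(policy: LockingPolicy, events: List[Tuple[int, bool]]) -> List[str]:
    """Replay (time_ms, success) events against a fresh credential; return one outcome per event."""
    state = CredentialState()
    return [attempt(policy, state, t, ok) for t, ok in events]


# Constructed scenario: two failures, one attempt inside the 60 s lock, two more after it expires.
SCENARIO = [(0, False), (1_000, False), (2_000, False), (61_000, False), (62_000, False)]

if __name__ == "__main__":
    for mode in ("strict", "threshold"):
        policy = LockingPolicy(max_cred_failure_count=10, tmp_locking_mode=mode)
        print(mode, run(policy, SCENARIO))
    # With the documented defaults the third failure is also the permanent lock.
    print("defaults", run(LockingPolicy(), [(0, False), (1_000, False), (61_000, False), (62_000, True)]))
```

Two things the replay makes visible: in strict mode the first failure after the lock expires immediately re-locks, while threshold mode grants a fresh tmpLockingThreshold attempts; and with the defaults (tmpLockingThreshold 2, maxCredFailureCount 3) the first failure after the temporary lock is already the third failure, so it locks the credential permanently whichever mode is configured.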

Expiration warnings

closeToExpirationThreshold

  • Data type: int (days)
  • Default: 10
  • Description: Defines the number of days preceding the real expiry date at which the batch job UpdateCredentialStateJob will trigger communication events. Example: if set to 2, all credentials that expire the day after tomorrow (between 00:00 and 23:59) will be affected.

sendWarningWhenCloseToExpiration

  • Data type: boolean
  • Default: false
  • Description: Defines whether the batch job UpdateCredentialStateJob should trigger an expiration warning communication event when closeToExpirationThreshold is reached.

Communication (sending method)

sendingMethod

  • Data type: Comma-separated list of enums

  • Values: any subset of PDFstore, Print, Email, HTMLemail, PDFemail, SMS_SMTP, None, or PDFstream alone

  • Default: Email

  • Description: Defines a fallback list of different methods of how a credential should be communicated to the user. If the first method fails, the next is tried.

    Method Email will fail if the user has no e-mail address or the address is invalid. Method SMS_SMTP will fail if the user has no mobile number or the mobile number is invalid. All methods (except None) will fail if the corresponding template is missing or one or more mandatory placeholders are empty. If sendingMethod is not defined at all, nevisIDM takes the default value. The default value has no fallback: if Email fails, the communication fails.

    Special sendingMethod for GUI only: PDFstream — this cannot be part of a fallback list. After credential creation or reset, a transient download link appears in the CredentialModify view on the GUI.

    If PDFstore is configured, the following additional parameter can be defined:

    • PDFstore.destDir (optional): Defines the destination directory where the PDF is to be saved. If not configured, the directory set in nevisidm-prod.properties is used as fallback.

    If SMS_SMTP is configured, the following additional parameters must be defined:

    • SMS_SMTP.smtp.host (mandatory): Host name of the SMTP server. Availability is checked at startup.
    • SMS_SMTP.smtp.port (mandatory): Port of the SMTP server.
    • SMS_SMTP.message.from (mandatory): Sender of the SMS message. Must be a valid e-mail address.
    • SMS_SMTP.message.to (mandatory): Receiver of the SMS message. Must contain the ${phonenumber} placeholder. Example: ${phonenumber}@sms.mycompany.ch.
    • SMS_SMTP.message.subject (mandatory): Subject of the e-mail sent to the SMTP gateway.

    The PDFemail method requires two templates: one e-mail and one OpenOffice template. If PDFemail is configured, the following additional parameter can be defined:

    • PDFemail.htmlEmail (optional, default: false): If true, an HTML e-mail is sent. Otherwise, a plain text e-mail is sent.
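
The rules above (which values may be combined, that PDFstream must stand alone, which SMS_SMTP.* properties are mandatory, and how the fallback list is walked) are the kind of thing worth checking before a policy is deployed rather than discovering at the first password reset. The following is an added example written for this page, not nevisIDM code: a parser and validator for the sendingMethod value and a resolver that walks the fallback list for a given user. The e-mail and mobile number syntax checks are illustrative assumptions, since the page does not define what nevisIDM treats as invalid, and "templates" is modelled as the set of methods whose templates are present (for PDFemail, both the e-mail and the OpenOffice template).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FALLBACK_METHODS = {"PDFstore", "Print", "Email", "HTMLemail", "PDFemail", "SMS_SMTP", "None"}
GUI_ONLY_METHOD = "PDFstream"
DEFAULT_SENDING_METHOD = "Email"
SMS_SMTP_REQUIRED = ("SMS_SMTP.smtp.host", "SMS_SMTP.smtp.port", "SMS_SMTP.message.from",
                     "SMS_SMTP.message.to", "SMS_SMTP.message.subject")

# Assumed syntax checks; the page does not specify nevisIDM's own validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MOBILE_RE = re.compile(r"^\+?[0-9]{7,15}$")


def parse_sending_method(value: Optional[str]) -> List[str]:
    """Turn the policy value into an ordered fallback list, enforcing the documented constraints."""
    if value is None or not value.strip():
        return [DEFAULT_SENDING_METHOD]          # not defined: default value, no fallbacks
    methods = [m.strip() for m in value.split(",") if m.strip()]
    if GUI_ONLY_METHOD in methods:
        if len(methods) != 1:
            raise ValueError(f"{GUI_ONLY_METHOD} cannot be part of a fallback list")
        return methods
    unknown = [m for m in methods if m not in FALLBACK_METHODS]
    if unknown:
        raise ValueError(f"unknown sendingMethod value(s): {unknown}")
    return methods


def sending_method_error(value: Optional[str]) -> Optional[str]:
    """Convenience for config linting: the error message, or None if the value is acceptable."""
    try:
        parse_sending_method(value)
        return None
    except ValueError as exc:
        return str(exc)


def validate_sms_smtp(props: Dict[str, str]) -> List[str]:
    """Problems with the SMS_SMTP.* properties; an empty list means they are complete."""
    problems = [f"{key} is mandatory" for key in SMS_SMTP_REQUIRED if not props.get(key)]
    to = props.get("SMS_SMTP.message.to", "")
    if to and "${phonenumber}" not in to:
        problems.append("SMS_SMTP.message.to must contain the ${phonenumber} placeholder")
    sender = props.get("SMS_SMTP.message.from", "")
    if sender and not EMAIL_RE.match(sender):
        problems.append("SMS_SMTP.message.from must be a valid e-mail address")
    return problems


@dataclass
class User:
    email: Optional[str] = None
    mobile: Optional[str] = None


def failure_reason(method: str, user: User, templates: Set[str], empty_placeholders: Set[str]) -> Optional[str]:
    """Why the method would fail for this user under the documented rules; None if it would succeed."""
    if method == "None":
        return None
    if method not in templates:
        return "template missing"
    if method in empty_placeholders:
        return "mandatory placeholder empty"
    if method in ("Email", "HTMLemail", "PDFemail") and not (user.email and EMAIL_RE.match(user.email)):
        return "no valid e-mail address"
    if method == "SMS_SMTP" and not (user.mobile and MOBILE_RE.match(user.mobile)):
        return "no valid mobile number"
    return None


def resolve(methods: List[str], user: User, templates: Set[str],
            empty_placeholders: Set[str] = frozenset()) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the fallback list; return the first usable method and the (method, reason) pairs skipped."""
    skipped: List[Tuple[str, str]] = []
    for method in methods:
        reason = failure_reason(method, user, templates, empty_placeholders)
        if reason is None:
            return method, skipped
        skipped.append((method, reason))
    raise RuntimeError(f"no sendingMethod succeeded: {skipped}")


# Constructed sample configuration and users.
SMS_PROPS = {"SMS_SMTP.smtp.host": "smtp.example.test", "SMS_SMTP.smtp.port": "25",
             "SMS_SMTP.message.from": "idm@example.test",
             "SMS_SMTP.message.to": "${phonenumber}@sms.example.test", "SMS_SMTP.message.subject": "SMS"}
TEMPLATES = {"Email", "SMS_SMTP", "PDFstore"}

if __name__ == "__main__":
    methods = parse_sending_method("Email, SMS_SMTP, PDFstore")
    print(validate_sms_smtp(SMS_PROPS))
    print(resolve(methods, User(mobile="+41790000000"), TEMPLATES))
    print(resolve(methods, User(), TEMPLATES))
    print(sending_method_error("PDFstream,Email"))
```

Running the resolver for the default value Email against a user without an address raises, which is the concrete consequence of "the default value has no fallbacks".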

templatePrecedence

  • Data type: int
  • Default: null
  • Description: The precedence number of the template to use during communication with the user. If not set, the default template will be used. If no template exists with the given precedence number, an error will occur.

Hashing

hashAlgorithm

  • Data type: enum

  • Values: SSHA, SSHA256, PBKDF2, ARGON2ID

  • Default: SSHA256

  • Description: Defines the hash algorithm used for hashing password-like credential values. Supported algorithms are salted SHA-1 (SSHA), salted SHA-256 (SSHA256), PBKDF2 (PBKDF2), and Argon2id (ARGON2ID). Since nevisIDM 2.21.2.0, SSHA has been marked as deprecated because collision attacks on SHA-1 faster than brute force are known. For stored credential hashes the more practical concern applies to SSHA and SSHA256 alike: a single salted hash costs one digest computation per guess, so offline guessing against a leaked credential table is fast. PBKDF2 and ARGON2ID are deliberately expensive (and Argon2id memory-hard) and should be preferred for new deployments. Changing this parameter is backward compatible: existing credentials keep their stored hash and remain verifiable; only newly created credentials are hashed with the configured algorithm.

    Note: Password credentials additionally support bcrypt — see Password for details.

PBKDF2 parameters:

hashAlgorithm.pbkdf2.salt.length

  • Data type: integer (valid interval: 4–128)
  • Default: 16
  • Description: Defines the salt length (number of bytes) for the PBKDF2 hashing algorithm.

hashAlgorithm.pbkdf2.iterations

  • Data type: integer (valid interval: 1–1000000)
  • Default: 100000
  • Description: Defines the number of iterations for hashing with the PBKDF2 algorithm.

hashAlgorithm.pbkdf2.key.length

  • Data type: integer (valid interval: 8–256)
  • Default: 32
  • Description: Defines the key length (number of bytes) for the PBKDF2 algorithm.

ARGON2ID parameters:

hashAlgorithm.argon2id.salt.length

  • Data type: integer (valid interval: 4–128)
  • Default: 16
  • Description: Defines the salt length (number of bytes) for the ARGON2ID algorithm.

hashAlgorithm.argon2id.iterations

  • Data type: integer (valid interval: 1–64)
  • Default: 2
  • Description: Defines the number of iterations for hashing with the ARGON2ID algorithm.

hashAlgorithm.argon2id.key.length

  • Data type: integer (valid interval: 8–256)
  • Default: 32
  • Description: Defines the key length (number of bytes) for the ARGON2ID algorithm.

hashAlgorithm.argon2id.memory

  • Data type: integer (valid interval: 4092–134217728)
  • Default: 16384
  • Description: Defines the memory size (in KiB) allowed for the ARGON2ID algorithm.

hashAlgorithm.argon2id.parallelism

  • Data type: integer (valid interval: 1–64)
  • Default: 1
  • Description: Defines the number of parallel threads for the ARGON2ID algorithm.
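
To show how the hashAlgorithm parameters above fit together, the following added example (written for this page; not nevisIDM code) resolves a hashAlgorithm.* property set against the documented defaults and valid intervals, then hashes and verifies a value with PBKDF2 using the resolved parameters, and contrasts it with a single-pass salted SHA-256. Assumptions: the PBKDF2 pseudo-random function is HMAC-SHA256 (the page does not name nevisIDM's), the stored-record layouts are this example's own and not nevisIDM's storage format, and Argon2id is only range-checked because computing it needs a third-party library such as argon2-cffi.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SUPPORTED = ("SSHA", "SSHA256", "PBKDF2", "ARGON2ID")

# parameter -> (min, max, default), taken from the parameter tables above
LIMITS = {
    "PBKDF2": {"salt.length": (4, 128, 16), "iterations": (1, 1_000_000, 100_000), "key.length": (8, 256, 32)},
    "ARGON2ID": {"salt.length": (4, 128, 16), "iterations": (1, 64, 2), "key.length": (8, 256, 32),
                 "memory": (4092, 134_217_728, 16384), "parallelism": (1, 64, 1)},
}


def load_hash_policy(props: Dict[str, str]) -> Tuple[str, Dict[str, int]]:
    """Resolve hashAlgorithm and its algorithm-specific parameters, applying defaults and intervals."""
    algo = props.get("hashAlgorithm", "SSHA256")
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported hashAlgorithm: {algo}")
    prefix = f"hashAlgorithm.{algo.lower()}."
    params: Dict[str, int] = {}
    for name, (lo, hi, default) in LIMITS.get(algo, {}).items():
        raw = props.get(prefix + name)
        value = default if raw is None else int(raw)
        if not lo <= value <= hi:
            raise ValueError(f"{prefix}{name}={value} is outside the valid interval {lo}-{hi}")
        params[name] = value
    return algo, params


def hash_policy_error(props: Dict[str, str]) -> Optional[str]:
    """Config-lint helper: the error message, or None if the policy resolves cleanly."""
    try:
        load_hash_policy(props)
        return None
    except ValueError as exc:
        return str(exc)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def pbkdf2_hash(secret: str, params: Dict[str, int], salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 (PRF assumed). Record layout: pbkdf2$<iterations>$<salt>$<derived key>.
    Storing the iteration count with the record is what keeps old hashes verifiable after a policy change."""
    salt = os.urandom(params["salt.length"]) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, params["iterations"], dklen=params["key.length"])
    return f"pbkdf2${params['iterations']}${_b64(salt)}${_b64(dk)}"


def pbkdf2_verify(secret: str, stored: str) -> bool:
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def ssha256_hash(secret: str, salt: Optional[bytes] = None) -> str:
    """One salted SHA-256 pass, LDAP {SSHA256}-style layout, shown for contrast: one digest per guess."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(secret.encode("utf-8") + salt).digest()
    return "{SSHA256}" + _b64(digest + salt)


def ssha256_verify(secret: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA256}"):])
    digest, salt = raw[:32], raw[32:]
    return hmac.compare_digest(hashlib.sha256(secret.encode("utf-8") + salt).digest(), digest)


if __name__ == "__main__":
    _, params = load_hash_policy({"hashAlgorithm": "PBKDF2"})            # documented defaults
    record = pbkdf2_hash("correct horse battery staple", params)
    print(record, pbkdf2_verify("correct horse battery staple", record))
    print(hash_policy_error({"hashAlgorithm": "ARGON2ID", "hashAlgorithm.argon2id.memory": "4000"}))
```

Raising hashAlgorithm.pbkdf2.iterations later changes only new records; the old ones still verify because each carries its own iteration count, which is the property the "backward compatible" remark above relies on. The documented defaults (100000 PBKDF2 iterations; Argon2id with 16384 KiB, 2 iterations, 1 thread) are a starting point, and the cost should be tuned against the login latency and hardware of the actual deployment.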