Configuration Files

nevisidm-prod.properties

The nevisidm-prod.properties configuration file contains the main configuration of nevisIDM. You can change configurations with the command-line API as described in the chapter nevisIDM Command-Line API. The default file location of the file is:

/var/opt/nevisidm/nevisidm/conf/nevisidm-prod.properties

The nevisIDM application has to be restarted to activate changes in this configuration file.

The properties support property value expressions that will be replaced on runtime. The next section shows the available syntax:

${exec:command}

• Example: server.tls.keystore-passphrase: ${exec:/var/opt/keys/own/instance/keypass.sh}server.host: ${exec:hostname -f}
• Remarks: Executes the given command and uses its output as value.

${env:variablename}

• Example: server.host: ${env:HOSTNAME}
• Remarks: Uses the value of the specified environment variable.

New names for the configuration parameters

As of release 2.71.0, the configuration parameters have been renamed. The previous names are deprecated. See Appendix D for the list of previous names.

Server (standalone mode only)

server.name

• Default: default
• Mandatory: no
• Name of the server. Give each server a unique name, for the sake of identification. This name will also be logged.

server.port

• Default: 8989
• Mandatory: no
• Configures the port where the server will listen for incoming requests.

server.host

• Default: 0.0.0.0
• Mandatory: no
• Configures the hostname on which the server will listen for incoming requests.

server.max-threads

• Default: 200
• Mandatory: no
• Maximal number of threads used to process incoming requests.

server.tls.enabled

• Default: false
• Mandatory: no
• If set to true, this parameter enables TLS for the HTTPS protocol. If disabled, any other server.tls. parameter has no effect.

server.tls.require-client-auth

• Default: false
• Mandatory: no
• Controls if client authentication is required for the TLS connection.- false = one-way TLS connection, two-way optional- true = two-way TLS connection enforced

server.tls.keystore

• Mandatory: no
• Keystore object used for the TLS.

server.tls.keystore-passphrase

• Mandatory: no

server.tls.truststore

• Mandatory: no
• Truststore object used for the TLS. If not specified, then the system's trustore is used.

server.tls.truststore-passphrase

• Mandatory: no

server.tls.crl

• Mandatory: no
• Certificate revocation list.

server.tls.supported-protocols

• Default: -
• Mandatory: no
• Provides a list of protocols that are accepted by the client when trying to initiate a connection with TLS. The default TLS protocol depends on the Java version, that is, the version of the cryptographic provider. For more information see: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html/

server.tls.cipher-suites

• Default: -
• Mandatory: no
• Provides a list of ciphers that are accepted by the client when trying to initiate a connection with TLS. Which cipher suite is the default depends on the Java version, that is, the version of the cryptographic provider. For more information see: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html/

server.auth.ninja.truststore

• Default: "/var/opt/neviskeybox/default/nevis/truststore.jks"
• Mandatory: no
• Path to the truststore object used to verify the Ninja/SecToken.

server.auth.ninja.log-debug

• Default: false
• Mandatory: no
• If set to true, debug-level tracing information is written to logs. This needs to have the Ninja tracegroup set to DEBUG.

server.max-http-header-size

• Default: 8192
• Mandatory: no
• The maximum header size of requests and responses in bytes. If not configured, the default maximum header size of 8192 bytes is used.

management.server.port

• Default: 8998
• Mandatory: no
• Port on which the management service listens.

management.server.host

• Default: localhost
• Mandatory: no
• Host on which the management service listens.

messaging.server.port

• Default: 61616
• Mandatory: no
• Port on which the messaging service (JMS) listensCan be disabled by setting the value to -1. If you do so, turn off the Provisioning feature, otherwise an exception will be thrown and the instance won't start. Alternatively, you could configure a remote messaging queue. For more information, see Provisioning providers. Deprecated : server.jms.port

messaging.server.host

• Default: localhost
• Mandatory: no
• Host on which the messaging service (JMS) listensThe default value localhost is only valid for the local host. If the JMS queue must be accessible remotely, set this parameter to 0.0.0.0.

messaging.server.tls.enabled

• Default: false
• Mandatory: no
• If set to true, the messaging must be accessed via TLS. If disabled, any other server.tls.messaging.* parameter has no effect.

messaging.server.tls.keystore

• Default: Same keystore as set in server.tls.keystore
• Mandatory: no
• Defines the keystore object used for messaging TLS. If not defined, the system will use the keystore set in the parameter server.tls.keystore.

messaging.server.tls.keystore-passphrase

• Default: Same passphrase as set in server.tls.keystore-passphrase
• Mandatory: no
• Passphrase for the messaging keystore. If the parameter messaging.server.tls.keystore is not defined, the system will use the passphrase set in the parameter server.tls.keystore-passphrase.

messaging.remote.uri

• Default: -
• Mandatory: no
• If configured, the messaging events are provisioned to a remote queue. For more information, see Remote messaging queue.

application.modules.provisioning.jmsqueue.storage.location

• Default: /var/opt/nevisidm/${server.name}/jmsstorage
• Mandatory: no
• Path to folder where the JMS data should be stored.

application.modules.provisioning.jmsqueue.username

• Default: nevisidm
• Mandatory: no
• Name of the user who will access the JMS queue.

application.modules.provisioning.jmsqueue.password

• Default: secret
• Mandatory: no
• Password of the JMS user.

application.modules.provisioning.jmsqueue.page-size-bytes

• Default: 10485760
• Mandatory: no
• Page size for the provisioning JMS queue if it needs paging.

application.modules.provisioning.jmsqueue.max-size-bytes

• Default: -1 (disabled)
• Mandatory: no
• The maximum size the provisioning JMS queue can have before entering page mode.

security.web.hsts.enabled

• Default: true
• Mandatory: no
• Adds Strict-Transport-Security header with max-age=31536000; includeSubDomains to /nevisidm/*. This means that a ll present and future pages will have the header for a maximum age of 1 year.

application.cache.permission.units

• Default: true
• Mandatory: no
• With this property, you can set whether the unitIds are cached in the session.
• If you change application.cache.permission.units to false then the units of the data room are not loaded and cached during the session creation. This can be useful if the unit hierarchy and unit data room structure is complex and due to this the memory usage of nevisIDM is high.

DB connection

database.connection.url

• Default: jdbc:oracle:thin:@<host>:<port>:<sid>
• Mandatory: yes
• Configures the JDBC connection URL used to connect to the DB.

If you use Oracle RAC database, set the DB connection URL in one of the following formats:

• jdbc:oracle:thin:@<host-vip>:<port>/<dbservice>
• jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<host-vip>)(PORT=<1521>))(CONNECT_DATA=(SERVICE_NAME=<dbservice>))) If you use Mariadb database, instead of autocommit=0 use pinGlobalTxToPhysicalConnection=1 as URL parameter. For example: jdbc:mysql://<Mariadb host>:3306/nevisidm?pinGlobalTxToPhysicalConnection=1.

database.connection.username

• Default: -
• Mandatory: no
• Name of DB user.

database.connection.password

• Default: -
• Mandatory: no
• Password of DB user.

database.oracle.thinnet-encryption-level

• Default: 60
• Mandatory: no
• Value to be set for Oracle database connection's sqlnet.encryption_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.

database.oracle.thinnet-encryption-types

• Default: 60
• Mandatory: no
• Value to be set for Oracle database connection's sqlnet.encryption__types_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.

database.oracle.thinnet-checksum-level

• Default: 60
• Mandatory: no
• Value to be set for Oracle database connection's sqlnet.crypto_checksum_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.

database.oracle.thinnet-checksum-types

• Default: 60
• Mandatory: no
• Value to be set for Oracle database connection's sqlnet.crypto_checksum_types_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.

database.oracle.sqlnet-allow-weak-crypto

• Default: true
• Mandatory: no
• Value to be set for Oracle database connection's sqlnet.allow_weak_crypto_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.

database.transaction.timeout

• Default: 60
• Mandatory: no
• Timeout of transactions in seconds

DB connection pooling

• See the c3p0 documentation for details on parameters.

database.pooling.c3p0.acquire.increment

• Default: 3
• Mandatory: no
• Determines how many connections at a time c3p0 will try to acquire when the pool is exhausted.

database.pooling.c3p0.poolsize.min

• Default: 10
• Mandatory: no
• Defines the minimum number of connections a pool will maintain at any given time.

database.pooling.c3p0.poolsize.max

• Default: 100
• Mandatory: no
• Defines the maximum number of connections a pool will maintain at any given time.

database.pooling.c3p0.checkout.timeout

• Default: 10
• Mandatory: no
• Defines how long a client will wait for a connection to be checked-in or acquired in case the pool is exhausted (in milliseconds). After the specified (positive) number of milliseconds, the getConnection() call will time-out and break with an SQL exception. Setting 0 means that the client will wait indefinitely.

database.pooling.c3p0.num.helerthreads

• Default: 6
• Mandatory: no
• This parameter defines the number of helper threads.c3p0 is very asynchronous. Slow JDBC operations are generally performed by helper threads that do not hold contended locks. Spreading these operations over multiple threads can sigificantly improve performance, as this allows multiple operations to be performed simultaneously.

database.pooling.c3p0.administrativetask.time.max

• Default: 0
• Mandatory: no
• Defines the number of seconds before the c3p0's thread pool will try to interrupt a hanging task.
• Note that this parameter is explicitly meant for indefinitely hanging tasks, not for slow tasks. In case of slow tasks, just increase the number of threads, via the parameter database.pooling.c3p0.num.helperthreads.

database.pooling.c3p0.connection.age.max

• Default: 0
• Mandatory: no
• Defines a connection's time to live, in seconds.
• A connection older than the defined value will be destroyed and purged from the pool. The value 0 means that no maximum absolute age is enforced. This parameter differs from the parameter database.pooling.c3p0.connection.idle.time.max in that it refers to the absolute age.

database.pooling.c3p0.connection.idle.time.max

• Default: 0
• Mandatory: no
• Defines the time a connection can remain pooled but unused before it is discarded (in seconds). The value 0 means that idle connections never expire.

database.pooling.c3p0.connection.idle.time.excessconnections.max

• Default: 0
• Mandatory: no
• Defines the number of seconds that connections are permitted to remain idle in a pool before they are being culled. This parameter is only valid if the number of connections in the pool excesses database.pooling.c3p0.poolsize.min. For the parameter to have any effect, the value must be smaller than the value set in the parameter database.pooling.c3p0.connection.idle.time.max. The value 0 means no enforcement, excess connections are not idled out.

database.pooling.c3p0.connection.idle.testperiod Value: long (seconds)

• Default: 300
• Mandatory: no
• Defines the (repeating) interval, in seconds, after which to test all idle, pooled but un-checked-out connections.

database.pooling.c3p0.connection.idle.test.oncheckin.enabled

• Default: true
• Mandatory: no
• If true, an operation will be performed asynchronously at every connection checkin to verify that the connection is valid.

database.pooling.c3p0.connection.idle.test.oncheckout.enabled

• Default: false
• Mandatory: no
• If true, an operation will be performed at every connection checkout to verify that the connection is valid.

database.pooling.c3p0.connection.testquery

• Default: select 1 from dual
• Mandatory: no
• Defines the query that will be executed for all connection tests.

database.pooling.c3p0.connection.testerclassname

• Default: com.mchange.v2.c3p0.impl.DefaultConnectionTester
• Mandatory: no
• Sets the fully qualified class name of an implementation of the ConnectionTester interface (or the QueryConnectionTester interface, if you would like instances to have access to a user-configured value of database.pooling.c3p0.connection.testquery).

database.pooling.c3p0.acquire.retryattempts

• Default: 30
• Mandatory: no
• Defines how often c3p0 will try to acquire a new connection from the database before giving up.
• If this value is less than or equal to zero, c3p0 will keep trying to fetch a connection indefinitely.

database.pooling.c3p0.acquire.retrydelay Value: long (milliseconds)

• Default: 100
• Mandatory: no
• Defines the time period, in milliseconds, that c3p0 will wait between attempts to acquire a connection.

database.pooling.c3p0.acquire.failure.break.enabled

• Default: false
• Mandatory: no
• If true, a pooled DataSource will declare itself broken and be permanently closed, in case no connection from the database could be obtained after the number of attempts specified by the parameter database.pooling.c3p0.acquire.retryattempts. If false, the DataSource will remain valid if no connection could be obtained, and will retry acquiring, following a call to getConnection(). The threads will throw an exception, but wait for the pool to acquire a connection.

database.pooling.c3p0.forceignore.unresolvedtransactions.enabled

• Default: false
• Mandatory: no
• The parameter's default is false. Changing this setting may lead to bugs and is not recommended. There is only one acceptable use case for the value true: When the used database allows the connections' autoCommit flag to go to false, but offers no other meaningful support of transactions.

database.pooling.c3p0.connection.unreturned.timeout

• Default: 0
• Mandatory: no
• Defines the timeout time period in seconds. The pool will destroy the connection, if the respective application checks out but then fails to check in within the specified time period.

database.pooling.c3p0.connection.unreturned.debug.enabled Value: boolean

• Default: false

• Mandatory: no

• If true, and if database.pooling.c3p0.connection.unreturned.timeout is set to a positive value, the pool will capture the stack trace of all connection checkouts, via an exception. The stack traces will be printed when unreturned checked-out connections time out. The intention is to debug applications with connection leaks. Such applications occasionally fail to return connections, which leads to pool growth and eventually exhaustion. This happens when the pool hits the value of database.pooling.c3p0.poolsize.max, with all connections checked-out and lost.

• Only set this parameter while debugging, as capturing the stack trace will slow down every connection checkout.

database.pooling.c3p0.property.cycle

• Default: 0
• Mandatory: no
• Defines the maximum time in seconds before user configuration constraints are enforced.c3p0 periodically checks the age of connections to see whether they have timed out. This parameter defines the time period after which the checks take place. If you set the value 0, the check is performed automatically, that is, c3p0 will define a suitable time period.

DB statement optimization

database.performance.bindvar.max

• Value: int
• Default: 100
• Mandatory: no
• nevisIDM uses SQL statements of type WHERE IN (). With this configuration parameter, the number of bind variables used in the IN-statement is limited.
• The parameter is related to database performance. The default value should be okay for most setups. There is no need to change it unless you encounter database performance problems with the type of submitted queries.

database.performance.bindvar.usersearch.max Value: int

• Default: 100
• Mandatory: no
• Works the same way as database.performance.bindvar.max (see above), but it affects the "Search Users" use case only. The parameter is related to database performance. The default value should be okay for most setups. There is no need to change it unless you encounter database performance problems with the type of submitted queries.

Multi-client

application.feature.multiclientmode.enabled

• Value: boolean
• Default: false
• Mandatory: no
• Enables the multi-client mode in nevisIDM. If the multi-client mode is disabled, the web GUI will hide the client selections.

REST

rest.limits.result.max

• Value: int
• Default: 1000
• Mandatory: no
• The maximum number of search results. The property applies to all REST interface query methods that support the limit parameter. The goal of the limit is to prevent DoS attacks.

SOAP

webservice.versions

• Value: String
• Default: <all>
• Mandatory: no
• Defines a comma-separated list of web service versions that are enabled and deployed. If you do not set this parameter, that is, do not include it in the nevisidm-prod.properties file, all web service versions including V1 are enabled (this is the default setting).

Possible values:

• latest: The latest web service version (including the LoginService) is deployed on the corresponding version endpoint and the V1 endpoint.
• previous: The web service version before the latest web service version is deployed on the corresponding version endpoint.
• v1_x: The web service version v1_x is deployed on the V1_X endpoint.
• v1: The latest web service versions (including the LoginService) are deployed on the V1 endpoint.

The LoginService is enabled if the parameter webservice.versions is set to v1 or latest.

Examples:

• webservice.versions=latest,previous: Only enables the last two web service versions (including V1).
• webservice.versions=v1_44,v1_42? Only enables the web service versions v1_44 and v1_42.
• webservice.versions=: If you set the parameter to an empty value, as shown in the previous example, no web service version is enabled at all.

webservice.limits.httpsession.inactiveinterval

• Value: int (seconds)
• Default: -1
• Mandatory: no
• Defines the max. inactive interval for HTTP sessions created due to SOAP requests to nevisIDM. -1 means that the default value of the container is used, e.g. 1800 seconds. SOAP requests coming from nevisAuth are not affected by this configuration parameter.

note

This parameter should only be used if there is no other way to integrate a legacy web service client. Rather than using this parameter, the web service client should be changed to use session binding.

webservice.limits.result.recursion.max

• Value: int
• Default: 50
• Mandatory: no
• The maximum recursion depth of the get and query methods of the SOAP interface. The limit exists for DoS prevention.

webservice.limits.result.query.max

• Value: int
• Default: 1000
• Mandatory: no
• The maximum number of search results for all query methods of the SOAP interface. The limit exists for DoS prevention.

webservice.limits.result.units.max

• Value: int
• Default: 10000
• Mandatory: no
• Denotes the maximum number of units returned (including child units). The limit exists for DoS prevention.

webservice.limits.input.max

• Value: int
• Default: 50
• Mandatory: no
• Denotes the maximum number of input elements allowed for list operations such as deleteCredentials. Note that this number should be kept as small as possible since increasing it will implicate an increased probability of optimistic locking exceptions.

webservice.property.roleexclusion.enabled

• Value: Boolean
• Default: false
• Mandatory: no
• Parameter for backward compatible handling of the scopeName field format of the PropertyValue type. If this parameter is enabled, the scopeName contained in responses will just hold the application name, i.e., the role name is not appended.

QueryService

application.queryservice.enabled

• Value: Boolean
• Default: false
• Mandatory: no
• Enables the queryService that provides a REST API for full-text queries.

application.queryservice.index.dir

• Value: String
• Default: /tmp/lucene/indexes
• Mandatory: no
• Path to the directory where the index for the queryService has to be stored.

application.queryservice.forcedreindex.enabled

• Value: Boolean
• Default: true
• Mandatory: no
• If this is set to true, the index will be recreated on startup even if an index already exists.

application.queryservice.cronjob.enabled

• Value: Boolean
• Default: false
• Mandatory: no
• This is required if one uses the queryService with a multiInstance setup. It will periodically update the index to make sure it is consistent on all instances.

application.queryservice.cronjob.interval

• Values: long (milliseconds)
• Default: 300000
• Mandatory: no
• The time in milliseconds between two runs of the batch job.

application.queryservice.index.length.min

• Default: 3
• Mandatory: no
• The length of the shortest indexed fragment. Note that this is the same as the shortest possible search.

web.gui.quicksearch.fields

• Value: String
• Default: -(all)
• Mandatory: no
• Defines a comma-separated list of field names. The list must only include field names of entities that support the quick search (Users, Clients, Applications, Units). If set, the quick search feature only performs searches on these fields. If you do not specify this parameter, the system queries all fields of the entities supporting the quick search. Invalid field names are silently ignored (that is, no error message will appear).

note

This parameter is only valid for the quick search feature. The query service (Query Search REST service) ignores this setting.

Authentication (nevisIDM auth state related)

application.feature.loginid.casesensitive.enabled

• Value: boolean
• Default: false
• Mandatory: no
• If set to true, all user searches based on the login ID and triggered by IDM auth states will be case-sensitive. Default is case-insensitive.

application.feature.emaillogin.enabled

• Value: boolean
• Default: false
• Mandatory: no
• If set to true, the e-mail address can be used alternatively to the login ID in the IDM auth states. This feature requires e-mail uniqueness per client, which will be enforced automatically. A data consistency check will be performed during start-up of nevisIDM. If e-mail uniqueness per client is violated, start-up of nevisIDM will stop with a corresponding error message (BadConfigurationException: Found duplicate user e-mails on database) and the violating users will be traced as ERROR in the log file. The non-unique e-mail addresses have to be cleaned up before the feature can be enabled.
• If you plan to enable this feature on an existing nevisIDM installation with a large user population, pay attention to the comments concerning migration in the Client policy chapter.

Deprecated

This parameter is deprecated. Instead, use the Client policy parameter authentication.loginWithEmail.enabled. For a description of this parameter, see the chapter Client policy.

Vasco Digipass token

application.feature.vascotoken.enabled

• Value: boolean
• Default: false
• Mandatory: no
• Enables support for credentials of type Vasco containing Digipass Tokens. ... of type Vasco Digipass token if enabled, the java.library.path must also point to the native Vasco library (aal2sdk-3.11 or compatible). Therefore, add the following line to the vmargs.conf of nevisIDM: -Djava.library.path=/path/to/vasco/library
• If disabled, nevisidm will not try to load the native libs, and Vasco Digipass token related operations are prohibited.

Referenced configuration files

application.config.file.idmrole.authorization

• Default: -Loads the file from the classpath (config folder)
• Mandatory: no
• Configures the location of the authorization properties file.

application.config.file.idmrole.mapping

• Default: -Loads the file from the classpath (config folder)
• Mandatory: no
• Configures the location of the role mapping file. This file groups low-level authorizations to form convenient user roles like nevisIdm.UserAdmin.

application.config.file.idmrole.assignment

• Default: -Loads the file from the classpath (config folder)
• Mandatory: no
• Configures the location of the roles assignment file. This file defines which nevisidm role is required to assign a given nevisidm role. For example, nevisIdm.TechUser=nevisIdm.Root,nevisIdm.AppAdmin defines that you need to be Root or AppAdmin to assign a TechUser role to someone.

application.config.file.attributeaccess

• Default: - Loads the file from the classpath (config folder)
• Mandatory: no

Deprecated

This feature is deprecated. It will be removed in a future version of nevisIDM.

• Configures the location of the attribute access definition file. This file allows defining the AttributeAccess parameters for the Unit screens. The following two parameters are available:
  • AttributeAccess.UnitCreate.Name
  • AttributeAccess.UnitModify.Name
• They can be set to rw, ro or off. rw stands for read-write, ro for read-only and off for no rendering of this GUI element. Note that the elementary right EntityAttributeAccessOverride overrides the read-only behavior, rendering it read-write. It does not affect the off setting.
• Example:
  • AttributeAccess.UnitCreate.Name=off
  • AttributeAccess.UnitModify.Name=ro

application.config.file.tldlist

• Default: -Loads the file from the classpath (config folder)
• Mandatory: no
• Location of the file that contains a list of valid top level domains and is used for validating e-mail addresses. Originally downloaded from http://data.iana.org/TLD/tlds-alpha-by-domain.txt. Also see the chapter: Other nevisIDM configuration files.

Audit module

application.modules.auditing.enabled

• Value: boolean
• Default: true
• Mandatory: no
• Enable/disable the audit module.

application.modules.auditing.provider

• Default: fileAuditProvider
• Mandatory: no
• Configures which audit provider implementation to use. Possible values are:
• jsonAuditProvider: This audit provider implementation logs events in JSON data format into the log file through theapplication.modules.auditing.fileproperty. You can turn it off by leaving theapplication.modules.auditing.file property empty.
• jcanLogAuditProvider: This audit provider implementation uses the configuration from the log4j.xml file. You configure the log4j.xml file with the nevisIDM config log.
• fileAuditProvider: This audit provider implementation logs events into the file set through the application.modules.auditing.file property. You can turn it off by leaving the application.modules.auditing.file property empty.

Deprecated

The audit provider fileAuditProvider (see above) has been deprecated. Use the jcanLogAuditProvider instead (as it the covers all the functionality of the fileAuditProvider). To migrate from the fileAuditProvider to the jcanLogAuditProvider, provide a log4j.xml file with the desired log format.

application.modules.auditing.file

• Default: -
• Mandatory: no
• Configures the location of the audit file used by the jsonAuditProvider.

application.modules.auditing.repeat.interval

• Value: long (milliseconds)
• Default: 30000
• Mandatory: no
• Configures the interval in milliseconds between two runs of the audit event processing quartz job.
• Do not change this parameter unless the integration partner explicitly recommends it!

application.modules.auditing.repeat.count

• Value: int (-1: unlimited, 0: never)
• Default: -1
• Mandatory: no
• Configures the number of runs of the audit event processing quartz job. Set it to 0 to disable audit event processing on this instance. -1 means unlimited runs.
• Do not change this parameter unless the integration partner explicitly recommends it!

application.modules.auditing.autostartup.enabled

• Value: boolean
• Default: true
• Mandatory: no
• Configures whether the audit processing is automatically started after initialization. If it is set to false, the audit processing will not start automatically after nevisIDM restart.
• To disable the audit processing, set this parameter to false, and set the application.modules.auditing.repeat.count parameter to 0. Do not change this parameter unless the integration partner explicitly recommends it!

Event module

application.modules.event.repeat.interval

• Value: long (milliseconds)
• Default: 30000
• Mandatory: no
• Configures the interval in milliseconds between two runs of the batch event processing quartz job.
• Do not change this parameter unless the integration partner explicitly recommends it!

application.modules.event.repeat.count

• Value: int (-1: unlimited, 0: never)
• Default: -1
• Mandatory: no
• Configures the number of runs of the batch event processing quartz job. Set it to 0 to disable batch event processing on this instance.-1 means unlimited runs.
• Do not change this parameter unless the integration partner explicitly recommends it!

application.modules.event.chunksize

• Value: int (≤0: unlimited)
• Default: -1
• Mandatory: no
• Configures the maximum number of batch events the batch event processing quartz job processes per run. Parameter could be used for fine-tuning in case the concurrent number of events is too high compared to the heap memory size available. Set chunkSize to 0 or a negative value to apply no chunking, i.e., process all batch events available. Usually, it should not be necessary to change the value of this parameter.

application.modules.event.autostartup.enabled

• Value: boolean
• Default: true
• Mandatory: no
• Configures whether the event processing is automatically started after initialization. If it is set to false, the event processing will not start automatically after nevisIDM restart. To disable the event processing, set this parameter to false, and set the application.modules.event.repeat.count parameter to 0. Do not change this parameter unless the integration partner explicitly recommends it!

Provisioning module

application.modules.provisioning.enabled

• Value: boolean
• Default: false
• Mandatory: no
• Enable/disable the provisioning module.

application.modules.provisioning.jmsqueue.username

• Default: -
• Mandatory: no
• The username used for authentication against the JMS destination.

application.modules.provisioning.jmsqueue.password

• Default: -
• Mandatory: no
• The password used for authentication against the JMS destination.

application.modules.provisioning.jmsqueue.msgttl

• Value: long (milliseconds)
• Default: 3600000
• Mandatory: no
• Defines the time-to-live of the JMS queue message.

application.modules.provisioning.erole.enabled

• Value: boolean
• Default: true
• Mandatory: no
• Enable/disable the transparency of the enterprise role provisioning, including the provisioning of adding and deleting of member roles to/from an enterprise role.

application.modules.provisioning.jmsqueue.name Value: string

• Default: provisioning
• Mandatory: no
• The name of the JMS provisioning queue. The queue will then be located at /queue/<name>.

Removed

Support for external JMS Providers has been removed. Only internal JMS provider is supported from nevisIDM 2.71.0.x.

application.modules.provisioning.jmsqueue.connectionfactory.nameValue: string

• Default: [java:/ConnectionFactory](http://java/ConnectionFactory)
• Mandatory: no
• The name of the JMS connection factory that is set in the standalone.xml configuration file.

Removed

Support for external JMS Providers has been removed. Only internal JMS provider is supported from nevisIDM 2.71.0.x.

Property value encryption

security.properties.key

• Default: (hidden)
• Mandatory: no
• Encryption key. The key value is a base64 encoded string. The key must be explicitly defined for every setup, instead of leaving the default. For AES, the key length can be 8, 16 and 24 bytes.

security.properties.iv

• Default: (hidden)
• Mandatory: no
• Initialization vector iv. The vector must be explicitly defined for every setup, instead of leaving the default. For AES, the vector length must be 16 bytes.

security.properties.algorithm

• Default: AES
• Mandatory: no
• Encryption algorithm.

security.properties.cipher

• Default: AES/CBC/PKCS5Padding
• Mandatory: no
• Encryption cipher.

security.properties.paddinglength

• Default: 10
• Mandatory: no
• Padding length.

SMTP server

application.mail.smtp.host

• Default: -
• Mandatory: no
• Host name of the SMTP server.

application.mail.smtp.port

• Default: -
• Mandatory: no
• Port of the SMTP server.

application.mail.smtp.username

• Default: -
• Mandatory: no
• Username used for the SMTP authentication.

application.mail.smtp.password

• Default: -
• Mandatory: no
• Password for the SMTP authentication.

application.mail.smtp.connection.timeout

• Default: 60
• Mandatory: no

application.mail.smtp.timeout

• Default: 60
• Mandatory: no

application.mail.debug.enabled

• Default: false
• Mandatory: no
• If set to true, the system will write the debug information to stdout.
• In installations using systemd, the output is redirected to the journal. You can retrieve it with the following command (replace <instance-name> with the relevant nevisIDM instance name): journalctl -u nevisidm@<instance-name>.service -b

application.mail.sender

• Default: -
• Mandatory: no
• Default sender address in e-mails.

application.mail.htmltemplate.encoding

• Value: string
• Default: ISO-8859-1
• Mandatory: no
• The character encoding of the uploaded HTML email templates.
• Be careful when you change the value of this parameter after you have already uploaded a few templates with the previous character encoding. In this case, you have to re-upload all existing HTML email templates with the new encoding via the Template Store. There is no automatic transcoding of templates in nevisIDM.

application.mail.smtp.starttls.enabled

• Value: Boolean
• Default: false
• Mandatory: no
• Use this parameter to enable or disable STARTTLS for the connection with the SMTP server. If STARTTLS is enabled, the system will use TLS/SSL to connect to the SMTP server to create a secure connection.

Legacy / backward compatibility

application.feature.legacy.passwordprefix

• Value: string
• Default: none
• Mandatory: no
• Used to smoothly migrate prefixed esadb/esmap passwords to nevisIDM.

GUI

web.gui.languages.default

• Value: {de, fr, it, en}
• Default: de
• Mandatory: no
• Two-letter lowercase ISO 639 code of default language.
• Defines the language of newly created user objects if no language has been set explicitly.
• Defines the default language for GUI sessions

web.gui.languages.list

• Value: {de, fr, it, en}
• Default: de, en, fr, it
• Mandatory: no
• Comma-separated list of ISO 639 codes.

web.gui.facing.location

• Value: string
• Default: -
• Mandatory: no
• Location (directory, JAR or ZIP file) of custom facing. On the top-level, it must contain the directories CSS and/or images.
• In case of standalone deployment, this has to be relative to the instance folder (e.g. conf/facing/).

web.gui.facing.cache.size

• Value: int (bytes)
• Default: 100000
• Mandatory: no
• Maximum sizeup to which a facing entry is cached in memory. Files larger than that value are read from the disk on every access.

web.gui.uri.logout

• Value: string
• Default: /?logout
• Mandatory: no
• Defines the URI that will be used upon logout, either Logout.do for application logout or /?logout for SSO logout.

application.config.environment.name

• Value: string
• Default: -
• Mandatory: no
• Displayed in the Status servlet as EnvironmentName (for example: test, production).

web.gui.debug.enabled

• Value: boolean
• Default: false
• Mandatory: no
• Configures whether additional debug information should be displayed. NEVER use this in production.

web.gui.messageresource.dir

• Default: -
• Mandatory: no
• Path to the customized LitDict resource files. The customized file should be named as follows: custLitDict[_<language code>].properties. The property files will be read with UTF-8 encoding.

web.gui.landingpage

• Default: selfadmin
• Mandatory: no
• Identifier of a nevisIDM subcomponent if the user accesses the nevisIDM top path, e.g., localhost/nevisidm.
• This can be one of the following identifiers: UserSearch, TemplateManager, UnitModify, ProfileSearch, ClientSearch, ApplicationSearch, UnitSearch, PolicyOverview, selfadmin.

Deprecated

If the user does not have read access on the specified component, a fallback to a viewable page is performed. Setting a relative path instead of an identifier is deprecated.

web.gui.personalquestion.enabled

• Value: boolean
• Default: false
• Mandatory: no
• If this parameter is false, the Personal Question functionality will be hidden on the GUI. This parameter must be set to true if security question credentials are used.

Certificate upload

web.gui.certupload.uri

• Value: string (URI)
• Default: /nevisidm/certupload
• Mandatory: no
• Defines the link that will be provided in certificate upload mails.

Deprecated

This parameter is deprecated. If possible, do not use it anymore.

web.gui.certupload.redirect.uri

• Default: -
• Mandatory: no
• Redirect location after successful certificate upload.

Deprecated

This parameter is deprecated. If possible, do not use it anymore.

web.gui.certupload.redirect.onerror.enabled

• Value: boolean
• Default: false
• Mandatory: no
• Enable/disable redirect even if an error occurred during the certificate upload.

Deprecated

This parameter is deprecated. If possible, do not use it anymore.

Batch jobs

application.modules.batch.context

• Value: string
• Default: -
• Mandatory: no
• Location of the spring application context containing the batch jobs expressed as a valid Unix path, e.g.: /var/opt/nevisidm/nevisidm/conf/batchContext.xmlThe file must be accessible in the file system of the server.

application.modules.batch.classpath

• Value: string
• Default: -
• Mandatory: no
• Colon-separated list of JAR files that are searched when defining custom batch job plug-ins.

Deprecated

This parameter is deprecated since custom batch jobs have been deprecated.

Printing

application.modules.printing.host

• Value: string
• Default: localhost
• Mandatory: no
• Host of the OpenOffice daemon (adnooprint).

application.modules.printing.port

• Value: int
• Default: 8912
• Mandatory: no
• Port of the OpenOffice daemon (adnooprint)

application.modules.printing.printer

• Value: string
• Default: -
• Mandatory: no
• CUPS printer to use when printing letters.

application.modules.printing.dir.target

• Default: /var/tmp/nevisidm_pdfs
• Mandatory: yes
• The location where generated PDFs are stored. The location path must be absolute. The location itself has to be writable by the OpenOffice service.

application.modules.printing.retry.count

• Value: int
• Default: 1
• Mandatory: no
• The connection setup to OpenOffice is sometimes unreliable. In that case, a connection setup retry can help.

application.modules.printing.retry.delay

• Value: int (milliseconds)
• Default: 0
• Mandatory: no
• Delay in milliseconds between connection setup retries (see application.modules.printing.retry.count).

application.modules.printing.retry.wait

• Value: int (milliseconds)
• Default: 5000
• Mandatory: no
• If a printing event fails because of an OpenOffice service problem, the event queue will reschedule and retry the failed event after application.modules.printing.retry.wait milliseconds. Value -1 means that the automatic retry mechanism is disabled. In that case, a manual retry option is available in the Persistent Queue Manager GUI.

On/off switches for misc. functionality

application.feature.templatecollection.default.enabled

• Value: boolean
• Default: true
• Mandatory: no
• Defines whether the template collection functionality is available. If set to true, the default template collection will be used, and all parts related to the handling of template collections in the web GUI will be hidden.

application.feature.email.validation.enabled

• Value: Boolean
• Default: true
• Mandatory: no

Enables/disables e-mail validation.

• If the parameter is set to false, the e-mail validation is disabled. This makes it possible to create/update users with an invalid e-mail address. We advise against disabling this parameter.
• If it is disabled, you have to ensure valid e-mail addresses by other means. If you do not, follow-up errors, such as e-mail sending failures, will occur.
• If the client policy user.email.unicode.allowed is enabled, it is considered over this configuration. For more information, see Client policy.

application.feature.impersonation.restriction.enabled

• Value: Boolean
• Default: true
• Mandatory: no
• Defines whether non-technical users can be impersonators.
• If set to false, impersonation is not restricted to technical users anymore.

application.feature.propvalsearch.caseinsensitive.enabled

• Value: Boolean
• Default: false
• Mandatory: no
• Defines whether the properties in the extended user search are searched case-insensitively. This may result in performance reduction with MySQL databases. We do not recommend turning on this parameter with MySQL databases.

ID and name generators

application.generators.extid.client

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for clients. Possible values are:
• default: The generator uses the primary key of the entity to build an external ID.
• sequence:<seqName> In this case, the generator derives a value from a DB sequence defined by the name <seqName>.
• uuid: If you select this option, the generator generates a random v4 universally unique identifier (UUID) to build an external ID.

application.generators.extid.user

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for users. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.profile

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for profiles. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.unit

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for units. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.credential

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for credentials. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.application

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for applications. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.role

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for roles. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.policyconfig

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for policies. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.template

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for templates. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.enterpriserole

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for enterprise roles. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.personalquestion

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for personal questions. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.extid.authorization

• Value: {default, sequence:<seqName>, uuid}
• Default: default
• Mandatory: no
• Defines the generator used to build external IDs (extIds) for authorizations and enterprise authorizations. For possible values, see the description of the application.generators.extid.client parameter.

application.generators.name.unit

• Value: {none, copy:primarykey}
• Default: none
• Mandatory: no
• Defines the generator used to build the name of a unit.

Reporting

application.modules.reporting.result.max

• Value: int (>0)
• Default: 5000
• Mandatory: no
• Maximum result rows that can be exported.

application.modules.reporting.header.enabled

• Value: boolean
• Default: true
• Mandatory: no
• Defines whether the first row of the generated CVS is used as a header and contains the names of the columns.

application.modules.reporting.chunksize

• Value: int (>0)
• Default: 10000
• Mandatory: no
• Maximum number of records retrieved from the database at once.

application.modules.reporting.separator

• Value: character
• Default: , (comma-separated)
• Mandatory: no
• The separator char Character used to separate columns.

note

If you set this property to something different than the comma character ,, the generated reports no longer comply with the standard CSV format (RFC4180). Generated reports may become unreadable by other programs.

application.modules.reporting.characterencoding

• Value: {UTF-8, US-ASCII, ISO-8859-1, UTF-16}
• Default: UTF-8
• Mandatory: no
• Defines the character encoding used for the exported report.

application.modules.reporting.concurrrentrequests.max

• Value: int (>0)
• Default: 5
• Mandatory: no
• Prevent slow-down of nevisIDM or even DoS caused by too many concurrently generated and, thus, running reports.

application.module.reporting.filter.mandatory.enabled

• Value: boolean
• Default: false
• Mandatory: no
• If set to true, report generation requires a filter to be set.

Monitoring

application.feature.statusservlet.enabled

• Value: {true, false, localhost-only}
• Default: localhost-only
• Mandatory: no
• Defines whether the status servlet is enabled (reachable at <host>:<port>/nevisidm/status). If the parameter is set to localhost-only, only requests from remote address 127.0.0.1 will be answered. See also chapter: Status servlet.

Deprecated

The status servlet is deprecated. To retrieve runtime and database statistics information, use the management service instead (for more information, see the chapter Management Service).

Enterprise roles

application.feature.enterpriserole.enabled

• Default: false
• Mandatory: no
• Enables the enterprise role feature in nevisIDM. If enterprise roles are disabled, the enterprise role views will be hidden on the Web GUI. Further consequences are:
  • Web services: Enterprise role related extensions are not accessible, a business exception is thrown.
  • Business tier: Enterprise role related functionality is not accessible, a business exception is thrown.

CSRF Guard

security.web.csrf.enabled Deprecated org.owasp.csrfguard.Enabled is not supported anymore

• Default: true
• Mandatory: no
• Enables/disables the CSRF Guard. The CSRF Guard protects all POST requests against CSRF attacks.
• Setting this parameter to false seriously weakens the security of the nevisIDM web GUI and is not recommended!

Dataroom limit

application.limits.dataroom.units.max

• Default: 50
• Mandatory: no
• Limits the number of distinct configured unit data rooms that can be added to a profile. If the limit is exceeded for a user profile, a warning is logged during login.
• Increasing the limit and adding more unit data rooms to a profile can lead to decreased performance of nevisIDM!

Migration hints for "login with e-mail" feature

For the "login with e-mail" feature (see parameter authentication.loginWithEmail.enabled above), an additional attribute on the user table TIDMA_USER has been introduced. For small user populations (less than 1000 users), this derived attribute will be initialized automatically during startup of nevisIDM. Any larger user population has to be migrated manually. For this purpose, connect to the database, e.g., with "nevisidmdb sqlplus owner", and submit a statement such as the following samples:

• before enabling:

UPDATE TIDMA_USER SET unique_email = email, ctl_mod_uid = 'migration', ctl_mod_dat = SYSDATE, ctl_tcn = ctl_tcn + 1
WHERE unique_email is null AND email is not null;

• before disabling:

UPDATE TIDMA_USER SET unique_email = null, ctl_mod_uid = 'migration', ctl_mod_dat = SYSDATE, ctl_tcn = ctl_tcn + 1
WHERE unique_email is not null;

nevisIDM log levels (file: log4j.xml)

• The nevisIDM log levels are defined in the file log4j.xml located in the configuration directory of nevisIDM. By default, the log levels aim for productive setups. As a consequence, the log levels are set in such a way that only the most important information is traced.
• For an in-depth analysis in case of problems, you may want to increase the log levels of the right categories.

For every category, you can define the following log levels:

• OFF: no tracing at all.
• ERROR: only errors are traced. Mainly used in productive setups.
• WARN: notifies of issues that should be addressed but do not block the running system. Example: a configuration parameter or SOAP method that is currently used but marked as deprecated.
• INFO: general information is traced. It is more trace than ERROR would produce, but still okay concerning the amount of information in the log file. INFO includes ERROR too.
• DEBUG: very verbose logging output. DEBUG includes ERROR and INFO too.
• TRACE: includes the output of all other log levels and additionally the entering and exiting events of Java methods.

High log levels are likely to slow down nevisIDM. Therefore, use the log levels with care in productive setups or when performance analyses are performed.

ch.adnovum.nevisidm.service.properties

• Involved in reading the nevisIDM configuration file nevisidm-prod.properties. By default, this is set to INFO to trace the configuration parameters into the log file.

ch.adnovum.nevisidm.service.dbperformance

• Set this LOG category to INFO to trace the time spent during DB calls. Set it to DEBUG to trace the variables within the SQL statements and how many rows were fetched by the statement.

ch.adnovum.nevisidm.ws.NevisIdmAdminServiceV1BusinessMapper, ch.adnovum.nevisIdm.ws.NevisIdmSelfAdminServiceV1BusinessMapper, ch.adnovum.nevisIdm.ws.NevisIdmLoginServiceV1BusinessMapper

• These classes contain the actual logic of the SOAP interface implementations for all published versions of the SOAP interface.

ch.adnovum.nevisidm.filters.UserServiceRequestInjectingFilter

• Increase trace level to observe whether calls to nevisIDM create new HTTP sessions on the container. It is especially useful to find out if SOAP clients use session binding or not (they should because otherwise, a new session is created on every call, which means that nevisIDM will have a high memory consumption).

ch.adnovum.nevisidm.web.filters.RequestInfoFilter

• Traces HTTP request headers and parameters received by nevisIDM.

ch.adnovum.nevisidm.session

• Traces HTTP session size when the session is created.

ch.adnovum.nevisidm.web.listeners.IdmSessionListener

• Traces HTTP session created/removed events and the HTTP session size when the session is removed.

Ninja

• Needs to be set to DEBUG such that the debug option server.auth.ninja.log-debug for ninja login module takes effect.

jcan.Op

• By default set to INFO. It will trace information about SOAP method invocations.

jcan.OpContent

• By default set to OFF. If set to DEBUG, all SOAP traffic is dumped into the log file. This is helpful if you want to see the actual SOAP requests and responses.
• Be aware that this log category logs potentially sensitive information. Therefore, do not use this log category in production.

org.springframework.web.filter.CommonsRequestLoggingFilter

• If set to DEBUG, REST requests are dumped into the log file. This is helpful if you want to see the actual REST requests. For Widlfy deployments this has to be configured in the standalone.xml (nevisidm config server). Adjust the log level in the logging subsystem.

Other nevisIDM configuration files

The following files are also available after a nevisIDM installation and are of interest for further customizing nevisIDM.

conf/batchContext.xml

• This file defines available batch jobs and triggers for the nevisIDM application.
  • For example: it defines daily import and export jobs with customer systems or manual cleanup jobs, depending on infrastructure and customer configuration.

configuration/standalone.xml

Deprecated

The Wildfly 10 deployment type has been deprecated in release 2.72.0.x. For future setups, consider using the standalone deployment type. For more information, see Standalone deployment.

• Part of adnwildfly. Configuration of application server parameters such as extensions, profiles and subsystems, paths, interfaces, socket bindings and socket binding groups, system properties, etc.

conf/env.conf

• Contains environment variable definitions such as JAVA_HOME.

conf/vmargs.conf

Deprecated

The Wildfly 10 deployment type has been deprecated in release 2.72.0.x. For future setups, consider using the standalone deployment type. For more information, see Standalone deployment.

• Arguments of the Java Virtual Machine. Example:-Xmx: Defines the maximum size in bytes of the process' heap memory. -Dfile.encoding: character file encoding. This can also be used to define keystores or debug levels for the whole JVM.

conf/dataSource.xml

Deprecated

The dataSource.xml file is an internal detail and not exposed to configuration anymore.

conf/transactionAOP.xml

• Deprecated nevisIDM does no longer use nor support the transactionAOP.xml file.

conf/tlds-alpha-by-domain.txt

• Top level domain list file. Contains the list of valid top level domains. Originally downloaded from http://data.iana.org/TLD/tlds-alpha-by-domain.txt
• File format
  • first row: comment
  • all other rows: one top level domain per line
  • Where the comment format is strict, it should look like: # Version 2015070700, Last Updated Tue Jul 7 07:07:01 2015 UTC
  • more precisely: # Version <version>, Last Updated <weekday> <month> <day> <hour>:<min>:<sec> <year> UTC
• Possible errors:
  • file is missing: FileNotFoundException is thrown
  • I/O error: IOException is thrown
  • malformed file: BadConfigurationException is thrown