Configuration Files
nevisidm-prod.properties
The nevisidm-prod.properties configuration file contains the main configuration of nevisIDM. You can change configurations with the command-line API as described in the chapter nevisIDM Command-Line API
. The default file location of the file is:
/var/opt/nevisidm/nevisidm/conf/nevisidm-prod.properties
The nevisIDM application has to be restarted to activate changes in this configuration file.
The properties support property value expressions that will be replaced on runtime. The next section shows the available syntax:
${exec:command}
- Example: server.tls.keystore-passphrase:
${exec:/var/opt/keys/own/instance/keypass.sh}server.host: ${exec:hostname -f}
- Remarks: Executes the given command and uses its output as value.
${env:variablename}
- Example: server.host: ${env:HOSTNAME}
- Remarks: Uses the value of the specified environment variable.
As of release 2.71.0, the configuration parameters have been renamed. The previous names are deprecated. See Appendix D for the list of previous names.
Server
server.name
- Default:
default
- Mandatory: no
- Name of the server. Give each server a unique name, for the sake of identification. This name will also be logged.
server.port
- Default: 8989
- Mandatory: no
- Configures the port where the server will listen for incoming requests.
server.host
- Default:
0.0.0.0
- Mandatory: no
- Configures the hostname on which the server will listen for incoming requests.
server.max-threads
- Default: 200
- Mandatory: no
- Maximal number of threads used to process incoming requests.
server.tls.enabled
- Default: false
- Mandatory: no
- If set to
true
, this parameter enables TLS for the HTTPS protocol. If disabled, any other server.tls. parameter has no effect.
server.tls.require-client-auth
- Default: false
- Mandatory: no
- Controls if client authentication is required for the TLS connection.-
false
= one-way TLS connection, two-way optional-true
= two-way TLS connection enforced
server.tls.keystore
- Mandatory: no
- Keystore object used for the TLS.
server.tls.keystore-passphrase
- Mandatory: no
server.tls.truststore
- Mandatory: no
- Truststore object used for the TLS. If not specified, then the system's trustore is used.
server.tls.truststore-passphrase
- Mandatory: no
server.tls.crl
- Mandatory: no
- Certificate revocation list.
server.tls.supported-protocols
- Default: -
- Mandatory: no
- Provides a list of protocols that are accepted by the client when trying to initiate a connection with TLS. The default TLS protocol depends on the Java version, that is, the version of the cryptographic provider. For more information see: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html/
server.tls.cipher-suites
- Default: -
- Mandatory: no
- Provides a list of ciphers that are accepted by the client when trying to initiate a connection with TLS. Which cipher suite is the default depends on the Java version, that is, the version of the cryptographic provider. For more information see: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html/
server.auth.ninja.truststore
- Mandatory: no
- Path to the truststore object used to verify the Ninja/SecToken.
server.auth.ninja.log-debug
- Default: false
- Mandatory: no
- If set to true, debug-level tracing information is written to logs. This needs to have the Ninja tracegroup set to DEBUG.
server.max-http-header-size
- Default: 8192
- Mandatory: no
- The maximum header size of requests and responses in bytes. If not configured, the default maximum header size of 8192 bytes is used.
management.server.port
- Default: 8998
- Mandatory: no
- Port on which the management service listens.
management.server.host
- Default:
localhost
- Mandatory: no
- Host on which the management service listens.
messaging.server.port
- Default: 61616
- Mandatory: no
- Port on which the messaging service (JMS) listensCan be disabled by setting the value to
-1
. If you do so, turn off the Provisioning feature, otherwise an exception will be thrown and the instance won't start. Alternatively, you could configure a remote messaging queue. For more information, seeProvisioning providers
. Deprecated :server.jms.port
messaging.server.host
- Default:
localhost
- Mandatory: no
- Host on which the messaging service (JMS) listensThe default value
localhost
is only valid for the local host. If the JMS queue must be accessible remotely, set this parameter to0.0.0.0
.
messaging.server.tls.enabled
- Default: false
- Mandatory: no
- If set to
true
, the messaging must be accessed via TLS. If disabled, any otherserver.tls.messaging.*
parameter has no effect.
messaging.server.tls.keystore
- Default: Same keystore as set in server.tls.keystore
- Mandatory: no
- Defines the keystore object used for messaging TLS. If not defined, the system will use the keystore set in the parameter server.tls.keystore.
messaging.server.tls.keystore-passphrase
- Default: Same passphrase as set in server.tls.keystore-passphrase
- Mandatory: no
- Passphrase for the messaging keystore. If the parameter messaging.server.tls.keystore is not defined, the system will use the passphrase set in the parameter server.tls.keystore-passphrase.
messaging.remote.uri
- Default: -
- Mandatory: no
- If configured, the messaging events are provisioned to a remote queue. For more information, see
Remote messaging queue
.
messaging.remote.expiryQueueUri
- Default: -
- Mandatory: no
- If configured, the messaging Expiry events are sent to a remote queue. For more information, see Remote messaging queue.
messaging.remote.tls.truststore
- Mandatory: no
- Defines the truststore object used for the TLS connection with the messaging server. If this parameter is not specified, the system uses the truststore provided in the system property javax.net.ssl.trustStore. There is no fallback mechanism, in case this system property is not set either.
messaging.remote.tls.truststore-passphrase
application.modules. provisioning.jmsqueue.storage.location
- Default:
/var/opt/nevisidm/${server.name}/jmsstorage
- Mandatory: no
- Path to folder where the JMS data should be stored.
application.modules.provisioning.jmsqueue.username
- Default:
nevisidm
- Mandatory: no
- Name of the user who will access the JMS queue.
application.modules.provisioning.jmsqueue.password
- Default:
secret
- Mandatory: no
- Password of the JMS user.
application.modules.provisioning.jmsqueue.page-size-bytes
- Default: 10485760
- Mandatory: no
- Page size for the provisioning JMS queue if it needs paging.
application.modules.provisioning.jmsqueue.max-size-bytes
- Default: -1 (disabled)
- Mandatory: no
- The maximum size the provisioning JMS queue can have before entering page mode.
security.web.hsts.enabled
- Default:
true
- Mandatory: no
- Adds the Strict-Transport-Security response header to requests, with the following configuration: max-age=31536000; includeSubDomains. This means that a ll present and future pages will have the header for a maximum age of 1 year.
application.cache.permission.units
- Default: true
- Mandatory: no
- With this property, you can set whether the unitIds are cached in the session.
- If you change application.cache.permission.units to false then the units of the data room are not loaded and cached during the session creation. This can be useful if the unit hierarchy and unit data room structure is complex and due to this the memory usage of nevisIDM is high.
DB connection
database.connection.url
- Default:
jdbc:oracle:thin:@<host>:<port>:<sid>
- Mandatory: yes
- Configures the JDBC connection URL used to connect to the DB.
If you use Oracle RAC database, set the DB connection URL in one of the following formats:
jdbc:oracle:thin:@<host-vip>:<port>/<dbservice>
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<host-vip>)(PORT=<1521>))(CONNECT_DATA=(SERVICE_NAME=<dbservice>)))
If you use Mariadb database, instead ofautocommit=0
usepinGlobalTxToPhysicalConnection=1
as URL parameter. For example:jdbc:mysql://<Mariadb host>:3306/nevisidm?pinGlobalTxToPhysicalConnection=1
.
database.connection.username
- Default: -
- Mandatory: no
- Name of DB user.
database.connection.password
- Default: -
- Mandatory: no
- Password of DB user.
database.oracle.thinnet-encryption-level
- Default: 60
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.encryption_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.oracle.thinnet-encryption-types
- Default: 60
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.encryption__types_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.oracle.thinnet-checksum-level
- Default: 60
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.crypto_checksum_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.oracle.thinnet-checksum-types
- Default: 60
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.crypto_checksum_types_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.oracle.sqlnet-allow-weak-crypto
- Default: true
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.allow_weak_crypto_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.transaction.timeout
- Default: 60
- Mandatory: no
- Timeout of transactions in seconds
DB connection pooling
- See the c3p0 documentation for details on parameters.
database.pooling.c3p0.acquire.increment
- Default: 3
- Mandatory: no
- Determines how many connections at a time c3p0 will try to acquire when the pool is exhausted.
database.pooling.c3p0.poolsize.min
- Default: 10
- Mandatory: no
- Defines the minimum number of connections a pool will maintain at any given time.
database.pooling.c3p0.poolsize.max
- Default: 100
- Mandatory: no
- Defines the maximum number of connections a pool will maintain at any given time.
database.pooling.c3p0.checkout.timeout
- Default: 10000
- Mandatory: no
- Defines how long a client will wait for a connection to be checked-in or acquired in case the pool is exhausted (in milliseconds). After the specified (positive) number of milliseconds, the getConnection() call will time-out and break with an SQL exception. Setting
0
means that the client will wait indefinitely.
database.pooling.c3p0.num.helerthreads
- Default: 6
- Mandatory: no
- This parameter defines the number of helper threads.c3p0 is very asynchronous. Slow JDBC operations are generally performed by helper threads that do not hold contended locks. Spreading these operations over multiple threads can sigificantly improve performance, as this allows multiple operations to be performed simultaneously.
database.pooling.c3p0.administrativetask.time.max
- Default: 0
- Mandatory: no
- Defines the number of seconds before the c3p0's thread pool will try to interrupt a hanging task.
- Note that this parameter is explicitly meant for indefinitely hanging tasks, not for slow tasks. In case of slow tasks, just increase the number of threads, via the parameter database.pooling.c3p0.num.helperthreads.
database.pooling.c3p0.connection.age.max
- Default: 0
- Mandatory: no
- Defines a connection's time to live, in seconds.
- A connection older than the defined value will be destroyed and purged from the pool. The value
0
means that no maximum absolute age is enforced. This parameter differs from the parameter database.pooling.c3p0.connection.idle.time.max in that it refers to the absolute age.
database.pooling.c3p0.connection.idle.time.max
- Default: 0
- Mandatory: no
- Defines the time a connection can remain pooled but unused before it is discarded (in seconds). The value
0
means that idle connections never expire.
database.pooling.c3p0.connection.idle.time.excessconnections.max
- Default: 0
- Mandatory: no
- Defines the number of seconds that connections are permitted to remain idle in a pool before they are being culled. This parameter is only valid if the number of connections in the pool excesses database.pooling.c3p0.poolsize.min. For the parameter to have any effect, the value must be smaller than the value set in the parameter database.pooling.c3p0.connection.idle.time.max. The value
0
means no enforcement, excess connections are not idled out.
database.pooling.c3p0.connection.idle.testperiod Value: long (seconds)
- Default: 300
- Mandatory: no
- Defines the (repeating) interval, in seconds, after which to test all idle, pooled but un-checked-out connections.
database.pooling.c3p0.connection.idle.test.oncheckin.enabled
- Default: true
- Mandatory: no
- If true, an operation will be performed asynchronously at every connection checkin to verify that the connection is valid.
database.pooling.c3p0.connection.idle.test.oncheckout.enabled
- Default: false
- Mandatory: no
- If true, an operation will be performed at every connection checkout to verify that the connection is valid.
database.pooling.c3p0.connection.testquery
- Default: select 1 from dual
- Mandatory: no
- Defines the query that will be executed for all connection tests.
database.pooling.c3p0.connection.testerclassname
- Default: com.mchange.v2.c3p0.impl.DefaultConnectionTester
- Mandatory: no
- Sets the fully qualified class name of an implementation of the ConnectionTester interface (or the QueryConnectionTester interface, if you would like instances to have access to a user-configured value of database.pooling.c3p0.connection.testquery).
database.pooling.c3p0.acquire.retryattempts
- Default: 30
- Mandatory: no
- Defines how often c3p0 will try to acquire a new connection from the database before giving up.
- If this value is less than or equal to zero, c3p0 will keep trying to fetch a connection indefinitely.
database.pooling.c3p0.acquire.retrydelay Value: long (milliseconds)
- Default: 100
- Mandatory: no
- Defines the time period, in milliseconds, that c3p0 will wait between attempts to acquire a connection.
database.pooling.c3p0.acquire.failure.break.enabled
- Default: false
- Mandatory: no
- If true, a pooled DataSource will declare itself broken and be permanently closed, in case no connection from the database could be obtained after the number of attempts specified by the parameter database.pooling.c3p0.acquire.retryattempts. If false, the DataSource will remain valid if no connection could be obtained, and will retry acquiring, following a call to getConnection(). The threads will throw an exception, but wait for the pool to acquire a connection.
database.pooling.c3p0.forceignore.unresolvedtransactions.enabled
- Default: false
- Mandatory: no
- The parameter's default is
false
. Changing this setting may lead to bugs and is not recommended. There is only one acceptable use case for the valuetrue
: When the used database allows the connections' autoCommit flag to go tofalse
, but offers no other meaningful support of transactions.
database.pooling.c3p0.connection.unreturned.timeout
- Default: 0
- Mandatory: no
- Defines the timeout time period in seconds. The pool will destroy the connection, if the respective application checks out but then fails to check in within the specified time period.
database.pooling.c3p0.connection.unreturned.debug.enabled Value: boolean
Default: false
Mandatory: no
If true, and if database.pooling.c3p0.connection.unreturned.timeout is set to a positive value, the pool will capture the stack trace of all connection checkouts, via an exception. The stack traces will be printed when unreturned checked-out connections time out. The intention is to debug applications with connection leaks. Such applications occasionally fail to return connections, which leads to pool growth and eventually exhaustion. This happens when the pool hits the value of database.pooling.c3p0.poolsize.max, with all connections checked-out and lost.
Only set this parameter while debugging, as capturing the stack trace will slow down every connection checkout.
database.pooling.c3p0.property.cycle
- Default: 0
- Mandatory: no
- Defines the maximum time in seconds before user configuration constraints are enforced.c3p0 periodically checks the age of connections to see whether they have timed out. This parameter defines the time period after which the checks take place. If you set the value
0
, the check is performed automatically, that is, c3p0 will define a suitable time period.
DB statement optimization
database.performance.bindvar.max
- Value: int
- Default: 100
- Mandatory: no
- nevisIDM uses SQL statements of type
WHERE IN ()
. With this configuration parameter, the number of bind variables used in the IN-statement is limited. - The parameter is related to database performance. The default value should be okay for most setups. There is no need to change it unless you encounter database performance problems with the type of submitted queries.
Multi-client
application.feature.multiclientmode.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Enables the multi-client mode in nevisIDM. If the multi-client mode is disabled, the web GUI will hide the client selections.
REST
rest.limits.result.max
- Value: int
- Default: 1000
- Mandatory: no
- The maximum number of search results. The property applies to all REST interface query methods that support the limit parameter. The goal of the limit is to prevent DoS attacks.
SOAP
webservice.versions
- Value: String
- Default:
<all>
- Mandatory: no
- Defines a comma-separated list of web service versions that are enabled and deployed. If you do not set this parameter, that is, do not include it in the nevisidm-prod.properties file, all web service versions including V1 are enabled (this is the default setting).
Possible values:
latest
: The latest web service version (including the LoginService) is deployed on the corresponding version endpoint and the V1 endpoint.previous
: The web service version before the latest web service version is deployed on the corresponding version endpoint.v1_x
: The web service version v1_x is deployed on the V1_X endpoint.v1
: The latest web service versions (including the LoginService) are deployed on the V1 endpoint.
The LoginService is enabled if the parameter webservice.versions is set to v1
or latest
.
Examples:
- webservice.versions=latest,previous: Only enables the last two web service versions (including V1).
- webservice.versions=v1_44,v1_42? Only enables the web service versions v1_44 and v1_42.
- webservice.versions=: If you set the parameter to an empty value, as shown in the previous example, no web service version is enabled at all.
webservice.limits.httpsession.inactiveinterval
- Value: int (seconds)
- Default: -1
- Mandatory: no
- Defines the max. inactive interval for HTTP sessions created due to SOAP requests to nevisIDM.
-1
means that the default value of the container is used, e.g. 1800 seconds. SOAP requests coming from nevisAuth are not affected by this configuration parameter.
This parameter should only be used if there is no other way to integrate a legacy web service client. Rather than using this parameter, the web service client should be changed to use session binding.
webservice.limits.result.recursion.max
- Value: int
- Default: 50
- Mandatory: no
- The maximum recursion depth of the get and query methods of the SOAP interface. The limit exists for DoS prevention.
webservice.limits.result.query.max
- Value: int
- Default: 1000
- Mandatory: no
- The maximum number of search results for all query methods of the SOAP interface. The limit exists for DoS prevention.
webservice.limits.result.units.max
- Value: int
- Default: 10000
- Mandatory: no
- Denotes the maximum number of units returned (including child units). The limit exists for DoS prevention.
webservice.limits.input.max
- Value: int
- Default: 50
- Mandatory: no
- Denotes the maximum number of input elements allowed for list operations such as
deleteCredentials
. Note that this number should be kept as small as possible since increasing it will implicate an increased probability of optimistic locking exceptions.
webservice.property.roleexclusion.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- Parameter for backward compatible handling of the
scopeName
field format of the PropertyValue type. If this parameter is enabled, the scopeName contained in responses will just hold the application name, i.e., the role name is not appended.
QueryService
application.queryservice.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- Enables the queryService that provides a REST API for full-text queries.
application.queryservice.index.dir
- Value: String
- Default: /tmp/lucene/indexes
- Mandatory: no
- Path to the directory where the index for the queryService has to be stored.
application.queryservice.forcedreindex.enabled
- Value: Boolean
- Default: true
- Mandatory: no
- If this is set to true, the index will be recreated on startup even if an index already exists.
application.queryservice.cronjob.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- This is required if one uses the queryService with a multiInstance setup. It will periodically update the index to make sure it is consistent on all instances.
application.queryservice.cronjob.interval
- Values: long (milliseconds)
- Default: 300000
- Mandatory: no
- The time in milliseconds between two runs of the batch job.
application.queryservice.index.length.min
- Default: 3
- Mandatory: no
- The length of the shortest indexed fragment. Note that this is the same as the shortest possible search.
web.gui.quicksearch.fields
- Value: String
- Default: -(all)
- Mandatory: no
- Defines a comma-separated list of field names. The list must only include field names of entities that support the quick search (Users, Clients, Applications, Units). If set, the quick search feature only performs searches on these fields. If you do not specify this parameter, the system queries all fields of the entities supporting the quick search. Invalid field names are silently ignored (that is, no error message will appear).
This parameter is only valid for the quick search feature. The query service (Query Search REST service) ignores this setting.
Authentication (nevisIDM auth state related)
application.feature.loginid.casesensitive.enabled
- Value: boolean
- Default: false
- Mandatory: no
- If set to true, all user searches based on the login ID and triggered by IDM auth states will be case-sensitive. Default is case-insensitive.
application.feature.emaillogin.enabled
- Value: boolean
- Default: false
- Mandatory: no
- If set to
true
, the e-mail address can be used alternatively to the login ID in the IDM auth states. This feature requires e-mail uniqueness per client, which will be enforced automatically. A data consistency check will be performed during start-up of nevisIDM. If e-mail uniqueness per client is violated, start-up of nevisIDM will stop with a corresponding error message (BadConfigurationException: Found duplicate user e-mails on database
) and the violating users will be traced as ERROR in the log file. The non-unique e-mail addresses have to be cleaned up before the feature can be enabled. - If you plan to enable this feature on an existing nevisIDM installation with a large user population, pay attention to the comments concerning migration in the
Client policy
chapter.
This parameter is deprecated. Instead, use the Client policy parameter authentication.loginWithEmail.enabled. For a description of this parameter, see the chapter Client policy.
Vasco Digipass token
application.feature.vascotoken.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Enables support for credentials of type Vasco containing Digipass Tokens.
... of type Vasco Digipass token
if enabled, the java.library.path must also point to the native Vasco library (aal2sdk-3.11 or compatible). Therefore, add the following line to the vmargs.conf of nevisIDM:-Djava.library.path=/path/to/vasco/library
- If disabled, nevisidm will not try to load the native libs, and Vasco Digipass token related operations are prohibited.
Referenced configuration files
application.config.file.idmrole.authorization
- Default: -Loads the file from the classpath (config folder)
- Mandatory: no
- Configures the location of the authorization properties file.
application.config.file.idmrole.mapping
- Default: -Loads the file from the classpath (config folder)
- Mandatory: no
- Configures the location of the role mapping file. This file groups low-level authorizations to form convenient user roles like
nevisIdm.UserAdmin
.
application.config.file.idmrole.assignment
- Default: -Loads the file from the classpath (config folder)
- Mandatory: no
- Configures the location of the roles assignment file. This file defines which nevisidm role is required to assign a given nevisidm role. For example,
nevisIdm.TechUser=nevisIdm.Root,nevisIdm.AppAdmin
defines that you need to be Root or AppAdmin to assign a TechUser role to someone.
application.config.file.attributeaccess
- Default: - Loads the file from the classpath (config folder)
- Mandatory: no
This feature is deprecated. It will be removed in a future version of nevisIDM.
- Configures the location of the attribute access definition file. This file allows defining the
AttributeAccess
parameters for the Unit screens. The following two parameters are available:- AttributeAccess.UnitCreate.Name
- AttributeAccess.UnitModify.Name
- They can be set to
rw
,ro
oroff
.rw
stands for read-write,ro
for read-only andoff
for no rendering of this GUI element. Note that the elementary right EntityAttributeAccessOverride overrides the read-only behavior, rendering it read-write. It does not affect the off setting. - Example:
- AttributeAccess.UnitCreate.Name=off
- AttributeAccess.UnitModify.Name=ro
application.config.file.tldlist
- Default: -Loads the file from the classpath (config folder)
- Mandatory: no
- Location of the file that contains a list of valid top level domains and is used for validating e-mail addresses. Originally downloaded from http://data.iana.org/TLD/tlds-alpha-by-domain.txt. Also see the chapter: Other nevisIDM configuration files.
Audit module
application.modules.auditing.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Enable/disable the audit module.
application.modules.auditing.provider
- Default: jsonAuditProvider
- Mandatory: no
- Configures which audit provider implementation to use. Possible values are:
- jsonAuditProvider: This audit provider implementation logs events in JSON data format into the log file through theapplication.modules.auditing.fileproperty. You can turn it off by leaving theapplication.modules.auditing.file property empty.
- jcanLogAuditProvider: This audit provider implementation uses the configuration from the logging.yml file. You configure the logging.yml file with the nevisIDM config log.
The audit provider jcanLogAuditProvider has been deprecated. Use the jsonAuditProvider instead.
Previously, it was also possible to use a third provider, the fileAuditProvider. However, the fileAuditProvider has been removed in version 2.76. You can use the jsonAuditProvider instead (as it the covers all the functionality of the fileAuditProvider). To migrate from the fileAuditProvider to the jsonAuditProvider, you need to provide a logging.yml file with the desired log format.
application.modules.auditing.file
- Default: -
- Mandatory: no
- Configures the location of the audit file used by the jsonAuditProvider.
application.modules.auditing.repeat.interval
- Value: long (milliseconds)
- Default: 30000
- Mandatory: no
- Configures the interval in milliseconds between two runs of the audit event processing quartz job.
- Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.auditing.repeat.count
- Value: int (-1: unlimited, 0: never)
- Default: -1
- Mandatory: no
- Configures the number of runs of the audit event processing quartz job. Set it to
0
to disable audit event processing on this instance.-1
means unlimited runs. - Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.auditing.autostartup.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Configures whether the audit processing is automatically started after initialization. If it is set to
false
, the audit processing will not start automatically after nevisIDM restart. - To disable the audit processing, set this parameter to
false
, and set the application.modules.auditing.repeat.count parameter to0
. Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.auditing.rolling.daily
- Value: boolean
- Default: true
- Mandatory: no
- Enables a daily rollover of the audit file.
- This property only applies to a jsonAuditProvider (application.modules.auditing.provider=jsonAuditProvider).
application.modules.auditing.rolling.file.size
- Value: string
- Default: -
- Mandatory: no
- Enables a rollover once the file has reached the specified size. Specify the size in bytes, with the suffixes KB, MB or GB. For example: 20MB. This property only applies to a jsonAuditProvider (application.modules.auditing.provider=jsonAuditProvider).
application.modules.auditing.rolling.file.max.backup.count
- Value: int
- Default: 0
- Mandatory: no
- Defines the maximum number of archived log files to keep. For example, if you set the property to
3
, three archived log files are kept, besides the active log file. Zero0
means that all the archived files are kept. This property only applies to a jsonAuditProvider (application.modules.auditing.provider=jsonAuditProvider). Furthermore, have set one of the properties application.modules.auditing.rolling.file.sizeor application.modules.auditing.rolling.daily.
application.modules.auditing.console
- Value: boolean
- Default: false
- Mandatory: no
- Enables the logging of the audit entries to the console. It writes the audit.log prefix to each entry.
- This parameter is supported only by the JSON audit provider ( application.modules.auditing.provider=jsonAuditProvider). Note that console logging ignores rolling configurations.
Event module
application.modules.event.repeat.interval
- Value: long (milliseconds)
- Default: 30000
- Mandatory: no
- Configures the interval in milliseconds between two runs of the batch event processing quartz job.
- Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.event.repeat.count
- Value: int (-1: unlimited, 0: never)
- Default: -1
- Mandatory: no
- Configures the number of runs of the batch event processing quartz job. Set it to
0
to disable batch event processing on this instance.-1
means unlimited runs. - Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.event.retry.interval
- Value: long (milliseconds)
- Default: 360000
- Mandatory: no
- Configures the time after which the handling of an event is stopped, and the state is reset to NEW from EXECUTING.
application.modules.event.chunksize
- Value: int (≤0: unlimited)
- Default: -1
- Mandatory: no
- Configures the maximum number of batch events the batch event processing quartz job processes per run. Parameter could be used for fine-tuning in case the concurrent number of events is too high compared to the heap memory size available. Set chunkSize to 0 or a negative value to apply no chunking, i.e., process all batch events available. Usually, it should not be necessary to change the value of this parameter.
application.modules.event.autostartup.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Configures whether the event processing is automatically started after initialization. If it is set to false, the event processing will not start automatically after nevisIDM restart. To disable the event processing, set this parameter to
false
, and set the application.modules.event.repeat.count parameter to0
. Do not change this parameter unless the integration partner explicitly recommends it!
Provisioning module
application.modules.provisioning.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Enable/disable the provisioning module.
application.modules.provisioning.jmsqueue.username
- Default: -
- Mandatory: no
- The username used for authentication against the JMS destination.
application.modules.provisioning.jmsqueue.password
- Default: -
- Mandatory: no
- The password used for authentication against the JMS destination.
application.modules.provisioning.jmsqueue.msgttl
- Value: long (milliseconds)
- Default: 3600000
- Mandatory: no
- Defines the time-to-live of the JMS queue message.
application.modules.provisioning.erole.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Enable/disable the transparency of the enterprise role provisioning, including the provisioning of adding and deleting of member roles to/from an enterprise role.
Property value encryption
security.properties.key
- Default: (hidden)
- Mandatory: no
- Encryption key. The key value is a base64 encoded string. The key must be explicitly defined for every setup, instead of leaving the default. For AES, the key length can be 8, 16 and 24 bytes.
security.properties.iv
- Default: (hidden)
- Mandatory: no
- Initialization vector
iv
. The vector must be explicitly defined for every setup, instead of leaving the default. For AES, the vector length must be 16 bytes.
This property is deprecated and not of use anymore. The initialization vector is now randomly generated with a secure random number generator for every new encryption. If the property is set, removal of the value requires migrating encryption with EncryptionFallbackCorrectorJob
.
security.properties.algorithm
- Default: AES
- Mandatory: no
- Encryption algorithm.
security.properties.cipher
- Default:
AES/GCM/NoPadding
- Mandatory: no
- Encryption cipher.
security.properties.paddinglength
- Default: 10
- Mandatory: no
- Padding length.
security.properties.fallback.enabled
- Default: false
- Mandatory: no
- Boolean flag to enable fallback mechanism for cases when the default value of
security.properties.key
and/orsecurity.properties.cipher
is changed on a live system.
SMTP server
application.mail.smtp.host
- Default: -
- Mandatory: no
- Host name of the SMTP server.
application.mail.smtp.port
- Default: -
- Mandatory: no
- Port of the SMTP server.
application.mail.smtp.username
- Default: -
- Mandatory: no
- Username used for the SMTP authentication.
application.mail.smtp.password
- Default: -
- Mandatory: no
- Password for the SMTP authentication.
application.mail.smtp.connection.timeout
- Default: 60
- Mandatory: no
application.mail.smtp.timeout
- Default: 60
- Mandatory: no
application.mail.debug.enabled
- Default: false
- Mandatory: no
- If set to
true
, the system will write the debug information to stdout. - In installations using systemd, the output is redirected to the journal. You can retrieve it with the following command (replace
<instance-name>
with the relevant nevisIDM instance name):journalctl -u nevisidm@<instance-name>.service -b
application.mail.sender
- Default: -
- Mandatory: no
- Default sender address in e-mails.
application.mail.htmltemplate.encoding
- Value: string
- Default: ISO-8859-1
- Mandatory: no
- The character encoding of the uploaded HTML email templates.
- Be careful when you change the value of this parameter after you have already uploaded a few templates with the previous character encoding. In this case, you have to re-upload all existing HTML email templates with the new encoding via the Template Store. There is no automatic transcoding of templates in nevisIDM.
application.mail.smtp.starttls.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- Use this parameter to enable or disable STARTTLS for the connection with the SMTP server. If STARTTLS is enabled, the system will use TLS/SSL to connect to the SMTP server to create a secure connection.
application.mail.smtp.tls.truststore
- Default: -
- Mandatory: no
- Truststore object used for the TLS with the SMTP server. If not specified, then the system's trustore is used.
application.mail.smtp.tls.truststore-passphrase
- Default: -
- Mandatory: -
Legacy / backward compatibility
application.feature.legacy.passwordprefix
- Value: string
- Default: none
- Mandatory: no
- Used to smoothly migrate prefixed esadb/esmap passwords to nevisIDM.
GUI
web.gui.languages.default
- Value: {de, fr, it, en}
- Default: de
- Mandatory: no
- Two-letter lowercase ISO 639 code of default language.
- Defines the language of newly created user objects if no language has been set explicitly.
- Defines the default language for GUI sessions
web.gui.languages.list
- Value: {de, fr, it, en}
- Default: de, en, fr, it
- Mandatory: no
- Comma-separated list of ISO 639 codes.
web.gui.facing.location
- Value: string
- Default: -
- Mandatory: no
- Location (directory, JAR or ZIP file) of custom facing. On the top-level, it must contain the directories CSS and/or images.
- Has to be relative to the instance folder (e.g. conf/facing/).
web.gui.facing.cache.size
- Value: int (bytes)
- Default: 100000
- Mandatory: no
- Maximum sizeup to which a facing entry is cached in memory. Files larger than that value are read from the disk on every access.
web.gui.uri.logout
- Value: string
- Default: /?logout
- Mandatory: no
- Defines the URI that will be used upon logout, either
Logout.do
for application logout or/?logout
for SSO logout.
application.config.environment.name
- Value: string
- Default: -
- Mandatory: no
- Displayed in the Configuration Files as
EnvironmentName
(for example:test
,production
).
web.gui.debug.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Configures whether additional debug information should be displayed. NEVER use this in production.
web.gui.messageresource.dir
- Default: -
- Mandatory: no
- Path to the customized LitDict resource files. The customized file should be named as follows:
custLitDict[_<language code>].properties
. The property files will be read with UTF-8 encoding.
web.gui.landingpage
- Default: selfadmin
- Mandatory: no
- Identifier of a nevisIDM subcomponent if the user accesses the nevisIDM top path, e.g., localhost/nevisidm.
- This can be one of the following identifiers: UserSearch, TemplateManager, UnitModify, ProfileSearch, ClientSearch, ApplicationSearch, UnitSearch, PolicyOverview, selfadmin.
If the user does not have read access on the specified component, a fallback to a viewable page is performed. Setting a relative path instead of an identifier is deprecated.
web.gui.personalquestion.enabled
- Value: boolean
- Default: false
- Mandatory: no
- If this parameter is false, the Personal Question functionality will be hidden on the GUI. This parameter must be set to true if security question credentials are used.
Certificate upload
web.gui.certupload.uri
- Value: string (URI)
- Default: /nevisidm/certupload
- Mandatory: no
- Defines the link that will be provided in certificate upload mails.
This parameter is deprecated. If possible, do not use it anymore.
web.gui.certupload.redirect.uri
- Default: -
- Mandatory: no
- Redirect location after successful certificate upload.
This parameter is deprecated. If possible, do not use it anymore.
web.gui.certupload.redirect.onerror.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Enable/disable redirect even if an error occurred during the certificate upload.
This parameter is deprecated. If possible, do not use it anymore.
Batch jobs
application.modules.batch.context
- Value: string
- Default: -
- Mandatory: no
- Location of the spring application context containing the batch jobs expressed as a valid Unix path, e.g.: /var/opt/nevisidm/nevisidm/conf/batchContext.xmlThe file must be accessible in the file system of the server.
application.modules.batch.classpath
- Value: string
- Default: -
- Mandatory: no
- Colon-separated list of JAR files that are searched when defining custom batch job plug-ins.
This parameter is deprecated since custom batch jobs have been deprecated.
Printing
application.modules.printing.host
- Value: string
- Default: localhost
- Mandatory: no
- Host of the OpenOffice daemon (adnooprint).
application.modules.printing.port
- Value: int
- Default: 8912
- Mandatory: no
- Port of the OpenOffice daemon (adnooprint)
application.modules.printing.printer
- Value: string
- Default: -
- Mandatory: no
- CUPS printer to use when printing letters.
application.modules.printing.dir.target
- Default: /var/tmp/nevisidm_pdfs
- Mandatory: yes
- The location where generated PDFs are stored. The location path must be absolute. The location itself has to be writable by the OpenOffice service.
application.modules.printing.retry.count
- Value: int
- Default: 1
- Mandatory: no
- The connection setup to OpenOffice is sometimes unreliable. In that case, a connection setup retry can help.
application.modules.printing.retry.delay
- Value: int (milliseconds)
- Default: 0
- Mandatory: no
- Delay in milliseconds between connection setup retries (see application.modules.printing.retry.count).
application.modules.printing.retry.wait
- Value: int (milliseconds)
- Default: 5000
- Mandatory: no
- If a printing event fails because of an OpenOffice service problem, the event queue will reschedule and retry the failed event after
application.modules.printing.retry.wait milliseconds
. Value-1
means that the automatic retry mechanism is disabled. In that case, a manual retry option is available in the Persistent Queue Manager GUI.
On/off switches for misc. functionality
application.feature.templatecollection.default.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Defines whether the template collection functionality is available. If set to
true
, the default template collection will be used, and all parts related to the handling of template collections in the web GUI will be hidden.
application.feature.email.validation.enabled
- Value: Boolean
- Default: true
- Mandatory: no
Enables/disables e-mail validation.
- If the parameter is set to
false
, the e-mail validation is disabled. This makes it possible to create/update users with an invalid e-mail address. We advise against disabling this parameter. - If it is disabled, you have to ensure valid e-mail addresses by other means. If you do not, follow-up errors, such as e-mail sending failures, will occur.
- If the client policy
user.email.unicode.allowed
is enabled, it is considered over this configuration. For more information, see Configuration Files.
application.feature.impersonation.restriction.enabled
- Value: Boolean
- Default: true
- Mandatory: no
- Defines whether non-technical users can be impersonators.
- If set to
false
, impersonation is not restricted to technical users anymore.
application.feature.propvalsearch.caseinsensitive.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- Defines whether the properties in the extended user search are searched case-insensitively. This may result in performance reduction with MySQL databases. We do not recommend turning on this parameter with MySQL databases.
ID and name generators
application.generators.extid.client
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for clients. Possible values are:
- default: The generator uses the primary key of the entity to build an external ID.
sequence:<seqName>
In this case, the generator derives a value from a DB sequence defined by the name<seqName>
.- uuid: If you select this option, the generator generates a random v4 universally unique identifier (UUID) to build an external ID.
application.generators.extid.user
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for users. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.profile
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for profiles. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.unit
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for units. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.credential
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for credentials. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.application
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for applications. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.role
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for roles. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.policyconfig
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for policies. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.template
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for templates. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.enterpriserole
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for enterprise roles. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.personalquestion
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for personal questions. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.authorization
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for authorizations and enterprise authorizations. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.name.unit
- Value: {none, copy:primarykey}
- Default: none
- Mandatory: no
- Defines the generator used to build the name of a unit.
Reporting
application.modules.reporting.result.max
- Value: int (
>0
) - Default: 5000
- Mandatory: no
- Maximum result rows that can be exported.
application.modules.reporting.header.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Defines whether the first row of the generated CVS is used as a header and contains the names of the columns.
application.modules.reporting.chunksize
- Value: int (
>0
) - Default: 10000
- Mandatory: no
- Maximum number of records retrieved from the database at once.
application.modules.reporting.separator
- Value: character
- Default: , (comma-separated)
- Mandatory: no
- The separator char Character used to separate columns.
If you set this property to something different than the comma character ,
, the generated reports no longer comply with the standard CSV format (RFC4180). Generated reports may become unreadable by other programs.
application.modules.reporting.characterencoding
- Value: {UTF-8, US-ASCII, ISO-8859-1, UTF-16}
- Default: UTF-8
- Mandatory: no
- Defines the character encoding used for the exported report.
application.modules.reporting.concurrrentrequests.max
- Value: int (
>0
) - Default: 5
- Mandatory: no
- Prevent slow-down of nevisIDM or even DoS caused by too many concurrently generated and, thus, running reports.
application.module.reporting.filter.mandatory.enabled
- Value: boolean
- Default: false
- Mandatory: no
- If set to
true
, report generation requires a filter to be set.
Monitoring
application.feature.statusservlet.enabled
- Value: {true, false, localhost-only}
- Default: localhost-only
- Mandatory: no
- Defines whether the status servlet is enabled (reachable at
<host>:<port>/nevisidm/status
). If the parameter is set tolocalhost-only
, only requests from remote address 127.0.0.1 will be answered. See also chapter: Status servlet.
The status servlet is deprecated. To retrieve runtime and database statistics information, use the management service instead (for more information, see the chapter Management Service).
Enterprise roles
application.feature.enterpriserole.enabled
- Default: false
- Mandatory: no
- Enables the enterprise role feature in nevisIDM. If enterprise roles are disabled, the enterprise role views will be hidden on the Web GUI. Further consequences are:
- Web services: Enterprise role related extensions are not accessible, a business exception is thrown.
- Business tier: Enterprise role related functionality is not accessible, a business exception is thrown.
CSRF Guard
security.web.csrf.enabled Deprecated org.owasp.csrfguard.Enabled is not supported anymore
- Default: true
- Mandatory: no
- Enables/disables the CSRF Guard. The CSRF Guard protects all POST requests against CSRF attacks.
- Setting this parameter to
false
seriously weakens the security of the nevisIDM web GUI and is not recommended!
Dataroom limit
application.limits.dataroom.units.max
- Default: 50
- Mandatory: no
- Limits the number of distinct configured unit data rooms that can be added to a profile. If the limit is exceeded for a user profile, a warning is logged during login.
- Increasing the limit and adding more unit data rooms to a profile can lead to decreased performance of nevisIDM!
nevisIDM logging
nevisIDM log related properties
By default, nevisIDM stores logs in the instance directory (/var/opt/nevisidm/<instance>/log
). However, the logging behavior can be customized through the nevisidm-prod.properties
configuration file.
To configure a custom logging location, you can use the server.log.dir
property in this file.
nevisIDM log levels (file: logging.yml)
- The nevisIDM log levels are defined in the file logging.yml located in the configuration directory of nevisIDM. By default, the log levels aim for productive setups. As a consequence, the log levels are set in such a way that only the most important information is traced.
- For an in-depth analysis in case of problems, you may want to increase the log levels of the right categories.
For every category, you can define the following log levels:
- OFF: no tracing at all.
- ERROR: only errors are traced. Mainly used in productive setups.
- WARN: notifies of issues that should be addressed but do not block the running system. Example: a configuration parameter or SOAP method that is currently used but marked as deprecated.
- INFO: general information is traced. It is more trace than ERROR would produce, but still okay concerning the amount of information in the log file. INFO includes ERROR too.
- DEBUG: very verbose logging output. DEBUG includes ERROR and INFO too.
- TRACE: includes the output of all other log levels and additionally the entering and exiting events of Java methods.
High log levels are likely to slow down nevisIDM. Therefore, use the log levels with care in productive setups or when performance analyses are performed.
Note that in a YAML file, OFF is a reserved keyword. To disable the tracing of the log level, set OFF with double-quotes in the logging.yml file, otherwise it will not be parsed correctly. Example:
level: `OFF`
The following section describes the most important categories:
ch.adnovum.nevisidm.service.properties
- Involved in reading the nevisIDM configuration file nevisidm-prod.properties. By default, this is set to INFO to trace the configuration parameters into the log file.
ch.adnovum.nevisidm.service.dbperformance
- Set this LOG category to INFO to trace the time spent during DB calls. Set it to DEBUG to trace the variables within the SQL statements and how many rows were fetched by the statement.
ch.adnovum.nevisidm.ws.NevisIdmAdminServiceV1BusinessMapper, ch.adnovum.nevisIdm.ws.NevisIdmSelfAdminServiceV1BusinessMapper, ch.adnovum.nevisIdm.ws.NevisIdmLoginServiceV1BusinessMapper
- These classes contain the actual logic of the SOAP interface implementations for all published versions of the SOAP interface.
ch.adnovum.nevisidm.web.filters.UserServiceRequestInjectingFilter
- Increase trace level to observe whether calls to nevisIDM create new HTTP sessions on the container. It is especially useful to find out if SOAP clients use session binding or not (they should because otherwise, a new session is created on every call, which means that nevisIDM will have a high memory consumption).
ch.adnovum.nevisidm.web.filters.RequestInfoFilter
- Traces HTTP request headers and parameters received by nevisIDM.
ch.adnovum.nevisidm.session
- Traces HTTP session size when the session is created.
ch.adnovum.nevisidm.web.listeners.IdmSessionListener
- Traces
HTTP session created/removed
events and the HTTP session size when the session is removed.
Ninja
- Needs to be set to DEBUG such that the debug option server.auth.ninja.log-debug for ninja login module takes effect.
jcan.Op
- By default set to INFO. It will trace information about SOAP method invocations.
jcan.OpContent
- By default set to OFF. If set to DEBUG, all SOAP traffic is dumped into the log file. This is helpful if you want to see the actual SOAP requests and responses.
- Be aware that this log category logs potentially sensitive information. Therefore, do not use this log category in production.
org.springframework.web.filter.CommonsRequestLoggingFilter
- If set to DEBUG, REST requests are dumped into the log file. This is helpful if you want to see the actual REST requests.
org.owasp
- Controls the log entries of the CSRFGuard.
Autodetect logging changes
Autodetect log configuration changes can be done by adding monitorInterval: 5 to the log configuration. The unit of measure for the parameter is seconds, and the minimum interval is 5 seconds. See also the following code snippet as example:
monitorInterval setting
Configuration:
monitorInterval: 5
properties:
property:
name: LOG_PATTERN
value: "%d{ISO8601} %-15.15t %-40.40c %-5.5p %m%n"
appenders:
...
Other nevisIDM configuration files
The following files are also available after a nevisIDM installation and are of interest for further customizing nevisIDM.
conf/batchContext.xml
- This file defines available batch jobs and triggers for the nevisIDM application.
- For example: it defines daily import and export jobs with customer systems or manual cleanup jobs, depending on infrastructure and customer configuration.
conf/dataSource.xml
The dataSource.xml file is an internal detail and not exposed to configuration anymore.
conf/transactionAOP.xml
- Deprecated nevisIDM does no longer use nor support the transactionAOP.xml file.
conf/env.c onf
- Contains environment variable definitions such as JAVA_HOME.
conf/tlds-alpha-by-domain.txt
- Top level domain list file. Contains the list of valid top level domains. Originally downloaded from http://data.iana.org/TLD/tlds-alpha-by-domain.txt
- File format
- first row: comment
- all other rows: one top level domain per line
- Where the comment format is strict, it should look like:
# Version 2015070700, Last Updated Tue Jul 7 07:07:01 2015 UTC
- more precisely:
# Version <version>, Last Updated <weekday> <month> <day> <hour>:<min>:<sec> <year> UTC
- Possible errors:
- file is missing: FileNotFoundException is thrown
- I/O error: IOException is thrown
- malformed file: BadConfigurationException is thrown