Configuration Files
nevisidm-prod.properties
The nevisidm-prod.properties configuration file contains the main configuration of nevisIDM. You can change configurations with the command-line API as described in the chapter nevisIDM Command-Line API
. The default file location of the file is:
/var/opt/nevisidm/nevisidm/conf/nevisidm-prod.properties
The nevisIDM application has to be restarted to activate changes in this configuration file.
The properties support property value expressions that will be replaced on runtime. The next section shows the available syntax:
${exec:command}
- Example: server.tls.keystore-passphrase:
${exec:/var/opt/keys/own/instance/keypass.sh}server.host: ${exec:hostname -f}
- Remarks: Executes the given command and uses its output as value.
${env:variablename}
- Example: server.host: ${env:HOSTNAME}
- Remarks: Uses the value of the specified environment variable.
As of release 2.71.0, the configuration parameters have been renamed. The previous names are deprecated. See Appendix D for the list of previous names.
Server
server.name
- Default:
default
- Mandatory: no
- Name of the server. Give each server a unique name, for the sake of identification. This name will also be logged.
server.port
- Default: 8989
- Mandatory: no
- Configures the port where the server will listen for incoming requests.
server.host
- Default:
0.0.0.0
- Mandatory: no
- Configures the hostname on which the server will listen for incoming requests.
server.max-threads
- Default: 200
- Mandatory: no
- Maximal number of threads used to process incoming requests.
server.tls.enabled
- Default: false
- Mandatory: no
- If set to
true
, this parameter enables TLS for the HTTPS protocol. If disabled, any other server.tls. parameter has no effect.
server.tls.require-client-auth
- Default: false
- Mandatory: no
- Controls if client authentication is required for the TLS connection.-
false
= one-way TLS connection, two-way optional-true
= two-way TLS connection enforced
server.tls.keystore
- Mandatory: no
- Keystore object used for the TLS.
server.tls.keystore-passphrase
- Mandatory: no
server.tls.truststore
- Mandatory: no
- Truststore object used for the TLS. If not specified, then the system's trustore is used.
server.tls.truststore-passphrase
- Mandatory: no
server.tls.crl
- Mandatory: no
- Certificate revocation list.
server.tls.supported-protocols
- Default: -
- Mandatory: no
- Provides a list of protocols that are accepted by the client when trying to initiate a connection with TLS. The default TLS protocol depends on the Java version, that is, the version of the cryptographic provider. For more information see: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html/
server.tls.cipher-suites
- Default: -
- Mandatory: no
- Provides a list of ciphers that are accepted by the client when trying to initiate a connection with TLS. Which cipher suite is the default depends on the Java version, that is, the version of the cryptographic provider. For more information see: http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html/
server.auth.ninja.truststore
- Mandatory: no
- Path to the truststore object used to verify the Ninja/SecToken.
server.max-http-header-size
- Default: 8192
- Mandatory: no
- The maximum header size of requests and responses in bytes. If not configured, the default maximum header size of 8192 bytes is used.
management.server.port
- Default: 8998
- Mandatory: no
- Port on which the management service listens.
management.server.host
- Default:
localhost
- Mandatory: no
- Host on which the management service listens.
server.max-form-content-size
- Default: 200000
- Mandatory: no
- If set, it defines the max size, in bytes, of the content of forms used in nevisIDM. Change may be needed if a large input field is needed. If not configured, the default size of 200.000 bytes is set.
server.max-form-keys
- Default: 1000
- Mandatory: no
- If set, it defines the max size in number of keys used in nevisIDM. Change may be needed if many input field is needed. If not configured, the default value of 1000 keys is set.
messaging.server.port
- Default: 61616
- Mandatory: no
- Port on which the messaging service (JMS) listensCan be disabled by setting the value to
-1
. If you do so, turn off the Provisioning feature, otherwise an exception will be thrown and the instance won't start. Alternatively, you could configure a remote messaging queue. For more information, seeProvisioning providers
. Deprecated :server.jms.port
messaging.server.host
- Default:
localhost
- Mandatory: no
- Host on which the messaging service (JMS) listensThe default value
localhost
is only valid for the local host. If the JMS queue must be accessible remotely, set this parameter to0.0.0.0
.
messaging.server.tls.enabled
- Default: false
- Mandatory: no
- If set to
true
, the messaging must be accessed via TLS. If disabled, any otherserver.tls.messaging.*
parameter has no effect.
messaging.server.tls.keystore
- Default: Same keystore as set in server.tls.keystore
- Mandatory: no
- Defines the keystore object used for messaging TLS. If not defined, the system will use the keystore set in the parameter server.tls.keystore.
messaging.server.tls.keystore-passphrase
- Default: Same passphrase as set in server.tls.keystore-passphrase
- Mandatory: no
- Passphrase for the messaging keystore. If the parameter messaging.server.tls.keystore is not defined, the system will use the passphrase set in the parameter server.tls.keystore-passphrase.
messaging.remote.uri
- Default: -
- Mandatory: no
- If configured, the messaging events are provisioned to a remote queue. For more information, see
Remote messaging queue
.
messaging.remote.expiryQueueUri
- Default: -
- Mandatory: no
- If configured, the messaging Expiry events are sent to a remote queue. For more information, see Remote messaging queue.
messaging.remote.dlqUri
- Default: -
- Mandatory: no
- If configured, the messaging DeadLetter events are sent to a remote queue. For more information, see Remote messaging queue.
messaging.remote.tls.truststore
- Mandatory: no
- Defines the truststore object used for the TLS connection with the messaging server. If this parameter is not specified, the system uses the truststore provided in the system property javax.net.ssl.trustStore. There is no fallback mechanism, in case this system property is not set either.
messaging.remote.tls.truststore-passphrase
- Mandatory: no
- Passphrase for
messaging.remote.tls.truststore
.
messaging.bridge.failure.retry.interval
- Default: 10000
- Mandatory: no
- This number of milliseconds are waited between reconnection to bridge target by Artemis JMS bridge.
- It is passed to
org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl
asfailureRetryInterval
property.
- It is passed to
messaging.bridge.max.retries.on.failure
- Default: 6
- Mandatory: no
- Number of reconnection attempts performed by the Artemis JSM bridge on connection or message sending failure.
- It is passed to
org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl
asmaxRetries
property.
- It is passed to
application.modules.provisioning.jmsqueue.storage.location
- Default:
/var/opt/nevisidm/${server.name}/jmsstorage
- Mandatory: no
- Path to folder where the JMS data should be stored.
application.modules.provisioning.jmsqueue.username
- Default:
nevisidm
- Mandatory: no
- Name of the user who will access the JMS queue.
application.modules.provisioning.jmsqueue.password
- Default:
secret
- Mandatory: no
- Password of the JMS user.
application.modules.provisioning.jmsqueue.page-size-bytes
- Default: 10485760
- Mandatory: no
- Page size for the provisioning JMS queue if it needs paging.
application.modules.provisioning.jmsqueue.max-size-bytes
- Default: -1 (disabled)
- Mandatory: no
- The maximum size the provisioning JMS queue can have before entering page mode.
application.modules.provisioning.connection.factory.classname
- Default: by default IDM uses the embedded Artemis broker.
- Mandatory: no
- Connection factory class name.
- The class must implement
jakarta.jms.XAConnectionFactory
- E.g.
org.apache.activemq.artemis.jms.client.ActiveMQXAConnectionFactory
.
- The class must implement
application.modules.provisioning.connection.factory.xa.properties
- Default: by default IDM uses the embedded Artemis broker.
- Mandatory: no
- Initialization properties for
application.modules.provisioning.connection.factory.classname
.- E.g.
{"brokerURL": "https://artemis-server:61616", "user": "producer", "password": "secret"}
.
- E.g.
application.modules.provisioning.destination.classname
- Default: by default IDM uses the embedded Artemis broker.
- Mandatory: no
- JMS destination class name.
- The class must implement
jakarta.jms.Destination
- E.g.
org.apache.activemq.artemis.jms.client.ActiveMQQueue
.
- The class must implement
application.modules.provisioning.destination.name
- Default: by default IDM uses the embedded Artemis broker.
- Mandatory: no
- JMS queue name; constructor parameter for
application.modules.provisioning.destination.classname
.- E.g.
Provisioning
.
- E.g.
application.modules.provisioning.destination.properties
- Default: by default IDM uses the embedded Artemis broker.
- Mandatory: no
- Possible initialization properties for
application.modules.provisioning.destination.classname
.
security.web.hsts.enabled
- Default:
true
- Mandatory: no
- Adds the Strict-Transport-Security response header to requests, with the following configuration: max-age=31536000; includeSubDomains. This means that a ll present and future pages will have the header for a maximum age of 1 year.
application.cache.permission.units
- Default: true
- Mandatory: no
- With this property, you can set whether the unitIds are cached in the session.
- If you change application.cache.permission.units to false then the units of the data room are not loaded and cached during the session creation. This can be useful if the unit hierarchy and unit data room structure is complex and due to this the memory usage of nevisIDM is high.
DB connection
database.connection.url
- Default:
jdbc:oracle:thin:@<host>:<port>:<sid>
- Mandatory: yes
- Configures the JDBC connection URL used to connect to the DB.
If you use Oracle RAC database, set the DB connection URL in one of the following formats:
jdbc:oracle:thin:@<host-vip>:<port>/<dbservice>
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=<host-vip>)(PORT=<1521>))(CONNECT_DATA=(SERVICE_NAME=<dbservice>)))
If you use Mariadb database, instead ofautocommit=0
usepinGlobalTxToPhysicalConnection=1
as URL parameter. For example:jdbc:mysql://<Mariadb host>:3306/nevisidm?pinGlobalTxToPhysicalConnection=1
.
database.connection.username
- Default: -
- Mandatory: no
- Name of DB user.
database.connection.password
- Default: -
- Mandatory: no
- Password of DB user.
database.oracle.thinnet-encryption-level
- Default: 60
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.encryption_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.oracle.thinnet-encryption-types
- Default: 60
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.encryption__types_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.oracle.thinnet-checksum-level
- Default: 60
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.crypto_checksum_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.oracle.thinnet-checksum-types
- Default: 60
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.crypto_checksum_types_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.oracle.sqlnet-allow-weak-crypto
- Default: true
- Mandatory: no
- Value to be set for Oracle database connection's sqlnet.allow_weak_crypto_client parameter. If the property is not set or IDM is not connecting to an Oracle database, the setting is disregarded.
database.transaction.timeout
- Default: 60
- Mandatory: no
- Timeout of transactions in seconds
database.connection.read.only.url
- Default: value of
database.connection.url
attribute. - Mandatory: no
- Configures the read-only JDBC connection URL used to connect to the DB if is XA enabled. If XA is disabled, this configuration is not used.
database.connection.read.only.username
- Default: value of
database.connection.username
attribute. - Mandatory: no
- Name of DB user if XA is enabled. If XA is disabled, this configuration is not used.
database.connection.read.only.password
- Default: value of
database.connection.password
attribute. - Mandatory: no
- Password of DB user if XA is enabled. If XA is disabled, this configuration is not used.
DB connection pooling
- See the Atomikos TransactionsEssentials https://www.atomikos.com/Main/TransactionsEssentials documentation for details on parameters.
database.connection.pool.size.min
- Default: 3
- Mandatory: no
- Sets the minimum pool size. The amount of pooled connections does not go below that value. The pool opens this amount of connections during initialization.
database.connection.pool.size.max
- Default: 100
- Mandatory: no
- Sets the maximum pool size. The amount of pooled connections does not go above this value.
database.connection.login.timeout
- Default: 30
- Mandatory: no
- Sets the maximum time in seconds that this data source waits while attempting to connect to a database.
- A value of zero specifies that the timeout is the default system timeout if there is one; otherwise, it specifies that there is no timeout.
- When a DataSource object is created, the login timeout is initially zero.
database.connection.max.lifetime
- Default: 0
- Mandatory: no
- Sets the maximum amount of seconds that a connection is kept in the pool before it is destroyed automatically. The default 0 means no limit.
database.connection.borrow.connection.timeout
- Default: 30
- Mandatory: no
- Sets the maximum amount of time in seconds the pool will block waiting for a connection to become available in the pool when it is empty.
database.connection.max.idle.time
- Default: 60
- Mandatory: no
- Sets the maximum amount of seconds that unused excess connections stay in the pool.
Excess connections are connections that are created above the minPoolSize limit.
database.connection.test.query
- Default:
select 1 from DUAL
- Mandatory: no
- Sets the SQL query or statement used to validate a connection before returning it.
database.connection.reap.timeout
- Default: 0
- Mandatory: no
- Sets the amount of time (in seconds) that the connection pool allows a connection to be in use, before claiming it back.
database.connection.read.only.pool.size.min
- Default: value of
database.connection.pool.size.min
attribute or 3. - Mandatory: no
- Sets the minimum pool size if XA is enabled. The amount of pooled connections does not go below that value. The pool opens this amount of connections during initialization.
database.connection.read.only.pool.size.max
- Default: value of
database.connection.pool.size.max
attribute or 100. - Mandatory: no
- Sets the maximum pool size if XA is enabled. The amount of pooled connections does not go above this value.
database.connection.read.only.login.timeout
- Default: value of
database.connection.pool.login.timeout
attribute or 30. - Mandatory: no
- Sets the maximum time in seconds that this data source waits while attempting to connect to a database if XA is enabled.
- A value of zero specifies that the timeout is the default system timeout if there is one; otherwise, it specifies that there is no timeout.
- When a DataSource object is created, the login timeout is initially zero.
database.connection.read.only.max.lifetime
- Default: value of
database.connection.max.lifetime
attribute or 0. - Mandatory: no
- Sets the maximum amount of seconds that a connection is kept in the pool before it is destroyed automatically if XA is enabled. The default 0 means no limit.
database.connection.read.only.borrow.connection.timeout
- Default: value of
database.connection.borrow.connection.timeout
attribute or 30 - Mandatory: no
- Sets the maximum amount of time in seconds the pool will block waiting for a connection to become available in the pool when it is empty if XA is enabled.
database.connection.read.only.max.idle.time
- Default: value of
database.connection.max.idle.time
attribute or 60 - Mandatory: no
- Sets the maximum amount of seconds that unused excess connections stay in the pool if XA is enabled.
- Note: excess connections are connections that are created above the minPoolSize limit.
database.connection.read.only.test.query
- Default: value of
database.connection.test.query
attribute orselect 1 from DUAL
- Mandatory: no
- Sets the SQL query or statement used to validate a connection before returning it if XA is enabled.
database.connection.read.only.reap.timeout
- Default: value of
database.connection.reap.timeout
attribute or 0. - Mandatory: no
- Sets the amount of time (in seconds) that the connection pool allows a connection to be in use, before claiming it back if XA is enabled.
database.connection.xa.enabled
- Default: true
- Mandatory: no
- Enable/disable XA (two-phase commit protocol) for database communication and transaction mechanism. This setting can be
false
only if provisioning is disabled (application.modules.provisioning.enabled = false
). - In case the IDM uses more than one transaction based resources (such as database and JMS), XA transaction handling is required to ensure data consistency.
database.connection.healthcheck.refresh
- Default: false
- Mandatory: no
- If set to true, then the connection pools are refreshed before providing the actual metrics on the
health
endpoint.
database.connection.healthcheck.retrycount
- Default: -1
- Mandatory: no
- If set, adds a retry to the health check mechanism. If database health check fails, it retries
database.connection.healthcheck.retrycount
times withdatabase.connection.healthcheck.retrydelay
ms wait between tries. - The value is the number of retries, if set to -1, no retry is performed.
database.connection.healthcheck.retrydelay
- Default: 0
- Mandatory: no
- If
database.connection.healthcheck.retrycount
set and database health check fails, it retriesdatabase.connection.healthcheck.retrycount
times withdatabase.connection.healthcheck.retrydelay
ms wait between tries. - The value is the number of milliseconds to wait between retries.
DB statement optimization
database.performance.bindvar.max
- Value: int
- Default: 100
- Mandatory: no
- nevisIDM uses SQL statements of type
WHERE IN ()
. With this configuration parameter, the number of bind variables used in the IN-statement is limited. - The parameter is related to database performance. The default value should be okay for most setups. There is no need to change it unless you encounter database performance problems with the type of submitted queries.
application.subunits.queryviacte.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Defines whether the subunits are queried via CTE (Common Table Expressions) or not. If set to
true
, the subunits are queried via CTE. If set tofalse
, the subunits are queried via a string search omTIDMA_UNIT_PATH
table.
Credential Locking for Uniqueness Check
application.config.credentialTypesToBeLockedInDatabase
- Value: String
- Default: -
- Mandatory: no
- Example values
- Configures the credential types that should be locked in the database for uniqueness check. The value is a comma-separated list of credential types. If the value is not set, then no credential types are locked in the database.
- Possible values: PASSWORD, CERTIFICATE, SECURID, TICKET, SAFEWORDUSER, OTP, TEMPSTRONGPASSWORD, GENERIC, KERBEROS, MTAN, VASCO, PUK, URLTICKET, DEVICEPASSWORD, MOBILESIGNATURE, SAMLFEDERATION, SECURITYQUESTIONS, CONTEXTPASSWORD, OATH, FIDO_UAF, RECOVERY_CODE, FIDO2, 1,2,3,4,5,6,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
Multi-client
application.feature.multiclientmode.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Enables the multi-client mode in nevisIDM. If the multi-client mode is disabled, the web GUI will hide the client selections.
REST
rest.limits.result.max
- Value: int
- Default: 1000
- Mandatory: no
- The maximum number of search results. The property applies to all REST interface query methods that support the limit parameter. The goal of the limit is to prevent DoS attacks.
rest.display.timezone
- Value: String
- Default:
Z
- Mandatory: yes
- Specifies the timezone used for displaying date and time values in the REST interface. The value must be one of the following:
Z
: Format of date output:2024-04-19T08:02:45Z
T
: Format of date output:2024-04-19T08:02:45T
N/A
: Format of date output:2024-04-19T08:02:45
- If an invalid timezone is provided, the following error will occur::
{
"errors": [
{
"code": "errors.invalidParameter",
"message": "Invalid Timezone '${providedTimezone}'"
}
]
}
SOAP
webservice.versions
- Value: String
- Default:
<all>
- Mandatory: no
- Defines a comma-separated list of web service versions that are enabled and deployed. If you do not set this parameter, that is, do not include it in the nevisidm-prod.properties file, all web service versions including V1 are enabled (this is the default setting).
Possible values:
latest
: The latest web service version (including the LoginService) is deployed on the corresponding version endpoint and the V1 endpoint.previous
: The web service version before the latest web service version is deployed on the corresponding version endpoint.v1_x
: The web service version v1_x is deployed on the V1_X endpoint.v1
: The latest web service versions (including the LoginService) are deployed on the V1 endpoint.
The LoginService is enabled if the parameter webservice.versions is set to v1
or latest
.
Examples:
- webservice.versions=latest,previous: Only enables the last two web service versions (including V1).
- webservice.versions=v1_44,v1_42? Only enables the web service versions v1_44 and v1_42.
- webservice.versions=: If you set the parameter to an empty value, as shown in the previous example, no web service version is enabled at all.
webservice.limits.result.recursion.max
- Value: int
- Default: 50
- Mandatory: no
- The maximum recursion depth of the get and query methods of the SOAP interface. The limit exists for DoS prevention.
webservice.limits.result.query.max
- Value: int
- Default: 1000
- Mandatory: no
- The maximum number of search results for all query methods of the SOAP interface. The limit exists for DoS prevention.
webservice.limits.result.units.max
- Value: int
- Default: 10000
- Mandatory: no
- Denotes the maximum number of units returned (including child units). The limit exists for DoS prevention.
webservice.limits.input.max
- Value: int
- Default: 50
- Mandatory: no
- Denotes the maximum number of input elements allowed for list operations such as
deleteCredentials
. Note that this number should be kept as small as possible since increasing it will implicate an increased probability of optimistic locking exceptions.
webservice.limits.auth.cache.expire.after
- Value: int
- Default: 600
- Mandatory: no
- Number of seconds while an authentication is kept in the cache for SOAP and Rest services. This new solution replaced using HTTP session and the
webservice.limits.httpsession.inactiveinterval
configuration. For the nevisIDM admin interface, the HTTP session is still used to hold the data of the authenticated user.
webservice.limits.auth.cache.max.size
- Value: int
- Default: 2048
- Mandatory: no
- Maximum number of elements in authentication cache for SOAP and Rest services. In case the cache reaches this value the newly stored user data pushes out the oldest item.
webservice.property.roleexclusion.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- Parameter for backward compatible handling of the
scopeName
field format of the PropertyValue type. If this parameter is enabled, the scopeName contained in responses will just hold the application name, i.e., the role name is not appended.
QueryService
application.queryservice.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- Enables the queryService that provides a REST API for full-text queries.
application.queryservice.index.dir
- Value: String
- Default: /tmp/lucene/indexes
- Mandatory: no
- Path to the directory where the index for the queryService has to be stored.
application.queryservice.instance.index.prefix
- Value: String
- Mandatory: no
- The prefix to be used with the Elastic/Lucene indices. Enables the use of multiple nevisIDM instances with a single Elastic/Lucene backend. It can be any string, but it must be unique by nevisIDM instance. For example, if the production and the pre-production nevisIDM servers use the same search backend, you can use the prefixes
prod
andpreprod
.
application.queryservice.forcedreindex.enabled
- Value: Boolean
- Default: true
- Mandatory: no
- If this is set to true, the index will be recreated on startup even if an index already exists.
application.queryservice.cronjob.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- This is required if one uses the queryService with a multiInstance setup. It will periodically update the index to make sure it is consistent on all instances.
application.queryservice.cronjob.interval
- Values: long (milliseconds)
- Default: 300000
- Mandatory: no
- The time in milliseconds between two runs of the batch job.
application.queryservice.index.length.min
- Default: 3
- Mandatory: no
- The length of the shortest indexed fragment. Note that this is the same as the shortest possible search.
web.gui.quicksearch.fields
- Value: String
- Default: -(all)
- Mandatory: no
- Defines a comma-separated list of field names. The list must only include field names of entities that support the quick search (Users, Clients, Applications, Units). If set, the quick search feature only performs searches on these fields. If you do not specify this parameter, the system queries all fields of the entities supporting the quick search. Invalid field names are silently ignored (that is, no error message will appear).
This parameter is only valid for the quick search feature. The query service (Query Search REST service) ignores this setting.
application.queryservice.backend.type
- Value: String
- Default:
lucene
- Mandatory: no
- Two search backends are supported: Apache Lucene and Elasticsearch. Possible values:
lucene
andelasticsearch
. In multi IDM environments, Elasticsearch is recommended.
application.queryservice.elastic.hosts
- Value: String
- Default:
localhost:9200
- Mandatory: no
- The host name and ports of the Elasticsearch servers to connect to. Expects a String representing a host and port such as localhost or
http://es.mycompany.com:4400
, or a String containing multiple such host-and-port strings separated by commas.
application.queryservice.elastic.protocol
- Value: String
- Default:
http
- Mandatory: no
- The protocol to use when connecting to the Elasticsearch servers.
- Expects either
http
orhttps
.
application.queryservice.elastic.path.prefix
- Value: String
- Default: ``
- Mandatory: no
- Property for specifying the path prefix prepended to the request Elasticsearch end point.
- Use the path prefix if your Elasticsearch instance is located at a specific context path.
application.queryservice.elastic.username
- Value: String
- Mandatory: no
- The username to send when connecting to the Elasticsearch servers (HTTP authentication).
application.queryservice.elastic.password
- Value: String
- Mandatory: no
- The password to send when connecting to the Elasticsearch servers (HTTP authentication).
application.queryservice.elastic.request.timeout
- Value: int (milliseconds)
- Default: 3600000 (1 hour)
- Mandatory: no
- The timeout when executing a request to an Elasticsearch server. This includes the time needed to establish a connection, send the request and read the response.
application.queryservice.elastic.read.timeout
- Value: int (milliseconds)
- Default: 30000
- Mandatory: no
- The timeout when reading responses from an Elasticsearch server.
application.queryservice.elastic.connection.timeout
- Value: int (milliseconds)
- Default: 1000
- Mandatory: no
- The timeout when establishing a connection to an Elasticsearch server.
application.queryservice.elastic.max.connections
- Value: int
- Default: 20
- Mandatory: no
- The maximum number of simultaneous connections to the Elasticsearch cluster, all hosts taken together. Expects a positive integer value.
application.queryservice.elastic.max.connections.per.route
- Value: int (milliseconds)
- Default: 10
- Mandatory: no
- The maximum number of simultaneous connections to each host of the Elasticsearch cluster.
application.queryservice.elastic.discovery.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Whether automatic discovery of nodes in the Elasticsearch cluster is enabled.
application.queryservice.elastic.discovery.refresh.interval
- Value: int
- Default: 10
- Mandatory: no
- The time interval between two executions of the automatic discovery if enabled.
application.queryservice.elastic.log.json.pretty.printing
- Value: boolean
- Default: false
- Mandatory: no
- Whether JSON included in logs should be pretty-printed (indented, with line breaks).
application.queryservice.elastic.multi.tenancy.strategy
- Value: String
- Default:
none
- Mandatory: no
- The multi-tenancy strategy to use. Expects a MultiTenancyStrategyName value.
application.queryservice.elastic.mapping.type.name.strategy
- Value: String
- Default:
discriminator
- Mandatory: no
- The strategy for mapping documents to their type name, i.e. to determine the type name of a document in search hits.
application.queryservice.elastic.layout.strategy
- Value: String
- Default:
simple
- Mandatory: no
- The layout strategy for indexes and their aliases. Expects a reference to a bean of type IndexLayoutStrategy.
application.queryservice.elastic.thread.pool.size
- Value: int
- Default: number of processor cores available to the JVM on startup
- Mandatory: no
- The size of the thread pool assigned to the backend.
application.queryservice.elastic.scroll.timeout
- Value: int (seconds)
- Default: 60
- Mandatory: no
- Property for specifying the maximum duration a Scroll will be usable if no other results are fetched from Elasticsearch.
Authentication (nevisIDM auth state related)
application.feature.loginid.casesensitive.enabled
- Value: boolean
- Default: false
- Mandatory: no
- If set to true, all user searches based on the login ID and triggered by IDM auth states will be case-sensitive. Default is case-insensitive.
application.feature.emaillogin.enabled
- Value: boolean
- Default: false
- Mandatory: no
- If set to
true
, the e-mail address can be used alternatively to the login ID in the IDM auth states. This feature requires e-mail uniqueness per client, which will be enforced automatically. A data consistency check will be performed during start-up of nevisIDM. If e-mail uniqueness per client is violated, start-up of nevisIDM will stop with a corresponding error message (BadConfigurationException: Found duplicate user e-mails on database
) and the violating users will be traced as ERROR in the log file. The non-unique e-mail addresses have to be cleaned up before the feature can be enabled. - If you plan to enable this feature on an existing nevisIDM installation with a large user population, pay attention to the comments concerning migration in the
Client policy
chapter.
This parameter is deprecated. Instead, use the Client policy parameter authentication.loginWithEmail.enabled. For a description of this parameter, see the chapter Client policy.
Vasco Digipass token
application.feature.vascotoken.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Enables support for credentials of type Vasco containing Digipass Tokens.
... of type Vasco Digipass token
if enabled, the java.library.path must also point to the native Vasco library (aal2sdk-3.11 or compatible). Therefore, add the following line to the vmargs.conf of nevisIDM:-Djava.library.path=/path/to/vasco/library
- If disabled, nevisidm will not try to load the native libs, and Vasco Digipass token related operations are prohibited.
Referenced configuration files
application.config.file.idmrole.authorization
- Default: -Loads the file from the classpath (config folder)
- Mandatory: no
- Configures the location of the authorization properties file.
application.config.file.idmrole.mapping
- Default: -Loads the file from the classpath (config folder)
- Mandatory: no
- Configures the location of the role mapping file. This file groups low-level authorizations to form convenient user roles like
nevisIdm.UserAdmin
.
application.config.file.idmrole.assignment
- Default: -Loads the file from the classpath (config folder)
- Mandatory: no
- Configures the location of the roles assignment file. This file defines which nevisidm role is required to assign a given nevisidm role. For example,
nevisIdm.TechUser=nevisIdm.Root,nevisIdm.AppAdmin
defines that you need to be Root or AppAdmin to assign a TechUser role to someone.
application.config.file.attributeaccess
- Default: - Loads the file from the classpath (config folder)
- Mandatory: no
This feature is deprecated. It will be removed in a future version of nevisIDM.
- Configures the location of the attribute access definition file. This file allows defining the
AttributeAccess
parameters for the Unit screens. The following two parameters are available:- AttributeAccess.UnitCreate.Name
- AttributeAccess.UnitModify.Name
- They can be set to
rw
,ro
oroff
.rw
stands for read-write,ro
for read-only andoff
for no rendering of this GUI element. Note that the elementary right EntityAttributeAccessOverride overrides the read-only behavior, rendering it read-write. It does not affect the off setting. - Example:
- AttributeAccess.UnitCreate.Name=off
- AttributeAccess.UnitModify.Name=ro
application.config.file.tldlist
- Default: -Loads the file from the classpath (config folder)
- Mandatory: no
- Location of the file that contains a list of valid top level domains and is used for validating e-mail addresses. Originally downloaded from http://data.iana.org/TLD/tlds-alpha-by-domain.txt. Also see the chapter: Other nevisIDM configuration files.
Audit module
application.modules.auditing.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Enable/disable the audit module.
application.modules.auditing.provider
- Default: jsonAuditProvider
- Mandatory: no
- Configures which audit provider implementation to use. Possible values are:
- jsonAuditProvider: This audit provider implementation logs events in JSON data format into the log file through the
application.modules.auditing.file
property. You can turn it off by leaving theapplication.modules.auditing.file
property empty. - jcanLogAuditProvider: This audit provider implementation uses the configuration from the logging.yml file. You configure the logging.yml file with the nevisIDM config log.
The audit provider jcanLogAuditProvider has been deprecated. Use the jsonAuditProvider instead.
Previously, it was also possible to use a third provider, the fileAuditProvider. However, the fileAuditProvider has been removed in version 2.76. You can use the jsonAuditProvider instead (as it the covers all the functionality of the fileAuditProvider). To migrate from the fileAuditProvider to the jsonAuditProvider, you need to provide a logging.yml file with the desired log format.
application.modules.auditing.file
- Default: -
- Mandatory: no
- Configures the location of the audit file used by the jsonAuditProvider.
application.modules.auditing.repeat.interval
- Value: long (milliseconds)
- Default: 30000
- Mandatory: no
- Configures the interval in milliseconds between two runs of the audit event processing quartz job.
- Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.auditing.repeat.count
- Value: int (-1: unlimited, 0: never)
- Default: -1
- Mandatory: no
- Configures the number of runs of the audit event processing quartz job. Set it to
0
to disable audit event processing on this instance.-1
means unlimited runs. - Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.auditing.autostartup.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Configures whether the audit processing is automatically started after initialization. If it is set to
false
, the audit processing will not start automatically after nevisIDM restart. - To disable the audit processing, set this parameter to
false
, and set the application.modules.auditing.repeat.count parameter to0
. Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.auditing.rolling.daily
- Value: boolean
- Default: true
- Mandatory: no
- Enables a daily rollover of the audit file.
- This property only applies to a jsonAuditProvider (application.modules.auditing.provider=jsonAuditProvider).
application.modules.auditing.rolling.file.size
- Value: string
- Default: -
- Mandatory: no
- Enables a rollover once the file has reached the specified size. Specify the size in bytes, with the suffixes KB, MB or GB. For example: 20MB. This property only applies to a jsonAuditProvider (application.modules.auditing.provider=jsonAuditProvider).
application.modules.auditing.rolling.file.max.backup.count
Value: int
Default: 0
Mandatory: no
Defines the maximum number of archived log files to keep. For example, if you set the property to
3
, three archived log files are kept, besides the active log file. Zero0
means that all the archived files are kept. This property only applies to a jsonAuditProvider (application.modules.auditing.provider=jsonAuditProvider). Furthermore, have set one of the properties application.modules.auditing.rolling.file.sizeor application.modules.auditing.rolling.daily.Decreasing this setting could cause log4j to rename older audit log files
application.modules.auditing.console
- Value: boolean
- Default: false
- Mandatory: no
- Enables the logging of the audit entries to the console. It writes the audit.log prefix to each entry.
- This parameter is supported only by the JSON audit provider ( application.modules.auditing.provider=jsonAuditProvider). Note that console logging ignores rolling configurations.
Event module
application.modules.event.repeat.interval
- Value: long (milliseconds)
- Default: 30000
- Mandatory: no
- Configures the interval in milliseconds between two runs of the batch event processing quartz job.
- Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.event.repeat.count
- Value: int (-1: unlimited, 0: never)
- Default: -1
- Mandatory: no
- Configures the number of runs of the batch event processing quartz job. Set it to
0
to disable batch event processing on this instance.-1
means unlimited runs. - Do not change this parameter unless the integration partner explicitly recommends it!
application.modules.event.retry.interval
- Value: long (milliseconds)
- Default: 360000
- Mandatory: no
- Configures the time after which the handling of an event is stopped, and the state is reset to NEW from EXECUTING.
application.modules.event.chunksize
- Value: int (≤0: unlimited)
- Default: -1
- Mandatory: no
- Configures the maximum number of batch events the batch event processing quartz job processes per run. Parameter could be used for fine-tuning in case the concurrent number of events is too high compared to the heap memory size available. Set chunkSize to 0 or a negative value to apply no chunking, i.e., process all batch events available. Usually, it should not be necessary to change the value of this parameter.
application.modules.event.autostartup.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Configures whether the event processing is automatically started after initialization. If it is set to false, the event processing will not start automatically after nevisIDM restart. To disable the event processing, set this parameter to
false
, and set the application.modules.event.repeat.count parameter to0
. Do not change this parameter unless the integration partner explicitly recommends it!
Provisioning module
application.modules.provisioning.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Enable/disable the provisioning module.
application.modules.provisioning.jmsqueue.username
- Default: -
- Mandatory: no
- The username used for authentication against the JMS destination.
application.modules.provisioning.jmsqueue.password
- Default: -
- Mandatory: no
- The password used for authentication against the JMS destination.
application.modules.provisioning.jmsqueue.msgttl
- Value: long (milliseconds)
- Default: 3600000
- Mandatory: no
- Defines the time-to-live of the JMS queue message.
application.modules.provisioning.erole.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Enable/disable the transparency of the enterprise role provisioning, including the provisioning of adding and deleting of member roles to/from an enterprise role.
application.jms.connection.pool.size
- Value: int (
>1
) - Default:
10
- Mandatory: no
application.jms.connection.pool.size
sets the size of JMS Connection Pool. The value has to be bigger than1
, otherwise the JMS template builds a new connection for each message.
Property value encryption
security.properties.key
- Default: (hidden)
- Mandatory: yes (Attention! Changed!)
- Encryption key. The key value is a base64 encoded string. The key must be explicitly defined for every setup, instead of leaving the default.
- This property cannot be empty.
This key is used for encrypting and decrypting:
- Oath credentials
- Context Passwords if their storage policy is
encrypt
- Property values (both string and enum) if they are encrypted
- OTP credential's card.
- Recovery codes
- Personal answers
security.properties.iv
- Default: (hidden)
- Mandatory: no
- Initialization vector
iv
. The vector must be explicitly defined for every setup, instead of leaving the default. For AES, the vector length must be 16 bytes.
This property is deprecated and not of use anymore. The initialization vector is now randomly generated with a secure random number generator for every new encryption. If the property is set, removal of the value requires migrating encryption with EncryptionFallbackCorrectorJob
.
security.properties.algorithm
- Default: AES
- Mandatory: no
- Encryption algorithm.
security.properties.cipher
- Default:
AES/GCM/NoPadding
- Mandatory: no
- Encryption cipher.
security.properties.paddinglength
- Default: 10
- Mandatory: no
- Padding length.
security.properties.fallback.enabled
- Default: false
- Mandatory: no
- Boolean flag to enable fallback mechanism for cases when the default value of
security.properties.key
and/orsecurity.properties.cipher
is changed on a live system.
Property value encryption with client level configuration
Following properties are used in case the encrypted element is client specific. The placeholder {clientExtId} should be replaced with the client's external ID.
Client level encryption and fall back mechanism are mutually exclusive. If any client level encryption property is set, the fallback mechanism must be disabled.
security.properties.{clientExtId}.key
- Mandatory: no
- Encryption key. The key value is a base64 encoded string. If no value is set, the global key is used.
This key is used for encrypting and decrypting the following credentials if they are assigned to a user in the client:
- Recovery codes
- Oath credentials
- Context Passwords if their storage policy is
encrypt
- OTP credential's card
- Personal answers
Property values (both string and enum) if they are encrypted and assigned to an entity in the client and have the following scopes:
- USER_GLOBAL
- PROFILE_GLOBAL
- CLIENT_GLOBAL
- EROLE_GLOBAL
- CREDENTIAL_CERTIFICATE_GLOBAL
- CREDENTIAL_GENERIC_GLOBAL
- CREDENTIAL_MOBILESIGNATURE_GLOBAL
- CREDENTIAL_SAMLFEDERATION_GLOBAL
- CREDENTIAL_SECURITYQUESTIONS_GLOBAL
security.properties.{clientExtId}.iv
- Mandatory: no
- Initialization vector
iv
. For AES, the vector length must be 16 bytes. If no value is set, the globaliv
is used.
This property is deprecated and not in use anymore. The initialization vector is now randomly generated with a secure random number generator for every new encryption. If the property is set, removal of the value requires migrating encryption with EncryptionFallbackCorrectorJob
.
security.properties.{clientExtId}.algorithm
- Mandatory: no
- Encryption algorithm. If no value is set, the global algorithm is used.
security.properties.{clientExtId}.cipher
- Mandatory: no
- Encryption cipher. If no value is set, the global cipher is used.
security.properties.{clientExtId}.paddinglength
- Mandatory: no
- Padding length. If no value is set, the global padding length is used.
SMTP server
application.mail.smtp.host
- Default: -
- Mandatory: no
- Host name of the SMTP server.
application.mail.smtp.port
- Default: -
- Mandatory: no
- Port of the SMTP server.
application.mail.smtp.username
- Default: -
- Mandatory: no
- Username used for the SMTP authentication.
application.mail.smtp.password
- Default: -
- Mandatory: no
- Password for the SMTP authentication.
application.mail.smtp.connection.timeout
- Default: 60
- Mandatory: no
application.mail.smtp.timeout
- Default: 60
- Mandatory: no
application.mail.debug.enabled
- Default: false
- Mandatory: no
- If set to
true
, the system will write the debug information to stdout. - In installations using systemd, the output is redirected to the journal. You can retrieve it with the following command (replace
<instance-name>
with the relevant nevisIDM instance name):journalctl -u nevisidm@<instance-name>.service -b
application.mail.sender
- Default: -
- Mandatory: no
- Default sender address in e-mails.
application.mail.htmltemplate.encoding
- Value: string
- Default: ISO-8859-1
- Mandatory: no
- The character encoding of the uploaded HTML email templates.
- Be careful when you change the value of this parameter after you have already uploaded a few templates with the previous character encoding. In this case, you have to re-upload all existing HTML email templates with the new encoding via the Template Store. There is no automatic transcoding of templates in nevisIDM.
application.mail.smtp.starttls.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- Use this parameter to enable or disable STARTTLS for the connection with the SMTP server. If STARTTLS is enabled, the system will use TLS/SSL to connect to the SMTP server to create a secure connection.
application.mail.smtp.tls.truststore
- Default: -
- Mandatory: no
- Truststore object used for the TLS with the SMTP server. If not specified, then the system's truststore is used.
application.mail.smtp.tls.truststore-passphrase
- Default: -
- Mandatory: -
Legacy / backward compatibility
application.feature.legacy.passwordprefix
- Value: string
- Default: none
- Mandatory: no
- Used to smoothly migrate prefixed esadb/esmap passwords to nevisIDM.
GUI
web.gui.languages.default
- Value: {de, fr, it, en}
- Default: de
- Mandatory: no
- Two-letter lowercase ISO 639 code of default language.
- Defines the language of newly created user objects if no language has been set explicitly.
- Defines the default language for GUI sessions
web.gui.languages.list
- Value: {de, fr, it, en}
- Default: de, en, fr, it
- Mandatory: no
- Comma-separated list of ISO 639 codes.
web.gui.facing.location
- Value: string
- Default: -
- Mandatory: no
- Location (directory, JAR or ZIP file) of custom facing. On the top-level, it must contain the directories CSS and/or images.
- Has to be relative to the instance folder (e.g. conf/facing/).
web.gui.facing.cache.size
- Value: int (bytes)
- Default: 100000
- Mandatory: no
- Maximum sizeup to which a facing entry is cached in memory. Files larger than that value are read from the disk on every access.
web.gui.uri.logout
- Value: string
- Default: /?logout
- Mandatory: no
- Defines the URI that will be used upon logout, either
Logout.do
for application logout or/?logout
for SSO logout.
application.config.environment.name
- Value: string
- Default: -
- Mandatory: no
- Displayed in the Status servlet as
EnvironmentName
(for example:test
,production
).
web.gui.debug.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Configures whether additional debug information should be displayed. NEVER use this in production.
web.gui.messageresource.dir
- Default: -
- Mandatory: no
- Path to the customized LitDict resource files. The customized file should be named as follows:
custLitDict[_<language code>].properties
. The property files will be read with UTF-8 encoding.
web.gui.landingpage
- Default: selfadmin
- Mandatory: no
- Identifier of a nevisIDM subcomponent if the user accesses the nevisIDM top path, e.g., localhost/nevisidm.
- This can be one of the following identifiers: UserSearch, TemplateManager, UnitModify, ProfileSearch, ClientSearch, ApplicationSearch, UnitSearch, PolicyOverview, selfadmin.
If the user does not have read access on the specified component, a fallback to a viewable page is performed. Setting a relative path instead of an identifier is deprecated.
web.gui.personalquestion.enabled
- Value: boolean
- Default: false
- Mandatory: no
- If this parameter is false, the Personal Question functionality will be hidden on the GUI. This parameter must be set to true if security question credentials are used.
Certificate upload
web.gui.certupload.uri
- Value: string (URI)
- Default: /nevisidm/certupload
- Mandatory: no
- Defines the link that will be provided in certificate upload mails.
This parameter is deprecated. If possible, do not use it anymore.
web.gui.certupload.redirect.uri
- Default: -
- Mandatory: no
- Redirect location after successful certificate upload.
This parameter is deprecated. If possible, do not use it anymore.
web.gui.certupload.redirect.onerror.enabled
- Value: boolean
- Default: false
- Mandatory: no
- Enable/disable redirect even if an error occurred during the certificate upload.
This parameter is deprecated. If possible, do not use it anymore.
Batch jobs
application.modules.batch.context
- Value: string
- Default: -
- Mandatory: no
- Location of the spring application context containing the batch jobs expressed as a valid Unix path, e.g.:
/var/opt/nevisidm/nevisidm/conf/batchContext.xml
The file must be accessible in the file system of the server.
application.modules.batch.classpath
- Value: string
- Default: -
- Mandatory: no
- Colon-separated list of JAR files that are searched when defining custom batch job plug-ins.
Batch jobs are discouraged to use in new installations, instead use one of our APIs. For existing installation batch jobs still work.
Printing
application.modules.printing.host
- Value: string
- Default: localhost
- Mandatory: no
- Host of the OpenOffice daemon (adnooprint).
application.modules.printing.port
- Value: int
- Default: 8912
- Mandatory: no
- Port of the OpenOffice daemon (adnooprint)
application.modules.printing.printer
- Value: string
- Default: -
- Mandatory: no
- CUPS printer to use when printing letters.
application.modules.printing.dir.target
- Default: /var/tmp/nevisidm_pdfs
- Mandatory: yes
- The location where generated PDFs are stored. The location path must be absolute. The location itself has to be writable by the OpenOffice service.
application.modules.printing.retry.count
- Value: int
- Default: 1
- Mandatory: no
- The connection setup to OpenOffice is sometimes unreliable. In that case, a connection setup retry can help.
application.modules.printing.retry.delay
- Value: int (milliseconds)
- Default: 0
- Mandatory: no
- Delay in milliseconds between connection setup retries (see application.modules.printing.retry.count).
application.modules.printing.retry.wait
- Value: int (milliseconds)
- Default: 5000
- Mandatory: no
- If a printing event fails because of an OpenOffice service problem, the event queue will reschedule and retry the failed event after
application.modules.printing.retry.wait milliseconds
. Value-1
means that the automatic retry mechanism is disabled. In that case, a manual retry option is available in the Persistent Queue Manager GUI.
Miscellaneous functionality
application.feature.templatecollection.default.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Defines whether the template collection functionality is available. If set to
true
, the default template collection will be used, and all parts related to the handling of template collections in the web GUI will be hidden.
application.feature.email.validation.enabled
- Value: Boolean
- Default: true
- Mandatory: no
Enables/disables e-mail validation.
- If the parameter is set to
false
, the e-mail validation is disabled. This makes it possible to create/update users with an invalid e-mail address. We advise against disabling this parameter. - If it is disabled, you have to ensure valid e-mail addresses by other means. If you do not, follow-up errors, such as e-mail sending failures, will occur.
- If the client policy
user.email.unicode.allowed
is enabled, it is considered over this configuration. For more information, see Client policy.
application.feature.impersonation.restriction.enabled
- Value: Boolean
- Default: true
- Mandatory: no
- Defines whether non-technical users can be impersonators.
- If set to
false
, impersonation is not restricted to technical users anymore.
application.feature.propvalsearch.caseinsensitive.enabled
- Value: Boolean
- Default: false
- Mandatory: no
- Defines whether the properties in the extended user search are searched case-insensitively. This may result in performance reduction with MySQL databases. We do not recommend turning on this parameter with MySQL databases.
login.id.allowed.characters.version
- Default: V1
- Mandatory: no
- Version of allowed character in login identifiers (and profile names, because the generated default profile name is inherited from the login identifier). Possible values are: V1, V2.
- V1: allowed characters are
a-z
,A-Z
,0-9
,@
,.
,/
,_
,:
,(
,)
,{
,}
,[
,]
,=
,!
,~
,+
and-
. - V2: allowed characters from
!
to~
, means ASCII0x21
to0x7E
, in other words all printable ASCII characters. - Consider changing the setting very carefully because after switching to V2, you cannot switch back to V1 any user that has been created with a login identifier containing special characters.
ID and name generators
application.generators.extid.client
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for clients. Possible values are:
- default: The generator uses the primary key of the entity to build an external ID.
sequence:<seqName>
In this case, the generator derives a value from a DB sequence defined by the name<seqName>
.- uuid: If you select this option, the generator generates a random v4 universally unique identifier (UUID) to build an external ID.
application.generators.extid.user
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for users. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.profile
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for profiles. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.unit
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for units. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.credential
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for credentials. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.application
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for applications. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.role
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for roles. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.policyconfig
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for policies. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.template
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for templates. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.enterpriserole
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for enterprise roles. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.personalquestion
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for personal questions. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.extid.authorization
- Value:
{default, sequence:<seqName>, uuid}
- Default: default
- Mandatory: no
- Defines the generator used to build external IDs (extIds) for authorizations and enterprise authorizations. For possible values, see the description of the
application.generators.extid.client
parameter.
application.generators.name.unit
- Value: {none, copy:primarykey}
- Default: none
- Mandatory: no
- Defines the generator used to build the name of a unit.
Reporting
application.modules.reporting.result.max
- Value: int (
>0
) - Default: 5000
- Mandatory: no
- Maximum result rows that can be exported.
application.modules.reporting.header.enabled
- Value: boolean
- Default: true
- Mandatory: no
- Defines whether the first row of the generated CVS is used as a header and contains the names of the columns.
application.modules.reporting.chunksize
- Value: int (
>0
) - Default: 10000
- Mandatory: no
- Maximum number of records retrieved from the database at once.
application.modules.reporting.separator
- Value: character
- Default: , (comma-separated)
- Mandatory: no
- The separator char Character used to separate columns.
If you set this property to something different than the comma character ,
, the generated reports no longer comply with the standard CSV format (RFC4180). Generated reports may become unreadable by other programs.
application.modules.reporting.characterencoding
- Value: {UTF-8, US-ASCII, ISO-8859-1, UTF-16}
- Default: UTF-8
- Mandatory: no
- Defines the character encoding used for the exported report.
application.modules.reporting.concurrrentrequests.max
- Value: int (
>0
) - Default: 5
- Mandatory: no
- Prevent slow-down of nevisIDM or even DoS caused by too many concurrently generated and, thus, running reports.
application.module.reporting.filter.mandatory.enabled
- Value: boolean
- Default: false
- Mandatory: no
- If set to
true
, report generation requires a filter to be set.
Monitoring
application.feature.statusservlet.enabled
- Value: {true, false, localhost-only}
- Default: localhost-only
- Mandatory: no
- Defines whether the status servlet is enabled (reachable at
<host>:<port>/nevisidm/status
). If the parameter is set tolocalhost-only
, only requests from remote address 127.0.0.1 will be answered. See also chapter: Status servlet.
The status servlet is deprecated. To retrieve runtime and database statistics information, use the management service instead (for more information, see the chapter Management Service).
Enterprise roles
application.feature.enterpriserole.enabled
- Default: false
- Mandatory: no
- Enables the enterprise role feature in nevisIDM. If enterprise roles are disabled, the enterprise role views will be hidden on the Web GUI. Further consequences are:
- Web services: Enterprise role related extensions are not accessible, a business exception is thrown.
- Business tier: Enterprise role related functionality is not accessible, a business exception is thrown.
CSRF Guard
security.web.csrf.enabled Deprecated org.owasp.csrfguard.Enabled is not supported anymore
- Default: true
- Mandatory: no
- Enables/disables the CSRF Guard. The CSRF Guard protects all POST requests against CSRF attacks.
- Setting this parameter to
false
seriously weakens the security of the nevisIDM web GUI and is not recommended!
application.owasp.csrfguard.overlay.properties.file
- Default: -
- Mandatory: no
- Location of the OWASP CSRF Guard overlay properties file, which can be used to overwrite nevisIDM's default.
Dataroom
application.limits.dataroom.units.max
- Default: 50
- Mandatory: no
- Limits the number of distinct configured unit data rooms that can be added to a profile. If the limit is exceeded for a user profile, a warning is logged during login.
- Increasing the limit and adding more unit data rooms to a profile can lead to decreased performance of nevisIDM!
application.dataroom.relaxed.permissions
- Default:
AccessControl.UserView
- Mandatory:
no
- The
application.dataroom.relaxed.permissions
parameter defines in a list of;
separated access rights, for which the dataroom check is to be less strict. For more information, see Data room authorization.
SCIM
application.scim.bulk-max-payload
- Default: 200000
- Mandatory: no
- Limits the maximum payload size of a SCIM Bulk Request.
application.scim.bulk-max-operations
- Default: 100
- Mandatory: no
- Limits the maximum number of operations in a SCIM Bulk Request.
application.scim.filter-max-result
- Default: 200
- Mandatory: no
- Limits the maximum number of result returned by a SCIM Search request.
application.scim.idm.uri
- Mandatory: no
- Specifies URLs to be returned by the SCIM interface of IDM, as the location subfield of
meta
field. A URI containingapi/scim/v1
is expected. If not set, then the URI, which the message is last is used.
OpenTelemetry related configuration
add.request.and.response.body.to.opentelemetry
- Default: false
- Mandatory: no
- In case of OpenTelemetry extension agent is configured and this property is
true
the SOAP and REST endpoint spans will contain the request and response bodies as span attribute.
nevisIDM logging
nevisIDM log related properties
By default, nevisIDM stores logs in the instance directory (/var/opt/nevisidm/<instance>/log
). However, the logging behavior can be customized through the nevisidm-prod.properties
configuration file.
To configure a custom logging location, you can use the server.log.dir
property in this file.
nevisIDM log levels (file: logging.yml)
- The nevisIDM log levels are defined in the file logging.yml located in the configuration directory of nevisIDM. By default, the log levels aim for productive setups. As a consequence, the log levels are set in such a way that only the most important information is traced.
- For an in-depth analysis in case of problems, you may want to increase the log levels of the right categories.
For every category, you can define the following log levels:
- OFF: no tracing at all.
- ERROR: only errors are traced. Mainly used in productive setups.
- WARN: notifies of issues that should be addressed but do not block the running system. Example: a configuration parameter or SOAP method that is currently used but marked as deprecated.
- INFO: general information is traced. It is more trace than ERROR would produce, but still okay concerning the amount of information in the log file. INFO includes ERROR too.
- DEBUG: very verbose logging output. DEBUG includes ERROR and INFO too.
- TRACE: includes the output of all other log levels and additionally the entering and exiting events of Java methods.
High log levels are likely to slow down nevisIDM. Therefore, use the log levels with care in productive setups or when performance analyses are performed.
Note that in a YAML file, OFF is a reserved keyword. To disable the tracing of the log level, set OFF with double-quotes in the logging.yml file, otherwise it will not be parsed correctly. Example:
level: `OFF`
The most important categories
ch.adnovum.nevisidm.service.properties
Involved in reading the nevisIDM configuration file nevisidm-prod.properties. By default, this is set to INFO
to trace the configuration parameters into the log file.
ch.adnovum.nevisidm.service.dbperformance
Set this LOG category to INFO
to trace the time spent during database calls. Set it to DEBUG
to trace the variables within the SQL statements, and how many rows were fetched by the statement.
ch.adnovum.nevisidm.ws.NevisIdmAdminServiceV1BusinessMapper
, ch.adnovum.nevisIdm.ws.NevisIdmSelfAdminServiceV1BusinessMapper
, ch.adnovum.nevisIdm.ws.NevisIdmLoginServiceV1BusinessMapper
These classes contain the actual logic of the SOAP interface implementations for all published versions of the SOAP interface.
ch.adnovum.nevisidm.web.filters.JspAppUserRequestInjectingFilter
Increase trace level to observe whether calls to nevisIDM WEB GUI create new HTTP sessions on the container.
ch.adnovum.nevisidm.web.filters.ServiceUserRequestInjectingFilter
Increase trace level to observe whether calls to nevisIDM REST or SOAP services create new HTTP sessions on the container. It is especially useful to find out if SOAP clients use session binding, or not. They should, because otherwise a new session is created on every call, which means that nevisIDM will have a high memory consumption.
ch.adnovum.nevisidm.web.filters.RequestInfoFilter
Traces HTTP request headers, and parameters received by nevisIDM.
ch.adnovum.nevisidm.session
Traces HTTP session size, when the session is created.
ch.adnovum.nevisidm.web.listeners.IdmSessionListener
Traces HTTP session created/removed
events, and the HTTP session size, when the session is removed.
Ninja
Needs to be set to DEBUG
such that the debug option server.auth.ninja.log-debug
for ninja login module takes effect.
org.springframework.web.filter.CommonsRequestLoggingFilter
If set to DEBUG
, REST requests are dumped into the log file. This is helpful if you want to see the actual REST requests.
org.owasp
Controls the log entries of the CSRFGuard.
ch.nevis.ninja
Controls the log entries of the Ninja.
org.hibernate.SQL
When set to DEBUG
, all requests to the database will show up in the logs.
Autodetect logging changes
Autodetect log configuration changes can be done by adding monitorInterval: 5 to the log configuration. The unit of measure for the parameter is seconds, and the minimum interval is 5 seconds. See also the following code snippet as example:
monitorInterval setting
Configuration:
monitorInterval: 5
properties:
property:
name: LOG_PATTERN
value: "%d{ISO8601} %-15.15t %-40.40c %-5.5p %m%n"
appenders:
...
Other nevisIDM configuration files
The following files are also available after a nevisIDM installation and are of interest for further customizing nevisIDM.
conf/batchContext.xml
- This file defines available batch jobs and triggers for the nevisIDM application.
- For example: it defines daily import and export jobs with customer systems or manual cleanup jobs, depending on infrastructure and customer configuration.
conf/env.conf
- Contains environment variable definitions such as JAVA_HOME.
conf/tlds-alpha-by-domain.txt
- Top level domain list file. Contains the list of valid top level domains. Originally downloaded from http://data.iana.org/TLD/tlds-alpha-by-domain.txt
- File format
- first row: comment
- all other rows: one top level domain per line
- Where the comment format is strict, it should look like:
# Version 2015070700, Last Updated Tue Jul 7 07:07:01 2015 UTC
- more precisely:
# Version <version>, Last Updated <weekday> <month> <day> <hour>:<min>:<sec> <year> UTC
- Possible errors:
- file is missing: FileNotFoundException is thrown
- I/O error: IOException is thrown
- malformed file: BadConfigurationException is thrown