Configuring the ActivID AS Properties

The principal ActivID AS properties are contained in the system configuration files. The following sections provide guidelines for the settings contained the files.

Warning! ONLY modify the files if you are sure that you are making the correct changes. Modifying the properties files incorrectly can render the system unusable.

It is recommended that you contact HID Global Technical Support before modifying these properties.

Note: Settings in the properties files can affect some aspects of system performance.

Properties Files

The properties of the ActivID AS system (applications and features) are organized in the following .properties files that are called by ActivID AS.

All entries are commented with the default values.

For details about each property, refer to the property’s comments.

Note: For reference, <ACTIVID_HOME> represents the ActivID AS software installation directory (by default, /usr/local/activid).

Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/

  • ac-4tress-scim.properties - configuration of ActivID AS SCIM API
  • activid_server.properties
  • srvlog4j.xml - to change the logging level, see Logging
  • emvCardImportDefaults.properties - see Configure the EMV Card Import Settings
  • The following properties files define the strategy validation for parameter values passed to ActivID AS public API methods:
    • validation.properties
    • inputValidationFilters.properties

    • Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).

Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/ap/

  • samlidp.properties - see Configure the ActivID Identity Provider
  • csrfguard.properties - defines the security settings for the protection of the IdP against Cross-Site Request Forgery attacks.

    Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).

  • The following properties files define the validation of the input fields in the ActivID IdP screens:
    • validation.properties
    • inputValidationFilters.properties

    • Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).

Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/mc/

  • mgtcons.properties - user and device search parameters, see Configure the Search Limits
  • mclog4j.xml - to change the logging level, see Logging
  • csrfguard.properties - defines the security settings for the protection of the ActivID Management Console against Cross-Site Request Forgery attacks.

    Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).

  • The following properties files define the validation of the input fields in the ActivID Management Console screens:
    • validation.properties
    • inputValidationFilters.properties

    • Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).

Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/ssp/

  • ssp.properties - see Configure the Portal Settings
  • ssplog4j.xml - to change the logging level, see Logging
  • ssp_devicetypes.properties
  • csrfguard.properties - defines the security settings for the protection of the Self-Service Portal against Cross-Site Request Forgery attacks.

    Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).

  • The following properties files define the validation of the input fields in the Self-Service Portal screens:
    • validation.properties
    • inputValidationFilters.properties

    • Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).

Location - <ACTIVID_HOME>/ActivID_AS/config/

Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/common/

  • activid.properties - defines the hostnames and ports for the ActivID Authentication Web Services address and ActivID Authentication Services public address
  • activid_security.properties - defines the Truststore settings
  • ESAPI.properties - defines the global settings for input validation in all ActivID AS applications

    • Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).

Modify a Property

  1. To modify the properties, it is recommended that you first Generate a Customization Package.

  2. Modify the relevant properties in the generated configuration files of the customization package (and not the original properties files on the file system).

    3. To change the default behavior, uncomment the property and set your required value.

  3. Apply a Customization Package.

  4. Restart the server.

Important: You must restart the system in order to apply the modifications for any of the files.

Configure the Authentication Services Settings

You can configure the hostname and port for the ActivID Authentication Services and ActivID Authentication Web Services.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties

Type

Default

Value

<hostname>

Description

ActivID Authentication Services public hostname (depending on deployment topology, it refers to the proxy address or ActivID Authentication Services address).

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties

Type

Default

Value

8445

Description

ActivID Authentication Services public port (depending on deployment topology, it refers to the proxy port or ActivID Authentication Services port).

Possible values:

  • 8445
  • 8443 (with client authentication)

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties

Type

Default

Value

<hostname>

Description

The hostname (fully qualified domain name) to connect to the ActivID Authentication Web Services from this node.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties

Type

Default

Value

8445

Description

HTTPS port to connect to the ActivID Authentication Web Services from this node. This is typically the:

  • Local application server HTTPS port when the authentication services are installed locally.
  • Remote application server or load balancer HTTPS port when the authentication services are installed remotely.

See also:

Update the HTTPS Ports or Proxy Hostname/Ports

Configure Forward Proxy Support

Configure the Safeguarded Critical Entities Settings

Configure the Cache Settings

To enhance performance and the retrieval of business configuration data from the database, ActivID AS can be configured to cache this data for a period of time.

This mechanism allows reading objects from the database only when the objects have been updated since the last access. In this case, the corresponding cache value is also updated.

Therefore, the cache values are always synchronized with database objects in a single server node deployment.

For cache synchronization across several nodes, ActivID AS stores caches timestamps in the database, allowing all nodes to check if they need to refresh their local cache values when an object has been created/updated or deleted in the database by another node.

For example, if an adapter configuration is created/updated/deleted on one server node, this node will update the corresponding cache timestamp in the database, allowing other nodes to refresh their local caches (by comparing the local cache timestamp with the timestamp on database).

To avoid reading the caches timestamps from the database at every request, server nodes will, by default, read this value every 10 seconds (defined by the CACHE_TIMESTAMPS_REFRESH_INTERVAL property). Therefore, this value represents the maximum latency period of object change visibility across all server nodes.

Cached objects are discarded from cache if not accessed during a period defined by the following Cache timeout values. This allows reducing the memory footprint for objects that are rarely used. It also means reduced memory footprint for unused security domains.

The timeout values (normally in milliseconds) for these caches indicate when this data is discarded. Any entry in the activid_server.properties file with a property name ending with _CACHE_TIMEOUT can be altered to reflect how long the data is cached for.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

10000

Description

Defines the interval (in milliseconds) between each refresh of the local node cache timestamp with the corresponding value of the global cache timestamp.

The following caches values are discarded if not used for the above duration:

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Assets set cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Function set (Permission set) cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Authentication Type (Authentication Policy) cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Memorable data group cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Memorable data prompt cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Device Type cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Transaction Set cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Group function privilege cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Group Transaction privilege cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Authentication adapter cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Authentication manager adapter cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Channel cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

LDAP connection pool timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Role function privilege cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Role transaction privilege cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Transaction cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Status transition cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Adapter configuration cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Group structure cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Dictionary cache timeout in milliseconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

86400000

Description

Mail session cache timeout in milliseconds.

The following cache value is discarded after the period defined by the timeout (even if accessed). This allows forcing the refresh of the cache value.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

3600000

Description

Trust store cache timeout in milliseconds. Trust store is where all the public certificates for external systems are stored.

Configure the Search Limits

Searches performed in the ActivID AS portals can place a large load on the application. The number of records displayed should be limited to a reasonable size. The ActivID Authentication Server contains a method to limit the number of records that can be returned from the database. Returning larger result sets does place a strain on the server in terms of memory (need to keep the result set) and in terms of HSM load since ActivID AS verifies each records data signature.

If search performance is slow, very slowly, or there are 'out of memory' errors on ActivID Authentication Server application server instance nodes, you might need to adjust the search limits.

It is recommended that search limits (with a property name starting with SEARCH_) should be kept to a reasonable size (such as the default values).

For example, to configure User or Device search parameters, select the customizable activid_server.properties core properties file, then update the following:

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

100

Description

Defines the maximum number of users returned in the search results. See Audit Sequence Settings.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

20

Description

Defines the maximum number of assets returned in the search results.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

100

Description

Defines the maximum number of audit log records returned in the search results.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

100

Description

Defines the maximum number of tokens returned in the search results. See Audit Sequence Settings

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

100

Description

Defines the maximum number of user asset transaction set privileges returned in the search results.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

150

Description

Defines the maximum number of device issuance requests returned in the search results.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

100

Description

Defines the maximum number of LDAP users returned in the search results.
Important: As these settings might impact the search result display performance in the ActivID Management Console, you can add a parameter in the mgtcons.properties file to restrict search limit to a value lower than the value set in activid_server.properties file.

The user or device search performed in the ActivID Management Console will take into account the limit set in mgtcons.properties file.

To configure User or Device search parameters for the ActivID Management Console, in the mgtcons.properties file, update the following:

# Max numbers of devices displayed by the Management Console. Note: This number is ignored if it is greater than the SEARCH_LIMIT_TOKEN (activid_server.properties)
# Uncomment to enable.
#com.actividentity.iasp.ui.maxdevicesearch=100
# Max numbers of users displayed by the Management Console. Note: This number is ignored if it is greater than the SEARCH_LIMIT_USER (activid_server.properties)
# Uncomment to enable.
#com.actividentity.iasp.ui.maxusersearch=100

Configure the Truststore Settings

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid_security.properties

Type

Default

Value

JKS

Description

Truststore file type defined during installation

Possible values:

  • JKS (default)
  • PKCS12

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid_security.properties

Type

Default

Value

none

Description

Truststore file path defined during installation

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid_security.properties

Type

Default

Value

none

Description

Truststore password defined during installation.

See Update the ActivID AS Applications Truststore Password

Configure the Audit Settings

See also Add a Custom Audit Adapter for details on deploying custom audit adapters.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

By default, the value is set to true (auditing is enabled).

Set this value to false to disable auditing on a server node and then restart the server node.

When audit is disabled, the operations will not generate audit records in the ActivID AS database.

Old audit records are still available in the database and can be accessed.

If you have multiple server nodes, this setting needs to be configured on each one. You do not need to apply the same configuration on all the nodes (that is, auditing can be disabled on some nodes and enabled on others).

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

^get\\S*,^search\\S*,hasFunctionPrivilege,isRFEConfigurationStale

Description

Defines the audit events that should not be stored in the database (to avoid filling the database with unnecessary events).

The value is a regular expression of EventID to exclude.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

sequencesAndMatchedRows

Description

Define the behavior for verifying the audit record during audit search (using the API or using the ActivID Management Console Reporting tab).

Possible values:

  • none – no audit verification will occur.

  • sequences – defines that only the sequential integrity of audit data will be verified.

  • allRows – defines that all audit data found within the search date range will be verified, regardless of other criteria.

  • sequencesAndMatchedRows – defines that the sequential integrity of audit data will be verified, in addition to audit data that matches all the search criteria.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

DESC

Description

Defines the search order on audit table, default is descending order (most recent records are returned).

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

True

Description

Defines if the audit log is tokenized (anonymized) to protect PII data. For further information about anonymization, see Protecting Personal Data with ActivID AS.

Possible values:

  • true (default)
  • false
Important: By default, in order to assist customers in meeting the requirements of certain data protection regulations, personal data in the audit log is tokenized/anonymized.

Disclaimer: If your organization requires audit log data to be detokenized for specific needs and usages, HID Global offers guidance in the form of APIs, sample code, and utilities, and it is recommended to adopt that approach while leaving the audit tokenization feature enabled.

Prior to disabling audit tokenization, it is recommended that you consult with your legal department to align with your organization’s policies with regard to the processing of personal data.

Audit Sequence Settings

Each ActivID AS instance is allocated a dedicated pool of audit sequences. For security reason this pool is limited in size (default limit is 100). To avoid contentions make sure that application server worker threads can always immediately acquire a free sequence.

The ActivID Authentication Server log files might indicate if the sequence pool has run out of available sequence generators. For example, "No more sequence generators: pool at max size of XX and pool empty" where XX is defined below”.

If this occurs, make sure the audit sequences matches the maximum number of worker threads allowed in the J2EE application server by setting the value of the SEQ_GEN_POOL_MAX_SIZE property.

It is recommended that the tuning of the application server (changing the threads etc.) should be done in parallel with this setting.

Also see the guidelines on tuning the system in the ActivID AS installation guide for your application server available from the ActivID Customer Portal.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

5

Description

Default sequence generator pool size.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

100

Description

Maximum number of allowed sequence generators.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

4

Description

When all the sequence generators are being used, ActivID Authentication Server allocates more sequence generators. The number specified here is the number of additional sequence generators that is allocated.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

Defines the synchronization method for sequence generation. If true, the database is used, else software is used.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

0

Description

Defines the retry period when all the sequence generators are being used.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

5

Description

Defines the number of retires when all the sequence generators are being used.

Audit Security Enhancements

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

Set this value to false to disable notifications when audit tampering is detected. Otherwise, set to true.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

50000

Description

Number of audit logs read from the database at one time. If you set this value to 1000, then ActivID Authentication Server verifies 1000 records at a time until it reaches the number of records to read for the specified period. If you set it too high, 100000 for example, then you might have insufficient memory issues.

The system configuration of the deployment determines whether this value can be increased or decreased.

In addition, the transaction timeout value of the application server might impact the verification of the audit logs. It is recommended that the entire database verification be performed offline and NOT through the user interface.

Audit Log Resilience

On a busy server, the audit log can grow quickly and, in some cases, can exceed the amount of space available for storing the audit data.

The ActivID AS might have sufficient data space available to continue its normal operations despite the failure of the audit log.

If the audit log has been overrun because of underestimating the space required for it, certain operations can continue working despite the fact that those calls will not be logged.

When the audit fails (for an authentication or administration operation), ActivID AS behavior depends on the configuration of the Resilience to Audit Log Failure properties (ALLOW_XXX_TO_PROCEED_WITHOUT_AUDIT_<DOMAIN>):

  • If the Resilience to Audit Log Failure is allowed:

  1. Write Audit log value to the following file:

    <ACTIVID_HOME>/ActivID_AS/servers/server_<n>/logs/activid-server-audit.log.<domain>

  1. Proceed as normal.

  • If the Resilience to Audit Log Failure is denied:

  1. Write Audit log value to the following file:

    <ACTIVID_HOME>/ActivID_AS/servers/server_<n>/logs/activid-server-audit.log.<domain>

  1. Prevent the operation.

If, during execution of the ActivID AS, the audit log begins to fail, use the following procedure to change the Resilience to Audit Log Failure (RALF) settings at runtime.

Note: You can configure this behavior separately for each security domain.

For each security domain configured on the ActivID AS instance, two properties can be added to the <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties file (illustrated with DOMAIN1 as the security domain):

File

activid.properties

Type

Optional

Value

none

Description

Defines if ActivID AS will allow authentication to the domain when the audit log fails:

  • When set to ALLOW, authentications will continue but they will not be audited.
  • When set to DENY, authentications will fail.

For example:

ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1=ALLOW

File

activid.properties

Type

Optional

Value

none

Description

Defines if ActivID AS will allow other configuration processes for the domain when the audit log fails:

  • When set to ALLOW, all other operations will continue but they will not be audited.
  • When set to DENY, all other operations will fail.

For example:

ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1=ALLOW
Note:

  • If the ALLOW_XXX properties are not defined, then the default value is DENY so both authentications and other configuration processes will fail if the audit log has failed.

  • As all operations require authentication, ALLOW_AUTHENTICATION must be set to ALLOW if you also set ALLOW_ADMINISTRATION to ALLOW.

Configure User Case Sensitivity

To configure User Case Sensitivity, set the CASE_SENSITIVE property to true.

To illustrate the case when the user case sensitivity is set to true, the following summary is used as an example:

  • The user “jdoe” is unable to authenticate if you enter “JDOE” in the login page username field, they can only authenticate if they enter “jdoe”.
  • The user “jdoe” is not returned in a user search if you enter “JDOE” in the search field, only if you enter “jdoe”.
  • You are able to create simultaneously a “JDOE” and a “jdoe” user.
Note: By default, user search and user authentication are not case-sensitive and the user case sensitivity is set to false. This means that:
  • The user “jdoe” can authenticate if you enter “JDOE” in the login page username field.
  • The user “jdoe” is returned in a user search if you enter “JDOE” in the search field.
  • You are unable to create simultaneously a “JDOE” and a “jdoe” user. A warning message appears reporting the user already exists.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

false

Description

User case-sensitivity configuration.

Configure Generic Dictionary to User Attribute Mapping

The user attribute mapping is used in the context of the Authorization Profiles Selection Rules.

Note:  

  • This mapping is shared by all security domains.

  • Setting FORCE_SERVER_GENERIC_RULE to true enables this mapping for generic dictionary attribute used in check before authorization profile rules when the comparison attribute selected in the check before rule is a static value. When the comparison attribute selected in the check before rule is dynamic (ActivID AS attribute), the check before attribute from generic dictionary is mapped to the attribute coming with the authentication request.

This is the default configuration.

When the setting is false, the check before attribute from generic dictionary is mapped to authentication request attribute.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

Defines if the attribute mapping defined below is used to force the mapping of generic attributes to ActivID AS attributes.

The following entries define the mapping of attributes that applies when FORCE_SERVER_GENERIC_RULE is true.

Property name Property value

Date-of-Birth

DOB

Title

TITLE

User-Type

USER_TYPE

Last-Success-Auth

LAST_AUTH

Type-Of-System

ATR_SYSTYP

E-Mail-Address

ATR_EMAIL

Mobile-Phone-Number

ATR_MOBILE

Address-Line-1

ADDRESS1

Address-Line-2

ADDRESS2

Address-Line-3

ADDRESS3

Address-Line-4

ADDRESS4

City

CITY

Post-Code

POSTCODE

First-Name

FIRSTNAME

Last-Name

LASTNAME

Custom-Attribute-1

 

Custom-Attribute-2

 

Custom-Attribute-3

 

Custom-Attribute-4

 

Custom-Attribute-5

 

Custom-Attribute-6

 

Custom-Attribute-7

 

Custom-Attribute-8

 

Custom-Attribute-9

 

Custom-Attribute-10

 
Note: When the “Property value” is not defined, any custom value can be set.

Configure the Default Status Category Workflow

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

UATSP

Description

Defines the default status category for the asset workflow.

Configure Adapter Settings

Add Adapter Definitions

In the activid_server.properties file, the following entries can be used to add new adapters to ActivID AS:

  • ADPTR.AUTHENTICATION.adptr%nb – authentication process adapters

  • ADPTR.AUTH_MANAGER.adptr%nb – authenticator management adapters

  • ADPTR.CREDENTIAL.adptr%nb – credential management adapters

  • ADPTR.OOB.adptr%nb – delivery gateways adapters

  • ADPTR.DEVICE.adptr%nb – device management adapters

  • ADPTR.DATASOURCE.adptr%nb – LDAP adapters

  • ADPTR.PROCS.adptr%nb – authentication pre or post-process adapters

  • ADPTR.USER_MANAGER.adptr%nb – user management adapters

  • ADPTR.DEVICE_IMPORT.adptr%nb – device import adapters

  • ADPTR.AUDIT.adptr%nb – adapters to handle audit event  notifications

  • ADPTR.ORGANIZATION.adptr%nb – organizations adapters

Copy 
################################################################################
#
# Adapters declaration
#
#################################################################################
#ADAPTER_TYPE_AUTHENTICATION: template ADPTR.AUTHENTICATION.adptr%nb
#ADPTR.AUTHENTICATION.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_AUTHENTICATION_MANAGER: template ADPTR.AUTH_MANAGER.adptr%nb
#ADPTR.AUTH_MANAGER.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_CREDENTIAL: template ADPTR.CREDENTIAL.adptr%nb
#ADPTR.CREDENTIAL.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_OOB: template ADPTR.OOB.adptr%nb
#ADPTR.OOB.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_DEVICE: template ADPTR.DEVICE.adptr%nb
#ADPTR.DEVICE.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_DATASOURCE: template ADPTR.DATASOURCE.adptr%nb
#ADPTR.DATASOURCE.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_PROCS: template ADPTR.PROCS.adptr%nb
#ADPTR.PROCS.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_USER_MANAGER: template ADPTR.USER_MANAGER.adptr%nb
#ADPTR.USER_MANAGER.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_DEVICE_IMPORT: template ADPTR.DEVICE_IMPORT.adptr%nb
#ADPTR.DEVICE_IMPORT.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_AUDIT: template ADPTR.AUDIT.adptr%nb
#ADPTR.AUDIT.adptr1=my.adapter.class.path
 
#ADAPTER_TYPE_ORGANIZATION: template ADPTR.ORGANIZATION.adptr%nb
#ADPTR.ORGANIZATION.adptr1=my.adapter.class.path

For example, to add a new custom device adapter with a Java implementation class name that is com.test.mydeviceadapter:

  1. Locate the #ADAPTER_TYPE_DEVICE: template ADPTR.DEVICE.adptr%nb entry.

  1. Add the following line using next available adapter number for the adapter template (for example, for the first device adapter, use adptr1) :

    ADPTR.DEVICE.adptr1=com.test.mydeviceadapter

For further information about developing new adapters, contact HID Global Technical Support.

Credential Adapters

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

It is possible to automatically resynchronize soft PIN-enabled devices by entering either OTP only, or soft PIN + OTP.

This flag can be set to false if you want to define that entering both the soft PIN and the generated OTP is mandatory to resynchronize soft PIN-enabled devices.

Import Device and Import Adapters

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

5

Description

Defines a tempo to wait between the devices import inside a batch. This avoids overloading the CPU by device import background task.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

*,*,0/10

Description

Configuration for scheduling Large Device Import timer.

Global Process Adapters Parameters

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

none

Description

Pre-process adapter configuration identifiers.

Used by the authenticate process. Allows to define the pre-process (before verification of the secret) adapters that will be activated during authentication.

Configuration identifiers can be retrieved using the public API getAdapterConfigurationsForType(), or created using createAdapterConfiguration().

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

none

Description

Post-process adapter configuration identifiers.

Used by the authenticate process. Allows to define the post-process (after verification of the secret) adapters that will be activated during authentication.

Configuration identifiers can be retrieved using the public API getAdapterConfigurationsForType(), or created using createAdapterConfiguration().

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

facsimileTelephonenumber

Description

Used by the AAAAutoBindProcessAdapter. Defines the LDAP attribute that stores the device serial number.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

10000

Description

Used by the LDAP adaptors. Defines the LDAP connection timeout.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

10000

Description

Used by the LDAP adaptors. Defines the LDAP read timeout.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

2000

Description

Used by the LDAP adaptors to define the LDAP search page size.

To add specific value for a directory type:

  • For Active Directory, use %ADAPTER_CODE% = AD_ADPT_CODE
    For example, LDAP_SEARCH_PAGE_SIZE_AD_ADPT_CODE=1000
  • For Novell E-directory, use %ADAPTER_CODE% = EDIR_ADPT_CODE
  • For Sun One Directory, use %ADAPTER_CODE% = SUN_ADPT_CODE

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

com.hid.ai.interceptor.LoggingInterceptor

Description

Adapter class to be invoked on UserManager calls. For example:

com.hid.ai.interceptor.LoggingInterceptor

Configure the Concurrent Login Policy

The Concurrent Login Policy enables you to limit active sessions to a single session at a time for a single user account. Concurrent Login Policy is configured globally per domain.

When the concurrent login policy is enabled, only one login session is permitted per user. Within the same browser session, different service providers/channels can be accessed for the same user account using the same session.

When the same user tries to access a service provider (for example, the ActivID Management Console) from another browser session, the authentication is denied as long as the other session remains opened. The user must wait until the other session is closed or is timed-out.

If a user tries to launch a concurrent login session, the error message “Login is denied. You cannot log on as long as your previous session remains open. Log out from the previous session or wait for the session to time out and try again” is displayed.

When LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAINX> is absent (the default and equivalent to false), then the ActivID Authentication Portal allows concurrent login.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

false

Description

Defines how the ActivID Authentication Portal manages concurrent login for the same user account, where <DOMAINX> is the domain name.

Possible values:

  • true
  • false

Configure the Direct Authentication Failure Response Details

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

all

Description

Define the level of details returned for direct authentication failure.

Possible values:

  • all – allows permissive responses for direct authentications (not safe), then exceptions and reason codes are returned

  • none – does not allow permissive responses for direct authentications (recommended), only a Response code is returned

Configure the RFE Forward Reasons Codes

The following codes are the RFE forward reasons codes that are enabled by default. The complete list of reason codes can be found in the ActivID AS API Javadoc documentation.

To modify the settings, update the values in the following properties.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

0 − Reason indicating that the authenticator could not be found

1 − Reason indicating that the authenticator is disabled

7 − Reason indicating that the authenticator is not yet valid

8 − Reason indicating that the authenticator is expired

15 − Reason indicating that the user was not found

19 − Reason indicating a password's maximum usages has been reached

20 − Reason indicating the device is not valid

23 − Reason indicating that no valid credentials were found

26 − Reason indicating that amount value for EMV CAP verification is invalid, It must not have decimal character and it should be a numeric value

Description

Defines the authentication RFE forward reason codes.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

1 − Reason indicating that challenge counter reached disable threshold

Description

Defines the challenge RFE forward reason codes.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

1200 − A user with the specified code (external reference) could not be found

1261 − A device with the specified ID could not be found

1270 − An authenticator could not be found

6058 − There was no active device on the authenticator

6200 − No active authenticator was found for dynamic authenticator selection get Challenge request

6201 − No active authenticator was found for dynamic authenticator selection Device Authentication request

6202 − No active authenticator was found for dynamic authenticator selection UP Authentication request

Description

Defines the error RFE forward reason codes.

Configure the ActivID SCIM Settings

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/ac-4tress-scim.properties

Type

Default

Value

CH_DIRECT

Description

Defines the ActivID AS channel (default CH_DIRECT) used by SCIM API endpoints to interact with ActivID AS server. This channel must be allowed for the user performing the SCIM API call.

Configure the Safeguarded Critical Entities Settings

Several critical ActivID AS system entities are safeguarded against updates that could interfere with the system stability or access.

To edit these entities, you must have a higher level of privilege defined by the OVRD_SAFEGUARD (Override Safeguard) permission that is only assigned to ActivID AS administrators (in the ActivID Administration Functions permission set).

The Safeguard check is performed for the following operations:

  • Delete or update of Authentication Types

  • Delete or update of Device Types

  • Delete Roles

You can define the comma-separated list of protected entities in the SAFEGUARDED_ENTITIES_CODES.

For example:

SAFEGUARDED_ENTITIES_CODES=DT_TDSV4,AT_TDS

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties

Type

Default

Value

none

Description

Defines the set of resources (as a comma-separated list of protected entities) that are critical to the system and that should only be edited by ActivID AS users with a higher level of privilege. Comma-separated list of protected entities

Configure the Certificate Validation Settings

You can define the settings to check the trust chain of client certificate on import and certificate revocation status for PKI C/R authentication.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

15

Description

TCP connection timeout in seconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

10

Description

TCP read timeout in seconds.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

10

Description

For performance reasons, certificate revocation lists (CRL) are cached.

Defines the validity of cached CRL responses in hours.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

10

Description

For performance reasons, Online Certificate Status Protocol (OCSP) responses concerning intermediate CA certificates are cached.

Defines the validity of cached OCSP responses in hours.

This setting only applies to responses for intermediate CA certificates. OCSP responses for end-user certificates are not cached.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

30

Description

Defines the black list period for URLs of unreachable CDP or OCSP responders in seconds.

During this period, the system will failover, if available, to the redundant URL.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

Defines if certificate revocation check is performed at authentication time.

If the certificate revocation status is already checked at the TLS termination, you do not need to perform this check at authentication.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

Defines if certificate revocation check is performed when importing certificates.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

Defines if the certificate path validation is disabled for any legacy certificates credentials that could not be validated (due to missing intermediate certificates).

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

false

Description

As many OCSP responders do not use the nonce to create a different response for each request, you can disable the nonce verification.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

OCSP and CRL can both be used to check the revocation status of a certificate.

If both methods are available, defines if OCSP is the preferred method.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

If a forward proxy is configured, web-based (not LDAP) CRL downloads and OCSP requests will use this proxy by default.

To use a local OCSP responders or CRL Distribution Points, set this setting to false.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

true

Description

By default OCSP requests use SHA256-based certificate ID. In case of compatibility issues, you might have to use SHA1 certificate ID by setting this to false.

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

none

Description

By default, there is no restriction on the OCSP response signature algorithms.

Specifies a comma separated list of valid OCSP response signature algorithm OID (see RFC 2313).

File

<ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type

Default

Value

none

Description

Specifies a comma-separated list of redundant CDP URLs that will be used in place of the CDPs defined in the certificates.

Configure the EMV Card Import Settings

You can customize the EMV card profile settings that ActivID AS uses to import EMV cards.

The profiles are properties that are defined in the emvCardImportDefaults.properties file (in <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/) and contain a minimum set of card and key data that is applied to all cards associated to that profile:

  • IIPB – Internet Proprietary Bitmap

  • masterKeyLabel – string label name of the master key from which the card keys will be derived

  • AIP – Application Interchange Profile

  • CVR – Cardholder Verification Results

  • IAF – Internet Application Flags

  • Additional definitions required by the EMV CAP specification for verification:

    • terminalCountryCode
    • terminalVerificationResult
    • transactionCurrencyCode
    • transactionDate
    • ATC – Application Transaction Counter
    • CVN – Cryptogram Version Number

  • Additional definitions required by ActivID AS for EMV CAP specification for verification:

    • authType
    • authVersion
    • CVRMask
    • extendedCVRMask
    • truncatedARQCLength
    • truncatedATCLength

For example, you could create a profile called EMVProfile1 with the following configuration:

Copy 
EMVProfile1.IIPB=8000FFFFFF00000000000000000000000000
EMVProfile1.masterKeyLabel=masterkey123
EMVProfile1.AIP=1000
EMVProfile1.CVR=03A49000
EMVProfile1.IAF=00
EMVProfile1.terminalCountryCode=0000
EMVProfile1.terminalVerificationResult=8000000000
EMVProfile1.transactionCurrencyCode=0000
EMVProfile1.transactionDate=010101
EMVProfile1.ATC=0000
EMVProfile1.CVN=0A
EMVProfile1.authType=1
EMVProfile1.authVersion=0
EMVProfile1.CVRMask=0000
EMVProfile1.extendedCVRMask=00
EMVProfile1.truncatedARQCLength=5
EMVProfile1.truncatedATCLength=3