Configuring the ActivID AS Properties
The principal ActivID AS properties are contained in the system configuration files. The following sections provide guidelines for the settings contained in these files.
It is recommended that you contact HID Global Technical Support before modifying these properties.
Properties Files
The properties of the ActivID AS system (applications and features) are organized in the following .properties files that are called by ActivID AS.
All entries are commented with the default values.
For details about each property, refer to the property’s comments.
Location: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/
- ac-4tress-scim.properties - configuration of the ActivID AS SCIM API
- activid_server.properties
- srvlog4j.xml - to change the logging level, see Logging
- emvCardImportDefaults.properties - see Configure the EMV Card Import Settings
- The following properties files define the validation strategy for parameter values passed to ActivID AS public API methods:
  - validation.properties
  - inputValidationFilters.properties
  Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
Location: <ACTIVID_HOME>/ActivID_AS/applications/resources/ap/
- samlidp.properties - see Configure the ActivID Identity Provider
- csrfguard.properties - defines the security settings for the protection of the IdP against Cross-Site Request Forgery attacks.
  Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
- The following properties files define the validation of the input fields in the ActivID IdP screens:
  - validation.properties
  - inputValidationFilters.properties
  Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
Location: <ACTIVID_HOME>/ActivID_AS/applications/resources/mc/
- mgtcons.properties - user and device search parameters, see Configure the Search Limits
- mclog4j.xml - to change the logging level, see Logging
- csrfguard.properties - defines the security settings for the protection of the ActivID Management Console against Cross-Site Request Forgery attacks.
  Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
- The following properties files define the validation of the input fields in the ActivID Management Console screens:
  - validation.properties
  - inputValidationFilters.properties
  Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
Location: <ACTIVID_HOME>/ActivID_AS/applications/resources/ssp/
- ssp.properties - see Configure the Portal Settings
- ssplog4j.xml - to change the logging level, see Logging
- ssp_devicetypes.properties
- csrfguard.properties - defines the security settings for the protection of the Self-Service Portal against Cross-Site Request Forgery attacks.
  Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
- The following properties files define the validation of the input fields in the Self-Service Portal screens:
  - validation.properties
  - inputValidationFilters.properties
  Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
Location: <ACTIVID_HOME>/ActivID_AS/config/
- ActivID.keystore - contains the ActivID Authentication Portal SAML certificates (see Update the ActivID IdP Certificates)
- SYSUSERS.keystore - contains the certificates of the ActivID AS applications' internal system users (see System Recovery and Update the ActivID AS Applications Keystore Password)
  For software keystore deployments, this keystore also contains the ActivID AS encryption/signature keys (see Managing the System Encryption).
Location: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/
- activid.properties - defines the hostnames and ports for the ActivID Authentication Web Services address and the ActivID Authentication Services public address
- activid_security.properties - defines the Truststore settings
- ESAPI.properties - defines the global settings for input validation in all ActivID AS applications
  Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
Modify a Property
1. To modify the properties, it is recommended that you first Generate a Customization Package.
2. Modify the relevant properties in the generated configuration files of the customization package (and not the original properties files on the file system).
3. Restart the server.
To change the default behavior, uncomment the property and set your required value.
Configure the Authentication Services Settings
You can configure the hostname and port for the ActivID Authentication Services and ActivID Authentication Web Services.
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties

Type | Value | Description
---|---|---
Default | <hostname> | ActivID Authentication Services public hostname (depending on the deployment topology, it refers to the proxy address or the ActivID Authentication Services address).
Default | 8445 | ActivID Authentication Services public port (depending on the deployment topology, it refers to the proxy port or the ActivID Authentication Services port). Possible values:
Default | <hostname> | The hostname (fully qualified domain name) used to connect to the ActivID Authentication Web Services from this node.
Default | 8445 | HTTPS port used to connect to the ActivID Authentication Web Services from this node. This is typically the:
See also:
- Update the HTTPS Ports or Proxy Hostname/Ports
- Configure Forward Proxy Support
- Configure the Safeguarded Critical Entities Settings
Configure the Cache Settings
To enhance performance when retrieving business configuration data from the database, ActivID AS can be configured to cache this data for a period of time.
With this mechanism, objects are read from the database only when they have been updated since the last access; in that case, the corresponding cache value is also updated.
Therefore, in a single server node deployment, the cache values are always synchronized with the database objects.
For cache synchronization across several nodes, ActivID AS stores cache timestamps in the database, allowing all nodes to check whether they need to refresh their local cache values when an object has been created, updated or deleted in the database by another node.
For example, if an adapter configuration is created, updated or deleted on one server node, that node updates the corresponding cache timestamp in the database, allowing the other nodes to refresh their local caches (by comparing the local cache timestamp with the timestamp in the database).
To avoid reading the cache timestamps from the database at every request, server nodes read this value, by default, every 10 seconds (defined by the CACHE_TIMESTAMPS_REFRESH_INTERVAL property). This value therefore represents the maximum latency before an object change becomes visible across all server nodes.
Cached objects are discarded from the cache if they are not accessed during the period defined by the following cache timeout values. This reduces the memory footprint for objects that are rarely used, including unused security domains.
The timeout values (normally in milliseconds) for these caches indicate when this data is discarded. Any entry in the activid_server.properties file whose property name ends with _CACHE_TIMEOUT can be altered to change how long the data is cached.
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Property | Type | Value | Description
---|---|---|---
CACHE_TIMESTAMPS_REFRESH_INTERVAL | Default | 10000 | Defines the interval (in milliseconds) between each refresh of the local node cache timestamp with the corresponding value of the global cache timestamp.

The following cache values are discarded if not used for the duration given by their timeout:

Type | Value | Description
---|---|---
Default | 3600000 | Assets set cache timeout in milliseconds.
Default | 3600000 | Function set (Permission set) cache timeout in milliseconds.
Default | 3600000 | Authentication Type (Authentication Policy) cache timeout in milliseconds.
Default | 3600000 | Memorable data group cache timeout in milliseconds.
Default | 3600000 | Memorable data prompt cache timeout in milliseconds.
Default | 3600000 | Device Type cache timeout in milliseconds.
Default | 3600000 | Transaction Set cache timeout in milliseconds.
Default | 3600000 | Group function privilege cache timeout in milliseconds.
Default | 3600000 | Group Transaction privilege cache timeout in milliseconds.
Default | 3600000 | Authentication adapter cache timeout in milliseconds.
Default | 3600000 | Authentication manager adapter cache timeout in milliseconds.
Default | 3600000 | Channel cache timeout in milliseconds.
Default | 3600000 | LDAP connection pool timeout in milliseconds.
Default | 3600000 | Role function privilege cache timeout in milliseconds.
Default | 3600000 | Role transaction privilege cache timeout in milliseconds.
Default | 3600000 | Transaction cache timeout in milliseconds.
Default | 3600000 | Status transition cache timeout in milliseconds.
Default | 3600000 | Adapter configuration cache timeout in milliseconds.
Default | 3600000 | Group structure cache timeout in milliseconds.
Default | 3600000 | Dictionary cache timeout in milliseconds.
Default | 86400000 | Mail session cache timeout in milliseconds.

The following cache value is discarded after the period defined by the timeout (even if accessed), which forces a refresh of the cache value:

Type | Value | Description
---|---|---
Default | 3600000 | Trust store cache timeout in milliseconds. The trust store is where all the public certificates for external systems are stored.
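The cache rules above (a per-node copy of the global cache timestamps re-read at most every CACHE_TIMESTAMPS_REFRESH_INTERVAL, idle-timeout caches versus the forced-refresh trust store cache) as an added model written for this page; it is not ActivID AS code, and the database, node and object names are constructed for the illustration:

```python
"""Model of the ActivID AS cache rules described above (added illustration,
not product code). All times are in milliseconds, as in the properties."""
from dataclasses import dataclass, field


@dataclass
class SharedDb:
    """Constructed stand-in for the database: objects plus one timestamp per cache."""
    objects: dict = field(default_factory=dict)
    stamps: dict = field(default_factory=dict)  # cache name -> time of last change

    def update(self, cache, key, value, now):
        """A node creating/updating an object also bumps that cache's global timestamp."""
        self.objects[(cache, key)] = value
        self.stamps[cache] = now


class NodeCache:
    """Local cache of one server node.

    refresh_interval: CACHE_TIMESTAMPS_REFRESH_INTERVAL (default 10000 ms)
    timeout:          a *_CACHE_TIMEOUT value (default 3600000 ms)
    force_refresh:    False = discard when idle for `timeout` (most caches);
                      True  = discard `timeout` after load even if accessed (trust store)
    """

    def __init__(self, db, refresh_interval=10_000, timeout=3_600_000, force_refresh=False):
        self.db = db
        self.refresh_interval = refresh_interval
        self.timeout = timeout
        self.force_refresh = force_refresh
        self.local_stamps = {}       # cache name -> global timestamp seen at last check
        self.last_stamp_check = None
        self.entries = {}            # (cache, key) -> [value, loaded_at, last_access]
        self.db_reads = 0

    def _maybe_refresh_stamps(self, now):
        """Compare local and global cache timestamps, at most once per refresh interval."""
        if self.last_stamp_check is not None and now - self.last_stamp_check < self.refresh_interval:
            return
        self.last_stamp_check = now
        for cache, stamp in self.db.stamps.items():
            if self.local_stamps.get(cache) != stamp:
                # Another node changed this cache's objects: drop the stale local entries.
                for k in [k for k in self.entries if k[0] == cache]:
                    del self.entries[k]
                self.local_stamps[cache] = stamp

    def get(self, cache, key, now):
        self._maybe_refresh_stamps(now)
        entry = self.entries.get((cache, key))
        if entry is not None:
            value, loaded_at, last_access = entry
            age = now - loaded_at if self.force_refresh else now - last_access
            if age < self.timeout:
                entry[2] = now               # record the access (matters for idle timeouts)
                return value
            del self.entries[(cache, key)]   # expired: fall through to a database read
        self.db_reads += 1
        value = self.db.objects[(cache, key)]
        self.entries[(cache, key)] = [value, now, now]
        return value


def cross_node_demo():
    """Node A updates an adapter configuration at t=1 s; what does node B see at 0, 5 and 10 s?"""
    db = SharedDb()
    db.update("adapter_config", "ldap1", "v1", now=0)
    node_b = NodeCache(db)
    seen = [node_b.get("adapter_config", "ldap1", now=0)]
    db.update("adapter_config", "ldap1", "v2", now=1_000)           # done by node A
    seen.append(node_b.get("adapter_config", "ldap1", now=5_000))   # still v1: stamps not re-read yet
    seen.append(node_b.get("adapter_config", "ldap1", now=10_000))  # interval elapsed: v2
    return seen, node_b.db_reads


def timeout_demo():
    """Accessing an entry every minute for an hour: the idle-timeout cache keeps it,
    the forced-refresh (trust store style) cache reloads it once the timeout has elapsed."""
    db = SharedDb()
    db.update("device_type", "t1", "x", now=0)
    idle = NodeCache(db)
    forced = NodeCache(db, force_refresh=True)
    for t in range(0, 3_600_001, 60_000):
        idle.get("device_type", "t1", now=t)
        forced.get("device_type", "t1", now=t)
    return idle.db_reads, forced.db_reads


if __name__ == "__main__":
    print(cross_node_demo())   # (['v1', 'v1', 'v2'], 2)
    print(timeout_demo())      # (1, 2)
```

The second read in cross_node_demo is the worst case the text describes: a change made by another node stays invisible for up to one refresh interval.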
Configure the Search Limits
Searches performed in the ActivID AS portals can place a large load on the application, so the number of records displayed should be limited to a reasonable size. The ActivID Authentication Server provides a mechanism to limit the number of records that can be returned from the database. Returning larger result sets strains the server both in terms of memory (the result set must be kept) and in terms of HSM load, since ActivID AS verifies the data signature of each record.
If searches are slow, or there are 'out of memory' errors on the ActivID Authentication Server application server instance nodes, you might need to adjust the search limits.
It is recommended that the search limits (properties whose names start with SEARCH_) be kept to a reasonable size (such as the default values).
For example, to configure the user or device search parameters, select the customizable activid_server.properties core properties file, then update the following:
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type | Value | Description
---|---|---
Default | 100 | Defines the maximum number of users returned in the search results (the SEARCH_LIMIT_USER limit referenced by mgtcons.properties). See Audit Sequence Settings.
Default | 20 | Defines the maximum number of assets returned in the search results.
Default | 100 | Defines the maximum number of audit log records returned in the search results.
Default | 100 | Defines the maximum number of tokens returned in the search results (the SEARCH_LIMIT_TOKEN limit referenced by mgtcons.properties). See Audit Sequence Settings.
Default | 100 | Defines the maximum number of user asset transaction set privileges returned in the search results.
Default | 150 | Defines the maximum number of device issuance requests returned in the search results.
Default | 100 | Defines the maximum number of LDAP users returned in the search results.
The user or device search performed in the ActivID Management Console also takes into account the limit set in the mgtcons.properties file.
To configure the user or device search parameters for the ActivID Management Console, update the following entries in the mgtcons.properties file:

```properties
# Max numbers of devices displayed by the Management Console. Note: This number is ignored if it is greater than the SEARCH_LIMIT_TOKEN (activid_server.properties)
# Uncomment to enable.
#com.actividentity.iasp.ui.maxdevicesearch=100
# Max numbers of users displayed by the Management Console. Note: This number is ignored if it is greater than the SEARCH_LIMIT_USER (activid_server.properties)
# Uncomment to enable.
#com.actividentity.iasp.ui.maxusersearch=100
```
Configure the Truststore Settings
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid_security.properties

Type | Value | Description
---|---|---
Default | JKS | Truststore file type defined during installation. Possible values:
Default | none | Truststore file path defined during installation.
Default | none | Truststore password defined during installation.
Configure the Audit Settings
See also Add a Custom Audit Adapter for details on deploying custom audit adapters.
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type | Value | Description
---|---|---
Default | true | By default, the value is set to true (auditing is enabled). Set this value to false to disable auditing on a server node, then restart the server node. When auditing is disabled, operations do not generate audit records in the ActivID AS database; old audit records remain available in the database and can still be accessed. If you have multiple server nodes, this setting must be configured on each one. The configuration does not need to be the same on all nodes (that is, auditing can be disabled on some nodes and enabled on others).
Default | ^get\\S*,^search\\S*,hasFunctionPrivilege,isRFEConfigurationStale | Defines the audit events that are not stored in the database (to avoid filling the database with unnecessary events). The value is a regular expression of EventIDs to exclude.
Default | sequencesAndMatchedRows | Defines the behavior for verifying the audit records during an audit search (using the API or the ActivID Management Console Reporting tab). Possible values:
Default | DESC | Defines the search order on the audit table; the default is descending order (the most recent records are returned first).
Default | True | Defines whether the audit log is tokenized (anonymized) to protect PII data. For further information about anonymization, see Protecting Personal Data with ActivID AS. Possible values:
Disclaimer: If your organization requires audit log data to be detokenized for specific needs and usages, HID Global offers guidance in the form of APIs, sample code, and utilities, and it is recommended to adopt that approach while leaving the audit tokenization feature enabled.
Prior to disabling audit tokenization, it is recommended that you consult with your legal department to align with your organization’s policies with regard to the processing of personal data.
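How the audit exclusion list shown above filters event IDs, as an added example that is not HID code. It assumes the value is a comma-separated list of regular expressions, each applied with re.search, and it first undoes the .properties backslash escaping (which is why the file writes \\S to obtain the regex class \S); the sample event IDs are constructed:

```python
"""Added example (not HID code): applying an audit EventID exclusion list."""
import re

# The default value as it appears on the page (a raw .properties line value).
DEFAULT_EXCLUDE_VALUE = r"^get\\S*,^search\\S*,hasFunctionPrivilege,isRFEConfigurationStale"


def unescape_properties_value(raw: str) -> str:
    r"""Apply the java.util.Properties backslash rules: \\ -> \ , \t \n \r \f -> the
    control character, and any other escaped character -> that character (so a bare
    \S in the file would become S, which is why the regex class must be written \\S).
    Unicode escapes (\uXXXX) are not handled by this simplified version."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append(simple.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def compile_exclusions(raw_value: str):
    """Split the unescaped value on commas and compile each pattern (assumed format)."""
    return [re.compile(p) for p in unescape_properties_value(raw_value).split(",") if p]


def is_excluded(event_id: str, patterns) -> bool:
    """An event is excluded when any pattern matches somewhere in its ID (assumed semantics)."""
    return any(p.search(event_id) for p in patterns)


def partition_events(event_ids, raw_value=DEFAULT_EXCLUDE_VALUE):
    """Return (stored, excluded) event IDs under the given property value."""
    patterns = compile_exclusions(raw_value)
    stored = [e for e in event_ids if not is_excluded(e, patterns)]
    excluded = [e for e in event_ids if is_excluded(e, patterns)]
    return stored, excluded


# Constructed sample of event IDs (not taken from a real audit log).
SAMPLE_EVENTS = [
    "getUser", "searchDevices", "hasFunctionPrivilege", "isRFEConfigurationStale",
    "authenticate", "createUser", "resetPassword",
    "hasFunctionPrivilegeBatch",   # unanchored pattern: also excluded by substring match
]

if __name__ == "__main__":
    stored, excluded = partition_events(SAMPLE_EVENTS)
    print("stored:  ", stored)     # ['authenticate', 'createUser', 'resetPassword']
    print("excluded:", excluded)
```

The last sample event shows why a pattern added to this list should be anchored (^...$) unless a substring match is intended: an unanchored name silently drops every event ID that contains it.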
Audit Sequence Settings
Each ActivID AS instance is allocated a dedicated pool of audit sequences. For security reasons, this pool is limited in size (the default limit is 100). To avoid contention, make sure that the application server worker threads can always immediately acquire a free sequence.
The ActivID Authentication Server log files might indicate that the sequence pool has run out of available sequence generators, for example: "No more sequence generators: pool at max size of XX and pool empty", where XX is the maximum defined below.
If this occurs, make sure that the number of audit sequences matches the maximum number of worker threads allowed in the J2EE application server by setting the value of the SEQ_GEN_POOL_MAX_SIZE property.
It is recommended that the tuning of the application server (changing the number of threads, and so on) be done in parallel with this setting.
See also the guidelines on tuning the system in the ActivID AS installation guide for your application server, available from the ActivID Customer Portal.
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type | Value | Description
---|---|---
Default | 5 | Default (initial) sequence generator pool size.
Default | 100 | Maximum number of allowed sequence generators (SEQ_GEN_POOL_MAX_SIZE).
Default | 4 | When all the sequence generators are in use, ActivID Authentication Server allocates more of them. The number specified here is the number of additional sequence generators allocated at a time.
Default | true | Defines the synchronization method for sequence generation. If true, the database is used; otherwise software synchronization is used.
Default | 0 | Defines the retry period when all the sequence generators are in use.
Default | 5 | Defines the number of retries when all the sequence generators are in use.
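The pool sizing rules from this section (initial size 5, growth by 4 when exhausted, hard limit SEQ_GEN_POOL_MAX_SIZE, then a bounded number of retries) as an added model that is not product code; the exact retry and waiting behaviour of the server is not stated on the page and is an assumption here, as is the simulated log line:

```python
"""Added model (not ActivID AS code) of audit sequence generator pool exhaustion."""
import time


class SequencePoolExhausted(RuntimeError):
    pass


class AuditSequencePool:
    def __init__(self, initial_size=5, max_size=100, increment=4, retries=5, retry_period_ms=0):
        self.max_size = max_size            # SEQ_GEN_POOL_MAX_SIZE
        self.increment = increment          # generators added when the pool runs dry
        self.retries = retries
        self.retry_period_ms = retry_period_ms
        self.created = 0                    # generators allocated so far (never exceeds max_size)
        self.free = []                      # generators not currently held by a worker thread
        self.log = []                       # constructed stand-in for the server log file
        self._grow(initial_size)

    def _grow(self, n):
        """Allocate up to n more generators, capped at max_size; returns how many were added."""
        n = min(n, self.max_size - self.created)
        for _ in range(n):
            self.created += 1
            self.free.append(f"seq{self.created}")
        return n

    def acquire(self):
        """Hand a free generator to a worker thread, growing the pool when needed.
        Retry semantics (assumed): wait retry_period_ms, then look again, up to `retries` times."""
        for _attempt in range(self.retries + 1):
            if self.free:
                return self.free.pop()
            if self._grow(self.increment):
                continue
            # Pool is at its maximum and empty: wait the retry period for a release.
            time.sleep(self.retry_period_ms / 1000)
        self.log.append(f"No more sequence generators: pool at max size of {self.max_size} and pool empty")
        raise SequencePoolExhausted(self.log[-1])

    def release(self, seq):
        self.free.append(seq)


def simulate_peak(concurrent_threads, max_size=100):
    """Every worker thread holds one generator at the peak. Returns
    (generators allocated, threads that could not get one, last log line or None)."""
    pool = AuditSequencePool(max_size=max_size)
    held, failed = [], 0
    for _ in range(concurrent_threads):
        try:
            held.append(pool.acquire())
        except SequencePoolExhausted:
            failed += 1
    for seq in held:            # threads finish and return their generators
        pool.release(seq)
    return pool.created, failed, (pool.log[-1] if pool.log else None)


if __name__ == "__main__":
    print(simulate_peak(150))                 # 150 threads against the default limit of 100
    print(simulate_peak(150, max_size=150))   # limit raised to match the thread count
```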
Audit Security Enhancements
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type | Value | Description
---|---|---
Default | true | Set this value to false to disable notifications when audit tampering is detected; otherwise, leave it set to true.
Default | 50000 | Number of audit logs read from the database at one time. If you set this value to 1000, ActivID Authentication Server verifies 1000 records at a time until it reaches the number of records to read for the specified period. If you set it too high (100000, for example), you might run into insufficient memory issues. The system configuration of the deployment determines whether this value can be increased or decreased. In addition, the transaction timeout value of the application server might impact the verification of the audit logs. It is recommended that the entire database verification be performed offline and NOT through the user interface.
Audit Log Resilience
On a busy server, the audit log can grow quickly and, in some cases, can exceed the amount of space available for storing the audit data.
The ActivID AS might have sufficient data space available to continue its normal operations despite the failure of the audit log.
If the audit log has been overrun because of underestimating the space required for it, certain operations can continue working despite the fact that those calls will not be logged.
When the audit fails (for an authentication or administration operation), ActivID AS behavior depends on the configuration of the Resilience to Audit Log Failure properties (ALLOW_XXX_TO_PROCEED_WITHOUT_AUDIT_<DOMAIN>):
- If Resilience to Audit Log Failure is allowed:
  1. Write the audit log value to the following file:
     <ACTIVID_HOME>/ActivID_AS/servers/server_<n>/logs/activid-server-audit.log.<domain>
  2. Proceed as normal.
- If Resilience to Audit Log Failure is denied:
  1. Write the audit log value to the following file:
     <ACTIVID_HOME>/ActivID_AS/servers/server_<n>/logs/activid-server-audit.log.<domain>
  2. Prevent the operation.
If, during execution of the ActivID AS, the audit log begins to fail, use the following procedure to change the Resilience to Audit Log Failure (RALF) settings at runtime.
For each security domain configured on the ActivID AS instance, two properties can be added to the <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties file (illustrated with DOMAIN1 as the security domain):
File: activid.properties

Property | Type | Value | Description
---|---|---|---
ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_<DOMAIN> | Optional | none | Defines whether ActivID AS allows authentication to the domain when the audit log fails. For example: ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1=ALLOW
ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_<DOMAIN> | Optional | none | Defines whether ActivID AS allows other configuration processes for the domain when the audit log fails. For example: ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1=ALLOW

- If the ALLOW_XXX properties are not defined, the default value is DENY, so both authentications and other configuration processes fail if the audit log has failed.
- As all operations require authentication, ALLOW_AUTHENTICATION must be set to ALLOW if you also set ALLOW_ADMINISTRATION to ALLOW.
Configure User Case Sensitivity
To configure user case sensitivity, set the CASE_SENSITIVE property to true.
The following summary illustrates the behavior for each setting.
When CASE_SENSITIVE is true:
- The user “jdoe” cannot authenticate if you enter “JDOE” in the login page username field; they can only authenticate if they enter “jdoe”.
- The user “jdoe” is not returned in a user search if you enter “JDOE” in the search field, only if you enter “jdoe”.
- You can create both a “JDOE” and a “jdoe” user at the same time.
When CASE_SENSITIVE is false (the default):
- The user “jdoe” can authenticate if you enter “JDOE” in the login page username field.
- The user “jdoe” is returned in a user search if you enter “JDOE” in the search field.
- You cannot create both a “JDOE” and a “jdoe” user. A warning message appears reporting that the user already exists.

File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Property | Type | Value | Description
---|---|---|---
CASE_SENSITIVE | Default | false | User case-sensitivity configuration.
Configure Generic Dictionary to User Attribute Mapping
The user attribute mapping is used in the context of the Authorization Profiles Selection Rules.
This mapping is shared by all security domains.
Setting FORCE_SERVER_GENERIC_RULE to true enables this mapping for the generic dictionary attribute used in a check-before authorization profile rule when the comparison attribute selected in the rule is a static value. When the comparison attribute selected in the rule is dynamic (an ActivID AS attribute), the check-before attribute from the generic dictionary is mapped to the attribute that comes with the authentication request.
This is the default configuration.
When the setting is false, the check-before attribute from the generic dictionary is mapped to the authentication request attribute.
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Property | Type | Value | Description
---|---|---|---
FORCE_SERVER_GENERIC_RULE | Default | true | Defines if the attribute mapping defined below is used to force the mapping of generic attributes to ActivID AS attributes.

The following entries define the mapping of attributes that applies when FORCE_SERVER_GENERIC_RULE is true.

Property name | Property value
---|---
Date-of-Birth | DOB
Title | TITLE
User-Type | USER_TYPE
Last-Success-Auth | LAST_AUTH
Type-Of-System | ATR_SYSTYP
E-Mail-Address | ATR_EMAIL
Mobile-Phone-Number | ATR_MOBILE
Address-Line-1 | ADDRESS1
Address-Line-2 | ADDRESS2
Address-Line-3 | ADDRESS3
Address-Line-4 | ADDRESS4
City | CITY
Post-Code | POSTCODE
First-Name | FIRSTNAME
Last-Name | LASTNAME
Custom-Attribute-1 | 
Custom-Attribute-2 | 
Custom-Attribute-3 | 
Custom-Attribute-4 | 
Custom-Attribute-5 | 
Custom-Attribute-6 | 
Custom-Attribute-7 | 
Custom-Attribute-8 | 
Custom-Attribute-9 | 
Custom-Attribute-10 | 
Configure the Default Status Category Workflow
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties

Type | Value | Description
---|---|---
Default | UATSP | Defines the default status category for the asset workflow.
Configure Adapter Settings
Add Adapter Definitions
In the activid_server.properties file, the following entries can be used to add new adapters to ActivID AS:
-
ADPTR.AUTHENTICATION.adptr%nb – authentication process adapters
-
ADPTR.AUTH_MANAGER.adptr%nb – authenticator management adapters
-
ADPTR.CREDENTIAL.adptr%nb – credential management adapters
-
ADPTR.OOB.adptr%nb – delivery gateways adapters
-
ADPTR.DEVICE.adptr%nb – device management adapters
-
ADPTR.DATASOURCE.adptr%nb – LDAP adapters
-
ADPTR.PROCS.adptr%nb – authentication pre or post-process adapters
-
ADPTR.USER_MANAGER.adptr%nb – user management adapters
-
ADPTR.DEVICE_IMPORT.adptr%nb – device import adapters
-
ADPTR.AUDIT.adptr%nb – adapters to handle audit event notifications
-
ADPTR.ORGANIZATION.adptr%nb – organizations adapters
################################################################################
#
# Adapters declaration
#
#################################################################################
#ADAPTER_TYPE_AUTHENTICATION: template ADPTR.AUTHENTICATION.adptr%nb
#ADPTR.AUTHENTICATION.adptr1=my.adapter.class.path
#ADAPTER_TYPE_AUTHENTICATION_MANAGER: template ADPTR.AUTH_MANAGER.adptr%nb
#ADPTR.AUTH_MANAGER.adptr1=my.adapter.class.path
#ADAPTER_TYPE_CREDENTIAL: template ADPTR.CREDENTIAL.adptr%nb
#ADPTR.CREDENTIAL.adptr1=my.adapter.class.path
#ADAPTER_TYPE_OOB: template ADPTR.OOB.adptr%nb
#ADPTR.OOB.adptr1=my.adapter.class.path
#ADAPTER_TYPE_DEVICE: template ADPTR.DEVICE.adptr%nb
#ADPTR.DEVICE.adptr1=my.adapter.class.path
#ADAPTER_TYPE_DATASOURCE: template ADPTR.DATASOURCE.adptr%nb
#ADPTR.DATASOURCE.adptr1=my.adapter.class.path
#ADAPTER_TYPE_PROCS: template ADPTR.PROCS.adptr%nb
#ADPTR.PROCS.adptr1=my.adapter.class.path
#ADAPTER_TYPE_USER_MANAGER: template ADPTR.USER_MANAGER.adptr%nb
#ADPTR.USER_MANAGER.adptr1=my.adapter.class.path
#ADAPTER_TYPE_DEVICE_IMPORT: template ADPTR.DEVICE_IMPORT.adptr%nb
#ADPTR.DEVICE_IMPORT.adptr1=my.adapter.class.path
#ADAPTER_TYPE_AUDIT: template ADPTR.AUDIT.adptr%nb
#ADPTR.AUDIT.adptr1=my.adapter.class.path
#ADAPTER_TYPE_ORGANIZATION: template ADPTR.ORGANIZATION.adptr%nb
#ADPTR.ORGANIZATION.adptr1=my.adapter.class.path
For example, to add a new custom device adapter whose Java implementation class name is com.test.mydeviceadapter:
- Locate the #ADAPTER_TYPE_DEVICE: template ADPTR.DEVICE.adptr%nb entry.
- Add the following line, using the next available adapter number for that adapter template (for example, adptr1 for the first device adapter):
ADPTR.DEVICE.adptr1=com.test.mydeviceadapter
For further information about developing new adapters, contact HID Global Technical Support.
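The numbering rule above (one ADPTR.<TYPE>.adptr<N> key per adapter, N increasing from 1) is easy to get wrong by hand when several adapters are already declared. The following helper is an added example, not part of the ActivID AS product or its documentation: it parses the active declarations of a properties file, computes the next free number for a type, and appends the declaration after that type's template entry. The sample properties text and the class names in it are constructed placeholders.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt of the adapter declaration section; the class names are placeholders.
SAMPLE_PROPERTIES = """\
#ADAPTER_TYPE_DEVICE: template ADPTR.DEVICE.adptr%nb
#ADPTR.DEVICE.adptr1=my.adapter.class.path
ADPTR.DEVICE.adptr1=com.example.FirstDeviceAdapter
#ADAPTER_TYPE_AUDIT: template ADPTR.AUDIT.adptr%nb
#ADPTR.AUDIT.adptr1=my.adapter.class.path
"""

ADAPTER_KEY = re.compile(r"^ADPTR\.([A-Z_]+)\.adptr(\d+)=(.*)$")


def declared_adapters(text: str) -> Dict[str, Dict[int, str]]:
    """Return {adapter_type: {number: class_name}} for active (uncommented) declarations."""
    result: Dict[str, Dict[int, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments, including the #ADAPTER_TYPE_* template lines, are ignored
        m = ADAPTER_KEY.match(line)
        if m:
            result.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3).strip()
    return result


def next_adapter_number(text: str, adapter_type: str) -> int:
    """Next free adptr<N> index for a type; 1 when nothing is declared yet."""
    numbers = declared_adapters(text).get(adapter_type, {})
    return max(numbers, default=0) + 1


def add_adapter(text: str, adapter_type: str, class_name: str) -> Tuple[str, str]:
    """Append ADPTR.<TYPE>.adptr<N>=<class> after the last line of that type's section.

    Returns (new_text, added_line). Refuses to declare one class twice for the same type.
    """
    existing = declared_adapters(text).get(adapter_type, {})
    if class_name in existing.values():
        raise ValueError(f"{class_name} is already declared for {adapter_type}")
    number = next_adapter_number(text, adapter_type)
    new_line = f"ADPTR.{adapter_type}.adptr{number}={class_name}"
    lines = text.splitlines()
    # Anchor after the template comment / last declaration of this type; append at the
    # end of the file if the type has no template section at all.
    marker = f"ADPTR.{adapter_type}.adptr"
    anchor = max((i for i, l in enumerate(lines) if marker in l), default=len(lines) - 1)
    lines.insert(anchor + 1, new_line)
    return "\n".join(lines) + "\n", new_line


if __name__ == "__main__":
    updated, line = add_adapter(SAMPLE_PROPERTIES, "DEVICE", "com.test.mydeviceadapter")
    print(line)
    print(updated)
```

Run it against a copy of activid_server.properties first and diff the result; the helper only touches the one inserted line, so the review is a one-line change.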
Credential Adapters
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | true |
| Description | Soft PIN-enabled devices can be resynchronized automatically by entering either the OTP only or the soft PIN + OTP. Set this flag to false to make entering both the soft PIN and the generated OTP mandatory for resynchronizing soft PIN-enabled devices. |
Import Device and Import Adapters
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 5 |
| Description | Defines the delay to wait between device imports within a batch, so that the device import background task does not overload the CPU. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | *,*,0/10 |
| Description | Configuration for scheduling the Large Device Import timer. |
Global Process Adapters Parameters
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | none |
| Description | Pre-process adapter configuration identifiers, used by the authenticate process. Defines the pre-process adapters (run before verification of the secret) that are activated during authentication. Configuration identifiers can be retrieved with the public API getAdapterConfigurationsForType(), or created with createAdapterConfiguration(). |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | none |
| Description | Post-process adapter configuration identifiers, used by the authenticate process. Defines the post-process adapters (run after verification of the secret) that are activated during authentication. Configuration identifiers can be retrieved with the public API getAdapterConfigurationsForType(), or created with createAdapterConfiguration(). |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | facsimileTelephonenumber |
| Description | Used by the AAAAutoBindProcessAdapter. Defines the LDAP attribute that stores the device serial number. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 10000 |
| Description | Used by the LDAP adapters. Defines the LDAP connection timeout. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 10000 |
| Description | Used by the LDAP adapters. Defines the LDAP read timeout. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 2000 |
| Description | Used by the LDAP adapters to define the LDAP search page size. To add a specific value for a directory type: |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | com.hid.ai.interceptor.LoggingInterceptor |
| Description | Adapter class to be invoked on UserManager calls, for example com.hid.ai.interceptor.LoggingInterceptor. |
Configure the Concurrent Login Policy
The Concurrent Login Policy enables you to limit active sessions to a single session at a time for a single user account. The Concurrent Login Policy is configured globally per domain.
When the concurrent login policy is enabled, only one login session is permitted per user. Within the same browser session, different service providers/channels can be accessed for the same user account using the same session.
When the same user tries to access a service provider (for example, the ActivID Management Console) from another browser session, the authentication is denied as long as the other session remains open. The user must wait until the other session is closed or has timed out.
If a user tries to launch a concurrent login session, the error message “Login is denied. You cannot log on as long as your previous session remains open. Log out from the previous session or wait for the session to time out and try again” is displayed.
When LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAINX> is absent (the default, equivalent to false), the ActivID Authentication Portal allows concurrent login.
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | false |
| Description | Defines how the ActivID Authentication Portal manages concurrent login for the same user account, where <DOMAINX> is the domain name. Possible values: true (a second login session for the same account is denied while the first remains open) or false (concurrent login is allowed). |
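To make the policy semantics concrete (same browser session may reach several service providers; a second browser session is denied while the first is open; a timed-out or closed session frees the account; the flag is per domain and absent means allowed), here is a small model of the decision as an added example. It is not ActivID AS code: the class, method names and the 1800-second idle timeout are assumptions, and only the denial message is taken from the text above.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Denial message quoted from the documentation above.
LOGIN_DENIED_MESSAGE = (
    "Login is denied. You cannot log on as long as your previous session remains open. "
    "Log out from the previous session or wait for the session to time out and try again"
)


@dataclass
class ConcurrentLoginPolicy:
    """Toy model of LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAIN> (hypothetical implementation)."""

    # domain -> flag value; a domain with no entry behaves like false (concurrent login allowed)
    duplicate_fail: Dict[str, bool] = field(default_factory=dict)
    # idle timeout in seconds (assumed value, not an ActivID AS default)
    session_timeout: float = 1800.0
    # (domain, user) -> {browser session id: last activity time}
    _sessions: Dict[Tuple[str, str], Dict[str, float]] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Drop sessions idle for longer than the timeout; they no longer block a new login."""
        for key, sessions in list(self._sessions.items()):
            for sid, seen in list(sessions.items()):
                if now - seen > self.session_timeout:
                    del sessions[sid]
            if not sessions:
                del self._sessions[key]

    def login(self, domain: str, user: str, session_id: str, now: float) -> Optional[str]:
        """Return None when the login is allowed, or the denial message otherwise."""
        self._expire(now)
        key = (domain, user)
        open_sessions = self._sessions.get(key, {})
        other_open = any(sid != session_id for sid in open_sessions)
        if other_open and self.duplicate_fail.get(domain, False):
            return LOGIN_DENIED_MESSAGE
        # Either a new session, or the same browser session reaching another service provider.
        open_sessions[session_id] = now
        self._sessions[key] = open_sessions
        return None

    def logout(self, domain: str, user: str, session_id: str) -> None:
        self._sessions.get((domain, user), {}).pop(session_id, None)

    def open_session_count(self, domain: str, user: str) -> int:
        return len(self._sessions.get((domain, user), {}))
```

The point of the model is the ordering: expiry runs before the duplicate check, so a stale session never blocks a user indefinitely, which is what the "wait for the session to time out" part of the message relies on.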
Configure the Direct Authentication Failure Response Details
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | all |
| Description | Defines the level of detail returned for a direct authentication failure. Possible values: |
Configure the RFE Forward Reason Codes
The following codes are the RFE forward reason codes that are enabled by default. The complete list of reason codes can be found in the ActivID AS API Javadoc documentation.
To modify the settings, update the values in the following properties.
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 0 − the authenticator could not be found; 1 − the authenticator is disabled; 7 − the authenticator is not yet valid; 8 − the authenticator is expired; 15 − the user was not found; 19 − a password's maximum number of usages has been reached; 20 − the device is not valid; 23 − no valid credentials were found; 26 − the amount value for EMV CAP verification is invalid (it must be a numeric value without a decimal character) |
| Description | Defines the authentication RFE forward reason codes. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 1 − the challenge counter reached the disable threshold |
| Description | Defines the challenge RFE forward reason codes. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 1200 − a user with the specified code (external reference) could not be found; 1261 − a device with the specified ID could not be found; 1270 − an authenticator could not be found; 6058 − there was no active device on the authenticator; 6200 − no active authenticator was found for a dynamic authenticator selection Get Challenge request; 6201 − no active authenticator was found for a dynamic authenticator selection Device Authentication request; 6202 − no active authenticator was found for a dynamic authenticator selection UP Authentication request |
| Description | Defines the error RFE forward reason codes. |
Configure the ActivID SCIM Settings
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/ac-4tress-scim.properties |
|---|---|
| Type | |
| Default Value | CH_DIRECT |
| Description | Defines the ActivID AS channel (default CH_DIRECT) used by the SCIM API endpoints to interact with the ActivID AS server. This channel must be allowed for the user performing the SCIM API call. |
Configure the Safeguarded Critical Entities Settings
Several critical ActivID AS system entities are safeguarded against updates that could interfere with system stability or access.
To edit these entities, you must have a higher level of privilege, defined by the OVRD_SAFEGUARD (Override Safeguard) permission, which is only assigned to ActivID AS administrators (in the ActivID Administration Functions permission set).
The Safeguard check is performed for the following operations:
- Delete or update of Authentication Types
- Delete or update of Device Types
- Delete of Roles
You define the comma-separated list of protected entities in the SAFEGUARDED_ENTITIES_CODES property.
For example:
SAFEGUARDED_ENTITIES_CODES=DT_TDSV4,AT_TDS
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties |
|---|---|
| Type | |
| Default Value | none |
| Description | Defines the set of resources (as a comma-separated list of protected entity codes) that are critical to the system and that should only be edited by ActivID AS users with a higher level of privilege. |
Configure the Certificate Validation Settings
You can define the settings used to check the trust chain of client certificates on import, and the certificate revocation status for PKI C/R authentication.
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 15 |
| Description | TCP connection timeout in seconds. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 10 |
| Description | TCP read timeout in seconds. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 10 |
| Description | For performance reasons, certificate revocation lists (CRLs) are cached. Defines the validity of cached CRL responses in hours. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 10 |
| Description | For performance reasons, Online Certificate Status Protocol (OCSP) responses concerning intermediate CA certificates are cached. Defines the validity of cached OCSP responses in hours. This setting only applies to responses for intermediate CA certificates; OCSP responses for end-user certificates are not cached. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | 30 |
| Description | Defines the black-list period, in seconds, for URLs of unreachable CDPs or OCSP responders. During this period, the system fails over to the redundant URL, if one is available. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | true |
| Description | Defines whether the certificate revocation check is performed at authentication time. If the certificate revocation status is already checked at the TLS termination, you do not need to perform this check at authentication. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | true |
| Description | Defines whether the certificate revocation check is performed when importing certificates. |
| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | true |
| Description | Defines whether certificate path validation is disabled for legacy certificate credentials that could not be validated (due to missing intermediate certificates). |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | false |
| Description | Because many OCSP responders do not use the nonce to create a different response for each request, you can disable the nonce verification. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | true |
| Description | OCSP and CRL can both be used to check the revocation status of a certificate. If both methods are available, defines whether OCSP is the preferred method. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | true |
| Description | If a forward proxy is configured, web-based (not LDAP) CRL downloads and OCSP requests use this proxy by default. To use local OCSP responders or CRL Distribution Points, set this to false. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | true |
| Description | By default, OCSP requests use a SHA256-based certificate ID. In case of compatibility issues, you might have to use a SHA1 certificate ID by setting this to false. |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | none |
| Description | By default, there is no restriction on the OCSP response signature algorithms. Specifies a comma-separated list of valid OCSP response signature algorithm OIDs (see RFC 2313). |

| File | <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties |
|---|---|
| Type | |
| Default Value | none |
| Description | Specifies a comma-separated list of redundant CDP URLs that are used in place of the CDPs defined in the certificates. |
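Three of the settings above interact at run time: the CRL cache validity (hours), the black-list period for unreachable URLs (seconds), and the redundant CDP list that replaces the CDPs found in the certificate. The following model of a CRL fetcher is an added example written to show how those three settings combine into a failover sequence; it is not ActivID AS code, and the class name, the injected `download` function and the URLs in the test scenario are assumptions or constructed values. The defaults used in the constructor match the defaults in the tables above.

```python
from typing import Callable, Dict, List, Sequence, Tuple


class RevocationSourceUnavailable(Exception):
    """Raised when every candidate URL is black-listed or failed and no valid cached CRL exists."""


class CrlFetcher:
    """Hypothetical CRL fetcher modelling cache validity, URL black-listing and redundant CDPs.

    `download` is an injected function url -> CRL bytes that raises OSError when the URL
    is unreachable; `now` is passed explicitly so the behaviour is testable without a clock.
    """

    def __init__(self, download: Callable[[str], bytes], crl_cache_hours: int = 10,
                 blacklist_seconds: int = 30, redundant_cdps: Sequence[str] = ()):
        self.download = download
        self.cache_ttl = crl_cache_hours * 3600          # "validity of cached CRL responses in hours"
        self.blacklist_ttl = blacklist_seconds           # "black-list period ... in seconds"
        self.redundant_cdps = list(redundant_cdps)       # "used in place of the CDPs defined in the certificates"
        self._cache: Dict[str, Tuple[bytes, float]] = {}  # url -> (crl, fetched_at)
        self._blacklist: Dict[str, float] = {}            # url -> black-listed until

    def candidates(self, cert_cdps: Sequence[str]) -> List[str]:
        return self.redundant_cdps or list(cert_cdps)

    def fetch_crl(self, cert_cdps: Sequence[str], now: float) -> Tuple[str, bytes, str]:
        """Return (url, crl, source) with source 'cache' or 'network'; fails over across URLs."""
        for url in self.candidates(cert_cdps):
            cached = self._cache.get(url)
            if cached and now - cached[1] < self.cache_ttl:
                return url, cached[0], "cache"
            if self._blacklist.get(url, 0.0) > now:
                continue  # still black-listed: do not retry, move to the redundant URL
            try:
                crl = self.download(url)
            except OSError:
                self._blacklist[url] = now + self.blacklist_ttl
                continue
            self._cache[url] = (crl, now)
            return url, crl, "network"
        raise RevocationSourceUnavailable("no reachable CRL distribution point")


def make_scenario() -> Tuple[CrlFetcher, List[str]]:
    """Constructed scenario: cdp-a is always unreachable, cdp-b answers. Returns fetcher and call log."""
    calls: List[str] = []

    def download(url: str) -> bytes:
        calls.append(url)
        if url == "http://cdp-a.example/crl":
            raise OSError("unreachable")
        return b"CRL-from-" + url.encode()

    return CrlFetcher(download), calls


if __name__ == "__main__":
    fetcher, calls = make_scenario()
    cdps = ["http://cdp-a.example/crl", "http://cdp-b.example/crl"]
    for t in (0, 10, 40, 36_001):
        url, _, source = fetcher.fetch_crl(cdps, now=t)
        print(f"t={t:>6}s -> {url} ({source})")
    print("downloads attempted:", calls)
```

Reading the scenario: at t=0 the first CDP fails and is black-listed for 30 s, so the second one is downloaded; at t=10 the first is skipped without a network call and the second is served from cache; at t=40 the black-list has expired, so the first CDP is tried again (and black-listed again) before the cached copy is returned; after the 10-hour cache validity the CRL is downloaded afresh. Lowering the black-list period trades faster recovery for more failed connection attempts at every check.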
Configure the EMV Card Import Settings
You can customize the EMV card profile settings that ActivID AS uses to import EMV cards.
The profiles are properties defined in the emvCardImportDefaults.properties file (in <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/) and contain a minimum set of card and key data that is applied to all cards associated with that profile:
- IIPB – Internet Proprietary Bitmap
- masterKeyLabel – string label name of the master key from which the card keys are derived
- AIP – Application Interchange Profile
- CVR – Cardholder Verification Results
- IAF – Internet Application Flags
- Additional definitions required by the EMV CAP specification for verification:
  - terminalCountryCode
  - terminalVerificationResult
  - transactionCurrencyCode
  - transactionDate
  - ATC – Application Transaction Counter
  - CVN – Cryptogram Version Number
- Additional definitions required by ActivID AS for EMV CAP verification:
  - authType
  - authVersion
  - CVRMask
  - extendedCVRMask
  - truncatedARQCLength
  - truncatedATCLength
For example, you could create a profile called EMVProfile1 with the following configuration:
EMVProfile1.IIPB=8000FFFFFF00000000000000000000000000
EMVProfile1.masterKeyLabel=masterkey123
EMVProfile1.AIP=1000
EMVProfile1.CVR=03A49000
EMVProfile1.IAF=00
EMVProfile1.terminalCountryCode=0000
EMVProfile1.terminalVerificationResult=8000000000
EMVProfile1.transactionCurrencyCode=0000
EMVProfile1.transactionDate=010101
EMVProfile1.ATC=0000
EMVProfile1.CVN=0A
EMVProfile1.authType=1
EMVProfile1.authVersion=0
EMVProfile1.CVRMask=0000
EMVProfile1.extendedCVRMask=00
EMVProfile1.truncatedARQCLength=5
EMVProfile1.truncatedATCLength=3
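A profile with a missing key or a malformed hex value only fails when a card import is attempted, so it is worth checking the file before deploying it. The following validator is an added example, not part of ActivID AS: it groups `<profile>.<key>=<value>` lines into profiles, checks that every key listed above is present, that hex-encoded fields contain only hex digits, and that the four integer fields are non-negative integers. The fixed byte lengths it enforces for AIP, ATC, CVN, terminalCountryCode, transactionCurrencyCode, transactionDate and terminalVerificationResult are the standard EMV lengths of those data elements (an assumption of this example, not a rule stated on this page); variable-length fields are only checked for hex characters. The sample text reuses the EMVProfile1 example above and adds a deliberately broken EMVProfile2 that is constructed.

```python
import re
from typing import Dict, List

# Keys every profile must define, taken from the list above.
REQUIRED_KEYS = [
    "IIPB", "masterKeyLabel", "AIP", "CVR", "IAF",
    "terminalCountryCode", "terminalVerificationResult", "transactionCurrencyCode",
    "transactionDate", "ATC", "CVN",
    "authType", "authVersion", "CVRMask", "extendedCVRMask",
    "truncatedARQCLength", "truncatedATCLength",
]
# Hex-encoded fields -> fixed length in bytes (assumed EMV data element lengths), or None if variable.
HEX_FIELDS = {
    "IIPB": None, "AIP": 2, "CVR": None, "IAF": None,
    "terminalCountryCode": 2, "terminalVerificationResult": 5,
    "transactionCurrencyCode": 2, "transactionDate": 3, "ATC": 2, "CVN": 1,
    "CVRMask": None, "extendedCVRMask": None,
}
INT_FIELDS = ["authType", "authVersion", "truncatedARQCLength", "truncatedATCLength"]
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# EMVProfile1 is the documented example; EMVProfile2 is a constructed, intentionally broken profile.
SAMPLE_PROFILES = """\
EMVProfile1.IIPB=8000FFFFFF00000000000000000000000000
EMVProfile1.masterKeyLabel=masterkey123
EMVProfile1.AIP=1000
EMVProfile1.CVR=03A49000
EMVProfile1.IAF=00
EMVProfile1.terminalCountryCode=0000
EMVProfile1.terminalVerificationResult=8000000000
EMVProfile1.transactionCurrencyCode=0000
EMVProfile1.transactionDate=010101
EMVProfile1.ATC=0000
EMVProfile1.CVN=0A
EMVProfile1.authType=1
EMVProfile1.authVersion=0
EMVProfile1.CVRMask=0000
EMVProfile1.extendedCVRMask=00
EMVProfile1.truncatedARQCLength=5
EMVProfile1.truncatedATCLength=3
# constructed broken profile: no masterKeyLabel, AIP too short, CVN too long, non-numeric authType
EMVProfile2.IIPB=8000FFFFFF00000000000000000000000000
EMVProfile2.AIP=100
EMVProfile2.CVR=03A49000
EMVProfile2.IAF=00
EMVProfile2.terminalCountryCode=0000
EMVProfile2.terminalVerificationResult=8000000000
EMVProfile2.transactionCurrencyCode=0000
EMVProfile2.transactionDate=010101
EMVProfile2.ATC=0000
EMVProfile2.CVN=0A0A
EMVProfile2.authType=x
EMVProfile2.authVersion=0
EMVProfile2.CVRMask=0000
EMVProfile2.extendedCVRMask=00
EMVProfile2.truncatedARQCLength=5
EMVProfile2.truncatedATCLength=3
"""


def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Group '<profile>.<key>=<value>' lines into {profile: {key: value}}; comments are skipped."""
    profiles: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep or "." not in key:
            continue
        profile, _, prop = key.strip().partition(".")
        profiles.setdefault(profile, {})[prop] = value.strip()
    return profiles


def validate_profile(props: Dict[str, str]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the profile passed."""
    errors: List[str] = []
    for k in REQUIRED_KEYS:
        if k not in props:
            errors.append(f"missing {k}")
    for k, nbytes in HEX_FIELDS.items():
        v = props.get(k)
        if v is None:
            continue
        if not HEX_RE.match(v):
            errors.append(f"{k}: not a hex string")
        elif nbytes is not None and len(v) != 2 * nbytes:
            errors.append(f"{k}: expected {2 * nbytes} hex digits, got {len(v)}")
    for k in INT_FIELDS:
        v = props.get(k)
        if v is not None and not v.isdigit():
            errors.append(f"{k}: not a non-negative integer")
    return errors


def validate_file(text: str) -> Dict[str, List[str]]:
    return {name: validate_profile(p) for name, p in parse_profiles(text).items()}


if __name__ == "__main__":
    for name, problems in validate_file(SAMPLE_PROFILES).items():
        print(name, "OK" if not problems else problems)
```

Point it at the real emvCardImportDefaults.properties by reading the file into `validate_file`; any profile whose list is non-empty should be corrected before cards are imported against it.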