Configuring the ActivID AS Properties
The principal ActivID AS properties are contained in the system configuration files. The following sections provide guidelines for the settings contained in these files.
Warning! ONLY modify the files if you are sure that you are making the correct changes. Modifying the properties files incorrectly can render the system unusable.
It is recommended that you contact HID Global Technical Support before modifying these properties.
Note: Settings in the properties files can affect some aspects of system performance.
Properties Files
The properties of the ActivID AS system (applications and features) are organized in the following .properties files that are called by ActivID AS.
All entries are commented with the default values.
For details about each property, refer to the property’s comments.
Note: For reference, <ACTIVID_HOME> represents the ActivID AS software installation directory (by default, /usr/local/activid).
ActivID Authentication Server
Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/
- ac-4tress-scim.properties - configuration of ActivID AS SCIM API
- activid_server.properties
- srvlog4j.xml - to change the logging level, see Logging
- emvCardImportDefaults.properties - see Configure the EMV Card Import Settings
- The following properties files define the validation rules for parameter values passed to the ActivID AS public API methods:
- validation.properties
- inputValidationFilters.properties
Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation of some parameters might be too restrictive, and these files can be used to extend the allowed values).
ActivID Authentication Portal
Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/ap/
- samlidp.properties - see Configure the ActivID Identity Provider
- csrfguard.properties - defines the security settings that protect the IdP against Cross-Site Request Forgery attacks. Contact HID Global Technical Support before changing this file.
- The following properties files define the validation of the input fields in the ActivID IdP screens:
- validation.properties
- inputValidationFilters.properties
Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation of some parameters might be too restrictive, and these files can be used to extend the allowed values).
ActivID Management Console
Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/mc/
- mgtcons.properties - user and device search parameters, see Configure the Search Limits
- mclog4j.xml - to change the logging level, see Logging
- csrfguard.properties - defines the security settings that protect the ActivID Management Console against Cross-Site Request Forgery attacks. Contact HID Global Technical Support before changing this file.
- The following properties files define the validation of the input fields in the ActivID Management Console screens:
- validation.properties
- inputValidationFilters.properties
Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation of some parameters might be too restrictive, and these files can be used to extend the allowed values).
ActivID Self-Service Portal
Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/ssp/
- ssp.properties - see Configure the Portal Settings
- ssplog4j.xml - to change the logging level, see Logging
- ssp_devicetypes.properties
- csrfguard.properties - defines the security settings that protect the Self-Service Portal against Cross-Site Request Forgery attacks. Contact HID Global Technical Support before changing this file.
- The following properties files define the validation of the input fields in the Self-Service Portal screens:
- validation.properties
- inputValidationFilters.properties
Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation of some parameters might be too restrictive, and these files can be used to extend the allowed values).
Common
Location - <ACTIVID_HOME>/ActivID_AS/applications/resources/common/
- activid.properties - defines the hostnames and ports for the ActivID Authentication Web Services address and ActivID Authentication Services public address
- activid_security.properties - defines the Truststore settings
- ESAPI.properties - defines the global settings for input validation in all ActivID AS applications
Contact HID Global Technical Support for changes related to these files (for example, in certain integration contexts, the validation for some parameters might be too restrictive, and these files can be used to extend the allowed values).
Modify a Property
1. To modify the properties, it is recommended that you first Generate a Customization Package.
2. Modify the relevant properties in the generated configuration files of the customization package (and not the original properties files on the file system). To change the default behavior, uncomment the property and set the required value.
3. Apply a Customization Package.
4. Restart the server.
Important: You must restart the system to apply modifications to any of these files.
You can configure the hostname and port for the ActivID Authentication Services and ActivID Authentication Web Services. All four properties are in <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties.
IDP_HOSTNAME
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties
Type: Default
Value: <hostname>
Description: ActivID Authentication Services public hostname (depending on the deployment topology, this is the proxy address or the ActivID Authentication Services address).
IDP_HTTPS_PORT
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties
Type: Default
Value: 8445
Description: ActivID Authentication Services public port (depending on the deployment topology, this is the proxy port or the ActivID Authentication Services port).
Possible values:
- 8445
- 8443 (with client authentication)
AUTHENTICATION_SERVER_HOST
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties
Type: Default
Value: <hostname>
Description: The hostname (fully qualified domain name) used to connect to the ActivID Authentication Web Services from this node.
AUTHENTICATION_SERVER_HTTPS_PORT
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties
Type: Default
Value: 8445
Description: HTTPS port used to connect to the ActivID Authentication Web Services from this node. This is typically the:
- Local application server HTTPS port when the authentication services are installed locally.
- Remote application server or load balancer HTTPS port when the authentication services are installed remotely.
See also:
Update the HTTPS Ports or Proxy Hostname/Ports
Configure Forward Proxy Support
Configure the Safeguarded Critical Entities Settings
To improve performance when retrieving business configuration data from the database, ActivID AS can be configured to cache this data for a period of time.
With this mechanism, objects are read from the database only when they have been updated since the last access, in which case the corresponding cache value is also updated.
The cache values are therefore always synchronized with the database objects in a single server node deployment.
For cache synchronization across several nodes, ActivID AS stores cache timestamps in the database, allowing all nodes to check whether they need to refresh their local cache values when an object has been created, updated or deleted in the database by another node.
For example, if an adapter configuration is created, updated or deleted on one server node, that node updates the corresponding cache timestamp in the database, and the other nodes refresh their local caches after comparing their local cache timestamp with the timestamp in the database.
To avoid reading the cache timestamps from the database at every request, server nodes read this value every 10 seconds by default (defined by the CACHE_TIMESTAMPS_REFRESH_INTERVAL property). This value is therefore the maximum latency before an object change is visible on all server nodes.
Cached objects are discarded from the cache if they are not accessed during the period defined by the cache timeout values below. This reduces the memory footprint for objects that are rarely used, including unused security domains.
The timeout values (in milliseconds) for these caches indicate when the data is discarded. Any entry in the activid_server.properties file with a property name ending in _CACHE_TIMEOUT can be altered to change how long that data is cached.
CACHE_TIMESTAMPS_REFRESH_INTERVAL
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: 10000
Description: Defines the interval (in milliseconds) between each refresh of the local node cache timestamp with the corresponding value of the global cache timestamp.
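The following Python model is an added illustration of the cache mechanism described above; it is not ActivID AS code. Each node keeps a local cache, a shared table holds one "last modified" timestamp per cache, a node polls that table at most once per CACHE_TIMESTAMPS_REFRESH_INTERVAL and drops its local copies when the global timestamp has moved, and entries not read for the _CACHE_TIMEOUT period are evicted. Time is a simulated millisecond counter supplied by the caller, and the cache names, keys and object values are made up for the example.

```python
"""Model of per-node caches synchronized through a shared timestamp table.
Added example, not ActivID AS code: the two documented knobs are the refresh
interval (visibility latency across nodes) and the idle timeout (eviction)."""

from dataclasses import dataclass

CACHE_TIMESTAMPS_REFRESH_INTERVAL = 10_000   # ms, documented default
ADAPTERCONFIG_CACHE_TIMEOUT = 3_600_000      # ms, documented default


class Database:
    """Shared store: object rows plus one timestamp per cache name."""

    def __init__(self):
        self.objects = {}
        self.cache_timestamps = {}
        self.reads = 0

    def write(self, cache, key, value, now):
        self.objects[(cache, key)] = value
        self.cache_timestamps[cache] = now   # tells other nodes to refresh

    def read(self, cache, key):
        self.reads += 1
        return self.objects.get((cache, key))


@dataclass
class Entry:
    value: object
    last_access: int


class NodeCache:
    """One server node's local copy of a single cache."""

    def __init__(self, db, cache, timeout=ADAPTERCONFIG_CACHE_TIMEOUT,
                 refresh=CACHE_TIMESTAMPS_REFRESH_INTERVAL):
        self.db, self.cache = db, cache
        self.timeout, self.refresh = timeout, refresh
        self.entries = {}
        self.local_ts = 0        # global timestamp as last seen by this node
        self.last_poll = None    # when the timestamp table was last read

    def _poll_timestamp(self, now):
        if self.last_poll is not None and now - self.last_poll < self.refresh:
            return               # too soon: reuse what we know
        self.last_poll = now
        global_ts = self.db.cache_timestamps.get(self.cache, 0)
        if global_ts > self.local_ts:
            self.entries.clear()  # another node changed something
            self.local_ts = global_ts

    def get(self, key, now):
        self._poll_timestamp(now)
        entry = self.entries.get(key)
        if entry is not None and now - entry.last_access >= self.timeout:
            del self.entries[key]  # idle eviction
            entry = None
        if entry is None:
            entry = Entry(self.db.read(self.cache, key), now)
            self.entries[key] = entry
        entry.last_access = now
        return entry.value

    def put(self, key, value, now):
        """Local write: persist, bump the global timestamp, keep own copy fresh."""
        self.db.write(self.cache, key, value, now)
        self.local_ts = now
        self.entries[key] = Entry(value, now)


def staleness(refresh=CACHE_TIMESTAMPS_REFRESH_INTERVAL):
    """Milliseconds between a change on node A and node B first seeing it."""
    db = Database()
    a = NodeCache(db, "ADAPTERCONFIG", refresh=refresh)
    b = NodeCache(db, "ADAPTERCONFIG", refresh=refresh)
    a.put("ldap", "v1", now=0)
    b.get("ldap", now=1)            # B polls and caches v1
    a.put("ldap", "v2", now=2)      # A changes the object and its timestamp
    first_seen = next(t for t in range(2, 3 + refresh)
                      if b.get("ldap", now=t) == "v2")
    return first_seen - 2


def db_reads(access_times, timeout):
    """Database reads caused by repeated access to one cached object."""
    db = Database()
    db.write("DEVICETYPE", "totp", "type-row", now=0)
    node = NodeCache(db, "DEVICETYPE", timeout=timeout)
    for t in access_times:
        node.get("totp", now=t)
    return db.reads
```

The worst case returned by staleness() is just under the refresh interval, which is the latency bound the text describes; lowering CACHE_TIMESTAMPS_REFRESH_INTERVAL tightens it at the price of one timestamp read per cache per interval on every node, while a shorter _CACHE_TIMEOUT only changes how often an idle object is re-read, as db_reads() shows.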
The following cache entries are discarded if they are not accessed for the duration set by their timeout. All of these properties are in <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties (Type: Default).
Property | Default value (ms) | Description
ASSETSETSFORASSET_CACHE_TIMEOUT | 3600000 | Asset set cache timeout
FUNCTIONSET_CACHE_TIMEOUT | 3600000 | Function set (permission set) cache timeout
AUTHENTICATIONTYPE_CACHE_TIMEOUT | 3600000 | Authentication type (authentication policy) cache timeout
MEMORABLEDATAGROUP_CACHE_TIMEOUT | 3600000 | Memorable data group cache timeout
MEMORABLEDATAPROMPT_CACHE_TIMEOUT | 3600000 | Memorable data prompt cache timeout
DEVICETYPE_CACHE_TIMEOUT | 3600000 | Device type cache timeout
TRANSACTIONSET_CACHE_TIMEOUT | 3600000 | Transaction set cache timeout
GROUPFUNCTIONPRIV_CACHE_TIMEOUT | 3600000 | Group function privilege cache timeout
GROUPTRANSACTIONPRIV_CACHE_TIMEOUT | 3600000 | Group transaction privilege cache timeout
AUTHENTICATIONADAPTER_CACHE_TIMEOUT | 3600000 | Authentication adapter cache timeout
AUTHENTICATORMANAGERADAPTER_CACHE_TIMEOUT | 3600000 | Authenticator manager adapter cache timeout
CHANNEL_CACHE_TIMEOUT | 3600000 | Channel cache timeout
LDAPPOOLING_CACHE_TIMEOUT | 3600000 | LDAP connection pool timeout
ROLEFUNCTIONPRIV_CACHE_TIMEOUT | 3600000 | Role function privilege cache timeout
ROLETRANSACTIONPRIV_CACHE_TIMEOUT | 3600000 | Role transaction privilege cache timeout
TRANSACTION_CACHE_TIMEOUT | 3600000 | Transaction cache timeout
STATUSTRANSITION_CACHE_TIMEOUT | 3600000 | Status transition cache timeout
ADAPTERCONFIG_CACHE_TIMEOUT | 3600000 | Adapter configuration cache timeout
GROUPSTRUCTURE_CACHE_TIMEOUT | 3600000 | Group structure cache timeout
DICTIONARY_CACHE_TIMEOUT | 3600000 | Dictionary cache timeout
MAIL_SESSION_CACHE_TIMEOUT | 86400000 | Mail session cache timeout
The following cache value is discarded after the period defined by its timeout even if it has been accessed, which forces a refresh of the cache value. A certificate added to or removed from the truststore can therefore take up to this period to be taken into account.
TRUSTSTORE_CACHE_TIMEOUT
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: 3600000
Description: Truststore cache timeout in milliseconds. The truststore is where the public certificates of external systems are stored.
Configure the Search Limits
Searches performed in the ActivID AS portals can place a large load on the application, so the number of records displayed should be limited to a reasonable size. The ActivID Authentication Server provides a mechanism to limit the number of records returned from the database. Larger result sets strain the server both in memory (the result set must be held) and in HSM load, since ActivID AS verifies the data signature of each record returned.
If search performance is slow, or there are 'out of memory' errors on ActivID Authentication Server application server instance nodes, you might need to adjust the search limits.
It is recommended that the search limits (property names starting with SEARCH_) be kept to a reasonable size (such as the default values).
For example, to configure the User or Device search parameters, select the customizable activid_server.properties core properties file, then update the following:
All of these properties are in <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties (Type: Default).
Property | Default value | Description
SEARCH_LIMIT_USER | 100 | Maximum number of users returned in the search results. See Audit Sequence Settings.
SEARCH_LIMIT_ASSET | 20 | Maximum number of assets returned in the search results.
SEARCH_LIMIT_AUDIT | 100 | Maximum number of audit log records returned in the search results.
SEARCH_LIMIT_TOKEN | 100 | Maximum number of tokens returned in the search results. See Audit Sequence Settings.
SEARCH_LIMIT_UATSP | 100 | Maximum number of user asset transaction set privileges returned in the search results.
SEARCH_LIMIT_DEVICE_ISSUANCE | 150 | Maximum number of device issuance requests returned in the search results.
SEARCH_LIMIT_LDAP_USER | 100 | Maximum number of LDAP users returned in the search results.
Important: As these settings might affect the display performance of search results in the ActivID Management Console, you can add a parameter in the mgtcons.properties file to restrict the search limit to a value lower than the one set in the activid_server.properties file.
The user or device search performed in the ActivID Management Console takes into account the limit set in the mgtcons.properties file.
To configure the User or Device search parameters for the ActivID Management Console, update the following in the mgtcons.properties file:
# Max number of devices displayed by the Management Console. Note: This number is ignored if it is greater than SEARCH_LIMIT_TOKEN (activid_server.properties)
# Uncomment to enable.
#com.actividentity.iasp.ui.maxdevicesearch=100
# Max number of users displayed by the Management Console. Note: This number is ignored if it is greater than SEARCH_LIMIT_USER (activid_server.properties)
# Uncomment to enable.
#com.actividentity.iasp.ui.maxusersearch=100
TRUSTSTORE_TYPE
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid_security.properties
Type: Default
Value: JKS
Description: Truststore file type defined during installation.
Possible values:
TRUSTSTORE_FILE_PATH
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid_security.properties
Type: Default
Value: none
Description: Truststore file path defined during installation.
See also Add a Custom Audit Adapter for details on deploying custom audit adapters.
AUDIT_ENABLED
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: true
Description: By default, the value is true (auditing is enabled). Set this value to false to disable auditing on a server node, then restart the server node. When auditing is disabled, operations do not generate audit records in the ActivID AS database. Existing audit records remain in the database and can still be accessed. If you have multiple server nodes, this setting is configured on each node individually; the nodes do not need the same value (auditing can be disabled on some nodes and enabled on others).
AUDIT.IGNORE.EVENTID
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: ^get\\S*,^search\\S*,hasFunctionPrivilege,isRFEConfigurationStale
Description: Defines the audit events that are not stored in the database (to avoid filling the database with unnecessary events). The value is a comma-separated list of regular expressions matched against the event ID; an event whose ID matches any of them is not stored. The doubled backslash is the .properties escape for a single backslash, so ^get\\S* is the regular expression ^get\S* (read-only events such as get... and search... are dropped by default).
audit.verify.strategy
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: sequencesAndMatchedRows
Description: Defines how audit records are verified during an audit search (using the API or the ActivID Management Console Reporting tab).
Possible values:
- none: no audit verification occurs.
- sequences: only the sequential integrity of the audit data is verified.
- allRows: all audit data found within the search date range is verified, regardless of other criteria.
- sequencesAndMatchedRows: the sequential integrity of the audit data is verified, in addition to the audit data that matches all the search criteria.
AUDIT_SEARCH_ORDER
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: DESC
Description: Defines the search order on the audit table. The default is descending order (the most recent records are returned first).
Important: By default, in order to assist customers in meeting the requirements of certain data protection regulations, personal data in the audit log is tokenized/anonymized.
Disclaimer: If your organization requires audit log data to be detokenized for specific needs and usages, HID Global offers guidance in the form of APIs, sample code, and utilities, and it is recommended to adopt that approach while leaving the audit tokenization feature enabled.
Prior to disabling audit tokenization, it is recommended that you consult with your legal department to align with your organization’s policies with regard to the processing of personal data.
Audit Sequence Settings
Each ActivID AS instance is allocated a dedicated pool of audit sequence generators. For security reasons, this pool is limited in size (the default limit is 100). To avoid contention, make sure that application server worker threads can always immediately acquire a free sequence generator.
The ActivID Authentication Server log files indicate when the pool has run out of available sequence generators, for example: "No more sequence generators: pool at max size of XX and pool empty", where XX is the value of SEQ_GEN_POOL_MAX_SIZE.
If this occurs, set SEQ_GEN_POOL_MAX_SIZE so that the maximum number of sequence generators matches the maximum number of worker threads allowed in the J2EE application server.
It is recommended that the tuning of the application server (thread counts and so on) be done in parallel with this setting.
Also see the guidelines on tuning the system in the ActivID AS installation guide for your application server, available from the ActivID Customer Portal.
All of these properties are in <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties (Type: Default).
Property | Default value | Description
SEQ_GEN_POOL_SIZE | 5 | Initial size of the sequence generator pool.
SEQ_GEN_POOL_MAX_SIZE | 100 | Maximum number of sequence generators allowed.
SEQ_GEN_POOL_INCREMENT | 4 | When all the sequence generators are in use, ActivID Authentication Server allocates this number of additional sequence generators.
SEQ_GEN_DB_SYNC | true | Synchronization method for sequence generation: if true, the database is used; otherwise software synchronization is used.
SEQ_GEN_POOL_MAX_RETRY_ON_BUSY_WAIT_SECONDS | 0 | Wait (in seconds) between retries when all the sequence generators are in use.
SEQ_GEN_POOL_MAX_RETRY_ON_BUSY | 5 | Number of retries when all the sequence generators are in use.
Audit Security Enhancements
INITIALIZE_AUDIT_STREAM
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: true
Description: Set this value to false to disable notifications when audit tampering is detected. Otherwise, leave it set to true.
AUDIT_VERIFICATION_PAGE_SIZE
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: 50000
Description: Number of audit records read from the database at one time. If you set this value to 1000, ActivID Authentication Server verifies 1000 records at a time until it reaches the number of records to read for the specified period. If you set it too high (100000, for example), you might run into insufficient memory issues. The system configuration of the deployment determines whether this value can be increased or decreased. In addition, the transaction timeout value of the application server might impact the verification of the audit logs. It is recommended that a full database verification be performed offline and NOT through the user interface.
Audit Log Resilience
On a busy server, the audit log can grow quickly and, in some cases, exceed the space available for storing the audit data.
ActivID AS might still have enough data space to continue its normal operations despite the failure of the audit log.
If the audit log has been overrun because the space required for it was underestimated, certain operations can continue working even though those calls are not logged.
When writing the audit record fails (for an authentication or administration operation), ActivID AS behavior depends on the configuration of the Resilience to Audit Log Failure properties (ALLOW_XXX_TO_PROCEED_WITHOUT_AUDIT_<DOMAIN>):
- If Resilience to Audit Log Failure is allowed:
1. Write the audit record to the following file: <ACTIVID_HOME>/ActivID_AS/servers/server_<n>/logs/activid-server-audit.log.<domain>
2. Proceed as normal.
- If Resilience to Audit Log Failure is denied:
1. Write the audit record to the following file: <ACTIVID_HOME>/ActivID_AS/servers/server_<n>/logs/activid-server-audit.log.<domain>
2. Reject the operation.
In both cases that file is the only record of the operation while the database audit log is failing, so monitor it and protect it as you would the database audit log.
If the audit log begins to fail while ActivID AS is running, use the following properties to change the Resilience to Audit Log Failure (RALF) settings.
Note: You can configure this behavior separately for each security domain.
For each security domain configured on the ActivID AS instance, two properties can be added to the <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties file (illustrated with DOMAIN1 as the security domain):
ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties
Type: Optional
Value: none (not set by default)
Description: Defines whether ActivID AS allows authentication to the domain when the audit log fails:
- When set to ALLOW, authentications continue but are not audited.
- When set to DENY, authentications fail.
For example:
ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1=ALLOW
ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties
Type: Optional
Value: none (not set by default)
Description: Defines whether ActivID AS allows other configuration processes for the domain when the audit log fails:
- When set to ALLOW, all other operations continue but are not audited.
- When set to DENY, all other operations fail.
For example:
ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1=ALLOW
Note:
- If the ALLOW_XXX properties are not defined, the default value is DENY, so both authentications and other configuration processes fail if the audit log has failed.
- As all operations require authentication, ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_<DOMAIN> must be set to ALLOW if you also set ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_<DOMAIN> to ALLOW.
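The following Python script is an added example, not HID code, that reads a customized activid_server.properties, activid.properties and mgtcons.properties and reports the settings this page warns about: auditing disabled, audit.verify.strategy=none, Resilience to Audit Log Failure set to ALLOW (including an ALLOW_ADMINISTRATION that is ineffective because authentication is still DENY), oversized SEARCH_LIMIT_ values, and a Management Console limit that is ignored because it exceeds the server limit. It also applies the AUDIT.IGNORE.EVENTID default as the server would, after undoing the .properties backslash escape. The three file contents are constructed samples; only the property names come from this page, the thresholds and messages are the example's own.

```python
"""Check audit-relevant ActivID AS properties. Added example, not HID code."""

import re

SERVER_PROPS = r"""
# constructed sample: customized activid_server.properties
AUDIT_ENABLED=true
AUDIT.IGNORE.EVENTID=^get\\S*,^search\\S*,hasFunctionPrivilege,isRFEConfigurationStale
audit.verify.strategy=none
SEARCH_LIMIT_USER=100
SEARCH_LIMIT_TOKEN=5000
"""

COMMON_PROPS = """
# constructed sample: activid.properties with per-domain audit resilience
ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1=ALLOW
ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN1=DENY
ALLOW_ADMINISTRATION_TO_PROCEED_WITHOUT_AUDIT_DOMAIN2=ALLOW
"""

MGTCONS_PROPS = """
# constructed sample: mgtcons.properties
com.actividentity.iasp.ui.maxusersearch=500
com.actividentity.iasp.ui.maxdevicesearch=50
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or
    key:value, backslash line continuation, and the doubled-backslash escape
    the file uses for a literal backslash inside regular expressions."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical += line
        if logical.endswith("\\") and not logical.endswith("\\\\"):
            logical = logical[:-1]          # value continues on the next line
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if match:
            props[match.group(1)] = match.group(2).strip().replace("\\\\", "\\")
        logical = ""
    return props


def ignored_event(event_id, ignore_value):
    """AUDIT.IGNORE.EVENTID: comma-separated regular expressions; an event
    whose ID matches any of them is not written to the database."""
    return any(re.search(p, event_id) for p in ignore_value.split(",") if p)


def effective_console_limit(server, console, console_key, server_key):
    """A mgtcons.properties limit applies only when it does not exceed the
    corresponding SEARCH_LIMIT_* value; otherwise the server limit is used."""
    server_limit = int(server[server_key])
    console_limit = console.get(console_key)
    if console_limit is None or int(console_limit) > server_limit:
        return server_limit
    return int(console_limit)


def audit_findings(server, common, search_limit_warn=1000):
    """Human-readable findings about settings that weaken the audit trail."""
    findings = []
    if server.get("AUDIT_ENABLED", "true").lower() != "true":
        findings.append("AUDIT_ENABLED=false: operations on this node are not audited")
    if server.get("audit.verify.strategy", "sequencesAndMatchedRows") == "none":
        findings.append("audit.verify.strategy=none: audit integrity is never verified on search")
    ralf = re.compile(r"ALLOW_(AUTHENTICATION|ADMINISTRATION)_TO_PROCEED_WITHOUT_AUDIT_(.+)")
    for key, value in common.items():
        match = ralf.match(key)
        if not match or value.upper() != "ALLOW":
            continue
        kind, domain = match.group(1), match.group(2)
        findings.append(f"{domain}: {kind.lower()} proceeds unaudited if the audit log fails")
        if kind == "ADMINISTRATION":
            auth_key = f"ALLOW_AUTHENTICATION_TO_PROCEED_WITHOUT_AUDIT_{domain}"
            if common.get(auth_key, "DENY").upper() != "ALLOW":
                findings.append(f"{domain}: ALLOW_ADMINISTRATION=ALLOW has no effect while authentication is DENY")
    for key, value in server.items():
        if key.startswith("SEARCH_LIMIT_") and int(value) > search_limit_warn:
            findings.append(f"{key}={value}: each returned record costs memory and an HSM signature check")
    return findings


if __name__ == "__main__":
    server = parse_properties(SERVER_PROPS)
    for finding in audit_findings(server, parse_properties(COMMON_PROPS)):
        print("WARN", finding)
```

Run it against the customization package files rather than the shipped defaults, since those are where changes land; in the sample above the console user limit of 500 is silently ignored in favor of SEARCH_LIMIT_USER=100, while the device limit of 50 is honored.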
To configure user case sensitivity, set the CASE_SENSITIVE property to true.
The following summary illustrates the behavior when user case sensitivity is set to true:
- The user “jdoe” cannot authenticate if you enter “JDOE” in the login page username field; they can only authenticate by entering “jdoe”.
- The user “jdoe” is not returned in a user search if you enter “JDOE” in the search field, only if you enter “jdoe”.
- You can create both a “JDOE” and a “jdoe” user.
Note: By default, user search and user authentication are not case-sensitive (user case sensitivity is set to false). This means that:
- The user “jdoe” can authenticate if you enter “JDOE” in the login page username field.
- The user “jdoe” is returned in a user search if you enter “JDOE” in the search field.
- You cannot create both a “JDOE” and a “jdoe” user; a warning message reports that the user already exists.
CASE_SENSITIVE
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: false
Description: User case-sensitivity configuration.
The user attribute mapping is used in the context of the Authorization Profiles Selection Rules.
Note: This mapping is shared by all security domains.
When FORCE_SERVER_GENERIC_RULE is true (the default), a generic dictionary attribute used in a "check before" authorization profile rule is mapped through the table below to the corresponding ActivID AS user attribute when the comparison attribute selected in the rule is a static value. When the comparison attribute is dynamic (an ActivID AS attribute), the generic dictionary attribute is mapped to the attribute received with the authentication request.
When the setting is false, the generic dictionary attribute is always mapped to the authentication request attribute.
FORCE_SERVER_GENERIC_RULE
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: true
Description: Defines whether the attribute mapping defined below is used to force the mapping of generic attributes to ActivID AS attributes.
The following entries define the mapping of attributes that applies when FORCE_SERVER_GENERIC_RULE is true.
Mapping names and values
Property name | Property value
Date-of-Birth | DOB
Title | TITLE
User-Type | USER_TYPE
Last-Success-Auth | LAST_AUTH
Type-Of-System | ATR_SYSTYP
E-Mail-Address | ATR_EMAIL
Mobile-Phone-Number | ATR_MOBILE
Address-Line-1 | ADDRESS1
Address-Line-2 | ADDRESS2
Address-Line-3 | ADDRESS3
Address-Line-4 | ADDRESS4
City | CITY
Post-Code | POSTCODE
First-Name | FIRSTNAME
Last-Name | LASTNAME
Custom-Attribute-1 | (not defined)
Custom-Attribute-2 | (not defined)
Custom-Attribute-3 | (not defined)
Custom-Attribute-4 | (not defined)
Custom-Attribute-5 | (not defined)
Custom-Attribute-6 | (not defined)
Custom-Attribute-7 | (not defined)
Custom-Attribute-8 | (not defined)
Custom-Attribute-9 | (not defined)
Custom-Attribute-10 | (not defined)
Note: When the “Property value” is not defined, any custom value can be set.
UATSP_STATUS_CATEGORY
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Type: Default
Value: UATSP
Description: Defines the default status category for the asset workflow.
Add Adapter Definitions
In the activid_server.properties file, the following entries can be used to add new adapters to ActivID AS (%nb is the adapter number, starting at 1 for each adapter type):
- ADPTR.AUTHENTICATION.adptr%nb – authentication process adapters
- ADPTR.AUTH_MANAGER.adptr%nb – authenticator management adapters
- ADPTR.CREDENTIAL.adptr%nb – credential management adapters
- ADPTR.OOB.adptr%nb – delivery gateway adapters
- ADPTR.DEVICE.adptr%nb – device management adapters
- ADPTR.DATASOURCE.adptr%nb – LDAP adapters
- ADPTR.PROCS.adptr%nb – authentication pre- or post-process adapters
- ADPTR.USER_MANAGER.adptr%nb – user management adapters
- ADPTR.DEVICE_IMPORT.adptr%nb – device import adapters
- ADPTR.AUDIT.adptr%nb – adapters that handle audit event notifications
- ADPTR.ORGANIZATION.adptr%nb – organization adapters
Sample Definition
################################################################################
#
# Adapters declaration
#
#################################################################################
#ADAPTER_TYPE_AUTHENTICATION: template ADPTR.AUTHENTICATION.adptr%nb
#ADPTR.AUTHENTICATION.adptr1=my.adapter.class.path
#ADAPTER_TYPE_AUTHENTICATION_MANAGER: template ADPTR.AUTH_MANAGER.adptr%nb
#ADPTR.AUTH_MANAGER.adptr1=my.adapter.class.path
#ADAPTER_TYPE_CREDENTIAL: template ADPTR.CREDENTIAL.adptr%nb
#ADPTR.CREDENTIAL.adptr1=my.adapter.class.path
#ADAPTER_TYPE_OOB: template ADPTR.OOB.adptr%nb
#ADPTR.OOB.adptr1=my.adapter.class.path
#ADAPTER_TYPE_DEVICE: template ADPTR.DEVICE.adptr%nb
#ADPTR.DEVICE.adptr1=my.adapter.class.path
#ADAPTER_TYPE_DATASOURCE: template ADPTR.DATASOURCE.adptr%nb
#ADPTR.DATASOURCE.adptr1=my.adapter.class.path
#ADAPTER_TYPE_PROCS: template ADPTR.PROCS.adptr%nb
#ADPTR.PROCS.adptr1=my.adapter.class.path
#ADAPTER_TYPE_USER_MANAGER: template ADPTR.USER_MANAGER.adptr%nb
#ADPTR.USER_MANAGER.adptr1=my.adapter.class.path
#ADAPTER_TYPE_DEVICE_IMPORT: template ADPTR.DEVICE_IMPORT.adptr%nb
#ADPTR.DEVICE_IMPORT.adptr1=my.adapter.class.path
#ADAPTER_TYPE_AUDIT: template ADPTR.AUDIT.adptr%nb
#ADPTR.AUDIT.adptr1=my.adapter.class.path
#ADAPTER_TYPE_ORGANIZATION: template ADPTR.ORGANIZATION.adptr%nb
#ADPTR.ORGANIZATION.adptr1=my.adapter.class.path
For example, to add a new custom device adapter whose Java implementation class is com.test.mydeviceadapter:
- Locate the #ADAPTER_TYPE_DEVICE: template ADPTR.DEVICE.adptr%nb entry.
- Add the following line, using the next available adapter number for that template (for the first device adapter, use adptr1):
ADPTR.DEVICE.adptr1=com.test.mydeviceadapter
For further information about developing new adapters, contact HID Global Technical Support.
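The procedure above is easy to get wrong by hand when several adapters of one type already exist (reusing an adptr number silently replaces the earlier declaration). The following script, added here as an example and not part of the ActivID AS product or its documentation, parses the declarations already present, computes the next free slot for the requested type, validates the class name and inserts the new line next to the type's template comment. It assumes only the ADPTR.<TYPE>.adptr<n>=<class> key layout shown above; the properties content it works on is constructed for the example, and "next free" is taken to be one past the highest number in use so that a retired number is never reused.

```python
"""Declare a new adapter in activid_server.properties in the next free
ADPTR.<TYPE>.adptr<n> slot.

Added example, not part of the ActivID AS product or its documentation. It
assumes only the key layout shown above; the properties content below is
constructed for the example, and 'next free' is taken to be one past the
highest number already in use so that a retired number is never reused."""
import re
from typing import Dict, List, Tuple

ADAPTER_TYPES = {
    "AUTHENTICATION", "AUTH_MANAGER", "CREDENTIAL", "OOB", "DEVICE", "DATASOURCE",
    "PROCS", "USER_MANAGER", "DEVICE_IMPORT", "AUDIT", "ORGANIZATION",
}
# Active (uncommented) declaration: ADPTR.<TYPE>.adptr<n>=<class>
_DECL_RE = re.compile(r"^ADPTR\.([A-Z_]+)\.adptr(\d+)\s*=\s*(\S+)\s*$")
# Fully qualified Java class name, e.g. com.test.mydeviceadapter
_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

SAMPLE_PROPERTIES = """\
#ADAPTER_TYPE_DEVICE: template ADPTR.DEVICE.adptr%nb
#ADPTR.DEVICE.adptr1=my.adapter.class.path
ADPTR.DEVICE.adptr1=com.example.ExistingDeviceAdapter
#ADAPTER_TYPE_AUDIT: template ADPTR.AUDIT.adptr%nb
#ADPTR.AUDIT.adptr1=my.adapter.class.path
""".splitlines()   # constructed sample, not the shipped file


def declared_adapters(lines: List[str]) -> Dict[str, Dict[int, str]]:
    """Map adapter type -> {slot number: class name} for active entries."""
    found: Dict[str, Dict[int, str]] = {}
    for line in lines:
        m = _DECL_RE.match(line.strip())
        if m:
            found.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
    return found


def next_slot(lines: List[str], adapter_type: str) -> int:
    """One past the highest adptr number in use for this type (1 if none)."""
    used = declared_adapters(lines).get(adapter_type, {})
    return max(used, default=0) + 1


def is_valid_class_name(name: str) -> bool:
    return bool(_CLASS_RE.match(name))


def add_adapter(lines: List[str], adapter_type: str, class_name: str) -> Tuple[List[str], str]:
    """Return (new file lines, the line that was added)."""
    if adapter_type not in ADAPTER_TYPES:
        raise ValueError(f"unknown adapter type: {adapter_type}")
    if not is_valid_class_name(class_name):
        raise ValueError(f"not a Java class name: {class_name!r}")
    if class_name in declared_adapters(lines).get(adapter_type, {}).values():
        raise ValueError(f"{class_name} is already declared as a {adapter_type} adapter")
    new_line = f"ADPTR.{adapter_type}.adptr{next_slot(lines, adapter_type)}={class_name}"
    prefix = f"ADPTR.{adapter_type}.adptr"
    out = list(lines)
    for i, line in enumerate(out):
        if f"template {prefix}%nb" in line:
            # Keep the file grouped as shipped: place the new entry after the
            # template comment and any existing (commented or active) entries.
            j = i + 1
            while j < len(out) and prefix in out[j] and "template" not in out[j]:
                j += 1
            out.insert(j, new_line)
            break
    else:
        out.append(new_line)   # no template comment for this type: append
    return out, new_line


if __name__ == "__main__":
    updated, added = add_adapter(SAMPLE_PROPERTIES, "DEVICE", "com.test.mydeviceadapter")
    print(added)
    print("\n".join(updated))
```

Run it against a copy of activid_server.properties and diff the result before putting it in place; the product loads the class by name, so the value is trusted code and a typo or an unexpected class on the classpath is a silent failure at best.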
Credential Adapters
ALLOW_AUTO_SYNC_WITHOUT_SOFT_PIN
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: true
Description: Soft PIN-enabled devices can be resynchronized automatically by entering either the OTP alone, or the soft PIN followed by the OTP.
Set this flag to false to make entering both the soft PIN and the generated OTP mandatory for resynchronizing soft PIN-enabled devices; with the default, a device can be resynchronized by someone who holds the device but does not know its soft PIN.
Import Device and Import Adapters
ASYNC_DEVICES_IMPORT_TEMPO_MS
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 5
Description: Defines the delay, in milliseconds, to wait between device imports inside a batch, so that the background device import task does not overload the CPU.
DEVICEIMPORT_SCHED_EXPR
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: *,*,0/10
Description: Schedule expression for the Large Device Import timer.
Global Process Adapters Parameters
DEFAULT_CHANNEL_PROCESS_PRE
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: none
Description: Pre-process adapter configuration identifiers, used by the authenticate process. Defines the pre-process adapters (run before verification of the secret) that are activated during authentication.
Configuration identifiers can be retrieved with the public API getAdapterConfigurationsForType(), or created with createAdapterConfiguration().
DEFAULT_CHANNEL_PROCESS_POST
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: none
Description: Post-process adapter configuration identifiers, used by the authenticate process. Defines the post-process adapters (run after verification of the secret) that are activated during authentication.
Configuration identifiers can be retrieved with the public API getAdapterConfigurationsForType(), or created with createAdapterConfiguration().
AAA_LDAP_USER_ATTRIBUTE
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: facsimileTelephonenumber
Description: Used by the AAAAutoBindProcessAdapter. Defines the LDAP attribute that stores the device serial number.
LDAP_CONNECTION_TIMEOUT
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 10000
Description: Used by the LDAP adapters. Defines the LDAP connection timeout.
LDAP_READ_TIMEOUT
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 10000
Description: Used by the LDAP adapters. Defines the LDAP read timeout.
LDAP_SEARCH_PAGE_SIZE_%ADAPTER_CODE%
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 2000
Description: Used by the LDAP adapters to define the LDAP search page size.
To set a specific value for a directory type, replace %ADAPTER_CODE% with the adapter code of that directory:
- For Active Directory, use %ADAPTER_CODE% = AD_ADPT_CODE (for example, LDAP_SEARCH_PAGE_SIZE_AD_ADPT_CODE=1000)
- For Novell eDirectory, use %ADAPTER_CODE% = EDIR_ADPT_CODE
- For Sun ONE Directory, use %ADAPTER_CODE% = SUN_ADPT_CODE
PROXY_INTERCEPTOR
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: com.hid.ai.interceptor.LoggingInterceptor
Description: Adapter class to be invoked on UserManager calls. For example: com.hid.ai.interceptor.LoggingInterceptor
The Concurrent Login Policy enables you to limit active sessions to a single session at a time for a single user account. The Concurrent Login Policy is configured globally per domain.
When the concurrent login policy is enabled, only one login session is permitted per user. Within the same browser session, different service providers/channels can be accessed for the same user account using the same session.
When the same user tries to access a service provider (for example, the ActivID Management Console) from another browser session, the authentication is denied as long as the other session remains open. The user must wait until the other session is closed or has timed out.
If a user tries to launch a concurrent login session, the error message “Login is denied. You cannot log on as long as your previous session remains open. Log out from the previous session or wait for the session to time out and try again” is displayed.
When LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAINX> is absent (the default, equivalent to false), the ActivID Authentication Portal allows concurrent login.
LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAINX>
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: false
Description: Defines how the ActivID Authentication Portal manages concurrent login for the same user account, where <DOMAINX> is the domain name.
Possible values:
- true – concurrent login is denied: a login from a second browser session is refused while the user's first session remains open or has not yet timed out
- false – concurrent login is allowed (this is also the behavior when the property is absent)
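The policy has three cases worth seeing together: the same browser session reaching a second service provider (allowed), a second browser session while the first is alive (denied when the domain's flag is true), and a second browser session after the first has timed out or logged out (allowed). The model below is an added example, not ActivID AS code: the session registry, its idle timeout and the injectable clock are the example's own, while the property name, the absent-means-false rule and the denial text come from the page.

```python
"""Per-domain concurrent login policy, modelled on
LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAINX> as described above.

Added example, not ActivID AS code. The registry, its idle timeout and the
injectable clock are the example's own; the property name, the absent-means-
false rule and the denial message come from the page."""
import time
from typing import Callable, Dict, Optional, Tuple

DENIED_MESSAGE = ("Login is denied. You cannot log on as long as your previous session "
                  "remains open. Log out from the previous session or wait for the "
                  "session to time out and try again")


def duplicate_session_fails(props: Dict[str, str], domain: str) -> bool:
    """Read LOGIN_POLICY_SESSION_DUPLICATE_FAIL_<DOMAIN>; an absent key is false."""
    value = props.get(f"LOGIN_POLICY_SESSION_DUPLICATE_FAIL_{domain}", "false")
    return value.strip().lower() == "true"


class SessionRegistry:
    """Tracks live portal sessions per (domain, user) and applies the policy."""

    def __init__(self, props: Dict[str, str], timeout_s: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._props = props
        self._timeout_s = timeout_s
        self._clock = clock
        # (domain, user) -> {session_id: last_seen}
        self._live: Dict[Tuple[str, str], Dict[str, float]] = {}

    def _expire(self, now: float) -> None:
        """Drop sessions idle for at least the timeout (the 'timed out' case)."""
        for key, sessions in list(self._live.items()):
            for sid, seen in list(sessions.items()):
                if now - seen >= self._timeout_s:
                    del sessions[sid]
            if not sessions:
                del self._live[key]

    def login(self, domain: str, user: str, session_id: str) -> Tuple[bool, Optional[str]]:
        """Return (allowed, error_message) for a login attempt."""
        now = self._clock()
        self._expire(now)
        sessions = self._live.setdefault((domain, user), {})
        if session_id in sessions:
            # Same browser session reaching another service provider/channel:
            # it reuses the existing session, so it is never a duplicate.
            sessions[session_id] = now
            return True, None
        if sessions and duplicate_session_fails(self._props, domain):
            return False, DENIED_MESSAGE
        sessions[session_id] = now
        return True, None

    def logout(self, domain: str, user: str, session_id: str) -> None:
        self._live.get((domain, user), {}).pop(session_id, None)

    def active_sessions(self, domain: str, user: str) -> int:
        self._expire(self._clock())
        return len(self._live.get((domain, user), {}))


if __name__ == "__main__":
    registry = SessionRegistry({"LOGIN_POLICY_SESSION_DUPLICATE_FAIL_DOMAINX": "true"}, 600)
    print(registry.login("DOMAINX", "alice", "browser-1"))
    print(registry.login("DOMAINX", "alice", "browser-2"))   # denied while browser-1 is live
```

Note that the denial depends on the first session still being tracked: the portal's session timeout therefore bounds how long a forgotten session locks the account out, and it is the only recovery path for a user who closed the browser without logging out.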
DIRECT_AUTH_RETURN_FAILURE_DETAILS
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: false
Description: Defines whether responses to failed direct authentications contain details of the exceptions.
Possible values:
- true – permissive responses for direct authentications (not safe): exceptions and reason codes are returned to the caller
- false – no permissive responses for direct authentications (recommended): only a response code is returned
Returning reason codes lets an unauthenticated caller distinguish, for example, an unknown user from a disabled authenticator, which turns the authentication endpoint into an account enumeration oracle.
The following codes are the RFE forward reason codes that are enabled by default. The complete list of reason codes can be found in the ActivID AS API Javadoc documentation.
To modify the settings, update the values in the following properties.
REASON_CODES_AUTHENTICATION
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value:
- 0 − Reason indicating that the authenticator could not be found
- 1 − Reason indicating that the authenticator is disabled
- 7 − Reason indicating that the authenticator is not yet valid
- 8 − Reason indicating that the authenticator is expired
- 15 − Reason indicating that the user was not found
- 19 − Reason indicating that a password's maximum number of usages has been reached
- 20 − Reason indicating that the device is not valid
- 23 − Reason indicating that no valid credentials were found
- 26 − Reason indicating that the amount value for EMV CAP verification is invalid: it must be numeric and must not contain a decimal character
Description: Defines the authentication RFE forward reason codes.
REASON_CODES_CHALLENGE
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value:
- 1 − Reason indicating that the challenge counter reached the disable threshold
Description: Defines the challenge RFE forward reason codes.
REASON_CODES_ERROR
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value:
- 1200 − A user with the specified code (external reference) could not be found
- 1261 − A device with the specified ID could not be found
- 1270 − An authenticator could not be found
- 6058 − There was no active device on the authenticator
- 6200 − No active authenticator was found for a dynamic authenticator selection getChallenge request
- 6201 − No active authenticator was found for a dynamic authenticator selection Device Authentication request
- 6202 − No active authenticator was found for a dynamic authenticator selection UP Authentication request
Description: Defines the error RFE forward reason codes.
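The two settings above work together: DIRECT_AUTH_RETURN_FAILURE_DETAILS decides whether a failed direct authentication says anything beyond a response code, and the REASON_CODES_* lists decide which reason codes are forwarded when it does. The model below is an added example, not ActivID AS code; it assumes (the page does not spell this out) that a reason code reaches the caller only when it is listed in the matching REASON_CODES_* property, and the response field names and exception names are constructed for the example. The last function shows the security point from the description: two different failures become distinguishable to the caller as soon as details are returned.

```python
"""Shape a direct-authentication failure response according to
DIRECT_AUTH_RETURN_FAILURE_DETAILS and the REASON_CODES_* forward lists.

Added example, not ActivID AS code. It assumes (the page does not spell this
out) that a reason code reaches the caller only when it is listed in the
matching REASON_CODES_* property; the response field names and the exception
names used below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Set

# Default values as documented above, in properties-file form.
DEFAULT_PROPS = {
    "DIRECT_AUTH_RETURN_FAILURE_DETAILS": "false",
    "REASON_CODES_AUTHENTICATION": "0,1,7,8,15,19,20,23,26",
    "REASON_CODES_CHALLENGE": "1",
    "REASON_CODES_ERROR": "1200,1261,1270,6058,6200,6201,6202",
}

# Reason texts for the default-enabled authentication codes (from the page).
AUTHENTICATION_REASONS = {
    0: "authenticator could not be found",
    1: "authenticator is disabled",
    7: "authenticator is not yet valid",
    8: "authenticator is expired",
    15: "user was not found",
    19: "password's maximum usages has been reached",
    20: "device is not valid",
    23: "no valid credentials were found",
    26: "amount value for EMV CAP verification is invalid",
}


def parse_code_list(value: str) -> Set[int]:
    """'0,1,7' -> {0, 1, 7}; blank entries are ignored."""
    return {int(tok) for tok in value.split(",") if tok.strip()}


@dataclass(frozen=True)
class AuthFailure:
    category: str      # AUTHENTICATION, CHALLENGE or ERROR
    reason_code: int
    exception: str     # server-side exception class name (constructed)


def failure_response(props: Dict[str, str], failure: AuthFailure) -> Dict[str, object]:
    """Build the response body returned to a direct-authentication caller."""
    response: Dict[str, object] = {"responseCode": "AUTHENTICATION_FAILED"}
    if props.get("DIRECT_AUTH_RETURN_FAILURE_DETAILS", "false").strip().lower() != "true":
        return response          # recommended: a bare response code, nothing else
    # Permissive mode: forward the exception, and the reason code if enabled.
    response["exception"] = failure.exception
    key = f"REASON_CODES_{failure.category}"
    enabled = parse_code_list(props.get(key, DEFAULT_PROPS.get(key, "")))
    if failure.reason_code in enabled:
        response["reasonCode"] = failure.reason_code
        if failure.category == "AUTHENTICATION":
            response["reason"] = AUTHENTICATION_REASONS.get(failure.reason_code, "")
    return response


def leaks_account_state(props: Dict[str, str], a: AuthFailure, b: AuthFailure) -> bool:
    """True when two different failures are distinguishable by the caller,
    which is what turns a login endpoint into a user-enumeration oracle."""
    return failure_response(props, a) != failure_response(props, b)


if __name__ == "__main__":
    unknown_user = AuthFailure("AUTHENTICATION", 15, "UserNotFoundException")
    disabled = AuthFailure("AUTHENTICATION", 1, "AuthenticatorDisabledException")
    permissive = dict(DEFAULT_PROPS, DIRECT_AUTH_RETURN_FAILURE_DETAILS="true")
    print(failure_response(DEFAULT_PROPS, unknown_user))
    print(failure_response(permissive, unknown_user))
    print("enumerable:", leaks_account_state(permissive, unknown_user, disabled))
```

Trimming the REASON_CODES_* lists narrows what is forwarded but, in this model as in the description above, the exception itself is still returned in permissive mode, so the only safe setting for an endpoint reachable by untrusted clients remains the default false.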
ac.4tress.scim.channel
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/ac-4tress-scim.properties
Default Value: CH_DIRECT
Description: Defines the ActivID AS channel (default CH_DIRECT) used by the SCIM API endpoints to interact with the ActivID AS server. This channel must be allowed for the user performing the SCIM API call.
Several critical ActivID AS system entities are safeguarded against updates that could interfere with system stability or access.
To edit these entities, you must have a higher level of privilege, defined by the OVRD_SAFEGUARD (Override Safeguard) permission, which is only assigned to ActivID AS administrators (in the ActivID Administration Functions permission set).
The Safeguard check is performed for the following operations:
You can define the comma-separated list of protected entities in SAFEGUARDED_ENTITIES_CODES.
For example:
SAFEGUARDED_ENTITIES_CODES=DT_TDSV4,AT_TDS
SAFEGUARDED_ENTITIES_CODES
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/common/activid.properties
Default Value: none
Description: Defines the set of resources (as a comma-separated list of protected entity codes) that are critical to the system and that should only be edited by ActivID AS users with a higher level of privilege.
The following settings control the trust chain check of client certificates on import and the certificate revocation check for PKI C/R (challenge/response) authentication.
CERT_REVOC_CONNECTION_TIMEOUT_S
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 15
Description: TCP connection timeout, in seconds, for CRL downloads and OCSP requests.
CERT_REVOC_READ_TIMEOUT_S
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 10
Description: TCP read timeout, in seconds, for CRL downloads and OCSP requests.
CRL_CACHE_TIMEOUT_H
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 10
Description: For performance reasons, certificate revocation lists (CRLs) are cached.
Defines the validity of cached CRL responses, in hours. A certificate revoked after the CRL was fetched is still accepted until the cached copy expires.
OCSP_CACHE_TIMEOUT_H
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 10
Description: For performance reasons, Online Certificate Status Protocol (OCSP) responses concerning intermediate CA certificates are cached.
Defines the validity of cached OCSP responses, in hours.
This setting only applies to responses for intermediate CA certificates. OCSP responses for end-user certificates are not cached.
URL_BLACKLIST_TIMEOUT_S
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: 30
Description: Defines the blacklist period, in seconds, for the URLs of unreachable CRL Distribution Points (CDPs) or OCSP responders.
During this period, the system fails over to the redundant URL, if one is available.
CERT_REVOC_CHECK_AUTHENTICATION
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: true
Description: Defines whether the certificate revocation check is performed at authentication time.
If the certificate revocation status is already checked at TLS termination, you do not need to perform this check again at authentication.
CERT_REVOC_CHECK_DEVICE_IMPORT
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: true
Description: Defines whether the certificate revocation check is performed when importing certificates.
CERTPATH_VALIDATION_LEGACY_CRED
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: true
Description: Defines whether certificate path validation is disabled for legacy certificate credentials that could not be validated (because intermediate certificates are missing).
While this is true, such legacy credentials are accepted without a trust chain check; set it to false once the missing intermediate certificates have been provisioned.
CERT_REVOC_DISABLE_OCSP_RESP_NONCE_CHECK
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: false
Description: As many OCSP responders do not use the request nonce to produce a different response for each request, you can disable the nonce verification.
Without the nonce check, an attacker on the path to the responder can replay an earlier "good" response for a certificate that has since been revoked, for as long as that response remains within its validity period.
CERT_REVOC_PREFER_OCSP_METHOD
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: true
Description: OCSP and CRL can both be used to check the revocation status of a certificate.
If both methods are available, defines whether OCSP is the preferred method.
CERT_REVOC_PROXY_REQUESTS
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: true
Description: If a forward proxy is configured, web-based (not LDAP) CRL downloads and OCSP requests use this proxy by default.
To use local OCSP responders or CRL Distribution Points, set this setting to false.
CERT_REVOC_SUPPORT_OCSP_SHA256_REQUEST
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: true
Description: By default, OCSP requests use a SHA256-based certificate ID. In case of compatibility issues, you might have to use a SHA1 certificate ID by setting this to false.
CERT_REVOC_VALID_OCSP_RESP_ALGO
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: none
Description: By default, there is no restriction on the OCSP response signature algorithms.
Specifies a comma-separated list of valid OCSP response signature algorithm OIDs (see RFC 2313). Restricting the list to the algorithms your responders actually use prevents a downgrade to a weak signature algorithm on the responses.
CRL_URLS
File: <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/activid_server.properties
Default Value: none
Description: Specifies a comma-separated list of redundant CDP URLs that are used in place of the CDPs defined in the certificates.
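The settings in this section interact: the preferred method is tried first, CA-level OCSP answers and CRLs are served from cache until their timeouts expire, an unreachable URL is blacklisted for URL_BLACKLIST_TIMEOUT_S so that the next (redundant) URL is used, and CRL_URLS replaces the CDPs carried in the certificate. The class below is an added example, not ActivID AS code, that walks through that flow. The OCSP and CRL fetchers are injected callables so nothing touches the network, certificates are plain dicts, and "no responder reachable" is treated as a failed check (fail closed); those choices are the example's own, not the product's.

```python
"""Revocation-check flow driven by the CERT_REVOC_*, CRL_*, OCSP_* and
URL_BLACKLIST_TIMEOUT_S settings above.

Added example, not ActivID AS code. The OCSP and CRL fetchers are injected
callables so that nothing touches the network, certificates are plain dicts,
and "no responder reachable" is treated as a failed check (fail closed);
those choices are the example's, not the product's."""
import time
from typing import Callable, Dict, List, Set, Tuple


class Unreachable(Exception):
    """Raised by a fetcher when a CDP or OCSP responder cannot be contacted."""


Cert = Dict[str, object]   # keys: serial, is_ca, ocsp (URL list), cdp (URL list)


class RevocationChecker:
    def __init__(self, props: Dict[str, str],
                 ocsp_fetch: Callable[[str, Cert], str],   # -> "good" | "revoked"
                 crl_fetch: Callable[[str], Set[str]],      # -> revoked serials
                 clock: Callable[[], float] = time.time) -> None:
        self.p, self.ocsp_fetch, self.crl_fetch, self.clock = props, ocsp_fetch, crl_fetch, clock
        self._ocsp_cache: Dict[str, Tuple[str, float]] = {}        # serial -> (status, expiry)
        self._crl_cache: Dict[str, Tuple[Set[str], float]] = {}    # url -> (serials, expiry)
        self._blacklist: Dict[str, float] = {}                     # url -> blacklisted until

    def _flag(self, key: str, default: str) -> bool:
        return self.p.get(key, default).strip().lower() == "true"

    def _hours(self, key: str, default: str) -> float:
        return float(self.p.get(key, default)) * 3600.0

    def _blacklisted(self, url: str, now: float) -> bool:
        return self._blacklist.get(url, 0.0) > now

    def _mark_unreachable(self, url: str, now: float) -> None:
        # During this period the next URL in the list is used instead (failover).
        self._blacklist[url] = now + float(self.p.get("URL_BLACKLIST_TIMEOUT_S", "30"))

    def _crl_urls(self, cert: Cert) -> List[str]:
        configured = self.p.get("CRL_URLS", "").strip()
        if configured:   # CRL_URLS replaces the CDPs carried in the certificate
            return [u.strip() for u in configured.split(",") if u.strip()]
        return list(cert.get("cdp", []))

    def _via_ocsp(self, cert: Cert) -> str:
        now = self.clock()
        cached = self._ocsp_cache.get(cert["serial"])
        if cached and cached[1] > now:
            return cached[0]
        for url in cert.get("ocsp", []):
            if self._blacklisted(url, now):
                continue
            try:
                status = self.ocsp_fetch(url, cert)
            except Unreachable:
                self._mark_unreachable(url, now)
                continue
            if cert.get("is_ca"):   # only intermediate-CA responses are cached
                self._ocsp_cache[cert["serial"]] = (status, now + self._hours("OCSP_CACHE_TIMEOUT_H", "10"))
            return status
        return "unknown"

    def _via_crl(self, cert: Cert) -> str:
        now = self.clock()
        for url in self._crl_urls(cert):
            cached = self._crl_cache.get(url)
            if cached and cached[1] > now:
                revoked = cached[0]
            elif self._blacklisted(url, now):
                continue
            else:
                try:
                    revoked = self.crl_fetch(url)
                except Unreachable:
                    self._mark_unreachable(url, now)
                    continue
                self._crl_cache[url] = (revoked, now + self._hours("CRL_CACHE_TIMEOUT_H", "10"))
            return "revoked" if cert["serial"] in revoked else "good"
        return "unknown"

    def status(self, cert: Cert) -> str:
        """'good', 'revoked', or 'unknown' when neither method gave an answer."""
        order = [self._via_ocsp, self._via_crl]
        if not self._flag("CERT_REVOC_PREFER_OCSP_METHOD", "true"):
            order.reverse()
        for method in order:
            result = method(cert)
            if result != "unknown":
                return result
        return "unknown"

    def allow_authentication(self, cert: Cert) -> bool:
        if not self._flag("CERT_REVOC_CHECK_AUTHENTICATION", "true"):
            return True     # revocation is assumed to be checked at TLS termination
        return self.status(cert) == "good"   # fail closed on 'unknown'
```

The fail-closed choice in allow_authentication is the one a practitioner has to make consciously: with both responders blacklisted and no cached CRL, the alternative (accepting the certificate) means a short outage of the PKI infrastructure disables revocation entirely.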
You can customize the EMV card profile settings that ActivID AS uses to import EMV cards.
The profiles are properties defined in the emvCardImportDefaults.properties file (in <ACTIVID_HOME>/ActivID_AS/applications/resources/srv/) and contain the minimum set of card and key data that is applied to all cards associated with that profile:
- IIPB – Issuer Internet Proprietary Bitmap
- masterKeyLabel – string label of the master key from which the card keys are derived
- AIP – Application Interchange Profile
- CVR – Cardholder Verification Results
- IAF – Internet Authentication Flags
- Additional definitions required by the EMV CAP specification for verification:
  - terminalCountryCode
  - terminalVerificationResult
  - transactionCurrencyCode
  - transactionDate
  - ATC – Application Transaction Counter
  - CVN – Cryptogram Version Number
- Additional definitions required by ActivID AS for EMV CAP verification:
  - authType
  - authVersion
  - CVRMask
  - extendedCVRMask
  - truncatedARQCLength
  - truncatedATCLength
For example, you could create a profile called EMVProfile1 with the following configuration:
EMVProfile1.IIPB=8000FFFFFF00000000000000000000000000
EMVProfile1.masterKeyLabel=masterkey123
EMVProfile1.AIP=1000
EMVProfile1.CVR=03A49000
EMVProfile1.IAF=00
EMVProfile1.terminalCountryCode=0000
EMVProfile1.terminalVerificationResult=8000000000
EMVProfile1.transactionCurrencyCode=0000
EMVProfile1.transactionDate=010101
EMVProfile1.ATC=0000
EMVProfile1.CVN=0A
EMVProfile1.authType=1
EMVProfile1.authVersion=0
EMVProfile1.CVRMask=0000
EMVProfile1.extendedCVRMask=00
EMVProfile1.truncatedARQCLength=5
EMVProfile1.truncatedATCLength=3
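A profile with a missing or malformed field only shows up when a card import fails, so it is worth checking the file before deploying it. The parser and validator below are an added example, not ActivID AS code: the required field list is the page's, while the split into hex-encoded and integer fields is inferred from the sample values and is the example's own sanity check, not a product rule. Only the key=value form is handled, and the EMVProfile2 entries in the sample are constructed to show failures.

```python
"""Parse EMV card import profiles from emvCardImportDefaults.properties and
check each one against the minimum field set listed above.

Added example, not ActivID AS code. The field list is the page's; the split
into hex-encoded and integer fields is inferred from the sample values and is
the example's own sanity check, not a product rule. Only the 'key=value'
form is handled; EMVProfile2 below is constructed to show failures."""
import re
from typing import Dict, List

REQUIRED_FIELDS = [
    "IIPB", "masterKeyLabel", "AIP", "CVR", "IAF",
    "terminalCountryCode", "terminalVerificationResult", "transactionCurrencyCode",
    "transactionDate", "ATC", "CVN",
    "authType", "authVersion", "CVRMask", "extendedCVRMask",
    "truncatedARQCLength", "truncatedATCLength",
]
INT_FIELDS = {"authType", "authVersion", "truncatedARQCLength", "truncatedATCLength"}
HEX_FIELDS = set(REQUIRED_FIELDS) - INT_FIELDS - {"masterKeyLabel"}
_ENTRY_RE = re.compile(r"^([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

SAMPLE = """\
# EMVProfile1 is the profile shown on the page
EMVProfile1.IIPB=8000FFFFFF00000000000000000000000000
EMVProfile1.masterKeyLabel=masterkey123
EMVProfile1.AIP=1000
EMVProfile1.CVR=03A49000
EMVProfile1.IAF=00
EMVProfile1.terminalCountryCode=0000
EMVProfile1.terminalVerificationResult=8000000000
EMVProfile1.transactionCurrencyCode=0000
EMVProfile1.transactionDate=010101
EMVProfile1.ATC=0000
EMVProfile1.CVN=0A
EMVProfile1.authType=1
EMVProfile1.authVersion=0
EMVProfile1.CVRMask=0000
EMVProfile1.extendedCVRMask=00
EMVProfile1.truncatedARQCLength=5
EMVProfile1.truncatedATCLength=3
# EMVProfile2 is constructed for this example: CVN is missing, CVR is not hex,
# truncatedARQCLength is not a number
EMVProfile2.IIPB=8000FFFFFF00000000000000000000000000
EMVProfile2.masterKeyLabel=masterkey456
EMVProfile2.AIP=1000
EMVProfile2.CVR=03A4900G
EMVProfile2.IAF=00
EMVProfile2.terminalCountryCode=0000
EMVProfile2.terminalVerificationResult=8000000000
EMVProfile2.transactionCurrencyCode=0000
EMVProfile2.transactionDate=010101
EMVProfile2.ATC=0000
EMVProfile2.authType=1
EMVProfile2.authVersion=0
EMVProfile2.CVRMask=0000
EMVProfile2.extendedCVRMask=00
EMVProfile2.truncatedARQCLength=five
EMVProfile2.truncatedATCLength=3
"""


def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Group <profile>.<field>=<value> lines by profile name."""
    profiles: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # .properties comment lines
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"not a <profile>.<field>=<value> line: {raw!r}")
        profile, field, value = m.groups()
        profiles.setdefault(profile, {})[field] = value
    return profiles


def validate_profile(name: str, fields: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the profile is complete."""
    problems: List[str] = []
    for f in REQUIRED_FIELDS:
        if f not in fields:
            problems.append(f"{name}: missing required field {f}")
            continue
        v = fields[f]
        if f in HEX_FIELDS and not re.fullmatch(r"[0-9A-Fa-f]+", v):
            problems.append(f"{name}.{f}: expected a hex string, got {v!r}")
        elif f in INT_FIELDS and not v.isdigit():
            problems.append(f"{name}.{f}: expected a non-negative integer, got {v!r}")
    return problems


def validate_file(text: str) -> Dict[str, List[str]]:
    return {name: validate_profile(name, f) for name, f in parse_profiles(text).items()}


if __name__ == "__main__":
    for profile, problems in validate_file(SAMPLE).items():
        print(profile, "OK" if not problems else "\n  " + "\n  ".join(problems))
```

The masterKeyLabel is deliberately not checked beyond presence: it names a key held by the server, and whether that key exists is a question for the key store, not for the properties file.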