The Security attributes define encryption, validation and cookie information to control the level of security for the server instance.
The encryption attributes are:
Specifies the key used to encrypt and decrypt passwords and is stored in the Service Management System configuration. Value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd
The shared secret for the application authentication module. Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl
Default value is com.iplanet.services.util.JCEEncryption. Specifies the class that implements password encryption. Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.
Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.
The validation attributes are:
Default value is 16384 (16 KB). Specifies the maximum Content-Length, in bytes, of an HTTP request that OpenSSO Enterprise will accept.
Default value is NO. Specifies whether the client's IP address is checked whenever an SSOToken is created or validated.
The cookie attributes are:
Default value is iPlanetDirectoryPro. The name of the cookie in which the Authentication Service sets the valid session handler ID. The value of this cookie is used to retrieve the valid session information.
Allows the OpenSSO Enterprise cookie to be set with the Secure flag, so that the browser returns the cookie only over a secure protocol such as HTTPS. Default value is false. Set it to true whenever the deployment is served over HTTPS; left at false, the session cookie is also sent on plain HTTP requests.
This property allows OpenSSO Enterprise to URL-encode the cookie value, converting characters that are not valid in an HTTP cookie value into their percent-encoded form.
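The two cookie properties above are easiest to verify from the server's actual Set-Cookie headers. The following is an added example, not OpenSSO code: it parses Set-Cookie lines (the sample headers are constructed, with made-up session values), reports a session cookie that lacks the Secure flag, and checks whether the value contains characters outside the RFC 6265 cookie-octet set, which is what the URL-encoding property is meant to prevent. The cookie name defaults to iPlanetDirectoryPro as on this page; the function and variable names are this example's own.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample Set-Cookie headers (not captured from a real server).
# The first is the hardened form; the second is what an unhardened
# deployment might emit: no Secure flag and a raw value containing a
# space and a comma, neither of which is a legal cookie-octet.
SAMPLE_HEADERS = [
    "Set-Cookie: iPlanetDirectoryPro=AQIC5wM2%20LY4Sfcw%2Ce9a%3D; "
    "Path=/; Domain=.example.com; Secure; HttpOnly",
    "Set-Cookie: iPlanetDirectoryPro=AQIC5wM2 LY4Sfcw,e9a=; "
    "Path=/; Domain=.example.com",
    "Set-Cookie: amlbcookie=01; Path=/",
]

# cookie-octet from RFC 6265 section 4.1.1: printable US-ASCII minus
# CTLs, space, double quote, comma, semicolon and backslash.
COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr_lower: attr_value})."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def is_valid_cookie_value(value):
    """True if every character of the value is a legal cookie-octet."""
    return bool(COOKIE_OCTET.match(value))


def encode_cookie_value(value):
    """Percent-encode a value so that it consists only of cookie-octets."""
    return quote(value, safe="")


def decode_cookie_value(value):
    """Inverse of encode_cookie_value."""
    return unquote(value)


def audit_session_cookie(headers, cookie_name="iPlanetDirectoryPro"):
    """Return a list of findings for every header that sets the session cookie."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        if "secure" not in attrs:
            findings.append(
                "missing Secure flag: browser will also send the session cookie over plain HTTP")
        if not is_valid_cookie_value(value):
            findings.append(
                "value contains characters outside the cookie-octet set: enable cookie URL-encoding")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        for finding in audit_session_cookie([header]):
            print("  ->", finding)
```

The encoder uses an empty `safe` set so that `=`, `+` and `/`, which appear in base64-style session values, are percent-encoded too; `decode_cookie_value` shows the round trip that the server side must perform before using the value.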
The following attributes allow you to configure keystore information for additional sites and servers that you create:
Value is set during installation. Example: OpenSSO-deploy-base/URI/keystore.jks. Specifies the path to the SAML XML keystore file.
Value is set during installation. Example: OpenSSO-deploy-base/URI/.storepass. Specifies the path to the file containing the SAML XML keystore password.
Value is set during installation. Example: OpenSSO-deploy-base/URI/.keypass. Specifies the path to the file containing the SAML XML private key password.
Default value is test.
These attributes define the local Certificate Revocation List (CRL) caching repository that holds CRLs issued by certificate authorities. Any service that needs a CRL for certificate validation retrieves it using this information.
Specifies the name of the LDAP server where the certificates are stored. The default value is the host name specified when OpenSSO Enterprise was installed. The host name of any LDAP Server where the certificates are stored can be used.
Specifies the port number of the LDAP server where the certificates are stored. The default value is the port specified when OpenSSO Enterprise was installed. The port of any LDAP Server where the certificates are stored can be used.
Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.
Specifies the DN used to bind to the LDAP server.
Defines the password used to bind to the LDAP server. By default, the amldapuser password entered during installation is used.
Specifies the base DN in the LDAP server from which the search for certificates and CRLs begins. By default, it is the top-level realm of the OpenSSO Enterprise installation base.
Specifies which component of the issuer's subject DN is used as the search attribute when retrieving that issuer's CRL from the local LDAP server. It is a single string value, such as "cn". All root CAs must be searchable by the same attribute.
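The search attribute above only works if every issuer DN carries that component, and the value taken from the DN ends up inside an LDAP filter. The following is an added example, not OpenSSO code, showing how the attributes in this section combine into a CRL lookup: it parses an issuer DN, pulls out the configured component, builds an RFC 4515-escaped filter (so a CA name containing parentheses or an asterisk cannot alter the filter) and assembles an RFC 4516 LDAP URL from the host, port and SSL settings. The config class and function names are this example's own, the sample DNs are constructed, and the LDAP attribute holding the CRL is assumed to be certificateRevocationList (RFC 4523); the page does not name it.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote


@dataclass
class CrlLdapConfig:
    """Mirrors the CRL repository attributes above (field names are this example's own)."""
    host: str
    port: int
    use_ssl: bool
    bind_dn: str
    base_dn: str
    search_attr: str  # issuer-DN component used to locate the CRL entry, e.g. "cn"


# Assumption: the LDAP attribute that stores the CRL (RFC 4523).
CRL_ATTRIBUTE = "certificateRevocationList"


def parse_dn(dn):
    """Split an RFC 4514 DN into [(attr_lower, value)]; multi-valued RDNs are not handled."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.replace("\\,", ",")))
    return rdns


def ldap_filter_escape(value):
    """Escape an assertion value per RFC 4515 so it cannot inject filter syntax."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_crl_search(cfg, issuer_dn):
    """Return (ldap_url, filter) that locate the CRL entry for the given issuer DN."""
    components = {}
    for attr, value in parse_dn(issuer_dn):
        components.setdefault(attr, value)  # keep the first occurrence
    attr = cfg.search_attr.lower()
    if attr not in components:
        # Failure mode the text warns about: every root CA's DN must carry this component.
        raise ValueError(f"issuer DN has no '{cfg.search_attr}' component: {issuer_dn}")
    ldap_filter = f"({attr}={ldap_filter_escape(components[attr])})"
    scheme = "ldaps" if cfg.use_ssl else "ldap"
    # RFC 4516 form: scheme://host:port/base?attributes?scope?filter
    url = (f"{scheme}://{cfg.host}:{cfg.port}/{quote(cfg.base_dn, safe='=,')}"
           f"?{CRL_ATTRIBUTE}?sub?{quote(ldap_filter, safe='=()')}")
    return url, ldap_filter


if __name__ == "__main__":
    # Constructed configuration and issuer DN for illustration only.
    cfg = CrlLdapConfig(host="ldap.example.com", port=636, use_ssl=True,
                        bind_dn="cn=amldapuser,ou=DSAME Users,dc=example,dc=com",
                        base_dn="dc=example,dc=com", search_attr="cn")
    print(build_crl_search(cfg, "CN=Example Root CA,OU=PKI,O=Example Corp,C=US"))
```

The bind DN and password are not part of the URL; they are supplied on the connection that issues this search, and the `use_ssl` flag decides whether that connection is ldaps:// or plain ldap://.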
The Online Certificate Status Protocol (OCSP) enables OpenSSO Enterprise services to determine the (revocation) state of a specified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.
This attribute enables OCSP checking. It is enabled by default.
This attribute is a URL that identifies the location of the OCSP responder. For example, http://ocsp.example.net:80.
By default, the location of the OCSP responder is determined implicitly from the certificate being validated. This property is used when the Authority Information Access extension (defined in RFC 3280, now superseded by RFC 5280) is absent from the certificate or when it must be overridden.
The OCSP responder nickname is the nickname of that responder's CA certificate, for example Certificate Manager - sun. If set, the CA certificate must be present in the web server's certificate database. If the OCSP responder URL is set, the OCSP responder nickname must be set as well; otherwise both are ignored. If neither is set, the OCSP responder URL carried in the user's certificate is used for OCSP validation. If the user's certificate carries no OCSP responder URL, no OCSP validation is performed, so in that case no revocation status is obtained from OCSP for that certificate.
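The precedence rules in the three OCSP attributes above are easy to get wrong, in particular the case where only one of URL and nickname is set. The following is an added example, not OpenSSO code, that implements those rules as a pure decision function and extracts the responder from a certificate's parsed Authority Information Access extension; the AIA sample is constructed as (access method OID, location) pairs, the id-ad-ocsp OID is the real one from RFC 5280, and the class and function names are this example's own. The result says explicitly when a certificate would get no OCSP check at all, which is the case a deployment usually wants to notice.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# id-ad-ocsp access method OID (RFC 5280 section 4.2.2.1).
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"

# Constructed AIA contents, as they would come out of a certificate parser.
SAMPLE_AIA = [
    (ID_AD_CA_ISSUERS, "http://ca.example.net/cacert.crt"),
    (ID_AD_OCSP, "http://ocsp.example.net:80"),
]


@dataclass
class OcspConfig:
    """The three OCSP attributes described above; field names are this example's own."""
    enabled: bool = True
    responder_url: Optional[str] = None
    responder_nickname: Optional[str] = None


@dataclass
class OcspDecision:
    validate: bool                 # False: the certificate receives no OCSP check
    responder_url: Optional[str]
    reason: str


def ocsp_url_from_aia(access_descriptions: List[Tuple[str, str]]) -> Optional[str]:
    """Return the OCSP responder location from parsed AIA entries, if any."""
    for method, location in access_descriptions:
        if method == ID_AD_OCSP:
            return location
    return None


def select_ocsp_responder(cfg: OcspConfig,
                          access_descriptions: List[Tuple[str, str]]) -> OcspDecision:
    """Apply the precedence rules: config pair, then certificate AIA, else no check."""
    if not cfg.enabled:
        return OcspDecision(False, None, "OCSP checking is disabled")
    if cfg.responder_url and cfg.responder_nickname:
        return OcspDecision(True, cfg.responder_url,
                            "configured responder URL overrides the certificate's AIA")
    note = ""
    if cfg.responder_url or cfg.responder_nickname:
        # Only one of the pair is set: both are ignored and the AIA is consulted instead.
        note = "URL and nickname must both be set, ignoring the configured one; "
    aia_url = ocsp_url_from_aia(access_descriptions)
    if aia_url:
        return OcspDecision(True, aia_url, note + "using responder from certificate AIA")
    return OcspDecision(False, None, note + "no responder available, OCSP validation skipped")


if __name__ == "__main__":
    for cfg in (OcspConfig(),
                OcspConfig(responder_url="http://ocsp.corp.example:8080"),
                OcspConfig(responder_url="http://ocsp.corp.example:8080",
                           responder_nickname="Certificate Manager - sun")):
        print(cfg, "->", select_ocsp_responder(cfg, SAMPLE_AIA))
```

A caller that wants fail-closed behaviour can treat `validate == False` together with `enabled == True` as an error rather than accepting the certificate, since the page's own rule is to skip OCSP silently in that case.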
Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions.
This property can be true or false. All cryptographic operations run in FIPS-compliant mode only when it is true.