Sun OpenSSO Enterprise 8.0 Administration Reference

Security

The Security attributes define encryption, validation and cookie information to control the level of security for the server instance.

Encryption

The encryption attributes are:

Password Encryption Key

Specifies the key used to encrypt and decrypt passwords and is stored in the Service Management System configuration. Value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd

Authentication Service Shared Secret

The shared secret for the application authentication module. Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl

Encryption Class

Default value is com.iplanet.services.util.JCEEncryption. Specifies the encrypting class implementation. Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.

Secure Random Factory Class

Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.

Validation

The validation attributes are:

Platform Low Level Comm. Max. Content Length

Default value is 16384 or 16k. Specifies the maximum content-length for an HttpRequest that OpenSSO Enterprise will accept.

Client IP Address Check

Default value is NO. Specifies whether or not the IP address of the client is checked in all SSOToken creations or validations.
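To make the two validation attributes concrete, the following added example (not code from OpenSSO Enterprise or this reference) parses a raw HTTP request, enforces the 16384-byte content-length limit before the body is trusted, and checks a token against the client address the way the Client IP Address Check does. The SSOToken is modelled as a plain dictionary and the request bytes are constructed for the example; both are assumptions.

```python
from ipaddress import ip_address

# The documented default for "Platform Low Level Comm. Max. Content Length".
MAX_CONTENT_LENGTH = 16384


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased. Returns None when the request has no
    header terminator or a malformed request line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return None
    method, target, _version = request_line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def check_content_length(headers: dict, body: bytes, limit: int = MAX_CONTENT_LENGTH):
    """Return (accepted, reason). The declared length is compared with the
    limit before the body is used, and the actual body must match the
    declaration so a client cannot push extra bytes past the check."""
    declared = headers.get("content-length")
    if declared is None:
        return (False, "body without Content-Length") if body else (True, "no body")
    if not (declared.isascii() and declared.isdigit()):
        return False, "non-numeric Content-Length"
    length = int(declared)
    if length > limit:
        return False, f"Content-Length {length} exceeds limit {limit}"
    if len(body) != length:
        return False, "body length does not match Content-Length"
    return True, f"{length} bytes"


def token_valid_for_client(token: dict, client_ip: str, ip_check_enabled: bool) -> bool:
    """Hypothetical SSOToken record: {'valid': bool, 'client_ip': str}.
    With the IP check enabled a token is accepted only from the address it
    was issued to; with it disabled (the default) any address passes."""
    if not token.get("valid"):
        return False
    if not ip_check_enabled:
        return True
    try:
        return ip_address(token["client_ip"]) == ip_address(client_ip)
    except (KeyError, ValueError):
        return False


if __name__ == "__main__":
    # Constructed request: a small authenticate POST within the limit.
    sample = (b"POST /opensso/identity/authenticate HTTP/1.1\r\n"
              b"Host: sso.example.com\r\nContent-Length: 5\r\n\r\nhello")
    method, target, headers, body = parse_request(sample)
    print(method, target, check_content_length(headers, body))
    token = {"valid": True, "client_ip": "192.0.2.10"}
    print(token_valid_for_client(token, "198.51.100.7", ip_check_enabled=True))
```

Turning the IP check on ties a session to one address, so clients behind rotating proxies or NAT pools will see their tokens rejected; the check is a trade-off between session-theft resistance and that breakage, which is why the default is NO.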

Cookie

The cookie attributes are:

Cookie Name

Default value is iPlanetDirectoryPro. Cookie name used by Authentication Service to set the valid session handler ID. The value of this cookie name is used to retrieve the valid session information.

Secure Cookie

Allows the OpenSSO Enterprise cookie to be set with the Secure attribute, in which case the browser returns the cookie only over a secure protocol such as HTTPS. Default value is false.

Encode Cookie Value

This property allows OpenSSO Enterprise to URL-encode the cookie value, converting characters that are not valid in an HTTP cookie into a form that HTTP can carry.
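The following added example (not code from the product or this reference) shows what the Secure Cookie and Encode Cookie Value attributes change on the wire: it builds a Set-Cookie header under each setting, parses it back the way a browser splits on ";", and decides whether a browser would return the cookie for a given scheme. The cookie value "AQIC;token" is constructed to contain a character that is not a legal cookie octet; the attribute handling is a simplified model of browser behaviour.

```python
from urllib.parse import quote, unquote


def build_set_cookie(name: str, value: str, *, secure: bool, encode: bool) -> str:
    """Build a Set-Cookie header as the two attributes control it."""
    if encode:
        # Percent-escape everything outside the unreserved set, so ';', ','
        # and whitespace can no longer be mistaken for header syntax.
        value = quote(value, safe="")
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def parse_set_cookie(header: str):
    """Return (name, value, {attribute: value}) as a browser splits it:
    the first ';' ends the cookie value, whatever the server meant."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        attrs[key.lower()] = val if val else True
    return name, value, attrs


def cookie_would_be_sent(attrs: dict, scheme: str) -> bool:
    """A cookie flagged Secure is returned by the browser only over https."""
    return not (attrs.get("secure") and scheme != "https")


def recover_value(value: str, encoded: bool) -> str:
    """Undo the server-side encoding when Encode Cookie Value is on."""
    return unquote(value) if encoded else value


if __name__ == "__main__":
    # Constructed session handle containing ';', which a raw cookie cannot carry.
    handle = "AQIC;token"
    for secure, encode in ((True, True), (False, False)):
        header = build_set_cookie("iPlanetDirectoryPro", handle, secure=secure, encode=encode)
        name, value, attrs = parse_set_cookie(header)
        print(header)
        print("  recovered:", recover_value(value, encode),
              "| sent over http:", cookie_would_be_sent(attrs, "http"))
```

With encoding off, the parser recovers only "AQIC" and the rest of the handle is read as a bogus attribute, so the session lookup fails; with Secure on, the same cookie is never exposed on a plain-HTTP request to the same host.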

Keystore

The following attributes allow you to configure keystore information for additional sites and servers that you create:

Keystore File

Value is set during installation. Example: OpenSSO-deploy-base/URI/keystore.jks. Specifies the path to the SAML XML keystore password file.

Keystore Password File

Value is set during installation. Example: OpenSSO-deploy-base/URI/.storepass. Specifies the path to the SAML XML key storepass file.

Private Key Password File

Value is set during installation. Example: OpenSSO-deploy-base/URI/.keypass. Specifies the path to the SAML XML key password file.

Certificate Alias

Default value is test.
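Because the three keystore attributes point at a keystore and two plaintext password files, the check a practitioner wants is that those files exist, are regular files, are not readable by group or other, and that the keystore actually looks like a JKS store. The following added example (not part of this reference or of OpenSSO Enterprise) audits such a layout; the hypothetical paths mirror the examples above, the JKS magic number 0xFEEDFEED is the standard one, and build_sample_layout constructs a throwaway layout so the audit can be run offline.

```python
import os
import stat
import tempfile

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # first four bytes of a Java JKS keystore

# Hypothetical paths in the layout the attribute examples use.
DEFAULT_PATHS = {
    "keystore": "OpenSSO-deploy-base/URI/keystore.jks",
    "storepass": "OpenSSO-deploy-base/URI/.storepass",
    "keypass": "OpenSSO-deploy-base/URI/.keypass",
}


def audit_file(path: str, *, secret: bool) -> list:
    """Return findings for one file. Password files (secret=True) must also
    be non-empty and single-line; the keystore must carry the JKS magic."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: readable by group/other (mode {mode:04o})")
    with open(path, "rb") as fh:
        data = fh.read()
    if secret:
        stripped = data.strip()
        if not stripped:
            findings.append(f"{path}: empty password file")
        elif b"\n" in stripped:
            findings.append(f"{path}: password file has more than one line")
    elif not data.startswith(JKS_MAGIC):
        findings.append(f"{path}: does not start with the JKS magic bytes")
    return findings


def audit_keystore_config(paths: dict) -> list:
    """Audit the keystore, storepass and keypass files named in `paths`."""
    findings = audit_file(paths["keystore"], secret=False)
    findings += audit_file(paths["storepass"], secret=True)
    findings += audit_file(paths["keypass"], secret=True)
    return findings


def build_sample_layout(directory: str = None) -> dict:
    """Construct a correctly protected sample layout (constructed data,
    'changeit' is a placeholder password) and return its paths."""
    directory = directory or tempfile.mkdtemp()
    paths = {
        "keystore": os.path.join(directory, "keystore.jks"),
        "storepass": os.path.join(directory, ".storepass"),
        "keypass": os.path.join(directory, ".keypass"),
    }
    contents = {
        "keystore": JKS_MAGIC + b"\x00\x00\x00\x02",  # magic + version, no entries
        "storepass": b"changeit\n",
        "keypass": b"changeit\n",
    }
    for key, path in paths.items():
        with open(path, "wb") as fh:
            fh.write(contents[key])
        os.chmod(path, 0o600)
    return paths


if __name__ == "__main__":
    sample = build_sample_layout()
    print("clean layout:", audit_keystore_config(sample) or "no findings")
    os.chmod(sample["storepass"], 0o644)
    print("after loosening .storepass:", audit_keystore_config(sample))
```

Run it against the real paths from the Keystore attributes after any re-deployment or copy of the configuration directory, since file copies are where the mode bits on .storepass and .keypass are most often lost.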

Certificate Revocation List Caching

These attributes define the local Certificate Revocation List (CRL) caching repository that is used for keeping the CRL from certificate authorities. Any service that needs to obtain a CRL for certificate validation will receive the CRL based on this information.

LDAP Server Host Name

Specifies the name of the LDAP server where the certificates are stored. The default value is the host name specified when OpenSSO Enterprise was installed. The host name of any LDAP Server where the certificates are stored can be used.

LDAP Server Port Number

Specifies the port number of the LDAP server where the certificates are stored. The default value is the port specified when OpenSSO Enterprise was installed. The port of any LDAP Server where the certificates are stored can be used.

SSL Enabled

Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.

LDAP Server Bind User Name

Specifies the bind DN in the LDAP server.

LDAP Server Bind Password

Defines the password to be used for binding to the LDAP server. By default, the amldapuser password that was entered during installation is used.

LDAP Search Base DN

This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation base.

Search Attributes

Any DN component of the issuer's subject DN can be used to retrieve a CRL from the local LDAP server. The value is a single attribute name, for example "cn". All root CAs must use the same search attribute.
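The following added example (not code from OpenSSO Enterprise or this reference) shows how the Search Attributes and LDAP Search Base DN settings combine into an LDAP search for a CRL: it takes the configured attribute (here "cn") out of the issuer's subject DN and builds the search filter with RFC 4515 escaping, so a parenthesis or asterisk in an issuer name cannot change the filter's meaning. The DN parser handles only the backslash-comma escape, the issuer DNs are constructed, and the attribute name certificateRevocationList;binary is the standard LDAP attribute a CRL is usually stored under; which attribute OpenSSO actually reads is not stated on this page.

```python
def parse_dn(dn: str):
    """Split an RFC 4514 DN into [(attribute, value)], lower-casing attribute
    names and honouring backslash-escaped commas inside values."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of the characters that carry meaning in a filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def crl_search_filter(issuer_dn: str, search_attr: str):
    """Build '(attr=value)' from the configured search attribute, or return
    None when the issuer DN has no such component (then no CRL lookup is
    possible for that CA, which is why all root CAs must share the attribute)."""
    attr = search_attr.strip().lower()
    for name, value in parse_dn(issuer_dn):
        if name == attr:
            return f"({attr}={escape_filter_value(value)})"
    return None


def crl_search_request(issuer_dn: str, search_attr: str, base_dn: str):
    """Assemble the parameters of the LDAP search the CRL cache would issue."""
    flt = crl_search_filter(issuer_dn, search_attr)
    if flt is None:
        return None
    return {
        "base": base_dn,
        "scope": "sub",
        "filter": flt,
        "attributes": ["certificateRevocationList;binary"],
    }


if __name__ == "__main__":
    # Constructed issuer DNs: one plain, one with parentheses and an escaped comma.
    for dn in ("CN=Example Root CA,O=Example Corp,C=US",
               "CN=Example CA (2008),O=Example\\, Inc,C=US"):
        print(crl_search_request(dn, "cn", "dc=example,dc=com"))
```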

Online Certificate Status Protocol Check

The Online Certificate Status Protocol (OCSP) enables OpenSSO Enterprise services to determine the (revocation) state of a specified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.

Check Enabled

This attribute enables OCSP checking. It is enabled by default.

Responder URL

This attribute defines the URL that identifies the location of the OCSP responder, for example http://ocsp.example.net:80.

By default, the location of the OCSP responder is determined implicitly from the certificate being validated. This property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it needs to be overridden.

Certificate Nickname

The OCSP responder nickname is the nickname of the CA certificate for that responder, for example Certificate Manager - sun. If set, the CA certificate must be present in the web server's certificate database. If the OCSP URL is set, the OCSP responder nickname must be set as well; otherwise both are ignored. If neither is set, the OCSP responder URL present in the user's certificate is used for OCSP validation. If no OCSP responder URL is present in the user's certificate, no OCSP validation is performed.
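The three OCSP attributes above interact in a way that is easy to get wrong: the configured responder is used only when both the URL and the nickname are set, a half-configured pair is silently ignored, and a certificate without an AIA responder URL gets no OCSP check at all. The following added example (not code from OpenSSO Enterprise or this reference) encodes that precedence as one decision function and, as a second step, the client behaviour the Check Enabled paragraph describes: acceptance of the certificate is suspended until a definitive response arrives. The Certificate and OcspConfig records are simplified models, the AIA URL is taken as already extracted from the certificate, and treating "unknown" or a missing response as a rejection is this example's fail-closed choice, not something the page states.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Certificate:
    """Minimal model of the certificate being validated."""
    subject: str
    aia_ocsp_url: Optional[str] = None   # OCSP URL from the AIA extension, if any


@dataclass
class OcspConfig:
    """The three OCSP attributes from the Security page."""
    check_enabled: bool = True
    responder_url: Optional[str] = None
    responder_nickname: Optional[str] = None


def select_ocsp_responder(cert: Certificate, cfg: OcspConfig) -> Tuple[Optional[str], str]:
    """Return (responder_url, source). source is one of 'configured', 'aia',
    'skipped' (no responder available, so no OCSP validation) or 'disabled'."""
    if not cfg.check_enabled:
        return None, "disabled"
    if cfg.responder_url and cfg.responder_nickname:
        return cfg.responder_url, "configured"
    # URL without nickname (or vice versa): both are ignored, fall back to the
    # certificate's own AIA extension.
    if cert.aia_ocsp_url:
        return cert.aia_ocsp_url, "aia"
    return None, "skipped"


def decide_acceptance(status: Optional[str]) -> Tuple[bool, str]:
    """Map an OCSP response to an accept/reject decision. Only a definitive
    'good' accepts; 'revoked', 'unknown' and no response (None) reject, so a
    silent or unreachable responder never lets a certificate through."""
    if status == "good":
        return True, "responder reported good"
    if status == "revoked":
        return False, "responder reported revoked"
    if status == "unknown":
        return False, "responder does not know the certificate"
    return False, "no response from responder; acceptance withheld"


if __name__ == "__main__":
    # Constructed certificate and configurations.
    cert = Certificate(subject="CN=alice", aia_ocsp_url="http://ocsp.ca.example/")
    full = OcspConfig(responder_url="http://ocsp.example.net:80",
                      responder_nickname="Certificate Manager - sun")
    half = OcspConfig(responder_url="http://ocsp.example.net:80")  # nickname missing
    for label, cfg in (("both set", full), ("URL only", half)):
        print(label, "->", select_ocsp_responder(cert, cfg))
    print("no AIA, URL only ->", select_ocsp_responder(Certificate("CN=bob"), half))
    for status in ("good", "revoked", "unknown", None):
        print(status, "->", decide_acceptance(status))
```

The "URL only" case is the one to watch in a deployment: the override looks configured, yet validation quietly falls back to whatever responder the client certificate names, or to no check at all when the certificate carries no AIA extension.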

Federal Information Processing Standards

Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions.

FIPS Mode

This property can be true or false. All cryptographic operations run in FIPS-compliant mode only when it is true.