11.9 Configuration Properties for OAA
OAA provides REST APIs for configuring properties for challenge factors and other settings.
Configuration Properties for OAA
<PolicyUrl>/policy/config/property/v1 REST
API to configure properties.
Note:
In this case remove/oaa-policy from the
<PolicyUrl>, for example use
https://<host>:<port>/policy/config/property/v1
not
https://<host>:<port>/oaa-policy/policy/config/property/v1For details about finding the PolicyUrl and
authenticating, see OAA Admin API.
For details about the Configuration Properties REST Endpoint, see Configuration Properties REST Endpoints.
Table 11-2 Configuration Properties for OAA
| Property Name | Default Value | Description |
|---|---|---|
bharosa.uio.default.all.factor.challengecounter.expiryTime |
1800000
|
Expiry time of the challenge counter lock for the factors. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries. |
bharosa.uio.default.all.factor.retry.count |
10 |
Maximum number of unsuccessful retries of the challenge for the factors. Beyond this count the challenge is locked. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.appName |
OAA |
Name of the application. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.challengeText
|
Enter OTP sent to {0}. |
Prompt message to enter One Time Pin (OTP) on the end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.fromAddress
|
oaa@oracle.com |
Email address of the email sending entity. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.fromName
|
OAA |
Name of the From email sending entity. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgIPTemplate
|
IP Address: |
Part of the email template to display message IP addres.s |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgPinTemplate
|
Please use following one time pin to login to protected
resource: |
Part of the email template to display One Time Pin (OTP). |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgResourceURLTemplate
|
Resource URL Access: |
Part of the email template to display message resource URL. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgSubject
|
One Time Pin: OAA |
Subject title of the email template. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.challengeCounterExpiryTime |
1800000
|
Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries.
If the value is not provided then the value for |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.retrycount |
|
Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked.
If the value is not provided then the value for |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.msgTimeTemplate
|
Time of Access: |
Part of the email template to display message time. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.promptmessage
|
Send OTP to {0} |
Prompt message to send One Time Pin (OTP) through email used on end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeEmail.promptselectmessage
|
Please select one of following addresses to receive OTP.
|
Prompt message to select addresses to send One Time Pin (OTP) to user on end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.challengeText
|
Enter OTP from device {1} |
Prompt message to enter time-based One Time Pin (OTP) on end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.promptselectmessage
|
Please select one of following channels |
Prompt message to select channels to send time-based One Time Pin (OTP) to user on end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.challengeCounterExpiryTime |
1800000
|
Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries.
If the value is not provided then the value for |
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.retrycount |
|
Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked.
If the value is not provided then the value specified for |
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.showSecretKeyText |
true |
Displays a secret key in the Self-Service Portal,
for use with Oracle Mobile Authenticator, Google Authenticator, or
Microsoft Authenticator. If the value is set to
false, the secret key isn't displayed.
|
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.showQrcode |
true |
Displays a QR code in the Self-Service Portal, for
use with Oracle Mobile Authenticator, Google Authenticator, or
Microsoft Authenticator. If the value is set to
false, the QR code isn't displayed.
|
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.keyExpiryEnabled |
false |
A boolean value that indicates whether or not secret key expiration is enabled. When enabled, the Time-based One Time Passcode (TOTP) secret key expiration time is checked during the challenge flow. If the key has expired, the challenge flow fails and the key is deleted. If the key has not expired, the challenge flow will continue as usual. |
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.keyExpiryTimeMinutes |
60
|
Specifies the key's expiration time in minutes. This must be a positive whole number. |
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.otpexpirytimeMs |
300000
|
Specifies the timeout in millisecond for the Time-based One Time Passcode (TOTP) generated registration URL. |
bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.oma.config |
oraclemobileauthenticator://settings?ServiceName::=%deviceName%&ServiceType::=SharedSecret&SharedSecretAuthServerType::=HTTPBasicAuthentication&LoginURL::=%totpRegistrationEndpoint%/oaa/rui/totpPreferences/v1Note: If the value of |
|
database.cache.type.enum.factor.expiryTime |
Value must be greater than equal to bharosa.uio.default.challenge.type.enum.ChallengeOMATOTP.registration.otpexpirytimeMs.If not specified default value is |
Specifies the cache timeout in seconds. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.challengeCounterExpiryTime |
1800000
|
Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries.
If the value is not provided then the value for |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.retrycount |
|
Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked.
If the value is not provided then the value specified for |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.appName
|
OAA |
Name of the application. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.challengeText
|
Enter OTP sent to {0}. |
Prompt message to enter One Time Pin (OTP) on end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.fromAddress
|
oaa@oracle.com |
Mobile number of the SMS sending entity. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.fromName
|
OAA |
Name of the From SMS sending entity. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgIPTemplate
|
IP Address: |
Part of the SMS template to display message IP address. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgPinTemplate
|
Please use following one time pin to login to protected
resource: |
Part of the SMS template to display One Time Pin (OTP). |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgResourceURLTemplate
|
Resource URL Access: |
Part of the SMS template to display message resource URL. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgSubject
|
One Time Pin: OAA |
Subject title of the SMS template. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.msgTimeTemplate
|
Time of Access: |
Part of the SMS template to display message time. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.promptmessage
|
Send OTP to phone {0} |
Prompt message to send One Time Pin (OTP) through SMS used on end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeSMS.promptselectmessage
|
Please select one of following numbers to receive OTP.
|
Prompt message to select addresses to send One Time Pin (OTP) to user on end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeTOTP.promptmessage
|
Enter OTP from registered phone |
Prompt message to send time-based One Time Pin (OTP) used on end-user challenge page. |
bharosa.uio.default.challenge.type.enum.ChallengeYubicoOTP.challengeCounterExpiryTime |
1800000
|
Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries.
If the value is not provided then the value for |
bharosa.uio.default.challenge.type.enum.ChallengeYubicoOTP.retrycount |
Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked.
If the value is not provided then the value specified for |
|
bharosa.uio.default.challenge.type.enum.ChallengeFIDO2.challengeCounterExpiryTime |
1800000 |
Expiry time of the challenge counter lock. This is the time duration for which the challenge remains unavailable for users, after challenge is locked due to maximum number of unsuccessful retries.
If the value is not provided then the value for |
bharosa.uio.default.challenge.type.enum.ChallengeFIDO2.retrycount |
Maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked.
If the value is not provided then the value specified for |
|
oracle.security.oaa.kba.challenge.number |
1 |
Number of security questions that the user will be asked to answer during the challenge flow. This should be set to a value no larger than the maximum number of active questions answered by the user during security question registration. Note: This property should be used in conjunction with the
|
oracle.security.oaa.kba.challenge.separator |
| |
If
oracle.security.oaa.kba.challenge.number is set
to a value greater than 1, the generated challenge will contain the
multiple challenges as a string, separated by the value of
oracle.security.oaa.kba.challenge.separator.
For example: What is your name?|What is your age?|What is
your birthplace? .
When the response to the challenge is presented to the OAA server, the response is also expected to be seperated by the same separator. By default the value is If you anticipate any of the questions or
answers could contain the value To
override this value set
Note: Changing the separator may impact in flight KBA authentications, Hence, perform updates to this configuration when the KBA service is offline. |
oaa.user.auth.question.authn.counter.enabled |
true |
If this property is true, the risk
counters are incremented.
|
oaa.user.auth.question.next.seq |
false |
If this property is false,
oaam.kba.questions.randomorder is
true, and
oracle.security.oaa.kba.challenge.number is 1,
the questions selected from picklist are at random. Else, the user
is challenged by questions from the picklist in sequential
order.
|
oaam.kba.questions.randomorder |
false |
If this property is true,
oaa.user.auth.question.next.seq is
false, and
oracle.security.oaa.kba.challenge.number is 1,
questions selected from picklist are at random. Else, the user is
challenged by questions from the picklist in sequential
order.
|
bharosa.kba.questions.trim.answers.for.matching |
true |
If this property is set to true,
the answer and the matched value are trimmed before
matching.
|
oaa.browser.cookie.domain |
In case of an OAA-OARM install this must be set to the OAA host domain to
collect the device cookie properly. For example, if the OAA is
accessible on https://oaa.example.com, then set the
value to oaa.example.com.
|
|
oaa.risk.integration.postauth.cp |
postauth |
Defines the default risk assurance level for OAA assurance level. The default value
is Note: This property is related to OAA-OARM integration. |
oaa.policy.assurance.level.default.action |
Challenge |
Defines the default action associated with the OAA assurance level. Note: This property is related to OAA-OARM integration. |
profile.type.enum.<AssuranceLevelKey>.riskcheckpoint |
Checkpoint associated with the existing assurance level. Note: This property is related to OAA-OARM integration. |
|
profile.type.enum.<AssuranceLevelKey>.defaultaction |
Default action associated with the existing assurance level. Acceptable values are Note: This property is related to OAA-OARM integration. |
|
rule.action.enum.<actionName>.priority |
Defines the priority of the action. It can be a integer value or string "max" to identify the highest priority. For instance: Note: This property is related to OAA-OARM integration. |
|
default.all.factor.bypassChallenge.durationInMinutes |
Specifies the duration for which the user is no longer challenged after a successful login.
Note: You can set the property to a negative value to disable this feature. |
Configuration Properties for OUA
bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.retrycount
(which uses the <PolicyUrl> endpoint), should be set using
the <DRSS>/oaa-drss/oua/property/v1 REST API endpoint.
Note:
For details on the<DRSS> endpoint and the username and
password, see Printing Deployment Details.
Table 11-3 Configuration Properties for OUA
| Property Name | Default Value | Description |
|---|---|---|
echo.elapsed.time |
2 |
This property is required to determine the count for an unreachable device. The default value '2' means that if a device does not send an echo/heartbeat for 2 hours it will be recognized as an unreachable device. |
oua.drss.lcm.heartbeatFrequency |
1800000 |
Specifies the time frequency between device heartbeat calls in milliseconds. |
oua.drss.lcm.pollingFrequency |
43200000 |
Specifies the time frequency between checking for new Oracle Universal Authenticator client software versions in milliseconds. |
oua.drss.lcm.monitoringFrequency |
10000 |
Specifies the time frequency in milliseconds used by the monitoring agent to check and restart (if required) OUADesktopHelper and OUAUpgradeAgent processes. |
oua.drss.ssoLoginUrl |
Specifies the value of the OAM endpoint. By default
this value is not set and should only be set if the OAM login URL is
different to the value specified for
oua.oamRuntimeEndpoint in the
installOAA.properties. See, Oracle Universal Authenticator Configuration.
A sample value is |
|
bharosa.uio.default.challenge.type.enum.ChallengeOMAPUSH.retrycount |
10 |
Specifies the maximum number of unsuccessful retries of the challenge. Beyond this count the challenge is locked. This value must be set to 50 if using OMA Push Notification Challenge with Oracle Universal Authenticator. |
Configuration Properties For Customizing the User Interfaces
To configure properties to customize the user interface (UI) for the OAA Administration Console, Self-Service Portal, and Runtime UI, see Customizing the OAA User Interface.
Configuration Properties For Factor Verification
To configure properties for Factor Verification, see Configuring Factor Verification.