PingAM

Security properties

Most security settings are inherited by default.

Encryption

The following properties are available under the Encryption tab:

Password Encryption Key

The encryption key for decrypting stored passwords.

The value of the am.encryption.pwd property must be the same for all deployed servers in a site. You can set the Password Encryption Key property for all servers at Deployment > Servers > server name > Security.

For greater security, store the password encryption key in a keystore and rotate the key periodically:

  1. Set Enable Encryption KeyStore.

  2. Configure the keystore by setting the encryption keystore properties on this page.

    You can either reference an existing keystore file or create a new one for this purpose.

  3. Set Encryption Key Alias to the current active key in the keystore.

Learn about creating keystores and aliases in Key aliases and passwords.

If you set Enable Encryption KeyStore and AM finds an encryption key for the mapped alias in the keystore, the Password Encryption Key is ignored.

Example: TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3

Property: am.encryption.pwd

Encryption class

The default class used to handle encryption.

Default: com.iplanet.services.util.JCEEncryption

Property: com.iplanet.security.encryptor

Secure Random Factory Class

The class used to provide AM with cryptographically strong random strings. Possible values are the com.iplanet.am.util.JSSSecureRandomFactoryImpl class for JSS and the com.iplanet.am.util.SecureRandomFactoryImpl class for pure Java.

Default: com.iplanet.am.util.SecureRandomFactoryImpl

Property: com.iplanet.security.SecureRandomFactorImpl

Enable Encryption KeyStore

If enabled, AM gets the password encryption key from the keystore defined on this page.

Default: false

Property: am.encryption.secret.enabled

Encryption Key Alias

The alias of the current active password encryption key in the keystore.

Property: am.encryption.secret.alias

Encryption KeyStore File

The location of the keystore containing the password encryption key, for example, /path/to/am/security/keystores/encryption-keystore.jceks.

Property: am.encryption.secret.keystoreFile

Encryption KeyStore Type

The type of the keystore: JCEKS, PKCS12, or BCFKS.

Property: am.encryption.secret.keystoreType

The specified keystore type must be supported by, and configured in, the local Java runtime environment.

Default: JCEKS

  • BCFKS keystores require specific configuration. Find more information in FIPS 140-3 compliance.

  • The encryption key is treated as a generic password. If you’re migrating to a BCFKS keystore from other keystore types, you might encounter limitations when migrating the encryption key to BCFKS. This is because BCFKS might not support the algorithm used to store the key in the old keystore (for example, RAW or PBEKey).

    Before you migrate the encryption key from an old keystore, change the storage algorithm to one that doesn’t enforce length restrictions during storage or retrieval of the key, for example, HmacSHA512. Length restrictions on actual usage are not subject to this issue.

Encryption KeyStore Password File

The location of the file containing the keystore password; for example, /path/to/am/security/secrets/default/.storepass.

Property: am.encryption.secret.keystorePass

Encryption Key Password File

The location of the file containing the keystore key password; for example, /path/to/am/security/secrets/default/.keypass.

Property: am.encryption.secret.keyPass
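The following Java program is an added example, not PingAM code, of the keystore-backed layout the Encryption tab describes: it creates a JCEKS keystore, stores a password encryption key under an alias, and reads the key back using the cleartext store and key password files. The file names, the alias, and the 256-bit key size are assumptions; the choice of HmacSHA512 as the stored key algorithm follows the BCFKS migration note above, since that algorithm enforces no key-length restriction on storage or retrieval.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not PingAM code: creates a JCEKS encryption keystore holding a
 * password encryption key under an alias, with the store and key passwords read
 * from cleartext password files (the .storepass/.keypass layout used on this page).
 * The key is stored with algorithm "HmacSHA512" instead of "RAW" or "AES", so the
 * entry carries no key-length constraint if it is later migrated to a BCFKS keystore.
 */
public class EncryptionKeyStoreExample {

    // Hypothetical paths and alias: substitute the values you set for
    // am.encryption.secret.keystoreFile, keystorePass, keyPass and alias.
    static final Path KEYSTORE = Path.of("encryption-keystore.jceks");
    static final Path STOREPASS = Path.of(".storepass");
    static final Path KEYPASS = Path.of(".keypass");
    static final String ALIAS = "am-password-encryption-key-1";

    /** Creates a password file with a random value if it does not exist yet. */
    static void ensurePasswordFile(Path file) throws Exception {
        if (Files.exists(file)) {
            return;
        }
        byte[] random = new byte[24];
        new SecureRandom().nextBytes(random);
        Files.writeString(file, Base64.getEncoder().encodeToString(random), StandardCharsets.UTF_8);
    }

    /** Reads a password file as the page describes it: the file content is the cleartext password. */
    static char[] readPassword(Path file) throws Exception {
        return Files.readString(file, StandardCharsets.UTF_8).trim().toCharArray();
    }

    /** Loads the keystore if it exists, otherwise starts an empty one. */
    static KeyStore openKeyStore(char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        if (Files.exists(KEYSTORE)) {
            try (FileInputStream in = new FileInputStream(KEYSTORE.toFile())) {
                ks.load(in, storePass);
            }
        } else {
            ks.load(null, null);
        }
        return ks;
    }

    /** Generates a fresh 256-bit key and stores it under ALIAS; re-running with a new ALIAS rotates the key. */
    static void storeKey() throws Exception {
        char[] storePass = readPassword(STOREPASS);
        char[] keyPass = readPassword(KEYPASS);
        KeyStore ks = openKeyStore(storePass);

        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        // "HmacSHA512" as the key algorithm: no length restriction on storage or retrieval.
        SecretKey key = new SecretKeySpec(raw, "HmacSHA512");
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(keyPass));

        try (FileOutputStream out = new FileOutputStream(KEYSTORE.toFile())) {
            ks.store(out, storePass);
        }
    }

    /** Reads the key back by alias, which is what AM does when Enable Encryption KeyStore is set. */
    static SecretKey loadKey() throws Exception {
        KeyStore ks = openKeyStore(readPassword(STOREPASS));
        KeyStore.Entry entry = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(readPassword(KEYPASS)));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret key entry under alias " + ALIAS);
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        ensurePasswordFile(STOREPASS);
        ensurePasswordFile(KEYPASS);
        storeKey();
        SecretKey key = loadKey();
        System.out.println("alias=" + ALIAS + " algorithm=" + key.getAlgorithm()
                + " bits=" + key.getEncoded().length * 8);
    }
}
```

Run it once to produce the keystore and the two password files, then point Encryption KeyStore File, Encryption KeyStore Password File, Encryption Key Password File and Encryption Key Alias at them and set Enable Encryption KeyStore. To rotate the key, store a new entry under a new alias and update Encryption Key Alias. The password files hold cleartext, so restrict their file permissions to the account that runs AM.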

Validation

The following properties are available under the Validation tab:

Platform Low Level Comm. Max. Content Length

The maximum content length for an HTTP request.

Default: 16384

Property: com.iplanet.services.comm.server.pllrequest.maxContentLength

Client IP Address Check

When enabled, AM checks client IP addresses when creating and validating SSO tokens.

Default: Disabled

Property: com.iplanet.am.clientIPCheckEnabled

Cookie

The following properties are available under the Cookie tab:

Cookie Name

The name of the cookie AM uses to set a session handler ID during authentication.

Default: iPlanetDirectoryPro

Property: com.iplanet.am.cookie.name

Secure Cookie

When enabled, AM generates secure cookies, which are only transmitted over an encrypted connection like HTTPS.

Default: Disabled

Property: com.iplanet.am.cookie.secure

Encode Cookie Value

When enabled, AM URL-encodes the cookie values.

Default: Disabled

Property: com.iplanet.am.cookie.encode

Key store

The following properties are available under the Key Store tab:

Keystore File

The path to the AM keystore file, for example, /path/to/am/security/keystores/keystore.jceks.

Default: %BASE_DIR%/%SERVER_URI%/keystore.jceks

Property: com.sun.identity.saml.xmlsig.keystore

Keystore Type

The keystore type, for example JKS or JCEKS.

This can be a custom keystore type, which must be supported by, and configured in, the local Java runtime environment.

Default: JCEKS

Property: com.sun.identity.saml.xmlsig.storetype

Keystore Password File

The path to the password file for the keystore, for example, /path/to/am/security/secrets/default/.storepass. The password contained in this file is in cleartext.

Default: %BASE_DIR%/%SERVER_URI%/.storepass

Property: com.sun.identity.saml.xmlsig.storepass

Private Key Password File

The path to the password file for the private key aliases contained in the keystore, for example, /path/to/am/security/secrets/default/.keypass. The password contained in this file is in cleartext.

Default: %BASE_DIR%/%SERVER_URI%/.keypass

Property: com.sun.identity.saml.xmlsig.keypass

Certificate Alias

Leave the default test alias.

Property: com.sun.identity.saml.xmlsig.certalias

Certificate revocation list caching

The following properties are available under the Certificate Revocation List Caching tab:

LDAP server host name

The hostname of the LDAP server where AM caches the certificate revocation list (CRL).

Property: com.sun.identity.crl.cache.directory.host

LDAP server port number

The port number of the LDAP server where AM caches the certificate revocation list.

Property: com.sun.identity.crl.cache.directory.port

SSL/TLS Enabled

When enabled, AM connects securely to the directory server holding the CRL cache. AM must trust the certificate from the LDAP server if you enable this option.

Default: Disabled

Property: com.sun.identity.crl.cache.directory.ssl

mTLS Enabled

When enabled, AM uses mutual TLS (mTLS) to authenticate to the DS server with trusted certificates.

If you enable mTLS, you must also:

  • Set SSL/TLS Enabled.

  • Set a secure port in the Connection String(s) property.

  • Configure the DS server for mTLS.

    Learn more about configuring datastores for mTLS in Secure authentication to datastores.

  • Map the secret label am.servers.crl.cache.directory.mtls.cert to a certificate in the secret store.

    Learn more about configuring certificates and secret store mappings in Secret stores.

When mTLS is enabled, AM ignores the values of the LDAP server bind user name and LDAP server bind password properties.

You must restart the server for changes to this setting to take effect.

Default: Disabled

Property: com.sun.identity.crl.cache.directory.mtlsenabled

LDAP server bind user name

The bind DN of the service account AM uses to authenticate to the LDAP server holding the CRL cache.

Property: com.sun.identity.crl.cache.directory.user

LDAP server bind password

The bind password of the username set in the LDAP server bind user name property.

Property: com.sun.identity.crl.cache.directory.password

LDAP search base DN

A valid Base DN for the LDAP search, such as dc=example,dc=com.

Property: com.sun.identity.crl.cache.directory.searchlocs

Search Attributes

The DN component of the issuer’s subject DN used to retrieve the CRL in the LDAP server, for example, cn.

Property: com.sun.identity.crl.cache.directory.searchattr

Online certificate status protocol check

The following properties are available under the Online Certificate Status Protocol Check tab:

Check Enabled

When enabled, AM checks the revocation status of certificates using the Online Certificate Status Protocol (OCSP).

Default: Disabled

Property: com.sun.identity.authentication.ocspCheck

Responder URL

The URL for the OCSP responder to contact about the revocation status of certificates.

Property: com.sun.identity.authentication.ocsp.responder.url

Certificate Nickname

The nickname for the OCSP responder certificate set in the Responder URL property.

Property: com.sun.identity.authentication.ocsp.responder.nickname

Object deserialisation class allowlist

Whitelist

A list of classes considered valid when AM performs object deserialization operations.

Default: com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction, com.sun.identity.common.CaseInsensitiveHashMap, com.sun.identity.common.CaseInsensitiveHashSet, com.sun.identity.common.CaseInsensitiveKey, com.sun.identity.common.configuration.ServerConfigXML, com.sun.identity.common.configuration.ServerConfigXML$DirUserObject, com.sun.identity.common.configuration.ServerConfigXML$ServerGroup, com.sun.identity.common.configuration.ServerConfigXML$ServerObject, com.sun.identity.console.base.model.SMSubConfig, com.sun.identity.console.service.model.SMDescriptionData, com.sun.identity.console.service.model.SMDiscoEntryData, com.sun.identity.console.session.model.SMSessionData, com.sun.identity.console.user.model.UMUserPasswordResetOptionsData, com.sun.identity.shared.datastruct.OrderedSet, com.sun.xml.bind.util.ListImpl, com.sun.xml.bind.util.ProxyListImpl, java.lang.Boolean, java.lang.Integer, java.lang.Number, java.lang.StringBuffer, java.net.InetAddress, java.security.cert.Certificate, java.security.cert.Certificate$CertificateRep, java.util.ArrayList, java.util.Collections$EmptyMap, java.util.Collections$EmptySet, java.util.Collections$SingletonList, java.util.HashMap, java.util.HashSet, java.util.LinkedHashSet, java.util.Locale, org.forgerock.openam.authentication.service.protocol.RemoteCookie, org.forgerock.openam.authentication.service.protocol.RemoteHttpServletRequest, org.forgerock.openam.authentication.service.protocol.RemoteHttpServletResponse, org.forgerock.openam.authentication.service.protocol.RemoteServletRequest, org.forgerock.openam.authentication.service.protocol.RemoteServletResponse, org.forgerock.openam.authentication.service.protocol.RemoteSession, org.forgerock.openam.dpro.session.NoOpTokenRestriction

Property: openam.deserialisation.classes.whitelist
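To show what a deserialization class allowlist does, here is an added Java example; it is not PingAM code and does not reproduce how AM applies the property internally. It takes a constructed, comma-separated value in the same format as openam.deserialisation.classes.whitelist (trimmed to a few JDK classes so it runs stand-alone), turns it into a standard JDK ObjectInputFilter that allows exactly those classes and rejects everything else, and then shows an allowed object being read while an unlisted class is refused before its fields are ever processed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;

/**
 * Added example, not PingAM code: enforce a class allowlist during Java
 * deserialization with the JDK's ObjectInputFilter (Java 9 and later).
 */
public class DeserialisationAllowlistExample {

    // Constructed value in the same comma-separated format as
    // openam.deserialisation.classes.whitelist, reduced to JDK classes.
    static final String ALLOWLIST = "java.util.ArrayList,java.lang.Integer, java.lang.Number";

    /**
     * Turns the comma-separated list into a filter pattern: each listed class is
     * allowed and the trailing "!*" rejects every class not named explicitly.
     * Superclasses in the stream (here java.lang.Number for Integer) must be listed too.
     */
    static ObjectInputFilter filterFrom(String property) {
        String pattern = Arrays.stream(property.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.joining(";")) + ";!*";
        return ObjectInputFilter.Config.createFilter(pattern);
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** The filter is installed before readObject, so rejected classes never get resolved. */
    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = filterFrom(ALLOWLIST);

        List<Integer> allowed = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("allowed: " + deserialize(serialize(allowed), filter));

        try {
            deserialize(serialize(new Date()), filter); // java.util.Date is not on the list
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter approach matches the intent of the Whitelist property: anything outside the list is refused, so adding a class to the allowlist should be a deliberate decision, and the list should stay as short as the deployment's own serialized types allow.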