---
title: Security properties
description: Most security settings are inherited by default.
component: pingam
version: 8.1
page_id: pingam:setup:server-security
canonical_url: https://docs.pingidentity.com/pingam/8.1/setup/server-security.html
page_aliases: ["setup-guide:server-security.adoc"]
section_ids:
  security-encryption: Encryption
  security-validation: Validation
  security-cookie: Cookie
  security-keystore: Key store
  security-revocation: Certificate revocation list caching
  security-protocol: Online certificate status protocol check
  security-whitelist: Object deserialisation class allowlist
---

# Security properties

Most security settings are inherited by default.

## Encryption

The following properties are available under the Encryption tab:

* Password Encryption Key

  The encryption key for decrypting stored passwords.

  The value of the `am.encryption.pwd` property must be the same for all deployed servers in a site. You can set the Password Encryption Key property for all servers at Deployment > Servers > *server name* > Security.

  For greater security, store the password encryption key in a keystore and rotate the key periodically:

  1) Set Enable Encryption KeyStore.

  2) Configure the keystore by setting the encryption keystore properties on this page.

     You can either reference an existing keystore file or create a new one for this purpose.

  3) Set Encryption Key Alias to the current active key in the keystore.

  Learn about creating keystores and aliases in [Key aliases and passwords](../security/configuring-keys.html).

  If you set Enable Encryption KeyStore and AM finds an encryption key for the mapped alias in the keystore, the Password Encryption Key is ignored.

  Example: `TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3`

  Property: `am.encryption.pwd`

* Encryption class

  The default class used to handle encryption.

  Default: `com.iplanet.services.util.JCEEncryption`

  Property: `com.iplanet.security.encryptor`

* Secure Random Factory Class

  The class used to provide AM with cryptographically strong random strings. Possible values are the `com.iplanet.am.util.JSSSecureRandomFactoryImpl` class for JSS and the `com.iplanet.am.util.SecureRandomFactoryImpl` class for pure Java.

  Default: `com.iplanet.am.util.SecureRandomFactoryImpl`

  Property: `com.iplanet.security.SecureRandomFactorImpl`

* Enable Encryption KeyStore

  If enabled, AM gets the password encryption key from the keystore defined on this page.

  Default: false

  Property: `am.encryption.secret.enabled`

* Encryption Key Alias

  The alias of the current active password encryption key in the keystore.

  Property: `am.encryption.secret.alias`

* Encryption KeyStore File

  The location of the keystore containing the password encryption key, for example, `/path/to/am/security/keystores/encryption-keystore.jceks`.

  Property: `am.encryption.secret.keystoreFile`

* Encryption KeyStore Type

  The type of the keystore: `JCEKS`, `PKCS12`, or `BCFKS`.

  Property: `am.encryption.secret.keystoreType`

  The specified keystore type must be supported by, and configured in, the local Java runtime environment.

  Default: `JCEKS`

  * `BCFKS` keystores require specific configuration. Find more information in [FIPS 140–3 compliance](../security/fips.html).

  * The encryption key is treated as a generic password. If you're migrating to a BCFKS keystore from other keystore types, you might encounter limitations when migrating the encryption key to BCFKS. This is because BCFKS might not support the algorithm used to store the key in the old keystore (for example, `RAW` or `PBEKey`).

    Before you migrate the encryption key from the old keystore, change its storage algorithm to one that doesn't enforce length restrictions when the key is stored or retrieved, for example, `HmacSHA512`. Length restrictions that apply only when the key is used do not cause this issue.

* Encryption KeyStore Password File

  The location of the file containing the keystore password; for example, `/path/to/am/security/secrets/default/.storepass`.

  Property: `am.encryption.secret.keystorePass`

* Encryption Key Password File

  The location of the file containing the keystore key password; for example, `/path/to/am/security/secrets/default/.keypass`.

  Property: `am.encryption.secret.keyPass`
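The steps above (enable the encryption keystore, point the keystore properties at a file, set the active alias) are easiest to follow with the files in hand. The script below is an added example, not code from the PingAM documentation or product: it creates the keystore and the two cleartext password files that the Encryption KeyStore properties refer to, adds a secret-key entry under an alias, and prints the property values to set. It assumes a JDK `keytool` on `PATH`; the directory layout, the alias names and the choice of `HmacSHA512` as the storage algorithm (the one this page suggests for BCFKS migration) are illustrative, and the `name=value` lines it prints are only a summary of what to enter on this page.

```shell
#!/bin/sh
# Added example, not PingAM code: build the encryption keystore and password
# files behind the Encryption KeyStore properties, add or rotate a key alias,
# and print the property values to set. Assumes a JDK keytool on PATH.
# Alias names, directory layout and HmacSHA512 are illustrative choices.
set -eu

STORE_NAME=encryption-keystore.jceks

# write_secret_file FILE: create FILE holding a random password, mode 0600.
# Both .storepass and .keypass are cleartext, so keep them readable only by
# the account that runs AM.
write_secret_file() {
    ( umask 077; head -c 24 /dev/urandom | base64 | tr -d '\n/+=' > "$1" )
    chmod 600 "$1"
}

# add_encryption_key DIR ALIAS: generate a new HmacSHA512 secret key under
# ALIAS in DIR/encryption-keystore.jceks (the keystore is created if absent).
# Calling this again with a fresh alias is the "rotate the key periodically"
# step; the previous entry is left in place.
add_encryption_key() {
    dir=$1
    alias=$2
    keytool -genseckey \
        -alias "$alias" -keyalg HmacSHA512 -keysize 512 \
        -keystore "$dir/$STORE_NAME" -storetype JCEKS \
        -storepass:file "$dir/.storepass" -keypass:file "$dir/.keypass"
}

# list_encryption_keys DIR: print the aliases of the secret-key entries, one
# per line. keytool lower-cases JCEKS aliases, so use lowercase alias names.
list_encryption_keys() {
    keytool -list -keystore "$1/$STORE_NAME" -storetype JCEKS \
        -storepass:file "$1/.storepass" \
        | awk -F', ' '/SecretKeyEntry/ { print $1 }'
}

# am_encryption_properties DIR ALIAS: print the values to enter for the
# Encryption KeyStore properties on this page, as name=value lines (a summary
# format for the reader, not a file AM reads).
am_encryption_properties() {
    printf 'am.encryption.secret.enabled=true\n'
    printf 'am.encryption.secret.alias=%s\n' "$2"
    printf 'am.encryption.secret.keystoreFile=%s/%s\n' "$1" "$STORE_NAME"
    printf 'am.encryption.secret.keystoreType=JCEKS\n'
    printf 'am.encryption.secret.keystorePass=%s/.storepass\n' "$1"
    printf 'am.encryption.secret.keyPass=%s/.keypass\n' "$1"
}

# Usage: sh encryption-keystore.sh /path/to/am/security/keystores enc-2025-07
main() {
    dir=$1
    alias=$2
    mkdir -p "$dir"
    [ -f "$dir/.storepass" ] || write_secret_file "$dir/.storepass"
    [ -f "$dir/.keypass" ] || write_secret_file "$dir/.keypass"
    add_encryption_key "$dir" "$alias"
    echo "Secret-key aliases now in $dir/$STORE_NAME:"
    list_encryption_keys "$dir"
    echo
    echo "Set these Encryption properties for this server:"
    am_encryption_properties "$dir" "$alias"
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

Running the script a second time with a new alias adds a second entry without touching the first; switching Encryption Key Alias to the new alias is then the only change on this page. Because the password files are cleartext, check their ownership and mode after copying them to another server.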

## Validation

The following properties are available under the Validation tab:

* Platform Low Level Comm. Max. Content Length

  The maximum content length, in bytes, that AM accepts for a platform low-level communication (PLL) HTTP request.

  Default: 16384

  Property: `com.iplanet.services.comm.server.pllrequest.maxContentLength`

* Client IP Address Check

  When enabled, AM checks client IP addresses when creating and validating SSO tokens.

  Default: Disabled

  Property: `com.iplanet.am.clientIPCheckEnabled`

## Cookie

The following properties are available under the Cookie tab:

* Cookie Name

  The name of the cookie AM uses to set a session handler ID during authentication.

  Default: `iPlanetDirectoryPro`

  Property: `com.iplanet.am.cookie.name`

* Secure Cookie

  When enabled, AM sets the `Secure` attribute on the cookies it issues, so browsers send them only over an encrypted connection such as HTTPS.

  Default: Disabled

  Property: `com.iplanet.am.cookie.secure`

* Encode Cookie Value

  When enabled, AM URL-encodes the cookie values.

  Default: Disabled

  Property: `com.iplanet.am.cookie.encode`
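After enabling Secure Cookie, the check a practitioner wants is whether the cookie named by Cookie Name actually comes back with the `Secure` attribute. The script below is an added example, not code from the PingAM documentation or product: it reads raw HTTP response headers on stdin (for instance from `curl -sD - -o /dev/null` against an AM endpoint; the host in the usage comment is a placeholder) and reports the attributes of the named cookie. `SAMPLE_HEADERS` is a constructed response for the example, not real AM output.

```shell
#!/bin/sh
# Added example, not PingAM code: report whether a named cookie in captured
# HTTP response headers carries the Secure attribute.
# Usage: curl -sD - -o /dev/null https://am.example.com/am/json/authenticate \
#            | sh cookie-check.sh iPlanetDirectoryPro
# (host and path are placeholders; SAMPLE_HEADERS below is constructed.)
set -eu

# cookie_attrs NAME: read HTTP headers on stdin and print the attributes of
# the Set-Cookie header for cookie NAME, lower-cased, one per line. Prints
# nothing if no such cookie is set. Header names match case-insensitively.
cookie_attrs() {
    tr -d '\r' | awk -v name="$1" '
        tolower($1) == "set-cookie:" {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)      # drop the "Set-Cookie:" prefix
            n = split(line, parts, /; */)        # name=value; attr; attr; ...
            split(parts[1], kv, "=")
            if (kv[1] == name)
                for (i = 2; i <= n; i++) print tolower(parts[i])
        }'
}

# cookie_is_secure NAME: succeed only if cookie NAME carries Secure.
cookie_is_secure() {
    cookie_attrs "$1" | grep -qx 'secure'
}

# Constructed sample: the session cookie is Secure, the second cookie is not.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: iPlanetDirectoryPro=AQIC5wExampleSessionToken; Path=/; Domain=example.com; Secure; HttpOnly
Set-Cookie: amlbcookie=01; Path=/; Domain=example.com
Content-Type: application/json'

case "${1:-}" in
    --sample)
        # Stand-alone demonstration on the constructed headers.
        for c in iPlanetDirectoryPro amlbcookie; do
            if printf '%s\n' "$SAMPLE_HEADERS" | cookie_is_secure "$c"; then
                echo "$c: Secure"
            else
                echo "$c: missing Secure attribute"
            fi
        done ;;
    '')
        ;;   # no argument: only define the functions
    *)
        if cookie_is_secure "$1"; then
            echo "$1: Secure"
        else
            echo "$1: missing Secure attribute" >&2
            exit 1
        fi ;;
esac
```

Run it with `--sample` to see both outcomes on the constructed headers, or pipe a real response into it with the cookie name as the argument; a non-zero exit means the attribute is absent, which is what you see while Secure Cookie is still at its default of Disabled.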

## Key store

The following properties are available under the Key Store tab:

* Keystore File

  The path to the AM keystore file, for example, `/path/to/am/security/keystores/keystore.jceks`.

  Default: `%BASE_DIR%/%SERVER_URI%/keystore.jceks`

  Property: `com.sun.identity.saml.xmlsig.keystore`

* Keystore Type

  The keystore type, for example `JKS` or `JCEKS`.

  This can be a custom keystore type, which must be supported by, and configured in, the local Java runtime environment.

  Default: `JCEKS`

  Property: `com.sun.identity.saml.xmlsig.storetype`

* Keystore Password File

  The path to the password file for the keystore, for example, `/path/to/am/security/secrets/default/.storepass`. The password contained in this file is in cleartext.

  Default: `%BASE_DIR%/%SERVER_URI%/.storepass`

  Property: `com.sun.identity.saml.xmlsig.storepass`

* Private Key Password File

  The path to the password file for the private key aliases contained in the keystore, for example, `/path/to/am/security/secrets/default/.keypass`. The password contained in this file is in cleartext.

  Default: `%BASE_DIR%/%SERVER_URI%/.keypass`

  Property: `com.sun.identity.saml.xmlsig.keypass`

* Certificate Alias

  Leave the default `test` alias.

  Property: `com.sun.identity.saml.xmlsig.certalias`

## Certificate revocation list caching

The following properties are available under the Certificate Revocation List Caching tab:

* LDAP server host name

  The hostname of the LDAP server where AM caches the certificate revocation list (CRL).

  Property: `com.sun.identity.crl.cache.directory.host`

* LDAP server port number

  The port number of the LDAP server where AM caches the certificate revocation list.

  Property: `com.sun.identity.crl.cache.directory.port`

* SSL/TLS Enabled

  When enabled, AM connects securely to the directory server holding the CRL cache. AM must trust the certificate from the LDAP server if you enable this option.

  Default: Disabled

  Property: `com.sun.identity.crl.cache.directory.ssl`

* mTLS Enabled

  When enabled, AM uses mutual TLS (mTLS) to authenticate to the DS server with trusted certificates.

  If you enable mTLS, you must also:

  * Set SSL/TLS Enabled.

  * Set the LDAP server port number property to the port on which the directory server accepts TLS connections.

  * Configure the DS server for mTLS.

    Learn more about configuring datastores for mTLS in [Secure authentication to datastores](../security/secure-data-stores.html).

  * Map the secret label `am.servers.crl.cache.directory.mtls.cert` to a certificate in the secret store.

    Learn more about configuring certificates and secret store mappings in [Secret stores](../security/secret-stores.html).

  If you enable mTLS, AM ignores the values of the LDAP server bind user name and LDAP server bind password properties.

  You must restart the server for changes to this setting to take effect.

  Default: Disabled

  Property: `com.sun.identity.crl.cache.directory.mtlsenabled`

* LDAP server bind user name

  The bind DN of the service account AM uses to authenticate to the LDAP server holding the CRL cache.

  Property: `com.sun.identity.crl.cache.directory.user`

* LDAP server bind password

  The bind password of the username set in the LDAP server bind user name property.

  Property: `com.sun.identity.crl.cache.directory.password`

* LDAP search base DN

  A valid Base DN for the LDAP search, such as `dc=example,dc=com`.

  Property: `com.sun.identity.crl.cache.directory.searchlocs`

* Search Attributes

  The DN component of the issuer's subject DN used to retrieve the CRL in the LDAP server, for example, `cn`.

  Property: `com.sun.identity.crl.cache.directory.searchattr`

## Online certificate status protocol check

The following properties are available under the Online Certificate Status Protocol Check tab:

* Check Enabled

  When enabled, AM checks the revocation status of certificates using the Online Certificate Status Protocol (OCSP).

  Default: Disabled

  Property: `com.sun.identity.authentication.ocspCheck`

* Responder URL

  The URL for the OCSP responder to contact about the revocation status of certificates.

  Property: `com.sun.identity.authentication.ocsp.responder.url`

* Certificate Nickname

  The nickname for the OCSP responder certificate set in the Responder URL property.

  Property: `com.sun.identity.authentication.ocsp.responder.nickname`

## Object deserialisation class allowlist

* Whitelist

  A comma-separated list of the classes AM accepts when it deserializes Java objects. Classes not on the list are rejected.

  Default: `com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction, com.sun.identity.common.CaseInsensitiveHashMap, com.sun.identity.common.CaseInsensitiveHashSet, com.sun.identity.common.CaseInsensitiveKey, com.sun.identity.common.configuration.ServerConfigXML, com.sun.identity.common.configuration.ServerConfigXML$DirUserObject, com.sun.identity.common.configuration.ServerConfigXML$ServerGroup, com.sun.identity.common.configuration.ServerConfigXML$ServerObject, com.sun.identity.console.base.model.SMSubConfig, com.sun.identity.console.service.model.SMDescriptionData, com.sun.identity.console.service.model.SMDiscoEntryData, com.sun.identity.console.session.model.SMSessionData, com.sun.identity.console.user.model.UMUserPasswordResetOptionsData, com.sun.identity.shared.datastruct.OrderedSet, com.sun.xml.bind.util.ListImpl, com.sun.xml.bind.util.ProxyListImpl, java.lang.Boolean, java.lang.Integer, java.lang.Number, java.lang.StringBuffer, java.net.InetAddress, java.security.cert.Certificate, java.security.cert.Certificate$CertificateRep, java.util.ArrayList, java.util.Collections$EmptyMap, java.util.Collections$EmptySet, java.util.Collections$SingletonList, java.util.HashMap, java.util.HashSet, java.util.LinkedHashSet, java.util.Locale, org.forgerock.openam.authentication.service.protocol.RemoteCookie, org.forgerock.openam.authentication.service.protocol.RemoteHttpServletRequest, org.forgerock.openam.authentication.service.protocol.RemoteHttpServletResponse, org.forgerock.openam.authentication.service.protocol.RemoteServletRequest, org.forgerock.openam.authentication.service.protocol.RemoteServletResponse, org.forgerock.openam.authentication.service.protocol.RemoteSession, org.forgerock.openam.dpro.session.NoOpTokenRestriction`

  Property: `openam.deserialisation.classes.whitelist`
