Global Security Panel
Required panel.
################################################################
Global Security Panel
################################################################
enabled=true
enforceJava2Security=false
useDomainQualifiedUserNames=false
cacheTimeout=600
ltpaTimeOut=720
issuePermissionWarning=true
activeProtocol=CSI
useFIPS=false
activeAuthMechanism=LTPA
activeUserRegistry=LDAP LocalOS WIM Custom CustomLAM <repository_id>:
<repository_base_name>
Note to users of previous versions of HCL Workload Automation: Nearly all of the properties are unchanged with respect to previous HCL Workload Automation releases.
The following property is new:
- enabled=true|false
- Specifies if application security is enabled (true) or not (false). The default is "true".
- enforceJava2Security=false
- Specify if Java™ 2 security is enabled (true). HCL Workload Automation does not support Java 2 security so this must be set to false (the default).
- useDomainQualifiedUserNames=true|false
- Specify if domain-qualified (realm-qualified) user names are to be used (true). If this is set to true, all user names in the Security file must be qualified with their domains. The default is false. Changing this value while using HCL Workload Automation could endanger your access to the product; if you need to do so discuss the best method with HCL Software Support.
- cacheTimeout=<seconds>
- Specifies the timeout value in seconds for the security cache. The security cache timeout can influence performance. The timeout setting specifies how often to refresh the security-related caches. Security information pertaining to beans, permissions, and credentials is cached. When the cache timeout expires, all cached information becomes invalid. Subsequent requests for the information result in a database lookup. Sometimes, acquiring the information requires invoking a Lightweight Directory Access Protocol (LDAP)-bind or native authentication. Both invocations are relatively costly operations for performance. Determine the best trade off for the application, by looking at usage patterns and security needs for the site. The default security cache timeout value is 600 seconds. If you have a small number of users, it should be set higher than that, or if a large number of users, it should be set lower.
- ltpaTimeout=<seconds>
- Specifies the cache timeout for the LTPA data. The LTPA timeout value should not be set lower than the security cache timeout. The default is 720 seconds.
- issuePermissionWarning=true
- Specifies that during application deployment and application start, the security run time issues a warning if applications are granted any custom permissions (true). Custom permissions are permissions that are defined by the user applications, not Java API permissions. Java API permissions are permissions in the java.* and javax.* packages. For HCL Workload Automation leave the setting as "true".
- activeProtocol=CSI
- Specifies the active authentication protocol for Remote Method Invocation over the Internet Inter-ORB Protocol (RMI IIOP) requests, when security is enabled. For HCL Workload Automation leave the setting as "CSI".
- useFIPS=true|false
- Specify if the HCL Workload Automation network is FIPS compliant (true) and thus uses GSKit, for SSL or is not FIPS compliant (false), and uses OpenSSL. The default is false. See FIPS compliance for more details.
- activeAuthMechanism=LTPA
- Specifies the active authentication mechanism. For HCL Workload Automation leave the setting as "LTPA".
- activeUserRegistry=<space_separated_list>
- Specifies a list of space-separated entries that identify the
registries to enable. All the entries listed here will be enabled
together in the VMM Federated User Registry.
Allowed values are:
- LocalOS
- Custom (on UNIX and Linux operating systems), CustomPAM (on AIX® operating systems)
- CustomLAM
- LDAP
- WIM
- <REPOSITORY_ID>:<REPOSITORY_REALM_BASENAME>
Use this if you have configured another repository using Integrated Solutions Console or any other mechanism other than the HCL Workload Automation WebSphere Application Server tools, and you want to enable such a repository either on its own or together with the default registries indicated above.
For example, if you have created a repository with id "BluePages" and with a realm base name of "ibm.com®", you must specify:activeUserRegistry=BluePages:o=ibm.com <other_repository_ids>
Note: On AIX, the CustomPAM authentication system is mutually exclusive with both the CustomLAM and LocalOS values.