Security Guide : Security Properties for Java

Security Properties for Java
 
This property controls whether the transport connection is encrypted or not. If set to true, transport messages are encrypted. If set to false they are in the clear.
This property together with the secureTransport property controls the default QoP on the client-side. If both set to true then transport QoP is set to SECURE_ONLY, which means the client will only accept secure transport. If either of them is set to false then Client does not mandate security at the transport layer.
This property is used on the server side to define server transport QoP. Acceptable values are CLEAR_ONLY, SECURE_ONLY or ALL. This allows the client that needs either CLEAR_ONLY or SECURE_ONLY to be able to connect to a server. This property will take effect only when property secureTransport is true.
Set this to true if the server requires the client to send a Username/Password for authentication (regardless of certificate-based authentication). This is a server-side property.
If set to true, disables all security services.
This property is used to select a security transport protocol. Possible values are SSL, SSLv2, SSLv3, TLS and TLSv1. For information on these protocols, see the Sun Microsystems documentation at: http://java.sun.com/products/jsse/doc/guide/API_users_guide.html#SSC.
Note: This property is deprecated. See “Authentication” for recommended methods of specifying authentication.
Server-side only property. This back-compatible property is used for supporting PasswordBackEnd style authentication. When set to true, the program will try to construct the specified PasswordBackEnd for authenticating.
CmdLineCallbackHandler has password echo on, while HostCallbackHandler has password echo off.
If set to true, at initialization-time this property tries to login to all the realms listed by property vbroker.security.login.realms.
When set to true the security service will attempt to reacquire authentication information using the CallbackHandler. This property require the callback handler to be set either using the appropriate property or at runtime by calling the appropriate method.
When set to true, the security service behaves as follows: If the security service cannot find an identity for any of the targets supported by a server it is attempting to communicate with, it will then attempt to acquire credentials for one of the targets in the target object's IOR. If a corresponding authentication realm is available for this target (that the user chooses to provide credentials for), then authentication is also attempted locally.
When set to true, enables dynamic loading of the RoleDB file specified in vbroker.security.domain.<domain_name>.rolemap_path property. The interval of dynamic loading is specified by property vbroker.security.domain.<domain_name>.rolemap_refreshTimeInSeconds.
Specifies the name of the run-as role. The value can be either use-caller-identity to have the caller principal be in the run-as role, or specify an alias for a run-as principal for the run-as role name.
Specifies whether to grant or deny access to the domain by default in the absence of security roles for the provided domain. Acceptable values are grant or deny.
Note that the REQUEST and REQUEST_AND_TRUST modes cannot receive peer certificate chains due to JSSE restrictions.
Specifies a path to the directory containing trusted certificates and CRLs or to a trusted Keystore whose values are implementations of TrustedCertificateEntry. Default values are either a directory, given in the format Directory:<path_to_certs> or a Keystore, given in the format Keystore:<path_to_keystore>.
If set to true, the JSSE default trust files like cacerts and jssecacerts, if present in JRE, will be used to load trusted certificates.
This property is used to specify a list of trusted roles (specified with the format <role>@<authorization_domain>). <n> is a uniquely identified for each trust assertion rule as a list of digits.
For example, setting vbroker.security.assertions.trust.1=ServerAdmin@default means this process trusts any assertion made by the ServerAdmin role in the default authorization domain.
Setting to true will trust all the assertion made by peers.
Set this to true for enabling Server Manager operations on a Secure Server.
Points to a security domain listed in vbroker.security.authDomains. The specified domain is used for the Server Manager's role-based access control checks. A rolemap must be specified for the domain.
Use to point to a directory within the path defined in vbroker.security.wallet.type that contains keys and/or certificate information for a specific identity. Note that the value of this property must consist only of lower-case letters.
where xyz can be any string.
vbroker.security.trustProvider.xyz.provider=<FQCN of the trustprovider class impl>
The default value is true. When set to true, it will set the corresponding bit in the component. When set to false, it will reset it.
If set to true, the client will add support for NoDelegate in TAG_SSL_SEC_TRANS tag.
The default depends on the JDK vendor. If running on IBM JVM, the default protocol is SSL_TLS. On other JVMs, default protocol is JDK-version dependent.
The default depends on the JDK vendor. If running on IBM JVM, the default protocol is SSL_TLS. On other JVMs, like SUN, default protocol is JDK-version dependent.
A server side property. Set to true to have the server require certificates from the client. These certificates must also be trusted by the server by setting the appropriate server-side trust properties. For more information, see the vbroker.security.trustpointsRepository property and the vbroker.security.defaultJSSETrust property.
If this property is set to the default false, the CSS will simply propagate the exception received. If this property is set to true, the CSS throws a BAD_PARAM exception instead, stating that the SAS Context is missing.
SSL Server Connection Manager properties
The following table lists the SSL Server Connection Manager (SCM) properties.
In this table, possible values for <se_name> are:
Specifies whether tcp_nodelay should be set on the socket.