You can customize the security settings as required.
Properties that are highlighted as cross-tenant properties can only be changed using the ARIS Cloud Controller (ACC) Command-line Tool. To change such a setting, enter the following (the size suffix is that of your installation):
reconfigure umcadmin_<size of your installation, s, m, or l> JAVA-D<property name>="<value>"
Example
reconfigure umcadmin_m JAVA-Dcom.aris.umc.loadbalancer.url="https://myserver.com"
Account lockout
| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.authentication.lock.enabled | Lock users after failed login attempts. Specifies whether a user login is temporarily locked when a user causes too many failed logins. The default value is false. | true, false | |
| com.aris.umc.authentication.lock.counter.limit | Attempt limit. Specifies the number of failed login attempts that are allowed before the user login is locked. | Integer > 0 | |
| com.aris.umc.authentication.lock.ttl | Lockout duration (in seconds). Specifies how long a user login is temporarily locked when a user causes too many failed logins. This is defined in seconds. | Integer > 0 | |
| com.aris.umc.authentication.lock.counter.ttl | Lock counter duration (in seconds). Time that must elapse before the number of failed login attempts is reset. This is defined in seconds. | Integer > 0 | |
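The four lockout properties only make sense together: counter.limit says how many failures are tolerated, counter.ttl says how long those failures are remembered, and lock.ttl says how long the resulting lock lasts. The following model is an added example (not ARIS code) that implements that interaction with the property names from the table; the class and method names are hypothetical, and two details the page does not spell out are marked as assumptions in the comments: the failure window is measured from the first failure in it, and the lock is applied when the count reaches the limit.

```python
"""Model of the account-lockout properties above (added example, not ARIS code).

The caller passes the current time in Unix seconds, so the behaviour can be
exercised deterministically without sleeping.
"""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    lock_enabled: bool   # com.aris.umc.authentication.lock.enabled
    counter_limit: int   # com.aris.umc.authentication.lock.counter.limit
    lock_ttl: int        # com.aris.umc.authentication.lock.ttl (seconds)
    counter_ttl: int     # com.aris.umc.authentication.lock.counter.ttl (seconds)


@dataclass
class _UserState:
    failures: int = 0
    window_start: float = 0.0   # time of the first failure in the current window
    locked_until: float = 0.0   # 0 means not locked


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        if policy.counter_limit <= 0 or policy.lock_ttl <= 0 or policy.counter_ttl <= 0:
            raise ValueError("limit and both TTLs must be integers > 0")
        self.policy = policy
        self._state: dict[str, _UserState] = {}

    def _get(self, user: str) -> _UserState:
        return self._state.setdefault(user, _UserState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._get(user).locked_until > now

    def lock_remaining(self, user: str, now: float) -> float:
        """Seconds of lock.ttl still to elapse (0 when not locked)."""
        return max(0.0, self._get(user).locked_until - now)

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if the account is locked afterwards."""
        p, s = self.policy, self._get(user)
        if not p.lock_enabled:
            return False                      # lock.enabled=false: never lock
        if self.is_locked(user, now):
            return True                       # failures during a lock are not counted
        # counter.ttl: a new window starts once the old one has expired.
        # Assumption: the window is measured from the first failure in it.
        if s.failures == 0 or now - s.window_start >= p.counter_ttl:
            s.failures = 0
            s.window_start = now
        s.failures += 1
        # Assumption: the lock applies when the count reaches counter.limit.
        if s.failures >= p.counter_limit:
            s.locked_until = now + p.lock_ttl   # lock.ttl: fixed lock duration
            s.failures = 0                      # next window starts fresh
            return True
        return False

    def record_success(self, user: str) -> None:
        """Assumption (not stated on the page): a successful login resets the counter."""
        self._state[user] = _UserState()
```

A practical check this model makes visible: if counter.ttl is shorter than the time an attacker needs for counter.limit guesses, the lock never triggers, so counter.ttl should be generous relative to the minimum authentication delay.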
User sessions
| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.session.renewal.cache.size | Session cache size. Specifies how many session IDs are saved in the session renewal cache. When the cache is full, the least recently used sessions are removed. Cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual. | Integer > 0 | |
| com.aris.umc.session.renewal.cache.ttl | Session cache lifetime (in seconds). Specifies the maximum duration in seconds that a renewed session remains in the session renewal cache. A session can be renewed at the earliest after this period of time. Cross-tenant property that can only be changed using ARIS Cloud Controller. For more information, refer to the ARIS Cloud Controller (ACC) Command-line Tool manual. | Integer > 0 | |
| com.aris.umc.session.identifier.generator | Session ID generator. Specifies the random number generator used for generating session IDs. | String | |
| com.aris.umc.session.identifier.length.min | Minimum length of session ID (in bytes). Specifies the minimum length of a session ID in bytes. For security reasons this value should not be less than 32. | Integer > 0 | |
| com.aris.umc.session.identifier.length.max | Maximum length of session ID (in bytes). Specifies the maximum length of a session ID in bytes. | Integer > 0 | |
| com.aris.umc.session.concurrent.max | Maximum concurrent sessions. Specifies the maximum number of concurrent sessions that can be active for a single user. This does not apply to the arisservice and superuser users. | Integer > 0 | |
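The renewal cache and the concurrent-session limit interact in a way the table only implies: the cache throttles how often a session may be renewed, but because it is a bounded LRU structure, a cache that is too small for the number of live sessions evicts entries before their TTL expires and the throttle is silently lost. The following is an added example (not ARIS code) that models both properties with the names from the table; class and method names are hypothetical, and what happens when a user hits concurrent.max (refuse the new session versus evict the oldest) is not stated on the page, so refusing is an assumption.

```python
"""Model of the session renewal cache and concurrent-session limit above
(added example, not ARIS code). Times are Unix seconds supplied by the caller."""
from collections import OrderedDict


class SessionRenewalCache:
    """LRU cache keyed by session ID, bounded by
    com.aris.umc.session.renewal.cache.size and
    com.aris.umc.session.renewal.cache.ttl (seconds)."""

    def __init__(self, size: int, ttl: int) -> None:
        if size <= 0 or ttl <= 0:
            raise ValueError("size and ttl must be integers > 0")
        self.size, self.ttl = size, ttl
        self._entries: "OrderedDict[str, float]" = OrderedDict()  # id -> last renewal time

    def try_renew(self, session_id: str, now: float) -> bool:
        """Return True and record the renewal if the session may be renewed now.
        A session renewed less than ttl seconds ago is refused."""
        last = self._entries.get(session_id)
        if last is not None and now - last < self.ttl:
            self._entries.move_to_end(session_id)     # touched: stays recently used
            return False
        self._entries[session_id] = now
        self._entries.move_to_end(session_id)
        while len(self._entries) > self.size:
            self._entries.popitem(last=False)         # evict least recently used
        return True

    def __contains__(self, session_id: str) -> bool:
        return session_id in self._entries


class SessionRegistry:
    """Enforces com.aris.umc.session.concurrent.max per user. The page states
    that the limit does not apply to the arisservice and superuser users."""

    EXEMPT = frozenset({"arisservice", "superuser"})

    def __init__(self, concurrent_max: int) -> None:
        if concurrent_max <= 0:
            raise ValueError("concurrent_max must be an integer > 0")
        self.concurrent_max = concurrent_max
        self._active: dict[str, set[str]] = {}

    def open_session(self, user: str, session_id: str) -> bool:
        """Assumption: a login beyond the limit is refused rather than evicting
        an older session."""
        sessions = self._active.setdefault(user, set())
        if user not in self.EXEMPT and len(sessions) >= self.concurrent_max:
            return False
        sessions.add(session_id)
        return True

    def close_session(self, user: str, session_id: str) -> None:
        self._active.get(user, set()).discard(session_id)

    def active_count(self, user: str) -> int:
        return len(self._active.get(user, ()))
```

When sizing renewal.cache.size, count the sessions that can be live within one renewal.cache.ttl window across all tenants (it is a cross-tenant property), not just one tenant's peak.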
Multi-factor authentication
| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.authentication.multiFactor.active | Use multi-factor authentication. Specifies whether multi-factor authentication is required. The default value is false. You can use multi-factor authentication only in API Portal and ARIS Advanced. | true, false | |
| com.aris.umc.authentication.multiFactor.clockSkew | Clock skew intervals. Specifies the clock skew as a number of time-step intervals, not as a duration in milliseconds. One-time passwords (OTPs) that fall within the range [currentTimeStep - clock_skew, currentTimeStep + clock_skew] are accepted. You can use multi-factor authentication only in API Portal and ARIS Advanced. | Integer > 0 | |
| com.aris.umc.authentication.multiFactor.excludedUsers | Excluded users. Specifies a comma-separated list of users for whom multi-factor authentication is not required. You can use multi-factor authentication only in API Portal and ARIS Advanced. | String | |
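Because clockSkew is counted in time steps, the accepted window widens by a full step on each side for every increment, and every extra step is one more code an attacker can guess or replay. The following added example (not ARIS code) implements RFC 6238 TOTP over RFC 4226 HOTP with the usual authenticator defaults (HMAC-SHA1, 30-second step, 6 digits; whether ARIS uses exactly these parameters is an assumption) and a verifier that applies the [currentTimeStep - clock_skew, currentTimeStep + clock_skew] rule from the table. It also checks the excludedUsers list; trimming whitespace around names is an assumption. The replay check on the last accepted step is a standard precaution that any skew > 0 needs and is not described on the page.

```python
"""TOTP verification with a clock-skew window (added example, not ARIS code)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def accepted_window_seconds(clock_skew: int) -> int:
    """Wall-clock span covered by a skew of clock_skew steps on each side."""
    return (2 * clock_skew + 1) * STEP_SECONDS


def verify_totp(secret: bytes, candidate: str, unix_time: int, clock_skew: int,
                last_accepted_step: "int | None" = None, digits: int = 6) -> "int | None":
    """Return the time step that `candidate` matched within
    [current - clock_skew, current + clock_skew], or None if it matched nothing.
    A step not later than last_accepted_step is rejected so the same OTP
    cannot be replayed within the window; the caller stores the returned step."""
    if clock_skew < 0:
        raise ValueError("clock_skew must be >= 0")
    current = unix_time // STEP_SECONDS
    for step in range(current - clock_skew, current + clock_skew + 1):
        if hmac.compare_digest(hotp(secret, step, digits), candidate):
            if last_accepted_step is not None and step <= last_accepted_step:
                return None                       # replay of an already used step
            return step
    return None


def mfa_required(user: str, active: bool, excluded_users: str) -> bool:
    """multiFactor.active and the comma-separated multiFactor.excludedUsers list.
    Assumption: surrounding whitespace in the list is ignored."""
    if not active:
        return False
    excluded = {name.strip() for name in excluded_users.split(",") if name.strip()}
    return user not in excluded
```

The RFC 6238 test vectors (seed "12345678901234567890", 8 digits) reproduce with this code, which is the quickest way to confirm a verifier before trusting it with a skew window.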
Advanced settings
| Key | Description | Valid input | Example |
|---|---|---|---|
| com.aris.umc.audit.enabled | Generate user statistics. Enables the generation of user statistics. The default value is false. If you specify this as true, the following properties for distinct user statistics are enabled as default: | true, false | false |
| com.aris.umc.audit.log.auth.enabled | Log authentication. Enables authentication logging. The default value is true, but this property is only effective when Generate user statistics is specified as true. The following user statistics are logged and can be exported: | true, false | true |
| com.aris.umc.audit.log.conf.enabled | Log changes to configuration. Enables logging of changes to the configuration. The default value is true. The following user statistics are logged and can be exported: | true, false | true |
| com.aris.umc.audit.log.license.privilege.enabled | Log changes to licenses/privileges. Enables logging of changes to licenses or privileges. The default value is true. The following user statistics are logged and can be exported: | true, false | true |
| com.aris.umc.audit.log.user.group.enabled | Log changes to users/user groups. Enables logging of changes to users or user groups. The default value is true. The following user statistics are logged and can be exported: | true, false | true |
| com.aris.umc.authentication.sso.only | Force SSO. Specifies that only an SSO login is allowed. The default value is false. | true, false | false |
| com.aris.umc.authentication.sso.for.downloadclient.only | Force SSO for ARIS Download Client. If this option is enabled, a user must be logged in to the portal to be able to start ARIS Download Client. The default value is false. | true, false | false |
| com.aris.umc.authentication.delay.min | Minimum authentication delay (in milliseconds). Specifies the minimum delay that is added at each login. This is defined in milliseconds. | Integer > 0 | |
| com.aris.umc.authentication.delay.max | Maximum authentication delay (in milliseconds). Specifies the maximum delay that is added at each login. This is defined in milliseconds. | Integer > 0 | |
| com.aris.umc.otp.active | Use OTPs. Specifies whether or not the generation of one-time passwords (OTPs) is allowed. | true, false | |
| com.aris.umc.otp.ttl | Lifetime (in seconds). Specifies the lifetime of a one-time password (OTP) in seconds. Passwords become invalid after this time period at the latest. | | |
| com.aris.umc.license.distribution.handling | License pools at user group level. Specifies that license pools are assigned at the user group level. If this option is enabled, licenses must not be assigned to users directly, but only via user groups. | true, false | false |
| com.aris.ums.user.statistics.backup | User statistics in backup. Specifies that the user statistics are part of the backup. The default value is false. | true, false | false |