Integration Server Administrator's Guide : Server Configuration Parameters : watt.security.
watt.security.
watt.security.cert.wmChainVerifier. enforceExtensionsChecks
Specifies whether Integration Server is to validate (true) or not validate (false) certificate extensions, if any, when the server performs certificate verification. The default is false.
watt.security.cert.wmChainVerifier.trustByDefault
In cases where no directory or a directory containing no certificates is specified for the Trusted Certificates directory, specifies whether the server is to trust:
*Certificates presented by peer servers (in response to this server's outbound request)
*S/MIME signatures
Specifies whether the server is to trust (true) or not trust (false) certificates and S/MIME signatures in this situation. The default is true. For improved security, Software AG recommends that you set this parameter to false and specify a Trusted Certificates directory.
watt.security.decrypt.keyAlias
Specifies the alias of the default private key Integration Server uses for decryption.
watt.security.decrypt.keyStoreAlias
Specifies the alias of the keystore containing the default private key Integration Server uses for decryption.
watt.security.fips.mode
Specifies whether the server is to support FIPS (Federal Information Processing Standards). The default is false. If this parameter is set to true, the server initializes FIPS as part of server startup. If FIPS initialization fails, the error is logged to server.log and the server shuts down.
watt.security.KeystoreAndTruststore.defaultAliasCreated
This is an internal parameter. Do not modify.
watt.security.keyStore.supportedTypes
Specifies the keystore types supported by Integration Server. Each supported type is separated by a comma. The default values are JKS and PKCS12.
To specify additional keystore types for Integration Server, you need to do the following:
1. Add the new keystore type to the list of values for this property.
2. Add the keystore provider, using one of the following methods:
a. Using the "Add Security Provider" link in Integration Server Administrator.
b. Modifying the "java.security" file of the JVM (you must use this method for a PKCS11-type keystore).
Note:  
Software AG does not guarantee the behavior of additional keystore types, and does not provide support for them.
watt.security.ope.AllowInternalPasswordAccess
Specifies whether the built-in services supporting OPE (outbound password encryption) for flow services may access the Integration Server's internal passwords. If this parameter is set to true, the OPE services may access the internal passwords. If it is set to false, the OPE services are not allowed access to the internal passwords. By default, this parameter is set to false.
Internal passwords are passwords for use by the Integration Server itself to access secure resources (e.g., remote Integration Servers, JDBC connection pools, LDAP servers, etc.). Internal passwords are managed using the Integration Server Administrator and are stored in the outbound password store. Flow services are also allowed to store passwords in the outbound password store. However, by default, passwords stored by a flow service are considered public, as opposed to internal. This distinction allows flow services to use the outbound password store as a secure mechanism for storing and retrieving passwords, but protects the Integration Server's internal passwords.
You can allow flow services to access internal passwords (i.e., store, retrieve, and modify) by setting watt.security.ope.AllowInternalPasswordAccess to true. However, this should be done only if you explicitly wish to have a flow service work with internal passwords. Otherwise, it is recommended you deny access to internal passwords by setting watt.security.ope.AllowInternalPasswordAccess to false.
watt.security.openid.logExceptions
Specifies whether Integration Server writes OpenID errors to the error log. When the OpenID authentication process encounters errors, Integration Server returns error and error_description variables in the body of the HTTP response. When watt.security.openid.logExceptions is true, the default, Integration Server throws an exception from the redirection endpoint service, causing the error to be written to the error log. To stop Integration Server from writing OpenID errors to the error log, set watt.security.openid.logExceptions to false.
watt.security.pub.getFile.checkReadAllowed
Specifies whether the pub.file:getFile service is to check the allowedReadPaths property in the fileAccessControl.cnf file to determine if the requested file can be retrieved from the file system. The allowedReadPaths property contains a list of directories to which the services in the pub.file folder have read permission.
When watt.security.pub.getFile.checkReadAllowed is set to true, the pub.file:getFile service checks the allowedReadPaths property in the fileAccessControl.cnf file. If the requested file or file directory is listed, the pub.file:getFile service returns its contents to the pipeline.
If watt.security.pub.getFile.checkReadAllowed is set to true and the file or file directory is not listed in the allowedReadPaths property, the pub.file:getFile service throws an exception.
When watt.security.pub.getFile.checkReadAllowed is set to false, the pub.file:getFile service retrieves the specified file from the local file system without checking the fileAccessControl.cnf file.
Changes to this property take effect immediately. However, if you modify the fileAccessControl.cnf file, the WmPublic package must be reloaded before the changes take effect.
For more information about the pub.file:getFile service and configuring the fileAccessControl.cnf file, see webMethods Integration Server Built-In Services Reference.
watt.security.session.forceReauthOnExpiration
Specifies whether Integration Server accepts or rejects a request that includes an expired or invalid session. When set to true, Integration Server rejects any request that includes a cookie identifying an expired or invalid session, even if the request includes valid user credentials. The rejection response directs the browser to clear its session identifier and to prompt the user for credentials. When set to false, Integration Server creates a new session using the credentials in the cookie. The default value is true. A value of true offers more secure behavior.
watt.security.sign.keyAlias
Specifies the alias of the default private key Integration Server uses to digitally sign documents.
watt.security.sign.keyStoreAlias
Specifies the alias of the keystore containing the default private key Integration Server uses to digitally sign documents.
watt.security.ssl.cacheClientSessions
Controls whether Integration Server reuses previous SSL session information (for example, client certificates) for connections to the same client. When this property is set to true, Integration Server caches and reuses SSL session information. For example, set this property to true when there are repeated HTTPS requests from the same client. If set to false (the default), Integration Server does not cache the sessions and creates a new session for every SSL handshake.
Note:  
Setting the property to false might decrease performance.
watt.security.ssl.cachedClientSessions.sweeperInterval
Specifies, in milliseconds, how often Integration Server checks for and removes expired SSL client sessions from its session cache. The default value is 600000 milliseconds (10 minutes).
watt.security.ssl.client.ignoreEmptyAuthoritiesList
Specifies whether an Integration Server client will send its CA certificate when it receives an empty list of trusted authorities from the SSL server. If set to true, the Integration Server client accepts empty trusted authorities lists from the SSL server and returns its CA certificate. If set to false, the client requires that the trusted authorities list contains a trusted authority before sending its CA certificate. The default is false.
watt.security.ssl.ignoreExpiredChains
Specifies whether the Integration Server ignores expired CA certificates in a certificate chain it receives from an Internet resource (i.e., a web server, another Integration Server). To have the Integration Server ignore expired CA certificates and allow SSL connections when a certificate is expired, set the watt.security.ssl.ignoreExpiredChains setting to true. Note that this is less secure than denying connections when a certificate is expired. The default is false. For more information about this setting, see Integration Server as an SSL Server.
watt.security.ssl.keyAlias
Specifies the alias of the Integration Server default SSL private key.
watt.security.ssl.keypurposeverification
When Integration Server is acting as an HTTPS client, this parameter specifies whether the server should restrict outbound HTTPS connections only when a valid Extended Key Purpose field is present in the server's certificate. The content of the Key Purpose field, id-kp-serverAuth, should be in the IETF-mandated format, TLS WWW server authentication for the verification to pass. Refer to the section titled Extended Key Usage, in the document http://www.ietf.org/rfc/rfc3280.txt for more information regarding this format.
Three values are allowed for this watt property - true, false and log.
*When set to true, it will verify the presence of the key purpose field in the server's certificate. If the key purpose verification fails, an error is logged and the connection is aborted. If the verification succeeds, no error is logged.
*When set to false, it will bypass the verification of the key purpose field. The default is false.
*When set to log, it will log a debug message in the server log if the key purpose field verification fails.watt.security.ssl.keyStoreAlias Specifies the alias of the Integration Server default SSL keystore.
watt.security.ssl.keyStoreAlias
Specifies the alias of the Integration Server default SSL keystore.
watt.security.trustStoreAlias
Specifies the alias for the truststore that Integration Server uses as the default truststore.
When Integration Server is acting as a server, it uses the default truststore to verify the trust relation when no truststore is provided. For example, Integration Server uses the default truststore when no truststore is provided for HTTPS/FTPS ports or for web service security when there is no truststore at the provider web service endpoints alias.
When Integration Server is acting as a client, most of the components in Integration Serverr (for example, HTTPS, FTPS, remote server alias) always use the default truststore to verity the trust relation with the server. However, for web service security, Integration Server only uses the default truststore when the user does not provide a truststore in the consumer endpoint alias.
watt.security.trustStore.supportedTypes
Specifies the truststore types supported by Integration Server. Each supported type is separated by a comma. The default value is JKS.
To specify additional truststore types for Integration Server, you need to do the following:
1. Add the new truststore type to the list of values for this property.
2. Add the truststore provider, using one of the following methods:
a. Using the "Add Security Provider" link in Integration Server Administrator.
b. Modifying the "java.security" file of the JVM.
Note:  
Software AG does not guarantee the behavior of additional truststore types, and does not provide support for them.
Copyright © 2015- 2017 Software AG, Darmstadt, Germany. (Innovation Release)

Product LogoContact Support   |   Community   |   Feedback