Specifies whether Integration Server is to validate (true) or not validate (false) certificate extensions, if any, when the server performs certificate verification. The default is false.

In cases where no directory or a directory containing no certificates is specified for the Trusted Certificates directory, specifies whether the server is to trust:

Specifies whether the server is to trust (true) or not trust (false) certificates and S/MIME signatures in this situation. The default is true. For improved security, Software AG recommends that you set this parameter to false and specify a Trusted Certificates directory.

Specifies the alias of the default private key Integration Server uses for decryption.

Specifies the alias of the keystore containing the default private key Integration Server uses for decryption.

Specifies whether the server is to support FIPS (Federal Information Processing Standards). The default is false. If this parameter is set to true, the server initializes FIPS as part of server startup. If FIPS initialization fails, the error is logged to server.log and the server shuts down.

This is an internal parameter. Do not modify.

Specifies the keystore types supported by Integration Server. Each supported type is separated by a comma. The default values are JKS and PKCS12.

To specify additional keystore types for Integration Server, you need to do the following:

Specifies whether the built-in services supporting OPE (outbound password encryption) for flow services may access the Integration Server's internal passwords. If this parameter is set to true, the OPE services may access the internal passwords. If it is set to false, the OPE services are not allowed access to the internal passwords. By default, this parameter is set to false.

Internal passwords are passwords for use by the Integration Server itself to access secure resources (e.g., remote Integration Servers, JDBC connection pools, LDAP servers, etc.). Internal passwords are managed using the Integration Server Administrator and are stored in the outbound password store. Flow services are also allowed to store passwords in the outbound password store. However, by default, passwords stored by a flow service are considered public, as opposed to internal. This distinction allows flow services to use the outbound password store as a secure mechanism for storing and retrieving passwords, but protects the Integration Server's internal passwords.

You can allow flow services to access internal passwords (i.e., store, retrieve, and modify) by setting watt.security.ope.AllowInternalPasswordAccess to true. However, this should be done only if you explicitly wish to have a flow service work with internal passwords. Otherwise, it is recommended you deny access to internal passwords by setting watt.security.ope.AllowInternalPasswordAccess to false.

Specifies whether Integration Server writes OpenID errors to the error log. When the OpenID authentication process encounters errors, Integration Server returns error and error_description variables in the body of the HTTP response. When watt.security.openid.logExceptions is true, the default, Integration Server throws an exception from the redirection endpoint service, causing the error to be written to the error log. To stop Integration Server from writing OpenID errors to the error log, set watt.security.openid.logExceptions to false.

Specifies whether the pub.file:getFile service is to check the allowedReadPaths property in the fileAccessControl.cnf file to determine if the requested file can be retrieved from the file system. The allowedReadPaths property contains a list of directories to which the services in the pub.file folder have read permission.

When watt.security.pub.getFile.checkReadAllowed is set to true, the pub.file:getFile service checks the allowedReadPaths property in the fileAccessControl.cnf file. If the requested file or file directory is listed, the pub.file:getFile service returns its contents to the pipeline.

If watt.security.pub.getFile.checkReadAllowed is set to true and the file or file directory is not listed in the allowedReadPaths property, the pub.file:getFile service throws an exception.

When watt.security.pub.getFile.checkReadAllowed is set to false, the pub.file:getFile service retrieves the specified file from the local file system without checking the fileAccessControl.cnf file.

Changes to this property take effect immediately. However, if you modify the fileAccessControl.cnf file, the WmPublic package must be reloaded before the changes take effect.

For more information about the pub.file:getFile service and configuring the fileAccessControl.cnf file, see webMethods Integration Server Built-In Services Reference.

Specifies whether Integration Server accepts or rejects a request that includes an expired or invalid session. When set to true, Integration Server rejects any request that includes a cookie identifying an expired or invalid session, even if the request includes valid user credentials. The rejection response directs the browser to clear its session identifier and to prompt the user for credentials. When set to false, Integration Server creates a new session using the credentials in the cookie. The default value is true. A value of true offers more secure behavior.

Specifies the alias of the default private key Integration Server uses to digitally sign documents.

Specifies the alias of the keystore containing the default private key Integration Server uses to digitally sign documents.

Controls whether Integration Server reuses previous SSL session information (for example, client certificates) for connections to the same client. When this property is set to true, Integration Server caches and reuses SSL session information. For example, set this property to true when there are repeated HTTPS requests from the same client. If set to false (the default), Integration Server does not cache the sessions and creates a new session for every SSL handshake.

Specifies, in milliseconds, how often Integration Server checks for and removes expired SSL client sessions from its session cache. The default value is 600000 milliseconds (10 minutes).

Specifies whether an Integration Server acting as a client sends its certificate chain after a remote SSL server returns an empty list of trusted authorities. When set to true, Integration Server disregards the empty trusted authorities list and sends its chain anyway. When set to false, before sending out its certificate chain, Integration Server requires the presentation of trusted authorities list that proves itself trusted. The default is false.

Specifies whether the Integration Server ignores expired CA certificates in a certificate chain it receives from an Internet resource (i.e., a web server, another Integration Server). To have the Integration Server ignore expired CA certificates and allow SSL connections when a certificate is expired, set the watt.security.ssl.ignoreExpiredChains setting to true. Note that this is less secure than denying connections when a certificate is expired. The default is false. For more information about this setting, see Integration Server as an SSL Server.

Specifies the alias of the Integration Server default SSL private key.

When Integration Server is acting as an HTTPS client, this parameter specifies whether the server should restrict outbound HTTPS connections only when a valid Extended Key Purpose field is present in the server's certificate. The content of the Key Purpose field, id-kp-serverAuth, should be in the IETF-mandated format, TLS WWW server authentication for the verification to pass. Refer to the section titled Extended Key Usage, in the document http://www.ietf.org/rfc/rfc3280.txt for more information regarding this format.

Three values are allowed for this watt property - true, false and log.

Specifies the alias of the Integration Server default SSL keystore.

Specifies the alias for the truststore that Integration Server uses as the default truststore.

When Integration Server is acting as a server, it uses the default truststore to verify the trust relation when no truststore is provided. For example, Integration Server uses the default truststore when no truststore is provided for HTTPS/FTPS ports or for web service security when there is no truststore at the provider web service endpoints alias.

When Integration Server is acting as a client, most of the components in Integration Serverr (for example, HTTPS, FTPS, remote server alias) always use the default truststore to verity the trust relation with the server. However, for web service security, Integration Server only uses the default truststore when the user does not provide a truststore in the consumer endpoint alias.

Specifies the truststore types supported by Integration Server. Each supported type is separated by a comma. The default value is JKS.

To specify additional truststore types for Integration Server, you need to do the following: