YAML Configuration Guide

Schema Docs

Type: object
Additional properties: any type allowed
Defined in: #/definitions/config_root

Description: YAML Configuration Guide.

To get started with authoring ISVAOP configuration YAML, refer to the Configuration.

Example:

# Full YAML based configuration example
version: 24.06
server:
  ssl:
    key: 'secret:keystore/httpserverkey.pem'
    certificate: 'secret:keystore/httpservercert.pem'
    require_mtls: true
    client_auth_trust_store: ks:truststore
  pages:
    type: zip
    content: "configmap:provider/pages.zip"
logging:
  level: debug
secrets:
  obf_key: 'secret:keystore/obf_key'
template_macros:
  user_macros:
    - name
    - family_name
    - given_name
    - display_name
  request_macros:
    - authorization_details
    - claims
    - user_code
    - state
ssl:
  certificate:
    - ks:rt_profile_keys
  disable_hostname_verification: true
definition:
  id: 1
  name: OIDC Definition
  grant_types:
    - authorization_code
    - implicit
    - password
    - client_credentials
    - refresh_token
    - 'urn:openid:params:grant-type:ciba'
  access_policy_id: 1
  pre_mappingrule_id: 100
  post_mappingrule_id: 101
  base_url: 'https://localhost:445'
  mtls_base_url: 'https://localhost:445'
  mtls_certificate_header_name: X-Client-Certificate
  features:
    enable_fault_tolerance: false
    enable_dynamic_registration: true
    consent_prompt: NEVER_PROMPT
    fapi_compliant: false
    enforce_par: false
  token_settings:
    issuer: 'https://www.ibm.com'
    signing_alg: RS256
    signing_keystore: rt_profile
    signing_keylabel: rsa256
    authorization_code_lifetime: 300
    access_token_lifetime: 7200
    id_token_lifetime: 3600
    refresh_token_lifetime: 64800
  request_object:
    lifetime: 3600
    require_expiry: true
    only_request_object_params: false
    enforce_single_usage: false
  backchannel_settings:
    default_expiry: 900
    maximum_expiry: 1800
    polling_interval: 5
    notifyuser_mappingrule_id: notifyuser
    checkstatus_mappingrule_id: checkstatus
  attribute_map:
    name: display_name # 1
    age: age # 2
  metadata:
    claims_supported:
      - iss
      - name
      - displayName
janitor:
  batch_size: 1000
  max_duration: 0
  check_frequency: 10
jwks:
  signing_keystore: rt_profile
  encryption_keystore: rt_profile
authentication:
  endpoint: >-
    https://auth-machine/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:password
  callback_param_name: Target
javascript:
  timeout: 0
  max_load: 16
  max_idle_time: 600
  max_ctx_in_isolate: 0
  cleanup_frequency: 0
  use_pool: false
dynamic_registration:
  recipe: Default
  mappingrule_id: dcr
  software_statement_validation:
    jwks_uri: >-
      https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    signing_algs:
      - PS256
      - ES256
  registration_endpoint_authentication:
    require_mtls: false
    require_bearer_token: false
    require_software_statement: false
    allow_custom_client_creds: true
  management_endpoint_authentication:
    require_mtls: false
    require_bearer_token: true
    require_software_statement: false
  registration_access_token:
    generate: true
    lifetime: 86400
    scopes:
      - 'cdr:registration'
runtime_db: mydb2
session_cache:
  type: redis
  cfg: myredis
server_connections:
  - name: mydb2
    type: db2
    database_name: secret:storage/mydb2_dbname
    hosts:
      - hostname: secret:storage/mydb2_hostname1
        hostport: secret:storage/mydb2_hostport1
    credential:
      username: secret:storage/mydb2_username
      password: secret:storage/mydb2_password
    conn_settings:
      max_pool_size: 50
      max_idle_size: 5
      max_idle_time: 10
      aged_timeout: 30
      connect_timeout: 5
    ssl:
      certificate:
        - ks:rt_profile
        - 'b64:LS0tLS1CRUdJTiBDR...LQo='
      disable_hostname_verification: true
  - "configmap:storage/myredis.yml"
  - name: ldap_test
    type: ldap
    hosts:
      - hostname: pentest-isva-openldap
        hostport: 636
    credential:
      bind_dn: 'cn=root,secAuthority=default'
      bind_password: passw0rd
    ssl:
      certificate:
        - ks:rt_profile
      disable_hostname_verification: true
    conn_settings:
      max_pool_size: 50
      connect_timeout: 3
attribute_sources:
  - id: 1
    name: display_name
    type: value
    value: anonymous
  - id: 2
    name: age
    type: credential
    value: AZN_CRED_AGE
  - id: 3
    name: website
    type: ldap
    value: website
    scope: subtree
    filter: (objectclass=*)
    selector: nickname,gender,sn
    srv_conn: ldap
    baseDN: dc=iswga
  - "configmap:attrsrc/attr_src_3_dup1.yml"
ldapcfg:
  - name: ldap_test_cfg_01
    scope: subtree
    user_object_classes: top,Person,organizationalPerson,inetOrgPerson
    filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
    selector: objectClass,cn,sn,givenName,userPassword
    srv_conn: ldap_test
    attribute: uid
    baseDN: dc=ibm,dc=com
rules:
  access_policy:
    - name: default_policy
      type: javascript
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
  mapping:
    - name: isvaop_pretoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: isvaop_posttoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: attrUtil
      content: "B64:aW1wb3J0Q2xhc3MoUGFj...Cg=="
    - name: checkstatus
      content: "configmap:rules/mapping_checkstatus.js"
    - name: dcr
      content: "B64:aW1wb...pCn0K"
    - name: extCache
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: httpClient
      content: "configmap:rules/mapping_httpClient.js"
    - name: jwt
      content: "B64:aW1wb...T047"
    - name: ldapClient
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: library
      content: "configmap:rules/mapping_library.js"
    - name: notifyuser
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: oauthUtil
      content: "B64:aW1w...Cgo="
    - name: ropc
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
clients:
  - client_id: client01
    client_id_issued_at: 1642399207
    client_secret: secret
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
    response_types:
      - code id_token
      - code token id_token
      - code
      - code token
      - none
      - code token id_token
    scopes:
      - openid
      - profile
      - test
    token_endpoint_auth_method: client_secret_post # tls_client_auth # client_secret_post
    token_endpoint_auth_signing_alg: RS384
    token_endpoint_auth_single_use_jti: false
    tls_client_auth_subject_dn: CN=oidc-dev-test.ite1.idng.ibmcloudsecurity.com,OU=,O=,L=,ST=,C=
    tls_client_certificate_bound_access_tokens: false
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    request_object_signing_alg: ES256
    require_pushed_authorization_requests: false
    require_pkce: false
    backchannel_token_delivery_mode: poll
    backchannel_client_notification_endpoint: https://notifyme.com
    backchannel_user_code_parameter: false
    extension:
      contact_type: "ADMINISTRATIVE"
      encryptDB: "rt_profile_keys"
      phone: "12345678"
      contact_person: "TESTUSER"
      company_name: "IBM"
      company_url: "https://ibm.com"
      encryptKey: "server"
      email: "TESTUSER@GMAIL.COM"
  - client_id: client01dpop
    client_id_issued_at: 1642399207
    client_secret: secret
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
    response_types:
      - code id_token
      - code token id_token
      - code
      - code token
      - none
      - code token id_token
    scopes:
      - openid
      - profile
      - test
    token_endpoint_auth_method: client_secret_post # tls_client_auth # client_secret_post
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    dpop_bound_access_tokens: true
    dpop_signing_alg: PS256
    dpop_single_use_jti: false
  - "configmap:clients/client01jarm.yml"
  - "configmap:clients/client01mtls.yml"
  - "configmap:clients/client01ping.yml"
  - "configmap:clients/client01pingmisconfig.yml"
  - "configmap:clients/client01pingmtls.yml"
  - "configmap:clients/client01pingmtlsmisconfig.yml"
  - "configmap:clients/client01pwt.yml"
  - client_id: client02
    client_id_issued_at: 1642399207
    client_secret: secret
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
      - https://www.mysp.ibm.com/isam/sps/oidc/rp/oidcrp/redirect/partner2
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
    response_types:
      - code id_token
      - code id_token token
      - code
      - code token
    scopes:
      - openid
      - profile
    token_endpoint_auth_method: tls_client_auth
    token_endpoint_auth_signing_alg: RS384
    token_endpoint_auth_single_use_jti: false
    tls_client_auth_subject_dn: CN=clientID01,OU=security,O=IBM,L=singapore,ST=singapore,C=SG
    tls_client_certificate_bound_access_tokens: true
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    request_object_signing_alg: PS256
    require_pushed_authorization_requests: false
    require_pkce: false
    extension:
      email: joe@ibm.com
      contactType: ADMINISTRATOR
      companyName: IBM
      encryptDB: rt_encrypt
      encryptKey: rsa
keystore:
  - name: db2client
    type: p12
    content: "secret:keystore/db2client.p12"
    password: "secret:keystore/db2client.obf"
  - name: test
    type: p12
    content: "secret:keystore/test.p12"
    password: "secret:keystore/test.obf"
  - name: postgres
    type: p12
    content: "secret:keystore/postgres.p12"
    password: "secret:keystore/postgres.obf"
  - name: redis
    type: p12
    content: "B64:MIIWX...AA=="
    password: "p@ssw0rd"
  - name: rt_profile
    type: zip
    content: "secret:keystore/rt_profile.zip"
  - name: rt_profile_dup01
    type: zip
    content: "B64:UEsDBBQAA.....A"
  - name: rt_profile_keys
    type: pem
    certificate:
      - label: httpservercert
        content: "B64:LS0tL...g=="
      - label: ldap
        content: "secret:keystore/rt_profile_keys_signer_ldap.pem"
      - label: ldap_gh
        content: |
          -----BEGIN CERTIFICATE-----
          MIIDBzCCAo2gAwIBAgIUbfkAdyPC1l5aUiTt6OUbS9Q+MbkwCgYIKoZIzj0EAwMw
          g...
          p8HLCUpB/3KPtmg=
          -----END CERTIFICATE-----
      - label: localLDAP
        content: "secret:keystore/rt_profile_keys_signer_localLDAP.pem"
      - label: rel-verify-ibmcloudsecurity-com-chain
        content: "B64:LS0tLS1CR...Q0K"
    key:
      - label: httpserverkey
        content: |
          -----BEGIN PRIVATE KEY-----
          MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDcfy4ptpTSA2DE
          ...
          tf5q/y+aDIXOsF03swP+J60GPQ==
          -----END PRIVATE KEY-----
  - name: truststore
    type: pem
    certificate:
      - label: mtlsclientcert
        content: |
          -----BEGIN CERTIFICATE-----
          MIIE5jCCAs6gAwIBAgIII7QhYxUdmcswDQYJKoZIhvcNAQELBQAwETEPMA0GA1UE
          AxMGaXN2YW9wMB4XDTI0MDQwNzA0MTMwNFoXDTM0MDQwNjA0MTMwNFowETEPMA0G
          A1UEAxMGaXN2YW9wMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmukm
          abTj0CHVrG/nTDAMm+jEQ7YJURg/XfQpIlrELLMEubXHDzn3Rk4jYkwaJHnKd2Jz
          nWVluSyngF/TgWqhRALdKn4zel1djia8pB6fkoOkjHqlNlX86O7PDvgVko2HBXBL
          2CJsOa787pw8kl4Odw9W6WeRmHz6VybTw91z0xfjfk3MCgCKUXg61RFlYtOIHU8B
          jeUxitwWBcF93Qa/AB7MXINKHSmxfqNqfMJMH26Dfu6N0DWQEttEmUphNo1NJynC
          ofZUUImGJcDKmr8m8JeSwLBXha0dvOmNnFVQ4GkUwsOk3zjP21JwB6Gy4TqvcYSU
          tt7jrJSqTeJFKIH2FMHbegpxwCDVlVz3cmilsIv1n9I4glkZCNLn2xNnYGyMW+tH
          /K628zKeB1KfZIcubgp1iMzmMhcSkiQ3Fpg7gSNRSDSMp8qPbK4b1qEqTux5KO5d
          HHUy3+MJHZX/0S7EYMmSbMC9sdFs75i3/eHEWtkcX8X2pS0CS+JzVG/Of3Ua1wwg
          qx8HxOMEDkxqzwQGA4/pzHh8CwXZ4bPKEIhMGW9z0Q2FE2LNeAu7t5ZurDecgkOP
          4nelnABqMTfdJQ38+0H5BkUEXdLxXzFQpKpFsZQpOfw9mu6JCgbElfbmltPDhGEw
          0+WqjaPLg+dxXjPAPVQn55fnd7W1CpCxy66xnvMCAwEAAaNCMEAwHQYDVR0OBBYE
          FA13+nOk4op66sDx6loy2OoTaHJFMB8GA1UdIwQYMBaAFA13+nOk4op66sDx6loy
          2OoTaHJFMA0GCSqGSIb3DQEBCwUAA4ICAQBwM7lTvU7ChadVtKfdMceQleVWDcJu
          5hBKhwGfk+2udW4naJrKWfCO88zsm1D62b+bYb4myAJiUxxqA2pIioI9Veaor/U8
          iQXZXC9NxA8gmyFr2KO47siIbbIK2QNeAePMh7FVOkzRq21FWgIJI+D7QXiMy3YZ
          PORq2qZJfyLmKoMEfnH4sdTu61BRzKuiL6crThTuB4agXAv1YeevKr2DX3tQ9etW
          WUQFF9ZiGWazUY6OoHyWxlQX5edShZbmwAJ/6A+DZ1Tywh5j4xVOWZzqDoAIqiIW
          xytHUnVwthGYNQV6q52E39xGHVn5pu0Co/3cmvnguc9IRbLcmBakM7llC07YWvWV
          2UGLqggRMR1B11FJZ5lubOL2hyqswGTz7AP4vrS/VLVmO7pcIZoz4pLMH6FBC+6/
          sI8c59jmFNmY4Ue0peLfnx+bWI9pEebh56hSTeNCvWdiJgRcE4Avf9iIG0q75nJ1
          n5+hGN9kBmT68uumA2waCkNtOX+75GD/m45d7slH3IHTg7YhtwnuepZe0cL/7Ksf
          CuIhUVZK9BYqKKE2CsaTGM7XquFg1jjPHBCQ3zCMHd+JlKzpGKay3Jm9gi2lMZeF
          wx7TNlZtKhNpxV0bO3x5aF+fjEWTBuqXooMAfNai7iANaNlLbWgvtbSo0xRFrI2j
          TV+GFMVLwuHGPg==
          -----END CERTIFICATE-----
1. [Optional] Property root > version
Type: string
Default: 22.12
Defined in: yaml_provider.yml#/definitions/version

Description: The IBM Security Verify Access OIDC Provider (ISVAOP) configuration version. If version is not specified, the default value 22.12 will be used.

2. [Required] Property root > definition
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/definition

Description: Definition

Read more about Definition.

Example:

definition:
  id: 1 # Definition ID
  name: OIDC Definition # Definition Name
  grant_types: # Supported grant types.
    - authorization_code
    - implicit
    - password
    - client_credentials
    - refresh_token
    - urn:openid:params:grant-type:ciba
    - urn:ietf:params:oauth:grant-type:token-exchange
  access_policy_id: 1 # Access Policy Rule ID.
  pre_mappingrule_id: isvaop_pretoken # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken # Post-Token mapping rule ID.
  ropc_mappingrule_id: ropc # ROPC mapping rule ID.
  base_url: https://isvaop.ibm.com:445 # Base url of the endpoints.
  mtls_base_url: https://isvaop.ibm.com:445 # Base url of the MTLS endpoints.
  mtls_certificate_header_name: x-client-certificate # HTTP header name that contains MTLS certificate.
  features: # Features Flags
    enable_fault_tolerance: false # Enable multiple refresh token for fault tolerance.
    consent_prompt: ALWAYS_PROMPT # Prompt for consent. ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER
    fapi_compliant: false # Whether to enforce all the FAPI checks.
    enforce_par: false # Only accept authorize request using push authorize.
    prefer_claims_at_userinfo: true # This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
  token_settings: # Token Settings
    issuer: https://isvaop.ibm.com # OP's issuer URI.
    signing_alg: PS512 # Signing algorithm for ID token generated.
    signing_keystore: rt_profile_keys # Signing keystore name.
    signing_keylabel: rsa256 # Signing key label.
    encryption_alg: none # Key encryption algorithm for ID token generated.
    encryption_enc: none # Content encryption algorithm for ID token generated.
    authorization_code_lifetime: 300 # Lifetime of authorization code.
    access_token_lifetime: 7200 # Lifetime of access token.
    id_token_lifetime: 3600 # Lifetime of id_token.
    refresh_token_lifetime: 64800 # Lifetime of refresh token.
  backchannel_settings: # Backchannel Settings
    default_expiry: 900 # The default CIBA session lifetime in seconds. If not specified, it is set to 900 seconds.
    maximum_expiry: 1800 # Maximum CIBA session lifetime in seconds. If not specified, it is set to 1800 seconds.
    polling_interval: 5 # Polling interval value that will be communicated to the relying party. Default is 5 seconds.
    notifyuser_mappingrule_id: notifyuser # Mapping rule ID that will be executed when notifying the user. Default is `notifyuser`.
    checkstatus_mappingrule_id: checkstatus # Mapping rule ID that will be executed when checking authentication status. Default is `checkstatus`.
    user_code_support: false # Whether this CIBA implementation supports user_code. This information will be published in `.well-known` endpoint.
  attribute_map: # Attribute mapping to resolve claims. also refer to attributesources.yml
    name: display_name
    age: age
  metadata: # name-value pair to override metadata information
    claims_supported:
      - iss
      - name
      - displayName
  dpop_max_lifetime: 3600 # Lifetime of DPoP proof JWT.
  request_object:
    lifetime: 3600 # Lifetime of the incoming JWT-Secured Authorization Request.
    require_expiry: true # Boolean flag to check if the JWT-Secured Authorization Request contains a exp claim.
    only_request_object_params: false # Boolean flag to enforce the JWT-Secured Authorization Request to contain all the request parameters.
    enforce_single_usage: false # Boolean flag to enforce single use of a JWT-Secured Authorization Request.
2.1. [Optional] Property root > definition > id
Type: string

Description: Definition ID. Required for DCR flows.

2.2. [Optional] Property root > definition > name
Type: string

Description: Definition Name. Required for DCR flows.

2.3. [Required] Property root > definition > grant_types
Type: array of string

Description: Supported grant types.

Each item of this array must be: grant_types items (no description)

2.3.1. root > definition > grant_types > grant_types items
Type: string

2.4. [Optional] Property root > definition > access_policy_id
Type: string

Description: Access Policy Rule ID.

2.5. [Optional] Property root > definition > pre_mappingrule_id
Type: string

Description: Pre-Token mapping rule ID.

2.6. [Optional] Property root > definition > post_mappingrule_id
Type: string

Description: Post-Token mapping rule ID.

2.7. [Optional] Property root > definition > ropc_mappingrule_id
Type: string

Description: ROPC mapping rule ID.

2.8. [Required] Property root > definition > base_url
Type: string

Description: Base url of the endpoints. Example: https://www.idp.com/isvaop

2.9. [Optional] Property root > definition > mtls_base_url
Type: string

Description: Base url of the MTLS endpoints. Example: https://www.idp-mtls.com/isvaop

2.10. [Optional] Property root > definition > mtls_certificate_header_name
Type: string
Default: "X-Client-Certificate"

Description: HTTP header name that carries the client's MTLS certificate. Example: X-Client-Certificate

2.11. [Required] Property root > definition > token_settings
Type: object
Additional properties: any type allowed

Description: Token Settings

Read more about Token Settings.

2.11.1. [Required] Property root > definition > token_settings > issuer
Type: string

Description: OP's issuer URI.

2.11.2. [Required] Property root > definition > token_settings > signing_alg
Type: string

Description: Signing algorithm for ID token generated.

2.11.3. [Required] Property root > definition > token_settings > signing_keystore
Type: string

Description: Signing keystore name.

NOTE: signing_keystore is the keystore name WITHOUT the ks: annotation.

2.11.4. [Required] Property root > definition > token_settings > signing_keylabel
Type: string

Description: Signing key label.

NOTE: signing_keylabel is the key label name WITHOUT the ks: annotation.

2.11.5. [Required] Property root > definition > token_settings > encryption_alg
Type: string

Description: Key encryption algorithm for ID token generated.

2.11.6. [Required] Property root > definition > token_settings > encryption_enc
Type: string

Description: Content encryption algorithm for ID token generated.

2.11.7. [Optional] Property root > definition > token_settings > authorization_code_lifetime
Type: number
Default: 300

Description: Lifetime of authorization code in seconds.

2.11.8. [Optional] Property root > definition > token_settings > access_token_lifetime
Type: number
Default: 7200

Description: Lifetime of access token in seconds.

2.11.9. [Optional] Property root > definition > token_settings > id_token_lifetime
Type: number
Default: 3600

Description: Lifetime of id_token in seconds.

2.11.10. [Optional] Property root > definition > token_settings > refresh_token_lifetime
Type: number
Default: 64800

Description: Lifetime of refresh token in seconds.

2.12. [Optional] Property root > definition > features
Type: object
Additional properties: any type allowed

Description: Feature Flags

Read more about Features Flags.

2.12.1. [Optional] Property root > definition > features > consent_prompt
Type: enum (of string)
Default: "ALWAYS_PROMPT"

Description: Prompt for consent vs auto-consent.

Must be one of:

  • "ALWAYS_PROMPT"
  • "NEVER_PROMPT"
  • "PROMPT_ONCE_AND_REMEMBER"

2.12.2. [Optional] Property root > definition > features > enforce_par
Type: boolean
Default: false

Description: Accept only authorization requests that are submitted through Pushed Authorization Requests (PAR).

2.12.3. [Optional] Property root > definition > features > prefer_claims_at_userinfo
Type: boolean
Default: false

Description: Introduced to address the requirement in OpenID Connect Core section 5.4 (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When set to true and an OAuth/OIDC flow issues an access token, the requested claims are not returned in the id_token but only at the /userinfo endpoint, unless the claims are marked essential for the id_token.

2.13. [Optional] Property root > definition > backchannel_settings
Type: object
Additional properties: any type allowed

Description: These settings are related to Client-Initiated Backchannel Authentication (CIBA).

Read more about Backchannel Settings.

2.13.1. [Optional] Property root > definition > backchannel_settings > default_expiry
Type: number
Default: 900

Description: The default CIBA session lifetime in seconds.

2.13.2. [Optional] Property root > definition > backchannel_settings > maximum_expiry
Type: number
Default: 1800

Description: Maximum CIBA session lifetime in seconds.

2.13.3. [Optional] Property root > definition > backchannel_settings > polling_interval
Type: number
Default: 5

Description: Polling interval, in seconds, that is communicated to the relying party.

2.13.4. [Optional] Property root > definition > backchannel_settings > notifyuser_mappingrule_id
Type: string
Default: "notifyuser"

Description: Mapping rule ID that is run when the user is notified.

2.13.5. [Optional] Property root > definition > backchannel_settings > checkstatus_mappingrule_id
Type: string
Default: "checkstatus"

Description: Mapping rule ID that is run when the authentication status is checked.

2.13.6. [Optional] Property root > definition > backchannel_settings > user_code_support
Type: boolean
Default: false

Description: Whether this CIBA implementation supports user_code. This information is published at the .well-known endpoint.

2.14. [Optional] Property root > definition > attribute_map
Type: map of string -> string

Description: Attribute mapping to resolve claims.

2.15. [Optional] Property root > definition > metadata
Type: map of string -> any

Description: Name-value pairs that override the published metadata information.

2.16. [Optional] Property root > definition > request_object
Type: object
Additional properties: any type allowed

Description: These settings are related to JWT-Secured Authorization Request (JAR).

Read more about JWT Secured Authorization Request Settings.

2.16.1. [Optional] Property root > definition > request_object > lifetime
Type: number

Description: The maximum lifetime of the incoming request-JWT in seconds.

2.16.2. [Optional] Property root > definition > request_object > require_expiry
Type: boolean
Default: false

Description: Boolean flag that requires the request-JWT to contain an exp claim.

2.16.3. [Optional] Property root > definition > request_object > only_request_object_params
Type: boolean
Default: false

Description: Boolean flag that requires the request-JWT to contain all the request parameters.

2.16.4. [Optional] Property root > definition > request_object > enforce_single_usage
Type: boolean
Default: false

Description: Boolean flag that enforces single use of a request-JWT.

2.17. [Optional] Property root > definition > dpop_max_lifetime
Type: number

Description: Maximum lifetime of a DPoP proof JWT in seconds.

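The settings in this section are where most of an authorization server's risk posture is set, so a configuration review is usually a checklist over them. The script below is an added example, not part of this guide or of ISVAOP: it takes the parsed `definition` mapping (loading the YAML, for instance with PyYAML's `safe_load`, is left to the caller) and reports grant types that the OAuth 2.0 Security Best Current Practice advises against, token lifetimes above a policy ceiling, auto-consent, and JAR request objects accepted without an `exp` claim or without replay protection; `hardened_copy` then produces the corrected counterpart. The lifetime ceilings and the discouraged-grant list are this example's own policy choices, not schema defaults, and `SAMPLE_DEFINITION` is constructed from the example in section 2.

```python
"""Added example (not ISVAOP code): review the `definition` subtree of an
ISVAOP configuration and produce a hardened copy of it."""
import copy
from dataclasses import dataclass

# Grant types the OAuth 2.0 Security BCP advises against. Assumption: your own
# policy decides whether legacy clients may still use them.
DISCOURAGED_GRANTS = {"implicit", "password"}

# Lifetime ceilings in seconds. These are example policy values; the schema
# defaults are 300 / 7200 / 3600 / 64800.
MAX_LIFETIMES = {
    "authorization_code_lifetime": 600,
    "access_token_lifetime": 3600,
    "id_token_lifetime": 3600,
    "refresh_token_lifetime": 86400,
}


@dataclass(frozen=True)
class Finding:
    path: str      # dotted path into the YAML document
    message: str


def audit_definition(definition: dict) -> list:
    """Return one Finding per setting that deserves a second look."""
    findings = []

    for grant in definition.get("grant_types", []):
        if grant in DISCOURAGED_GRANTS:
            findings.append(Finding("definition.grant_types",
                                    f"grant type '{grant}' is discouraged by the OAuth 2.0 Security BCP"))

    tokens = definition.get("token_settings", {})
    for key, ceiling in MAX_LIFETIMES.items():
        value = tokens.get(key)
        if value is not None and value > ceiling:
            findings.append(Finding(f"definition.token_settings.{key}",
                                    f"{value}s exceeds the policy ceiling of {ceiling}s"))

    if definition.get("features", {}).get("consent_prompt") == "NEVER_PROMPT":
        findings.append(Finding("definition.features.consent_prompt",
                                "NEVER_PROMPT grants consent without asking the user"))

    # Both JAR flags default to false, so they must be switched on explicitly.
    request_object = definition.get("request_object", {})
    if not request_object.get("require_expiry", False):
        findings.append(Finding("definition.request_object.require_expiry",
                                "request objects without an exp claim are accepted"))
    if not request_object.get("enforce_single_usage", False):
        findings.append(Finding("definition.request_object.enforce_single_usage",
                                "a request object may be presented more than once"))
    return findings


def hardened_copy(definition: dict) -> dict:
    """Return a deep copy with every finding from audit_definition resolved."""
    hardened = copy.deepcopy(definition)
    hardened["grant_types"] = [g for g in hardened.get("grant_types", [])
                               if g not in DISCOURAGED_GRANTS]
    tokens = hardened.setdefault("token_settings", {})
    for key, ceiling in MAX_LIFETIMES.items():
        if key in tokens:
            tokens[key] = min(tokens[key], ceiling)
    features = hardened.setdefault("features", {})
    if features.get("consent_prompt") == "NEVER_PROMPT":
        features["consent_prompt"] = "ALWAYS_PROMPT"
    request_object = hardened.setdefault("request_object", {})
    request_object["require_expiry"] = True
    request_object["enforce_single_usage"] = True
    return hardened


# Constructed from the section 2 example; only the keys the audit reads.
SAMPLE_DEFINITION = {
    "id": 1,
    "grant_types": ["authorization_code", "implicit", "password", "client_credentials",
                    "refresh_token", "urn:openid:params:grant-type:ciba",
                    "urn:ietf:params:oauth:grant-type:token-exchange"],
    "features": {"consent_prompt": "ALWAYS_PROMPT", "fapi_compliant": False, "enforce_par": False},
    "token_settings": {"authorization_code_lifetime": 300, "access_token_lifetime": 7200,
                       "id_token_lifetime": 3600, "refresh_token_lifetime": 64800},
    "request_object": {"lifetime": 3600, "require_expiry": True,
                       "only_request_object_params": False, "enforce_single_usage": False},
}

if __name__ == "__main__":
    for finding in audit_definition(SAMPLE_DEFINITION):
        print(f"{finding.path}: {finding.message}")
    print("after hardening:", audit_definition(hardened_copy(SAMPLE_DEFINITION)))
```

Run against the section 2 example the audit reports the `implicit` and `password` grants, the 7200-second access token, and the missing single-use enforcement; the hardened copy reports nothing. Treat the findings as review prompts rather than verdicts, since a grant type such as `password` may be retained deliberately for a migration.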
3. [Required] Property root > jwks
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/jwks

Description: JSON Web Key Set (JWKS) Settings

Read more about JSON Web Key Set (JWKS) Settings.

Example:

jwks: # JSON Web Key Set (JWKS) Settings
  signing_keystore: signing_keystore # Keystore name containing keys related to JWT signing/signature validation.
  encryption_keystore: encryption_keystore # Keystore name containing keys related to JWT encryption/decryption.
3.1. [Required] Property root > jwks > signing_keystore
Type: string

Description: Keystore name that contains keys that are related to JWT signing and signature validation.

NOTE: signing_keystore is the keystore name WITHOUT the ks: annotation.

3.2. [Required] Property root > jwks > encryption_keystore
Type: string

Description: Keystore name that contains keys that are related to JWT encryption and decryption.

NOTE: encryption_keystore is the keystore name WITHOUT the ks: annotation.

4. [Optional] Property root > authentication
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/authentication

Description: Authentication Settings

Read more about Authentication Settings.

Example:

authentication: # Authentication Settings
  endpoint: https://isvaop.ibm.com:445/isvaop/oauth2/auth # Endpoint to redirect when authentication is required. This is mandatory when `grant_types` contains `authorization_code` or `implicit`
  callback_param_name: Target # Parameter name to specify the callback target URI. If it is not specified, the default callback param name is `Target`.
  subject_attribute_name: uid # Name of the user or credential attribute that will be used to populate the `sub`. If it is not specified, the default attribute is `uid`.
4.1. [Optional] Property root > authentication > endpoint
Type: string
Default: "https://isvaop.ibm.com:445/isvaop/oauth2/auth"

Description: Endpoint to redirect to when authentication is needed. This setting is mandatory when grant_types contains authorization_code or implicit (refer to Definition).

4.2. [Optional] Property root > authentication > callback_param_name
Type: string
Default: "Target"

Description: Parameter name to specify the callback target URI. If it is not specified, the default callback param name is Target.

4.3. [Optional] Property root > authentication > subject_attribute_name
Type: string
Default: "uid"

Description: Name of the user or credential attribute that is used to populate the sub. If it is not specified, the default attribute is uid.

5. [Optional] Property root > template_macros
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/template_macros

Description: Template Macros

Read more about template_macros.

Example:

template_macros:
  user_macros:
    - name
    - family_name
    - given_name
    - display_name
  request_macros:
    - authorization_details
    - claims
    - user_code
    - state
5.1. [Optional] Property root > template_macros > user_macros
Type: array of string

Description: List of authenticated user claims to be made available.

Each item of this array must be: user_macros items (no description)

5.1.1. root > template_macros > user_macros > user_macros items
Type: string

5.2. [Optional] Property root > template_macros > request_macros
Type: array of string

Description: List of request parameters to be made available.

Each item of this array must be: request_macros items (no description)

5.2.1. root > template_macros > request_macros > request_macros items
Type: string

6. [Optional] Property root > ssl
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/ssl

Description: SSL Setting

Read more about SSL Settings.

Example:

ssl:
  certificate:
    - ks:https_keys # The default SSL keystore to be used for SSL connections. It is used when SSL keystore is not specified in server connection SSL settings.
  disable_hostname_verification: true # The default flag to enable or disable hostname verification for SSL connections. It is used when SSL disable_hostname_verification is not specified in server connection SSL settings.
6.1. [Optional] Property root > ssl > certificate
Type: array of string

Description: The list of default SSL keystores to be used for all SSL connections. It is used when no SSL keystore is specified in the server connection SSL settings.

Each item of this array must be: certificate items (no description)

6.1.1. root > ssl > certificate > certificate items
Type: string

6.2. [Optional] Property root > ssl > disable_hostname_verification
Type: boolean
Default: false

Description: The default flag to enable or disable hostname verification for SSL connections. It is used when SSL disable_hostname_verification is not specified in server connection SSL settings.

7. [Required] Property root > server
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/server

Description: Server Settings

Read more about Server Settings.

Example:

server:
  ssl:
    key: ks:https_keys/httpserverkey # Name of the keystore/key for the ISVAOP HTTPS server.
    certificate: ks:https_keys/httpservercert # Name of the keystore/certificate for the ISVAOP HTTPS server.
    ca:
      - ks:https_keys/httpserverca # Name of the keystore/CA for the ISVAOP HTTPS server.
  pages:
    type: zip # path is also supported, which indicates it is unpacked
    content: "B64:<encoded_binary>"
7.1. [Required] Property root > server > ssl
Type: object
Additional properties: any type allowed

Description: HTTPS server SSL settings

Read more about key management here.

7.1.1. [Required] Property root > server > ssl > key
Type: string

Description: Name of the keystore/key for the ISVAOP HTTPS server.

7.1.2. [Required] Property root > server > ssl > certificate
Type: string

Description: Name of the keystore/certificate for the ISVAOP HTTPS server.

7.1.3. [Optional] Property root > server > ssl > ca
Type: array of string

Description: Array of CA certificates

Each item of this array must be: ca items (no description)

7.1.3.1. root > server > ssl > ca > ca items
Type: string

7.2. [Optional] Property root > server > pages
Type: object
Additional properties: any type allowed

Description: Customized template pages settings

7.2.1. [Required] Property root > server > pages > type
Type: enum (of string)

Description: When customized template pages are provided, the type of content that is being supplied: either a zip file or a directory name.

Must be one of:

  • "path"
  • "zip"

7.2.2. [Required] Property root > server > pages > content
Type: string

Description: The content that is used for the customized template pages.

  • When the type is path, specify the path of the customized template pages directory, which is relative to the /var/isvaop/config directory of the container.
  • When the type is zip:
    • use the @ annotation to specify the customized template pages zip file path, which is relative to the /var/isvaop/config directory of the container.
    • or use the B64: annotation to specify the base64 encoded customized template pages zip file.
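Because `content` is resolved relative to `/var/isvaop/config` and may also be an inline base64 zip, whatever consumes it should refuse references that step outside that directory and archive entries that would extract outside the target. The resolver below is an added example, not ISVAOP code: it handles only the `@` and `B64:` annotations documented in this section (the `configmap:` form that appears in the full example at the top of the page is deliberately rejected here), confines paths with `posixpath`, checks the zip signature, and lists archive entries that contain `..` or start with `/`. The sample archives are constructed inside the script; the confinement and zip-slip checks are this example's own hardening, not documented ISVAOP behaviour.

```python
"""Added example (not ISVAOP code): resolve `server.pages` `type`/`content`
safely and inspect the supplied archive before it is unpacked."""
import base64
import io
import posixpath
import zipfile

CONFIG_ROOT = "/var/isvaop/config"   # base directory named in this section


def _confined_path(relative: str, root: str = CONFIG_ROOT) -> str:
    """Join `relative` under `root` and refuse anything that escapes it."""
    if relative.startswith("/"):
        raise ValueError(f"absolute path not allowed: {relative!r}")
    resolved = posixpath.normpath(posixpath.join(root, relative))
    if resolved != root and not resolved.startswith(root + "/"):
        raise ValueError(f"path escapes {root}: {relative!r}")
    return resolved


def resolve_pages(pages: dict) -> tuple:
    """Return ("path", dir), ("zip_path", file) or ("zip_bytes", data)."""
    ptype = pages.get("type")
    content = str(pages.get("content", ""))
    if ptype == "path":
        return "path", _confined_path(content)
    if ptype == "zip":
        if content.startswith("@"):
            return "zip_path", _confined_path(content[1:])
        if content[:4].lower() == "b64:":          # the page shows both B64: and b64:
            data = base64.b64decode(content[4:], validate=True)
            if not data.startswith(b"PK"):        # local-file or end-of-central-dir signature
                raise ValueError("B64: content does not decode to a zip archive")
            return "zip_bytes", data
        raise ValueError("zip content must use the @ or B64: annotation")
    raise ValueError(f"unsupported pages type: {ptype!r}")


def is_safe_reference(pages: dict) -> bool:
    """True when resolve_pages accepts the reference, False when it rejects it."""
    try:
        resolve_pages(pages)
        return True
    except ValueError:
        return False


def unsafe_zip_entries(data: bytes) -> list:
    """Entry names that would land outside the extraction directory (zip slip)."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            parts = name.replace("\\", "/").split("/")
            if name.startswith("/") or ".." in parts:
                bad.append(name)
    return bad


def _build_sample_zip(entries: dict) -> bytes:
    """Constructed in-memory archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, text in entries.items():
            archive.writestr(name, text)
    return buf.getvalue()


SAMPLE_PAGES_ZIP = _build_sample_zip({"login.html": "<p>constructed sample page</p>"})
SAMPLE_PAGES_B64 = "B64:" + base64.b64encode(SAMPLE_PAGES_ZIP).decode("ascii")
TRAVERSAL_ZIP = _build_sample_zip({"../outside.html": "constructed bad entry"})

if __name__ == "__main__":
    print(resolve_pages({"type": "zip", "content": "@pages/custom.zip"}))
    kind, data = resolve_pages({"type": "zip", "content": SAMPLE_PAGES_B64})
    print(kind, len(data), "bytes; unsafe entries:", unsafe_zip_entries(data))
    print("traversal archive:", unsafe_zip_entries(TRAVERSAL_ZIP))
    print("escaping reference accepted?", is_safe_reference({"type": "zip", "content": "@../outside/pages.zip"}))
```

The string checks on the normalised path are enough here because the path never touches the filesystem; a resolver that does open the file should additionally compare the realpath of the opened target, so that a symlink planted under the config directory cannot redirect the read.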
8. [Optional] Property root > javascript
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/javascript

Description: JavaScript Settings

Read more about JavaScript Settings.

Example:

javascript: # Javascript Settings
  timeout: 0 # Maximum execution time for a script in ms. Set to 0 for unlimited execution time.
  max_load: 16 # Maximum number of v8 engine spawned.
  max_ctx_in_isolate: 50 # Maximum reuse of v8 engine before recreated. Set to 0 to disable.
  use_pool: false # If true, run in `pool` mode, otherwise run in `worker` mode.
8.1. [Optional] Property root > javascript > use_pool
Type: boolean
Default: false

Description: If true, run in pool mode, otherwise run in worker mode.

8.2. [Optional] Property root > javascript > max_load
Type: number
Default: 16

Description: Maximum number of V8 engines created.

8.3. [Optional] Property root > javascript > timeout
Type: number
Default: 0

Description: Maximum execution time for a script in ms. Set to 0 for unlimited execution time.

8.4. [Optional] Property root > javascript > max_ctx_in_isolate
Type: number
Default: 0

Description: Maximum number of times a V8 engine is reused before it is re-created. Set to 0 to disable.

9. [Optional] Property root > janitor
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/janitor

Description: ISVAOP uses a separate janitor binary to clean up expired data. Read more about Database cleanup.

Example:

janitor: # Janitor Settings
  batch_size: 1000 # It is the maximum records being cleaned up with each iteration.
  max_duration: 0 # When the max_duration is set to 0, the janitor program runs until all records are cleaned up.
  check_frequency: 10 # It indicates the number of iterations to be run before the janitor check whether the maximum duration is exceeded.
9.1. [Optional] Property root > janitor > batch_size
Type: number
Default: 1000

Description: The maximum number of records cleaned up in each iteration.

9.2. [Optional] Property root > janitor > max_duration
Type: number
Default: 0

Description: When max_duration is set to 0, the janitor program runs until all records are cleaned up. Depending on how often you run the janitor, the number of records can be large. The maximum duration is specified in milliseconds.

9.3. [Optional] Property root > janitor > check_frequency
Type: number
Default: 10

Description: The number of iterations to run before the janitor checks whether the maximum duration is exceeded.

10. [Optional] Property root > logging
Type: object
Additional properties: Any type: allowed
Defined in: yaml_provider.yml#/definitions/logging

Description: Logging Settings

Read more about Logging Settings.

Example:

logging: # Logging Settings
  level: finest # Logging level setting. If the level is not set or invalid, `info` will be used. Valid values: `panic`, `fatal`, `error`, `warn`, `warning` (alias of `warn`), `info`, `debug`, `fine` (alias of `debug`), `trace`, `finest` (alias of `trace`)
10.1. [Optional] Property root > logging > level
Type: enum (of string)
Default: "info"

Description: Logging level setting. If the level is not set or invalid, info is used.

  • warning is alias of warn
  • fine is alias of debug
  • finest is alias of trace

Must be one of:

  • "panic"
  • "fatal"
  • "error"
  • "warn"
  • "warning"
  • "info"
  • "debug"
  • "fine"
  • "trace"
  • "finest"
11. [Optional] Property root > dynamic_registration
Type: object
Additional properties: Any type: allowed
Defined in: yaml_provider.yml#/definitions/dynamic_registration

Description: Dynamic Client Profile

Read more about Dynamic Client Profile.

Example:

dynamic_registration:
  recipe: FAPI_UK-OB # Security profile to use. Options: Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR
  mappingrule_id: dcr # Dynamic registration mapping rule ID.
  software_statement_validation: # Software statement validation settings.
    jwks_uri: http://172.16.123.1:3000/jwks/obdirectory # JWKS URI containing the public key required to validate the software statement signature.
    signing_algs: # Accepted signing algorithms.
      - ES256
  registration_endpoint_authentication: # Authentication settings for the POST operation.
    require_mtls: true # Specifies whether the endpoint requires MTLS.
    require_bearer_token: true # Specifies whether the endpoint requires a bearer token.
    require_software_statement: false # Specifies whether the endpoint requires a software statement.
    allow_custom_client_creds: true # Only for POST. Specifies whether to accept client_id/client_secret in the POST payload.
  management_endpoint_authentication: # Authentication settings for PUT/GET/DELETE operations.
    require_mtls: false # Specifies whether the endpoint requires MTLS.
    require_bearer_token: true # Specifies whether the endpoint requires a bearer token.
    require_software_statement: false # Specifies whether the endpoint requires a software statement. Only applicable to the PUT operation.
  registration_access_token: # Registration access token settings.
    generate: true # Specifies whether to produce a registration access token as part of POST/PUT/GET operations.
    lifetime: 86400 # Specifies the lifetime of the registration access token.
    scopes: # The scopes required in the access token. All scopes listed here are mandatory; the request is unauthorized if any scope is missing from the access token.
      - cdr:registration
11.1. [Optional] Property root > dynamic_registration > recipe
Type: enum (of string)
Default: "Default"

Description: Security profile to be used. Options: Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR.

Must be one of:

  • "Default"
  • "FAPI_DEFAULT"
  • "FAPI_UK-OB"
  • "FAPI_AU-CDR"
11.2. [Optional] Property root > dynamic_registration > mappingrule_id
Type: string

Description: Dynamic registration mapping rule ID.

11.3. [Optional] Property root > dynamic_registration > software_statement_validation
Type: object
Additional properties: Any type: allowed

Description: Software Statement Validation

Read more about Software Statement Validation.

11.3.1. [Optional] Property root > dynamic_registration > software_statement_validation > jwks_uri
Type: string

Description: JWKS URI containing the public key that is needed to validate the software statement signature.

11.3.2. [Optional] Property root > dynamic_registration > software_statement_validation > signing_algs
Type: array of string

Description: Accepted signing algorithms

Each item of this array must be: signing_algs items
11.3.2.1. root > dynamic_registration > software_statement_validation > signing_algs > signing_algs items
Type: string
11.4. [Optional] Property root > dynamic_registration > registration_endpoint_authentication
Type: object
Additional properties: Any type: allowed

Description: Registration Endpoint Authentication

Read more about Registration Endpoint Authentication.

11.4.1. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_mtls
Type: boolean
Default: false

Description: Specifies whether the endpoint requires MTLS.

11.4.2. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_bearer_token
Type: boolean
Default: false

Description: Specifies whether the endpoint requires a bearer token.

11.4.3. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_software_statement
Type: boolean
Default: false

Description: Specifies whether the endpoint requires a software statement.

11.4.4. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > allow_custom_client_creds
Type: boolean
Default: false

Description: Only for POST. Specifies whether to accept client_id/client_secret in the POST payload.

11.5. [Optional] Property root > dynamic_registration > management_endpoint_authentication
Type: object
Additional properties: Any type: allowed

Description: Management Endpoint Authentication

Read more about Management Endpoint Authentication.

11.5.1. [Optional] Property root > dynamic_registration > management_endpoint_authentication > require_mtls
Type: boolean
Default: false

Description: Specifies whether the endpoint requires MTLS.

11.5.2. [Optional] Property root > dynamic_registration > management_endpoint_authentication > require_bearer_token
Type: boolean
Default: false

Description: Specifies whether the endpoint requires a bearer token.

11.5.3. [Optional] Property root > dynamic_registration > management_endpoint_authentication > require_software_statement
Type: boolean
Default: false

Description: Specifies whether the endpoint requires a software statement. This is only applicable to the PUT operation.

11.6. [Optional] Property root > dynamic_registration > registration_access_token
Type: object
Additional properties: Any type: allowed

Description: Registration Access Token

Read more about Registration Access Token.

11.6.1. [Optional] Property root > dynamic_registration > registration_access_token > generate
Type: boolean

Description: Specifies whether to produce a registration access token as part of POST/PUT/GET operations.

11.6.2. [Optional] Property root > dynamic_registration > registration_access_token > lifetime
Type: number

Description: Specifies the lifetime of the registration access token.

11.6.3. [Optional] Property root > dynamic_registration > registration_access_token > scopes
Type: array of string

Description: Specifies the scopes required in the access token. All scopes listed here are mandatory; the request is unauthorized if any scope is missing from the access token.

Each item of this array must be: scopes items
11.6.3.1. root > dynamic_registration > registration_access_token > scopes > scopes items
Type: string
12. [Optional] Property root > secrets
Type: object
Additional properties: Any type: allowed
Defined in: yaml_provider.yml#/definitions/secrets

Description: Secrets

Read more about Secrets.

Example:

secrets:
  obf_key: "<obfuscation key>"
  enc_key: "@private.pem"
12.1. [Optional] Property root > secrets > obf_key
Type: string

Description: Specifies an obfuscation key that is used to decrypt the OBF:<data> type entries.

12.2. [Optional] Property root > secrets > enc_key
Type: string

Description: Specifies an encryption key that is used to decrypt the ENC:<data> type entries.

13. [Required] Property root > runtime_db
Type: string
Defined in: yaml_storage.yml#/definitions/runtime_db

Description: Runtime Database Configuration

Read more about Runtime Database Configuration.

14. [Required] Property root > session_cache
Type: object
Additional properties: Any type: allowed
Defined in: yaml_storage.yml#/definitions/session_cache

Description: Session Cache Configuration

Read more about Session Cache Configuration.

14.1. [Required] Property root > session_cache > type
Type: enum (of string)

Description: Specifies the type of session cache: in-memory, redis, or db.

Must be one of:

  • "in-memory"
  • "redis"
  • "db"
14.2. [Optional] Property root > session_cache > life_time
Type: number
Default: 600

Description: For the in-memory session cache type, specifies the session entry duration in seconds.

14.3. [Optional] Property root > session_cache > max_entries
Type: number
Default: 60000

Description: For the in-memory session cache type, specifies the maximum number of session entries.

14.4. [Optional] Property root > session_cache > cfg
Type: string

Description: For the redis type, specifies the name of the server connection configuration of the redis server.

15. [Required] Property root > server_connections
Type: array of object
Defined in: yaml_storage.yml#/definitions/server_connections

Description: Specifies a list of server connection configurations.

Read more about Storage Configuration.

Each item of this array must be: server_connections items (Specifies the server connection configuration details. ...)

15.1. root > server_connections > server_connections items

Type: object
Additional properties: Any type: allowed

Description: Specifies the server connection configuration details.

Server connections are categorized as database, redis, or ldap. Refer to each server connection category for details.

15.1.1. [Optional] Property root > server_connections > server_connections items > server_connection (database)
Type: object
Additional properties: Any type: allowed

Description: Runtime Database Server Connection

Read more about Runtime Database Server Connection.

Examples:

# PostgreSQL Runtime Database configuration sample
runtime_db: mypq # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db # Specifies the type of session cache, in-memory, redis, or db.
  # cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection
  # life_time: 600 # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600`
  # max_entries: 60000 # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000`
server_connections: # Server connections
  - name: mypq # Connection name
    type: postgresql # Connection type, `redis`, `ldap`, `postgresql`, `oracle`
    database_name: verify-access # Specifies the database or service name. For database types only.
    hosts: # List of host information (IP and port)
      - hostname: postgresql # Server's hostname
        hostport: 5432 # Server's host port
    credential: # Credential information to connect to the server
      username: postgres # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this.
    ssl:
      certificate: # The SSL connection certificate array.
        - ks:postgres_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:
        key: ks:rt_profile_keys/postgres # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/postgres # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca:
          - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false # The SSL connection validates the hostname.
    conn_settings: # Connection settings
      max_idle_time: 10 # Maximum idle time in seconds
      min_pool_size: 5 # Minimum connection pool size
      max_pool_size: 50 # Maximum connection pool size
      connect_timeout: 5 # Connect timeout, in seconds
      aged_timeout: 30 # Aged timeout, in seconds

# Oracle Runtime Database configuration sample
runtime_db: myoracle # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db # Specifies the type of session cache, in-memory, redis, or db.
server_connections: # Server connections
  - name: myoracle # Connection name
    type: oracle # Connection type, `redis`, `ldap`, `postgresql`, `oracle`
    database_name: verify-access # Specifies the database or service name. For database types only.
    hosts: # List of host information (IP and port)
      - hostname: myoracle # Server's hostname
        hostport: 2484 # Server's host port
    credential: # Credential information to connect to the server
      username: SYSTEM # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this.
    ssl:
      wallet: # For Oracle database only. Oracle database uses a client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS.
        type: path # The type of content that is being supplied, either a zip file or a directory name.
        content: oracle/wallet # The content that is used for the wallet. When the type is path, specify the path of the wallet.
        # type: zip # When the type is zip, the content can be specified by using either the @ or the B64: annotation.
        # content: "@oracle/wallet.zip" # When type is zip, use the @ annotation to specify the wallet zip file path.
        # content: "B64:UEsDBBQACAAIAAJg......+ScAAAAA" # When type is zip, use the B64: annotation to specify the base64 encoded wallet zip file.
      disable_hostname_verification: false # The SSL connection validates the hostname.
    conn_settings: # Connection settings
      max_idle_time: 10 # Maximum idle time in seconds
      aged_timeout: 30 # Aged timeout, in seconds
      max_idle_size: 5 # Maximum connection idle size
      max_pool_size: 50 # Maximum connection pool size
      connect_timeout: 5 # Connect timeout, in seconds

# Db2 Runtime Database configuration sample
runtime_db: mydb2 # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db # Specifies the type of session cache, in-memory, redis, or db.
server_connections: # Server connections
  - name: mydb2 # Connection name
    type: db2 # Connection type, `redis`, `ldap`, `postgresql`, `oracle`, `db2`
    database_name: verify-access # Specifies the database or service name. For database types only.
    hosts: # List of host information (IP and port)
      - hostname: mydb2 # Server's hostname
        hostport: 50001 # Server's host port
    credential: # Credential information to connect to the server
      username: db2inst1 # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this.
    ssl:
      certificate: # The SSL connection certificate for Db2. The Db2 SSL connection certificate must use the 'ks' or '@' annotation to specify a keystore in P12 format or a PEM file, or the 'B64' annotation to specify a base64 encoded PEM file. If multiple certificates are configured, the first certificate specified with the '@' or 'B64:' annotation is used.
        - '@keystore/rt_profile_keys/signer/ca.pem' # '@' annotation to specify the certificate PEM file.
        # - 'b64:LS0tLS1CRUdJTiBD......tLQo=' # 'B64' annotation to specify the base64 encoded certificate PEM.
        # - 'ks:db2client' # 'ks' annotation to specify a keystore in P12 format.
      disable_hostname_verification: false # The SSL connection validates the hostname.
    conn_settings: # Connection settings
      max_idle_time: 10 # Maximum idle time in seconds
      aged_timeout: 30 # Aged timeout, in seconds
      max_idle_size: 5 # Maximum connection idle size
      max_pool_size: 50 # Maximum connection pool size
      connect_timeout: 5 # Connect timeout, in seconds
15.1.1.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > name
Type: string

Description: Connection name.

15.1.1.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > type
Type: enum (of string)

Description: Connection type.

The IBM Security Verify Access OIDC Provider (ISVAOP) supports postgresql, oracle and db2 databases.

Must be one of:

  • "postgresql"
  • "oracle"
  • "db2"
15.1.1.3. [Required] Property root > server_connections > server_connections items > server_connection (database) > database_name
Type: string

Description: Specifies the database or service name. For database types only.

15.1.1.4. [Required] Property root > server_connections > server_connections items > server_connection (database) > hosts
Type: array

Description: List of host information (IP and port)

Each item of this array must be: hosts items
15.1.1.4.1. root > server_connections > server_connections items > server_connection (database) > hosts > hosts items
Type: object
Additional properties: Any type: allowed
15.1.1.4.1.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > hosts > hosts items > hostname
Type: string

Description: Runtime Database Server's hostname

15.1.1.4.1.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > hosts > hosts items > hostport
Type: number

Description: Runtime Database Server's host port

15.1.1.5. [Required] Property root > server_connections > server_connections items > server_connection (database) > credential
Type: object
Additional properties: Any type: allowed
Defined in: #/$def/credential

Description: Credential information to connect to the Runtime Database server

15.1.1.5.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > credential > username
Type: string

Description: Specifies the username to access the server.

15.1.1.5.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > credential > password
Type: string

Description: Specifies the password to access the server. Use obfuscation.

15.1.1.6. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl
Type: object
Additional properties: Any type: allowed
Defined in: #/$def/ssl_db

Description: SSL settings. If this block is missing, the connection is not SSL.

15.1.1.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > certificate
Type: array of string

Description: The array of SSL certificates to be used for SSL connection to the database.

Each item of this array must be: certificate items
15.1.1.6.1.1. root > server_connections > server_connections items > server_connection (database) > ssl > certificate > certificate items
Type: string
15.1.1.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth
Type: object
Additional properties: Any type: allowed
15.1.1.6.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > key
Type: string

Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.

15.1.1.6.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > certificate
Type: string

Description: When mutual TLS is needed, specify the keystore of the client's leaf certificate.

15.1.1.6.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > ca
Type: array of string

Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.

Each item of this array must be: ca items
15.1.1.6.2.3.1. root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > ca > ca items
Type: string
15.1.1.6.2.4. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet
Type: object
Additional properties: Any type: allowed

Description: For Oracle database only. Oracle database uses a client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS.

Oracle Wallet Overview

An Oracle Wallet is a set of configuration files that store authentication and signing credentials.
Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.
ISVA OP requires an Oracle client wallet for SSL connection and mutual TLS. The cwallet.sso file must be present.
See the Oracle Documentation to create or manage an Oracle wallet.

  • Go to the Oracle Database Documentation page in Oracle Help Center.
  • Select your version of Oracle Database.
  • In the Topics section, select Security.
  • In the Centralized User Management section, select Oracle Database Enterprise User Security Administrator's Guide.
  • See the chapter Using Oracle Wallet Manager.

15.1.1.6.2.4.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet > type
Type: enum (of string)

Description: When a wallet is needed, the type of content that is being supplied: either a zip file or a directory name.

Must be one of:

  • "path"
  • "zip"
15.1.1.6.2.4.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet > content
Type: string

Description: The wallet content or path, using the corresponding annotation.

Refer to Special Types and Special Types Available in Kubernetes.

15.1.1.6.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > disable_hostname_verification
Type: bool
Default: false

Description: The flag to enable or disable hostname verification for SSL connections.

15.1.1.7. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings
Type: object
Additional properties: Any type: allowed
Defined in: #/$def/conn_db

Description: Connection pool settings.

15.1.1.7.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > min_pool_size
Type: number
Default: 5

Description: Minimum connection pool size

15.1.1.7.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_idle_size
Type: number
Default: 10

Description: Maximum connection idle size

15.1.1.7.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_pool_size
Type: number
Default: 50

Description: Maximum connection pool size

15.1.1.7.4. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_idle_time
Type: number
Default: 10

Description: Maximum idle time in seconds

15.1.1.7.5. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > aged_timeout
Type: number
Default: 30

Description: Age timeout, in seconds

15.1.1.7.6. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > connect_timeout
Type: number
Default: 5

Description: Connect timeout, in seconds

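As an added example that is not part of the ISVAOP product or its documentation, the following Python linter walks a configuration shaped like the YAML on this page and reports the settings the schema descriptions mark as sensitive: clear-text credentials instead of OBF:/ENC: entries, a missing secrets.obf_key or enc_key, connections with no ssl block or with hostname verification disabled, dynamic registration endpoints that require no authentication, a redis session cache with no cfg, and an unlimited javascript.timeout. It assumes the YAML has already been loaded into a Python dict (a YAML parser is not used here); the sample config is constructed from the page's examples and its credential values are placeholders.

```python
"""Lint an ISVAOP-style configuration dict for risky settings (added example)."""

# Constructed sample mirroring the page's examples; credential values are placeholders.
SAMPLE_CONFIG = {
    "javascript": {"timeout": 0, "max_load": 16},
    "logging": {"level": "finest"},
    "secrets": {},  # no obf_key, although OBF: entries are used below
    "dynamic_registration": {
        "recipe": "FAPI_UK-OB",
        "registration_endpoint_authentication": {
            "require_mtls": True, "require_bearer_token": True,
            "require_software_statement": False, "allow_custom_client_creds": True,
        },
        "management_endpoint_authentication": {
            "require_mtls": False, "require_bearer_token": False,
        },
    },
    "session_cache": {"type": "redis"},  # cfg missing
    "server_connections": [
        {"name": "mypq", "type": "postgresql",
         "credential": {"username": "postgres", "password": "OBF:placeholder=="},
         "ssl": {"certificate": ["ks:postgres_keys"], "disable_hostname_verification": True}},
        {"name": "ldap_staging", "type": "ldap",
         "credential": {"bind_dn": "cn=root,secAuthority=Default",
                        "bind_password": "clear-text-placeholder"}},
    ],
}

# Logging level aliases and fallback, as documented under logging > level.
LEVEL_ALIASES = {"warning": "warn", "fine": "debug", "finest": "trace"}
VALID_LEVELS = {"panic", "fatal", "error", "warn", "info", "debug", "trace"}


def effective_log_level(level):
    """Resolve aliases; an unset or invalid level falls back to info."""
    if not isinstance(level, str):
        return "info"
    level = LEVEL_ALIASES.get(level, level)
    return level if level in VALID_LEVELS else "info"


def _is_protected(value):
    """OBF:/ENC: entries are decrypted with secrets.obf_key / secrets.enc_key."""
    return isinstance(value, str) and value.startswith(("OBF:", "ENC:"))


def lint_config(cfg):
    """Return a list of human-readable findings for the given configuration dict."""
    findings = []
    uses_obf = uses_enc = False

    # 1. Credentials and TLS on every server connection (database, redis, ldap).
    for conn in cfg.get("server_connections", []):
        name = conn.get("name", "<unnamed>")
        cred = conn.get("credential", {})
        secret = cred.get("bind_password", cred.get("password"))  # ldap uses bind_password
        if secret is not None and not _is_protected(secret):
            findings.append(f"{name}: credential stored in clear text; use an OBF: or ENC: entry")
        if isinstance(secret, str):
            uses_obf |= secret.startswith("OBF:")
            uses_enc |= secret.startswith("ENC:")
        ssl = conn.get("ssl")
        if ssl is None:
            findings.append(f"{name}: no ssl block, the connection is not SSL")
        elif ssl.get("disable_hostname_verification", False):
            findings.append(f"{name}: hostname verification disabled")

    # 2. The keys needed to decrypt protected entries must be configured.
    secrets = cfg.get("secrets", {})
    if uses_obf and not secrets.get("obf_key"):
        findings.append("secrets.obf_key missing but OBF: entries are used")
    if uses_enc and not secrets.get("enc_key"):
        findings.append("secrets.enc_key missing but ENC: entries are used")

    # 3. Dynamic client registration endpoints should demand some authentication.
    dcr = cfg.get("dynamic_registration")
    if dcr:
        for ep in ("registration_endpoint_authentication", "management_endpoint_authentication"):
            auth = dcr.get(ep, {})
            if not (auth.get("require_mtls") or auth.get("require_bearer_token")
                    or auth.get("require_software_statement")):
                findings.append(f"dynamic_registration.{ep}: no authentication required")
        if dcr.get("registration_endpoint_authentication", {}).get("allow_custom_client_creds"):
            findings.append("dynamic_registration: client-chosen client_id/client_secret accepted on POST")

    # 4. Session cache wiring and script execution limits.
    sc = cfg.get("session_cache", {})
    if sc.get("type") == "redis" and not sc.get("cfg"):
        findings.append("session_cache: type is redis but cfg names no redis server connection")
    if cfg.get("javascript", {}).get("timeout", 0) == 0:
        findings.append("javascript.timeout is 0: script execution time is unlimited")
    return findings


if __name__ == "__main__":
    print("effective log level:", effective_log_level(SAMPLE_CONFIG["logging"]["level"]))
    for finding in lint_config(SAMPLE_CONFIG):
        print("-", finding)
```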
15.1.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis)
Type: object
Additional properties: Any type: allowed

Description: Session Cache Server Connection

Read more about Session Cache Server Connection.

Example:

runtime_db: mypq # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: redis # Specifies the type of session cache, in-memory, redis, or db.
  cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection
server_connections: # Server connections
  - name: mypq # Connection name
    ...
  - name: ldap_staging # Connection name
    ...
  - name: redis-standalone # Connection name
    type: redis # Connection type
    deployment: # Redis deployment information. For `redis` type only
      model: standalone # Deployment model. standalone or sentinel
      # master: master # Master node information. For `sentinel` model only
    hosts: # List of host information (IP and port)
      - hostname: redis # Server's hostname
        hostport: 6390 # Server's host port
    credential: # Credential information to connect to the host.
      username: isva # Specifies the username to access the server
      password: 'OBF:oUqHV/2VlAeWb1D7uAdfQysti3vh44p5/rpCDR35gn4=' # Specifies the password for the redis server connection. It is recommended to obfuscate this.
    ssl:
      certificate: # The SSL connection certificate array.
        - ks:redis_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:
        key: ks:rt_profile_keys/redis # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/redis # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca: # The mutual_auth connection certificate array.
          - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false # The SSL connection validates the hostname.
15.1.2.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > name
Type: string

Description: Connection name.

15.1.2.2. [Required] Property root > server_connections > server_connections items > server_connection (redis) > type
Type: const

Description: Connection type

Specific value: "redis"

15.1.2.3. [Required] Property root > server_connections > server_connections items > server_connection (redis) > deployment
Type: object
Additional properties: Any type: allowed

Description: Redis deployment information

15.1.2.3.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > deployment > model
Type: enum (of string)

Description: Deployment model.

Must be one of:

  • "standalone"
  • "sentinel"
15.1.2.3.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > deployment > master
Type: string

Description: Master node information. For the sentinel model only.

15.1.2.4. [Required] Property root > server_connections > server_connections items > server_connection (redis) > hosts
Type: array

Description: List of host information (IP and port)

Each item of this array must be: hosts items
15.1.2.4.1. root > server_connections > server_connections items > server_connection (redis) > hosts > hosts items
Type: object
Additional properties: Any type: allowed
15.1.2.4.1.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > hosts > hosts items > hostname
Type: string

Description: Redis Server's hostname

15.1.2.4.1.2. [Required] Property root > server_connections > server_connections items > server_connection (redis) > hosts > hosts items > hostport
Type: number

Description: Redis Server's host port

15.1.2.5. [Required] Property root > server_connections > server_connections items > server_connection (redis) > credential
Type: object
Additional properties: Any type: allowed
Defined in: #/$def/credential

Description: Credential information to connect to the Redis Server.

15.1.2.5.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > credential > username
Type: string

Description: Specifies the username to access the server.

15.1.2.5.2. [Required] Property root > server_connections > server_connections items > server_connection (redis) > credential > password
Type: string

Description: Specifies the password to access the server. Use obfuscation.

15.1.2.6. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl
Type: object
Additional properties: Any type: allowed
Defined in: #/$def/ssl

Description: SSL settings.

15.1.2.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > certificate
Type: array of string

Description: The array of SSL certificates to be used for SSL connection to the database.

Each item of this array must be: certificate items
15.1.2.6.1.1. root > server_connections > server_connections items > server_connection (redis) > ssl > certificate > certificate items
Type: string
15.1.2.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth
Type: object
Additional properties: Any type: allowed
15.1.2.6.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > key
Type: string

Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.

15.1.2.6.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > certificate
Type: string

Description: When mutual TLS is needed, specify the keystore of the client's leaf certificate.

15.1.2.6.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > ca
Type: array of string

Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.

Each item of this array must be: ca items
15.1.2.6.2.3.1. root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > ca > ca items
Type: string
15.1.2.6.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > disable_hostname_verification
Type: bool
Default: false

Description: The flag to enable or disable hostname verification for SSL connections.

15.1.2.7. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings
Type: object
Additional properties: Any type: allowed
Defined in: #/$def/conn_redis

Description: Connection pool settings.

15.1.2.7.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > max_pool_size
Type: number
Default: 50

Description: Maximum connection pool size.

15.1.2.7.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > min_idle_size
Type: number
Default: 3

Description: Minimum connection idle size.

15.1.2.7.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > aged_timeout
Type: number
Default: 10

Description: Age timeout, in seconds.

15.1.2.7.4. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > connect_timeout
Typenumber
Default5

Description: Connect timeout, in seconds.

15.1.2.7.5. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > idle_timeout
Typenumber
Default10

Description: Idle timeout, in seconds.

15.1.2.7.6. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > io_timeout
Typenumber
Default10

Description: Input/Output timeout, in seconds.

15.1.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap)
Typeobject
Additional propertiesAny type: allowed

Description: LDAP Server Connection

Read more about LDAP Server Connection.

Example:

runtime_db: mypq # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db # Specifies the type of session cache, in-memory, redis, or db.
  # cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection
  # life_time: 600 # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600`
  # max_entries: 60000 # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000`
server_connections: # Server connections
  - name: mypq # Connection name
    ...
  - name: ldap_staging # Connection name
    type: ldap # Connection type
    hosts: # List of host information (IP and port)
      - hostname: openldap # Server's hostname
        hostport: 636 # Server's host port
        credential: # Credential information to connect to the host.
          bind_dn: cn=root,secAuthority=Default # Specifies the binding credential for the LDAP server connection.
          bind_password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
        ssl:
          certificate: # The SSL connection certificate array.
            - ks:ldap_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore.
          mutual_auth:
            key: ks:rt_profile_keys/ldap # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
            certificate: ks:rt_profile_keys/ldap # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
            ca: # The mutual_auth connection certificate array.
              - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
          disable_hostname_verification: false # The SSL connection validates the hostname.
    conn_settings: # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
      max_pool_size: 50 # Maximum connection pool size.
      connect_timeout: 3 # Connect timeout, in seconds.
      aged_timeout: 5 # Aged timeout, in seconds.
15.1.3.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > name
Typestring

Description: Connection name.

15.1.3.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > type
Typeconst

Description: Connection type

Specific value: "ldap"

15.1.3.3. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts
Typearray

Description: List of host information (IP and port)

Each item of this array must be: hosts items
15.1.3.3.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items
Typeobject
Additional propertiesAny type: allowed
15.1.3.3.1.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > hostname
Typestring

Description: LDAP Server's hostname

15.1.3.3.1.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > hostport
Typenumber

Description: LDAP Server's host port

15.1.3.3.1.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > credential
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/credential_ldap

Description: Credential information to connect to the LDAP server. It can be specified at the top level if the settings are common across hosts.

15.1.3.3.1.3.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > credential > bind_dn
Typestring

Description: Specifies the binding credential for the LDAP server connection.

15.1.3.3.1.3.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > credential > bind_password
Typestring

Description: Specifies the binding password for the LDAP server connection. Use obfuscation.

15.1.3.3.1.4. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/ssl

Description: SSL settings for the server. It can be specified at the top level if the settings are common across hosts.

15.1.3.3.1.4.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > certificate
Typearray of string

Description: The array of SSL certificates to be used for SSL connection to the database.

Each item of this array must be: certificate items
15.1.3.3.1.4.1.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > certificate > certificate items
Typestring
15.1.3.3.1.4.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth
Typeobject
Additional propertiesAny type: allowed
15.1.3.3.1.4.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > key
Typestring

Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.

15.1.3.3.1.4.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > certificate
Typestring

Description: When mutual TLS is needed, specify the keystore of the client's leaf certificate.

15.1.3.3.1.4.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > ca
Typearray of string

Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.

Each item of this array must be: ca items
15.1.3.3.1.4.2.3.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > ca > ca items
Typestring
15.1.3.3.1.4.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > disable_hostname_verification
Typebool
Defaultfalse

Description: The flag to enable or disable hostname verification for SSL connections.

15.1.3.3.1.5. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/conn_ldap

Description: Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.

15.1.3.3.1.5.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings > max_pool_size
Typenumber
Default50

Description: Maximum connection pool size.

15.1.3.3.1.5.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings > aged_timeout
Typenumber
Default10

Description: Aged timeout, in seconds.

15.1.3.3.1.5.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings > connect_timeout
Typenumber
Default5

Description: Connect timeout, in seconds.

15.1.3.4. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > credential
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/credential_ldap

Description: Credential information to connect to the LDAP server

15.1.3.4.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > credential > bind_dn
Typestring

Description: Specifies the binding credential for the LDAP server connection.

15.1.3.4.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > credential > bind_password
Typestring

Description: Specifies the binding password for the LDAP server connection. Use obfuscation.

15.1.3.5. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/ssl

Description: SSL settings.

15.1.3.5.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > certificate
Typearray of string

Description: The array of SSL certificates to be used for SSL connection to the database.

Each item of this array must be: certificate items
15.1.3.5.1.1. root > server_connections > server_connections items > server_connection (ldap) > ssl > certificate > certificate items
Typestring
15.1.3.5.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth
Typeobject
Additional propertiesAny type: allowed
15.1.3.5.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > key
Typestring

Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.

15.1.3.5.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > certificate
Typestring

Description: When mutual TLS is needed, specify the keystore of the client's leaf certificate.

15.1.3.5.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > ca
Typearray of string

Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.

Each item of this array must be: ca items
15.1.3.5.2.3.1. root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > ca > ca items
Typestring
15.1.3.5.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > disable_hostname_verification
Typebool
Defaultfalse

Description: The flag to enable or disable hostname verification for SSL connections.

15.1.3.6. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/conn_ldap

Description: Connection pool settings.

15.1.3.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings > max_pool_size
Typenumber
Default50

Description: Maximum connection pool size.

15.1.3.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings > aged_timeout
Typenumber
Default10

Description: Aged timeout, in seconds.

15.1.3.6.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings > connect_timeout
Typenumber
Default5

Description: Connect timeout, in seconds.
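The schema above lets `credential`, `ssl` and `conn_settings` sit either on the connection or on an individual host. The following is an added example, not ISVAOP code: it resolves the effective settings for each host (assuming a host-level stanza overrides the top-level one) and flags the choices a reviewer would reject, such as a clear-text `bind_password`, hostname verification switched off, or a `mutual_auth` stanza with a key but no certificate. The sample connection and the `OBF:placeholder-...` password are constructed.

```python
"""Resolve per-host settings of an ISVAOP server_connection of type ldap and
lint the result. Added example, not ISVAOP code; the host-overrides-top-level
merge rule is an assumption drawn from the schema text."""

from copy import deepcopy

# Defaults the schema lists for #/$def/conn_ldap.
CONN_LDAP_DEFAULTS = {"max_pool_size": 50, "aged_timeout": 10, "connect_timeout": 5}
INHERITED_KEYS = ("credential", "ssl", "conn_settings")

# Constructed sample: top-level credential/ssl shared by two hosts; the second
# host overrides both with weaker values. Password values are placeholders.
SAMPLE_CONNECTION = {
    "name": "ldap_staging",
    "type": "ldap",
    "credential": {"bind_dn": "cn=root,secAuthority=Default",
                   "bind_password": "OBF:placeholder-obfuscated-value"},
    "ssl": {"certificate": ["ks:ldap_keys"], "disable_hostname_verification": False},
    "conn_settings": {"connect_timeout": 3},
    "hosts": [
        {"hostname": "openldap", "hostport": 636},
        {"hostname": "openldap-dr", "hostport": 636,
         "credential": {"bind_dn": "cn=root,secAuthority=Default",
                        "bind_password": "clear-text-secret"},
         "ssl": {"certificate": ["ks:ldap_keys"],
                 "disable_hostname_verification": True,
                 "mutual_auth": {"key": "ks:rt_profile_keys/ldap"}}},
    ],
}


def effective_hosts(conn):
    """Return one fully resolved dict per host, with conn_settings defaults applied."""
    resolved = []
    for host in conn.get("hosts", []):
        eff = {"hostname": host["hostname"], "hostport": host["hostport"]}
        for key in INHERITED_KEYS:
            value = host.get(key, conn.get(key))  # host-level wins (assumption)
            eff[key] = deepcopy(value) if value is not None else None
        settings = dict(CONN_LDAP_DEFAULTS)
        settings.update(eff["conn_settings"] or {})
        eff["conn_settings"] = settings
        resolved.append(eff)
    return resolved


def lint_ldap_connection(conn):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    if conn.get("type") != "ldap":
        return [f"{conn.get('name')}: not an ldap connection"]
    for h in effective_hosts(conn):
        where = f"{conn['name']}/{h['hostname']}:{h['hostport']}"
        cred = h["credential"]
        if cred is None:
            findings.append(f"{where}: no credential at host or top level")
        elif not str(cred.get("bind_password", "")).startswith("OBF:"):
            findings.append(f"{where}: bind_password is not obfuscated (expected OBF: prefix)")
        ssl = h["ssl"]
        if ssl is None:
            findings.append(f"{where}: no ssl stanza; connection is not TLS-protected")
            continue
        if ssl.get("disable_hostname_verification", False):
            findings.append(f"{where}: hostname verification disabled")
        if not ssl.get("certificate"):
            findings.append(f"{where}: ssl.certificate is empty; server cannot be validated")
        mtls = ssl.get("mutual_auth") or {}
        if bool(mtls.get("key")) != bool(mtls.get("certificate")):
            findings.append(f"{where}: mutual_auth needs both key and certificate")
        if h["conn_settings"]["connect_timeout"] <= 0:
            findings.append(f"{where}: connect_timeout must be positive")
    return findings


if __name__ == "__main__":
    for line in lint_ldap_connection(SAMPLE_CONNECTION):
        print(line)
```

Run against the constructed sample, the first host resolves cleanly (it inherits the obfuscated credential, the shared `ssl` stanza, and `connect_timeout: 3` on top of the schema defaults), while the second host produces three findings, all attributable to its own overrides.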

16. [Optional] Property root > attribute_sources
Typearray of object
Defined inyaml_attributesource.yml#/definitions/attribute_sources

Description: Attribute Sources

Read more about Attribute Sources.

Each item of this array must be: attribute_sources items. Description: Attribute source can be categorized into 'value', 'credential', and 'ldap'. Refer to each attribute source category for details.

16.1. root > attribute_sources > attribute_sources items

Typeobject
Additional propertiesAny type: allowed

Description: Attribute source can be categorized into value, credential, and ldap. Refer to each attribute source category for details.

16.1.1. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (value)
Typeobject
Additional propertiesAny type: allowed
16.1.1.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > id
Typestring
Defined in#/$def/attribute_source/properties/id

Description: Attribute source ID.

16.1.1.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > name
Typestring
Defined in#/$def/attribute_source/properties/name

Description: Attribute source name.

16.1.1.3. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > type
Typeconst

Description: Attribute source type.

Specific value: "value"

16.1.1.4. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > value
Typestring

Description: Attribute source value. For attribute source of type value, this type contains the fixed value.

16.1.2. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (credential)
Typeobject
Additional propertiesAny type: allowed
16.1.2.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > id
Typestring
Defined in#/$def/attribute_source/properties/id

Description: Attribute source ID.

16.1.2.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > name
Typestring
Defined in#/$def/attribute_source/properties/name

Description: Attribute source name.

16.1.2.3. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > type
Typeconst

Description: Attribute source type.

Specific value: "credential"

16.1.2.4. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > value
Typestring

Description: Attribute source value. For credential type, it refers to a credential attribute.

16.1.3. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (ldap)
Typeobject
Additional propertiesAny type: allowed
16.1.3.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > id
Typestring
Defined in#/$def/attribute_source/properties/id

Description: Attribute source ID.

16.1.3.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > name
Typestring
Defined in#/$def/attribute_source/properties/name

Description: Attribute source name.

16.1.3.3. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > type
Typeconst

Description: Attribute source type.

Specific value: "ldap"

16.1.3.4. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > value
Typestring

Description: Attribute source value. For ldap type, it refers to an LDAP attribute to be retrieved.

16.1.3.5. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > scope
Typeenum (of string)

Description: Only applicable for attribute source of type ldap. LDAP search scope.

Must be one of:

  • "base"
  • "one level"
  • "subtree"
16.1.3.6. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > filter
Typestring

Description: Only applicable for attribute source of type ldap. LDAP search filter. It might contain macros, as shown in the example.

16.1.3.7. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > selector
Typestring

Description: Only applicable for attribute source type ldap. LDAP selector that contains attributes that are retrieved together.

16.1.3.8. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > srv_conn
Typestring

Description: Only applicable for attribute source of type ldap. LDAP server connection name. This value links to an ldap server connection.

16.1.3.9. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > baseDN
Typestring

Description: Only applicable for attribute source of type ldap. LDAP base DN. It might contain macros similar to filter.

Example:

attribute_sources:
  - id: 1
    name: display_name
    type: value
    value: anonymous
  - id: 2
    name: age
    type: credential
    value: AZN_CRED_AGE
  - id: 3
    name: surname
    type: ldap
    value: sn
    scope: subtree
    filter: (cn={AZN_CRED_PRINCIPAL_NAME})
    selector: nickname,gender,sn
    srv_conn: ldap
    baseDN: dc=ibm,dc=com
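The `filter` and `baseDN` of an ldap attribute source may carry macros such as `{AZN_CRED_PRINCIPAL_NAME}`, which are filled from the authenticated user's credential. The page does not describe how ISVAOP expands them, so the following is an added illustration, not product code: it shows what a safe expansion looks like, escaping the substituted value per RFC 4515 inside a search filter and per RFC 4514 inside a DN, so that a credential attribute containing `*`, `(` or `,` is matched literally rather than reshaping the query. The `AZN_CRED_DEPT` macro in the constructed `baseDN` and the credential values are assumptions made for the example.

```python
"""Expand {MACRO} placeholders in an ldap attribute source's filter and baseDN
with RFC 4515 / RFC 4514 escaping. Added example; not ISVAOP code."""

import re

MACRO = re.compile(r"\{([A-Za-z0-9_]+)\}")

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN value.
_DN_SPECIAL = set(',+"\\<>;=')

# Constructed sample: the `surname` source from the page's example, with an
# assumed {AZN_CRED_DEPT} macro added to baseDN to show DN escaping as well.
SAMPLE_SOURCE = {
    "id": 3, "name": "surname", "type": "ldap", "value": "sn", "scope": "subtree",
    "filter": "(cn={AZN_CRED_PRINCIPAL_NAME})", "selector": "nickname,gender,sn",
    "srv_conn": "ldap", "baseDN": "ou={AZN_CRED_DEPT},dc=ibm,dc=com",
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape a string for use as an attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def expand(template, credential, escape):
    """Replace every {NAME} in template with the escaped credential attribute NAME."""
    def repl(match):
        name = match.group(1)
        if name not in credential:
            raise KeyError(f"macro {name} has no value in the credential")
        return escape(str(credential[name]))
    return MACRO.sub(repl, template)


def resolve_ldap_source(source, credential):
    """Return the concrete search parameters for one ldap attribute source."""
    if source.get("type") != "ldap":
        raise ValueError("only ldap attribute sources carry filter/baseDN")
    return {
        "filter": expand(source["filter"], credential, escape_filter_value),
        "baseDN": expand(source["baseDN"], credential, escape_dn_value),
        "scope": source["scope"],
        "attributes": [a.strip() for a in source["selector"].split(",")],
    }


if __name__ == "__main__":
    cred = {"AZN_CRED_PRINCIPAL_NAME": "alice", "AZN_CRED_DEPT": "R&D, Sales"}
    print(resolve_ldap_source(SAMPLE_SOURCE, cred))
```

The point of the escaping is visible on hostile input: a principal name of `*)(objectclass=*` becomes `(cn=\2a\29\28objectclass=\2a)`, a filter that matches only a user literally named that way, and a department `R&D, Sales` becomes `ou=R&D\, Sales,dc=ibm,dc=com` rather than introducing an extra RDN.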
17. [Optional] Property root > ldapcfg
Typearray of object
Defined inyaml_ldapcfg.yml#/definitions/ldapcfg

Description: LDAP configuration used by the UserLookupHelper and LdapAttributeUtil JavaScript utilities.

Each item of this array must be: ldapcfg items. Description: LDAP Configuration ...

17.1. root > ldapcfg > ldapcfg items

Typeobject
Additional propertiesAny type: allowed

Description: LDAP Configuration

Read more about LDAP configuration.

17.1.1. [Required] Property root > ldapcfg > ldapcfg items > name
Typestring

Description: The unique name of this ldap configuration. This name is used to initialize UserLookupHelper and LdapAttributeUtil.

17.1.2. [Required] Property root > ldapcfg > ldapcfg items > filter
Typestring

Description: Search filter for UserLookupHelper

17.1.3. [Required] Property root > ldapcfg > ldapcfg items > user_object_classes
Typestring

Description: Comma-separated user object classes

17.1.4. [Required] Property root > ldapcfg > ldapcfg items > attribute
Typestring

Description: Main Attribute to be retrieved

17.1.5. [Required] Property root > ldapcfg > ldapcfg items > selector
Typestring

Description: Comma-separated attributes that are retrieved

17.1.6. [Required] Property root > ldapcfg > ldapcfg items > srv_conn
Typestring

Description: srv_conn is the name of the ldap server connection this ldap configuration applies to. The ldap server connection is defined in the server_connections section of the storage configuration.

17.1.7. [Required] Property root > ldapcfg > ldapcfg items > baseDN
Typestring

Description: Base DN

Example:

ldapcfg:
  - name: ldap_staging_config_01
    user_object_classes: top,Person,organizationalPerson,inetOrgPerson
    filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
    selector: objectClass,cn,sn,givenName,userPassword
    srv_conn: ldap_staging
    attribute: uid
    baseDN: dc=ibm,dc=com
18. [Optional] Property root > clients
Typearray of object
Defined inyaml_clients.yml#/definitions/clients

Description: Clients

Read more about Clients.

Each item of this array must be: clients items. Description: Client Configuration ...

18.1. root > clients > clients items

Typeobject
Additional propertiesAny type: allowed

Description: Client Configuration

Read more about Client Configuration.

18.1.1. [Required] Property root > clients > clients items > client_id
Typestring

Description: Client identifier.

18.1.2. [Required] Property root > clients > clients items > client_secret
Typestring

Description: Client secret that is used for client authentication, and JWT signing and encryption. It is recommended to be an obfuscated string. The obfuscation key is read from the provider configuration secrets stanza.

18.1.3. [Required] Property root > clients > clients items > client_name
Typestring

Description: Name of the client.

18.1.4. [Optional] Property root > clients > clients items > client_id_issued_at
Typetimestamp

Description: Timestamp (in seconds) from when the client is created.

18.1.5. [Required] Property root > clients > clients items > enabled
Typeboolean

Description: Set to true to enable this client

18.1.6. [Required] Property root > clients > clients items > grant_types
Typestring array

Description: Grant type that the client is allowed to use at the token endpoint.

18.1.7. [Required] Property root > clients > clients items > response_types
Typestring array

Description: Response type that the client is allowed to use at the authorization endpoint.

18.1.8. [Required] Property root > clients > clients items > redirect_uris
Typestring array

Description: Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.

18.1.9. [Required] Property root > clients > clients items > request_uris
Typestring array

Description: Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.

18.1.10. [Optional] Property root > clients > clients items > scopes
Typestring array

Description: A list of scope values that the client can use when it requests access tokens.

18.1.11. [Optional] Property root > clients > clients items > jwks_uri
Typestring

Description: URL string that references the client's JSON Web Key (JWK) set document that contains the client's public keys.

18.1.12. [Optional] Property root > clients > clients items > id_token_signed_response_alg
Typestring

Description: JWS alg algorithm for signing the ID Token that is issued to the Client. Optional. If present, it must always be the same as the token_settings.signing_alg value set in the provider configuration.

18.1.13. [Optional] Property root > clients > clients items > id_token_encrypted_response_alg
Typestring

Description: JWE alg algorithm for encrypting the ID Token that is issued to the Client.

18.1.14. [Optional] Property root > clients > clients items > id_token_encrypted_response_enc
Typestring

Description: JWE enc algorithm for encrypting the ID Token that is issued to the Client.

18.1.15. [Optional] Property root > clients > clients items > userinfo_signed_response_alg
Typestring

Description: JWS alg algorithm for signing UserInfo Responses.

18.1.16. [Optional] Property root > clients > clients items > userinfo_encrypted_response_alg
Typestring

Description: JWE alg algorithm for encrypting UserInfo Responses.

18.1.17. [Optional] Property root > clients > clients items > userinfo_encrypted_response_enc
Typestring

Description: JWE enc algorithm for encrypting UserInfo Responses.

18.1.18. [Optional] Property root > clients > clients items > request_object_signing_alg
Typestring

Description: JWS alg algorithm that must be used for signing Request Objects sent to the OIDC Provider.

18.1.19. [Optional] Property root > clients > clients items > request_object_encryption_alg
Typestring

Description: JWE alg algorithm the Relying Party is declaring that it may use for encrypting Request Objects sent to the OIDC Provider.

18.1.20. [Optional] Property root > clients > clients items > request_object_encryption_enc
Typestring

Description: JWE enc algorithm the Relying Party is declaring that it might use for encrypting Request Objects sent to the OIDC Provider.

18.1.21. [Required] Property root > clients > clients items > token_endpoint_auth_method
Typestring

Description: Requested authentication method for the backend endpoints (token, introspect, revoke).

18.1.22. [Optional] Property root > clients > clients items > token_endpoint_auth_signing_alg
Typestring

Description: JWS alg algorithm that must be used for signing the JWT that is used to authenticate the Client at the Token Endpoint for the private_key_jwt authentication methods.

18.1.23. [Optional] Property root > clients > clients items > token_endpoint_auth_single_use_jti
Typeboolean

Description: When set to true and client assertion is used as the method to perform client authentication, the client assertion cannot be reused.

18.1.24. [Optional] Property root > clients > clients items > tls_client_auth_subject_dn
Typestring

Description: Expected subject distinguished name of the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.25. [Optional] Property root > clients > clients items > tls_client_auth_san_dns
Typestring

Description: Expected DNS name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.26. [Optional] Property root > clients > clients items > tls_client_auth_san_email
Typestring

Description: Expected RFC822 name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.27. [Optional] Property root > clients > clients items > tls_client_auth_san_ip
Typestring

Description: Expected IP address SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.28. [Optional] Property root > clients > clients items > tls_client_auth_san_uri
Typestring

Description: Expected URI SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.29. [Optional] Property root > clients > clients items > tls_client_certificate_bound_access_tokens
Typeboolean
Defaultfalse

Description: Indicates the client's intention to use mutual-TLS client certificate-bound access tokens. The default value is false.

18.1.30. [Optional] Property root > clients > clients items > require_pushed_authorization_requests
Typeboolean

Description: Indicates the client's intention to enforce usage of push authorization request (PAR) to trigger authorize flow.

18.1.31. [Optional] Property root > clients > clients items > require_pkce
Typeboolean

Description: Indicates the client's intention to enforce usage of proof-key for code exchange.

18.1.32. [Optional] Property root > clients > clients items > backchannel_token_delivery_mode
Typeenum (of string)

Description: Backchannel token delivery mode. One of the following values: poll or ping

Must be one of:

  • "poll"
  • "ping"
18.1.33. [Optional] Property root > clients > clients items > backchannel_user_code_parameter
Typeboolean
Defaultfalse

Description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is false. This parameter only applies when definition.backchannel_settings.user_code_support in the provider configuration is set to true.

18.1.34. [Optional] Property root > clients > clients items > backchannel_client_notification_endpoint
Typestring

Description: REQUIRED if the token delivery mode is set to ping. This is the endpoint to which the ISVAOP will post a notification after a successful or failed end-user authentication. It MUST be an HTTPS URL.

18.1.35. [Optional] Property root > clients > clients items > dpop_bound_access_tokens
Typeboolean

Description: Boolean value specifying whether to add the jkt claim to the cnf claim in the access token.

18.1.36. [Optional] Property root > clients > clients items > dpop_signing_alg
Typestring

Description: Expected JWS alg algorithm for signing the DPoP proof JWT. Optional.

18.1.37. [Optional] Property root > clients > clients items > dpop_single_use_jti
Typeboolean

Description: When set to true the DPoP proof JWT should contain a unique identifier in the jti claim which cannot be re-used.

18.1.38. [Optional] Property root > clients > clients items > response_modes
Typestring array

Description: This parameter informs the authorization server of the allowed list of modes that the client expects for the authorization response.

18.1.39. [Optional] Property root > clients > clients items > token_exchange_settings
Typeobject
Additional propertiesAny type: allowed

Description: Token exchange configuration.

18.1.39.1. [Optional] Property root > clients > clients items > token_exchange_settings > client_groups
Typestring array

Description: The list of OpenID Connect client groups. Client groups are a way of tagging clients. Tokens generated by a client can be used as the subject token for token exchange with another client that carries the same tag. If this list is empty, any client can use the tokens generated from this client as the subject token for token exchange.

18.1.39.2. [Optional] Property root > clients > clients items > token_exchange_settings > supported_subject_token_types
Typestring array

Description: This parameter indicates the list of subject token types supported for token exchange. A subject token represents the identity of the party on behalf of whom the token is being requested.

18.1.39.3. [Optional] Property root > clients > clients items > token_exchange_settings > supported_requested_token_types
Typestring array

Description: This parameter indicates the list of requested token types supported for token exchange.

18.1.39.4. [Optional] Property root > clients > clients items > token_exchange_settings > supported_actor_token_types
Typestring array

Description: This parameter indicates the list of actor token types supported for token exchange. An actor token represents the identity of the party to whom the access rights of the issued token are being delegated.

18.1.40. [Optional] Property root > clients > clients items > extension
Typeobject
Additional propertiesAny type: allowed

Description: Other information about the client that does not fit the metadata above.
The following non-exhaustive list of information goes into the extension.

18.1.40.1. [Optional] Property root > clients > clients items > extension > company_name
Typestring

Description: Company name that is associated with this Client.

18.1.40.2. [Optional] Property root > clients > clients items > extension > company_url
Typestring

Description: Company URL that is associated with this Client.

18.1.40.3. [Optional] Property root > clients > clients items > extension > email
Typestring

Description: Email address that is associated with this Client.

18.1.40.4. [Optional] Property root > clients > clients items > extension > phone
Typestring

Description: Phone number that is associated with this Client.

18.1.40.5. [Optional] Property root > clients > clients items > extension > contact_person
Typestring

Description: Contact person that is associated with this Client.

18.1.40.6. [Optional] Property root > clients > clients items > extension > contact_type
Typestring

Description: Contact type that is associated with this Client.

18.1.40.7. [Optional] Property root > clients > clients items > extension > otherInfo
Typestring

Description: Other information associated with this Client.

18.1.40.8. [Optional] Property root > clients > clients items > extension > encryptKey
Typestring

Description: Key label of the signer key that is used to encrypt ID token.

18.1.40.9. [Optional] Property root > clients > clients items > extension > encryptDB
Typestring

Description: Keystore of the signer key that is used to encrypt ID token.

18.1.40.10. [Optional] Property root > clients > clients items > extension > contacts
Typestring array

Description: Email addresses of people responsible for the Client.

18.1.40.11. [Optional] Property root > clients > clients items > extension > logo_uri
Typestring

Description: URL that references a logo for the Client application.

18.1.40.12. [Optional] Property root > clients > clients items > extension > client_uri
Typestring

Description: URL of the home page of the Client.

18.1.40.13. [Optional] Property root > clients > clients items > extension > policy_uri
Typestring

Description: URL that the Relying Party Client provides to the user to read about how the profile data is used.

18.1.40.14. [Optional] Property root > clients > clients items > extension > tos_uri
Typestring

Description: URL that the Relying Party Client provides to the user to read about the Relying Party's terms of service.

Example:

clients:
  - client_id: clientTemplate
    client_secret: "OBF:U2FsdGVkX19iBhlwc53QkybjO6RjFHhSbz4VRudYHA=" # Client secret that is used for client authentication and/or JWT signing/encryption. `OBF:` indicates obfuscated string.
    client_name: Client Template with Comments # Name of the client.
    client_id_issued_at: 1642399207 # Timestamp (in seconds) from when the client is created.
    enabled: true # Set to `true` to enable this client.
    grant_types: # Grant types that the client is allowed to use at the token endpoint.
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - urn:openid:params:grant-type:ciba
      - urn:ietf:params:oauth:grant-type:token-exchange
      - urn:ietf:params:oauth:grant-type:jwt-bearer
    response_types: # Response types that the client is allowed to use at the authorization endpoint.
      - code id_token
      - code
      - code token
      - none
      - code token id_token
    redirect_uris: # Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
      - https://www.rp.com/redirect
    request_uris: # Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
      - https://www.rp.com/request/test.jwt
    scopes: # A list of scope values that the client can use when requesting access tokens.
      - cdr:registration
      - openid
      - profile
    jwks_uri: https://www.rp.com/oidc/endpoint/default/jwks # URL string referencing the client's JSON Web Key (JWK) set document, which contains the client's public keys.
    id_token_signed_response_alg: PS512 # JWS alg algorithm for signing the ID Token that is issued to the Client. Optional. If present, it must always be the same as the token_settings.signing_alg value set in provider.yml.
    id_token_encrypted_response_alg: none # JWE alg algorithm for encrypting the ID Token that is issued to the Client. Optional, default is `none`.
    id_token_encrypted_response_enc: none # JWE enc algorithm for encrypting the ID Token that is issued to the Client. Optional, default is `none`.
    userinfo_signed_response_alg: none # JWS alg algorithm for signing UserInfo Responses.
    userinfo_encrypted_response_alg: none # JWE alg algorithm for encrypting UserInfo Responses. Optional, default is `none`.
    userinfo_encrypted_response_enc: none # JWE enc algorithm for encrypting UserInfo Responses. Optional, default is `none`.
    request_object_signing_alg: PS256 # JWS alg algorithm that MUST be used for signing Request Objects sent to the OIDC Provider.
    request_object_encryption_alg: none # JWE alg algorithm the Relying Party declares that it may use for encrypting Request Objects sent to the OIDC Provider.
    request_object_encryption_enc: none # JWE enc algorithm the Relying Party declares that it may use for encrypting Request Objects sent to the OIDC Provider.
    token_endpoint_auth_method: tls_client_auth # Requested authentication method for the backend endpoints (token, introspect, revoke).
    # token_endpoint_auth_signing_alg: RS384 # JWS alg algorithm that MUST be used for signing the JWT that authenticates the Client at the Token Endpoint for the `private_key_jwt` authentication method.
    token_endpoint_auth_single_use_jti: false # When set to `true` and a client assertion is used to perform client authentication, the client assertion cannot be reused.
    tls_client_auth_subject_dn: CN=clientTemplateWithComments,OU=security,O=IBM,L=singapore,ST=singapore,C=SG # Expected subject distinguished name of the certificate that the OAuth client uses in mutual-TLS authentication.
    # tls_client_auth_san_dns: www.rp.com # Expected DNS name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
    # tls_client_auth_san_email: client@www.rp.com # Expected RFC822 name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
    # tls_client_auth_san_ip: 1.2.3.4 # Expected IP address SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
    # tls_client_auth_san_uri: https://www.rp.com # Expected URI SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
    tls_client_certificate_bound_access_tokens: false # Indicates the client's intention to use mutual-TLS client certificate-bound access tokens. The default value is `false`.
    require_pushed_authorization_requests: false # Indicates the client's intention to enforce usage of pushed authorization requests (PAR) to trigger the authorize flow.
    require_pkce: true # Indicates the client's intention to enforce usage of Proof Key for Code Exchange (PKCE).
    backchannel_token_delivery_mode: poll # Backchannel token delivery mode. One of the following values: `poll` or `ping`.
    backchannel_user_code_parameter: false # Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is `false`. This parameter only applies when definition.backchannel_settings.user_code_support in provider.yml is set to `true`.
    # backchannel_client_notification_endpoint: http://www.rp.com/auth/notification # REQUIRED if the token delivery mode is set to `ping`. This is the endpoint to which ISVAOP posts a notification after a successful or failed end-user authentication. It MUST be an HTTPS URL.
    dpop_bound_access_tokens: true # Boolean value specifying whether to add the `jkt` claim to the `cnf` claim in the access token.
    dpop_signing_alg: PS256 # Expected JWS `alg` algorithm for signing the DPoP proof JWT.
    dpop_single_use_jti: false # When set to `true`, the DPoP proof JWT must contain a unique identifier in the `jti` claim, which cannot be reused.
    response_modes: # Informs the authorization server of the allowed list of response_modes that the client expects for the authorization response.
      - query
      - fragment
      - form_post
      - query.jwt
      - fragment.jwt
      - form_post.jwt
      - jwt
    token_exchange_settings:
      client_groups:
        - benefits
        - insurance
      supported_subject_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
      supported_actor_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
        - urn:x-oath:params:oauth:token-type:device-secret
      supported_requested_token_types:
        - urn:ietf:params:oauth:token-type:access_token
        - urn:ietf:params:oauth:token-type:refresh_token
        - urn:ietf:params:oauth:token-type:id_token
    extension: # Other information about the client that does not fit the above metadata.
      email: joe@ibm.com
      contact_type: ADMINISTRATOR
      company_name: IBM
      encryptDB: rt_encrypt
      encryptKey: rsa

19. [Required] Property root > keystore
Type: array of object
Defined in: yaml_keystore.yml#/definitions/keystore

Description: Specifies the keystores that IBM Security Verify Access OIDC Provider (ISVAOP) is using.

Also refer to key management.

Each item of this array must be | Description
keystore items | Specify each keystore in one of the following types. ...

19.1. root > keystore > keystore items

Type: object
Additional properties: Any type: allowed

Description: Specify each keystore in one of the following types.

type | description
p12 | Specifies a PFX (.p12 file) keystore
pem | Specifies the keystore's certificates and keys in PEM format
zip | Specifies the keystore using a zip file
path | Specifies the path to the keystore contents

19.1.1. [Optional] Property root > keystore > keystore items > keystore (p12)
Type: object
Additional properties: Any type: allowed

19.1.1.1. [Required] Property root > keystore > keystore items > keystore (p12) > name
Type: string

Description: The keystore name

19.1.1.2. [Required] Property root > keystore > keystore items > keystore (p12) > type
Type: const

Description: The keystore type

Specific value: "p12"

19.1.1.3. [Required] Property root > keystore > keystore items > keystore (p12) > content
Type: string

Description: The p12 keystore content or path using corresponding annotation.

Refer to Special Types and Special Types Available in Kubernetes.

19.1.1.4. [Required] Property root > keystore > keystore items > keystore (p12) > password
Type: string

Description: The p12 keystore password. Use obfuscation.

19.1.2. [Optional] Property root > keystore > keystore items > keystore (pem)
Type: object
Additional properties: Any type: allowed

19.1.2.1. [Required] Property root > keystore > keystore items > keystore (pem) > name
Type: string

Description: The keystore name

19.1.2.2. [Required] Property root > keystore > keystore items > keystore (pem) > type
Type: const

Description: The keystore type

Specific value: "pem"

19.1.2.3. [Optional] Property root > keystore > keystore items > keystore (pem) > certificate
Type: array of object

Description: Signer certificates of the keystore in PEM format

Each item of this array must be | Description
certificate items | Signer certificate in PEM format

19.1.2.3.1. root > keystore > keystore items > keystore (pem) > certificate > certificate items
Type: object
Additional properties: Any type: allowed

Description: Signer certificate in PEM format

19.1.2.3.1.1. [Required] Property root > keystore > keystore items > keystore (pem) > certificate > certificate items > label
Type: string

Description: Signer certificate label

19.1.2.3.1.2. [Required] Property root > keystore > keystore items > keystore (pem) > certificate > certificate items > content
Type: string

Description: Signer certificate content or path using corresponding annotation.

Refer to Special Types and Special Types Available in Kubernetes.

19.1.2.4. [Optional] Property root > keystore > keystore items > keystore (pem) > key
Type: array of object

Description: Personal certificate of the keystore in PEM format

Each item of this array must be | Description
key items | Personal certificate in PEM format

19.1.2.4.1. root > keystore > keystore items > keystore (pem) > key > key items
Type: object
Additional properties: Any type: allowed

Description: Personal certificate in PEM format

19.1.2.4.1.1. [Required] Property root > keystore > keystore items > keystore (pem) > key > key items > label
Type: string

Description: Personal certificate label

19.1.2.4.1.2. [Required] Property root > keystore > keystore items > keystore (pem) > key > key items > content
Type: string

Description: Personal certificate content or path using corresponding annotation.

Refer to Special Types and Special Types Available in Kubernetes.

19.1.3. [Optional] Property root > keystore > keystore items > keystore (zip)
Type: object
Additional properties: Any type: allowed

19.1.3.1. [Required] Property root > keystore > keystore items > keystore (zip) > name
Type: string

Description: The keystore name

19.1.3.2. [Required] Property root > keystore > keystore items > keystore (zip) > type
Type: const

Description: The keystore type

Specific value: "zip"

19.1.3.3. [Required] Property root > keystore > keystore items > keystore (zip) > content
Type: string

Description: The keystore zip file content or path using corresponding annotation.

Refer to Special Types and Special Types Available in Kubernetes.

19.1.4. [Optional] Property root > keystore > keystore items > keystore (path)
Type: object
Additional properties: Any type: allowed

19.1.4.1. [Required] Property root > keystore > keystore items > keystore (path) > name
Type: string

Description: The keystore name

19.1.4.2. [Required] Property root > keystore > keystore items > keystore (path) > type
Type: const

Description: The keystore type

Specific value: "path"

19.1.4.3. [Required] Property root > keystore > keystore items > keystore (path) > content
Type: string

Description: The keystore path relative to the /var/isvaop/config directory of the container

Example:

keystore:
  - name: ks1
    type: p12
    content: "B64:<encoded_p12>"
    password: "OBF:<obfuscated_p12_password>"
  - name: ks2
    type: pem
    certificate:
      - label: cert01
        content: "B64:<encoded PEM>"
      - label: cert02
        content: "@<file>"
      - label: cert03
        content: |
          <inline PEM>
    key:
      - label: key01
        content: "B64:<encoded PEM>"
      - label: key02
        content: "@<file>"
      - label: key03
        content: |
          <inline PEM>
  - name: ks3
    type: zip
    content: "B64:<encoded zip>"
  - name: ks4
    type: path
    content: "keystore/ks4_contents"

20. [Optional] Property root > rules
Type: object
Additional properties: Any type: allowed
Defined in: yaml_rules.yml#/definitions/rules

Description: Specifies the access policies and mapping rules that IBM Security Verify Access OIDC Provider (ISVAOP) runtime flows are using.

Example:

rules:
  access_policy:
    - name: default_policy
      type: javascript
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
  mapping:
    - name: isvaop_pretoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: isvaop_posttoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: attrUtil
      content: "B64:aW1wb3J0Q2xhc3MoUGFj...Cg=="
    - name: checkstatus
      content: "configmap:rules/mapping_checkstatus.js"
    - name: dcr
      content: "B64:aW1wb...pCn0K"
    - name: extCache
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: httpClient
      content: "configmap:rules/mapping_httpClient.js"
    - name: jwt
      content: "B64:aW1wb...T047"
    - name: ldapClient
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: library
      content: "configmap:rules/mapping_library.js"
    - name: notifyuser
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: oauthUtil
      content: "B64:aW1w...Cgo="
    - name: ropc
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...

20.1. [Optional] Property root > rules > mapping
Type: array of object

Description: JavaScript mapping rules

Each item of this array must be | Description
mapping items | JavaScript Mapping rule ...

20.1.1. root > rules > mapping > mapping items

Type: object
Additional properties: Any type: allowed

Description: JavaScript Mapping rule

Read more about JavaScript Mapping rule.

20.1.1.1. [Required] Property root > rules > mapping > mapping items > name
Type: string

Description: The mapping rule name

20.1.1.2. [Required] Property root > rules > mapping > mapping items > content
Type: string

Description: The mapping rule content or path using corresponding annotation.

Refer to Special Types and Special Types Available in Kubernetes.

20.1.1.3. [Optional] Property root > rules > mapping > mapping items > type
Type: enum (of string)
Default: "javascript"

Description: The mapping rule type

Must be one of:

  • "javascript"
20.2. [Optional] Property root > rules > access_policy
Type: array of object

Description: Access Policies

Each item of this array must be | Description
access_policy items | Access Policy ...

20.2.1. root > rules > access_policy > access_policy items

Type: object
Additional properties: Any type: allowed

Description: Access Policy

Read more about Access Policy.

20.2.1.1. [Required] Property root > rules > access_policy > access_policy items > name
Type: string

Description: The access policy name

20.2.1.2. [Required] Property root > rules > access_policy > access_policy items > content
Type: string

Description: The access policy content or path using corresponding annotation.

Refer to Special Types and Special Types Available in Kubernetes.

20.2.1.3. [Optional] Property root > rules > access_policy > access_policy items > type
Type: enum (of string)
Default: "javascript"

Description: The access policy type

Must be one of:

  • "javascript"