YAML Configuration Guide

Schema Docs

Type: object
Additional properties: any type allowed
Defined in: #/definitions/config_root

Description: Yaml Configuration Guide.

To get started with authoring ISVAOP configuration YAML, refer to the Configuration.

Example:

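# Full YAML based configuration example
# Values written as 'secret:<path>', 'configmap:<path>', 'ks:<name>' and
# 'b64:<data>' appear to be reference prefixes resolved by the provider; they
# are quoted here so no YAML parser reinterprets them.
version: '24.06'  # quoted: the schema declares version a string, and an unquoted 24.10 would load as the float 24.1
server:
  ssl:
    key: 'secret:keystore/httpserverkey.pem'
    certificate: 'secret:keystore/httpservercert.pem'
    require_mtls: true  # space before ':' removed (yamllint colons)
    client_auth_trust_store: 'ks:truststore'  # keystore entry named truststore below holds the accepted client certificates
  pages:
    type: zip
    content: 'configmap:provider/pages.zip'
logging:
  level: debug  # verbose; confirm before production use that debug output does not include tokens or credentials
secrets:
  obf_key: 'secret:keystore/obf_key'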
template_macros:
  # Authenticated user claims made available to templates.
  user_macros:
    - name
    - family_name
    - given_name
    - display_name
  # Request parameters made available to templates.
  request_macros:
    - authorization_details
    - claims
    - user_code
    - state
ssl:
  # Defaults for outbound SSL connections; a server_connections entry that
  # sets its own ssl block overrides these.
  certificate:
    - 'ks:rt_profile_keys'
  disable_hostname_verification: true  # true skips hostname verification on every connection that does not override it
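definition:
  id: '1'  # schema type is string; quoted so the loader does not produce an int
  name: OIDC Definition
  grant_types:
    - authorization_code
    - implicit
    - password
    - client_credentials
    - refresh_token
    - 'urn:openid:params:grant-type:ciba'
  access_policy_id: '1'  # schema type is string
  # Mapping rules are referenced by the name given under rules.mapping
  # (compare backchannel_settings and dynamic_registration.mappingrule_id);
  # the previous values 100/101 matched no rule name in this file.
  pre_mappingrule_id: isvaop_pretoken
  post_mappingrule_id: isvaop_posttoken
  base_url: 'https://localhost:445'
  mtls_base_url: 'https://localhost:445'
  mtls_certificate_header_name: X-Client-Certificate  # HTTP header carrying the client certificate; only the TLS-terminating proxy should be able to set it
  features:
    enable_fault_tolerance: false
    enable_dynamic_registration: true
    consent_prompt: NEVER_PROMPT  # one of ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER
    fapi_compliant: false
    enforce_par: false
  token_settings:
    issuer: 'https://www.ibm.com'
    signing_alg: RS256
    signing_keystore: rt_profile  # keystore name without the ks: prefix
    signing_keylabel: rsa256  # key label without the ks: prefix
    authorization_code_lifetime: 300  # seconds
    access_token_lifetime: 7200  # seconds
    id_token_lifetime: 3600  # seconds
    refresh_token_lifetime: 64800  # seconds
  request_object:
    lifetime: 3600  # seconds; maximum age of an incoming request JWT
    require_expiry: true
    only_request_object_params: false
    enforce_single_usage: false
  backchannel_settings:
    default_expiry: 900  # seconds
    maximum_expiry: 1800  # seconds
    polling_interval: 5  # seconds
    notifyuser_mappingrule_id: notifyuser
    checkstatus_mappingrule_id: checkstatus
  attribute_map:
    # claim name -> attribute name; attributes are resolved through
    # attribute_sources below (display_name is source id 1, age is source id 2)
    name: display_name
    age: age
  metadata:
    claims_supported:
      - iss
      - name
      - displayName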
janitor:
  batch_size: 1000
  max_duration: 0  # presumably 0 means unlimited — confirm against the janitor documentation
  check_frequency: 10
jwks:
  signing_keystore: rt_profile  # keystore name, no ks: prefix
  encryption_keystore: rt_profile  # keystore name, no ks: prefix
authentication:
  # Same value as the folded form; a single-quoted scalar keeps the ':' characters literal.
  endpoint: 'https://auth-machine/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:password'
  callback_param_name: Target  # query parameter that carries the URI to return to after authentication
javascript:
  timeout: 0
  max_load: 16
  max_idle_time: 600
  max_ctx_in_isolate: 0
  cleanup_frequency: 0
  use_pool: false
dynamic_registration:
  recipe: Default
  mappingrule_id: dcr  # rules.mapping entry named dcr
  software_statement_validation:
    jwks_uri: 'https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks'
    signing_algs:
      - PS256
      - ES256
  # With all three require_* flags false the registration endpoint appears to
  # accept unauthenticated registrations; the management endpoint asks for a
  # bearer token. Review this before exposing the endpoint beyond a test setup.
  registration_endpoint_authentication:
    require_mtls: false
    require_bearer_token: false
    require_software_statement: false
    allow_custom_client_creds: true  # registrants may supply their own client credentials
  management_endpoint_authentication:
    require_mtls: false
    require_bearer_token: true
    require_software_statement: false
  registration_access_token:
    generate: true
    lifetime: 86400  # seconds
    scopes:
      - 'cdr:registration'

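runtime_db: mydb2  # name of the server_connections entry used as the runtime database
session_cache:
  type: redis
  cfg: myredis  # presumably the connection defined in configmap:storage/myredis.yml below — confirm
server_connections:
  - name: mydb2
    type: db2
    database_name: 'secret:storage/mydb2_dbname'
    hosts:
      - hostname: 'secret:storage/mydb2_hostname1'
        hostport: 'secret:storage/mydb2_hostport1'
    credential:
      username: 'secret:storage/mydb2_username'
      password: 'secret:storage/mydb2_password'
    conn_settings:
      max_pool_size: 50
      max_idle_size: 5
      max_idle_time: 10
      aged_timeout: 30
      connect_timeout: 5
    ssl:
      certificate:
        - 'ks:rt_profile'
        - 'b64:LS0tLS1CRUdJTiBDR...LQo='
      disable_hostname_verification: true  # skips hostname verification on the DB2 TLS connection; keep false outside test setups
  - 'configmap:storage/myredis.yml'  # a list entry may also be a reference to a file holding one connection
  - name: ldap_test
    type: ldap
    hosts:
      - hostname: pentest-isva-openldap
        hostport: 636
        # NOTE(review): credential and ssl are nested under the host entry
        # here but under the connection for mydb2 above — confirm which
        # nesting the schema expects before copying this stanza.
        credential:
          bind_dn: 'cn=root,secAuthority=default'
          # Was a literal password; bind secrets belong in a secret: reference
          # like the DB2 credential above (constructed name — substitute yours).
          bind_password: 'secret:storage/ldap_test_bind_password'
        ssl:
          certificate:
            - 'ks:rt_profile'
          disable_hostname_verification: true
    conn_settings:
      max_pool_size: 50
      connect_timeout: 3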
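attribute_sources:
  - id: 1
    name: display_name
    type: value
    value: anonymous  # fixed value
  - id: 2
    name: age
    type: credential
    value: AZN_CRED_AGE  # read from the credential attribute of this name
  - id: 3
    name: website
    type: ldap
    value: website  # LDAP attribute returned as the claim value
    scope: subtree
    filter: (objectclass=*)
    selector: nickname,gender,sn
    # Must name a server_connections entry; the only LDAP connection defined
    # above is ldap_test (the previous value 'ldap' matched nothing).
    srv_conn: ldap_test
    baseDN: dc=iswga
  - 'configmap:attrsrc/attr_src_3_dup1.yml'
ldapcfg:
  - name: ldap_test_cfg_01
    scope: subtree
    user_object_classes: top,Person,organizationalPerson,inetOrgPerson
    filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
    # userPassword is fetched by this selector; drop it unless the consuming
    # mapping rule actually needs the stored hash.
    selector: objectClass,cn,sn,givenName,userPassword
    srv_conn: ldap_test
    attribute: uid
    baseDN: dc=ibm,dc=com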
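rules:
  access_policy:
    - name: default_policy
      type: javascript
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
  mapping:
    # Mapping rules are referenced by name (for example
    # backchannel_settings.notifyuser_mappingrule_id and
    # dynamic_registration.mappingrule_id). content is inline JavaScript, a
    # B64: blob or a configmap: file; the "..." lines stand for elided rule
    # bodies. Both B64: and b64: prefixes appear in this file — confirm the
    # prefix is case-insensitive.
    - name: isvaop_pretoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: isvaop_posttoken
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: attrUtil
      content: "B64:aW1wb3J0Q2xhc3MoUGFj...Cg=="
    - name: checkstatus
      content: "configmap:rules/mapping_checkstatus.js"
    - name: dcr  # was 'name : dcr'; no space before ':' (yamllint colons)
      content: "B64:aW1wb...pCn0K"
    - name: extCache
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: httpClient
      content: "configmap:rules/mapping_httpClient.js"
    - name: jwt
      content: "B64:aW1wb...T047"
    - name: ldapClient
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: library
      content: "configmap:rules/mapping_library.js"
    - name: notifyuser
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...
    - name: oauthUtil
      content: "B64:aW1w...Cgo="
    - name: ropc
      content: |
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        ...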
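clients:
  # Static client registrations. An entry may also be a configmap: reference
  # to a file that holds one client.
  - client_id: client01
    client_id_issued_at: 1642399207  # presumably epoch seconds
    client_secret: secret  # example value; keep real secrets out of committed YAML — confirm whether this field accepts a secret: reference
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - 'urn:openid:params:grant-type:ciba'
    response_types:  # duplicate 'code token id_token' entry removed
      - code id_token
      - code token id_token
      - code
      - code token
      - none
    scopes:
      - openid
      - profile
      - test
    token_endpoint_auth_method: client_secret_post  # alternative seen in this file: tls_client_auth (client02)
    token_endpoint_auth_signing_alg: RS384
    token_endpoint_auth_single_use_jti: false
    tls_client_auth_subject_dn: CN=oidc-dev-test.ite1.idng.ibmcloudsecurity.com,OU=,O=,L=,ST=,C=  # NOTE(review): RDNs with empty values — confirm this is the DN the client certificate carries
    tls_client_certificate_bound_access_tokens: false
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    request_object_signing_alg: ES256
    require_pushed_authorization_requests: false
    require_pkce: false
    backchannel_token_delivery_mode: poll
    backchannel_client_notification_endpoint: https://notifyme.com  # presumably unused while delivery mode is poll — confirm
    backchannel_user_code_parameter: false
    extension:  # free-form values kept with the client; key names differ between clients in this file
      contact_type: "ADMINISTRATIVE"
      encryptDB: "rt_profile_keys"
      phone: "12345678"
      contact_person: "TESTUSER"
      company_name: "IBM"
      company_url: "https://ibm.com"
      encryptKey: "server"
      email: "[email protected]"
  - client_id: client01dpop
    client_id_issued_at: 1642399207
    client_secret: secret  # example value, see client01
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
      - 'urn:openid:params:grant-type:ciba'
    response_types:  # duplicate 'code token id_token' entry removed
      - code id_token
      - code token id_token
      - code
      - code token
      - none
    scopes:
      - openid
      - profile
      - test
    token_endpoint_auth_method: client_secret_post
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    dpop_bound_access_tokens: true
    dpop_signing_alg: PS256
    dpop_single_use_jti: false
  - 'configmap:clients/client01jarm.yml'
  - 'configmap:clients/client01mtls.yml'
  - 'configmap:clients/client01ping.yml'
  - 'configmap:clients/client01pingmisconfig.yml'
  - 'configmap:clients/client01pingmtls.yml'
  - 'configmap:clients/client01pingmtlsmisconfig.yml'
  - 'configmap:clients/client01pwt.yml'
  - client_id: client02
    client_id_issued_at: 1642399207
    client_secret: secret  # example value, see client01
    client_secret_expires_at: 0
    client_name: Client Test
    enabled: true
    redirect_uris:
      - https://www.google.com
      - https://www.mysp.ibm.com/isam/sps/oidc/rp/oidcrp/redirect/partner2
    grant_types:
      - authorization_code
      - password
      - client_credentials
      - implicit
      - refresh_token
    response_types:
      - code id_token
      - code id_token token
      - code
      - code token
    scopes:
      - openid
      - profile
    token_endpoint_auth_method: tls_client_auth  # client authenticates with the certificate matching tls_client_auth_subject_dn
    token_endpoint_auth_signing_alg: RS384
    token_endpoint_auth_single_use_jti: false
    tls_client_auth_subject_dn: CN=clientID01,OU=security,O=IBM,L=singapore,ST=singapore,C=SG
    tls_client_certificate_bound_access_tokens: true
    id_token_signed_response_alg: PS512
    jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
    request_object_signing_alg: PS256
    require_pushed_authorization_requests: false
    require_pkce: false
    extension:
      email: [email protected]
      contactType: ADMINISTRATOR
      companyName: IBM
      encryptDB: rt_encrypt
      encryptKey: rsa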
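keystore:
  # Keystore content comes from a secret: reference, a B64: blob or inline
  # PEM. Inline and B64-embedded material travels with every copy of this
  # file, so private keys and keystore passwords should use secret:
  # references as the db2client entry does.
  - name: db2client
    type: p12
    content: "secret:keystore/db2client.p12"
    password: "secret:keystore/db2client.obf"
  - name: test
    type: p12
    content: "secret:keystore/test.p12"
    password: "secret:keystore/test.obf"
  - name: postgres
    type: p12
    content: "secret:keystore/postgres.p12"
    password: "secret:keystore/postgres.obf"
  - name: redis
    type: p12
    content: "B64:MIIWX...AA=="
    # Was the literal "p@ssw0rd"; reference an obfuscated password like the
    # other p12 entries (constructed name — substitute yours).
    password: "secret:keystore/redis.obf"
  - name: rt_profile
    type: zip
    content: "secret:keystore/rt_profile.zip"
  - name: rt_profile_dup01
    type: zip
    content: "B64:UEsDBBQAA.....A"
  - name: rt_profile_keys
    type: pem
    certificate:
      - label: httpservercert
        content: "B64:LS0tL...g=="
      - label: ldap
        content: "secret:keystore/rt_profile_keys_signer_ldap.pem"
      - label: ldap_gh
        content: |
          -----BEGIN CERTIFICATE-----
          MIIDBzCCAo2gAwIBAgIUbfkAdyPC1l5aUiTt6OUbS9Q+MbkwCgYIKoZIzj0EAwMw
          g...
          p8HLCUpB/3KPtmg=
          -----END CERTIFICATE-----
      - label: localLDAP
        content: "secret:keystore/rt_profile_keys_signer_localLDAP.pem"
      - label: rel-verify-ibmcloudsecurity-com-chain
        content: "B64:LS0tLS1CR...Q0K"
    key:
      - label: httpserverkey
        # Inline private key: it is stored wherever this file is stored.
        # Prefer a secret: reference, as server.ssl.key does for the same key.
        content: |
          -----BEGIN PRIVATE KEY-----
          MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDcfy4ptpTSA2DE
          ...
          tf5q/y+aDIXOsF03swP+J60GPQ==
          -----END PRIVATE KEY-----
  - name: truststore
    type: pem
    certificate:
      - label: mtlsclientcert
        content: |
          -----BEGIN CERTIFICATE-----
          MIIE5jCCAs6gAwIBAgIII7QhYxUdmcswDQYJKoZIhvcNAQELBQAwETEPMA0GA1UE
          AxMGaXN2YW9wMB4XDTI0MDQwNzA0MTMwNFoXDTM0MDQwNjA0MTMwNFowETEPMA0G
          A1UEAxMGaXN2YW9wMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmukm
          abTj0CHVrG/nTDAMm+jEQ7YJURg/XfQpIlrELLMEubXHDzn3Rk4jYkwaJHnKd2Jz
          nWVluSyngF/TgWqhRALdKn4zel1djia8pB6fkoOkjHqlNlX86O7PDvgVko2HBXBL
          2CJsOa787pw8kl4Odw9W6WeRmHz6VybTw91z0xfjfk3MCgCKUXg61RFlYtOIHU8B
          jeUxitwWBcF93Qa/AB7MXINKHSmxfqNqfMJMH26Dfu6N0DWQEttEmUphNo1NJynC
          ofZUUImGJcDKmr8m8JeSwLBXha0dvOmNnFVQ4GkUwsOk3zjP21JwB6Gy4TqvcYSU
          tt7jrJSqTeJFKIH2FMHbegpxwCDVlVz3cmilsIv1n9I4glkZCNLn2xNnYGyMW+tH
          /K628zKeB1KfZIcubgp1iMzmMhcSkiQ3Fpg7gSNRSDSMp8qPbK4b1qEqTux5KO5d
          HHUy3+MJHZX/0S7EYMmSbMC9sdFs75i3/eHEWtkcX8X2pS0CS+JzVG/Of3Ua1wwg
          qx8HxOMEDkxqzwQGA4/pzHh8CwXZ4bPKEIhMGW9z0Q2FE2LNeAu7t5ZurDecgkOP
          4nelnABqMTfdJQ38+0H5BkUEXdLxXzFQpKpFsZQpOfw9mu6JCgbElfbmltPDhGEw
          0+WqjaPLg+dxXjPAPVQn55fnd7W1CpCxy66xnvMCAwEAAaNCMEAwHQYDVR0OBBYE
          FA13+nOk4op66sDx6loy2OoTaHJFMB8GA1UdIwQYMBaAFA13+nOk4op66sDx6loy
          2OoTaHJFMA0GCSqGSIb3DQEBCwUAA4ICAQBwM7lTvU7ChadVtKfdMceQleVWDcJu
          5hBKhwGfk+2udW4naJrKWfCO88zsm1D62b+bYb4myAJiUxxqA2pIioI9Veaor/U8
          iQXZXC9NxA8gmyFr2KO47siIbbIK2QNeAePMh7FVOkzRq21FWgIJI+D7QXiMy3YZ
          PORq2qZJfyLmKoMEfnH4sdTu61BRzKuiL6crThTuB4agXAv1YeevKr2DX3tQ9etW
          WUQFF9ZiGWazUY6OoHyWxlQX5edShZbmwAJ/6A+DZ1Tywh5j4xVOWZzqDoAIqiIW
          xytHUnVwthGYNQV6q52E39xGHVn5pu0Co/3cmvnguc9IRbLcmBakM7llC07YWvWV
          2UGLqggRMR1B11FJZ5lubOL2hyqswGTz7AP4vrS/VLVmO7pcIZoz4pLMH6FBC+6/
          sI8c59jmFNmY4Ue0peLfnx+bWI9pEebh56hSTeNCvWdiJgRcE4Avf9iIG0q75nJ1
          n5+hGN9kBmT68uumA2waCkNtOX+75GD/m45d7slH3IHTg7YhtwnuepZe0cL/7Ksf
          CuIhUVZK9BYqKKE2CsaTGM7XquFg1jjPHBCQ3zCMHd+JlKzpGKay3Jm9gi2lMZeF
          wx7TNlZtKhNpxV0bO3x5aF+fjEWTBuqXooMAfNai7iANaNlLbWgvtbSo0xRFrI2j
          TV+GFMVLwuHGPg==
          -----END CERTIFICATE-----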

1. [Optional] Property root > version
Type: string
Default: 22.12
Defined in: yaml_provider.yml#/definitions/version

Description: The IBM Security Verify Access OIDC Provider (ISVAOP) configuration version. If version is not specified, the default value 22.12 will be used.

2. [Required] Property root > definition
Type: object
Additional properties: any type allowed
Defined in: yaml_provider.yml#/definitions/definition

Description: Definition

Read more about Definition.

Example:

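definition:
  id: '1'                                                   # Definition ID (schema type: string; quoted so it is not loaded as an int)
  name: OIDC Definition                                     # Definition Name
  grant_types:                                              # Supported grant types.
    - authorization_code
    - implicit
    - password
    - client_credentials
    - refresh_token
    - 'urn:openid:params:grant-type:ciba'
    - 'urn:ietf:params:oauth:grant-type:token-exchange'
  access_policy_id: '1'                                     # Access Policy Rule ID (schema type: string).
  pre_mappingrule_id: isvaop_pretoken                       # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken                     # Post-Token mapping rule ID.
  ropc_mappingrule_id: ropc                                 # ROPC mapping rule ID.
  base_url: https://isvaop.ibm.com:445                      # Base URL of the endpoints.
  mtls_base_url: https://isvaop.ibm.com:445                 # Base URL of the MTLS endpoints.
  mtls_certificate_header_name: x-client-certificate        # HTTP header name that contains the MTLS certificate; only the TLS-terminating proxy should be able to set it.
  features:                                                 # Feature flags
    enable_fault_tolerance: false                           # Enable multiple refresh tokens for fault tolerance.
    consent_prompt: ALWAYS_PROMPT                           # Prompt for consent. ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER
    fapi_compliant: false                                   # Whether to enforce all the FAPI checks.
    enforce_par: false                                      # Only accept authorization requests made through pushed authorization (PAR).
    prefer_claims_at_userinfo: true                         # Addresses https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4: when true and an OAuth/OIDC flow issues an access token, requested claims are returned only at /userinfo instead of in the id_token, unless they are essential to the id_token.
  token_settings:                                           # Token Settings
    issuer: https://isvaop.ibm.com                          # OP's issuer URI.
    signing_alg: PS512                                      # Signing algorithm for the ID token generated.
    signing_keystore: rt_profile_keys                       # Signing keystore name (without the ks: prefix).
    signing_keylabel: rsa256                                # Signing key label (without the ks: prefix).
    encryption_alg: none                                    # Key encryption algorithm for the ID token generated.
    encryption_enc: none                                    # Content encryption algorithm for the ID token generated.
    authorization_code_lifetime: 300                        # Lifetime of the authorization code in seconds.
    access_token_lifetime: 7200                             # Lifetime of the access token in seconds.
    id_token_lifetime: 3600                                 # Lifetime of the id_token in seconds.
    refresh_token_lifetime: 64800                           # Lifetime of the refresh token in seconds.
  backchannel_settings:                                     # Backchannel (CIBA) Settings
    default_expiry: 900                                     # Default CIBA session lifetime in seconds. If not specified, 900.
    maximum_expiry: 1800                                    # Maximum CIBA session lifetime in seconds. If not specified, 1800.
    polling_interval: 5                                     # Polling interval communicated to the relying party, in seconds. Default 5.
    notifyuser_mappingrule_id: notifyuser                   # Mapping rule ID executed when notifying the user. Default `notifyuser`.
    checkstatus_mappingrule_id: checkstatus                 # Mapping rule ID executed when checking authentication status. Default `checkstatus`.
    user_code_support: false                                # Whether this CIBA implementation supports user_code. Published in the `.well-known` endpoint.
  attribute_map:                                            # Attribute mapping to resolve claims; also refer to attributesources.yml
    name: display_name
    age: age
  metadata:                                                 # name-value pairs that override metadata information
    claims_supported:
      - iss
      - name
      - displayName
  dpop_max_lifetime: 3600                                   # Lifetime of the DPoP proof JWT in seconds.
  request_object:                                           # JWT-Secured Authorization Request (JAR) settings
    lifetime: 3600                                          # Lifetime of the incoming JWT-Secured Authorization Request in seconds.
    require_expiry: true                                    # Whether the JWT-Secured Authorization Request must contain an exp claim.
    only_request_object_params: false                       # Whether the JWT-Secured Authorization Request must contain all the request parameters.
    enforce_single_usage: false                             # Whether a JWT-Secured Authorization Request may be used only once.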

2.1. [Optional] Property root > definition > id
Type: string

Description: Definition ID. Required for DCR flows.

2.2. [Optional] Property root > definition > name
Typestring

Description: Definition Name. Required for DCR flows.

2.3. [Required] Property root > definition > grant_types
Typearray of string

Description: Supported grant types.

Each item of this array must be a `grant_types items` entry; no further description is given.

2.3.1. root > definition > grant_types > grant_types items

Typestring
2.4. [Optional] Property root > definition > access_policy_id
Typestring

Description: Access Policy Rule ID.

2.5. [Optional] Property root > definition > pre_mappingrule_id
Typestring

Description: Pre-Token mapping rule ID.

2.6. [Optional] Property root > definition > post_mappingrule_id
Typestring

Description: Post-Token mapping rule ID.

2.7. [Optional] Property root > definition > ropc_mappingrule_id
Typestring

Description: ROPC-mapping rule ID.

2.8. [Required] Property root > definition > base_url
Typestring

Description: Base URL of the endpoints. Example: https://www.idp.com/isvaop

2.9. [Optional] Property root > definition > mtls_base_url
Typestring

Description: Base URL of the MTLS endpoints. Example: https://www.idp-mtls.com/isvaop

2.10. [Optional] Property root > definition > mtls_certificate_header_name
Typestring
Default"X-Client-Certificate"

Description: JWT header name that contains MTLS certificate. Example: X-Client-Certificate

2.11. [Required] Property root > definition > token_settings
Typeobject
Additional propertiesAny type: allowed

Description: Token Settings

Read more about Token Settings.

2.11.1. [Required] Property root > definition > token_settings > issuer
Typestring

Description: OP's issuer URI.

2.11.2. [Required] Property root > definition > token_settings > signing_alg
Typestring

Description: Signing algorithm for ID token generated.

2.11.3. [Required] Property root > definition > token_settings > signing_keystore
Typestring

Description: Signing keystore name.

NOTE: signing_keystore is the keystore name WITHOUT ks: annotation.

2.11.4. [Required] Property root > definition > token_settings > signing_keylabel
Typestring

Description: Signing key label.

NOTE: signing_keylabel is the key label name WITHOUT ks: annotation.

2.11.5. [Required] Property root > definition > token_settings > encryption_alg
Typestring

Description: Key encryption algorithm for ID token generated.

2.11.6. [Required] Property root > definition > token_settings > encryption_enc
Typestring

Description: Content encryption algorithm for ID token generated.

2.11.7. [Optional] Property root > definition > token_settings > authorization_code_lifetime
Typenumber
Default300

Description: Lifetime of authorization code in seconds.

2.11.8. [Optional] Property root > definition > token_settings > access_token_lifetime
Typenumber
Default7200

Description: Lifetime of access token in seconds.

2.11.9. [Optional] Property root > definition > token_settings > id_token_lifetime
Typenumber
Default3600

Description: Lifetime of id_token in seconds.

2.11.10. [Optional] Property root > definition > token_settings > refresh_token_lifetime
Typenumber
Default64800

Description: Lifetime of refresh token in seconds.

2.12. [Optional] Property root > definition > features
Typeobject
Additional propertiesAny type: allowed

Description: Feature Flags

Read more about Features Flags.

2.12.1. [Optional] Property root > definition > features > consent_prompt
Typeenum (of string)
Default"ALWAYS_PROMPT"

Description: Prompt for consent vs auto-consent.

Must be one of:

  • "ALWAYS_PROMPT"
  • "NEVER_PROMPT"
  • "PROMPT_ONCE_AND_REMEMBER"
2.12.2. [Optional] Property root > definition > features > enforce_par
Typeboolean
Defaultfalse

Description: Accept only authorization requests made through pushed authorization (PAR).

2.12.3. [Optional] Property root > definition > features > prefer_claims_at_userinfo
Typeboolean
Defaultfalse

Description: This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.

2.13. [Optional] Property root > definition > backchannel_settings
Typeobject
Additional propertiesAny type: allowed

Description: These settings are related to Client-Initiated Backchannel Authentication (CIBA).

Read more about Backchannel Settings.

2.13.1. [Optional] Property root > definition > backchannel_settings > default_expiry
Typenumber
Default900

Description: The default CIBA session lifetime in seconds.

2.13.2. [Optional] Property root > definition > backchannel_settings > maximum_expiry
Typenumber
Default1800

Description: Maximum CIBA session lifetime in seconds.

2.13.3. [Optional] Property root > definition > backchannel_settings > polling_interval
Typenumber
Default5

Description: Polling interval value that is communicated to the relying party in seconds.

2.13.4. [Optional] Property root > definition > backchannel_settings > notifyuser_mappingrule_id
Typestring
Default"notifyuser"

Description: Mapping rule ID that is run when the user is notified.

2.13.5. [Optional] Property root > definition > backchannel_settings > checkstatus_mappingrule_id
Typestring
Default"checkstatus"

Description: Mapping rule ID that is run when the authentication status is checked.

2.13.6. [Optional] Property root > definition > backchannel_settings > user_code_support
Typeboolean
Defaultfalse

Description: Whether this CIBA implementation supports user_code. This information is published in .well-known endpoint.

2.14. [Optional] Property root > definition > attribute_map
Typemap of string -> string

Description: Attribute mapping to resolve claims.

2.15. [Optional] Property root > definition > metadata
Typemap of string -> any

Description: name-value pair to override metadata information

2.16. [Optional] Property root > definition > request_object
Typeobject
Additional propertiesAny type: allowed

Description: These settings are related to JWT-Secured Authorization Request (JAR).

Read more about JWT Secured Authorization Request Settings.

2.16.1. [Optional] Property root > definition > request_object > lifetime
Typenumber

Description: The maximum lifetime of the incoming request-JWT in seconds.

2.16.2. [Optional] Property root > definition > request_object > require_expiry
Typeboolean
Defaultfalse

Description: Boolean flag to check if the request-JWT contains an exp claim.

2.16.3. [Optional] Property root > definition > request_object > only_request_object_params
Typeboolean
Defaultfalse

Description: Boolean flag to enforce the request-JWT to contain all the request parameters.

2.16.4. [Optional] Property root > definition > request_object > enforce_single_usage
Typeboolean
Defaultfalse

Description: Boolean flag to enforce single use of a request-JWT.

2.17. [Optional] Property root > definition > dpop_max_lifetime
Typenumber

Description: Maximum lifetime of a DPoP proof JWT in seconds.

3. [Required] Property root > jwks
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/jwks

Description: JSON Web Key Set (JWKS) Settings

Read more about JSON Web Key Set (JWKS) Settings.

Example:

# JSON Web Key Set (JWKS) Settings. Both values are keystore names
# without the ks: prefix.
jwks:
  signing_keystore: signing_keystore        # keys used for JWT signing and signature validation
  encryption_keystore: encryption_keystore  # keys used for JWT encryption and decryption

3.1. [Required] Property root > jwks > signing_keystore
Typestring

Description: Keystore name that contains keys that are related to JWT signing and signature validation.

NOTE: signing_keystore is the keystore name WITHOUT ks: annotation.

3.2. [Required] Property root > jwks > encryption_keystore
Typestring

Description: Keystore name that contains keys that are related to JWT encryption and decryption.

NOTE: encryption_keystore is the keystore name WITHOUT ks: annotation.

4. [Optional] Property root > authentication
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/authentication

Description: Authentication Settings

Read more about Authentication Settings.

Example:

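authentication:                                             # Authentication Settings
  # Endpoint to redirect to when authentication is required. Mandatory when
  # `grant_types` contains `authorization_code` or `implicit`.
  endpoint: https://isvaop.ibm.com:445/isvaop/oauth2/auth
  callback_param_name: Target                               # Parameter name that carries the callback target URI. If not specified, the default is `Target`.
  subject_attribute_name: uid                               # User or credential attribute used to populate `sub`. If not specified, the default is `uid`.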

4.1. [Optional] Property root > authentication > endpoint
Typestring
Default"https://isvaop.ibm.com:445/isvaop/oauth2/auth"

Description: Endpoint to redirect to when authentication is needed. This setting is mandatory when grant_types contains authorization_code or implicit (refer to Definition).

4.2. [Optional] Property root > authentication > callback_param_name
Typestring
Default"Target"

Description: Parameter name to specify the callback target URI. If it is not specified, the default callback param name is Target.

4.3. [Optional] Property root > authentication > subject_attribute_name
Typestring
Default"uid"

Description: Name of the user or credential attribute that is used to populate the sub. If it is not specified, the default attribute is uid.

5. [Optional] Property root > template_macros
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/template_macros

Description: Template Macros

Read more about template_macros.

Example:

template_macros:                                            # Template Macros
  user_macros:                                              # Authenticated user claims made available to the templates.
    - name
    - family_name
    - given_name
    - display_name
  request_macros:                                           # Request parameters made available to the templates.
    - authorization_details
    - claims
    - user_code
    - state

5.1. [Optional] Property root > template_macros > user_macros
Typearray of string

Description: List of authenticated user claims to be made available.

Each item of this array must beDescription
user_macros items-

5.1.1. root > template_macros > user_macros > user_macros items

Typestring
5.2. [Optional] Property root > template_macros > request_macros
Typearray of string

Description: List of request parameters to be made available.

Each item of this array must beDescription
request_macros items-

5.2.1. root > template_macros > request_macros > request_macros items

Typestring
6. [Optional] Property root > ssl
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/ssl

Description: SSL Setting

Read more about SSL Settings.

Example:

ssl:                                                        # Default SSL settings for outbound connections.
  certificate:
    - ks:https_keys                                         # The default SSL keystore to be used for SSL connections. It is used when SSL keystore is not specified in server connection SSL settings.
  # NOTE(review): `true` turns off hostname verification for every outbound SSL connection that does not override it, so a valid certificate issued for a different host is accepted. Keep this `false` (the schema default) outside of test environments.
  disable_hostname_verification: true                       # The default flag to enable or disable hostname verification for SSL connections. It is used when SSL disable_hostname_verification is not specified in server connection SSL settings.

6.1. [Optional] Property root > ssl > certificate
Typearray of string

Description: The list of default SSL keystore to be used for all SSL connections. It is used when SSL keystore is not specified in server connection SSL settings.

Each item of this array must beDescription
certificate items-

6.1.1. root > ssl > certificate > certificate items

Typestring
6.2. [Optional] Property root > ssl > disable_hostname_verification
Typeboolean
Defaultfalse

Description: The default flag to enable or disable hostname verification for SSL connections. It is used when SSL disable_hostname_verification is not specified in server connection SSL settings.

7. [Required] Property root > server
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/server

Description: Server Settings

Read more about Server Settings.

Example:

server:                                                     # Server Settings
  ssl:                                                      # HTTPS server SSL settings (required).
    key: ks:https_keys/httpserverkey                       # Name of the keystore/key for the ISVAOP HTTPS server.
    certificate: ks:https_keys/httpservercert              # Name of the keystore/certificate for the ISVAOP HTTPS server.
    ca:                                                    # Optional. Array of CA certificates for the HTTPS server.
      - ks:https_keys/httpserverca                         # Name of the keystore/CA for the ISVAOP HTTPS server.
  pages:                                                   # Optional. Customized template pages.
    type: zip # path is also supported, which indicates it is unpacked
    content: "B64:<encoded_binary>"                        # Placeholder: replace with the base64-encoded zip, or use the `@` annotation to give a zip path relative to /var/isvaop/config.

7.1. [Required] Property root > server > ssl
Typeobject
Additional propertiesAny type: allowed

Description: HTTPS server SSL settings

Read more about key management here.

7.1.1. [Required] Property root > server > ssl > key
Typestring

Description: Name of the keystore/key for the ISVAOP HTTPS server.

7.1.2. [Required] Property root > server > ssl > certificate
Typestring

Description: Name of the keystore/certificate for the ISVAOP HTTPS server.

7.1.3. [Optional] Property root > server > ssl > ca
Typearray of string

Description: Array of CA certificates

Each item of this array must beDescription
ca items-
7.1.3.1. root > server > ssl > ca > ca items
Typestring
7.2. [Optional] Property root > server > pages
Typeobject
Additional propertiesAny type: allowed

Description: Customized template pages settings

7.2.1. [Required] Property root > server > pages > type
Typeenum (of string)

Description: When customized template pages are provided, this is the type of content being supplied: either a zip file or a directory name.

Must be one of:

  • "path"
  • "zip"
7.2.2. [Required] Property root > server > pages > content
Typestring

Description: The content that is used for the customized template pages.

  • When the type is path, specify the path of the customized template pages directory, which is relative to the /var/isvaop/config directory of the container.
  • When the type is zip:
    • use the @ annotation to specify the path of the customized template pages zip file, which is relative to the /var/isvaop/config directory of the container.
    • or use the B64: annotation to specify the base64-encoded customized template pages zip file.
8. [Optional] Property root > javascript
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/javascript

Description: JavaScript Settings

Read more about JavaScript Settings.

Example:

javascript:                                                 # Javascript Settings
  # NOTE(review): 0 means a runaway or hostile script can hold an engine indefinitely; set a finite limit for production deployments.
  timeout: 0                                                # Maximum execution time for a script in ms. Set to 0 for unlimited execution time.
  max_load: 16                                              # Maximum number of v8 engines spawned.
  max_ctx_in_isolate: 50                                    # Maximum reuse of a v8 engine before it is recreated. Set to 0 to disable (the schema default is 0).
  use_pool: false                                           # If true, run in `pool` mode, otherwise run in `worker` mode.

8.1. [Optional] Property root > javascript > use_pool
Typeboolean
Defaultfalse

Description: If true, run in pool mode, otherwise run in worker mode.

8.2. [Optional] Property root > javascript > max_load
Typenumber
Default16

Description: Maximum number of v8 engines created.

8.3. [Optional] Property root > javascript > timeout
Typenumber
Default0

Description: Maximum execution time for a script in ms. Set to 0 for unlimited execution time.

8.4. [Optional] Property root > javascript > max_ctx_in_isolate
Typenumber
Default0

Description: Maximum number of times a v8 engine is reused before it is recreated. Set to 0 to disable.

9. [Optional] Property root > janitor
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/janitor

Description: ISVAOP uses a janitor binary to perform cleanup of data. Read more about Database cleanup.

Example:

janitor:                                                    # Janitor Settings
  batch_size: 1000                                          # Maximum number of records cleaned up in each iteration.
  max_duration: 0                                           # Maximum run duration in milliseconds. When set to 0, the janitor program runs until all records are cleaned up.
  check_frequency: 10                                       # Number of iterations to run before the janitor checks whether the maximum duration is exceeded.

9.1. [Optional] Property root > janitor > batch_size
Typenumber
Default1000

Description: The maximum number of records cleaned up in each iteration.

9.2. [Optional] Property root > janitor > max_duration
Typenumber
Default0

Description: The maximum duration of a janitor run, specified in milliseconds. When max_duration is set to 0, the janitor program runs until all records are cleaned up; depending on how often you run the janitor, the number of records can be large.

9.3. [Optional] Property root > janitor > check_frequency
Typenumber
Default10

Description: The number of iterations to run before the janitor checks whether the maximum duration has been exceeded.

10. [Optional] Property root > logging
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/logging

Description: Logging Settings

Read more about Logging Settings.

Example:

logging:                                                    # Logging Settings
  # NOTE(review): `finest` is the most verbose level (alias of `trace`). Confirm what is emitted at this level before using it outside debugging, since verbose logs may capture request details.
  level: finest                                             # Logging level setting. If the level is not set or invalid, `info` will be used. `panic`, `fatal`, `error`, `warn`, `warning` (alias of `warn`), `info`, `debug`, `fine` (alias of `debug`), `trace`, `finest` (alias of `trace`)

10.1. [Optional] Property root > logging > level
Typeenum (of string)
Default"info"

Description: Logging level setting. If the level is not set or invalid, info is used.

  • warning is alias of warn
  • fine is alias of debug
  • finest is alias of trace

Must be one of:

  • "panic"
  • "fatal"
  • "error"
  • "warn"
  • "warning"
  • "info"
  • "debug"
  • "fine"
  • "trace"
  • "finest"
11. [Optional] Property root > dynamic_registration
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/dynamic_registration

Description: Dynamic Client Profile

Read more about Dynamic Client Profile.

Example:

dynamic_registration:                                       # Dynamic Client Profile
  recipe: FAPI_UK-OB                                        # Security profile to use. Options: Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR
  mappingrule_id: dcr                                       # Dynamic registration mapping rule ID.
  software_statement_validation:                            # Software statement validation settings.
    # NOTE(review): a plain-http jwks_uri lets an on-path party substitute the keys used to validate software statements; use https with a trusted certificate outside of lab setups.
    jwks_uri: http://172.16.123.1:3000/jwks/obdirectory     # JWKS URI containing the public key required to validate the software statement signature.
    signing_algs:                                           # Accepted signing algorithms. Restrict this to the algorithms the software statement issuer actually uses.
      - ES256
  # NOTE(review): every require_* flag below defaults to false, so omitting these sections leaves the registration endpoints reachable without mTLS, bearer token or software statement.
  registration_endpoint_authentication:                     # Authentication settings for POST operation.
    require_mtls: true                                      # Specifies whether the endpoint requires MTLS.
    require_bearer_token: true                              # Specifies whether the endpoint requires bearer token.
    require_software_statement: false                       # Specifies whether the endpoint requires software statement.
    allow_custom_client_creds: true                         # Only for POST. Specifies whether to accept client_id/client_secret in the POST payload. When true the registering party picks its own credentials, so keep it behind mTLS and/or a bearer token as shown here.
  management_endpoint_authentication:                       # Authentication settings for PUT/GET/DELETE operations. The same false defaults apply.
    require_mtls: false                                     # Specifies whether the endpoint requires MTLS.
    require_bearer_token: true                              # Specifies whether the endpoint requires bearer token.
    require_software_statement: false                       # Specifies whether the endpoint requires software statement. This is only applicable for PUT operation.
  registration_access_token:                                # Registration access token settings.
    generate: true                                          # Specifies whether to produce registration access token as part of POST/PUT/GET operations.
    lifetime: 86400                                         # Specifies the lifetime of the registration access token. The unit is not stated in the schema; presumably seconds - confirm.
    scopes:                                                 # Specify the scopes required by the access token. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token.
      - cdr:registration

11.1. [Optional] Property root > dynamic_registration > recipe
Typeenum (of string)
Default"Default"

Description: Security profile to be used. Options: Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR.

Must be one of:

  • "Default"
  • "FAPI_DEFAULT"
  • "FAPI_UK-OB"
  • "FAPI_AU-CDR"
11.2. [Optional] Property root > dynamic_registration > mappingrule_id
Typestring

Description: Dynamic registration mapping rule ID.

11.3. [Optional] Property root > dynamic_registration > software_statement_validation
Typeobject
Additional propertiesAny type: allowed

Description: Software Statement Validation

Read more about Software Statement Validation.

11.3.1. [Optional] Property root > dynamic_registration > software_statement_validation > jwks_uri
Typestring

Description: JWKS URI containing the public key that is needed to validate the software statement signature.

11.3.2. [Optional] Property root > dynamic_registration > software_statement_validation > signing_algs
Typearray of string

Description: Accepted signing algorithms

Each item of this array must beDescription
signing_algs items-
11.3.2.1. root > dynamic_registration > software_statement_validation > signing_algs > signing_algs items
Typestring
11.4. [Optional] Property root > dynamic_registration > registration_endpoint_authentication
Typeobject
Additional propertiesAny type: allowed

Description: Registration Endpoint Authentication

Read more about Registration Endpoint Authentication.

11.4.1. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_mtls
Typeboolean
Defaultfalse

Description: Specifies whether the endpoint requires MTLS.

11.4.2. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_bearer_token
Typeboolean
Defaultfalse

Description: Specifies whether the endpoint requires bearer token.

11.4.3. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_software_statement
Typeboolean
Defaultfalse

Description: Specifies whether the endpoint requires software statement.

11.4.4. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > allow_custom_client_creds
Typeboolean
Defaultfalse

Description: Only for POST. Specifies whether to accept client_id/client_secret in the POST payload.

11.5. [Optional] Property root > dynamic_registration > management_endpoint_authentication
Typeobject
Additional propertiesAny type: allowed

Description: Management Endpoint Authentication

Read more about Management Endpoint Authentication.

11.5.1. [Optional] Property root > dynamic_registration > management_endpoint_authentication > require_mtls
Typeboolean
Defaultfalse

Description: Specifies whether the endpoint requires MTLS.

11.5.2. [Optional] Property root > dynamic_registration > management_endpoint_authentication > require_bearer_token
Typeboolean
Defaultfalse

Description: Specifies whether the endpoint requires bearer token.

11.5.3. [Optional] Property root > dynamic_registration > management_endpoint_authentication > require_software_statement
Typeboolean
Defaultfalse

Description: Specifies whether the endpoint requires software statement.

11.6. [Optional] Property root > dynamic_registration > registration_access_token
Typeobject
Additional propertiesAny type: allowed

Description: Registration Access Token

Read more about Registration Access Token.

11.6.1. [Optional] Property root > dynamic_registration > registration_access_token > generate
Typeboolean

Description: Specifies whether to produce registration access token as part of POST/PUT/GET operations.

11.6.2. [Optional] Property root > dynamic_registration > registration_access_token > lifetime
Typenumber

Description: Specifies the lifetime of the registration access token.

11.6.3. [Optional] Property root > dynamic_registration > registration_access_token > scopes
Typearray of string

Description: Specifies the scopes the access token must carry. All scopes listed here are mandatory; the request is rejected as unauthorized if any listed scope is not present in the access token.

Each item of this array must beDescription
scopes items-
11.6.3.1. root > dynamic_registration > registration_access_token > scopes > scopes items
Typestring
12. [Optional] Property root > secrets
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_provider.yml#/definitions/secrets

Description: Secrets

Read more about Secrets.

Example:

secrets:                                                    # Secrets
  # NOTE(review): obf_key is what decrypts every OBF:<data> entry, so it is itself a secret; do not commit the real key in plain text and restrict access to this file.
  obf_key: "<obfuscation key>"                              # Placeholder: obfuscation key used to decrypt OBF:<data> entries.
  enc_key: "@private.pem"                                   # `@` annotation: path to the private key file used to decrypt ENC:<data> entries. Restrict file permissions on that file.

12.1. [Optional] Property root > secrets > obf_key
Typestring

Description: Specifies an obfuscation key that is used to decrypt the OBF:<data> type entries.

12.2. [Optional] Property root > secrets > enc_key
Typestring

Description: Specifies an encryption key that is used to decrypt the ENC:<data> type entries.

13. [Required] Property root > runtime_db
Typestring
Defined inyaml_storage.yml#/definitions/runtime_db

Description: Runtime Database Configuration

Read more about Runtime Database Configuration.

14. [Required] Property root > session_cache
Typeobject
Additional propertiesAny type: allowed
Defined inyaml_storage.yml#/definitions/session_cache

Description: Session Cache Configuration

Read more about Session Cache Configuration.

14.1. [Required] Property root > session_cache > type
Typeenum (of string)

Description: Specifies the type of session cache, in-memory, redis, or db.

Must be one of:

  • "in-memory"
  • "redis"
  • "db"
14.2. [Optional] Property root > session_cache > life_time
Typenumber
Default600

Description: For in-memory session cache type, specifies the session entry duration in seconds.

14.3. [Optional] Property root > session_cache > max_entries
Typenumber
Default60000

Description: For in-memory session cache type, specifies the maximum number of session entries.

14.4. [Optional] Property root > session_cache > cfg
Typestring

Description: For redis type, specifies the server connection configuration name of the redis server.

15. [Required] Property root > server_connections
Typearray of object
Defined inyaml_storage.yml#/definitions/server_connections

Description: Specifies a list of server connection configurations.

Read more about Storage Configuration.

Each item of this array must beDescription
server_connections itemsSpecifies the server connection configuration details. ...

15.1. root > server_connections > server_connections items

Typeobject
Additional propertiesAny type: allowed

Description: Specifies the server connection configuration details.

Server connections are categorized as database, redis, or ldap. Refer to each server connection category for details.

15.1.1. [Optional] Property root > server_connections > server_connections items > server_connection (database)
Typeobject
Additional propertiesAny type: allowed

Description: Runtime Database Server Connection

Read more about Runtime Database Server Connection.

Examples:

# PostgreSQL Runtime Database configuration sample
runtime_db: mypq                                            # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db                                                  # Specifies the type of session cache, in-memory, redis, or db.
  # cfg: redis-standalone                                   # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection
  # life_time: 600                                          # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600`
  # max_entries: 60000                                      # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000`
server_connections:                                         # Server connections
  - name: mypq                                              # Connection name
    type: postgresql                                        # Connection type, `redis`, `ldap`, `postgresql`, `oracle`, `db2`
    database_name: verify-access                            # Specifies the database or service name. For database types only.
    hosts:                                                  # List of host information (IP and port)
      - hostname: postgresql                                # Server's hostname
        hostport: 5432                                      # Server's host port
    credential:                                             # Credential information to connect to the server
      username: postgres                                    # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='
      # Specifies the password to access the server. It is recommended to obfuscate this.
      # NOTE(review): OBF: is obfuscation, not encryption - the value is recoverable by anyone holding secrets.obf_key, so protect this file and that key.
    ssl:                                                    # Optional. If this section is omitted, the connection is made without SSL.
      certificate:                                          # The SSL connection certificate array.
        - ks:postgres_keys                                  # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:                                          # Client identity presented when the database requires mutual TLS.
        key: ks:rt_profile_keys/postgres                    # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/postgres            # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca:
          - ks:rt_profile_keys/ca                           # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false                  # The SSL connection validates the hostname. Keep false so the server certificate is checked against the configured hostname.
    conn_settings:                                          # Connection settings
      max_idle_time: 10                                     # Maximum idle time in seconds
      min_pool_size: 5                                      # Minimum connection pool size
      max_pool_size: 50                                     # Maximum connection pool size
      connect_timeout: 5                                    # Connect timeout, in seconds
      aged_timeout: 30                                      # Aged timeout, in seconds

# Oracle Runtime Database configuration sample
runtime_db: myoracle                                        # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db                                                  # Specifies the type of session cache, in-memory, redis, or db.
server_connections:                                         # Server connections
  - name: myoracle                                          # Connection name
    type: oracle                                            # Connection type, `redis`, `ldap`, `postgresql`, `oracle`, `db2`
    database_name: verify-access                            # Specifies the database or service name. For database types only.
    hosts:                                                  # List of host information (IP and port)
      - hostname: myoracle                                  # Server's hostname
        hostport: 2484                                      # Server's host port
    credential:                                             # Credential information to connect to the server
      username: SYSTEM                                      # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='
      # Specifies the password to access the server. It is recommended to obfuscate this.
      # NOTE(review): OBF: is obfuscation, not encryption - the value is recoverable by anyone holding secrets.obf_key, so protect this file and that key.
    ssl:                                                    # Optional. If this section is omitted, the connection is made without SSL.
      # NOTE(review): the schema documents wallet under ssl > mutual_auth > wallet, while this sample places it directly under ssl - confirm which location the loader expects.
      wallet:                                               # For Oracle database only. Oracle database uses client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS.
        type: path                                          # The type of content that is being supplied, either a zip file or a directory name.
        content: oracle/wallet                              # The content that is used for the wallet. When the type is path, specify the path of the wallet.
        # type: zip                                         # When the type is zip, the content can be specified by using either the @ or the B64: annotation.
        # content: "@oracle/wallet.zip"                     # When type is zip, use the @ annotation to specify the wallet zip file path.
        # content: "B64:UEsDBBQACAAIAAJg......+ScAAAAA"     # When type is zip, use the B64: annotation to specify the base64-encoded wallet zip file.
      disable_hostname_verification: false                  # The SSL connection validates the hostname. Keep false so the server certificate is checked against the configured hostname.
    conn_settings:                                          # Connection settings
      max_idle_time: 10                                     # Maximum idle time in seconds
      aged_timeout: 30                                      # Aged timeout, in seconds
      max_idle_size: 5                                      # Maximum connection idle size
      max_pool_size: 50                                     # Maximum connection pool size
      connect_timeout: 5                                    # Connect timeout, in seconds

# Db2 Runtime Database configuration sample
runtime_db: mydb2                                           # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db                                                  # Specifies the type of session cache, in-memory, redis, or db.
server_connections:                                         # Server connections
  - name: mydb2                                             # Connection name
    type: db2                                               # Connection type, `redis`, `ldap`, `postgresql`, `oracle`, `db2`
    database_name: verify-access                            # Specifies the database or service name. For database types only.
    hosts:                                                  # List of host information (IP and port)
      - hostname: mydb2                                     # Server's hostname
        hostport: 50001                                     # Server's host port
    credential:                                             # Credential information to connect to the server
      username: db2inst1                                    # Specifies the username to access the server.
      password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='
      # Specifies the password to access the server. It is recommended to obfuscate this.
      # NOTE(review): OBF: is obfuscation, not encryption - the value is recoverable by anyone holding secrets.obf_key, so protect this file and that key.
    ssl:                                                    # Optional. If this section is omitted, the connection is made without SSL.
      certificate:                                          # The SSL connection certificate for Db2. Use the 'ks' or '@' annotation to specify a keystore in P12 format or a PEM file, or the 'B64' annotation to specify a base64-encoded PEM file. If multiple certificates are configured, the first certificate specified with the '@' or 'B64:' annotation is used.
        - '@keystore/rt_profile_keys/signer/ca.pem'         # '@' annotation to specify the certificate PEM file.
        # - 'b64:LS0tLS1CRUdJTiBD......tLQo='               # 'B64' annotation to specify the base64-encoded certificate PEM.
        # - 'ks:db2client'                                  # 'ks' annotation to specify a keystore in P12 format.
      disable_hostname_verification: false                  # The SSL connection validates the hostname. Keep false so the server certificate is checked against the configured hostname.
    conn_settings:                                          # Connection settings
      max_idle_time: 10                                     # Maximum idle time in seconds
      aged_timeout: 30                                      # Aged timeout, in seconds
      max_idle_size: 5                                      # Maximum connection idle size
      max_pool_size: 50                                     # Maximum connection pool size
      connect_timeout: 5                                    # Connect timeout, in seconds

15.1.1.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > name
Typestring

Description: Connection name.

15.1.1.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > type
Typeenum (of string)

Description: Connection type.

The IBM Security Verify Access OIDC Provider (ISVAOP) supports postgresql, oracle and db2 databases.

Must be one of:

  • "postgresql"
  • "oracle"
  • "db2"
15.1.1.3. [Required] Property root > server_connections > server_connections items > server_connection (database) > database_name
Typestring

Description: Specifies the database or service name. For database types only.

15.1.1.4. [Required] Property root > server_connections > server_connections items > server_connection (database) > hosts
Typearray

Description: List of host information (IP and port)

Each item of this array must beDescription
hosts items-
15.1.1.4.1. root > server_connections > server_connections items > server_connection (database) > hosts > hosts items
Typeobject
Additional propertiesAny type: allowed
15.1.1.4.1.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > hosts > hosts items > hostname
Typestring

Description: Runtime Database Server's hostname

15.1.1.4.1.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > hosts > hosts items > hostport
Typenumber

Description: Runtime Database Server's host port

15.1.1.5. [Required] Property root > server_connections > server_connections items > server_connection (database) > credential
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/credential

Description: Credential information to connect to the Runtime Database server

15.1.1.5.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > credential > username
Typestring

Description: Specifies the username to access the server.

15.1.1.5.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > credential > password
Typestring

Description: Specifies the password to access the server. Use obfuscation.

15.1.1.6. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/ssl_db

Description: SSL settings. If this section is omitted, the connection does not use SSL.

15.1.1.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > certificate
Typearray of string

Description: The array of SSL certificates to be used for SSL connection to the database.

Each item of this array must beDescription
certificate items-
15.1.1.6.1.1. root > server_connections > server_connections items > server_connection (database) > ssl > certificate > certificate items
Typestring
15.1.1.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth
Typeobject
Additional propertiesAny type: allowed
15.1.1.6.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > key
Typestring

Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.

15.1.1.6.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > certificate
Typestring

Description: When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.

15.1.1.6.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > ca
Typearray of string

Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.

Each item of this array must beDescription
ca items-
15.1.1.6.2.3.1. root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > ca > ca items
Typestring
15.1.1.6.2.4. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet
Typeobject
Additional propertiesAny type: allowed

Description: For Oracle database only. Oracle database uses client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS.

Oracle Wallet Overview

An Oracle Wallet is a set of configuration files that store authentication and signing credentials.
Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.
ISVA OP requires an Oracle client wallet for SSL connection and mutual TLS. The cwallet.sso file must be present.
See the Oracle Documentation to create or manage an Oracle wallet.

  • Go to the Oracle Database Documentation page in Oracle Help Center.
  • Select your version of Oracle Database.
  • In the Topics section, select Security.
  • In the Centralized User Management section, select Oracle Database Enterprise User Security Administrator's Guide.
  • See the chapter Using Oracle Wallet Manager.

Or click the following direct links.

15.1.1.6.2.4.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet > type
Typeenum (of string)

Description: When a wallet is needed, this is the type of content that is supplied: either a zip file or a directory path.

Must be one of:

  • "path"
  • "zip"
15.1.1.6.2.4.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet > content
Typestring

Description: The wallet content or path, expressed with the corresponding special-type annotation.

Refer to Special Types and Special Types Available in Kubernetes.

15.1.1.6.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > disable_hostname_verification
Typebool
Defaultfalse

Description: Set to true to disable hostname verification for SSL connections. The default, false, keeps hostname verification enabled.

15.1.1.7. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/conn_db

Description: Connection pool settings.

15.1.1.7.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > min_pool_size
Typenumber
Default5

Description: Minimum connection pool size

15.1.1.7.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_idle_size
Typenumber
Default10

Description: Maximum connection idle size

15.1.1.7.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_pool_size
Typenumber
Default50

Description: Maximum connection pool size

15.1.1.7.4. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_idle_time
Typenumber
Default10

Description: Maximum idle time in seconds

15.1.1.7.5. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > aged_timeout
Typenumber
Default30

Description: Age timeout, in seconds

15.1.1.7.6. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > connect_timeout
Typenumber
Default5

Description: Connect timeout, in seconds

15.1.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis)
Typeobject
Additional propertiesAny type: allowed

Description: Session Cache Server Connection

Read more about Session Cache Server Connection.

Example:

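runtime_db: mypq                                            # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: redis                                               # Specifies the type of session cache, in-memory, redis, or db.
  cfg: redis-standalone                                     # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection
server_connections:                                         # Server connections
  - name: mypq                                              # Connection name
    ...                                                     # Database connection settings elided; see the server_connection (database) section.
  - name: ldap_staging                                      # Connection name
    ...                                                     # LDAP connection settings elided; see the server_connection (ldap) section.
  - name: redis-standalone                                  # Connection name
    type: redis                                             # Connection type
    deployment:                                             # Redis deployment information. for `redis` type only
      model: standalone                                     # Deployment model. standalone or sentinel
      # master: master                                      # Master node information. For `sentinel` model only
    hosts:                                                  # List of host information (IP and port)
      - hostname: redis                                     # Server's hostname
        hostport: 6390                                      # Server's host port
    credential:                                             # Credential information to connect to the host.
      username: isva                                        # Specifies the username to access the server
      # Specifies the password for the redis server connection. It is recommended to obfuscate this (OBF: prefix) rather than store it in plaintext.
      password: 'OBF:oUqHV/2VlAeWb1D7uAdfQysti3vh44p5/rpCDR35gn4='
    ssl:                                                    # SSL settings for this connection.
      certificate:                                          # The SSL connection certificate array.
        - ks:redis_keys                                     # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:                                          # Client certificate material; needed only when the server requires mutual TLS.
        key: ks:rt_profile_keys/redis                       # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/redis               # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca:                                                 # The mutual_auth connection certificate array.
          - ks:rt_profile_keys/ca                           # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false                  # false (the default) keeps hostname verification on; set to true only to disable it.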

15.1.2.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > name
Typestring

Description: Connection name.

15.1.2.2. [Required] Property root > server_connections > server_connections items > server_connection (redis) > type
Typeconst

Description: Connection type

Specific value: "redis"

15.1.2.3. [Required] Property root > server_connections > server_connections items > server_connection (redis) > deployment
Typeobject
Additional propertiesAny type: allowed

Description: Redis deployment information

15.1.2.3.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > deployment > model
Typeenum (of string)

Description: Deployment model.

Must be one of:

  • "standalone"
  • "sentinel"
15.1.2.3.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > deployment > master
Typestring

Description: Master node information. Applies to the sentinel model only.

15.1.2.4. [Required] Property root > server_connections > server_connections items > server_connection (redis) > hosts
Typearray

Description: List of host information (IP and port)

Each item of this array must beDescription
hosts items-
15.1.2.4.1. root > server_connections > server_connections items > server_connection (redis) > hosts > hosts items
Typeobject
Additional propertiesAny type: allowed
15.1.2.4.1.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > hosts > hosts items > hostname
Typestring

Description: Redis Server's hostname

15.1.2.4.1.2. [Required] Property root > server_connections > server_connections items > server_connection (redis) > hosts > hosts items > hostport
Typenumber

Description: Redis Server's host port

15.1.2.5. [Required] Property root > server_connections > server_connections items > server_connection (redis) > credential
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/credential

Description: Credential information to connect to the Redis Server.

15.1.2.5.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > credential > username
Typestring

Description: Specifies the username to access the server.

15.1.2.5.2. [Required] Property root > server_connections > server_connections items > server_connection (redis) > credential > password
Typestring

Description: Specifies the password to access the server. Supply it as an obfuscated (OBF:) string rather than in plaintext.

15.1.2.6. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/ssl

Description: SSL settings.

15.1.2.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > certificate
Typearray of string

Description: The array of SSL certificates to be used for the SSL connection to the Redis server.

Each item of this array must beDescription
certificate items-
15.1.2.6.1.1. root > server_connections > server_connections items > server_connection (redis) > ssl > certificate > certificate items
Typestring
15.1.2.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth
Typeobject
Additional propertiesAny type: allowed
15.1.2.6.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > key
Typestring

Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.

15.1.2.6.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > certificate
Typestring

Description: When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.

15.1.2.6.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > ca
Typearray of string

Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.

Each item of this array must beDescription
ca items-
15.1.2.6.2.3.1. root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > ca > ca items
Typestring
15.1.2.6.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > disable_hostname_verification
Typebool
Defaultfalse

Description: Set to true to disable hostname verification for SSL connections. The default, false, keeps hostname verification enabled.

15.1.2.7. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/conn_redis

Description: Connection pool settings.

15.1.2.7.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > max_pool_size
Typenumber
Default50

Description: Maximum connection pool size.

15.1.2.7.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > min_idle_size
Typenumber
Default3

Description: Minimum connection idle size.

15.1.2.7.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > aged_timeout
Typenumber
Default10

Description: Age timeout, in seconds.

15.1.2.7.4. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > connect_timeout
Typenumber
Default5

Description: Connect timeout, in seconds.

15.1.2.7.5. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > idle_timeout
Typenumber
Default10

Description: Idle timeout, in seconds.

15.1.2.7.6. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > io_timeout
Typenumber
Default10

Description: Input/Output timeout, in seconds.

15.1.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap)
Typeobject
Additional propertiesAny type: allowed

Description: LDAP Server Connection

Read more about LDAP Server Connection.

Example:

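runtime_db: mypq                                            # Configuration of runtime database. Points to the database server connection.
session_cache:
  type: db                                                  # Specifies the type of session cache, in-memory, redis, or db.
  # cfg: redis-standalone                                   # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection
  # life_time: 600                                          # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600`
  # max_entries: 60000                                      # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000`
server_connections:                                         # Server connections
  - name: mypq                                              # Connection name
    ...                                                     # Database connection settings elided; see the server_connection (database) section.
  - name: ldap_staging                                      # Connection name
    type: ldap                                              # Connection type
    hosts:                                                  # List of host information (IP and port)
      - hostname: openldap                                  # Server's hostname
        hostport: 636                                       # Server's host port
    credential:                                             # Credential information to connect to the host.
      bind_dn: cn=root,secAuthority=Default                 # Specifies the binding credential for the LDAP server connection.
      # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this (OBF: prefix) rather than store it in plaintext.
      bind_password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0='
    ssl:                                                    # SSL settings for this connection.
      certificate:                                          # The SSL connection certificate array.
        - ks:ldap_keys                                      # The SSL keystore to be used for SSL connections. ks: indicates keystore.
      mutual_auth:                                          # Client certificate material; needed only when the server requires mutual TLS.
        key: ks:rt_profile_keys/ldap                        # When mutual TLS is needed, specify the keystore and label that contains the client's private key.
        certificate: ks:rt_profile_keys/ldap                # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.
        ca:                                                 # The mutual_auth connection certificate array.
          - ks:rt_profile_keys/ca                           # When mutual TLS is needed, specify the keystore and label of the client's CA certificate.
      disable_hostname_verification: false                  # false (the default) keeps hostname verification on; set to true only to disable it.
    conn_settings:                                          # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
      max_pool_size: 50                                     # Maximum connection pool size.
      connect_timeout: 3                                    # Connect timeout, in seconds.
      aged_timeout: 5                                       # Aged timeout, in seconds.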

15.1.3.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > name
Typestring

Description: Connection name.

15.1.3.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > type
Typeconst

Description: Connection type

Specific value: "ldap"

15.1.3.3. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts
Typearray

Description: List of host information (IP and port)

Each item of this array must beDescription
hosts items-
15.1.3.3.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items
Typeobject
Additional propertiesAny type: allowed
15.1.3.3.1.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > hostname
Typestring

Description: LDAP Server's hostname

15.1.3.3.1.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > hostport
Typenumber

Description: LDAP Server's host port

15.1.3.3.1.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > credential
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/credential_ldap

Description: Credential information to connect to the LDAP server. It can be specified at the top level if the settings are common across hosts.

15.1.3.3.1.3.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > credential > bind_dn
Typestring

Description: Specifies the binding credential for the LDAP server connection.

15.1.3.3.1.3.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > credential > bind_password
Typestring

Description: Specifies the binding password for the LDAP server connection. Supply it as an obfuscated (OBF:) string rather than in plaintext.

15.1.3.3.1.4. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/ssl

Description: SSL settings for the server. It can be specified at the top level if the settings are common across hosts.

15.1.3.3.1.4.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > certificate
Typearray of string

Description: The array of SSL certificates to be used for the SSL connection to the LDAP server.

Each item of this array must beDescription
certificate items-
15.1.3.3.1.4.1.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > certificate > certificate items
Typestring
15.1.3.3.1.4.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth
Typeobject
Additional propertiesAny type: allowed
15.1.3.3.1.4.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > key
Typestring

Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.

15.1.3.3.1.4.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > certificate
Typestring

Description: When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.

15.1.3.3.1.4.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > ca
Typearray of string

Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.

Each item of this array must beDescription
ca items-
15.1.3.3.1.4.2.3.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > ca > ca items
Typestring
15.1.3.3.1.4.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > disable_hostname_verification
Typebool
Defaultfalse

Description: Set to true to disable hostname verification for SSL connections. The default, false, keeps hostname verification enabled.

15.1.3.3.1.5. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/conn_ldap

Description: Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.

15.1.3.3.1.5.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings > max_pool_size
Typenumber
Default50

Description: Maximum connection pool size.

15.1.3.3.1.5.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings > aged_timeout
Typenumber
Default10

Description: Age timeout, in seconds.

15.1.3.3.1.5.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings > connect_timeout
Typenumber
Default5

Description: Connect timeout, in seconds.

15.1.3.4. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > credential
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/credential_ldap

Description: Credential information to connect to the LDAP server

15.1.3.4.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > credential > bind_dn
Typestring

Description: Specifies the binding credential for the LDAP server connection.

15.1.3.4.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > credential > bind_password
Typestring

Description: Specifies the binding password for the LDAP server connection. Supply it as an obfuscated (OBF:) string rather than in plaintext.

15.1.3.5. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/ssl

Description: SSL settings.

15.1.3.5.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > certificate
Typearray of string

Description: The array of SSL certificates to be used for the SSL connection to the LDAP server.

Each item of this array must beDescription
certificate items-
15.1.3.5.1.1. root > server_connections > server_connections items > server_connection (ldap) > ssl > certificate > certificate items
Typestring
15.1.3.5.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth
Typeobject
Additional propertiesAny type: allowed
15.1.3.5.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > key
Typestring

Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.

15.1.3.5.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > certificate
Typestring

Description: When mutual TLS is needed, specify the keystore and label of the client's leaf certificate.

15.1.3.5.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > ca
Typearray of string

Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.

Each item of this array must beDescription
ca items-
15.1.3.5.2.3.1. root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > ca > ca items
Typestring
15.1.3.5.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > disable_hostname_verification
Typebool
Defaultfalse

Description: Set to true to disable hostname verification for SSL connections. The default, false, keeps hostname verification enabled.

15.1.3.6. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings
Typeobject
Additional propertiesAny type: allowed
Defined in#/$def/conn_ldap

Description: Connection pool settings.

15.1.3.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings > max_pool_size
Typenumber
Default50

Description: Maximum connection pool size.

15.1.3.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings > aged_timeout
Typenumber
Default10

Description: Age timeout, in seconds.

15.1.3.6.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings > connect_timeout
Typenumber
Default5

Description: Connect timeout, in seconds.

16. [Optional] Property root > attribute_sources
Typearray of object
Defined inyaml_attributesource.yml#/definitions/attribute_sources

Description: Attribute Sources

Read more about Attribute Sources.

Each item of this array must be:
attribute_sources items: Attribute source can be categorized into 'value', 'credential', and 'ldap'. Refer to each attribute source category for details.

16.1. root > attribute_sources > attribute_sources items

Typeobject
Additional propertiesAny type: allowed

Description: Attribute source can be categorized into value, credential, and ldap. Refer to each attribute source category for details.

16.1.1. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (value)
Typeobject
Additional propertiesAny type: allowed
16.1.1.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > id
Typestring
Defined in#/$def/attribute_source/properties/id

Description: Attribute source ID.

16.1.1.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > name
Typestring
Defined in#/$def/attribute_source/properties/name

Description: Attribute source name.

16.1.1.3. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > type
Typeconst

Description: Attribute source type.

Specific value: "value"

16.1.1.4. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > value
Typestring

Description: Attribute source value. For an attribute source of type value, this field holds the fixed value.

16.1.2. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (credential)
Typeobject
Additional propertiesAny type: allowed
16.1.2.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > id
Typestring
Defined in#/$def/attribute_source/properties/id

Description: Attribute source ID.

16.1.2.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > name
Typestring
Defined in#/$def/attribute_source/properties/name

Description: Attribute source name.

16.1.2.3. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > type
Typeconst

Description: Attribute source type.

Specific value: "credential"

16.1.2.4. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > value
Typestring

Description: Attribute source value. For credential type, it refers to a credential attribute.

16.1.3. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (ldap)
Typeobject
Additional propertiesAny type: allowed
16.1.3.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > id
Typestring
Defined in#/$def/attribute_source/properties/id

Description: Attribute source ID.

16.1.3.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > name
Typestring
Defined in#/$def/attribute_source/properties/name

Description: Attribute source name.

16.1.3.3. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > type
Typeconst

Description: Attribute source type.

Specific value: "ldap"

16.1.3.4. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > value
Typestring

Description: Attribute source value. For ldap type, it refers to an LDAP attribute to be retrieved.

16.1.3.5. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > scope
Typeenum (of string)

Description: Only applicable for attribute source of type ldap. LDAP search scope.

Must be one of:

  • "base"
  • "one level"
  • "subtree"
16.1.3.6. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > filter
Typestring

Description: Only applicable for attribute source type ldap. LDAP search filter. It might contain macros, as shown in the example below.

16.1.3.7. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > selector
Typestring

Description: Only applicable for attribute source type ldap. LDAP selector that contains attributes that are retrieved together.

16.1.3.8. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > srv_conn
Typestring

Description: Only applicable for attribute source type ldap. Name of the LDAP server connection; this field links the attribute source to a server connection of type ldap.

16.1.3.9. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > baseDN
Typestring

Description: Only applicable for attribute source of type ldap. LDAP base DN. It might contain macros similar to filter.

Example:

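attribute_sources:
  - id: '1'                                   # Attribute source ID. The schema declares it a string, so quote number-looking IDs.
    name: display_name                        # Attribute source name.
    type: value                               # Fixed-value source: `value` holds the literal that is returned.
    value: anonymous
  - id: '2'
    name: age
    type: credential                          # Credential source: `value` refers to a credential attribute.
    value: AZN_CRED_AGE
  - id: '3'
    name: surname
    type: ldap                                # LDAP source: `value` is the LDAP attribute to be retrieved.
    value: sn
    scope: subtree                            # LDAP search scope: base, one level, or subtree.
    filter: (cn={AZN_CRED_PRINCIPAL_NAME})    # LDAP search filter; it might contain macros.
    selector: nickname,gender,sn              # LDAP attributes that are retrieved together.
    srv_conn: ldap                            # Name of the ldap server connection this source uses.
    baseDN: dc=ibm,dc=com                     # LDAP base DN; it might contain macros like filter.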

17. [Optional] Property root > ldapcfg
Typearray of object
Defined inyaml_ldapcfg.yml#/definitions/ldapcfg

Description: LDAP configuration used by the UserLookupHelper and LdapAttributeUtil JavaScript utilities.

Each item of this array must be:
ldapcfg items: LDAP Configuration ...

17.1. root > ldapcfg > ldapcfg items

Typeobject
Additional propertiesAny type: allowed

Description: LDAP Configuration

Read more about LDAP configuration.

17.1.1. [Required] Property root > ldapcfg > ldapcfg items > name
Typestring

Description: The unique name of this ldap configuration. This name is used to initialize UserLookupHelper and LdapAttributeUtil.

17.1.2. [Required] Property root > ldapcfg > ldapcfg items > filter
Typestring

Description: Search filter for UserLookupHelper

17.1.3. [Required] Property root > ldapcfg > ldapcfg items > user_object_classes
Typestring

Description: Comma-separated user object classes

17.1.4. [Required] Property root > ldapcfg > ldapcfg items > attribute
Typestring

Description: Main Attribute to be retrieved

17.1.5. [Required] Property root > ldapcfg > ldapcfg items > selector
Typestring

Description: Comma-separated attributes that are retrieved

17.1.6. [Required] Property root > ldapcfg > ldapcfg items > srv_conn
Typestring

Description: The name of the LDAP server connection that this LDAP configuration applies to. The server connection is defined in the server_connections section of the storage configuration.

17.1.7. [Required] Property root > ldapcfg > ldapcfg items > baseDN
Typestring

Description: Base DN

Example:

ldapcfg:
  - name: 'ldap_staging_config_01'                                            # Unique name; used to initialize UserLookupHelper and LdapAttributeUtil.
    filter: '(|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))'  # Search filter for UserLookupHelper.
    user_object_classes: 'top,Person,organizationalPerson,inetOrgPerson'      # Comma-separated user object classes.
    attribute: 'uid'                                                          # Main attribute to be retrieved.
    selector: 'objectClass,cn,sn,givenName,userPassword'                      # Comma-separated attributes that are retrieved.
    srv_conn: 'ldap_staging'                                                  # Name of the ldap server connection this configuration applies to.
    baseDN: 'dc=ibm,dc=com'                                                   # Base DN.
18. [Optional] Property root > clients
Typearray of object
Defined inyaml_clients.yml#/definitions/clients

Description: Clients

Read more about Clients.

Each item of this array must be: clients items — Client Configuration (see 18.1 below).

18.1. root > clients > clients items

Typeobject
Additional propertiesAny type: allowed

Description: Client Configuration

Read more about Client Configuration.

18.1.1. [Required] Property root > clients > clients items > client_id
Typestring

Description: Client identifier.

18.1.2. [Required] Property root > clients > clients items > client_secret
Typestring

Description: Client secret that is used for client authentication and for symmetric JWT signing and encryption. Store it as an obfuscated string rather than plaintext; the obfuscation key is read from the secrets stanza (obf_key) of the provider configuration. Note that obfuscation is reversible by anyone holding the obfuscation key, so access to both the client configuration and the key material must be restricted, and the secret should be generated with enough entropy for its use as a signing/encryption key.

18.1.3. [Required] Property root > clients > clients items > client_name
Typestring

Description: Name of the client.

18.1.4. [Optional] Property root > clients > clients items > client_id_issued_at
Typetimestamp

Description: Timestamp (in seconds) from when the client is created.

18.1.5. [Required] Property root > clients > clients items > enabled
Typeboolean

Description: Set to true to enable this client

18.1.6. [Required] Property root > clients > clients items > grant_types
Typestring array

Description: The grant types (one or more) that the client is allowed to use at the token endpoint. Register only the grant types the client genuinely needs.

18.1.7. [Required] Property root > clients > clients items > response_types
Typestring array

Description: The response types (one or more) that the client is allowed to use at the authorization endpoint.

18.1.8. [Required] Property root > clients > clients items > redirect_uris
Typestring array

Description: Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows. Register complete, exact URIs (scheme, host, port and path) rather than prefixes or wildcards, so that an attacker-supplied redirect_uri cannot match and capture the authorization response.

18.1.9. [Required] Property root > clients > clients items > request_uris
Typestring array

Description: Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.

18.1.10. [Optional] Property root > clients > clients items > scopes
Typestring array

Description: A list of scope values that the client can use when it requests access tokens.

18.1.11. [Optional] Property root > clients > clients items > jwks_uri
Typestring

Description: URL string that references the client's JSON Web Key (JWK) set document that contains the client's public keys.

18.1.12. [Optional] Property root > clients > clients items > id_token_signed_response_alg
Typestring

Description: JWS alg algorithm for signing the ID Token that is issued to the Client. Optional. If present, it must always be the same as the token_settings.signing_alg value set in the provider configuration.

18.1.13. [Optional] Property root > clients > clients items > id_token_encrypted_response_alg
Typestring

Description: JWE alg algorithm for encrypting the ID Token that is issued to the Client.

18.1.14. [Optional] Property root > clients > clients items > id_token_encrypted_response_enc
Typestring

Description: JWE enc algorithm for encrypting the ID Token that is issued to the Client.

18.1.15. [Optional] Property root > clients > clients items > userinfo_signed_response_alg
Typestring

Description: JWS alg algorithm for signing UserInfo Responses.

18.1.16. [Optional] Property root > clients > clients items > userinfo_encrypted_response_alg
Typestring

Description: JWE alg algorithm for encrypting UserInfo Responses.

18.1.17. [Optional] Property root > clients > clients items > userinfo_encrypted_response_enc
Typestring

Description: JWE enc algorithm for encrypting UserInfo Responses.

18.1.18. [Optional] Property root > clients > clients items > request_object_signing_alg
Typestring

Description: JWS alg algorithm that must be used for signing Request Objects sent to the OIDC Provider.

18.1.19. [Optional] Property root > clients > clients items > request_object_encryption_alg
Typestring

Description: JWE alg algorithm the Relying Party is declaring that it may use for encrypting Request Objects sent to the OIDC Provider.

18.1.20. [Optional] Property root > clients > clients items > request_object_encryption_enc
Typestring

Description: JWE enc algorithm the Relying Party is declaring that it might use for encrypting Request Objects sent to the OIDC Provider.

18.1.21. [Required] Property root > clients > clients items > token_endpoint_auth_method
Typestring

Description: Requested client authentication method for the backend endpoints (token, introspect, revoke) — for example private_key_jwt (see token_endpoint_auth_signing_alg) or mutual-TLS client authentication (see the tls_client_auth_* properties below).

18.1.22. [Optional] Property root > clients > clients items > token_endpoint_auth_signing_alg
Typestring

Description: JWS alg algorithm that must be used for signing the JWT that authenticates the Client at the Token Endpoint when the private_key_jwt authentication method is used.

18.1.23. [Optional] Property root > clients > clients items > token_endpoint_auth_single_use_jti
Typeboolean

Description: When set to true and a client assertion (JWT) is used to perform client authentication, each assertion's jti is accepted only once, so a captured assertion cannot be replayed. Recommended whenever client assertions are used.

18.1.24. [Optional] Property root > clients > clients items > tls_client_auth_subject_dn
Typestring

Description: Expected subject distinguished name of the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.25. [Optional] Property root > clients > clients items > tls_client_auth_san_dns
Typestring

Description: Expected DNS name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.26. [Optional] Property root > clients > clients items > tls_client_auth_san_email
Typestring

Description: Expected RFC822 name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.27. [Optional] Property root > clients > clients items > tls_client_auth_san_ip
Typestring

Description: Expected IP address SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.28. [Optional] Property root > clients > clients items > tls_client_auth_san_uri
Typestring

Description: Expected URI SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.

18.1.29. [Optional] Property root > clients > clients items > tls_client_certificate_bound_access_tokens
Typeboolean
Defaultfalse

Description: Indicates the client's intention to use mutual-TLS client certificate-bound access tokens, so that an issued access token is tied to the client certificate presented at the token endpoint and cannot be used by a bearer that does not hold that certificate. The default value is false.

18.1.30. [Optional] Property root > clients > clients items > require_pushed_authorization_requests
Typeboolean

Description: Indicates the client's intention to enforce the use of pushed authorization requests (PAR) to start the authorization flow.

18.1.31. [Optional] Property root > clients > clients items > require_pkce
Typeboolean

Description: Indicates the client's intention to enforce the use of Proof Key for Code Exchange (PKCE) in the authorization code flow. Strongly recommended for public clients, which cannot otherwise protect the authorization code.

18.1.32. [Optional] Property root > clients > clients items > backchannel_token_delivery_mode
Typeenum (of string)

Description: Backchannel token delivery mode. One of the following values: poll or ping

Must be one of:

  • "poll"
  • "ping"
18.1.33. [Optional] Property root > clients > clients items > backchannel_user_code_parameter
Typeboolean
Defaultfalse

Description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is false. This parameter applies only when definition.backchannel_settings.user_code_support in the provider configuration is set to true.

18.1.34. [Optional] Property root > clients > clients items > backchannel_client_notification_endpoint
Typestring

Description: REQUIRED if the token delivery mode is set to ping. This is the endpoint to which ISVAOP posts a notification after a successful or failed end-user authentication. It MUST be an HTTPS URL.

18.1.35. [Optional] Property root > clients > clients items > dpop_bound_access_tokens
Typeboolean

Description: Boolean value specifying whether the jkt claim (the JWK thumbprint of the DPoP proof key) is added to the cnf claim of the access token, binding the token to that key.

18.1.36. [Optional] Property root > clients > clients items > dpop_signing_alg
Typestring

Description: Expected JWS alg algorithm used to sign the DPoP proof JWT. Optional.

18.1.37. [Optional] Property root > clients > clients items > dpop_single_use_jti
Typeboolean

Description: When set to true, each DPoP proof JWT must carry a unique identifier in its jti claim, and a jti that has already been seen is not accepted again (replay protection for captured proofs).

18.1.38. [Optional] Property root > clients > clients items > response_modes
Typestring array

Description: This parameter informs the authorization server of the allowed list of modes that the client expects for the authorization response.

18.1.39. [Optional] Property root > clients > clients items > token_exchange_settings
Typeobject
Additional propertiesAny type: allowed

Description: Token exchange configuration.

18.1.39.1. [Optional] Property root > clients > clients items > token_exchange_settings > client_groups
Typestring array

Description: The list of OpenID Connect client groups. Client groups are a way of tagging clients: tokens generated by a client can be used as the subject token for token exchange with another client that carries the same tag. If this list is empty, any client can use the tokens generated by this client as the subject token for token exchange — this is the permissive default, so set explicit groups when exchange should be restricted to a known set of clients.

18.1.39.2. [Optional] Property root > clients > clients items > token_exchange_settings > supported_subject_token_types
Typestring array

Description: This parameter indicates the list of subject token types supported for token exchange. A subject token represents the identity of the party on behalf of whom the token is being requested.

18.1.39.3. [Optional] Property root > clients > clients items > token_exchange_settings > supported_requested_token_types
Typestring array

Description: This parameter indicates the list of requested token types supported for token exchange.

18.1.39.4. [Optional] Property root > clients > clients items > token_exchange_settings > supported_actor_token_types
Typestring array

Description: This parameter indicates the list of actor token types supported for token exchange. An actor token represents the identity of the party to whom the access rights of the issued token are being delegated.

18.1.40. [Optional] Property root > clients > clients items > extension
Typeobject
Additional propertiesAny type: allowed

Description: Other information about the client that does not fit the metadata above.
The following non-exhaustive list of information goes in the extension.

18.1.40.1. [Optional] Property root > clients > clients items > extension > company_name
Typestring

Description: Company name that is associated with this Client.

18.1.40.2. [Optional] Property root > clients > clients items > extension > company_url
Typestring

Description: Company URL that is associated with this Client.

18.1.40.3. [Optional] Property root > clients > clients items > extension > email
Typestring

Description: Email address that is associated with this Client.

18.1.40.4. [Optional] Property root > clients > clients items > extension > phone
Typestring

Description: Phone number that is associated with this Client.

18.1.40.5. [Optional] Property root > clients > clients items > extension > contact_person
Typestring

Description: Contact person that is associated with this Client.

18.1.40.6. [Optional] Property root > clients > clients items > extension > contact_type
Typestring

Description: Contact type that is associated with this Client.

18.1.40.7. [Optional] Property root > clients > clients items > extension > otherInfo
Typestring

Description: Other information associated with this Client.

18.1.40.8. [Optional] Property root > clients > clients items > extension > encryptKey
Typestring

Description: Key label of the signer key that is used to encrypt ID token.

18.1.40.9. [Optional] Property root > clients > clients items > extension > encryptDB
Typestring

Description: Keystore of the signer key that is used to encrypt ID token.

18.1.40.10. [Optional] Property root > clients > clients items > extension > contacts
Typestring array

Description: Email addresses of people responsible for the Client.

18.1.40.11. [Optional] Property root > clients > clients items > extension > logo_uri
Typestring

Description: URL that references a logo for the Client application.

18.1.40.12. [Optional] Property root > clients > clients items > extension > client_uri
Typestring

Description: URL of the home page of the Client.

18.1.40.13. [Optional] Property root > clients > clients items > extension > policy_uri
Typestring

Description: URL