YAML Configuration Guide
Schema Docs
Description: Yaml Configuration Guide.
To get started with authoring ISVAOP configuration YAML, refer to the Configuration.
Example:
# Full YAML based configuration example
version: 24.06
server:
ssl:
key: 'secret:keystore/httpserverkey.pem'
certificate: 'secret:keystore/httpservercert.pem'
require_mtls : true
client_auth_trust_store : ks:truststore
pages:
type: zip
content: "configmap:provider/pages.zip"
logging:
level: debug
secrets:
obf_key: 'secret:keystore/obf_key'
template_macros:
user_macros:
- name
- family_name
- given_name
- display_name
request_macros:
- authorization_details
- claims
- user_code
- state
ssl:
certificate:
- ks:rt_profile_keys
disable_hostname_verification: true
definition:
id: 1
name: OIDC Definition
grant_types:
- authorization_code
- implicit
- password
- client_credentials
- refresh_token
- 'urn:openid:params:grant-type:ciba'
access_policy_id: 1
pre_mappingrule_id: 100
post_mappingrule_id: 101
base_url: 'https://localhost:445'
mtls_base_url: 'https://localhost:445'
mtls_certificate_header_name: X-Client-Certificate
features:
enable_fault_tolerance: false
enable_dynamic_registration: true
consent_prompt: NEVER_PROMPT
fapi_compliant: false
enforce_par: false
token_settings:
issuer: 'https://www.ibm.com'
signing_alg: RS256
signing_keystore: rt_profile
signing_keylabel: rsa256
authorization_code_lifetime: 300
access_token_lifetime: 7200
id_token_lifetime: 3600
refresh_token_lifetime: 64800
request_object:
lifetime: 3600
require_expiry: true
only_request_object_params: false
enforce_single_usage: false
backchannel_settings:
default_expiry: 900
maximum_expiry: 1800
polling_interval: 5
notifyuser_mappingrule_id: notifyuser
checkstatus_mappingrule_id: checkstatus
attribute_map:
name: display_name # 1
age: age # 2
metadata:
claims_supported:
- iss
- name
- displayName
janitor:
batch_size: 1000
max_duration: 0
check_frequency: 10
jwks:
signing_keystore: rt_profile
encryption_keystore: rt_profile
authentication:
endpoint: >-
https://auth-machine/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:password
callback_param_name: Target
javascript:
timeout: 0
max_load: 16
max_idle_time: 600
max_ctx_in_isolate: 0
cleanup_frequency: 0
use_pool: false
dynamic_registration:
recipe: Default
mappingrule_id: dcr
software_statement_validation:
jwks_uri: >-
https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
signing_algs:
- PS256
- ES256
registration_endpoint_authentication:
require_mtls: false
require_bearer_token: false
require_software_statement: false
allow_custom_client_creds: true
management_endpoint_authentication:
require_mtls: false
require_bearer_token: true
require_software_statement: false
registration_access_token:
generate: true
lifetime: 86400
scopes:
- 'cdr:registration'
runtime_db: mydb2
session_cache:
type: redis
cfg: myredis
server_connections:
- name: mydb2
type: db2
database_name: secret:storage/mydb2_dbname
hosts:
- hostname: secret:storage/mydb2_hostname1
hostport: secret:storage/mydb2_hostport1
credential:
username: secret:storage/mydb2_username
password: secret:storage/mydb2_password
conn_settings:
max_pool_size: 50
max_idle_size: 5
max_idle_time: 10
aged_timeout: 30
connect_timeout: 5
ssl:
certificate:
- ks:rt_profile
- 'b64:LS0tLS1CRUdJTiBDR...LQo='
disable_hostname_verification: true
- "configmap:storage/myredis.yml"
- name: ldap_test
type: ldap
hosts:
- hostname: pentest-isva-openldap
hostport: 636
credential:
bind_dn: 'cn=root,secAuthority=default'
bind_password: passw0rd
ssl:
certificate:
- ks:rt_profile
disable_hostname_verification: true
conn_settings:
max_pool_size: 50
connect_timeout: 3
attribute_sources:
- id: 1
name: display_name
type: value
value: anonymous
- id: 2
name: age
type: credential
value: AZN_CRED_AGE
- id: 3
name: website
type: ldap
value: website
scope: subtree
filter: (objectclass=*)
selector: nickname,gender,sn
srv_conn: ldap
baseDN: dc=iswga
- "configmap:attrsrc/attr_src_3_dup1.yml"
ldapcfg:
- name: ldap_test_cfg_01
scope: subtree
user_object_classes: top,Person,organizationalPerson,inetOrgPerson
filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
selector: objectClass,cn,sn,givenName,userPassword
srv_conn: ldap_test
attribute: uid
baseDN: dc=ibm,dc=com
rules:
access_policy:
- name: default_policy
type: javascript
content: |
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
...
mapping:
- name: isvaop_pretoken
content: |
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
...
- name: isvaop_posttoken
content: |
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
...
- name: attrUtil
content: "B64:aW1wb3J0Q2xhc3MoUGFj...Cg=="
- name: checkstatus
content: "configmap:rules/mapping_checkstatus.js"
- name : dcr
content: "B64:aW1wb...pCn0K"
- name: extCache
content: |
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
...
- name: httpClient
content: "configmap:rules/mapping_httpClient.js"
- name: jwt
content: "B64:aW1wb...T047"
- name: ldapClient
content: |
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
...
- name: library
content: "configmap:rules/mapping_library.js"
- name: notifyuser
content: |
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
...
- name: oauthUtil
content: "B64:aW1w...Cgo="
- name: ropc
content: |
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
...
clients:
- client_id: client01
client_id_issued_at: 1642399207
client_secret: secret
client_secret_expires_at: 0
client_name: Client Test
enabled: true
redirect_uris:
- https://www.google.com
grant_types:
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
- urn:openid:params:grant-type:ciba
response_types:
- code id_token
- code token id_token
- code
- code token
- none
- code token id_token
scopes:
- openid
- profile
- test
token_endpoint_auth_method: client_secret_post # tls_client_auth # client_secret_post
token_endpoint_auth_signing_alg: RS384
token_endpoint_auth_single_use_jti: false
tls_client_auth_subject_dn: CN=oidc-dev-test.ite1.idng.ibmcloudsecurity.com,OU=,O=,L=,ST=,C=
tls_client_certificate_bound_access_tokens: false
id_token_signed_response_alg: PS512
jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
request_object_signing_alg: ES256
require_pushed_authorization_requests: false
require_pkce: false
backchannel_token_delivery_mode: poll
backchannel_client_notification_endpoint: https://notifyme.com
backchannel_user_code_parameter: false
extension:
contact_type: "ADMINISTRATIVE"
encryptDB: "rt_profile_keys"
phone: "12345678"
contact_person: "TESTUSER"
company_name: "IBM"
company_url: "https://ibm.com"
encryptKey: "server"
email: "[email protected]"
- client_id: client01dpop
client_id_issued_at: 1642399207
client_secret: secret
client_secret_expires_at: 0
client_name: Client Test
enabled: true
redirect_uris:
- https://www.google.com
grant_types:
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
- urn:openid:params:grant-type:ciba
response_types:
- code id_token
- code token id_token
- code
- code token
- none
- code token id_token
scopes:
- openid
- profile
- test
token_endpoint_auth_method: client_secret_post # tls_client_auth # client_secret_post
id_token_signed_response_alg: PS512
jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
dpop_bound_access_tokens: true
dpop_signing_alg: PS256
dpop_single_use_jti: false
- "configmap:clients/client01jarm.yml"
- "configmap:clients/client01mtls.yml"
- "configmap:clients/client01ping.yml"
- "configmap:clients/client01pingmisconfig.yml"
- "configmap:clients/client01pingmtls.yml"
- "configmap:clients/client01pingmtlsmisconfig.yml"
- "configmap:clients/client01pwt.yml"
- client_id: client02
client_id_issued_at: 1642399207
client_secret: secret
client_secret_expires_at: 0
client_name: Client Test
enabled: true
redirect_uris:
- https://www.google.com
- https://www.mysp.ibm.com/isam/sps/oidc/rp/oidcrp/redirect/partner2
grant_types:
- authorization_code
- password
- client_credentials
- implicit
- refresh_token
response_types:
- code id_token
- code id_token token
- code
- code token
scopes:
- openid
- profile
token_endpoint_auth_method: tls_client_auth
token_endpoint_auth_signing_alg: RS384
token_endpoint_auth_single_use_jti: false
tls_client_auth_subject_dn: CN=clientID01,OU=security,O=IBM,L=singapore,ST=singapore,C=SG
tls_client_certificate_bound_access_tokens: true
id_token_signed_response_alg: PS512
jwks_uri: https://oidc-dev-test.ite1.idng.ibmcloudsecurity.com/oidc/endpoint/default/jwks
request_object_signing_alg: PS256
require_pushed_authorization_requests: false
require_pkce: false
extension:
email: [email protected]
contactType: ADMINISTRATOR
companyName: IBM
encryptDB: rt_encrypt
encryptKey: rsa
keystore:
- name: db2client
type: p12
content: "secret:keystore/db2client.p12"
password: "secret:keystore/db2client.obf"
- name: test
type: p12
content: "secret:keystore/test.p12"
password: "secret:keystore/test.obf"
- name: postgres
type: p12
content: "secret:keystore/postgres.p12"
password: "secret:keystore/postgres.obf"
- name: redis
type: p12
content: "B64:MIIWX...AA=="
password: "p@ssw0rd"
- name: rt_profile
type: zip
content: "secret:keystore/rt_profile.zip"
- name: rt_profile_dup01
type: zip
content: "B64:UEsDBBQAA.....A"
- name: rt_profile_keys
type: pem
certificate:
- label: httpservercert
content: "B64:LS0tL...g=="
- label: ldap
content: "secret:keystore/rt_profile_keys_signer_ldap.pem"
- label: ldap_gh
content: |
-----BEGIN CERTIFICATE-----
MIIDBzCCAo2gAwIBAgIUbfkAdyPC1l5aUiTt6OUbS9Q+MbkwCgYIKoZIzj0EAwMw
g...
p8HLCUpB/3KPtmg=
-----END CERTIFICATE-----
- label: localLDAP
content: "secret:keystore/rt_profile_keys_signer_localLDAP.pem"
- label: rel-verify-ibmcloudsecurity-com-chain
content: "B64:LS0tLS1CR...Q0K"
key:
- label: httpserverkey
content: |
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDcfy4ptpTSA2DE
...
tf5q/y+aDIXOsF03swP+J60GPQ==
-----END PRIVATE KEY-----
- name: truststore
type: pem
certificate:
- label: mtlsclientcert
content: |
-----BEGIN CERTIFICATE-----
MIIE5jCCAs6gAwIBAgIII7QhYxUdmcswDQYJKoZIhvcNAQELBQAwETEPMA0GA1UE
AxMGaXN2YW9wMB4XDTI0MDQwNzA0MTMwNFoXDTM0MDQwNjA0MTMwNFowETEPMA0G
A1UEAxMGaXN2YW9wMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmukm
abTj0CHVrG/nTDAMm+jEQ7YJURg/XfQpIlrELLMEubXHDzn3Rk4jYkwaJHnKd2Jz
nWVluSyngF/TgWqhRALdKn4zel1djia8pB6fkoOkjHqlNlX86O7PDvgVko2HBXBL
2CJsOa787pw8kl4Odw9W6WeRmHz6VybTw91z0xfjfk3MCgCKUXg61RFlYtOIHU8B
jeUxitwWBcF93Qa/AB7MXINKHSmxfqNqfMJMH26Dfu6N0DWQEttEmUphNo1NJynC
ofZUUImGJcDKmr8m8JeSwLBXha0dvOmNnFVQ4GkUwsOk3zjP21JwB6Gy4TqvcYSU
tt7jrJSqTeJFKIH2FMHbegpxwCDVlVz3cmilsIv1n9I4glkZCNLn2xNnYGyMW+tH
/K628zKeB1KfZIcubgp1iMzmMhcSkiQ3Fpg7gSNRSDSMp8qPbK4b1qEqTux5KO5d
HHUy3+MJHZX/0S7EYMmSbMC9sdFs75i3/eHEWtkcX8X2pS0CS+JzVG/Of3Ua1wwg
qx8HxOMEDkxqzwQGA4/pzHh8CwXZ4bPKEIhMGW9z0Q2FE2LNeAu7t5ZurDecgkOP
4nelnABqMTfdJQ38+0H5BkUEXdLxXzFQpKpFsZQpOfw9mu6JCgbElfbmltPDhGEw
0+WqjaPLg+dxXjPAPVQn55fnd7W1CpCxy66xnvMCAwEAAaNCMEAwHQYDVR0OBBYE
FA13+nOk4op66sDx6loy2OoTaHJFMB8GA1UdIwQYMBaAFA13+nOk4op66sDx6loy
2OoTaHJFMA0GCSqGSIb3DQEBCwUAA4ICAQBwM7lTvU7ChadVtKfdMceQleVWDcJu
5hBKhwGfk+2udW4naJrKWfCO88zsm1D62b+bYb4myAJiUxxqA2pIioI9Veaor/U8
iQXZXC9NxA8gmyFr2KO47siIbbIK2QNeAePMh7FVOkzRq21FWgIJI+D7QXiMy3YZ
PORq2qZJfyLmKoMEfnH4sdTu61BRzKuiL6crThTuB4agXAv1YeevKr2DX3tQ9etW
WUQFF9ZiGWazUY6OoHyWxlQX5edShZbmwAJ/6A+DZ1Tywh5j4xVOWZzqDoAIqiIW
xytHUnVwthGYNQV6q52E39xGHVn5pu0Co/3cmvnguc9IRbLcmBakM7llC07YWvWV
2UGLqggRMR1B11FJZ5lubOL2hyqswGTz7AP4vrS/VLVmO7pcIZoz4pLMH6FBC+6/
sI8c59jmFNmY4Ue0peLfnx+bWI9pEebh56hSTeNCvWdiJgRcE4Avf9iIG0q75nJ1
n5+hGN9kBmT68uumA2waCkNtOX+75GD/m45d7slH3IHTg7YhtwnuepZe0cL/7Ksf
CuIhUVZK9BYqKKE2CsaTGM7XquFg1jjPHBCQ3zCMHd+JlKzpGKay3Jm9gi2lMZeF
wx7TNlZtKhNpxV0bO3x5aF+fjEWTBuqXooMAfNai7iANaNlLbWgvtbSo0xRFrI2j
TV+GFMVLwuHGPg==
-----END CERTIFICATE-----
1. [Optional] Property root > version
Type string
Default 22.12
Defined in yaml_provider.yml#/definitions/version Description: The IBM Security Verify Access OIDC Provider (ISVAOP) configuration version. If
version
is not specified, the default value22.12
will be used.
2. [Required] Property root > definition
Description: Definition
Read more about Definition.
Example:
definition: id: 1 # Definition ID name: OIDC Definition # Definition Name grant_types: # Supported grant types. - authorization_code - implicit - password - client_credentials - refresh_token - urn:openid:params:grant-type:ciba - urn:ietf:params:oauth:grant-type:token-exchange access_policy_id: 1 # Access Policy Rule ID. pre_mappingrule_id: isvaop_pretoken # Pre-Token mapping rule ID. post_mappingrule_id: isvaop_posttoken # Post-Token mapping rule ID. ropc_mappingrule_id: ropc # ROPC mapping rule ID. base_url: https://isvaop.ibm.com:445 # Base url of the endpoints. mtls_base_url: https://isvaop.ibm.com:445 # Base url of the MTLS endpoints. mtls_certificate_header_name: x-client-certificate # HTTP header name that contains MTLS certificate. features: # Features Flags enable_fault_tolerance: false # Enable multiple refresh token for fault tolerance. consent_prompt: ALWAYS_PROMPT # Prompt for consent. ALWAYS_PROMPT, NEVER_PROMPT, PROMPT_ONCE_AND_REMEMBER fapi_compliant: false # Whether to enforce all the FAPI checks. enforce_par: false # Only accept authorize request using push authorize. prefer_claims_at_userinfo: true # This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token. token_settings: # Token Settings issuer: https://isvaop.ibm.com # OP's issuer URI. signing_alg: PS512 # Signing algorithm for ID token generated. signing_keystore: rt_profile_keys # Signing keystore name. signing_keylabel: rsa256 # Signing key label. encryption_alg: none # Key encryption algorithm for ID token generated. encryption_enc: none # Content encryption algorithm for ID token generated. authorization_code_lifetime: 300 # Lifetime of authorization code. access_token_lifetime: 7200 # Lifetime of access token. id_token_lifetime: 3600 # Lifetime of id_token. refresh_token_lifetime: 64800 # Lifetime of refresh token. backchannel_settings: # Backchannel Settings default_expiry: 900 # The default CIBA session lifetime in seconds. If not specified, it is set to 900 seconds. maximum_expiry: 1800 # Maximum CIBA session lifetime in seconds. If not specified, it is set to 1800 seconds. polling_interval: 5 # Polling interval value that will be communicated to the relying party. Default is 5 seconds. notifyuser_mappingrule_id: notifyuser # Mapping rule ID that will be executed when notifying the user. Default is `notifyuser`. checkstatus_mappingrule_id: checkstatus # Mapping rule ID that will be executed when checking authentication status. Default is `checkstatus`. user_code_support: false # Whether this CIBA implementation supports user_code. This information will be published in `.well-known` endpoint. attribute_map: # Attribute mapping to resolve claims. also refer to attributesources.yml name: display_name age: age metadata: # name-value pair to override metadata information claims_supported: - iss - name - displayName dpop_max_lifetime: 3600 # Lifetime of DPoP proof JWT. request_object: lifetime: 3600 # Lifetime of the incoming JWT-Secured Authorization Request. require_expiry: true # Boolean flag to check if the JWT-Secured Authorization Request contains a exp claim. only_request_object_params: false # Boolean flag to enforce the JWT-Secured Authorization Request to contain all the request parameters. enforce_single_usage: false # Boolean flag to enforce single use of a JWT-Secured Authorization Request.
2.1. [Optional] Property root > definition > id
Type string
Description: Definition ID.Required for DCR flows.
2.2. [Optional] Property root > definition > name
Type string
Description: Definition Name. Required for DCR flows.
2.3. [Required] Property root > definition > grant_types
Type array of string
Description: Supported grant types.
Each item of this array must be Description grant_types items -
Type string
2.4. [Optional] Property root > definition > access_policy_id
Type string
Description: Access Policy Rule ID.
2.5. [Optional] Property root > definition > pre_mappingrule_id
Type string
Description: Pre-Token mapping rule ID.
2.6. [Optional] Property root > definition > post_mappingrule_id
Type string
Description: Post-Token mapping rule ID.
2.7. [Optional] Property root > definition > ropc_mappingrule_id
Type string
Description: ROPC-mapping rule ID.
2.8. [Required] Property root > definition > base_url
Type string
Description: Base url of the endpoints. Example:
https://www.idp.com/isvaop
2.9. [Optional] Property root > definition > mtls_base_url
Type string
Description: Base url of the MTLS endpoints. Example:
https://www.idp-mtls.com/isvaop
2.10. [Optional] Property root > definition > mtls_certificate_header_name
Type string
Default "X-Client-Certificate"
Description: JWT header name that contains MTLS certificate. Example:
X-Client-Certificate
2.11. [Required] Property root > definition > token_settings
Description: Token Settings
Read more about Token Settings.
2.11.1. [Required] Property root > definition > token_settings > issuer
Type string
Description: OP's issuer URI.
2.11.2. [Required] Property root > definition > token_settings > signing_alg
Type string
Description: Signing algorithm for ID token generated.
2.11.3. [Required] Property root > definition > token_settings > signing_keystore
Type string
Description: Signing keystore name.
NOTE:
signing_keystore
is the keystore name WITHOUTks:
annotation.2.11.4. [Required] Property root > definition > token_settings > signing_keylabel
Type string
Description: Signing key label.
NOTE:
signing_keylabel
isthe key label name WITHOUTks:
annotation.2.11.5. [Required] Property root > definition > token_settings > encryption_alg
Type string
Description: Key encryption algorithm for ID token generated.
2.11.6. [Required] Property root > definition > token_settings > encryption_enc
Type string
Description: Content encryption algorithm for ID token generated.
2.11.7. [Optional] Property root > definition > token_settings > authorization_code_lifetime
Type number
Default 300
Description: Lifetime of authorization code in seconds.
2.11.8. [Optional] Property root > definition > token_settings > access_token_lifetime
Type number
Default 7200
Description: Lifetime of access token in seconds.
2.12. [Optional] Property root > definition > features
Description: Feature Flags
Read more about Features Flags.
2.12.1. [Optional] Property root > definition > features > consent_prompt
Type enum (of string)
Default "ALWAYS_PROMPT"
Description: Prompt for consent vs auto-consent.
Must be one of:
- "ALWAYS_PROMPT"
- "NEVER_PROMPT"
- "PROMPT_ONCE_AND_REMEMBER"
2.12.2. [Optional] Property root > definition > features > enforce_par
Type boolean
Default false
Description: Accept only authorized request using push authorize.
2.12.3. [Optional] Property root > definition > features > prefer_claims_at_userinfo
Type boolean
Default false
Description: This is introduced to address this requirement (https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.4). When it is set to true and an OAuth/OIDC flow generates access token, instead of returning the requested claims in the id_token, the claims are returned only at /userinfo endpoint; unless such claims are essential to be returned in id_token.
2.13. [Optional] Property root > definition > backchannel_settings
Description: These settings are related to Client-Initiated Backchannel Authentication (CIBA).
Read more about Backchannel Settings.
2.13.1. [Optional] Property root > definition > backchannel_settings > default_expiry
Type number
Default 900
Description: The default CIBA session lifetime in seconds.
2.13.2. [Optional] Property root > definition > backchannel_settings > maximum_expiry
Type number
Default 1800
Description: Maximum CIBA session lifetime in seconds.
2.13.3. [Optional] Property root > definition > backchannel_settings > polling_interval
Type number
Default 5
Description: Polling interval value that is communicated to the relying party in seconds.
2.13.4. [Optional] Property root > definition > backchannel_settings > notifyuser_mappingrule_id
Type string
Default "notifyuser"
Description: Mapping rule ID that is run when the user is notified.
2.14. [Optional] Property root > definition > attribute_map
Type map of string -> string
Description: Attribute mapping to resolve claims.
2.15. [Optional] Property root > definition > metadata
Type map of string -> any
Description: name-value pair to override metadata information
2.16. [Optional] Property root > definition > request_object
Description: These settings are related to JWT-Secured Authorization Request(JAR).
Read more about JWT Secured Authorization Request Settings.
2.16.1. [Optional] Property root > definition > request_object > lifetime
Type number
Description: The maximum lifetime of the incoming request-JWT in seconds.
2.16.2. [Optional] Property root > definition > request_object > require_expiry
Type boolean
Default false
Description: Boolean flag to check if the request-JWT contains a exp claim
3. [Required] Property root > jwks
Description: JSON Web Key Set (JWKS) Settings
Read more about JSON Web Key Set (JWKS) Settings.
Example:
jwks: # JSON Web Key Set (JWKS) Settings signing_keystore: signing_keystore # Keystore name containing keys related to JWT signing/signature validation. encryption_keystore: encryption_keystore # Keystore name containing keys related to JWT encryption/decryption.
4. [Optional] Property root > authentication
Description: Authentication Settings
Read more about Authentication Settings.
Example:
authentication: # Authentication Settings endpoint: https://isvaop.ibm.com:445/isvaop/oauth2/auth # Endpoint to redirect when authentication is required. This is mandatory when `grant_types` contains `authorization_code` or `implicit` callback_param_name: Target # Parameter name to specify the callback target URI. If it is not specified, the default callback param name is `Target`. subject_attribute_name: uid # Name of the user or credential attribute that will be used to populate the `sub`. If it is not specified, the default attribute is `uid`.
4.1. [Optional] Property root > authentication > endpoint
Type string
Default "https://isvaop.ibm.com:445/isvaop/oauth2/auth"
Description: Endpoint to redirect to when authentication is needed. This setting is mandatory when
grant_types
containsauthorization_code
orimplicit
(refer to Definition).
5. [Optional] Property root > template_macros
Description: Template Macros
Read more about template_macros.
Example:
template_macros: user_macros: - name - family_name - given_name - display_name request_macros: - authorization_details - claims - user_code - state
5.1. [Optional] Property root > template_macros > user_macros
Type array of string
Description: List of authenticated user claims to be made available.
Each item of this array must be Description user_macros items -
Type string
5.2. [Optional] Property root > template_macros > request_macros
Type array of string
Description: List of request parameters to be made available.
Each item of this array must be Description request_macros items -
Type string
6. [Optional] Property root > ssl
Description: SSL Setting
Read more about SSL Settings.
Example:
ssl: certificate: - ks:https_keys # The default SSL keystore to be used for SSL connections. It is used when SSL keystore is not specified in server connection SSL settings. disable_hostname_verification: true # The default flag to enable or disable hostname verification for SSL connections. It is used when SSL disable_hostname_verification is not specified in server connection SSL settings.
6.1. [Optional] Property root > ssl > certificate
Type array of string
Description: The list of default SSL keystore to be used for all SSL connections. It is used when SSL keystore is not specified in server connection SSL settings.
Each item of this array must be Description certificate items -
Type string
7. [Required] Property root > server
Description: Server Settings
Read more about Server Settings.
Example:
server: ssl: key: ks:https_keys/httpserverkey # Name of the keystore/key for the ISVAOP HTTPS server. certificate: ks:https_keys/httpservercert # Name of the keystore/certificate for the ISVAOP HTTPS server. ca: - ks:https_keys/httpserverca # Name of the keystore/CA for the ISVAOP HTTPS server. pages: type: zip # path is also supported, which indicates it is unpacked content: "B64:<encoded_binary>"
7.1. [Required] Property root > server > ssl
Description: HTTPS server SSL settings
Read more about key management here.
7.1.1. [Required] Property root > server > ssl > key
Type string
Description: Name of the keystore/key for the ISVAOP HTTPS server.
7.1.2. [Required] Property root > server > ssl > certificate
Type string
Description: Name of the keystore/certificate for the ISVAOP HTTPS server.
7.1.3. [Optional] Property root > server > ssl > ca
Type array of string
Description: Array of CA certificates
Each item of this array must be Description ca items -
Type string
7.2. [Optional] Property root > server > pages
Description: Customized template pages settings
7.2.1. [Required] Property root > server > pages > type
Type enum (of string)
Description: When customized template pages is provided, it is the type of content that is being supplied. Either a zip file or a directory name.
Must be one of:
- "path"
- "zip"
7.2.2. [Required] Property root > server > pages > content
Type string
Description: The content that is used for the customized template pages.
- When the
type
ispath
, specify the path of the customized template pages directory, which is relative to the/var/isvaop/config
directory of the container.- when
type
iszip
- use
@
annotation to specify the customized template pages zip file path, which is relative to the/var/isvaop/config
directory of the container.- or use
B64:
annotation to specify the base64 encoded customized template pages zip file.
8. [Optional] Property root > javascript
Description: JavaScript Settings
Read more about JavaScript Settings.
Example:
javascript: # Javascript Settings timeout: 0 # Maximum execution time for a script in ms. Set to 0 for unlimited execution time. max_load: 16 # Maximum number of v8 engine spawned. max_ctx_in_isolate: 50 # Maximum reuse of v8 engine before recreated. Set to 0 to disable. use_pool: false # If true, run in `pool` mode, otherwise run in `worker` mode.
8.1. [Optional] Property root > javascript > use_pool
Type boolean
Default false
Description: If true, run in
pool
mode, otherwise run inworker
mode.8.2. [Optional] Property root > javascript > max_load
Type number
Default 16
Description: Maximum number of v8 engine created.
9. [Optional] Property root > janitor
Description: In ISVAOP, we use a binary janitor to perform cleanup of data. Read more about Database cleanup
Example:
janitor: # Janitor Settings batch_size: 1000 # It is the maximum records being cleaned up with each iteration. max_duration: 0 # When the max_duration is set to 0, the janitor program runs until all records are cleaned up. check_frequency: 10 # It indicates the number of iterations to be run before the janitor check whether the maximum duration is exceeded.
9.1. [Optional] Property root > janitor > batch_size
Type number
Default 1000
Description: It is the maximum records being cleaned up with each iteration.
9.2. [Optional] Property root > janitor > max_duration
Type number
Default 0
Description: When the max_duration is set to 0, the janitor program runs until all records are cleaned up. Depending on how often you run the janitor, the number of records can be large. The maximum duration needs to be specified in milliseconds.
10. [Optional] Property root > logging
Description: Logging Settings
Read more about Logging Settings.
Example:
logging: # Logging Settings level: finest # Logging level setting. If the level is not set or invalid, `info` will be used. `panic`, `fatal`, `error`, `warn`, `warning` (alias of `warn`), `info`, `debug`, `fine`(alias of `debug`), `trace`, `finest` (alias of `trace`)
10.1. [Optional] Property root > logging > level
Type enum (of string)
Default "info"
Description: Logging level setting. If the level is not set or invalid,
info
is used.
warning
is alias ofwarn
fine
is alias ofdebug
finest
is alias oftrace
Must be one of:
- "panic"
- "fatal"
- "error"
- "warn"
- "warning"
- "info"
- "debug"
- "fine"
- "trace"
- "finest"
11. [Optional] Property root > dynamic_registration
Description: Dynamic Client Profile
Read more about Dynamic Client Profile.
Example:
dynamic_registration: recipe: FAPI_UK-OB # Security profile to use, option Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR mappingrule_id: dcr # Dynamic registration mapping rule ID. software_statement_validation: # Software statement validation settings. jwks_uri: http://172.16.123.1:3000/jwks/obdirectory # Jwks URI containing the public key required to validate the software statement signature. signing_algs: # Accepted signing algorithms. - ES256 registration_endpoint_authentication: # Authentication settings for POST operation. require_mtls: true # Specifies whether the endpoint requires MTLS. require_bearer_token: true # Specifies whether the endpoint requires bearer token. require_software_statement: false # Specifies whether the endpoint requires software statement. allow_custom_client_creds: true # Only for POST. Specifies whether to accept client_id/client_secret in the POST payload. management_endpoint_authentication: # Authentication settings for PUT/GET/DELETE operations. require_mtls: false # Specifies whether the endpoint requires MTLS. require_bearer_token: true # Specifies whether the endpoint requires bearer token. require_software_statement: false # Specifies whether the endpoint requires software statement. This is only applicable for PUT operation. registration_access_token: # Registration access token settings. generate: true # Specifies whether to produce registration access token as part of POST/PUT/GET operations. lifetime: 86400 # Specifies the lifetime of the registration access token. scopes: # Specify the scopes required by the access token. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token. - cdr:registration
11.1. [Optional] Property root > dynamic_registration > recipe
Type enum (of string)
Default "Default"
Description: Security profile to be used, option Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR
Must be one of:
- "Default"
- "FAPI_DEFAULT"
- "FAPI_UK-OB"
- "FAPI_AU-CDR"
11.2. [Optional] Property root > dynamic_registration > mappingrule_id
Type string
Description: Dynamic registration-mapping rule ID.
11.3. [Optional] Property root > dynamic_registration > software_statement_validation
Description: Software Statement Validation
Read more about Software Statement Validation.
11.3.1. [Optional] Property root > dynamic_registration > software_statement_validation > jwks_uri
Type string
Description: JWKS URI containing the public key that is needed to validate the software statement signature.
11.3.2. [Optional] Property root > dynamic_registration > software_statement_validation > signing_algs
Type array of string
Description: Accepted signing algorithms
Each item of this array must be Description signing_algs items -
11.3.2.1. root > dynamic_registration > software_statement_validation > signing_algs > signing_algs items
Type string
11.4. [Optional] Property root > dynamic_registration > registration_endpoint_authentication
Description: Registration Endpoint Authentication
Read more about Registration Endpoint Authentication.
11.4.1. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_mtls
Type boolean
Default false
Description: Specifies whether the endpoint requires MTLS.
11.4.2. [Optional] Property root > dynamic_registration > registration_endpoint_authentication > require_bearer_token
Type boolean
Default false
Description: Specifies whether the endpoint requires bearer token.
11.5. [Optional] Property root > dynamic_registration > management_endpoint_authentication
Description: Management Endpoint Authentication
Read more about Management Endpoint Authentication.
11.5.1. [Optional] Property root > dynamic_registration > management_endpoint_authentication > require_mtls
Type boolean
Default false
Description: Specifies whether the endpoint requires MTLS.
11.6. [Optional] Property root > dynamic_registration > registration_access_token
Description: Registration Access Token
Read more about Registration Access Token.
11.6.1. [Optional] Property root > dynamic_registration > registration_access_token > generate
Type boolean
Description: Specifies whether to produce registration access token as part of POST/PUT/GET operations.
11.6.2. [Optional] Property root > dynamic_registration > registration_access_token > lifetime
Type number
Description: Specifies the lifetime of the registration access token.
11.6.3. [Optional] Property root > dynamic_registration > registration_access_token > scopes
Type array of string
Description: Specify the access token scopes. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token.
Each item of this array must be Description scopes items -
Type string
12. [Optional] Property root > secrets
Description: Secrets
Read more about Secrets.
Example:
secrets: obf_key: "<obfuscation key>" enc_key: "@private.pem"
13. [Required] Property root > runtime_db
Type string
Defined in yaml_storage.yml#/definitions/runtime_db Description: Runtime Database Configuration
Read more about Runtime Database Configuration.
14. [Required] Property root > session_cache
Description: Session Cache Configuration
Read more about Session Cache Configuration.
14.1. [Required] Property root > session_cache > type
Type enum (of string)
Description: Specifies the type of session cache,
in-memory
,redis
, ordb
.Must be one of:
- "in-memory"
- "redis"
- "db"
14.2. [Optional] Property root > session_cache > life_time
Type number
Default 600
Description: For
in-memory
session cache type, specifies the session entry duration in seconds.
15. [Required] Property root > server_connections
Type array of object
Defined in yaml_storage.yml#/definitions/server_connections Description: Specifies a list of server connection configurations.
Read more about Storage Configuration.
Each item of this array must be Description server_connections items Specifies the server connection configuration details. ...
Description: Specifies the server connection configuration details.
Server connection can be categorized into
database
,redis
orldap
. Refer to each server connection category for details.15.1.1. [Optional] Property root > server_connections > server_connections items > server_connection (database)
Description: Runtime Database Server Connection
Read more about Runtime Database Server Connection.
Examples:
# PostgreSQL Runtime Database configuration sample runtime_db: mypq # Configuration of runtime database. Points to the database server connection. session_cache: type: db # Specifies the type of session cache, in-memory, redis, or db. # cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection # life_time: 600 # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600` # max_entries: 60000 # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000` server_connections: # Server connections - name: mypq # Connection name type: postgresql # Connection type, `redis`, `ldap`, `postgresql`, `oracle` database_name: verify-access # Specifies the database or service name. For database types only. hosts: # List of host information (IP and port) - hostname: postgresql # Server's hostname hostport: 5432 # Server's host port credential: # Credential information to connect to the server username: postgres # Specifies the username to access the server. password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this. ssl: certificate: # The SSL connection certificate array. - ks:postgres_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore. mutual_auth: key: ks:rt_profile_keys/postgres # When mutual TLS is needed, specify the keystore and label that contains the client's private key. certificate: ks:rt_profile_keys/postgres # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate. ca: - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate. disable_hostname_verification: false # The SSL connection validates the hostname. conn_settings: # Connection settings max_idle_time: 10 # Maximum idle time in seconds min_pool_size: 5 # Minimum connection pool size max_pool_size: 50 # Maximum connection pool size connect_timeout: 5 # Connect timeout, in seconds aged_timeout: 30 # Aged timeout, in seconds
# Oracle Runtime Database configuration sample runtime_db: myoracle # Configuration of runtime database. Points to the database server connection. session_cache: type: db # Specifies the type of session cache, in-memory, redis, or db. server_connections: # Server connections - name: myoracle # Connection name type: oracle # Connection type, `redis`, `ldap`, `postgresql`, `oracle` database_name: verify-access # Specifies the database or service name. For database types only. hosts: # List of host information (IP and port) - hostname: myoracle # Server's hostname hostport: 2484 # Server's host port credential: # Credential information to connect to the server username: SYSTEM # Specifies the username to access the server. password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this. ssl: wallet: # For Oracle database only. Oracle database uses client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS. type: path # The type of content that is being supplied, either a zip file or a directory name. content: oracle/wallet # The content that is used for the wallet. When the type is path, specify the path of the wallet. # type: zip # The content is used for the wallet. When the type is zip, the content can be specified by using either @ or B64: annotation. # content: "@oracle/wallet.zip" # when type is zip, use @ annotation to specify the wallet zip file path. # content: "B64:UEsDBBQACAAIAAJg......+ScAAAAA" # when type is zip, use B64: annotation to specify the base64 encoded wallet zip file. disable_hostname_verification: false # The SSL connection validates the hostname. conn_settings: # Connection settings max_idle_time: 10 # Maximum idle time in seconds aged_timeout: 30 # Aged timeout, in seconds max_idle_size: 5 # Maximum connection idle size max_pool_size: 50 # Maximum connection pool size connect_timeout: 5 # Connect timeout, in seconds
# Db2 Runtime Database configuration sample runtime_db: mydb2 # Configuration of runtime database. Points to the database server connection. session_cache: type: db # Specifies the type of session cache, in-memory, redis, or db. server_connections: # Server connections - name: mydb2 # Connection name type: db2 # Connection type, `redis`, `ldap`, `postgresql`, `oracle`, `db2` database_name: verify-access # Specifies the database or service name. For database types only. hosts: # List of host information (IP and port) - hostname: mydb2 # Server's hostname hostport: 50001 # Server's host port credential: # Credential information to connect to the server username: db2inst1 # Specifies the username to access the server. password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the password to access the server. It is recommended to obfuscate this. ssl: certificate: # The SSL connection certificate for Db2. The Db2 SSL connection certificate must use 'ks', '@' annotation to specify the keystore in P12 format, PEM file or 'B64'annotation to specify the base64 encoded PEM file. If multiple certificates are configured, the first certificate that is specified with '@' or 'B64:' annotation is used. - '@keystore/rt_profile_keys/signer/ca.pem' # '@' annotation to specify the certificate PEM file. # - 'b64:LS0tLS1CRUdJTiBD......tLQo=' # 'B64'annotation to specify the base64 encoded certificate PEM. # - 'ks:db2client' # 'ks'annotation to specify keystore in P12 format. disable_hostname_verification: false # The SSL connection validates the hostname. conn_settings: # Connection settings max_idle_time: 10 # Maximum idle time in seconds aged_timeout: 30 # Aged timeout, in seconds max_idle_size: 5 # Maximum connection idle size max_pool_size: 50 # Maximum connection pool size connect_timeout: 5 # Connect timeout, in seconds
15.1.1.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > name
Type string
Description: Connection name.
15.1.1.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > type
Type enum (of string)
Description: Connection type.
The IBM Security Verify Access OIDC Provider (ISVAOP) supports
postgresql
,oracle
anddb2
databases.Must be one of:
- "postgresql"
- "oracle"
- "db2"
15.1.1.3. [Required] Property root > server_connections > server_connections items > server_connection (database) > database_name
Type string
Description: Specifies the database or service name. For database types only.
15.1.1.4. [Required] Property root > server_connections > server_connections items > server_connection (database) > hosts
Type array
Description: List of host information (IP and port)
Each item of this array must be Description hosts items -
15.1.1.4.1. root > server_connections > server_connections items > server_connection (database) > hosts > hosts items15.1.1.5. [Required] Property root > server_connections > server_connections items > server_connection (database) > credential
Description: Credential information to connect to the Runtime Database server
15.1.1.6. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl
Description: SSL settings, if missing the connection is non SSL.
15.1.1.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > certificate
Type array of string
Description: The array of SSL certificates to be used for SSL connection to the database.
Each item of this array must be Description certificate items -
15.1.1.6.1.1. root > server_connections > server_connections items > server_connection (database) > ssl > certificate > certificate items
Type string
15.1.1.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth
15.1.1.6.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > key
Type string
Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.
15.1.1.6.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > certificate
Type string
Description: When mutual TLS is needed, specify the keystore of the client's leaf certificate.
15.1.1.6.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > ca
Type array of string
Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.
Each item of this array must be Description ca items -
15.1.1.6.2.3.1. root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > ca > ca items
Type string
15.1.1.6.2.4. [Optional] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet
Description: For Oracle database only. Oracle database uses client wallet for SSL connection and mutual TLS. The client wallet contains the certificates that are required for Oracle SSL connection and mutual TLS.
Oracle Wallet OverviewOracle Wallet is configuration files that store authentication and signing credentials.
Trusted certificates are stored in the Oracle Wallet when the wallet is used for security credentials.
ISVA OP requires an Oracle client wallet for SSL connection and mutual TLS. Thecwallet.sso
file must present.
See the Oracle Documentation to create or manage an Oracle wallet.
- Go to the Oracle Database Documentation page in Oracle Help Center.
- Select your version of Oracle Database.
- In the Topics section, select Security.
- In the Centralized User Management section, select Oracle Database Enterprise User Security Administrator's Guide.
- See the chapter
Using Oracle Wallet Manager
.Or click the following direct links.
- Oracle Database 12c Release 1: Using Oracle Wallet Manager
- Oracle Database 12c Release 2: Using Oracle Wallet Manager
- Oracle Database 19c: Using Oracle Wallet Manager
15.1.1.6.2.4.1. [Required] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet > type
Type enum (of string)
Description: When wallet is needed, it is the type of content that is being supplied. Either a zip file or a directory name.
Must be one of:
- "path"
- "zip"
15.1.1.6.2.4.2. [Required] Property root > server_connections > server_connections items > server_connection (database) > ssl > mutual_auth > wallet > content
Type string
Description: The wallet content or path using corresponding annotation.
Refer to Special Types and Special Types Available in Kubernetes.
15.1.1.7. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings
Description: Connection pool settings.
15.1.1.7.1. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > min_pool_size
Type number
Default 5
Description: Minimum connection pool size
15.1.1.7.2. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_idle_size
Type number
Default 10
Description: Maximum connection idle size
15.1.1.7.3. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_pool_size
Type number
Default 50
Description: Maximum connection pool size
15.1.1.7.4. [Optional] Property root > server_connections > server_connections items > server_connection (database) > conn_settings > max_idle_time
Type number
Default 10
Description: Maximum idle time in seconds
15.1.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis)
Description: Session Cache Server Connection
Read more about Session Cache Server Connection.
Example:
runtime_db: mypq # Configuration of runtime database. Points to the database server connection. session_cache: type: redis # Specifies the type of session cache, in-memory, redis, or db. cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection server_connections: # Server connections - name: mypq # Connection name ... - name: ldap_staging # Connection name ... - name: redis-standalone # Connection name type: redis # Connection type deployment: # Redis deployment information. for `redis` type only model: standalone # Deployment model. standalone or sentinel # master: master # Master node information. For `sentinel` model only hosts: # List of host information (IP and port) - hostname: redis # Server's hostname hostport: 6390 # Server's host port credential: # Credential information to connect to the host. username: isva # Specifies the username to access the server password: 'OBF:oUqHV/2VlAeWb1D7uAdfQysti3vh44p5/rpCDR35gn4=' # # Specifies the password for the redis server connection. It is recommended to obfuscate this. ssl: certificate: # The SSL connection certificate array. - ks:redis_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore. mutual_auth: key: ks:rt_profile_keys/redis # When mutual TLS is needed, specify the keystore and label that contains the client's private key. certificate: ks:rt_profile_keys/redis # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate. ca: # The mutual_auth connection certificate array. - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate. disable_hostname_verification: false # The SSL connection validates the hostname.
15.1.2.1. [Required] Property root > server_connections > server_connections items > server_connection (redis) > name
Type string
Description: Connection name.
15.1.2.2. [Required] Property root > server_connections > server_connections items > server_connection (redis) > type
Type const
Description: Connection type
Specific value:
"redis"
15.1.2.3. [Required] Property root > server_connections > server_connections items > server_connection (redis) > deployment
Description: Redis deployment information
15.1.2.4. [Required] Property root > server_connections > server_connections items > server_connection (redis) > hosts
Type array
Description: List of host information (IP and port)
Each item of this array must be Description hosts items -
15.1.2.4.1. root > server_connections > server_connections items > server_connection (redis) > hosts > hosts items15.1.2.5. [Required] Property root > server_connections > server_connections items > server_connection (redis) > credential
Description: Credential information to connect to the Redis Server.
15.1.2.6. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl
Description: SSL settings.
15.1.2.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > certificate
Type array of string
Description: The array of SSL certificates to be used for SSL connection to the database.
Each item of this array must be Description certificate items -
15.1.2.6.1.1. root > server_connections > server_connections items > server_connection (redis) > ssl > certificate > certificate items
Type string
15.1.2.6.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth
15.1.2.6.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > key
Type string
Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.
15.1.2.6.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > certificate
Type string
Description: When mutual TLS is needed, specify the keystore of the client's leaf certificate.
15.1.2.6.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > ca
Type array of string
Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.
Each item of this array must be Description ca items -
15.1.2.6.2.3.1. root > server_connections > server_connections items > server_connection (redis) > ssl > mutual_auth > ca > ca items
Type string
15.1.2.7. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings
Description: Connection pool settings.
15.1.2.7.1. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > max_pool_size
Type number
Default 50
Description: Maximum connection pool size.
15.1.2.7.2. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > min_idle_size
Type number
Default 3
Description: Minimum connection idle size.
15.1.2.7.3. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > aged_timeout
Type number
Default 10
Description: Age timeout, in seconds.
15.1.2.7.4. [Optional] Property root > server_connections > server_connections items > server_connection (redis) > conn_settings > connect_timeout
Type number
Default 5
Description: Connect timeout, in seconds.
15.1.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap)
Description: LDAP Server Connection
Read more about LDAP Server Connection.
Example:
runtime_db: mypq # Configuration of runtime database. Points to the database server connection. session_cache: type: db # Specifies the type of session cache, in-memory, redis, or db. # cfg: redis-standalone # Specifies the configuration of the `redis` cache, for `redis` type only. Points to `redis` server connection # life_time: 600 # Specifies the session entry duration in seconds. It applies to `in-memory` type sessions only. Default is `600` # max_entries: 60000 # Specifies the maximum number of session entries. It applies to `in-memory` type sessions only. Default is `60000` server_connections: # Server connections - name: mypq # Connection name ... - name: ldap_staging # Connection name type: ldap # Connection type hosts: # List of host information (IP and port) - hostname: openldap # Server's hostname hostport: 636 # Server's host port credential: # Credential information to connect to the host. bind_dn: cn=root,secAuthority=Default # Specifies the binding credential for the LDAP server connection. bind_password: 'OBF:gJDSuqEFmORCR2Uw3FsAmFKomjYLmhMwdDG2XoUxtQ0=' # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this. ssl: certificate: # The SSL connection certificate array. - ks:ldap_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore. mutual_auth: key: ks:rt_profile_keys/ldap # When mutual TLS is needed, specify the keystore and label that contains the client's private key. certificate: ks:rt_profile_keys/ldap # When mutual TLS is needed, specify the keystore and label of the client's leaf certificate. ca: # The mutual_auth connection certificate array. - ks:rt_profile_keys/ca # When mutual TLS is needed, specify the keystore and label of the client's CA certificate. disable_hostname_verification: false # The SSL connection validates the hostname. conn_settings: # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts. max_pool_size: 50 # Maximum connection pool size. connect_timeout: 3 # Connect timeout, in seconds. aged_timeout: 5 # Aged timeout, in seconds.
15.1.3.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > name
Type string
Description: Connection name.
15.1.3.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > type
Type const
Description: Connection type
Specific value:
"ldap"
15.1.3.3. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts
Type array
Description: List of host information (IP and port)
Each item of this array must be Description hosts items -
15.1.3.3.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items15.1.3.3.1.1. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > hostname
Type string
Description: LDAP Server's hostname
15.1.3.3.1.2. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > hostport
Type number
Description: LDAP Server's host port
15.1.3.3.1.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > credential
Description: Credential information to connect to the LDAP server. It can be specified at the top level if the settings are common across hosts.
15.1.3.3.1.4. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl
Description: SSL settings for the server. It can be specified at the top level if the settings are common across hosts.
15.1.3.3.1.4.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > certificate
Type array of string
Description: The array of SSL certificates to be used for SSL connection to the database.
Each item of this array must be Description certificate items -
15.1.3.3.1.4.1.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > certificate > certificate items
Type string
15.1.3.3.1.4.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth
15.1.3.3.1.4.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > key
Type string
Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.
15.1.3.3.1.4.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > certificate
Type string
Description: When mutual TLS is needed, specify the keystore of the client's leaf certificate.
15.1.3.3.1.4.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > ca
Type array of string
Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.
Each item of this array must be Description ca items -
15.1.3.3.1.4.2.3.1. root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > ssl > mutual_auth > ca > ca items
Type string
15.1.3.3.1.5. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings
Description: Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
15.1.3.3.1.5.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > hosts > hosts items > conn_settings > max_pool_size
Type number
Default 50
Description: Maximum connection pool size.
15.1.3.4. [Required] Property root > server_connections > server_connections items > server_connection (ldap) > credential
Description: Credential information to connect to the LDAP server
15.1.3.5. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl
Description: SSL settings.
15.1.3.5.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > certificate
Type array of string
Description: The array of SSL certificates to be used for SSL connection to the database.
Each item of this array must be Description certificate items -
15.1.3.5.1.1. root > server_connections > server_connections items > server_connection (ldap) > ssl > certificate > certificate items
Type string
15.1.3.5.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth
15.1.3.5.2.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > key
Type string
Description: When mutual TLS is needed, specify the keystore and label that contains the client's private key.
15.1.3.5.2.2. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > certificate
Type string
Description: When mutual TLS is needed, specify the keystore of the client's leaf certificate.
15.1.3.5.2.3. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > ca
Type array of string
Description: When mutual TLS is needed, specify an array of CA certificates needed for the connection.
Each item of this array must be Description ca items -
15.1.3.5.2.3.1. root > server_connections > server_connections items > server_connection (ldap) > ssl > mutual_auth > ca > ca items
Type string
15.1.3.6. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings
Description: Connection pool settings.
15.1.3.6.1. [Optional] Property root > server_connections > server_connections items > server_connection (ldap) > conn_settings > max_pool_size
Type number
Default 50
Description: Maximum connection pool size.
16. [Optional] Property root > attribute_sources
Type array of object
Defined in yaml_attributesource.yml#/definitions/attribute_sources Description: Attribute Sources
Read more about Attribute Sources.
Each item of this array must be Description attribute_sources items Attribute source can be categorized into 'value', 'credential', and 'ldap'. Refer to each attribute source category for details.
Description: Attribute source can be categorized into
value
,credential
, andldap
. Refer to each attribute source category for details.16.1.1. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (value)
16.1.1.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > id
Type string
Defined in #/$def/attribute_source/properties/id Description: Attribute source ID.
16.1.1.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (value) > name
Type string
Defined in #/$def/attribute_source/properties/name Description: Attribute source name.
16.1.2. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (credential)
16.1.2.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > id
Type string
Defined in #/$def/attribute_source/properties/id Description: Attribute source ID.
16.1.2.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (credential) > name
Type string
Defined in #/$def/attribute_source/properties/name Description: Attribute source name.
16.1.3. [Optional] Property root > attribute_sources > attribute_sources items > attribute_source (ldap)
16.1.3.1. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > id
Type string
Defined in #/$def/attribute_source/properties/id Description: Attribute source ID.
16.1.3.2. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > name
Type string
Defined in #/$def/attribute_source/properties/name Description: Attribute source name.
16.1.3.3. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > type
Type const
Description: Attribute source type.
Specific value:
"ldap"
16.1.3.4. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > value
Type string
Description: Attribute source value. For
ldap
type, it refers to an LDAP attribute to be retrieved.16.1.3.5. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > scope
Type enum (of string)
Description: Only applicable for attribute source of type
ldap
. LDAP search scope.Must be one of:
- "base"
- "one level"
- "subtree"
16.1.3.6. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > filter
Type string
Description: Only applicable for attribute source type
ldap
. LDAP search filter. It might contain macros as shown in the previous example.16.1.3.7. [Required] Property root > attribute_sources > attribute_sources items > attribute_source (ldap) > selector
Type string
Description: Only applicable for attribute source type
ldap
. LDAP selector that contains attributes that are retrieved together.Example:
attribute_sources: - id: 1 name: display_name type: value value: anonymous - id: 2 name: age type: credential value: AZN_CRED_AGE - id: 3 name: surname type: ldap value: sn scope: subtree filter: (cn={AZN_CRED_PRINCIPAL_NAME}) selector: nickname,gender,sn srv_conn: ldap baseDN: dc=ibm,dc=com
17. [Optional] Property root > ldapcfg
Type array of object
Defined in yaml_ldapcfg.yml#/definitions/ldapcfg Description: LDAP configuration used by
UserLookupHelper
andLdapAttributeUtil
JavaScript Utility.
Each item of this array must be Description ldapcfg items LDAP Configuration ...
Description: LDAP Configuration
Read more about LDAP configuration.
17.1.1. [Required] Property root > ldapcfg > ldapcfg items > name
Type string
Description: The unique name of this ldap configuration. This name is used to initialize
UserLookupHelper
andLdapAttributeUtil
.17.1.2. [Required] Property root > ldapcfg > ldapcfg items > filter
Type string
Description: Search filter for
UserLookupHelper
17.1.3. [Required] Property root > ldapcfg > ldapcfg items > user_object_classes
Type string
Description: Comma-separated user object classes
17.1.4. [Required] Property root > ldapcfg > ldapcfg items > attribute
Type string
Description: Main Attribute to be retrieved
17.1.5. [Required] Property root > ldapcfg > ldapcfg items > selector
Type string
Description: Comma-separated attributes that are retrieved
17.1.6. [Required] Property root > ldapcfg > ldapcfg items > srv_conn
Type string
Description:
srv_conn
is the ldap server connection's name this ldap configuration applies to. The ldap server connection is defined instorage
configure -server_connections
section.Example:
ldapcfg: - name: ldap_staging_config_01 user_object_classes: top,Person,organizationalPerson,inetOrgPerson filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User)) selector: objectClass,cn,sn,givenName,userPassword srv_conn: ldap_staging attribute: uid baseDN: dc=ibm,dc=com
18. [Optional] Property root > clients
Type array of object
Defined in yaml_clients.yml#/definitions/clients Description: Clients
Read more about Clients.
Each item of this array must be Description clients items Client Configuration ...
Description: Client Configuration
Read more about Client Configuration.
18.1.1. [Required] Property root > clients > clients items > client_id
Type string
Description: Client identifier.
18.1.2. [Required] Property root > clients > clients items > client_secret
Type string
Description: Client secret that is used for client authentication, and JWT signing and encryption. It is recommended to be an obfuscated string. The obfuscation key is read from the provider configuration secrets stanza.
18.1.3. [Required] Property root > clients > clients items > client_name
Type string
Description: Name of the client.
18.1.4. [Optional] Property root > clients > clients items > client_id_issued_at
Type timestamp
Description: Timestamp (in seconds) from when the client is created.
18.1.5. [Required] Property root > clients > clients items > enabled
Type boolean
Description: Set to true to enable this client
18.1.6. [Required] Property root > clients > clients items > grant_types
Type string array
Description: Grant type that the client is allowed to use at the token endpoint.
18.1.7. [Required] Property root > clients > clients items > response_types
Type string array
Description: Response type that the client is allowed to use at the authorization endpoint.
18.1.8. [Required] Property root > clients > clients items > redirect_uris
Type string array
Description: Redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
18.1.9. [Required] Property root > clients > clients items > request_uris
Type string array
Description: Request URIs that are pre-registered by the Relying Party for use at the OIDC Provider.
18.1.10. [Optional] Property root > clients > clients items > scopes
Type string array
Description: A list of scope values that the client can use when it requests access tokens.
18.1.11. [Optional] Property root > clients > clients items > jwks_uri
Type string
Description: URL string that references the client's JSON Web Key (JWK) set document that contains the client's public keys.
18.1.12. [Optional] Property root > clients > clients items > id_token_signed_response_alg
Type string
Description: JWS
alg
algorithm for signing the ID Token that is issued to the Client. Optional. If present it shall be always the same as the token_settings.signing_alg value set in provider configure.18.1.13. [Optional] Property root > clients > clients items > id_token_encrypted_response_alg
Type string
Description: JWE
alg
algorithm for encrypting the ID Token that is issued to the Client.18.1.14. [Optional] Property root > clients > clients items > id_token_encrypted_response_enc
Type string
Description: JWE
enc
algorithm for encrypting the ID Token that is issued to the Client.18.1.15. [Optional] Property root > clients > clients items > userinfo_signed_response_alg
Type string
Description: JWS
alg
algorithm for signing UserInfo Responses.18.1.16. [Optional] Property root > clients > clients items > userinfo_encrypted_response_alg
Type string
Description: JWE
alg
algorithm for encrypting UserInfo Responses.18.1.17. [Optional] Property root > clients > clients items > userinfo_encrypted_response_enc
Type string
Description: JWE
enc
algorithm for encrypting UserInfo Responses.18.1.18. [Optional] Property root > clients > clients items > request_object_signing_alg
Type string
Description: JWS
alg
algorithm that must be used for signing Request Objects sent to the OIDC Provider.18.1.19. [Optional] Property root > clients > clients items > request_object_encryption_alg
Type string
Description: JWE
alg
algorithm the Relying Party is declaring that it may use for encrypting Request Objects sent to the OIDC Provider.18.1.20. [Optional] Property root > clients > clients items > request_object_encryption_enc
Type string
Description: JWE
enc
algorithm the Relying Party is declaring that it might use for encrypting Request Objects sent to the OIDC Provider.18.1.21. [Required] Property root > clients > clients items > token_endpoint_auth_method
Type string
Description: Requested authentication method for the backend endpoints (token, introspect, revoke).
18.1.22. [Optional] Property root > clients > clients items > token_endpoint_auth_signing_alg
Type string
Description: JWS
alg
algorithm that must be used for signing the JWT that is used to authenticate the Client at the Token Endpoint for theprivate_key_jwt
authentication methods.18.1.23. [Optional] Property root > clients > clients items > token_endpoint_auth_single_use_jti
Type boolean
Description: When set to
true
and client assertion is used as the method to perform client authentication, the client assertion cannot be reused.18.1.24. [Optional] Property root > clients > clients items > tls_client_auth_subject_dn
Type string
Description: Expected subject distinguished name of the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.25. [Optional] Property root > clients > clients items > tls_client_auth_san_dns
Type string
Description: Expected DNS name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.26. [Optional] Property root > clients > clients items > tls_client_auth_san_email
Type string
Description: Expected RFC822 name SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.27. [Optional] Property root > clients > clients items > tls_client_auth_san_ip
Type string
Description: Expected IP address SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.28. [Optional] Property root > clients > clients items > tls_client_auth_san_uri
Type string
Description: Expected URI SAN entry in the certificate that the OAuth client uses in mutual-TLS authentication.
18.1.29. [Optional] Property root > clients > clients items > tls_client_certificate_bound_access_tokens
Type boolean
Default false
Description: Indicates the client's intention to use mutual-TLS client certificate-bound access tokens. The default value is
false
.18.1.30. [Optional] Property root > clients > clients items > require_pushed_authorization_requests
Type boolean
Description: Indicates the client's intention to enforce usage of push authorization request (PAR) to trigger authorize flow.
18.1.31. [Optional] Property root > clients > clients items > require_pkce
Type boolean
Description: Indicates the client's intention to enforce usage of proof-key for code exchange.
18.1.32. [Optional] Property root > clients > clients items > backchannel_token_delivery_mode
Type enum (of string)
Description: Backchannel token delivery mode. One of the following values:
poll
orping
Must be one of:
- "poll"
- "ping"
18.1.33. [Optional] Property root > clients > clients items > backchannel_user_code_parameter
Type boolean
Default false
Description: Boolean value specifying whether the Client supports the user_code parameter. If omitted, the default value is
false
. This parameter only applies when definition.backchannel_settings.user_code_support in provider configure is set totrue
18.1.34. [Optional] Property root > clients > clients items > backchannel_client_notification_endpoint
Type string
Description: REQUIRED if the token delivery mode is set to ping. This is the endpoint to which the ISVAOP will post a notification after a successful or failed end-user authentication. It MUST be an HTTPS URL.
18.1.35. [Optional] Property root > clients > clients items > dpop_bound_access_tokens
Type boolean
Description: Boolean value specifying whether to adds the
jkt
claim to thecnf
claim in the access token.18.1.36. [Optional] Property root > clients > clients items > dpop_signing_alg
Type string
Description: Expected
JWS
alg algorithm for signed the DPoP proof JWT. Optional.18.1.37. [Optional] Property root > clients > clients items > dpop_single_use_jti
Type boolean
Description: When set to
true
the DPoP proof JWT should contain a unique identifier in the jti claim which cannot be re-used.18.1.38. [Optional] Property root > clients > clients items > response_modes
Type string array
Description: This parameter informs the authorization server of the allowed list of modes that the client expects for the authorization response.
18.1.39. [Optional] Property root > clients > clients items > token_exchange_settings
Description: Token exchange configuration.
18.1.39.1. [Optional] Property root > clients > clients items > token_exchange_settings > client_groups
Type string array
Description: The list of OpenID Connect client groups. Client groups is a way tagging clients. Tokens generated by a client can be used as the subject token for token exchange with another client using the same tag. If this list is empty, any client can use the tokens generated from this client as the subject token for token exchange.
18.1.39.2. [Optional] Property root > clients > clients items > token_exchange_settings > supported_subject_token_types
Type string array
Description: This parameter indicates the list of subject token types supported for token exchange. A subject token represents the identity of the party on behalf of whom the token is being requested.
18.1.39.3. [Optional] Property root > clients > clients items > token_exchange_settings > supported_requested_token_types
Type string array
Description: This parameter indicates the list of requested token types supported for token exchange.
18.1.39.4. [Optional] Property root > clients > clients items > token_exchange_settings > supported_actor_token_types
Type string array
Description: This parameter indicates the list of actor token types supported for token exchange. An actor token represents the identity of the party to whom the access rights of the issued token are being delegated.
18.1.40. [Optional] Property root > clients > clients items > extension
Description: Other information of the client that does not fit the above metadata.
The following nonexhaustive list of information goes to the extension.18.1.40.1. [Optional] Property root > clients > clients items > extension > company_name
Type string
Description: Company name that is associated with this Client.
18.1.40.2. [Optional] Property root > clients > clients items > extension > company_url
Type string
Description: Company URL that is associated with this Client.
18.1.40.3. [Optional] Property root > clients > clients items > extension > email
Type string
Description: Company URL that is associated with this Client.
18.1.40.4. [Optional] Property root > clients > clients items > extension > phone
Type string
Description: Phone number that is associated with this Client.
18.1.40.5. [Optional] Property root > clients > clients items > extension > contact_person
Type string
Description: Contact person that is associated with this Client.
18.1.40.6. [Optional] Property root > clients > clients items > extension > contact_type
Type string
Description: Contact type that is associated with this Client.
18.1.40.7. [Optional] Property root > clients > clients items > extension > otherInfo
Type string
Description: Other information associated with this Client.
18.1.40.8. [Optional] Property root > clients > clients items > extension > encryptKey
Type string
Description: Key label of the signer key that is used to encrypt ID token.
18.1.40.9. [Optional] Property root > clients > clients items > extension > encryptDB
Type string
Description: Keystore of the signer key that is used to encrypt ID token.
18.1.40.10. [Optional] Property root > clients > clients items > extension > contacts
Type string array
Description: Email addresses of people responsible for the Client.
18.1.40.11. [Optional] Property root > clients > clients items > extension > logo_uri
Type string
Description: URL that references a logo for the Client application.