Connector Guides › Connectors Guide › Configuring CA IAM CS › Customize the Configuration for CA IAM CS

Customize the Configuration for CA IAM CS

Previous versions of this connector server were named Java CS or JCS. From CA Identity Manager 12.6 onwards, the connector server is named CA IAM CS At the same time, we changed the way configuration is handled.

The configuration for CA IAM CS is stored in five configuration files, which are described in Configuration Files for CA IAM CS.

When you upgrade CA IAM CS, any changes you made to the XML configuration files are lost. This loss happens whether you are upgrading from Java CS or from CA IAM CS.

However, any changes you made to the following files are preserved:

• cs_home\conf\override\server_jcs.properties
• cs_home\conf\override\server_ad.properties
• cs_home\conf\override\server_shared.properties
• cs_home\conf\override\server_ui.properties
• cs_home\conf\override\server_common.properties
• cs_home\conf\override\server_ccs.properties

The settings in these files override the settings in the XML configuration files.

For this reason, we recommend that you do not change the settings in the XML configuration files. Instead, add any settings that you want to configure to the properties files in the override folder.

Note: Each XML configuration file has a matching override file. However, the filenames of the override files do not contain _osgi. Otherwise they match. For example, server_ad.properties is the override file for server_osgi_ad.xml.

Follow these steps:

1. If the properties file does not exist, copy the matching sample file and change its name.
2. Open the properties file in a text editor.
3. Edit the values for any of the settings already in the file.
4. If you want to customize other settings, add them to the properties file.

   Ensure that you use property names that match the nested structure of the entries in the XML configuration files.

5. Save the edited properties file.
6. Restart CA IAM CS.

Retry Configuration

You can configure the Exception Map setting to contain groups of exception messages that require special handling (and optionally associated retry delay and retry count settings).

In particular, the JDBC connector defines entries for exceptions signifying these conditions which drive retrying when connections to the endpoint experience problems:

• Stale—The connection to the endpoint has become stale and is reestablished immediately.
• Retriable—The connection to the endpoint has encountered a transient soft failure, in which case a retry loop is started with the configured count and delay. If the count is exhausted before connectivity is restored, then the current request is considered to have suffered a hard failure which is reported to CA IAM CS.
• Busy—The endpoint has reported it is too busy to complete a request in which case a retry loop is started with a separate retry delay and count settings. For example, the MSSQL database reports deadlock exceptions when it is unable to complete processing a transaction within a certain time interval. The delay and recount settings are typically much longer than the Retriable case.

In addition to these triggering exceptions, each ExceptionRetryGroup has associated resilientDelay and resilientMaxRetries settings which specify how many retry attempts are required when a matching exception is encountered, and the delay between each attempt.

Disable FIPS for CA IAM CS

When you install CA IAM CS, you can enable FIPS. If you upgrade to CA IAM CS from a Java CS that had FIPS enabled, it is still enabled after the upgrade.

In either of these situations, you can disable FIPS without running the installation program again.

The FIPS setting is in the server_osgi_shared.xml. We recommend that you customize this setting in an override file.

Follow these steps:

1. Open the following properties file in a text editor:

   cs_home/conf/override/server_shared.properties
   

   If it does not already exist, follow the steps in Customize the Configuration for CA IAM CS to create it.

2. Find the following setting, or add it to the file:

   JsafeJCE.fipsEnabled=false
   

3. Ensure that the setting is not commented out with a # character.
4. Save the edited properties file.
5. Restart CA IAM CS.

Configure CA IAM CS to Work Under Heavy Loads (UNIX Only)

We recommend that you consider carefully the ulimit -n setting for the user for which you install CA IAM CS. The default setting is too low to allow CA IAM CS to function properly under load.

When this problem occurs the Java virtual machine shuts down and the following message appears in the jcs_daily log:

exiting because of 120 exceptions in a row: Too many open files

CA IAM CS requires a minimum ulimit -n setting of around 80.

Follow these steps:

1. Find out the value of maxThreads.

   The default value is stored in the following file:

   cs_home/jcs/conf/server_osgi_ad.xml
   

   If a custom value has been specified, it is stored in the following file:

   cs_home/jcs/conf/override/server_ad.properties
   

2. Calculate the best ulimit value, using the maxThreads value:
   • ulimit = 50 + 2 x maxThreads
3. Set the ulimit value.

Set the TLS Store Certificate Password

CA IAM CS uses two certificates: one for each of the following roles:

• CA IAM CS as a server—When LDAP and client requests a TLS-secured connection, CA IAM CS acts as an LDAP server. CA IAM CS uses a certificate to secure this communication.
• CA IAM CS as a client—When CA IAM CS requests a secure connection with an endpoint, CA IAM CS acts as a client. It uses a different certificate to secure this communication.

When you install CA IAM CS these certificates each have a temporary password. We recommend that you update these passwords.

By default, these certificates are stored in the same keystore. However you can store them in separate keystores if you prefer.

Follow these steps:

1. Stop CA IAM CS.
2. Open a command prompt, then change to the following directory:

   cs_home/jcs/tools/ldaps_password
   

3. Use the following command to update the password of the keystore for the server:

   ldaps_password new-password
   

   This command updates the encrypted commonConfiguration.keystorePassword value in server_shared.properties.

4. Use the following command to update the password of the keystore for the client:

   ldaps_password new-password connectorManager.connectorClientCertStorePassword ../conf/override/server_jcs.properties
   

   This command updates the encrypted connectorManager.connectorClientCertStorePassword value in server_jcs.properties.

   Note: The password for the keystore is the password that you set during CA IAM CS installation.

5. Restart CA IAM CS.

Note: Alternatively, you can manage the keystore using the keytool utility included in the Java Runtime Environment. This lets you install your own certificate instead of the default Provisioning Server certificate that the installer configures.