The configuration files for CA IAM Connector Server are in the following location:
cs_home/jcs/conf
Note: Any changes that you make to these files are lost when you upgrade CA IAM Connector Server. We recommend that you use the properties files in cs_home\conf\override, as described in Customize the Configuration for CA IAM Connector Server.
The server_osgi_jcs.xml file contains the following configuration settings:
Specifies the client certificate store for CA IAM Connector Server. The value is a path to the file that contains the trusted certificates used to verify the identity of the endpoint server during SSL handshakes. This store is used for the outbound TLS connections that the connectors themselves make to the endpoint systems they manage. Import the issuer certificates of every endpoint to which TLS connections are made into this store.
Specifies the certificate store type (JKS or PKCS12).
Specifies the password protecting the connector client store. The same rules apply as for the ldapsCertificatePassword.
During SSL handshakes the peer certificate that the endpoint sends is not verified for trust. That is, the connectorClientCertStore value is ignored and not required for outbound SSL connections in this configuration.
The endpoint host certificate that is presented to CA IAM Connector Server undergoes trust checks against connectorClientCertStore contents.
When TRUE, sends SSL information to a log file.
Enables or disables the HTTP proxy, and configures the proxy details. Use a proxy if CA IAM Connector Server must communicate with other computers outside the network.
The HTTP proxy can be configured when CA IAM Connector Server is installed. You can change it later by updating this value in the configuration file.
Specifies the authentication methods. Only simple is currently supported.
Specifies the authentication principal. By default, ApacheDS sets this value to uid=admin,ou=system, but an optional java.naming.security.principal.alias= can be specified to ease integration. When this alias is received for authentication, it is treated exactly as uid=admin,ou=system.
Specifies the maximum number of requests that can be processed concurrently for all activated connectors that a single connector server hosts. The default value of 200 matches the Provisioning Server configuration.
If you increase this value, consider also increasing other configuration settings. For example, you can change the heap space for the Java Virtual Machine or the "ulimit -n" setting for open files on Solaris.
Note: For more information, see Configure CA IAM Connector Server to Work Under Heavy Loads (UNIX Only).
Specifies the port on which CA IAM Connector Server listens for insecure connections. Set the port to one of the recommended ports unless many connector servers run on the same computer. Where a secure port is configured, use the secure port instead.
The insecure port can be useful for debugging purposes. By default, CA IAM Connector Server uses only ldapsPort.
Set the port to one of the following port numbers:
Specifies the port on which CA IAM Connector Server listens for secure connections. The ldapsPort, with its associated properties enableLdaps, ldapsCertificateFile, and ldapsCertificatePassword, must be a different port from the one chosen for ldapPort. Traffic on this port is secured using the configured certificate and the Transport Layer Security (TLS) protocol.
ldapsPort can also be useful for debugging. Set the logging level in the log4j.properties file to trace LDAP requests as they are delivered to the connector server.
Set the port to one of the following port numbers:
The ldapsCertificateFile is configured to reference a Java keystore containing the standard IM Provisioning Server certificate. The default ldapsCertificatePassword was set during installation.
Specifies which LDAP schemas the connector server knows. This property incorporates schemas which have been converted to Java objects by the ApacheDS build process.
You can load additional OpenLDAP formatted schema files (see http://www.openldap.org/doc/admin23/schema.html) by placing them in the conf directory (like eta_dyn_openldap.schema or eta_nds_openldap.schema) or, ideally, by contributing them from the conf/ directory within a specific connector's JCS-connector-*.jar file (refer to the SDK connector's conf/eta_sdk_openldap.schema, registered through its conf/connector.xml descriptor in the jcs-connector-sdk.jar sample connector).
Specifies the path to an LDAPS certificate store for CA IAM Connector Server. This store contains all the certificates that CA IAM Connector Server uses to verify its identity during inbound LDAPS (TLS) connections. At least one certificate with an accompanying private key issued to represent CA IAM Connector Server is placed in this store.
To change this value, add it to server_osgi_shared.xml. Values in this file overwrite any in server_osgi_ad.xml.
Specifies the password protecting the certificate store specified in ldapsCertificateFile.
The password can either be cleartext or obfuscated. For example:
{ALGORITHM}ciphertext
where ALGORITHM is typically set to 'AES'. For example: {AES}LQpBXeIjOMGSsGLU
See The Password Tool.
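As an added illustration that is not code from the CA documentation or from the product, the following Python script audits a set of connector server properties against two rules stated on this page: ldapsPort must differ from ldapPort (and the server should normally use only ldapsPort), and password values should be stored in the obfuscated {ALGORITHM}ciphertext form produced by the Password Tool rather than in cleartext. Because the element layout of server_osgi_jcs.xml is not shown here, the script assumes the properties have already been read into a dictionary. The key name connectorClientStorePassword, the port numbers and the keystore path in the sample are constructed placeholders; the rule that every key ending in "Password" must be obfuscated generalizes the page's statement that the client store password follows the same rules as ldapsCertificatePassword.

```python
import re
from typing import Dict, List, Optional, Tuple

# Obfuscated password format documented on the page: {ALGORITHM}ciphertext,
# for example {AES}LQpBXeIjOMGSsGLU. The algorithm tag is a run of
# letters and digits; the ciphertext must be non-empty.
OBFUSCATED_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(\S+)$")


def parse_obfuscated(value: str) -> Optional[Tuple[str, str]]:
    """Return (algorithm, ciphertext) for an obfuscated value, else None."""
    match = OBFUSCATED_RE.match(value.strip())
    if match is None:
        return None
    return match.group(1), match.group(2)


def is_obfuscated(value: str) -> bool:
    return parse_obfuscated(value) is not None


def audit(props: Dict[str, str]) -> List[str]:
    """Check connector server properties and return a list of findings.

    The checks only use property names that appear on the page
    (ldapPort, ldapsPort, enableLdaps, ldapsCertificatePassword) plus a
    generalized rule for any key whose name ends in 'Password'.
    """
    findings: List[str] = []

    # Rule 1: every password-like property must use the {ALGORITHM}ciphertext form.
    for key in sorted(props):
        if key.lower().endswith("password") and not is_obfuscated(props[key]):
            findings.append(
                f"{key}: value is cleartext; run the Password Tool and store "
                "the {ALGORITHM}ciphertext form instead"
            )

    # Rule 2: ldapsPort must be a different port from ldapPort.
    ldap_port = props.get("ldapPort")
    ldaps_port = props.get("ldapsPort")
    if ldap_port is not None and ldaps_port is not None and ldap_port == ldaps_port:
        findings.append(
            f"ldapPort and ldapsPort are identical ({ldap_port}); "
            "ldapsPort must be a different port"
        )

    # Rule 3: the secure listener should be enabled (the page says the server
    # uses only ldapsPort by default); the insecure port is for debugging only.
    if props.get("enableLdaps", "true").strip().lower() != "true":
        findings.append("enableLdaps is not true; the LDAPS listener is disabled")
    if ldap_port is not None:
        findings.append(
            f"ldapPort {ldap_port} (insecure) is configured; keep it only for debugging"
        )
    return findings


# Constructed sample, not taken from a real installation. The port numbers,
# the keystore path and the key name connectorClientStorePassword are
# placeholders chosen to exercise each check.
SAMPLE_PROPS: Dict[str, str] = {
    "ldapPort": "20389",
    "ldapsPort": "20389",  # deliberately equal to ldapPort
    "enableLdaps": "true",
    "ldapsCertificateFile": "cs_home/jcs/conf/connector.jks",  # placeholder path
    "ldapsCertificatePassword": "secret",  # cleartext: should be flagged
    "connectorClientStorePassword": "{AES}LQpBXeIjOMGSsGLU",  # obfuscated: fine
}


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROPS):
        print("FINDING:", finding)
```

Running the script on the constructed sample reports the cleartext ldapsCertificatePassword, the clashing ports and the presence of the insecure ldapPort, while the obfuscated client store password passes. Because the actual cipher behind the {AES} tag belongs to the Password Tool, the script only validates the form of the value; it does not attempt to decrypt or verify the ciphertext.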
Specifies any other standard ApacheDS interceptor services. The interceptor services that CA IAM Connector Server does not require have been deactivated.
Configures the crypto service, which activates encryption converters on specific fields according to their metadata properties. The most important setting is the isEncrypted boolean metadata property.
Contains the path to the Java certificate keystore file in properties “keyStore” and “trustStore”.
Contains the HTTP and HTTPS ports that CA IAM Connector Server uses for sending and receiving messages.
Contains the user name and password for accessing the broker.
Enables or disables FIPS compliance.
Default: Enabled.
Contains the timeout periods for messages. When a timeout is reached, CA IAM Connector Server returns an error to the user or to the service that was expecting a response.
The default message timeout (30 minutes).
The timeout for a one-level LDAP search (1 hour).
The timeout for a subtree LDAP search (8 hours).
The timeout for messages coming from the web UI (60 seconds).
The timeout after a connection error occurs (60 seconds).
The time before an idle HTTP connection is considered inactive (2 minutes).
Default socket timeout for HTTP clients (60 seconds).
The number of times an HTTP operation can be retried (3).
The connection details to a local or remote CCS.
Copyright © 2014 CA.
All rights reserved.