

AFM Properties File

To manually configure the AFM properties, perform the following steps:

  1. Navigate to the following directory on the system where you have installed AFM:
    AFM_HOME\conf\afm\
    
  2. Open the arcotafm.properties file in a text editor.

    The following table describes the State Manager configuration parameters in this properties file. Each entry gives the parameter name, whether it is required or optional, and the AFM integrations (SAML, SiteMinder, VPN) that use it, followed by its description.

Most Used State Manager Parameters

ArcotSMHostname (Required; SAML, SiteMinder)
  Specify the Fully Qualified Domain Name (FQDN) or IP address of State Manager.

ArcotSMPort (Required; SAML, SiteMinder)
  Specify the port of the application server where State Manager is deployed.

ArcotSMBaseURL (Optional; SAML, SiteMinder)
  Specify the base URL path at which State Manager is available on the application server.
  Default value: arcotsm/servlet

ArcotSMSecureConnection (Optional; SAML, SiteMinder)
  Specify whether AFM communicates with State Manager over SSL.
  Possible values are:
    • true
    • false
  Default value: true

ArcotSMTrustStore (Optional; SAML, SiteMinder)
  Specify the path of the truststore that holds the root SSL certificate of State Manager.
  This parameter applies only if ArcotSMSecureConnection is set to true.
  Default value: /certs/tsclient.truststore
  Note: This setting is ignored if the JRE system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword are set.

ArcotSMTrustStorePassword (Optional; required if ArcotSMTrustStore is provided; SAML, SiteMinder)
  Specify the password of the truststore.
  This parameter applies only if the ArcotSMTrustStore path is provided.
  Default value: 123456
  The default is a well-known placeholder; set your own password when you create the truststore for a production deployment.

ArcotSMKeyStore (Optional; SAML, SiteMinder)
  Specify the path of the client SSL keystore.
  Default value: /certs/tsclient.keystore
  Note: This setting is ignored if the JRE system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword are set.

ArcotSMKeyStorePassword (Optional; required if ArcotSMKeyStore is provided; SAML, SiteMinder)
  Specify the password of the keystore.
  Default value: 123456
  As with the truststore, replace this placeholder in a production deployment.

Least Used State Manager Parameters

ArcotAFMLandingURL (Optional; SiteMinder)
  Used by Authentication Shim, or by other components that redirect the user's authentication request to AFM, to verify that the user's request was processed with the URL it was redirected to.
  Specify this parameter only if the application server does not map the URL to the same value that Authentication Shim uses for redirection.
  Default value: URL of the Controller JSP that receives the HTTP request.

ArcotSMConnTimeoutMS (Optional; SAML, SiteMinder)
  Specify the time (in milliseconds) after which State Manager is considered unreachable and the connection attempt is aborted.
  Default value: 15000 (15 seconds)

ArcotSMReadTimeoutMS (Optional; SAML, SiteMinder)
  Specify the maximum time (in milliseconds) that AFM waits for a response from State Manager.
  Note: Do not set this parameter to 0; the client would then wait for a response indefinitely.
  Default value: 30000 (30 seconds)

ArcotSMMaxRetries (Optional; SAML, SiteMinder)
  Specify the maximum number of retries allowed when connecting to State Manager.
  Default value: 0 (no retries)

ArcotSMTestConnAtStartup (Optional; SAML, SiteMinder)
  Specify whether a test token must be created when the Web application starts.
  Note: If you are using JRE 1.4.2.x and AFM starts before State Manager, AFM cannot time out the connection and cannot start up.
  Possible values are:
    • true
    • false
  Set this to false if AFM and State Manager are deployed on the same application server, because the application server may hang if the test runs before State Manager is initialized.
  Default value: true

The following table describes the AuthMinder Server's authentication and issuance-related parameters. Each entry gives the parameter name, whether it is required or optional, and the AFM integrations (SAML, SiteMinder, VPN) that use it, followed by its description.

Most Used AuthMinder Server Authentication Parameters

WebFortauthentication.host.1, WebFortauthentication.host.2 (Optional; required only if CA AuthMinder is used; SAML, SiteMinder, VPN)
  Specify the FQDN or IP address of AuthMinder Server.

WebFortauthentication.port.1, WebFortauthentication.port.2 (Optional; required only if CA AuthMinder is used; SAML, SiteMinder, VPN)
  Specify the port at which AuthMinder Server is available.
  Default value: 9742

WebFortauthentication.transport.1 (Optional; SAML, SiteMinder, VPN)
  Specify the protocol used to connect to AuthMinder Server.
  Note: CA recommends that communication between AFM and AuthMinder be over SSL. Refer to the CA AuthMinder Installation and Deployment Guide for information on configuring AuthMinder for SSL.
  Possible values are:
    • TCP
    • SSL
  Default value: TCP

WebFortauthentication.serverCACertPEMPath.1 (Optional; required only if WebFortauthentication.transport.1=SSL; SAML, SiteMinder, VPN)
  Specify the complete path of the certification authority (CA) certificate file used to verify AuthMinder Server. The file must be in .PEM format.

WebFortauthentication.clientCertKeyP12Path.1 (Optional; required only if WebFortauthentication.transport.1=SSL and AuthMinder Server is configured for two-way SSL; SAML, SiteMinder, VPN)
  Specify the path of the PKCS#12 (.p12) file that contains the key and certificate of the client communicating with AuthMinder Server. This establishes two-way SSL between the AuthMinder client and server.

WebFortauthentication.clientCertKeyPassword.1 (Optional; required only if WebFortauthentication.transport.1=SSL and AuthMinder Server is configured for two-way SSL; SAML, SiteMinder, VPN)
  Specify the password that opens the .p12 file specified in WebFortauthentication.clientCertKeyP12Path.1.

WebFortpool.lifo (Optional; SAML, SiteMinder, VPN)
  Specify whether the connection pool returns idle connections in last-in-first-out (LIFO) order.
  Possible values are:
    • true: Idle connections are returned in LIFO order
    • false: Idle connections are not returned in LIFO order
  Default value: false

WebFortpool.numPreCreate (Optional; SAML, SiteMinder, VPN)
  Specify the number of connections to create when the pool is initialized.
  Default value: 0

WebFortpool.numConnectFailuresToTriggerFailover (Optional; SAML, SiteMinder, VPN)
  Specify the number of consecutive connection failures after which AFM fails over to another pool.
  Default value: 1

Least Used AuthMinder Server Authentication Parameters

WebFortpool.maxactive (Optional; SAML, SiteMinder, VPN)
  Specify the maximum number of connections that can exist between AFM and AuthMinder Server. The pool never grows beyond this value.
  Default value: 32

WebFortpool.maxIdle (Optional; SAML, SiteMinder, VPN)
  Specify the maximum number of idle connections that the SDK keeps open to AuthMinder Server.
  Default value: 16

WebFortpool.maxWaitTimeMillis (Optional; SAML, SiteMinder, VPN)
  Specify the maximum time (in milliseconds) that a request waits to obtain a connection from the pool. The default value of -1 means the thread waits indefinitely.
  Default value: -1

WebFortpool.minEvictableIdleTimeMillis (Optional; SAML, SiteMinder, VPN)
  Specify the minimum time (in milliseconds) a connection may sit idle in the pool before the idle-connection evictor, if one is running, evicts it. The default value of -1 means idle connections are not evicted.
  Default value: -1

WebFortpool.timeBetweenEvictionRunsMillis (Optional; SAML, SiteMinder, VPN)
  Specify the time (in milliseconds) the evictor sleeps between checks of the pool for idle connections. The default value of -1 means no connection eviction takes place.
  Default value: -1

WebFortauthentication.connectionTimeout.1 (Optional; SAML, SiteMinder, VPN)
  Specify the time (in milliseconds) after which AuthMinder Server is considered unreachable.
  Default value: 10000 (10 seconds)

WebFortauthentication.readTimeout.1 (Optional; SAML, SiteMinder, VPN)
  Specify the maximum time (in milliseconds) allowed for a response from AuthMinder Server.
  Note: A value of 0 makes the request wait for a response indefinitely.
  Default value: 30000 (30 seconds)

Most Used AuthMinder Server Issuance Parameters

WebFortissuance.host.1, WebFortissuance.host.2 (Optional; required only if CA AuthMinder is used; SAML, SiteMinder, VPN)
  Specify the FQDN or IP address of the server hosting the AuthMinder Issuance service.

WebFortissuance.port.1, WebFortissuance.port.2 (Optional; required only if CA AuthMinder is used; SAML, SiteMinder, VPN)
  Specify the port at which the server hosting the AuthMinder Issuance service is available.
  Default value: 9742

WebFortissuance.transport.1 (Optional; SAML, SiteMinder, VPN)
  Specify the protocol used to connect to the AuthMinder Issuance service.
  Note: CA recommends that communication between AFM and AuthMinder be over SSL. Refer to the CA AuthMinder Installation and Deployment Guide for information on configuring AuthMinder for SSL.
  Possible values are:
    • TCP
    • SSL
  Default value: TCP

WebFortissuance.serverCACertPEMPath.1 (Optional; required only if WebFortissuance.transport.1=SSL; SAML, SiteMinder, VPN)
  Specify the complete path of the CA certificate file used to verify AuthMinder Server. The file must be in .PEM format.

WebFortissuance.clientCertKeyP12Path.1 (Optional; required only if WebFortissuance.transport.1=SSL and AuthMinder Server is configured for two-way SSL; SAML, SiteMinder, VPN)
  Specify the path of the PKCS#12 (.p12) file that contains the key and certificate of the client communicating with AuthMinder Server. This establishes two-way SSL between the AuthMinder client and server.

WebFortissuance.clientCertKeyPassword.1 (Optional; required only if WebFortissuance.transport.1=SSL and AuthMinder Server is configured for two-way SSL; SAML, SiteMinder, VPN)
  Specify the password that opens the .p12 file specified in WebFortissuance.clientCertKeyP12Path.1.

Least Used AuthMinder Server Issuance Parameters

WebFortissuance.connectionTimeout.1 (Optional; SAML, SiteMinder, VPN)
  Specify the time (in milliseconds) after which AuthMinder Server is considered unreachable.
  Default value: 10000 (10 seconds)

WebFortissuance.readTimeout.1 (Optional; SAML, SiteMinder, VPN)
  Specify the maximum time (in milliseconds) allowed for a response from AuthMinder Server.
  Default value: 30000 (30 seconds)

The following table describes the User Data Service (UDS) parameters. These settings control how AFM communicates with UDS. Each entry gives the parameter name, whether it is required or optional, and the AFM integrations (SAML, SiteMinder, VPN) that use it, followed by its description.

uds.connection.pool.count (Optional; SAML, SiteMinder, VPN)
  Specify the maximum number of connections that AFM maintains to the UDS Web service at any given time.
  Default value: 20

uds.ssl.keystore.path (Optional; SAML, SiteMinder, VPN)
  Specify the absolute path to the keystore used for two-way SSL with UDS.

uds.ssl.keystore.password (Optional; required only if uds.ssl.keystore.path is set; SAML, SiteMinder, VPN)
  Specify the password for the UDS keystore.

uds.ssl.truststore.path (Optional; SAML, SiteMinder, VPN)
  Specify the absolute path to the truststore used for two-way SSL with UDS.

uds.ssl.truststore.password (Optional; required only if uds.ssl.truststore.path is set; SAML, SiteMinder, VPN)
  Specify the password for the UDS truststore.

UDS Web Services Parameters

uds.user.management.webservice.protocol (Required; SAML, SiteMinder, VPN)
  Specify the protocol for connecting to UDS.

uds.user.management.webservice.host (Required; SAML, SiteMinder, VPN)
  Specify the IP address or the FQDN of UDS.

uds.user.management.webservice.port (Required; SAML, SiteMinder, VPN)
  Specify the port at which UDS is available.

uds.user.management.webservice.urlpattern (Required; SAML, SiteMinder, VPN)
  Specify the URL pattern for UDS.

The following table describes the SSL VPN parameters. These settings control how AFM communicates with an SSL-enabled VPN gateway. Each entry gives the parameter name, whether it is required or optional, and the AFM integrations that use it, followed by its description.

ssl.vpn.username.form.name (Required; VPN)
  Specify the name of the form parameter in which the username collected by AFM is passed to the VPN gateway.
  Default value: username

ssl.vpn.password.form.name (Required; VPN)
  Specify the name of the form parameter in which the password collected by AFM is passed to the VPN gateway.
  Default value: password

ssl.vpn.mandatory.form.names (Optional; VPN)
  Specify the name(s) of the form parameters that carry the mandatory (required) request parameters collected from the SSL VPN, which AFM posts back to the VPN gateway.
  Note: Multiple form parameters can be specified with a comma as the delimiter. For example, if you specify the value as realm,type, AFM collects both realm and type from the VPN request.
  Default value: realm

ssl.vpn.posturl.form.name (Optional; required if ssl.vpn.form.post.url is specified; VPN)
  Specify the name of the form parameter in which the posturl parameter is passed to the VPN gateway.
  Note: The posturl parameter is the URL to which AFM posts the authentication response.
  Default value: posturl

ssl.vpn.form.post.url (Optional; required if ssl.vpn.posturl.form.name is specified; VPN)
  Specify the URL to which the authentication response is posted back.

ssl.vpn.errormessage.form.name (Optional; VPN)
  Specify the name of the parameter from which AFM determines that an error occurred on the VPN side after AFM authenticated the user successfully. In this case, the request is sent back to AFM.
  Default value: errormessage

The following table describes the RiskMinder Server-related parameters. Each entry gives the parameter name, whether it is required or optional, and the AFM integrations that use it, followed by its description.

Most Used RiskMinder Parameters

RiskFortHOST.1, RiskFortHOST.2 (Optional; required only if RiskMinder is used in the integrated solution; SAML)
  Specify the IP address or the FQDN of RiskMinder Server.

RiskFortPORT.1, RiskFortPORT.2 (Optional; required only if RiskMinder is used in the integrated solution; SAML)
  Specify the port at which RiskMinder Server is available.
  Default value: 7680

RiskFortTRANSPORT_TYPE (Optional; SAML)
  Specify the protocol used to connect to RiskMinder Server.
  Note: CA recommends that communication between State Manager and RiskMinder be over TLS. Refer to the CA RiskMinder Installation and Deployment Guide for information on configuring RiskMinder for SSL.
  Possible values are:
    • TCP
    • TLS
  Default value: TCP

RiskFortCA_CERT_FILE (Optional; required only if RiskFortTRANSPORT_TYPE=TLS; SAML)
  Specify the complete path of the CA certificate file used to verify RiskMinder Server. The file must be in .PEM format.

RiskFortAuthAdditionalInputs_<key> (Optional; SAML)
  Specify additional inputs to RiskMinder for risk evaluation; replace <key> with the name of the input.
  Only alphanumeric characters can be used in the keys and values of additional inputs.
  Note: For ISO 8859 character set support, use the addRfAuthAdditionalInputs method of the AbstractStateData class.

Least Used RiskMinder Parameters

RiskFortCONNECTION_TIMEOUT (Optional; SAML)
  Specify the time (in milliseconds) after which RiskMinder Server is considered unreachable.
  Default value: 30000 (30 seconds)

RiskFortREAD_TIMEOUT (Optional; SAML)
  Specify the maximum time (in milliseconds) allowed for a response from RiskMinder Server.
  Default value: 30000 (30 seconds)

RiskFortCONNECTION_RETRIES (Optional; SAML)
  Specify the maximum number of retries allowed when connecting to RiskMinder Server.
  Default value: 3

RiskFortUSE_CONNECTION_POOLING (Optional; SAML)
  Specify whether connection pooling with RiskMinder Server is enabled.
  Possible values are:
    • 1: Enabled
    • 0: Disabled
  Default value: 1

RiskFortMAX_ACTIVE (Optional; SAML)
  Specify the maximum number of connections that can exist between State Manager and RiskMinder Server. The pool never grows beyond this value.
  Default value: 32

RiskFortTIME_BETWEEN_CONNECTION_EVICTION (Optional; SAML)
  Specify the interval (in milliseconds) at which the connection eviction thread runs to check for and close idle RiskMinder Server connections.
  Default value: 900000 (15 minutes)

RiskFortIDLE_TIME_OF_CONNECTION (Optional; SAML)
  Specify the time (in milliseconds) after which an idle RiskMinder Server connection is closed.
  Default value: 1800000 (30 minutes)
  Note: Ensure that RiskFortTIME_BETWEEN_CONNECTION_EVICTION + RiskFortIDLE_TIME_OF_CONNECTION is less than the idle connection timeout of any firewall between State Manager and RiskMinder Server; otherwise the firewall drops a pooled connection before the evictor closes it.

RiskFortWHEN_EXHAUSTED_ACTION (Optional; SAML)
  Specify the behavior when the maximum number of supported connections has been exhausted.
  Default value: BLOCK

The following table describes the AFM parameters. Each entry gives the parameter name, whether it is required or optional, and the AFM integrations (SAML, SiteMinder, VPN) that use it, followed by its description.

Most Used AFM Parameters

User Browser Resources

DeviceIDType (Optional; SAML, SiteMinder)
  Specify the type of cookie that stores the Device ID on the end user's system. RiskMinder uses the Device ID to register and identify the device the user uses during a transaction; the Device ID is set as a cookie on the user's computer, either an HTTP cookie or a Flash cookie.
  Possible values are:
    • httpcookie
    • flashcookie
  Default value: httpcookie

User Credential Settings

ArcotUserIDType (Optional; SiteMinder)
  Specify the user ID used for ArcotID PKI authentication and risk evaluation.
  Possible values are:
    • LoginID: The user ID entered on the authentication page is used for risk evaluation and ArcotID PKI authentication.
    • FullDN: The disambiguated user ID (full DN) is used for risk evaluation and ArcotID PKI authentication.
  Default value: LoginID

Lifecycle Settings

MigrationMessageDisplayTimeLimit (Optional; SAML, SiteMinder, VPN)
  Specify the time (in milliseconds) for which the migration success message is displayed to the user before the flow proceeds.
  Default value: 6000

EnrollSuccessDisplayTimeLimit (Optional; SAML, SiteMinder, VPN)
  Specify the time (in milliseconds) for which the enrollment success message is displayed to the user before the flow proceeds.
  Default value: 6000

FailureMessageDisplayTimeLimit (Optional; SAML, SiteMinder, VPN)
  Specify the time (in milliseconds) for which the failure message (for an expired, locked, or disabled credential) is displayed to the user before redirecting back to the caller.
  Default value: 6000

ProvisionAOTPPageURL (Required; SAML, SiteMinder, VPN)
  Specify the URL of the page used to issue an ArcotID OTP to a mobile device.
  Default value: /arcotafm/controller_aotp.jsp

EnrollSuccessPageURL (Optional; SAML, SiteMinder, VPN)
  Specify the path of the page displayed after successful user enrollment. This parameter applies only when the returnurl parameter is not present in the request; it is useful when a user goes through the registration workflow rather than the migration workflow. You must specify this parameter for SiteMinder direct enrollment.
  Default value: /arcotafm/success.jsp

Notification Settings

sms.service.impl (Required; SAML, SiteMinder, VPN)
  Specify the implementation class for the SMS service provider. This class must implement the com.arcot.integrations.frontend.SMSService interface.
  Important! By default, this parameter is set to the ClickATell SMS service implementation, which is provided for testing purposes only. CA recommends that you do not use the default setting in production deployments.

email.service.impl (Required; SAML, SiteMinder, VPN)
  Specify the implementation class for the email service provider. This class must implement the com.arcot.integrations.frontend.EmailService interface.
  Important! The default implementation is provided for testing purposes only. CA recommends that you do not use the default setting in production deployments.

email.from.address (Required; SAML, SiteMinder, VPN)
  Specify the sender's email address.
  Default value: Do_Not_Reply@arcot.com

email.from.name (Required; SAML, SiteMinder, VPN)
  Specify the sender's name.
  Default value: Authentication Flow Manager

email.smtp.host.name (Optional; SAML, SiteMinder, VPN)
  Specify the FQDN or IP address of the server hosting the SMTP email service.

email.smtp.user.name (Optional; SAML, SiteMinder, VPN)
  Specify the user name used to access the SMTP email service.

email.smtp.user.password (Optional; SAML, SiteMinder, VPN)
  Specify the password used to access the SMTP email service.

email.smtp.isauth (Optional; SAML, SiteMinder, VPN)
  Specify whether the SMTP server requires authentication to send email notifications.

The following table describes the Utility parameters. Each entry gives the parameter name, whether it is required or optional, and the AFM integrations (SAML, SiteMinder, VPN) that use it, followed by its description.

StopActionMode (Optional; SAML, SiteMinder, VPN)
  Enables you to stop the automatic posting or redirecting of AFM pages. When enabled, each page includes a button that you must click to proceed to the next page.
  Possible values are:
    • true
    • false
  Default value: false

MaxStateMachineLoopCount (Optional; SAML, SiteMinder, VPN)
  Specify the maximum number of loops allowed in the state machine before an error is thrown to indicate an infinite-loop condition.
  Default value: 100
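The checks a reviewer would run over a real arcotafm.properties, covering the State Manager, AuthMinder, RiskMinder and Notification Settings tables above, as an added example that is not part of the CA AFM distribution. It reads the file with a minimal java.util.Properties-style parser and flags the weak settings those tables document: ArcotSMSecureConnection=false, the 123456 store-password default, a read timeout of 0, TCP transport to AuthMinder or RiskMinder, SSL/TLS enabled without a CA certificate to verify the server, an eviction-plus-idle budget that does not fit under the firewall idle timeout, and the ClickATell test SMS service. The two sample configurations, the 20-minute firewall timeout, the hostnames and certificate paths, and the class-name substring match used to recognise ClickATell are constructed assumptions, not values taken from the page.

```python
"""Audit arcotafm.properties for the weak settings this page documents.

Added example, not part of CA AFM. Property names, defaults and thresholds come
from the tables above; the sample configurations, the firewall timeout and the
ClickATell class-name match are constructed assumptions."""
import re

DEFAULT_STORE_PASSWORD = "123456"  # documented default for the ArcotSM stores


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value,
    '#'/'!' comment lines, backslash line continuations."""
    props, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        pending.append(line[:-1] if line.endswith("\\") else line)
        if line.endswith("\\"):  # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", "".join(pending))
        pending = []
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _default_password(props, pw_key, store_in_use):
    """True if the effective password is the documented 123456: set to it
    explicitly, or left unset while the store it protects is in use."""
    explicit = props.get(pw_key)
    return explicit == DEFAULT_STORE_PASSWORD if explicit is not None else store_in_use


def audit(props, firewall_idle_timeout_ms):
    """Return [(parameter, finding)] for settings a reviewer would flag."""
    g, out = props.get, []
    # State Manager link: cleartext, default store passwords, unbounded read
    secure = g("ArcotSMSecureConnection", "true").lower() == "true"
    if not secure:
        out.append(("ArcotSMSecureConnection", "AFM talks to State Manager in the clear"))
    if _default_password(props, "ArcotSMTrustStorePassword", secure):
        out.append(("ArcotSMTrustStorePassword", "truststore password is the default 123456"))
    if _default_password(props, "ArcotSMKeyStorePassword", "ArcotSMKeyStore" in props):
        out.append(("ArcotSMKeyStorePassword", "keystore password is the default 123456"))
    if g("ArcotSMReadTimeoutMS", "30000") == "0":
        out.append(("ArcotSMReadTimeoutMS", "0 waits for State Manager indefinitely"))
    # AuthMinder authentication and issuance: default transport is TCP
    for p in ("WebFortauthentication", "WebFortissuance"):
        if f"{p}.host.1" not in props:
            continue
        if g(f"{p}.transport.1", "TCP").upper() != "SSL":
            out.append((f"{p}.transport.1", "AuthMinder traffic is not over SSL"))
        elif not g(f"{p}.serverCACertPEMPath.1"):
            out.append((f"{p}.serverCACertPEMPath.1", "SSL without a CA cert to verify the server"))
        if g(f"{p}.readTimeout.1", "30000") == "0":
            out.append((f"{p}.readTimeout.1", "0 waits for a response indefinitely"))
    # RiskMinder: default transport is TCP; eviction + idle must stay below the firewall timeout
    if "RiskFortHOST.1" in props:
        if g("RiskFortTRANSPORT_TYPE", "TCP").upper() != "TLS":
            out.append(("RiskFortTRANSPORT_TYPE", "RiskMinder traffic is not over TLS"))
        elif not g("RiskFortCA_CERT_FILE"):
            out.append(("RiskFortCA_CERT_FILE", "TLS without a CA cert to verify the server"))
        budget = (int(g("RiskFortTIME_BETWEEN_CONNECTION_EVICTION", "900000"))
                  + int(g("RiskFortIDLE_TIME_OF_CONNECTION", "1800000")))
        if budget >= firewall_idle_timeout_ms:
            out.append(("RiskFortIDLE_TIME_OF_CONNECTION",
                        f"eviction + idle = {budget} ms is not below the firewall timeout"))
    # Notification: the shipped default is the ClickATell test service (name match is an assumption)
    if "clickatell" in g("sms.service.impl", "clickatell").lower():
        out.append(("sms.service.impl", "default ClickATell SMS service is for testing only"))
    return out


FIREWALL_IDLE_TIMEOUT_MS = 20 * 60 * 1000  # assumed 20-minute firewall idle timeout

# Constructed samples: WEAK leans on the documented defaults, HARDENED overrides them.
WEAK = """\
ArcotSMSecureConnection=false
ArcotSMTrustStorePassword=123456
WebFortauthentication.host.1=am.example.internal
WebFortauthentication.readTimeout.1=0
RiskFortHOST.1=rm.example.internal
sms.service.impl=com.example.ClickATellSMSService
"""
HARDENED = """\
ArcotSMSecureConnection=true
ArcotSMTrustStore=/opt/afm/certs/sm.truststore
ArcotSMTrustStorePassword=rotate-me-from-vault
WebFortauthentication.host.1=am.example.internal
WebFortauthentication.transport.1=SSL
WebFortauthentication.serverCACertPEMPath.1=/opt/afm/certs/authminder-ca.pem
RiskFortHOST.1=rm.example.internal
RiskFortTRANSPORT_TYPE=TLS
RiskFortCA_CERT_FILE=/opt/afm/certs/riskminder-ca.pem
RiskFortTIME_BETWEEN_CONNECTION_EVICTION=300000
RiskFortIDLE_TIME_OF_CONNECTION=600000
sms.service.impl=com.example.GatewaySMSService
"""


def audit_text(text, firewall_idle_timeout_ms=FIREWALL_IDLE_TIMEOUT_MS):
    """Parse a properties file body and audit it; empty list means clean."""
    return audit(parse_properties(text), firewall_idle_timeout_ms)
```

To use it on a deployment, pass the contents of AFM_HOME\conf\afm\arcotafm.properties to audit_text() together with the idle timeout of the firewall that sits between AFM and RiskMinder Server; an empty result means none of the documented weak defaults are in effect. Note that the audit reads only the properties file: the ArcotSMTrustStore and ArcotSMKeyStore settings are overridden when the javax.net.ssl.* JRE system properties are set, so check the application server's JVM arguments as well.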