Security Properties for Java

Property	Description	Default
vbroker.security.logLevel	Use this property to control the degree of logging. 0 means no logging and 7 means maximum logging (debug messages).	0
vbroker.security.secureTransport	This property controls whether the transport connection is encrypted or not. If set to true, transport messages are encrypted. If set to false they are in the clear.	true
vbroker.security.alwaysSecure	This property together with the secureTransport property controls the default QoP on the client-side. If both set to true then transport QoP is set to SECURE_ONLY, which means the client will only accept secure transport. If either of them is set to false then Client does not mandate security at the transport layer.	false
vbroker.security.server.transport	This property is used on the server side to define server transport QoP. Acceptable values are CLEAR_ONLY, SECURE_ONLY or ALL. This allows the client that needs either CLEAR_ONLY or SECURE_ONLY to be able to connect to a server. This property will take effect only when property secureTransport is true.	SECURE_ ONLY
vbroker.security.server. requireUPIdentity	Set this to true if the server requires the client to send a Username/Password for authentication (regardless of certificate-based authentication). This is a server-side property.	n/a
vbroker.security.disable	If set to true, disables all security services.	true
vbroker.security.transport.protocol	This property is used to select a security transport protocol. For a standard list of protocol version names, go to https://docs.oracle.com/en/java/javase/<javaversion>/docs/specs/security/standard-names.html#sslcontext-algorithms. For example: https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html By default, VisiBroker for Java establishes the highest TLS version supported by the underlying Java VM JSSE provider, and uses that as the preferred maximum TLS version bound. For information on these protocols, see the Oracle Corporation documentation.	Highest TLS version supported
vbroker.security. requireAuthentication	Server-side only property used to specify whether the client is required to authenticate.	false
vbroker.security. enableAuthentication	Note: This property is deprecated. See “Authentication” for recommended methods of specifying authentication. Server-side only property. This back-compatible property is used for supporting PasswordBackEnd style authentication. When set to true, the program will try to construct the specified PasswordBackEnd for authenticating.	false
vbroker.security.authentication. callbackHandler	Specifies the callback handler used for login modules to use for interacting with user for credentials. You can specify one of the following or your own custom callback handler: com.borland.security.provider.authn.CmdLineCallbackHandler com.borland.security.provider.authn.HostCallbackHandler CmdLineCallbackHandler has password echo on, while HostCallbackHandler has password echo off.	n/a
vbroker.security.authentication. config	This specifies the path to the configuration file used for authentication.	null
vbroker.security.authentication. retryCount	Number of times to retry if remote authentication failed.	3
vbroker.security.authentication. clearCredentialsOnFailure	By default, if the authorization realm finds the authenticator is incorrect after the maximum number of retries have been attained, the ORB retains the authenticator. If you want the ORB to clear the authenticator (the credential) after the maximum number of retries, set this property to true.	false
vbroker.security.login	If set to true, at initialization-time this property tries to login to all the realms listed by property vbroker.security.login.realms.	false
vbroker.security.login.realms	This gives a list of comma-separated realms to login to. This is used when login takes place, either through property vbroker.security.login (set to true) or API login using login().	n/a
vbroker.security.vault	This property is used to specify the path to the vault file. This property will take effect regardless of whether vbroker.security.login is set to true or false.	n/a
vbroker.security.identity. reauthenticateOnFailure	When set to true the security service will attempt to reacquire authentication information using the CallbackHandler. This property require the callback handler to be set either using the appropriate property or at runtime by calling the appropriate method.	false
vbroker.security.identity. enableReactiveLogin	When set to true, the security service behaves as follows: If the security service cannot find an identity for any of the targets supported by a server it is attempting to communicate with, it will then attempt to acquire credentials for one of the targets in the target object's IOR. If a corresponding authentication realm is available for this target (that the user chooses to provide credentials for), then authentication is also attempted locally. Reactive login requires a callback handler to be set either using the appropriate property or at runtime by calling the appropriate method.	true
vbroker.security.authDomains	Specifies a comma-separated list of available authorization domains. For example: vbroker.security.authDomains=<dom1>,<doma2>…	null
vbroker.security.domain. <domain_name>.rolemap_path	Specifies the location of the RoleDB file that describes the roles used for authorization. This is scoped within the domain <domain_name> specified in vbroker.security.authDomains.	n/a
vbroker.security.domain. <domain_name>.rolemap_enableRefresh	When set to true, enables dynamic loading of the RoleDB file specified in vbroker.security.domain.<domain_name>.rolemap_path property. The interval of dynamic loading is specified by property vbroker.security.domain.<domain_name>.rolemap_refreshTimeInSeconds.	false
vbroker.security.domain. <domain_name>. rolemap_refreshTimeInSeconds	Specifies the rolemap refresh time in seconds.	300
vbroker.security.domain. <domain name>.runas. <run_as_role_name>	Specifies the name of the run-as role. The value can be either use-caller-identity to have the caller principal be in the run-as role, or specify an alias for a run-as principal for the run-as role name.	n/a
vbroker.security.domain. <domain_name>.defaultAccessRule	Specifies whether to grant or deny access to the domain by default in the absence of security roles for the provided domain. Acceptable values are grant or deny.	grant
vbroker.security. peerAuthenticationMode	Sets the peer authentication Mode. Possible values are: REQUIRE REQUIRE_AND_TRUST REQUEST REQUEST_AND_TRUST NONE Note that the REQUEST and REQUEST_AND_TRUST modes cannot receive peer certificate chains due to JSSE restrictions.	NONE
vbroker.security. trustpointsRepository	Specifies a path to the directory containing trusted certificates and CRLs or to a trusted Keystore whose values are implementations of TrustedCertificateEntry. Default values are either a directory, given in the format Directory:<path_to_certs> or a Keystore, given in the format Keystore:<path_to_keystore>.	n/a
vbroker.security.defaultJSSETrust	If set to true, the JSSE default trust files like cacerts and jssecacerts, if present in JRE, will be used to load trusted certificates.	false
vbroker.security.assertions.trust. <n>	This property is used to specify a list of trusted roles (specified with the format <role>@<authorization_domain>). <n> is a uniquely identified for each trust assertion rule as a list of digits. For example, setting vbroker.security.assertions.trust.1=ServerAdmin@default means this process trusts any assertion made by the ServerAdmin role in the default authorization domain.	n/a
vbroker.security.assertions.trust. all	Setting to true will trust all the assertion made by peers.	false
vbroker.security.cipherList	Set this property to a comma-separated list of ciphers to be enabled by default on startup. If not set, a default list of cipher suites will be enabled. These should be valid SSL Ciphers. If this property is set but no certificates are configured, all non-anonymous cipher suites specified as part of this property’s value are ignored; only the anonymous cipher suites specified as part of this property will remain actively available for the SSL handshake.	n/a
vbroker.security.controlAdminAccess	Set this to true for enabling Server Manager operations on a Secure Server.	false
vbroker.security.serverManager. authDomain	Points to a security domain listed in vbroker.security.authDomains. The specified domain is used for the Server Manager's role-based access control checks. A rolemap must be specified for the domain.	n/a
vbroker.security.serverManager. role.all	Specifies the role name required for accessing all Server Manager operations.	n/a
vbroker.security.serverManager. role.<method_name>	Specifies the role name required for accessing the specified method of the Server Manager.	n/a
vbroker.security.wallet.type	A wallet is a set of directories containing encrypted private keys and certificate chains for each identity. The possible values are: Directory:<path_to_identities> Use the Directory value to point to the directory containing the directories for all identities. PKCS12:.<path_to_PKCS#12_KeyStore> Use the PKCS12 value to configure the PKCS#12 keystore directory. See “PKCS#12-based authentication using KeyStores” for details.	n/a
vbroker.security.wallet.identity	If the vbroker.security.wallet.type is set to Directory, use to point to a sub-directory within the path defined in vbroker.security.wallet.type that contains keys and/or certificate information for a specific identity. Note that the value of this property must consist only of lower-case letters. If vbroker.security.wallet.type is set to PKCS12, the VisiBroker for Java secure client then looks for a file <identity>.p12 in the <path_to_PKCS#12_KeyStore> folder.	n/a
vbroker.security.wallet.password	Specifies the password used to decrypt the private key or the password associated with the login.	n/a
vbroker.security.TSS. authenticationTimeToLive	This property sets the time for re-authentication.	600 sec
vbroker.security.TSS.stateful	This corresponds to the IOR component CompoundSecMechList field 'stateful' (see OMG specs). This signifies whether or not the server supports 'stateful' SAS session and therefore the client can make decisions according to the standard behavior as defined by the OMG specifications.	true
vbroker.security.trustProvider	This property is a part of the trust provider plugability mechanism: vbroker.security.trustProvider=xyz where xyz can be any string. The FQCN (fully qualified class name) of the trustprovider class implementation: vbroker.security.trustProvider.xyz.provider=<FQCN of the trustprovider class impl> You can set properties specific to the trustprovider xyz: vbroker.security.trustProvider.xyz.property1=value1 vbroker.security.trustProvider.xyz.property2=value2	set any string
vbroker.security. supportIdentityAssertion	This property corresponds to the IdentityAssertion flag in the IOR sub-component SASContextSec (see the OMG specifications). The default value is true. When set to true, it will set the corresponding bit in the component. When set to false, it will reset it. This bit signifies whether or not the server supports identity assertion and therefore, the client can react according to the pre-defined behavior associated with this bit. (See OMG specifications.)	true
vbroker.security.client. supportNoDelegation	If set to true, the client will add support for NoDelegate in TAG_SSL_SEC_TRANS tag.	false
vbroker.security.server.socket. enabledProtocols vbroker.security.client.socket. enabledProtocols	These properties specify the SSL protocol version, such as TLSv1.2 and TLSv1.3, during the SSL handshaking process when using the VBJ security module, on the server and client sides respectively. The values should be a list of comma-separated values indicating the enabled protocols. (Note: the possible values are different for each underlying JSSE implementation. Please refer to the corresponding JSSE reference guide for the available values). The default depends on the JDK vendor. Note that the highest available protocol version is determined by the installed JSSE implementation.	Depends on the JDK vendor.
vbroker.security.server.ssl. handshakeTimeout	This property specifies the maximum time (in milliseconds) for the SSL handshake to complete at the Server side. It can help to prevent the Server from hanging due to unresponsive Clients during SSL handshake. The default timeout is 5000ms. To disable the timeout, set it to 0.	5000
vbroker.se.iiop_tp.scm.ssl. listener.trustInClient	A server side property. Set to true to have the server require certificates from the client. These certificates must also be trusted by the server by setting the appropriate server-side trust properties. For more information, see the vbroker.security.trustpointsRepository property and the vbroker.security.defaultJSSETrust property.	false
vbroker.se.iiop_tp.scm.ssl.manager. type	Specifies the type of Server Connection Manager. The possible values are Socket and Socket_nio.	Socket
vbroker.se.iiop_tp.scm.ssl. listener.selectorMax	Maximum number of NIO Selectors that can be created in the NIO Selector Pool. Increasing this value may improve the throughput in cases of very high concurrent invocations. This property is only applicable if NIO SSL Socket is configured at the server-side.	20
vbroker.security.CRLRepository	Specifies the directory where you want the list of serial numbers of revoked certificates (Certificate Revocation List (CRL)), issued by the Certificate Authority (CA), to reside. All files in the directory will be loaded and interpreted as CRL—no longer valid. The CRL file must be in the DER format. Once the CRLs are loaded, VisiSecure examines all certificates sent by a peer during SSL handshake. If any of the peer certificates appears in the CRLs, an exception will be thrown and the connection will be refused. For more information, see “Certificate Revocation List (CRL) and revoked certificate serial numbers”.	n/a
vbroker.security.CSS.strict	This property is used to configure the behavior of the Client Security Service (CSS) when an exception is received and the Security Attribute Service (SAS) Context is not set by the Target Security Service (TSS). If this property is set to the default false, the CSS will simply propagate the exception received. If this property is set to true, the CSS throws a BAD_PARAM exception instead, stating that the SAS Context is missing.	false
vbroker.security.CSS.throw_ssl_ exceptions	Determines the form of exception messages thrown by the CSS in response to SSL connection errors, for example when a client tries to make a fresh request over a SSL connection that has been very recently closed by the connection idle and closure mechanism. If this property is set to the default false then a CORBA_BAD_PARAM error is thrown, such as: org.omg.CORBA.BAD_PARAM: CSIV2 Protocol error: TSS did not respond with a SAS context vmcid: 0x0 minor code: 0 completed: No If this property is set to true then the exception thrown is instead a NO_PERMISSION, as is the usual case for SSL exceptions in VisiBroker. For example: org.omg.CORBA.NO_PERMISSION: SSLException: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Broken pipe vmcid: 0x0 minor code: 0 completed: No	false
vbroker.security.keyStore.keyPass	This property is used to specify the keypass value of the Java Keystore. If not set, the value set by the JVM vendor’s javax.net.ssl.keyStorePassword property will be used as the keypass.	n/a

vbroker.security.logLevel

Use this property to control the degree of logging. 0 means no logging and 7 means maximum logging (debug messages).

0

vbroker.security.secureTransport

This property controls whether the transport connection is encrypted or not. If set to true, transport messages are encrypted. If set to false they are in the clear.

true

vbroker.security.alwaysSecure

This property together with the secureTransport property controls the default QoP on the client-side. If both set to true then transport QoP is set to SECURE_ONLY, which means the client will only accept secure transport. If either of them is set to false then Client does not mandate security at the transport layer.

false

vbroker.security.server.transport

This property is used on the server side to define server transport QoP. Acceptable values are CLEAR_ONLY, SECURE_ONLY or ALL. This allows the client that needs either CLEAR_ONLY or SECURE_ONLY to be able to connect to a server. This property will take effect only when property secureTransport is true.

SECURE_
ONLY

vbroker.security.server.
requireUPIdentity

Set this to true if the server requires the client to send a Username/Password for authentication (regardless of certificate-based authentication). This is a server-side property.