[App_Service]

The [App_Service] stanza is used to configure the MVMM Application Service.

Parameter

Description

ads_domainname

The domain name of the Active Directory domain. Example: sample.com. This is only used when configuring Active Directory security.

ads_groupname

This was used when configuring Active Directory Legacy mode security; this mode is no longer supported.

ads_base_fqdn

Active Directory Fully Qualified Domain Name

Example: DC=ad,DC=sample,DC=com

This must match the distinguishedName of your Active Directory Domain.

ads_groupdn

This was used when configuring Active Directory Legacy mode security; this mode is no longer supported.

ads_ouname

This was used when configuring Active Directory Legacy mode security; this mode is no longer supported.

ads_trust_policy

Active Directory Security Trust Policy. Used when configuring Active Directory Delegate mode security. Defines the way security certificates are processed when connecting to an Active Directory Domain Controller.

The value trustAll allows connection to an Active Directory Domain Controller regardless of the security certificate it presents.

The value trustNone allows connection to an Active Directory Domain Controller only if the security certificate it presents is listed in the truststore.

ads_hostname

Active Directory Security Host Name. Used when configuring Active Directory delegate mode security. Defines the DNS names of one or more Active Directory Domain Controllers, or if the Active Directory Domain Controllers are referenced by the domain name, that domain name. The SecurityConfig program sets this based on your configuration information.

ads_max_group_recursion

Active Directory Security Maximum Group Recursion. Used when configuring Active Directory delegate mode security. Defines the depth limit that is searched to find a user's group affiliation. This can be set if there are large numbers of AD groups and the response time to AD Domain Controllers is slow. Defaults to 3.

ads_monitor_delay

Active Directory Security Monitor Delay. Used when configuring Active Directory Delegate mode security. Controls the length of time (in seconds) between checks on the health of an Active Directory Domain Controller.

Defaults to 30 seconds.

This is a tuning parameter and generally should not be modified.

ads_monitor_threads

Active Directory Security Monitor Thread Count. Used when configuring Active Directory Delegate mode security. Controls the number of threads used to monitor the Active Directory Domain Controllers.

Defaults to 10.

This is a tuning parameter and generally should not be modified.

ads_port

Used when configuring Active Directory Delegate mode security. Must be set to 636 if using SSL (recommended) to connect to Active Directory Domain Controllers; set to 389 if not using SSL. The SecurityConfig program sets this based on your configuration information.

ads_security

Active Directory Security Transport Type. Used when configuring Active Directory Delegate mode security. Set to NONE, SSL, SASL, or SSL+SASL. Controls the protocol used to connect to Active Directory Domain Controllers. The SecurityConfig program sets this based on your configuration information.

agent_status_delay

Default: 5. Time, in seconds, to delay agent status updates.

Before editing this setting, contact BMC Support.

agent_status_pool_size

Default: 8. Number of threads in the agent status executor pool.

Before editing this setting, contact BMC Support.

company_name

Used with the execution key to determine product licensing.

client_port

Default: 15005. Defines the port that the Management Console client connects to.

config_files=jetty/qpas.xml jetty/apache-ds.xml

Defines the configuration files used to configure Jetty. By default it starts the main MVMM Application Service applications, including the Apache LDAP server. When running with Active Directory authentication, jetty/apache-ds.xml can be removed.

doc_home

This allows a user to override the location of the online Documents directory. It defaults to the install directory.

execution_key

Used with the company_name to determine product licensing.

force_client_to_server_timezone

When set to TRUE, forces clients to use the server's timezone. Useful for instances where clients are in a different timezone than the server to avoid gaps in queried report data. The timezone in use by the client is displayed on the clock in the lower right-hand corner of the client window.

hostname

Default: localhost. Defines the host name or IP address of the computer on which the MVMM Application Service runs.

jaas_config_file=jetty/apache-ds_jaas.config

This allows a user to override the name of the Java JAAS config file used for configuring java application security. It defaults to the configuration for the IETF user authentication. The user overrides this in order to set up Active Directory authentication. The name refers to a file in the jetty directory.

java.naming.security.credentials=D;5iKGpSZ3

Defines the password used to start and stop the LDAP service. It needs to be changed whenever the user runs the setadminpw script to match the new password.

java.naming.security.principal=uid=admin,ou=system

Defines the internal user id used to start and stop the LDAP service. It should not normally be changed.

javax.net.ssl.trustStore

Default: ldapsTruststore.jks

This is a java keystore containing certificates of trusted directory servers.

The LDAP Directory Service internal to the product always has an entry in this keystore. A trusted entry for the self-signed certificate is added when the certificate is generated (see ldaps_keystore). Entries for trusted Active Directory servers are also stored in here.

The Security Config tool can be used to populate this keystore.

javax.net.ssl.trustStorePassword

Default: BMCSOFTWARE (stored in obfuscated format).

The password for the javax.net.ssl.trustStore java keystore file. The password may be in plain text or obfuscated in "Cryptor" format using mqsusertool to encode a plain text password. The Security Config tool can be used to set this.

jetty_home=jetty

This allows a user to override the location of the jetty home directory. It defaults to the jetty directory in the install directory.

jetty_keystore=jetty/webapps/localhost.jks

A java keystore file containing the keys and certificate used to secure the HTTPS port (15004 by default), and the client port (15005 by default).

Users may access the product launch page, reports or agent distributions using HTTPS.

A self-signed certificate is generated when the Application Service starts if the keystore file does not already exist.

See Post core component installation and configuration for more information.

jetty_ssl_stsMaxAgeSeconds

Sets the "max-age" value in the Strict-Transport-Security HTTPS header used for the Application Service HTTPS port.

Default value is 31536000.

Set to -1 to disable the header.

jetty_ssl_stsIncludeSubdomains

Set to True to add "includeSubDomains" to the Strict-Transport-Security HTTPS header.

Set to False to delete it from the header. 

https_certificate_cn

A fully qualified host name.

Overrides the common name ("cn") attribute in the generated HTTPS self-signed certificate. The "cn" is used for host name verification during TLS handshakes.

If this parameter is not set, the common name is the detected canonical host name.

To regenerate the self-signed certificate, stop the MVMM Application Service, remove the existing Jetty keystore file, and start the MVMM Application Service.

jetty_keystore_keypassword=OBF:1fuk1kl61f9d1mrf1ldm1gu71ldw1mrn1f991klg1fuq

Defines the keystore key password used for the jetty_keystore file. See Post core component installation and configuration for more information.

jetty_keystore_password=OBF:1fuk1kl61f9d1mrf1ldm1gu71ldw1mrn1f991klg1fuq

Defines the keystore password used for the jetty_keystore file. See Post core component installation and configuration for more information.

ldap_base_fqdn=dc=mqsoftware,dc=com

This allows a user to override the base LDAP fully qualified domain name. It needs to be changed when using Active Directory authentication.

ldap_bind_dn

Active Directory Security Bind DN pattern. Used when configuring Active Directory Delegate mode security. Overrides the default bind DN pattern used to access the LDAP server. Before editing this setting, contact BMC Support.

ldap_user_dn

Active Directory Security User DN pattern. Used when configuring Active Directory Delegate mode security. Overrides the default user DN pattern used to access the LDAP server. Before editing this setting, contact BMC Support.

ldap_group_dn

Active Directory Security Group DN pattern. Used when configuring Active Directory Delegate mode security. Overrides the default group DN pattern used to access the LDAP server. Before editing this setting, contact BMC Support.

ldap_hostname

Default: localhost. When using Microsoft Active Directory, this defines the host name or IP address of the computer on which Microsoft Active Directory runs. Otherwise it defines the host name where the product is installed. When integrating with MVMA located on another host, network interfaces are used by default to determine a host name or IP address to configure TSMA so that it can connect to TMTM. If the host name or IP address chosen this way is not reachable from the TSMA machine, you can specify a reachable host name or IP address yourself by changing this keyword from localhost.

ldaps_keystore

Default: ldapsKeystore.jks

A keystore that contains the key and certificate used for the LDAPS port.

A self-signed certificate is generated when the Application Service starts if the keystore file does not already exist.

ldaps_certificate_cn

A fully qualified host name.

Overrides the common name ("cn") attribute in the generated LDAPS self-signed certificate. The "cn" is used for host name verification during TLS handshakes.

If this parameter is not set, the common name is the detected canonical host name.

To regenerate the self-signed certificate, stop the MVMM Application Service, remove the existing LDAPS keystore file, and start the MVMM Application Service.

ldaps_keystore_password

Default: BMCSOFTWARE (stored in obfuscated format).

The password for the ldaps_keystore file. The password may be obfuscated in "Cryptor" format using mqsusertool to encode a plain text password.

ldap_port

Default: 15008. Defines the port on which the MVMM Application Service connects to the internal directory service using LDAP.

ldaps_port

Default: 15011. Defines the port on which the MVMM Application Service connects to the internal directory service using LDAPS.

ldap_schema

Default: "IETF", indicates the internal LDAP will be used for security.

"Delegate" indicates Active Directory Delegate mode.

ldap_max_results

Default: 1000. Defines the maximum number of user entries that can be returned on an LDAP request.

ldap_timeout

Timeout, in milliseconds, for LDAP operations.

Set to 0 to disable timeouts.

Defaults to 30000.

ldap_retries

Number of retry attempts for failed LDAP operations.

Set to 0 to disable retries.

Defaults to 3.

secure_agent_distributions

Defaults to false. If set to true, permits only authenticated users access to the bootstrap agent distribution packages.

secure_agent_distribution_rights

Defaults to "QPCONFIG_DISTRIBUTE_AGENT". Sets the rights required by authenticated users if secure_agent_distributions is set to true.

ssl.KeyManagerFactory.algorithm=sunX509

This is the Java KeyManager algorithm. It is specific to the Java platform in use.

web_port

Default: 15007. Defines the port on which the MVMM Application Service listens.

web_secure_port

Default: 15004. Defines the port on which the MVMM Application Service secure traffic travels.

web_redirect_http_to_https

Defaults to false. If true, HTTP requests to the web_port will be redirected to use HTTPS on the web_secure_port for external (end-user) web apps.

client_protocols

Default: "TLSv1.2". Defines the TLS protocol used for client connections.

client_ciphers

Default: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256". Whitelist of ciphers that can be used with clients.

default_client_vm_args

No default. Used to define default JVM launch settings for Management Console clients, e.g. "-Dcom.bmc.mmpa.client_protocols=SSLv3" would restrict the initial client handshake to use SSLv3. Settings are cached on client machines. The client cache must be cleared to pick up changed settings (using the Java Control Panel).
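The following is an added example, not code from the product, that reads an [App_Service] stanza and flags the weaker settings described above: ads_trust_policy=trustAll, ads_security without SSL or a mismatched ads_port, a disabled Strict-Transport-Security header (jetty_ssl_stsMaxAgeSeconds=-1), HTTP not redirected to HTTPS, and legacy protocols in client_protocols or in a -Dcom.bmc.mmpa.client_protocols override in default_client_vm_args. The sample stanza is constructed with placeholder values, and keys left out are treated as the defaults this page documents.

```python
import configparser
import re

# Constructed sample stanza with placeholder values (not from a real
# installation), deliberately set to trip several of the checks below.
SAMPLE_CONFIG = """[App_Service]
ldap_schema=Delegate
ads_trust_policy=trustAll
ads_security=NONE
ads_port=389
jetty_ssl_stsMaxAgeSeconds=-1
web_redirect_http_to_https=false
client_protocols=TLSv1.2
default_client_vm_args=-Dcom.bmc.mmpa.client_protocols=SSLv3
"""

# Protocol names that should not appear in client_protocols or in a
# -Dcom.bmc.mmpa.client_protocols override; TLSv1.2 does not match.
LEGACY_PROTOCOL = re.compile(r"(SSLv2|SSLv3|TLSv1(?:\.[01])?)(?![\w.])")


def audit_app_service(text):
    """Return [(parameter, message), ...]; absent keys use the documented defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    s = cp["App_Service"]
    findings = []

    # Active Directory checks only matter in Delegate mode.
    if s.get("ldap_schema", "IETF").strip().lower() == "delegate":
        if s.get("ads_trust_policy", "").strip() == "trustAll":
            findings.append(("ads_trust_policy", "any DC certificate is accepted; "
                             "use trustNone and load DC certificates into the truststore"))
        sec = s.get("ads_security", "NONE").strip().upper()
        port = s.get("ads_port", "389").strip()
        if "SSL" not in sec:
            findings.append(("ads_security", "AD traffic is not TLS-protected; "
                             "use SSL or SSL+SASL with ads_port=636"))
        elif port != "636":
            findings.append(("ads_port", f"ads_security={sec} but ads_port={port}"))

    if s.get("jetty_ssl_stsMaxAgeSeconds", "31536000").strip() == "-1":
        findings.append(("jetty_ssl_stsMaxAgeSeconds", "HSTS header is disabled"))
    if s.get("web_redirect_http_to_https", "false").strip().lower() != "true":
        findings.append(("web_redirect_http_to_https",
                         "HTTP on web_port is not redirected to web_secure_port"))

    for key in ("client_protocols", "default_client_vm_args"):
        m = LEGACY_PROTOCOL.search(s.get(key, ""))
        if m:
            findings.append((key, f"legacy protocol {m.group(1)} enabled for clients"))
    return findings
```

Running audit_app_service(SAMPLE_CONFIG) returns five findings for the sample stanza; a stanza with trustNone, SSL on port 636 and the redirect enabled returns none.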

default_client_min_memory

Defaults to "256m". Defines the default client VM initial heap size. Can be no lower than the default.

default_client_max_memory

Defaults to "512m". Defines the default client VM maximum heap size. Can be no larger than "8000m".

pwd_allow_user_change

Allow user changes - allow or deny users the ability to change their own password.

Defaults to true

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_check_quality

Quality Check policy - password quality check. 0 - No check. 1 - Check the password and accept hashed passwords. 2 - Check the password but reject hashed passwords. Note that hashed passwords cannot be validated against a password policy.

Defaults to 2

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_failure_count_interval

Purging login failures - Failures are stored within the user entry. Failures are purged according to this interval, or on a successful login. When purged because this interval has expired, all failures older than the current time minus the set interval are removed from the entry.

Defaults to 30

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_in_history

Password History - keep a backlog of passwords so that a user can't keep reusing the same password. The old password(s) will be stored in the user's entry password history.

Defaults to 5

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_lockout

If true, accounts are locked if the number of login failures exceeds the threshold set in pwd_max_failure. When the account is locked, no further login attempt will succeed even if the correct password is sent.

Locked accounts can be unlocked by administrators by using mqsusertool.

Defaults to true

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_lockout_duration

Delayed login - If an account is locked due to failed login attempts it will unlock after this duration. A setting of 0 means no unlock will be applied. Time is in seconds.

Defaults to 0

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_max_failure

Attempts counter - Each failed login attempt will be logged in the user entry. When the failure count exceeds this limit the user account may be locked, based on the pwd_lockout and pwd_lockout_duration parameters. A value of 0 disables login failure tracking.

Defaults to 5

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.
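The lockout parameters above (pwd_failure_count_interval, pwd_lockout, pwd_lockout_duration and pwd_max_failure) interact, and the following added model, which is not the product's own code, shows how: failures are timestamped in the user entry, purged after the interval or on a successful login, the account locks when the count exceeds pwd_max_failure, and a positive pwd_lockout_duration lifts the lock while 0 leaves it for an administrator with mqsusertool. Times are plain seconds since an arbitrary epoch.

```python
class LoginFailurePolicy:
    """Illustrative model of the internal-security lockout parameters
    (not the product's own code). Times are seconds since an arbitrary
    epoch; failures are kept as timestamps, as in the user entry."""

    def __init__(self, pwd_max_failure=5, pwd_lockout=True,
                 pwd_lockout_duration=0, pwd_failure_count_interval=30):
        self.pwd_max_failure = pwd_max_failure
        self.pwd_lockout = pwd_lockout
        self.pwd_lockout_duration = pwd_lockout_duration
        self.pwd_failure_count_interval = pwd_failure_count_interval
        self.failures = []      # timestamps of failed attempts
        self.locked_at = None   # when the lock was applied, if any

    def _purge(self, now):
        # Drop failures older than now minus pwd_failure_count_interval.
        if self.pwd_failure_count_interval > 0:
            cutoff = now - self.pwd_failure_count_interval
            self.failures = [t for t in self.failures if t >= cutoff]

    def is_locked(self, now):
        """True while the account is locked; a positive pwd_lockout_duration
        lifts the lock once it has elapsed, 0 means an admin must unlock."""
        if self.locked_at is None:
            return False
        if (self.pwd_lockout_duration > 0
                and now - self.locked_at >= self.pwd_lockout_duration):
            self.locked_at = None
            self.failures = []
            return False
        return True

    def attempt(self, password_ok, now):
        """Process one login attempt; return True only if it succeeds."""
        if self.is_locked(now):
            return False        # the correct password does not help while locked
        self._purge(now)
        if password_ok:
            self.failures = []  # a successful login purges stored failures
            return True
        if self.pwd_max_failure > 0:   # 0 disables failure tracking
            self.failures.append(now)
            # The page says the account locks when the count exceeds the limit.
            if self.pwd_lockout and len(self.failures) > self.pwd_max_failure:
                self.locked_at = now
        return False
```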

pwd_max_idle

Idle Password - if the user does not log in during the idle period, the password is expired. A value of 0 disables the idle check. Time is in seconds.

Defaults to 0

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_max_length

Password length constraint - maximum password length. A value of 0 disables the maximum length check.

Defaults to 0

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_min_age

Minimum delay between modifications - when the password history is activated, some users may change their passwords many times to get their old password out of the history, and add it as their password again. Setting a delay between two password changes may protect the password against such action. A value of 0 disables the age check.

Defaults to 0

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

pwd_min_length

Password length constraint - minimum password length. A value of 0 disables the minimum length check.

Defaults to 5

Only applies when using Internal Security. Defers to Active Directory configuration if using Active Directory Delegate Mode Security.

ldaps_protocols

Sets the TLS protocols used for the internal LDAP Server (on port 15011 by default). Default is TLSv1.2.

Applies when using Internal Security or Active Directory Delegate Mode Security.

ldaps_ciphersuites

Sets the TLS cipher suites used for the internal LDAP Server (on port 15011 by default). Default is:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

Applies when using Internal Security or Active Directory Delegate Mode Security.

ldap_password_hashing_algorithm

Defines the hashing algorithm used to store passwords in the internal LDAP directory. Any of the following are supported. Previously stored hashed passwords are not changed. An Application Service restart is required.

SHA-384
CRYPT-SHA-256
SHA
SMD5
CRYPT-SHA-512
PKCS5S2
SSHA-512
CRYPT-MD5
SSHA-256
SSHA-384
CRYPT-BCRYPT
CRYPT
SHA-256
SHA-512
SSHA
MD5

Default is SSHA-256
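As an added illustration (not the product's code) of why switching ldap_password_hashing_algorithm leaves previously stored hashes usable, the functions below produce and verify values in the {SCHEME}base64(...) form for the plain and salted digest schemes in the list above. The assumed layout is the RFC 2307 style used by Apache DS: the digest is computed over password + salt and the salt is appended to the digest before base64 encoding; the CRYPT-* and PKCS5S2 schemes use other encodings and are not modelled.

```python
import base64
import hashlib
import hmac
import os

# Scheme prefix -> (hash constructor, salted?). Only the plain/salted
# digest schemes from the page's list are modelled; the CRYPT-* and
# PKCS5S2 schemes use different encodings and are left out.
SCHEMES = {
    "MD5": (hashlib.md5, False),        "SMD5": (hashlib.md5, True),
    "SHA": (hashlib.sha1, False),       "SSHA": (hashlib.sha1, True),
    "SHA-256": (hashlib.sha256, False), "SSHA-256": (hashlib.sha256, True),
    "SHA-384": (hashlib.sha384, False), "SSHA-384": (hashlib.sha384, True),
    "SHA-512": (hashlib.sha512, False), "SSHA-512": (hashlib.sha512, True),
}


def hash_password(password, scheme="SSHA-256", salt=None):
    """Return '{SCHEME}base64(digest [+ salt])' for the given scheme.

    Assumed layout (RFC 2307 style, as used by Apache DS): the digest is
    computed over password + salt and the salt is appended to the digest
    before base64 encoding, so it can be recovered at verification time.
    """
    digest_fn, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(8) if salt is None else salt
        raw = digest_fn(pw + salt).digest() + salt
    else:
        raw = digest_fn(pw).digest()  # unsalted: identical passwords hash alike
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def verify_password(password, stored):
    """Check a password against a stored value using the scheme the value
    itself names; this is why changing the default algorithm does not
    invalidate previously stored hashes."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value has no {SCHEME} prefix")
    scheme, _, b64 = stored[1:].partition("}")
    digest_fn, _ = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    size = digest_fn().digest_size
    digest, salt = raw[:size], raw[size:]   # salt is empty for unsalted schemes
    candidate = digest_fn(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Two SSHA-256 values for the same password differ because of the salt, while two unsalted SHA-256 values are identical, which is the practical reason to keep a salted default.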
