Table of Contents

Configuration - backend

The application uses a Spring boot configuration in the application.properties files. All the configuration items which are used solely for idm begin with idm. prefix. The configuration items from the file can be overloaded through a setting agenda in the gui ⇒ a server restart isn't needed for changing the configuration with idm. prefix, which was one of the main goals. The configuration is saved in the database. Use ConfigurationService for reading and saving configuration items.

Naming conventions of the configuration items in idm:

Configure environment properties

Application profiles

We are using Spring profiles: Doc.

Start server under defined profile (add JAVA_OPTS parameters):

-Dspring.profiles.active=production
Configured devstack profiles

External configuration uses Spring: Doc.

Start server with external path to configuration (add JAVA_OPTS parameters):

--spring.config.location=classpath:/default.properties,classpath:/override.properties

Environment properties

Add JAVA_OPTS parameters

Configuration items

Application/ Server

In the application profile (application.properties) and overloadable via ConfigurationService.

# Application stage (development, test, production (default))
#
# Public properties - available for frontend without authentication (show information about app, decorators etc.).
#
# Application stage - development, test, production.
idm.pub.app.stage=
# Application instance / server id - is used for scheduler etc.
# Can be defined in property file only! Overidding via ConfigurationService is not possible for application instance (~ more instanceos on the same database)
idm.pub.app.instanceId=idm-primary
# Frontend server url.
# E.g. http://localhost:3000
# Default: The first 'idm.pub.security.allowed-origins' configured value is used (~ backward compatible).
# @since 12.0.0
idm.pub.app.frontend.url=
# Backend server url.
# E.g. http://localhost:8080/idm
# Default: Url is resolved dynamically from current servlet request.
# @since 12.0.0
idm.pub.app.backend.url=
 
# global date format on BE. Used in notification templates, logs, etc. FE uses localization key 'core:format.date'.
idm.pub.app.format.date=dd.MM.yyyy
# global datetime format on BE. Used in notification templates, logs, etc. FE uses localization key 'core:format.datetime'.
idm.pub.app.format.datetime=dd.MM.yyyy HH:mm
# Show identifiers (uuid) in frontend application. Empty value by default => identifier is shown, when application 'idm.pub.app.stage' is set to 'development'.
idm.pub.app.show.id=
# Show transaction identifiers (uuid) in frontend application.
idm.pub.app.show.transactionId=false
# Show role environment in frontend application for roles (table, role detail, niceLabel, info components, role select).
idm.pub.app.show.environment=true
# Show role baseCode in frontend application for roles (table, role detail, niceLabel, info components, role select).
idm.pub.app.show.role.baseCode=true
# Rendered column in role table agenda. Comma is used as separator. Order of rendered columns is preserved as configured.
# Available columns:
# - name - role name info card with link to detail
# - baseCode - role base code (without environment)
# - environment - role environment
# - disabled
# - description
idm.pub.app.show.role.table.columns=name, baseCode, environment, disabled, description
# Show role catalogue item code in role catalogue tree
idm.pub.app.show.roleCatalogue.tree.code=false
# Number of items (pagination) in role catalogue tree in root level. Used on role select and agenda.
idm.pub.app.show.roleCatalogue.tree.pagination.root.size=25
# Number of items (pagination) in role catalogue tree in other levels. Used on role select and agenda.
idm.pub.app.show.roleCatalogue.tree.pagination.node.size=25
# Number of items (pagination) in tree node structure in root level.
idm.pub.app.show.treeNode.tree.pagination.root.size=50
# Number of items (pagination) in tree node structure in other levels.
idm.pub.app.show.treeNode.tree.pagination.node.size=50
# Available size options for tables in frontend application
idm.pub.app.show.sizeOptions=10, 25, 50, 100
# Show buttons for bulk actions in tables (0 = select box will be shown only).
# Count of quick access buttons for bulk actions in tables - the first count of bulk actions will be shown as button - next action will be rendered in drop down select box.
# Bulk action icon is required for quick access button - action without icon will be rendered in select box.
# Bulk action can enforce showing in quick access button (by bulk action configuration).
idm.pub.app.show.table.quickButton.count=5
# Quick button for bulk actions in tables will be included in drop down select box too (available as button + menu item with text).
# Number of selected record is shown in drop down select header.
idm.pub.app.show.table.quickButton.menuIncluded=true
# Show default form for newly created user.
# Default form can be disabled => at least one configured form projection is needed.
idm.pub.app.show.identity.formProjection.default=true
# Rendered column in identity table agenda. Comma is used as separator. Order of rendered columns is preserved as configured.
# Available columns:
# - username - username with link to detail
# - entityinfo - identity info card
# - lastName
# - firstName
# - externalCode - personal number
# - email
# - state
# - passwordexpiration - information about identity password epiration
# - description
# Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE).
# If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail),
# you can use FE configuration https://wiki.czechidm.com/devel/documentation/application_configuration/dev/frontend
idm.pub.app.show.identity.table.columns=username, lastName, firstName, externalCode, email, state, description
idm.pub.app.show.identityRole.table.columns=role, roleAttributes, environment, identityContract, contractPosition, validFrom, validTill, directRole, automaticRole, incompatibleRoles, description, priority
# If is true, then role-request description will be show on the detail.
# Description will hidden if this property will be false and role request
# doesn't contains any value in description (can be filled during the approval process).
idm.pub.app.show.roleRequest.description=true
# Show logout content (~ page) with message, after user is logged out.
# @since 12.0.0
idm.pub.app.show.logout.content=false
#
# Configurable application theme
# @since 12.0.0
idm.pub.app.show.theme={ "palette": { "type": "light", "primary":       { "main": "#5cb85c", "contrastText": "#fff" }, "secondary":       { "main": "#f50057", "dark": "#c51162", "contrastText": "#fff" }, "success":       { "main": "#4caf50", "contrastText": "#ffffff" }, "warning":       { "main": "#ff9800", "contrastText": "#fff" }, "action": {"loading": "rgba(255, 255, 255, 0.7)"}, "background":       { "default": "#fafafa", "paper": "#fff" } }, "shape": {"borderRadius": 3} }
#
# Configurable application logo (attachment uuid identifier)
# Recommended logo size is 165 x 40 px.
# @since 12.0.0
idm.pub.app.show.logo=
# Footer help link url.
# @since 12.0.0
idm.pub.app.show.footer.help.link=https://wiki.czechidm.com/start
# Footer service desk link url.
# @since 12.0.0
idm.pub.app.show.footer.serviceDesk.link=https://redmine.czechidm.com/projects/czechidmng
#
# Private properties - used on backend only.
#
# Create demo data at application start.
idm.sec.core.demo.data.enabled=true
# Demo data was created - prevent to create demo data duplicitly.
idm.sec.core.demo.data.created=false
# Create init data at application start. Init data (product provided roles) are updated automatically with pruct updates.
# Set property to false to disable init data creation and updates.
idm.sec.core.init.data.enabled=true

Change server for asynchronous processing (switch application instance)

@since 11.1.0

Application instance (server) is used for asynchronus processing - for scheduled tasks, asynchronous long running tasks and events. Instance identifier can be defined in the application profile (application.properties) by property idm.pub.app.instanceId. When we want to schedule and process asynchronous tasks and event on other instace (or when one instance shutdown), then we can switch processing by provided bulk action Change server for asynchronous processing in configuration agenda:

Previous and new instance identifier is required as input parameters. All scheduled tasks and all created (~ not processed) asynchronous long running tasks and events will be moved from previous to new instance and will be processed on new instance (server).

Bulk action is available for logged user with required authorities and permissions:

In the application profile (application.properties)

# ZonedDateTime is stored in UTC
spring.jpa.properties.hibernate.jdbc.time_zone=UTC
# Driver (e.g. postgres) does not support contextual LOB creation
spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true
# audit table suffixes
spring.jpa.properties.org.hibernate.envers.audit_table_suffix=_a
spring.jpa.properties.org.hibernate.envers.modified_flag_suffix=_m
# modified flag for all audited columns
spring.jpa.properties.org.hibernate.envers.global_with_modified_flag=true
# prevent to modify attributes created, creator etc.
spring.jpa.properties.org.hibernate.envers.audit_strategy=eu.bcvsolutions.idm.core.model.repository.listener.IdmAuditStrategy
spring.jpa.properties.hibernate.session_factory.interceptor=eu.bcvsolutions.idm.core.model.repository.listener.AuditableInterceptor
# enable / disable audit (envers)
spring.jpa.properties.hibernate.listeners.envers.autoRegister=true
# Spring boot 2 changed default to true, but we are using IDENTITY identifier generators for mssql database.
spring.jpa.hibernate.use-new-id-generator-mappings=false
#
# DB ddl auto generation by hibernate is disabled - flyway database migration is used
spring.jpa.generate-ddl=false
spring.jpa.hibernate.ddl-auto=none
#
# DATASOURCE (DataSourceAutoConfiguration & DataSourceProperties)
spring.datasource.url=jdbc:postgresql://localhost:5432/bcv_idm_storage
spring.datasource.username=*****
spring.datasource.password=*****
spring.datasource.driver-class-name=org.postgresql.Driver
# test connection, when is used from pool (reconnect after db is restarted)
spring.datasource.testOnBorrow=true
spring.datasource.validationQuery=SELECT 1
# Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes.
spring.datasource.maximumPoolSize=50

Additional datasources

As of version 12.2.0 we are no longer using spring-boot datasource autoconfiguration. Instead, we define datasources ourseves. This decision was motivated by our need for multiple independent datasources with separated connection pools, which was previously not possible.

Notable changes:

There are by default two datasources configured

  * datasource - default datasource, which is being used for almost all database communication (Flyway, JPA repositories)
  * loggingDatasource - This datasource is used by our database logging appender to write logging messages, when databes appender is enabled. The reason why this is done by separate datasource is to prevent database logging to hog database connections and hinder the application performance

*

Configuration properties, that have changed with introduction of additional datasources:

  * //''spring.datasource.''url →// //''spring.datasource.jdbcUrl'' //
  * spring.datasource.hikari.* → spring.datasource.*

*

Both datasources are required for the app to start.

  * By default, both datasources are configured for H2 in-memory database
  * If you specify property spring.datasource.jdbcUrl, IdM will no longer use in memory database for main datasource and instead it will configure connection using spring.datasource.* properties
  * The same goes for loggingDatasource, which is configured using spring.logging-datasource.* properties

===== Datasource configuration properties

CzechIdM uses HikariCP to manage connections. All possible configuration properties for each datasource can be seen as fields in https://github.com/openbouquet/HikariCP/blob/master/src/main/java/com/zaxxer/hikari/HikariConfig.java class.

Developer

Provisioning

# It's possible to send additional attributes, when password is changed (mapped attributes with flag sendOnPasswordChange)
# - true: additional password attributes will be send in one provisioning operation together with password
# - false: additional password attributes will be send in new provisioning operation, after password change operation
idm.sec.acc.provisioning.sendPasswordAttributesTogether=true
 
# It's possible to automatic mapped existed account on the target system. It means, before create new account (call create on the connector),
# we try to found account (by generated UID) on the target system. If account will be
# returned, then will be mapped on the IdM account. Target account will be reused and only updated by connector.
# - true: for reusing account
# - false: for not reusing account
# - Default value is 'true'
idm.sec.acc.provisioning.allowedAutoMappingOnExistingAccount=true
 
# Default provisioning timeout in milis - every longer provisioning operations will ends with timeout exception (prevent to stuck running operations).
# 3 minutes by default.
# Timeout has to be configured>= 1000, otherwise default will be returned.
idm.sec.acc.provisioning.timeout=180000

Provisioning global break

For enable global provisioning break you must set configurations properties defined below, otherwise global provisioning break will not be activated.
# Global break for update disabled/enabled (values: true/false)
idm.sec.acc.provisioning.break.update.disabled
# Global break for update checked period (integer values)
idm.sec.acc.provisioning.break.update.period
# Global break for update disable limit (integer values)
idm.sec.acc.provisioning.break.update.disableLimit
# Global break for update disabled template (ID of template, if will by null default template will be used)
idm.sec.acc.provisioning.break.update.templateDisable
# Global break for update warning limit (integer values)
idm.sec.acc.provisioning.break.update.warningLimit
# Global break for update warning template (ID of template, if will by null default template will be used)
idm.sec.acc.provisioning.break.update.templateWarning
# Global break for update. Existing identity recipients (identity username or id, split by ',')
idm.sec.acc.provisioning.break.update.identityRecipients
# Global break for update. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
idm.sec.acc.provisioning.break.update.roleRecipients
#
#
# Global break for create disabled/enabled (values: true/false)
idm.sec.acc.provisioning.break.create.disabled
# Global break for create checked period (integer values)
idm.sec.acc.provisioning.break.create.period
# Global break for create disable limit (integer values)
idm.sec.acc.provisioning.break.create.disableLimit
# Global break for create disabled template (ID of template, if will by null default template will be used)
idm.sec.acc.provisioning.break.create.templateDisable
# Global break for create warning limit (integer values)
idm.sec.acc.provisioning.break.create.warningLimit
# Global break for create warning template (ID of template, if will by null default template will be used)
idm.sec.acc.provisioning.break.create.templateWarning
# Global break for create. Existing identity recipients (identity username or id, split by ',')
idm.sec.acc.provisioning.break.create.identityRecipients
# Global break for create. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
idm.sec.acc.provisioning.break.create.roleRecipients
#
#
#
# Global break for delete disabled/enabled (values: true/false)
idm.sec.acc.provisioning.break.delete.disabled
# Global break for delete checked period (integer values)
idm.sec.acc.provisioning.break.delete.period
# Global break for delete disable limit (integer values)
idm.sec.acc.provisioning.break.delete.disableLimit
# Global break for delete disabled template (ID of template, if will by null default template will be used)
idm.sec.acc.provisioning.break.delete.templateDisable
# Global break for delete warning limit (integer values)
idm.sec.acc.provisioning.break.delete.warningLimit
# Global break for delete warning template (ID of template, if will by null default template will be used)
idm.sec.acc.provisioning.break.delete.templateWarning
# Global break for delete. Existing identity recipients (identity username or id, split by ',')
idm.sec.acc.provisioning.break.delete.identityRecipients
# Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
idm.sec.acc.provisioning.break.delete.roleRecipients

Reports

Report executor

In the application profile (application.properties) - overloadable via ConfigurationService. Every report executor (~report) could have his own configuration properties under prefix:

# disable / enable report
idm.sec.<module>.report-executor.<name>.enabled=true

Where <module> is report's module a <name> is report's name.

Common configuration properties for all reports:

In the application profile (application.properties) - overloadable via ConfigurationService. Every report renderer could have his own configuration properties under prefix:

# disable / enable renderer
idm.sec.<module>.report-renderer.<name>.enabled=true

Where <module> is renderer's module a <name> is renderer's name.

Common configuration properties for all renderers:

In the application profile (application.properties):

# Show thread name configured by thread pools (task, event) in logs (generated name is shown otherwise)
# Two appenders 'console' and 'file' are provided by product. Same configuration is needed for your custom appenders (added in logback.xml).
logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n

Logger levels can be configured programmatically (override logback.xml file with default logger levels configuration).

In the application profile (application.properties) - overloadable via ConfigurationService:

idm.sec.core.logger.<packageName>=<level>

Where <packageName> is package name to set logger <level>.

Example:

idm.sec.core.logger.eu.bcvsolutions=DEBUG

Monitoring

Monitoring evaluator

In the application profile (application.properties) - overloadable via ConfigurationService.

# disable / enable monitoring evaluator
idm.sec.<module>.monitoring-evaluator.<name>.enabled=true

Where <module> is monitoring's module a <name> is monitoring's name.

Common configuration properties for all monitorings: