Misc Configuration options

Different configuration options.

Please make sure to have a recent copy/backup of the files being edited before making the changes.

Default country prefix

Go to Scenarios, Radius, <your scenario>. On the tab "Execution flow" edit the valve used for message delivery (SMS or Voice), for example OTPBySMSValve, press "+ Add" and set the following:

Parameter = recipient_prefix    Value = +46

Suffix for token enrollment

During the configuration of scenario "Self Service" you will set the value for "Issuer". This is the name that will be seen when doing enrollment.

If this needs to be changed, go to Scenarios, Applications, Self Service, Self Service and the tab Software token/One Touch. Edit the value for "Issuer".

OTP Retries

To enable OTP retries, please go to Scenarios, Radius, <your scenario>. On the tab "Execution flow" edit the OTPValidationValve on the pipe "Verify otp", press "+ Add" and set the number of retries accordingly:

Parameter = otp_retries    Value = 3

Should look like this:

	"generated_otp_param_name": "generated_otp",
	"provided_otp_param_name": "{{request.User-Password}}",
	"otp_retries": "3"

We also need the valve called ItemCreateValve. Press "+ Add valve", set "Type" to "ItemCreateValve", set it to "Enabled", add the parameter "dest_id" with the value "data" and press "Add valve". It should now look like this:

	"dest_id": "data"

Drag it before the OTPValidationValve in the Validation pipe, then press "Save".

To change the corresponding message, edit the following string in the file <PhenixIDinstallationdirectory>/mods/com.phenixidentity~phenix-radius~<version>/lang/en/strings.xml:

	<string name="radius.uidpwdotpauth.accesschallenge.retry.message">Wrong otp. Please enter your otp:</string>

SMTP with TLS and self-signed certificates

If the SMTP server uses a self-signed certificate or a certificate that is not included in cacerts, we have two options.

The first option is to import the self-signed certificate into the file cacerts, located in <PhenixID Server installationdirectory>/jre/lib/security. This is the recommended way. An example of how this is done can be found here: http://docs.oracle.com/cd/E19340-01/820-6740/aeogk/index.html
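The import described above, as an added example that is not part of the PhenixID documentation: it compares the certificate's SHA-256 fingerprint with a value obtained from the mail server's administrator, copies cacerts to cacerts.bak, and only then runs keytool. The function names, the alias smtp-server and the store password changeit (the stock JRE default) are assumptions.

```shell
#!/bin/sh
# Added example, not PhenixID code. Function names, the default alias and
# the default store password "changeit" (stock JRE value) are assumptions.
# Usage:
#   import_smtp_cert smtp.pem "<sha256 fingerprint>" \
#       "<PhenixID Server installationdirectory>/jre/lib/security/cacerts"

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint of a PEM certificate as bare upper-case hex.
cert_fp() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    norm_fp "${out#*=}"
}

# import_smtp_cert <cert.pem> <expected-fingerprint> <cacerts-path> [alias]
# Returns 0 on import, 2 on fingerprint mismatch, 1 on any other failure.
import_smtp_cert() {
    pem=$1; want=$(norm_fp "$2"); store=$3; name=${4:-smtp-server}
    [ -r "$pem" ] && [ -n "$want" ] && [ -f "$store" ] || return 1

    # Refuse to trust a certificate that is not the one we were told about.
    got=$(cert_fp "$pem") || return 1
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: got $got" >&2
        return 2
    fi

    # Keep a copy of the trust store before changing it.
    cp -p "$store" "$store.bak" || return 1

    keytool -importcert -noprompt -trustcacerts \
        -alias "$name" -file "$pem" \
        -keystore "$store" -storepass "${STOREPASS:-changeit}" || return 1
}
```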

The second option is to use a Java parameter to trust self-signed certificates. The value * trusts every host, not only the configured SMTP server.
For Linux, add the following to <PhenixID Server installationdirectory>/bin/start-PhenixID.sh:

JAVA_OPTS="${JAVA_OPTS} -Dmail.smtp.ssl.trust=*"

For Windows, add the following parameter to <PhenixID Server installationdirectory>/bin/phenixidserver.vmoptions and phenixservice.vmoptions:


Customized Challenge response message

In the configuration GUI go to the tab "Advanced", press the pencil beside "Authentication - Radius" and add the desired message to the parameter challenge_message, like this:

"challenge_message": "Your customized message to the user:"

Then press "Stage changes"/"Commit changes".

The RADIUS AUTHENTICATOR should be of the type usernamepasswordotp

Change post SAML assertion delay

Open <auth_http_template_root>/templates/autopost.template

Change timeout value (default is 5s (5000ms)):


Save file.


LDAP Connection settings in some Firewall scenarios

In the configuration GUI, go to Scenarios, Connections, LDAP, <yourldap>. Set the value for "Connection pool max age" like the example below. This setting will reconnect to the LDAP server every minute, to make sure we won't time out.

"pool_max_age" : "60000"

Property expansion expressions with dotted keys

Turn on globally with system property: com.phenixidentity.globals.useExtendedExprSyntax=true

Example in vmoptions file:


Has to be added to each valve where used if not configured globally.

"use_extended_expr_syntax": "true" 

Requires dots to be escaped with '\\' (ex: {{request.apa\\.banan}})

Also supported for system properties (when turned on, otherwise use '_' as separator)

By default this behaviour is switched off (for compatibility with existing configurations)