Misc Configuration options
Different configuration options.
Please make sure to have a recent copy/backup of the files being edited before making the changes.
Default country prefix
Go to Scenarios, Radius, <your scenario>. On the tab "Execution flow", edit the valve used for message delivery (SMS or Voice), for example OTPBySMSValve, press "+ Add" and set the following:
Parameter = recipient_prefix Value = +46
Suffix for token enrollment
During the configuration of scenario "Self Service" you will set the value for "Issuer". This is the name that will be seen when doing enrollment.
If this needs to be changed, go to Scenarios, Applications, Self Service, Self Service and the tab "Software token/One Touch". Edit the value for "Issuer".
OTP Retries
To enable OTP retries, go to Scenarios, Radius, <your scenario>. On the tab "Execution flow", edit the OTPValidationValve on the pipe "Verify otp", press "+ Add" and set the number of retries accordingly:
Parameter = otp_retries Value = 3
Should look like this:
{
"generated_otp_param_name": "generated_otp",
"provided_otp_param_name": "{{request.User-Password}}",
"otp_retries": "3"
}
We also need the valve called ItemCreateValve. Press "+ Add valve", set "Type" to "ItemCreateValve", set it to "Enabled", add the parameter "dest_id" with the value "data" and press "Add valve". It should now look like this:
{
"dest_id": "data"
}
Drag it before the OTPValidationValve in the Validation pipe, then press "Save".
To change the corresponding message, edit the file <PhenixIDinstallationdirectory>/mods/com.phenixidentity~phenix-radius~<version>/lang/en/strings.xml and change the text of <string name="radius.uidpwdotpauth.accesschallenge.retry.message">Wrong otp. Please enter your otp:</string>
SMTP with TLS and self-signed certificates
If the SMTP server uses a self-signed certificate, or a certificate that is not included in cacerts, there are two options.
The first option is to import the self-signed certificate into the file cacerts, located in <PhenixID Server installationdirectory>/jre/lib/security. This is the recommended way. Example of how this is done can be found here: http://docs.oracle.com/cd/E19340-01/820-6740/aeogk/index.html
The second option is to use a Java system property that makes the mail client trust any certificate the SMTP server presents (the certificate is then not validated against cacerts at all). For Linux, add the following to <PhenixID Server installationdirectory>/bin/start-PhenixID.sh (the value must be quoted, otherwise the shell treats the option as a separate command):
JAVA_OPTS="${JAVA_OPTS} -Dmail.smtp.ssl.trust=*"
For Windows, add the following parameter to <PhenixID Server installationdirectory>/bin/phenixidserver.vmoptions and phenixservice.vmoptions:
-Dmail.smtp.ssl.trust=*
Customized Challenge response message
In the configuration GUI, go to the tab "Advanced", press the pencil beside "Authentication - Radius" and add the desired message to the parameter challenge_message, like this:
"challenge_message": "Your customized message to the user:"
Then press "Stage changes"/"Commit changes".
The RADIUS AUTHENTICATOR should be of the type usernamepasswordotp
Change post SAML assertion delay
Open <auth_http_template_root>/templates/autopost.template
Change the timeout value (the default is 5 s, i.e. 5000 ms):
setTimeout('document.phenixform.submit()',5000);
Save file.
LDAP Connection settings in some Firewall scenarios
In the configuration GUI, go to Scenarios, Connections, LDAP, <yourldap>. Set the value for "Connection pool max age" as in the example below. With this setting the server reconnects to the LDAP server every minute (60000 ms), so that an idle connection does not time out, for example at a firewall.
"pool_max_age" : "60000"
Property expansion expressions with dotted keys
Turn on globally with system property: com.phenixidentity.globals.useExtendedExprSyntax=true
Example in vmoptions file:
-Dcom.phenixidentity.globals.useExtendedExprSyntax=true
If not configured globally, the parameter has to be added to each valve where the syntax is used:
"use_extended_expr_syntax": "true"
Requires dots inside a key to be escaped with '\\' (e.g. {{request.apa\\.banan}}).
Also supported for system properties (when turned on; otherwise use '_' as the separator).
By default this behaviour is switched off (for compatibility with existing configurations).
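To make the escaping rule concrete, here is an added Python illustration of how a {{...}} expression is resolved against a request map with and without the extended syntax. This is not PhenixID code: the product's own expression engine is not shown on this page, so the scope map, the "unresolved expands to empty string" fallback and the acceptance of both the single- and double-backslash spellings are assumptions for this example only; system-property expansion is not modelled.

```python
import re

# Constructed sample data standing in for the request scope that PhenixID
# expressions such as {{request.User-Password}} read from. The key "apa.banan"
# contains a literal dot, which is the case the extended syntax exists for.
SAMPLE_SCOPES = {
    "request": {
        "User-Password": "secret123",
        "apa.banan": "value-with-dotted-key",
        "nested": {"inner": "deep"},
    },
}

EXPR = re.compile(r"\{\{([^}]+)\}\}")


def split_path(path, extended):
    r"""Split an expression path into lookup segments.

    extended=False (the default behaviour): every '.' is a separator, so a key
    that itself contains a dot cannot be addressed at all.
    extended=True (use_extended_expr_syntax): '\.' is a literal dot inside a
    key. The page writes the example as {{request.apa\\.banan}}, i.e. with the
    backslash itself escaped as it would appear inside a JSON string; this
    helper accepts both spellings (assumption about how the config is stored).
    """
    if not extended:
        return path.split(".")
    path = path.replace("\\\\.", "\\.")
    segments, current, i = [], [], 0
    while i < len(path):
        if path.startswith("\\.", i):
            current.append(".")
            i += 2
        elif path[i] == ".":
            segments.append("".join(current))
            current = []
            i += 1
        else:
            current.append(path[i])
            i += 1
    segments.append("".join(current))
    return segments


def resolve(path, scopes, extended=False):
    """Walk the nested scope maps; return None when any segment is missing."""
    value = scopes
    for segment in split_path(path, extended):
        if not isinstance(value, dict) or segment not in value:
            return None
        value = value[segment]
    return value


def expand(template, scopes, extended=False):
    """Replace every {{path}} in template. An unresolvable path expands to the
    empty string here; that fallback is an assumption, not documented behaviour."""
    def replace(match):
        value = resolve(match.group(1).strip(), scopes, extended)
        return "" if value is None else str(value)
    return EXPR.sub(replace, template)


if __name__ == "__main__":
    template = "pw={{request.User-Password}} dotted={{request.apa\\.banan}}"
    print("default :", expand(template, SAMPLE_SCOPES))
    print("extended:", expand(template, SAMPLE_SCOPES, extended=True))
```

Running the block shows the practical difference: with the default behaviour the dotted key silently resolves to nothing, while with the extended syntax the escaped expression returns the value, which is why the parameter has to be set on every valve that uses such a key (or globally via the system property).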