urn:infinispan:server:14.0

Name	Type	Default	Description
principal	string		Specifies the principal that the KeyTab represents.
keytab-path	string		Sets the path to the KeyTab for retrieving credentials.
relative-to	string		Specifies the name of a named path or a standard path that the system provides. If set, the value of the "path" attribute becomes relative to this path.
minimum-remaining-lifetime	int	0	Specifies, in seconds, how long a cached credential can remain before it is recreated.
request-lifetime	int		Specifies, in seconds, how much lifetime to request for newly created credentials.
fail-cache	int		Specifies the amount of time, in seconds, to wait before attempting to obtain server credential if the previous attempt failed. Prevents long waiting periods on every authentication attempt if the KDC is unavailable.
server	boolean	true	Specifies if the realm is server-side (default) or client-side.
obtain-kerberos-ticket	boolean	false	Controls if a KerberosTicket is also obtained and associated with the credential. The value must be true if credentials are delegated to the server.
debug	boolean	false	Defines if the JAAS step to obtain the credential has debug logging enabled.
wrap-gss-credential	boolean	false	Specifies if generated GSS credentials are wrapped to prevent improper disposal.
required	boolean	false	Specifies if the keytab file with adequate principal must exist when the service starts.
mechanism-names		KRB5 SPNEGO	Defines the mechanism names with which the credential can be used. Names are converted to OIDs and used together with OIDs from the mechanism-oids attribute.
mechanism-oids			Defines the mechanism OIDs with which the credential can be used. Used with OIDs derived from names from the mechanism-names attribute.

Credential reference to be used by the configuration.

Name	Type	Default	Description
store	string		Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
alias	string		Alias of credential in the credential store.

Specifies a LDAP name rewriter that transforms names returned by LDAP servers.

Specifies configuration options that define how principals are mapped to corresponding entries in LDAP servers.

Name	Type	Default	Description
search-dn	string		Names the context for query execution. This option provides a useful method to authenticate users based on names that do not use X.500 format, such as "plainUser". In this case, you must also specify the rdn-identifier. If names to authenticate users are based on the X.500 format, you can suppress this configuration. You should also note that this option lets realms authenticate users based on simple, or X.500, names.
rdn-identifier	string		Specifies an LDAP attribute that contains the user name and appears in the path of new entries.
search-recursive	boolean	false	Performs recursive queries.
search-time-limit	int	10000	The time limit of LDAP search in milliseconds. Defaults to 10000 ms.
filter-name	string	(rdn_identifier={0})	Specifies the LDAP filter that retrieves an identity by name. In the default value, "{0}" is replaced with the searched identity name and "rdn_identifier" is replaced with the value of the "rdn-identifier" attribute.

Name	Type	Default	Description
path	string
relative-to	string
digest-realm-name	string
plain-text	boolean	false

Name	Type	Default	Description
path	string
relative-to	string

Name	Type	Default	Description
issuer			Defines one or more string values representing an unique identifier for the entities that are allowed as issuers of a given JWT. During validation JWT tokens must have a iss claim that contains one of the values defined here. If not provided, the validator will not perform validations based on the issuer claim.
audience			Defines one or more string values representing the audiences supported by this configuration. During validation JWT tokens must have an aud claim that contains one of the values defined here. If not provided, the validator will not perform validations based on the audience claim.
public-key	string		A default public key in its PEM format used to validate the signature of tokens without kid header parameter. If not provided, the validator will not validate signatures.
jku-timeout	long	120000	A timeout, in milliseconds for cached jwks when using jku claim. After this timeout, the keys of need to be re-cached before use. Default value is 2 minutes.
connection-timeout	integer	2000	Sets the timeout, in milliseconds, for connections to the JKU server. The default value is 2 seconds.
read-timeout	integer	2000	Sets the read timeout, in milliseconds, for the JKU server. operations. The default value is 2 seconds.
client-ssl-context	string		The name of a realm which provides a trust store with which to validate SSL client connections.
host-name-verification-policy	string		A HostnameVerifier that will be used to validate the hostname when using SSL/TLS. This configuration is mandatory if using jku claims. Can be ANY or DEFAULT.

Name	Type	Default	Description
client-id	string		The identifier of a client registered within the OAuth2 Authorization Server that will be used to authenticate this server in order to validate bearer tokens arriving to this server. Please note that the client will be usually a confidential client with both an identifier and secret configured in order to authenticate against the token introspection endpoint. In this case, the endpoint must support HTTP BASIC authentication using the client credentials (both id and secret).
client-secret	string		The secret of the client identified by the given clientId.
introspection-url	string		An URL pointing to a RFC-7662 OAuth2 Token Introspection compatible endpoint.
connection-timeout	integer	2000	Sets the timeout, in milliseconds, for connections to the OAuth2 server. The default value is 2 seconds.
read-timeout	integer	2000	Sets the read timeout, in milliseconds, for the OAuth2 server. operations. The default value is 2 seconds.
client-ssl-context	string		The name of a realm which provides a trust store with which to validate SSL client connections.
host-name-verification-policy	string		A HostnameVerifier that will be used to validate the hostname when using SSL/TLS. This configuration is mandatory if the given token introspection url is using SSL/TLS. Can be ANY or DEFAULT.

The configuration of the SASL authentication layer for this server. The optional "include-mechanisms" attribute contains a list of allowed SASL mechanism names. No mechanisms will be allowed which are not present in this list. The optional "qop" attribute contains a list of quality-of-protection values, in decreasing order of preference. The optional "strength" attribute contains a list of cipher strength values, in decreasing order of preference. The optional "policy" attribute contains a list of policies to use to narrow down the available set of mechanisms. The optional nested "property" elements specify additional properties required by the specified mechanisms

Name	Type	Default	Description
server-principal	string		The principal to use as the server identity. The principal must be present in the security realm. This is required for Kerberos-based SASL mechs (e.g. GSSAPI, GS2_KRB5)
server-name	string		Names the server that is exposed to clients.
mechanisms
qop
strength
policy

An element specifying a TLS SNI mapping.

Name	Type	Default	Description
host-name	string		TLS SNI host name
security-realm	string		A corresponding security realm. If none is specified, the default will be used.

Defines a CORS rule for one or more origins.

Name	Type	Default	Description
name	string		Defines a name for a CORS rule.
allow-credentials	boolean	false	Configures if CORS requests use credentials and sets the CORS 'Access-Control-Allow-Credentials' response header.
max-age-seconds	int	0	Configures how long CORS preflight request headers can be caches and sets the CORS 'Access-Control-Max-Age' response header.
allowed-origins	string		Specifies the CORS 'Access-Control-Allow-Origin' header that controls which origins can access resources.
allowed-methods			Specifies the CORS 'Access-Control-Allow-Methods' header in the preflight response. Controls the methods that origins can access.
allowed-headers			Specifies the CORS 'Access-Control-Allow-Headers' header in the preflight response. Controls the headers that origins can access.
expose-headers			Specifies the CORS 'Access-Control-Expose-Headers' header in the preflight response. Controls the headers that are exposed to origins.

An element specifying a TLS SNI mapping.

Name	Type	Default	Description
host-name	string		TLS SNI host name
security-realm	string		A corresponding security realm. If none is specified, the default will be used.

An element specifying a TLS SNI mapping.

Name	Type	Default	Description
host-name	string		TLS SNI host name
security-realm	string		A corresponding security realm. If none is specified, the default will be used.

Name	Type	Default	Description
path	string		Specifies the location of the keystore on the host file system. You can set a relative or absolute value. If you set a relative value, configure a value for the 'relative-to' attribute. The type of the keystore will be auto-detected among JKS, JCEKS, PKCS12 or PEM. BKS, BCFKS and UBER are also supported if the `bouncycastle` libary is present. The path may be omitted when using global store providers, such as 'SunPKCS11-NSS-FIPS'.
relative-to	string	infinispan.server.config.path	Specifies a property name that resolves to a directory on the host file system. Any files that you specify with the 'path' attribute, unless absolute, must be relative to this directory.
keystore-password	string		Deprecated: use the 'password' attribute instead.
password	string		The password required to open the keystore. If the keystore is a PEM file, this should be specified as an empty string.
alias	string		The alias of the entry in the keystore to use as the server identity. Only required if there are multiple entries in the keystore.
key-password	string		A password required to access a specific entry within the keystore. Only needed if the keystore type supports it and the entries have been protected by an additional password.
generate-self-signed-certificate-host	string		If this attribute is set and if the file that backs the KeyStore does not exist, then a self-signed certificate will be generated on first use and it will be persisted to the file that backs the KeyStore. The value of this attribute will be used for the Common Name value in the self-signed certificate. The use of this attribute is intended for testing purposes only. This attribute is not intended for production use.
provider	string		The name of the provider to use to instantiate the KeyManagerFactory. If the provider is not specified, and OpenSSL is available and supported on the platform and architecture, the 'openssl' provider will be used. Otherwise the first provider found that can create an instance of the specified 'type' will be used.
type	string		The type of the keystore. Normally the type will be auto-detected. This attribute is required for file-less keystores, for example when using the `SunPKCS11-nss-fips` provider.

Name	Type	Default	Description
path	string		Specifies the location of the truststore on the host file system. You can set a relative or absolute value. If you set a relative value, configure a value for the 'relative-to' attribute. The type of the keystore will be auto-detected among JKS, JCEKS, PKCS12 or PEM. BKS, BCFKS and UBER are also supported if the `bouncycastle` libary is present. The path may be omitted when using global store providers, such as 'SunPKCS11-NSS-FIPS'.
relative-to	string	infinispan.server.config.path	Specifies a property name that resolves to a directory on the host file system. Any files that you specify with the 'path' attribute, unless absolute, must be relative to this directory.
password	string		The password required to open the truststore. If the truststore is a PEM file, this should be specified as an empty string.
provider	string		The name of the provider to use to instantiate the TrustManagerFactory. If the provider is not specified, and OpenSSL is available and supported on the platform and architecture, the 'openssl' provider will be used. Otherwise the first provider found that can create an instance of the specified 'type' will be used.
type	string		The type of the truststore. Normally the type will be auto-detected. This attribute is required for file-less truststores, for example when using the `SunPKCS11-nss-fips` provider.

Name	Type	Default	Description
enabled-protocols
enabled-ciphersuites	string	DEFAULT	The filter to be applied to the cipher suites made available by this SSL engine.
enabled-ciphersuites-tls13	string	TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256	The ciphersuite names to use for the TLSv1.3 engine.

Specifies a PrincipalTransformer definition using regular expressions and Matcher based replacement.

Name	Type	Default	Description
pattern	string		Specifies the regular expression for this PrincipalTransformer.
replacement	string		Specifies the replacement string for the PrincipalTransformer.
replace-all	boolean	false	Replaces all occurrences instead of the first occurrence.

Specifies the attribute mappings defined for this resource.

Specifies the user password credential mapping defined for this resource.

Name	Type	Default	Description
from	string		The name of the LDAP attribute to map to an identity user password credential.
verifiable	boolean		If the password credential is verifiable.

Credential reference to be used by the configuration.

Name	Type	Default	Description
store	string		Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
alias	string		Alias of credential in the credential store.