urn:infinispan:server:15.1

server

interfaces

interface*

NameTypeDefaultDescription
namestring

inet-address?

NameTypeDefaultDescription
valuestring

global?

link-local?

loopback?

non-loopback?

site-local?

match-interface?

NameTypeDefaultDescription
valueFIXME

match-address?

NameTypeDefaultDescription
valueFIXME

socket-bindings

NameTypeDefaultDescription
default-interfacestring
port-offsetstring

socket-binding*

security?

credential-stores?

Complex type to contain the definitions of the credential stores.

credential-store*

An individual credential store definition.
NameTypeDefaultDescription
namestring Specifies the name of the credential keystore.
relative-tostring A property name whose value will be used to resolve relative paths.
pathstring File name of the credential keystore. If the path is relative, the full path will be resolved using the 'relative-to' attribute.
typestringpkcs12 The type of the credential store file. Can be either pkcs12 or jceks. Defaults to pkcs12.

clear-text-credential

Specifies a clear-text password that allows access to the credential keystore.

A clear-text credential.
NameTypeDefaultDescription
clear-textstring The clear-text password.

masked-credential

Specifies a masked password that allows access to the credential keystore.

Adds a masked password for the credential keystore.
NameTypeDefaultDescription
maskedstring Specifies a masked password in the format of `MASKED_VALUE;SALT;ITERATION`.

command-credential

Specifies an external command that supplies a password that allows access to the credential keystore.

Executes an external command that supplies the password for the credential keystore.
NameTypeDefaultDescription
commandstring An external command, including arguments, that returns the credential on the standard output.

credential-reference

Specifies the credential keystore that contains a password that allows access to the credential keystore.

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

security-realms

security-realm+

NameTypeDefaultDescription
namestring
default-realmstring Specifies which of the underlying realms will be used by default. It defaults to the first realm.
cache-max-sizeint256 The maximum size for the identity cache for this realm. If the size is less than 1, the cache will be disabled. Defaults to 256.
cache-lifespanstring60s The lifespan, in milliseconds, of entries in the identity cache after which they expire and are reloaded from the realm provider. Defaults to -1 (never expires).

evidence-decoder?

x500-subject-evidence-decoder?

An EvidenceDecoder that derives the principal associated with the given evidence from the subject from the first certificate in the certificate chain.

x509-subject-alt-name-evidence-decoder?

An EvidenceDecoder that derives the principal associated with the given evidence from an X.509 subject alternative name from the first certificate in the given evidence.
NameTypeDefaultDescription
alt-name-type
rfc822Name
dNSName
directoryName
uniformResourceIdentifier
ipAddress
registeredID
The subject alternative name type to decode from the given evidence.
segmentint0 The 0-based occurrence of the subject alternative name to map. This attribute is optional and only used when there is more than one subject alternative name of the given alt-name-type

server-identities?

ssl?

keystore?

NameTypeDefaultDescription
pathstring Specifies the location of the keystore on the host file system. You can set a relative or absolute value. If you set a relative value, configure a value for the 'relative-to' attribute. The type of the keystore will be auto-detected among JKS, JCEKS, PKCS12 or PEM. BKS, BCFKS and UBER are also supported if the `bouncycastle` libary is present. The path may be omitted when using global store providers, such as 'SunPKCS11-NSS-FIPS'.
relative-tostringinfinispan.server.config.path Specifies a property name that resolves to a directory on the host file system. Any files that you specify with the 'path' attribute, unless absolute, must be relative to this directory.
keystore-passwordstring Deprecated: use the 'password' attribute instead.
passwordstring The password required to open the keystore. If the keystore is a PEM file, this should be specified as an empty string.
aliasstring The alias of the entry in the keystore to use as the server identity. Only required if there are multiple entries in the keystore.
key-passwordstring A password required to access a specific entry within the keystore. Only needed if the keystore type supports it and the entries have been protected by an additional password.
generate-self-signed-certificate-hoststring If this attribute is set and if the file that backs the KeyStore does not exist, then a self-signed certificate will be generated on first use and it will be persisted to the file that backs the KeyStore. The value of this attribute will be used for the Common Name value in the self-signed certificate. The use of this attribute is intended for testing purposes only. This attribute is not intended for production use.
providerstring The name of the provider to use to instantiate the KeyManagerFactory. If the provider is not specified, the first provider found that can create an instance of the specified 'type' will be used.
typestring The type of the keystore. Normally the type will be auto-detected. This attribute is required for file-less keystores, for example when using the `SunPKCS11-nss-fips` provider.

credential-reference?

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

truststore?

NameTypeDefaultDescription
pathstring Specifies the location of the truststore on the host file system. You can set a relative or absolute value. If you set a relative value, configure a value for the 'relative-to' attribute. The type of the keystore will be auto-detected among JKS, JCEKS, PKCS12 or PEM. BKS, BCFKS and UBER are also supported if the `bouncycastle` libary is present. The path may be omitted when using global store providers, such as 'SunPKCS11-NSS-FIPS'.
relative-tostringinfinispan.server.config.path Specifies a property name that resolves to a directory on the host file system. Any files that you specify with the 'path' attribute, unless absolute, must be relative to this directory.
passwordstring The password required to open the truststore. If the truststore is a PEM file, this should be specified as an empty string.
providerstring The name of the provider to use to instantiate the TrustManagerFactory. If the provider is not specified, the first provider found that can create an instance of the specified 'type' will be used.
typestring The type of the truststore. Normally the type will be auto-detected. This attribute is required for file-less truststores, for example when using the `SunPKCS11-nss-fips` provider.

credential-reference?

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

engine?

NameTypeDefaultDescription
enabled-protocols
enabled-ciphersuitesstringDEFAULT The filter to be applied to the cipher suites made available by this SSL engine.
enabled-ciphersuites-tls13stringTLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 The ciphersuite names to use for the TLSv1.3 engine.

kerberos*

NameTypeDefaultDescription
principalstring Specifies the principal that the KeyTab represents.
keytab-pathstring Sets the path to the KeyTab for retrieving credentials.
relative-tostring Specifies the name of a named path or a standard path that the system provides. If set, the value of the "path" attribute becomes relative to this path.
minimum-remaining-lifetimeint0 Specifies, in seconds, how long a cached credential can remain before it is recreated.
request-lifetimeint Specifies, in seconds, how much lifetime to request for newly created credentials.
fail-cacheint Specifies the amount of time, in seconds, to wait before attempting to obtain server credential if the previous attempt failed. Prevents long waiting periods on every authentication attempt if the KDC is unavailable.
serverbooleantrue Specifies if the realm is server-side (default) or client-side.
obtain-kerberos-ticketbooleanfalse Controls if a KerberosTicket is also obtained and associated with the credential. The value must be true if credentials are delegated to the server.
debugbooleanfalse Defines if the JAAS step to obtain the credential has debug logging enabled.
wrap-gss-credentialbooleanfalse Specifies if generated GSS credentials are wrapped to prevent improper disposal.
requiredbooleanfalse Specifies if the keytab file with adequate principal must exist when the service starts.
mechanism-namesKRB5 SPNEGO Defines the mechanism names with which the credential can be used. Names are converted to OIDs and used together with OIDs from the mechanism-oids attribute.
mechanism-oids Defines the mechanism OIDs with which the credential can be used. Used with OIDs derived from names from the mechanism-names attribute.

ldap-realm?

Defines an LDAP security realm.
NameTypeDefaultDescription
namestring Names the security realm to logically separate multiple realms of the same type.
urlstring Specifies the URL for LDAP server connections in the format ldap[s]://{hostname}:{port}.
principalstring Specifies the user principal for LDAP server connections.
credentialstring Specifies the user credential for LDAP server connections.
direct-verificationboolean Configures the realm to verify credentials by connecting to LDAP servers with the account. Values are true / false (default).
page-sizeint50 Sets the page size for realm iteration. The default value is 50.
connection-poolingbooleanfalse Enables connection pooling.
referral-modefollow Specifies if LDAP server referrals are followed and corresponds to the REFERRAL ("java.naming.referral") environment property. Values are "ignore", "follow" (default), and "throw".
connection-timeoutstring5s Sets the timeout, in milliseconds, for LDAP server connections. The default value is 5 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
read-timeoutstring1m Sets the read timeout, in milliseconds, for LDAP server operations. The default value is 1 minute. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
client-ssl-contextstring The name of a realm which provides a trust store with which to validate SSL client connections.

credential-reference?

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

name-rewriter?

Specifies a name rewriter that transforms names returned by a realm.

case-principal-transformer

Specifies a PrincipalTransformer definition using case conversion
NameTypeDefaultDescription
uppercasebooleantrue Whether to transform to UPPERCASE or lowercase. The default is true.
Specifies the base type for all PrincipalTransformer definitions.
NameTypeDefaultDescription
namestring Deprecated. Will be ignored.

common-name-principal-transformer

Specifies a PrincipalTransformer definition which extracts the first CommonName (CN) from a DistinguishedName (DN).

regex-principal-transformer

Specifies a PrincipalTransformer definition using regular expressions and Matcher based replacement.
NameTypeDefaultDescription
patternstring Specifies the regular expression for this PrincipalTransformer.
replacementstring Specifies the replacement string for the PrincipalTransformer.
replace-allbooleanfalse Replaces all occurrences instead of the first occurrence.
Specifies the base type for all PrincipalTransformer definitions.
NameTypeDefaultDescription
namestring Deprecated. Will be ignored.

identity-mapping*

Specifies configuration options that define how principals are mapped to corresponding entries in LDAP servers.
NameTypeDefaultDescription
search-dnstring Names the context for query execution. This option provides a useful method to authenticate users based on names that do not use X.500 format, such as "plainUser". In this case, you must also specify the rdn-identifier. If names to authenticate users are based on the X.500 format, you can suppress this configuration. You should also note that this option lets realms authenticate users based on simple, or X.500, names.
rdn-identifierstring Specifies an LDAP attribute that contains the user name and appears in the path of new entries.
search-recursivebooleanfalse Performs recursive queries.
search-time-limitint10000 The time limit of LDAP search in milliseconds. Defaults to 10000 ms.
filter-namestring(rdn_identifier={0}) Specifies the LDAP filter that retrieves an identity by name. In the default value, "{0}" is replaced with the searched identity name and "rdn_identifier" is replaced with the value of the "rdn-identifier" attribute.

attribute-mapping?

Specifies the attribute mappings defined for this resource.

attribute

NameTypeDefaultDescription
filterstring The filter to use to obtain the values for a specific attribute. String "{0}" will be replaced by username, "{1}" by user identity DN.
NameTypeDefaultDescription
filter-dnstring The name of the context where the filter should be performed.
fromstring The name of the LDAP attribute to map to an identity attribute. If not defined, DN of the whole entry is used as value.
tostring The name of the identity attribute mapped from a specific LDAP attribute. If not provided, the name of the attribute is the same as define in 'from'. If the 'from' is not defined too, value 'dn' is used.
search-recursivebooleantrue Indicates if attribute LDAP search queries are recursive.
role-recursionint0 Sets recursive roles assignment - value determine maximum depth of recursion. (0 for no recursion)
role-recursion-namestringcn Determine LDAP attribute of role entry which will be substitute for "{0}" in filter-name when searching roles of role. Used only when role-recursion is set.
extract-rdnstring The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format.

attribute-reference

NameTypeDefaultDescription
referencestring The name of an LDAP attribute containing DN of entry to obtain value from.
NameTypeDefaultDescription
filter-dnstring The name of the context where the filter should be performed.
fromstring The name of the LDAP attribute to map to an identity attribute. If not defined, DN of the whole entry is used as value.
tostring The name of the identity attribute mapped from a specific LDAP attribute. If not provided, the name of the attribute is the same as define in 'from'. If the 'from' is not defined too, value 'dn' is used.
search-recursivebooleantrue Indicates if attribute LDAP search queries are recursive.
role-recursionint0 Sets recursive roles assignment - value determine maximum depth of recursion. (0 for no recursion)
role-recursion-namestringcn Determine LDAP attribute of role entry which will be substitute for "{0}" in filter-name when searching roles of role. Used only when role-recursion is set.
extract-rdnstring The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format.

user-password-mapper?

Specifies the user password credential mapping defined for this resource.
NameTypeDefaultDescription
fromstring The name of the LDAP attribute to map to an identity user password credential.
verifiableboolean If the password credential is verifiable.

local-realm?

NameTypeDefaultDescription
namestringlocal

properties-realm?

NameTypeDefaultDescription
namestring Names the security realm to logically separate multiple realms of the same type.
groups-attributestringRoles

user-properties?

NameTypeDefaultDescription
pathstringusers.properties
relative-tostringinfinispan.server.config.path
digest-realm-namestring
plain-textbooleanfalse

group-properties?

NameTypeDefaultDescription
pathstringgroups.properties
relative-tostringinfinispan.server.config.path

token-realm?

NameTypeDefaultDescription
namestring
auth-server-urlstring
client-idstring
principal-claimstringusername

jwt

NameTypeDefaultDescription
issuer Defines one or more string values representing an unique identifier for the entities that are allowed as issuers of a given JWT. During validation JWT tokens must have a iss claim that contains one of the values defined here. If not provided, the validator will not perform validations based on the issuer claim.
audience Defines one or more string values representing the audiences supported by this configuration. During validation JWT tokens must have an aud claim that contains one of the values defined here. If not provided, the validator will not perform validations based on the audience claim.
public-keystring A default public key in its PEM format used to validate the signature of tokens without kid header parameter. If not provided, the validator will not validate signatures.
jku-timeoutstring2m A timeout, in milliseconds for cached jwks when using jku claim. After this timeout, the keys of need to be re-cached before use. Default value is 2 minutes. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
connection-timeoutstring2s Sets the timeout, in milliseconds, for connections to the JKU server. The default value is 2 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
read-timeoutstring2s Sets the read timeout, in milliseconds, for the JKU server. operations. The default value is 2 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
client-ssl-contextstring The name of a realm which provides a trust store with which to validate SSL client connections.
host-name-verification-policystring A HostnameVerifier that will be used to validate the hostname when using SSL/TLS. This configuration is mandatory if using jku claims. Can be ANY or DEFAULT.

oauth2-introspection

NameTypeDefaultDescription
client-idstring The identifier of a client registered within the OAuth2 Authorization Server that will be used to authenticate this server in order to validate bearer tokens arriving to this server. Please note that the client will be usually a confidential client with both an identifier and secret configured in order to authenticate against the token introspection endpoint. In this case, the endpoint must support HTTP BASIC authentication using the client credentials (both id and secret).
client-secretstring The secret of the client identified by the given clientId.
introspection-urlstring An URL pointing to a RFC-7662 OAuth2 Token Introspection compatible endpoint.
connection-timeoutstring2s Sets the timeout, in milliseconds, for connections to the OAuth2 server. The default value is 2 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
read-timeoutstring2s Sets the read timeout, in milliseconds, for the OAuth2 server. operations. The default value is 2 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
client-ssl-contextstring The name of a realm which provides a trust store with which to validate SSL client connections.
host-name-verification-policystring A HostnameVerifier that will be used to validate the hostname when using SSL/TLS. This configuration is mandatory if the given token introspection url is using SSL/TLS. Can be ANY or DEFAULT.

credential-reference?

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

truststore-realm?

NameTypeDefaultDescription
namestring

distributed-realm?

A realm definition for authentication and authorization of identities distributed between multiple realms.
NameTypeDefaultDescription
namestring
realms A list of security realms that should be used for authentication until one succeeds. If no realms are specified, all the available realms will be used.

aggregate-realm?

A realm definition for authentication and authorization of identities aggregated between multiple realms.
NameTypeDefaultDescription
namestring
authentication-realmFIXME The name of a security realm that should be used for authentication.
authorization-realms A list of security realm names that should be used for authorization. If no realms are specified, all the available realms will be used.

name-rewriter?

Specifies a name rewriter that transforms names returned by a realm.

case-principal-transformer

Specifies a PrincipalTransformer definition using case conversion
NameTypeDefaultDescription
uppercasebooleantrue Whether to transform to UPPERCASE or lowercase. The default is true.
Specifies the base type for all PrincipalTransformer definitions.
NameTypeDefaultDescription
namestring Deprecated. Will be ignored.

common-name-principal-transformer

Specifies a PrincipalTransformer definition which extracts the first CommonName (CN) from a DistinguishedName (DN).

regex-principal-transformer

Specifies a PrincipalTransformer definition using regular expressions and Matcher based replacement.
NameTypeDefaultDescription
patternstring Specifies the regular expression for this PrincipalTransformer.
replacementstring Specifies the replacement string for the PrincipalTransformer.
replace-allbooleanfalse Replaces all occurrences instead of the first occurrence.
Specifies the base type for all PrincipalTransformer definitions.
NameTypeDefaultDescription
namestring Deprecated. Will be ignored.

data-sources?

data-source*

NameTypeDefaultDescription
nametokenName for the datasource (used for management)
jndi-nametokenJNDI name for the datasource
statisticsbooleanfalseEnable statistics for this datasource

connection-factory

Configuration for the connection factory

NameTypeDefaultDescription
drivertokenUnique reference to the JDBC driver
urltokenJDBC driver connection URL (e.g. "jdbc:h2:tcp://localhost:1234")
transaction-isolation
NONE
READ_UNCOMMITTED
READ_COMMITTED
REPEATABLE_READ
SERIALIZABLE
READ_COMMITTEDSet the java.sql.Connection transaction isolation level to use. Defaults to READ_COMMITTED
new-connection-sqltokenSQL statement to be executed on a connection after creation
usernametokenUsername to use for basic authentication with the database
passwordtokenPassword to use for basic authentication with the database

credential-reference

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

connection-property

Properties for the JDBC driver

connection-pool

Configuration for the connection pool

NameTypeDefaultDescription
max-sizenonNegativeInteger2147483647Maximum number of connections in the pool
min-sizenonNegativeInteger0Minimum number of connections the pool should hold
initial-sizenonNegativeInteger0Initial number of connections the pool should hold
blocking-timeoutstring0 Maximum time in milliseconds to block while waiting for a connection before throwing an exception This will never throw an exception if creating a new connection takes an inordinately long period of time Default is 0 meaning that a call will wait indefinitely You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
background-validationstring0 Time in milliseconds between background validation runs. A duration of 0 means that this feature is disabled. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
validate-on-acquisitionstring0 Connections idle for longer than this time, specified in milliseconds, are validated before being acquired (foreground validation). A duration of 0 means that this feature is disabled. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
leak-detectionstring0 Time in milliseconds a connection has to be held before a leak warning You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
idle-removalstring0 Time in milliseconds a connection has to be idle before it can be removed. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).

endpoints

NameTypeDefaultDescription
socket-bindingstringSpecifies the socket the endpoint connector binds to.
security-realmstringNames the security realm to use for authentication, cache authorization, and encryption.

endpoint*

NameTypeDefaultDescription
socket-bindingstringSpecifies the socket the endpoint connector binds to.
security-realmstringNames the security realm to use for authentication, cache authorization, and encryption.
adminbooleantrueEnable administrative features on this endpoint. Defaults to true.
metrics-authbooleantrueEnable metrics authentication on this endpoint. Defaults to true.
NameTypeDefaultDescription
socket-bindingstringSpecifies the socket this connector binds to. If no socket binding is declared, the server does not listen to TCP connections.
cache-containerstringNames the cache container this connector exposes.
io-threadsintSets the number of I/O threads. Defaults to 2 * cpu cores. This configuration is ignored when using single port.
idle-timeoutstring0 Specifies the maximum time, in seconds, that client connections can remain inactive. Defaults to 0 (no timeout). You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
tcp-nodelaybooleanEnables TCP NODELAY on the TCP stack. Values are enabled (default) / disabled.
tcp-keepalivebooleanEnables TCP KEEPALIVE on the TCP stack. Values are enabled / disabled (default).
send-buffer-sizeintSets the size of the send buffer.
receive-buffer-sizeintSets the size of the receive buffer.
require-ssl-client-authboolean Requires clients to use certificates for authentication.

interfaces

interface*

NameTypeDefaultDescription
namestring

inet-address?

NameTypeDefaultDescription
valuestring

global?

link-local?

loopback?

non-loopback?

site-local?

match-interface?

NameTypeDefaultDescription
valueFIXME

match-address?

NameTypeDefaultDescription
valueFIXME

data-sources

data-source*

NameTypeDefaultDescription
nametokenName for the datasource (used for management)
jndi-nametokenJNDI name for the datasource
statisticsbooleanfalseEnable statistics for this datasource

connection-factory

Configuration for the connection factory

NameTypeDefaultDescription
drivertokenUnique reference to the JDBC driver
urltokenJDBC driver connection URL (e.g. "jdbc:h2:tcp://localhost:1234")
transaction-isolation
NONE
READ_UNCOMMITTED
READ_COMMITTED
REPEATABLE_READ
SERIALIZABLE
READ_COMMITTEDSet the java.sql.Connection transaction isolation level to use. Defaults to READ_COMMITTED
new-connection-sqltokenSQL statement to be executed on a connection after creation
usernametokenUsername to use for basic authentication with the database
passwordtokenPassword to use for basic authentication with the database

credential-reference

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

connection-property

Properties for the JDBC driver

connection-pool

Configuration for the connection pool

NameTypeDefaultDescription
max-sizenonNegativeInteger2147483647Maximum number of connections in the pool
min-sizenonNegativeInteger0Minimum number of connections the pool should hold
initial-sizenonNegativeInteger0Initial number of connections the pool should hold
blocking-timeoutstring0 Maximum time in milliseconds to block while waiting for a connection before throwing an exception This will never throw an exception if creating a new connection takes an inordinately long period of time Default is 0 meaning that a call will wait indefinitely You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
background-validationstring0 Time in milliseconds between background validation runs. A duration of 0 means that this feature is disabled. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
validate-on-acquisitionstring0 Connections idle for longer than this time, specified in milliseconds, are validated before being acquired (foreground validation). A duration of 0 means that this feature is disabled. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
leak-detectionstring0 Time in milliseconds a connection has to be held before a leak warning You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
idle-removalstring0 Time in milliseconds a connection has to be idle before it can be removed. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).

security

credential-stores?

Complex type to contain the definitions of the credential stores.

credential-store*

An individual credential store definition.
NameTypeDefaultDescription
namestring Specifies the name of the credential keystore.
relative-tostring A property name whose value will be used to resolve relative paths.
pathstring File name of the credential keystore. If the path is relative, the full path will be resolved using the 'relative-to' attribute.
typestringpkcs12 The type of the credential store file. Can be either pkcs12 or jceks. Defaults to pkcs12.

clear-text-credential

Specifies a clear-text password that allows access to the credential keystore.

A clear-text credential.
NameTypeDefaultDescription
clear-textstring The clear-text password.

masked-credential

Specifies a masked password that allows access to the credential keystore.

Adds a masked password for the credential keystore.
NameTypeDefaultDescription
maskedstring Specifies a masked password in the format of `MASKED_VALUE;SALT;ITERATION`.

command-credential

Specifies an external command that supplies a password that allows access to the credential keystore.

Executes an external command that supplies the password for the credential keystore.
NameTypeDefaultDescription
commandstring An external command, including arguments, that returns the credential on the standard output.

credential-reference

Specifies the credential keystore that contains a password that allows access to the credential keystore.

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

security-realms

security-realm+

NameTypeDefaultDescription
namestring
default-realmstring Specifies which of the underlying realms will be used by default. It defaults to the first realm.
cache-max-sizeint256 The maximum size for the identity cache for this realm. If the size is less than 1, the cache will be disabled. Defaults to 256.
cache-lifespanstring60s The lifespan, in milliseconds, of entries in the identity cache after which they expire and are reloaded from the realm provider. Defaults to -1 (never expires).

evidence-decoder?

x500-subject-evidence-decoder?

An EvidenceDecoder that derives the principal associated with the given evidence from the subject from the first certificate in the certificate chain.

x509-subject-alt-name-evidence-decoder?

An EvidenceDecoder that derives the principal associated with the given evidence from an X.509 subject alternative name from the first certificate in the given evidence.
NameTypeDefaultDescription
alt-name-type
rfc822Name
dNSName
directoryName
uniformResourceIdentifier
ipAddress
registeredID
The subject alternative name type to decode from the given evidence.
segmentint0 The 0-based occurrence of the subject alternative name to map. This attribute is optional and only used when there is more than one subject alternative name of the given alt-name-type

server-identities?

ssl?

keystore?

NameTypeDefaultDescription
pathstring Specifies the location of the keystore on the host file system. You can set a relative or absolute value. If you set a relative value, configure a value for the 'relative-to' attribute. The type of the keystore will be auto-detected among JKS, JCEKS, PKCS12 or PEM. BKS, BCFKS and UBER are also supported if the `bouncycastle` libary is present. The path may be omitted when using global store providers, such as 'SunPKCS11-NSS-FIPS'.
relative-tostringinfinispan.server.config.path Specifies a property name that resolves to a directory on the host file system. Any files that you specify with the 'path' attribute, unless absolute, must be relative to this directory.
keystore-passwordstring Deprecated: use the 'password' attribute instead.
passwordstring The password required to open the keystore. If the keystore is a PEM file, this should be specified as an empty string.
aliasstring The alias of the entry in the keystore to use as the server identity. Only required if there are multiple entries in the keystore.
key-passwordstring A password required to access a specific entry within the keystore. Only needed if the keystore type supports it and the entries have been protected by an additional password.
generate-self-signed-certificate-hoststring If this attribute is set and if the file that backs the KeyStore does not exist, then a self-signed certificate will be generated on first use and it will be persisted to the file that backs the KeyStore. The value of this attribute will be used for the Common Name value in the self-signed certificate. The use of this attribute is intended for testing purposes only. This attribute is not intended for production use.
providerstring The name of the provider to use to instantiate the KeyManagerFactory. If the provider is not specified, the first provider found that can create an instance of the specified 'type' will be used.
typestring The type of the keystore. Normally the type will be auto-detected. This attribute is required for file-less keystores, for example when using the `SunPKCS11-nss-fips` provider.

credential-reference?

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

truststore?

NameTypeDefaultDescription
pathstring Specifies the location of the truststore on the host file system. You can set a relative or absolute value. If you set a relative value, configure a value for the 'relative-to' attribute. The type of the keystore will be auto-detected among JKS, JCEKS, PKCS12 or PEM. BKS, BCFKS and UBER are also supported if the `bouncycastle` libary is present. The path may be omitted when using global store providers, such as 'SunPKCS11-NSS-FIPS'.
relative-tostringinfinispan.server.config.path Specifies a property name that resolves to a directory on the host file system. Any files that you specify with the 'path' attribute, unless absolute, must be relative to this directory.
passwordstring The password required to open the truststore. If the truststore is a PEM file, this should be specified as an empty string.
providerstring The name of the provider to use to instantiate the TrustManagerFactory. If the provider is not specified, the first provider found that can create an instance of the specified 'type' will be used.
typestring The type of the truststore. Normally the type will be auto-detected. This attribute is required for file-less truststores, for example when using the `SunPKCS11-nss-fips` provider.

credential-reference?

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

engine?

NameTypeDefaultDescription
enabled-protocols
enabled-ciphersuitesstringDEFAULT The filter to be applied to the cipher suites made available by this SSL engine.
enabled-ciphersuites-tls13stringTLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 The ciphersuite names to use for the TLSv1.3 engine.

kerberos*

NameTypeDefaultDescription
principalstring Specifies the principal that the KeyTab represents.
keytab-pathstring Sets the path to the KeyTab for retrieving credentials.
relative-tostring Specifies the name of a named path or a standard path that the system provides. If set, the value of the "path" attribute becomes relative to this path.
minimum-remaining-lifetimeint0 Specifies, in seconds, how long a cached credential can remain before it is recreated.
request-lifetimeint Specifies, in seconds, how much lifetime to request for newly created credentials.
fail-cacheint Specifies the amount of time, in seconds, to wait before attempting to obtain server credential if the previous attempt failed. Prevents long waiting periods on every authentication attempt if the KDC is unavailable.
serverbooleantrue Specifies if the realm is server-side (default) or client-side.
obtain-kerberos-ticketbooleanfalse Controls if a KerberosTicket is also obtained and associated with the credential. The value must be true if credentials are delegated to the server.
debugbooleanfalse Defines if the JAAS step to obtain the credential has debug logging enabled.
wrap-gss-credentialbooleanfalse Specifies if generated GSS credentials are wrapped to prevent improper disposal.
requiredbooleanfalse Specifies if the keytab file with adequate principal must exist when the service starts.
mechanism-namesKRB5 SPNEGO Defines the mechanism names with which the credential can be used. Names are converted to OIDs and used together with OIDs from the mechanism-oids attribute.
mechanism-oids Defines the mechanism OIDs with which the credential can be used. Used with OIDs derived from names from the mechanism-names attribute.

ldap-realm?

Defines an LDAP security realm.
NameTypeDefaultDescription
namestring Names the security realm to logically separate multiple realms of the same type.
urlstring Specifies the URL for LDAP server connections in the format ldap[s]://{hostname}:{port}.
principalstring Specifies the user principal for LDAP server connections.
credentialstring Specifies the user credential for LDAP server connections.
direct-verificationboolean Configures the realm to verify credentials by connecting to LDAP servers with the account. Values are true / false (default).
page-sizeint50 Sets the page size for realm iteration. The default value is 50.
connection-poolingbooleanfalse Enables connection pooling.
referral-modefollow Specifies if LDAP server referrals are followed and corresponds to the REFERRAL ("java.naming.referral") environment property. Values are "ignore", "follow" (default), and "throw".
connection-timeoutstring5s Sets the timeout, in milliseconds, for LDAP server connections. The default value is 5 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
read-timeoutstring1m Sets the read timeout, in milliseconds, for LDAP server operations. The default value is 1 minute. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
client-ssl-contextstring The name of a realm which provides a trust store with which to validate SSL client connections.

credential-reference?

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

name-rewriter?

Specifies a name rewriter that transforms names returned by a realm.

case-principal-transformer

Specifies a PrincipalTransformer definition using case conversion
NameTypeDefaultDescription
uppercasebooleantrue Whether to transform to UPPERCASE or lowercase. The default is true.
Specifies the base type for all PrincipalTransformer definitions.
NameTypeDefaultDescription
namestring Deprecated. Will be ignored.

common-name-principal-transformer

Specifies a PrincipalTransformer definition which extracts the first CommonName (CN) from a DistinguishedName (DN).

regex-principal-transformer

Specifies a PrincipalTransformer definition using regular expressions and Matcher based replacement.
NameTypeDefaultDescription
patternstring Specifies the regular expression for this PrincipalTransformer.
replacementstring Specifies the replacement string for the PrincipalTransformer.
replace-allbooleanfalse Replaces all occurrences instead of the first occurrence.
Specifies the base type for all PrincipalTransformer definitions.
NameTypeDefaultDescription
namestring Deprecated. Will be ignored.

identity-mapping*

Specifies configuration options that define how principals are mapped to corresponding entries in LDAP servers.
NameTypeDefaultDescription
search-dnstring Names the context for query execution. This option provides a useful method to authenticate users based on names that do not use X.500 format, such as "plainUser". In this case, you must also specify the rdn-identifier. If names to authenticate users are based on the X.500 format, you can suppress this configuration. You should also note that this option lets realms authenticate users based on simple, or X.500, names.
rdn-identifierstring Specifies an LDAP attribute that contains the user name and appears in the path of new entries.
search-recursivebooleanfalse Performs recursive queries.
search-time-limitint10000 The time limit of LDAP search in milliseconds. Defaults to 10000 ms.
filter-namestring(rdn_identifier={0}) Specifies the LDAP filter that retrieves an identity by name. In the default value, "{0}" is replaced with the searched identity name and "rdn_identifier" is replaced with the value of the "rdn-identifier" attribute.

attribute-mapping?

Specifies the attribute mappings defined for this resource.

attribute

NameTypeDefaultDescription
filterstring The filter to use to obtain the values for a specific attribute. String "{0}" will be replaced by username, "{1}" by user identity DN.
NameTypeDefaultDescription
filter-dnstring The name of the context where the filter should be performed.
fromstring The name of the LDAP attribute to map to an identity attribute. If not defined, DN of the whole entry is used as value.
tostring The name of the identity attribute mapped from a specific LDAP attribute. If not provided, the name of the attribute is the same as define in 'from'. If the 'from' is not defined too, value 'dn' is used.
search-recursivebooleantrue Indicates if attribute LDAP search queries are recursive.
role-recursionint0 Sets recursive roles assignment - value determine maximum depth of recursion. (0 for no recursion)
role-recursion-namestringcn Determine LDAP attribute of role entry which will be substitute for "{0}" in filter-name when searching roles of role. Used only when role-recursion is set.
extract-rdnstring The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format.

attribute-reference

NameTypeDefaultDescription
referencestring The name of an LDAP attribute containing DN of entry to obtain value from.
NameTypeDefaultDescription
filter-dnstring The name of the context where the filter should be performed.
fromstring The name of the LDAP attribute to map to an identity attribute. If not defined, DN of the whole entry is used as value.
tostring The name of the identity attribute mapped from a specific LDAP attribute. If not provided, the name of the attribute is the same as define in 'from'. If the 'from' is not defined too, value 'dn' is used.
search-recursivebooleantrue Indicates if attribute LDAP search queries are recursive.
role-recursionint0 Sets recursive roles assignment - value determine maximum depth of recursion. (0 for no recursion)
role-recursion-namestringcn Determine LDAP attribute of role entry which will be substitute for "{0}" in filter-name when searching roles of role. Used only when role-recursion is set.
extract-rdnstring The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format.

user-password-mapper?

Specifies the user password credential mapping defined for this resource.
NameTypeDefaultDescription
fromstring The name of the LDAP attribute to map to an identity user password credential.
verifiableboolean If the password credential is verifiable.

local-realm?

NameTypeDefaultDescription
namestringlocal

properties-realm?

NameTypeDefaultDescription
namestring Names the security realm to logically separate multiple realms of the same type.
groups-attributestringRoles

user-properties?

NameTypeDefaultDescription
pathstringusers.properties
relative-tostringinfinispan.server.config.path
digest-realm-namestring
plain-textbooleanfalse

group-properties?

NameTypeDefaultDescription
pathstringgroups.properties
relative-tostringinfinispan.server.config.path

token-realm?

NameTypeDefaultDescription
namestring
auth-server-urlstring
client-idstring
principal-claimstringusername

jwt

NameTypeDefaultDescription
issuer Defines one or more string values representing an unique identifier for the entities that are allowed as issuers of a given JWT. During validation JWT tokens must have a iss claim that contains one of the values defined here. If not provided, the validator will not perform validations based on the issuer claim.
audience Defines one or more string values representing the audiences supported by this configuration. During validation JWT tokens must have an aud claim that contains one of the values defined here. If not provided, the validator will not perform validations based on the audience claim.
public-keystring A default public key in its PEM format used to validate the signature of tokens without kid header parameter. If not provided, the validator will not validate signatures.
jku-timeoutstring2m A timeout, in milliseconds for cached jwks when using jku claim. After this timeout, the keys of need to be re-cached before use. Default value is 2 minutes. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
connection-timeoutstring2s Sets the timeout, in milliseconds, for connections to the JKU server. The default value is 2 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
read-timeoutstring2s Sets the read timeout, in milliseconds, for the JKU server. operations. The default value is 2 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
client-ssl-contextstring The name of a realm which provides a trust store with which to validate SSL client connections.
host-name-verification-policystring A HostnameVerifier that will be used to validate the hostname when using SSL/TLS. This configuration is mandatory if using jku claims. Can be ANY or DEFAULT.

oauth2-introspection

NameTypeDefaultDescription
client-idstring The identifier of a client registered within the OAuth2 Authorization Server that will be used to authenticate this server in order to validate bearer tokens arriving to this server. Please note that the client will be usually a confidential client with both an identifier and secret configured in order to authenticate against the token introspection endpoint. In this case, the endpoint must support HTTP BASIC authentication using the client credentials (both id and secret).
client-secretstring The secret of the client identified by the given clientId.
introspection-urlstring An URL pointing to a RFC-7662 OAuth2 Token Introspection compatible endpoint.
connection-timeoutstring2s Sets the timeout, in milliseconds, for connections to the OAuth2 server. The default value is 2 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
read-timeoutstring2s Sets the read timeout, in milliseconds, for the OAuth2 server. operations. The default value is 2 seconds. You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
client-ssl-contextstring The name of a realm which provides a trust store with which to validate SSL client connections.
host-name-verification-policystring A HostnameVerifier that will be used to validate the hostname when using SSL/TLS. This configuration is mandatory if the given token introspection url is using SSL/TLS. Can be ANY or DEFAULT.

credential-reference?

Credential reference to be used by the configuration.
NameTypeDefaultDescription
storestring Credential store name used to fetch credential with given 'alias' from. Credential store name has to be defined elsewhere.
aliasstring Alias of credential in the credential store.

truststore-realm?

NameTypeDefaultDescription
namestring

distributed-realm?

A realm definition for authentication and authorization of identities distributed between multiple realms.
NameTypeDefaultDescription
namestring
realms A list of security realms that should be used for authentication until one succeeds. If no realms are specified, all the available realms will be used.

aggregate-realm?

A realm definition for authentication and authorization of identities aggregated between multiple realms.
NameTypeDefaultDescription
namestring
authentication-realmFIXME The name of a security realm that should be used for authentication.
authorization-realms A list of security realm names that should be used for authorization. If no realms are specified, all the available realms will be used.

name-rewriter?

Specifies a name rewriter that transforms names returned by a realm.

case-principal-transformer

Specifies a PrincipalTransformer definition using case conversion
NameTypeDefaultDescription
uppercasebooleantrue Whether to transform to UPPERCASE or lowercase. The default is true.
Specifies the base type for all PrincipalTransformer definitions.
NameTypeDefaultDescription
namestring Deprecated. Will be ignored.

common-name-principal-transformer

Specifies a PrincipalTransformer definition which extracts the first CommonName (CN) from a DistinguishedName (DN).

regex-principal-transformer

Specifies a PrincipalTransformer definition using regular expressions and Matcher based replacement.
NameTypeDefaultDescription
patternstring Specifies the regular expression for this PrincipalTransformer.
replacementstring Specifies the replacement string for the PrincipalTransformer.
replace-allbooleanfalse Replaces all occurrences instead of the first occurrence.
Specifies the base type for all PrincipalTransformer definitions.
NameTypeDefaultDescription
namestring Deprecated. Will be ignored.

socket-bindings

NameTypeDefaultDescription
default-interfacestring
port-offsetstring

socket-binding*

endpoints

NameTypeDefaultDescription
socket-bindingstringSpecifies the socket the endpoint connector binds to.
security-realmstringNames the security realm to use for authentication, cache authorization, and encryption.

endpoint*

NameTypeDefaultDescription
socket-bindingstringSpecifies the socket the endpoint connector binds to.
security-realmstringNames the security realm to use for authentication, cache authorization, and encryption.
adminbooleantrueEnable administrative features on this endpoint. Defaults to true.
metrics-authbooleantrueEnable metrics authentication on this endpoint. Defaults to true.
NameTypeDefaultDescription
socket-bindingstringSpecifies the socket this connector binds to. If no socket binding is declared, the server does not listen to TCP connections.
cache-containerstringNames the cache container this connector exposes.
io-threadsintSets the number of I/O threads. Defaults to 2 * cpu cores. This configuration is ignored when using single port.
idle-timeoutstring0 Specifies the maximum time, in seconds, that client connections can remain inactive. Defaults to 0 (no timeout). You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
tcp-nodelaybooleanEnables TCP NODELAY on the TCP stack. Values are enabled (default) / disabled.
tcp-keepalivebooleanEnables TCP KEEPALIVE on the TCP stack. Values are enabled / disabled (default).
send-buffer-sizeintSets the size of the send buffer.
receive-buffer-sizeintSets the size of the receive buffer.
require-ssl-client-authboolean Requires clients to use certificates for authentication.

endpoint

NameTypeDefaultDescription
socket-bindingstringSpecifies the socket the endpoint connector binds to.
security-realmstringNames the security realm to use for authentication, cache authorization, and encryption.
adminbooleantrueEnable administrative features on this endpoint. Defaults to true.
metrics-authbooleantrueEnable metrics authentication on this endpoint. Defaults to true.
NameTypeDefaultDescription
socket-bindingstringSpecifies the socket this connector binds to. If no socket binding is declared, the server does not listen to TCP connections.
cache-containerstringNames the cache container this connector exposes.
io-threadsintSets the number of I/O threads. Defaults to 2 * cpu cores. This configuration is ignored when using single port.
idle-timeoutstring0 Specifies the maximum time, in seconds, that client connections can remain inactive. Defaults to 0 (no timeout). You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
tcp-nodelaybooleanEnables TCP NODELAY on the TCP stack. Values are enabled (default) / disabled.
tcp-keepalivebooleanEnables TCP KEEPALIVE on the TCP stack. Values are enabled / disabled (default).
send-buffer-sizeintSets the size of the send buffer.
receive-buffer-sizeintSets the size of the receive buffer.
require-ssl-client-authboolean Requires clients to use certificates for authentication.
Expand/Collapse All